Regulatory Compliance and You

WHO PUT ALL THESE REGULATIONS ON ME?
WHAT IS A PERSON TO DO?
WHERE DO I GO FROM HERE?
WHEN DID THIS GET SO COMPLICATED?
WHY DO I HAVE TO DO THIS?
HELLO
Judi Ellis
EDMC Security Architect
CGEIT, CISM, CRISC
jjpineridge@zoominternet.net
Experience:
• PNC
• Highmark
• KPMG
• CMRI
• NCFTA
• e-Profile
• Jefferson Wells
Overview
• Control Standards
• Frameworks
• Regulations
• Measurement
• Bringing it all together
Control Standards
• ISO 27001
• Basel II
• CoBIT
• SEC
• ITIL
• FFIEC
• FISMA
• CIS
• NIST
• FDCC
• CIS – Center for Internet Security
• COSO
• AES – Advanced Encryption Standard
• SANS
• BS 7799
Regulations
• HIPAA
• FERPA
• SOX 404/302
• Red Flags
• PCI-DSS
• HITECH
• Title IV
• ACH
• GLBA
• NACHA
• US Patriot Act
• PII Laws
• FLSA
• Safe Harbor
• CAN-SPAM
• COPA
Frameworks
Armed robbery, eh? I’m in for being out of compliance with Federal Guidelines.
ISO 2700*
Formally known as ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems – Requirements, it is an information security management system standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The standard is derived from British standard BS 7799, and for that reason the standard is frequently cited as ISO 17799. It is intended to be used in conjunction with ISO/IEC 27002, the Code of Practice for Information Security Management, which delineates security control objectives and recommends a range of specific security controls.
• Adopt an all-encompassing management process to ensure all information security controls meet information security needs on an ongoing basis.
FISMA-NIST
The Federal Information Security Management Act of 2002 (FISMA) is a Federal law enacted in 2002 as Title III of the E-Government Act of 2002. The act was designed to bolster computer and network security within the federal government and affiliated parties (such as recipients of Federal monies and government contractors) by mandating yearly information security audits.
FISMA establishes:
• Standards for categorizing information and information systems by mission impact
• Standards for minimum security requirements for information and information systems
• Guidance for selecting appropriate security controls for information systems
• Guidance for assessing security controls in information systems
• Guidance for security authorization of information systems
• Guidance for monitoring the security controls and security authorization of systems
NIST References
NIST publications include the following key security-related documents:
• FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems
• FIPS Publication 200, Minimum Security Requirements for Federal Information and Federal Information Systems
• NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems
• NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems
• NIST Special Publication 800-37 Revision 1, Guide for Security Authorization of Federal Information Systems: A Security Lifecycle Approach
• NIST Special Publication 800-39, NIST Risk Management Framework
• NIST Special Publication 800-53 Revision 2, Recommended Security Controls for Federal Information Systems
• NIST Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems
• NIST Special Publication 800-59, Guide for Identifying an Information System as a National Security System
• NIST Special Publication 800-60 Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories
PCI-DSS
Payment Card Industry Data Security Standard
• PCI DSS is a worldwide security standard established through the Security Standards Council (SSC) in 2006 by:
  • American Express
  • Discover Financial Services
  • JCB International
  • MasterCard Worldwide
  • Visa
• The PCI security standards are technical and operational requirements placed on organizational entities that process card payments, intended to prevent credit card fraud and hacking and to mitigate other security vulnerabilities and threats.
• The standards apply to all organizations that store, process or transmit cardholder data, which obviously includes an increasingly large number of state agencies transacting with businesses, with citizens, and with other government entities.
PCI-DSS
The following are the six primary control areas comprising the Payment Card Industry security standard:
• Build and Maintain a Secure Network
• Protect Cardholder Data
• Maintain a Vulnerability Management Program
• Implement Strong Access Control Measures
• Regularly Monitor and Test Networks
• Maintain an Information Security Policy
CoBIT
Control Objectives for Information and related Technology (COBIT) is an open, international standard originally published in 1996 by the IT Governance Institute and the Information Systems Audit and Control Association (ISACA). COBIT is a set of best practices for information technology designed to provide managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices. It assists in maximizing the benefits derived through the use of information technology and develops appropriate IT governance and control for private-sector companies or public agencies.

The COBIT Framework is organized into four domains, thirty-four high-level control objectives, and 318 detailed control objectives. The framework follows a general plan-do-check-act structure.
CoBIT
• Plan and Organize
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate
CoBIT-Plan and Organize
• PO1 Define a strategic IT plan.
• PO2 Define the information architecture.
• PO3 Determine technological direction.
• PO4 Define the IT processes, organization, and relationships.
• PO5 Manage the IT investment.
• PO6 Communicate management aims and direction.
• PO7 Manage IT human resources.
• PO8 Manage quality.
• PO9 Assess and manage IT risks.
• PO10 Manage projects.
CoBIT-Acquire and Implement
• AI1 Identify automated solutions.
• AI2 Acquire and maintain application software.
• AI3 Acquire and maintain technology infrastructure.
• AI4 Enable operation and use.
• AI5 Procure IT resources.
• AI6 Manage changes.
• AI7 Install and accredit solutions and changes.
CoBIT Deliver and Support
• DS1 Define and manage service levels.
• DS2 Manage third-party services.
• DS3 Manage performance and capacity.
• DS4 Ensure continuous service.
• DS5 Ensure systems security.
• DS6 Identify and allocate costs.
• DS7 Educate and train users.
• DS8 Manage service desk and incidents.
• DS9 Manage the configuration.
• DS10 Manage problems.
• DS11 Manage data.
• DS12 Manage the physical environment.
• DS13 Manage operations.
CoBIT Monitor and Evaluate
• ME1 Monitor and evaluate IT performance.
• ME2 Monitor and evaluate internal control.
• ME3 Ensure regulatory compliance.
• ME4 Provide IT governance.

Regulations
I’ve been here for so long I don’t remember what I did,
but it had something to do with non-compliance.
SAS-70
• Statement on Auditing Standards No. 70 (SAS-70), Service Organizations, is an auditing standard created by the American Institute of Certified Public Accountants (AICPA) in 1992. SAS 70 defines standards used by auditors to assess the internal controls of service organizations and prepare service auditor’s reports. Service organizations are entities providing services that impact the control environment of their customers.
• Examples of service organizations are insurance and medical claims processors, trust companies, hosted data centers, application service providers (ASPs), managed security providers, credit processing organizations and clearinghouses.
SAS-70
• Auditors follow AICPA standards for fieldwork, quality control and reporting, and issue a formal report to the service provider that includes the auditor’s opinion once the audit is completed.
• SAS-70 audits are of two types. A Type I audit assesses the service organization’s description of controls placed in operation and the suitability of the design of those controls to achieve the specified control objectives, as defined by the service provider. A Type II service auditor’s report includes the information contained in a Type I report and also includes the service auditor’s opinion on whether the specific controls were operating effectively during the period under review.
• Recently replaced by SSAE 16 (June 2011), which has more of an international presence and is broadly accepted in accordance with ISAE 3402.
HIPAA
• The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the Federal government in 1996.
Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers, with the overall goals of protecting the privacy and security of health information and promoting the efficiency of the health care industry through use of standardized electronic transactions.
• Requires covered entities to protect the privacy and security of an individual’s health information.

HIPAA
• HIPAA’s Security Rule covers health plans, healthcare clearinghouses, and healthcare providers. Health plans are defined as any individual or group plan that provides or pays the cost of health care, which includes the Medicare and Medicaid programs operated at the state and federal levels.
• The Rule establishes three types of security safeguards required for compliance: administrative, physical, and technical.
• For each of these types, various security standards are identified, and for each standard, both required and addressable implementation specifications are delineated.
• The rule includes eighteen standards that cover thirty-six implementation specifications.
HIPAA
• Required specifications must be adopted and administered as dictated by the rule. Addressable specifications are more flexible. The Centers for Medicare and Medicaid Services defines the following steps for complying with the Security Rule:
  • Assess current security, risks, and gaps
  • Develop an implementation plan
  • Review the Security Rule standards and specifications
  • Review addressable implementation specifications
  • Determine security measures
  • Implement solutions
  • Document decisions
  • Reassess periodically
The Security Rule required covered entities to be in compliance with the rule no later than April 2005, though smaller health plans were given an additional year to comply.
HIPAA
• The HIPAA Privacy Rule (“Privacy Rule”) establishes a set of national standards that address the use and disclosure of individuals’ health information, called PHI (Personal Health Information), by organizations called “covered entities”, as well as standards for individuals’ privacy rights to understand and control how their health information is used. Thank you OCR (Office of Civil Rights).
• A major goal of the Privacy Rule is to assure that PHI is properly protected while permitting appropriate uses of the information, protecting the privacy of the individual.
HIPAA
• HIPAA was passed in 1996, but it wasn’t until 2/4/2011 that the first HIPAA violation was penalized, with a $4.3 m fine to Maryland healthcare provider Cignet for failing to provide 41 patients with copies of their medical records.
• HIPAA did not have teeth until HITECH came along and provided enforcement and penalties.
• http://threatpost.com/en_us/blogs/hipaa-bares-its-teeth-43m-fine-privacy-violation-022311
FERPA
• The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
• Schools or public agencies that receive student data may disclose, without consent, “directory” information such as a student’s name, address, telephone number, date and place of birth, honors and awards, and dates of attendance.
• However, schools or agencies must tell parents and eligible students about directory information and allow parents and eligible students a reasonable amount of time to request that the school not disclose directory information about them. Schools must notify parents and eligible students annually of their rights under FERPA.
• Education records must not be disclosed and must be protected.
SOX
• The Sarbanes-Oxley Act (SOX) was enacted by the Federal government in 2002 in response to a number of major corporate and accounting scandals, most prominently that of the Enron Corporation.

SOX establishes new, enhanced standards for all U.S. public companies, and though as such it is not directed at government, it has nonetheless had a significant impact on internal accounting controls in public agencies through its focus on management oversight of how fiscal information within agencies is created, accessed, stored, processed, and transmitted within automated as well as manual record systems.
SOX
Among the Act’s principal reforms are these elements:
• Creation of an independent public company accounting oversight board
• A heightened level of corporate governance and responsibility measures
• Expanded corporate, financial, and insider disclosure requirements, and
• A range of new penalties for fraud and other violations.
Measurements
As-Is Assessment
Where do I start?
• Come up with the plan
  • Assessment
  • Measurement
  • Identify gaps
  • Plan of attack
What regulations do I need to follow? Where am I today? Where are my gaps? What do I need to do? I need a plan. I need to get started. How do I start? What do I do? How do I do this?
Where do I need to be to pass an audit?
• Work your plan
  • Assessment
  • Measurement
  • Identify gaps
• Readjust your plan
  • Assessment
  • Measurement
  • Identify gaps
Plan-ISMS
Information Security Management System
Assessment
Getting Started
• Choose a tool – SANS, CMS, Big 4, NIST, ISO….
OCTAVE
OCTAVE® (Operationally Critical Threat, Asset, and Vulnerability Evaluation℠) is a suite of tools, techniques, and methods for risk-based information security strategic assessment and planning.
OCTAVE Methods
There are three OCTAVE methods:
• the original OCTAVE method, which forms the basis for the OCTAVE body of knowledge
• OCTAVE-S, for smaller organizations
• OCTAVE-Allegro, a streamlined approach for information security assessment and assurance
OCTAVE methods are founded on the OCTAVE criteria, a standard approach for a risk-driven and practice-based information security evaluation. The OCTAVE criteria establish the fundamental principles and attributes of risk management that are used by the OCTAVE methods.
Features and benefits of OCTAVE methods
The OCTAVE methods are:
• self-directed: small teams of organizational personnel across business units and IT work together to address the security needs of the organization.
• flexible: each method can be tailored to the organization's unique risk environment, security and resiliency objectives, and skill level.
• evolved: OCTAVE moves the organization toward an operational risk-based view of security and addresses technology in a business context.
CMMI Model
• Capability Maturity Model Integration (CMMI) is a process improvement approach whose goal is to help organizations improve their performance. CMMI can be used to guide process improvement across a project, a division, or an entire organization.
• CMMI in software engineering and organizational development is a process improvement approach that provides organizations with the essential elements for effective process improvement. CMMI is registered in the U.S. Patent and Trademark Office by Carnegie Mellon University. According to the Software Engineering Institute (SEI, 2008), CMMI helps “integrate traditionally separate organizational functions, set process improvement goals and priorities, provide guidance for quality processes, and provide a point of reference for appraising current processes.”
What’s a person to do?
To benefit from the standards and guidelines, it is imperative that you:
• Understand the complexity of overlapping standards
• Select a foundational standard while expecting to reference others as needed
• Start the “as is” assessment to identify existing gaps
• Incorporate the standard by reference in your security architecture
• Understand related vertical standards and potential impacts on the enterprise as they evolve
• Develop strong working relationships with internal and external auditors
• Monitor, test, and quantify compliance levels, to ensure that standards and controls are working and effective (CMMI model already discussed)
• Work untiringly to educate your enterprise about the role of security standards and their own responsibilities under those standards

Pulling “IT” All Together
Control mapping matrix: each row is a control activity, each column is a framework or regulation (CoBIT, ISO2700, ITIL, NewCo Best Practices, SOX, GLBA, PCIDSS, CMS, HiTech), and an X marks where that framework calls for the control. Mark counts per row (column placement not recoverable from the slide text):
• Create Backups – 8 marks
• Passwords must be 8 characters long – 5 marks
• Conduct a yearly IT risk assessment – 5 marks
• Centralized Monitoring – 4 marks
Measuring IT
• Create Backups – CMMI 2
• Passwords 8 characters long – CMMI 3
• Yearly IT Risk Assessment – CMMI 2
• Centralized monitoring – CMMI 1
Measurement
Pulling it Together
• Focus on Relevant Regulations
• Get Executive Buy-in
• Assemble the Right Team
• Develop Policies for Compliance
• Identify Common Controls
• Perform a Gap Analysis
• Classify your Data
• Look for the Quick Wins
• Start Small, Go Big
• Educate Users
Useful Websites
• CMMI – http://www.sei.cmu.edu/library/abstracts/presentations/20080925webinar.cfm
• PCI-DSS V 2.0 – https://www.pcisecuritystandards.org/security_standards/documents.php
• CMS – https://www.cms.gov/home/regsguidance.asp
• HIPAA – http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
• HITECH – http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.html
• GLBA – http://business.ftc.gov/privacy-and-security/gramm-leach-bliley-act
• FISMA – http://csrc.nist.gov/groups/SMA/fisma/index.html
• NIST – 800 series – http://csrc.nist.gov/publications/PubsSPs.html
• CoBIT – http://www.isaca.org/Knowledge-Center/cobit/Pages/COBIT-Online.aspx
• OCTAVE – http://www.cert.org/octave/
Conclusion
How long do we have to get in compliance?
Questions?