Lecture 11A: Legal Requirements - Information Systems and Internet

CS996
Information Security Management
Legal Requirements &
Regulatory Compliance
Yevgeniy Shupikov
Boris Gitelman
Polytechnic University, Spring 2005
Overview
- Why legal
- Major U.S. laws
  - HIPAA
  - Gramm-Leach-Bliley Act
  - FISMA
  - Basel II
  - Sarbanes-Oxley Act
  - USA PATRIOT Act
  - California’s SB 1386
  - COPA & COPPA
- Systems and Security Engineering Process Integration
- Summary
- Questions & Discussion
- Homework
- References
- Examples:
  - SB 1386 precedent
  - Examples on SB 1386
  - Example on legal liability
Why legal
- The focus of this presentation is
  - To present briefly various major laws;
  - To describe their intention, impact, and significance;
  - To show how laws lead to security requirements for systems.
- We will show some examples of cases
  - Because U.S. law is largely precedent driven;
  - To show how laws impact the real world; and
  - To emphasize the cost of compliance and noncompliance.
Framework for each law
- General introduction
  - Motivation, overall goal
- Specific clauses with security implications
  - What are the implied security requirements?
- Cost of compliance
- Cost of non-compliance
  - fines, jail, other penalties, etc.
- Examples from news
  - Precedent cases leading to the law’s creation
  - Court cases after the law was passed
What is HIPAA?
- Health Insurance Portability and Accountability Act
- A comprehensive federal law passed in 1996 that institutes major medical reform
- HIPAA’s main theme: KEEP INDIVIDUALS’ HEALTH INFORMATION SECURE AND CONFIDENTIAL
HIPAA Structure
- HIPAA
  - Title I: Insurance Portability
  - Title II: Administrative Simplification
    - Security Rule
    - Privacy Rule
    - Other Standards
HIPAA Security Rule
- Ensure
  - Confidentiality (only the right people see it)
  - Integrity (the information is what it is supposed to be; it hasn’t been changed)
  - Availability (the information can be obtained when needed)
- Covers what safeguards must be in place to protect health information from unauthorized access, alteration, deletion, or transmission.
- Applies only to electronic health information
- Compliance date: April 21, 2005
HIPAA Security Rule Provisions
- Three types:
  - Administrative – relates primarily to policies, procedures and organizational practices
  - Physical – physical measures, policies and procedures to protect electronic information systems, buildings and equipment from natural, man-made and environmental hazards, and unauthorized access
  - Technical – relates to the processes that must be put in place to protect, control and monitor information access; mechanisms to be employed to guard data integrity, confidentiality and availability
HIPAA Security Rule – Administrative Safeguards Section
HIPAA Security Rule – Technical Safeguards Section
HIPAA Security Rule – Physical Safeguards Section
HIPAA Privacy Rule
- The Privacy Rule covers what patient health information is to be protected, the use and disclosures of this information, and what rights patients have with respect to their information
- Rule applies to health information in any form (electronic or paper based)
- Compliance date: April 14, 2003
Privacy Rule Provisions
- Designation of a privacy officer
- Privacy training for all employees
- Reasonable safeguards to prevent intentional or incidental disclosure or misuse of PHI
- Formal sanctions for employee violations
- Provide individuals a “Notice of Privacy Practices” statement
- Provide written authorization for the disclosure of any medical information
Cost of HIPAA Non-Compliance
- Non-Compliance (Civil Penalty)
  - $100 for each violation
  - Maximum of $25,000 per year per incident
- Unauthorized Disclosure or Misuse of Patient Information (Criminal Penalty)
  - Penalties up to $250,000
  - Prison time up to 10 years
- Penalties may apply to the individual violator, but they may also apply to the organization or even to its officers
Costs of HIPAA Compliance
- The government made 5-year, “conservative” cost estimates of the privacy regulation alone at $3.8 BILLION
- The American Hospital Association estimates that hospitals alone may spend up to $20 BILLION over 5 years on information systems changes & upgrades
- In the long run, however, significant savings may be realized due to industry standardization, automation, and lower overhead
- For example, a PAPER-based claim costs $6.00 to $8.00 to process; the same claim in ELECTRONIC form costs $0.17 to process
Gramm-Leach-Bliley (GLB) Act
- GLB Act is a 1999 Federal law which requires “financial institutions” to ensure the security and confidentiality of customer personal information
- Financial institutions include mortgage lenders, loan brokers, financial or investment advisers, tax preparers, providers of real estate settlement services, and debt collectors
- Colleges and universities are considered financial institutions under the Act
- Has two main provisions: the Privacy Rule and the Safeguards Rule
What is “Customer Information”?
- Social security numbers
- Bank account numbers
- Credit card account numbers
- Date and/or location of birth
- Account balances; payment histories; credit ratings; income histories
- Driver’s license information
- ACH (Automated Clearing House) numbers
- Tax return information
What is the Privacy Rule?
- Requires financial institutions to give their customers privacy notices that explain the financial institution’s information collection and sharing practices.
- Customers have the right to limit some sharing of their information.
- Companies that receive personal financial information from a financial institution may be limited in their ability to use that information.
Safeguards Rule
- The Safeguards Rule requires “financial institutions” to develop an information security program that includes these components:
  - Designate a Security Program Coordinator responsible for coordinating the program
  - Conduct a risk assessment to identify reasonably foreseeable security and privacy risks.
  - Ensure that safeguards are employed to control the identified risks; regularly test and monitor the effectiveness of these safeguards.
Objectives of the Safeguards Rule
1. To ensure the security and confidentiality of customer records and information.
2. To protect against any anticipated threats or hazards to the security or integrity of such records.
3. To protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
GLB Safeguards
- There are three types of safeguards that must be considered as part of the Safeguards Rule:
  - Administrative
  - Physical
  - Technical
Administrative Safeguards
- Reference checks for potential employees
- Confidentiality agreements that include standards for handling customer information
- Training employees on basic steps they must take to protect customer information
- Assure employees are knowledgeable about applicable policies and expectations
- Limit access to customer information to employees who have a business need to see it
- Impose disciplinary measures where appropriate
Physical Safeguards
- Locking rooms and file cabinets where customer information is kept
- Using password activated screensavers
- Using strong passwords
- Changing passwords periodically and not writing them down
- Encrypting sensitive customer information transmitted electronically
- Referring calls or requests for customer information to staff trained to respond to such requests
- Being alert to fraudulent attempts to obtain customer information and reporting these to management for referral to appropriate law enforcement agencies
Technical Safeguards
- Storing electronic customer information on a secure server that is accessible only with a password, or has other security protections, and is kept in a physically secure area
- Avoiding storage of customer information on machines with an Internet connection
- Maintaining secure backup media and securing archived data
- Using anti-virus software that updates automatically
- Obtaining and installing patches that resolve software vulnerabilities
- Following written contingency plans to address breaches of safeguards
- Maintaining up-to-date firewalls, particularly with broadband Internet access or where staff are allowed to connect to the network from home
- Providing central management of security tools and keeping employees informed of security risks and breaches
FISMA
- Federal Information Security Management Act
- Title III of the Electronic Government Act of 2002
- Applies to Federal Agencies, including government contractors
- Purpose is to secure information infrastructure used in all of the Federal Agencies
FISMA Requirements for Federal Agencies
- Plan for security
- Ensure that appropriate officials are assigned security responsibility
- Review periodically the security controls in their information systems
- Annual security reporting to Office of Management and Budget
- Security awareness training
- Follow guidelines issued by NIST for information security controls
FISMA Requirements continued
- Report to Congress provides:
  - A summary of government-wide performance in the area of information technology security management
  - An analysis of government-wide weaknesses in information technology security practices, and
  - A plan of action to improve information technology security performance
FISMA Requirements continued
- Report to Congress includes:
  - Certification and accreditation of systems
  - Security costs
  - Annual testing of system controls
  - Contingency planning
  - Implementation of security configuration requirements
FISMA Areas
(Diagram: in the original slide the starred areas below are grouped under five management categories: Information Security Operations; Policy & Compliance Mgmt; IS Program Management (Strategic); System Integration, Configuration, & Lifecycle Mgmt; and Vulnerability, Certification & Accreditation Mgmt.)
- Computer Incident Response Capability*
- Policy Management & Integration*
- Sec Awareness, Training, & Education*
- Security Roles & Responsibilities*
- Critical Infrastructure Protection*
- Security Response (COOP)*
- Physical Security (IT)*
- Congressional Reporting*
- Performance Measurements*
- Sec within CPIC (Funding)*
- ISSO Management*
- Contractor Compliance*
- Patch Management*
- Standards, Baselines & Config*
- Contractor Assessments*
- C&A Process Management*
- Risk Management*
- Security within System Lifecycle Management*
- Document Management*
Roles and Responsibilities for IT Security Management Team
- Agency Head
  - Held accountable ultimately for the protection of an agency’s systems
  - Expected to include security as a part of strategic and operational planning
  - Assign CIOs compliance responsibility
- Inspector General
  - Verify that security program elements exist
  - Validate Plan of Action & Milestones
  - Identify all known security weaknesses and that a robust process exists for maintaining the POA&M
- Chief Information Officer
  - Designate a senior information security officer who reports directly to the CIO
  - Held accountable for agencywide security program
  - Develop and implement policies, procedures and controls
  - Report on progress quarterly to OMB
- ISSO
  - Carry out responsibilities of the CIO
  - Security is the ISSO’s primary responsibility, not another duty as assigned
  - Maintain professional qualifications
- Program Officials and System Owners
  - Assess risk and test controls
  - Update system documentation
  - Ensure systems are certified and accredited
Overview of Agency Security
FISMA Cost of non-compliance
- Probable exploitation of security vulnerabilities
- Unauthorized access and/or modification of sensitive data
- Jeopardized funding for current and future IT projects
FISMA Cost of compliance
- “In F[iscal] Y[ear] 2004, the Federal agencies spent $4.2 billion securing the government’s total information technology investment of approximately $59 billion or about seven percent of the total information technology portfolio.”
Basel II Objectives - 2004
- An international set of recommendations aimed at producing uniformity in the way banks approach risk and asset management
- Requires all banking institutions to have sufficient assets to offset any risks they may face
- Compliance by end of 2006
- Advances a “three-pillar” approach
Basel II – the Three Pillars
(Diagram: Capital Adequacy, a new regulatory structure based on three pillars)
- PILLAR 1: Minimum Capital Requirement (rules to calculate required capital)
- PILLAR 2: Supervisory Review Process (increased supervisory power)
- PILLAR 3: Market Discipline Requirements (increased disclosure requirements)
Types of risk in Basel II
- Credit risk – the risk that a borrower or counterparty might not honour its contractual obligations
- Market risk – the risk of adverse price movements such as exchange rates, the value of securities, and interest rates
- Operational risk – the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events
- Role of IT is to minimize the Operational Risk of an organization, by ensuring Confidentiality, Integrity, and Availability (CIA)
Sarbanes-Oxley Act (SOX)
- SOX effective July 30, 2002
  - House: 107 H.R. 3763, H. Rept. 107-414, H. Rept. 107-610
  - Senate: 107 S. 2673, S. Rept. 107-205
  - Law: Pub. L. 107-204, 116 Stat. 745
- Named after Senator Paul Sarbanes and Representative Michael G. Oxley
- a.k.a. Public Company Accounting Reform and Investor Protection Act of 2002
- Precedent: series of corporate financial scandals
  - Enron, Arthur Andersen, WorldCom, Tyco
- Motivation: revise outdated legislation on audit requirements for public companies
- Applies to public companies filing form 10-K with the Securities and Exchange Commission
SOX Structure
- Organized into 11 titles:
  - Title I: Public Company Accounting Oversight Board
  - Title II: Auditor Independence
  - Title III: Corporate Responsibility
  - Title IV: Enhanced Financial Disclosures
  - Title V: Analyst Conflicts of Interest
  - Title VI: Commission Resources and Authority
  - Title VII: Studies and Reports
  - Title VIII: Corporate and Criminal Fraud Accountability
  - Title IX: White Collar Crime Penalty Enhancements
  - Title X: Corporate Tax Returns
  - Title XI: Corporate Fraud Accountability
SOX: Excerpts
- Title I: Evaluation of whether internal control structure and procedures include records that accurately reflect transactions and disposition of assets
- Title III: internal controls have been reviewed for their effectiveness within 90 days prior to the report
- Title IV: Requires senior management, directors, and principal stockholders to disclose changes in securities ownership or securities based swap agreements within two business days (formerly ten days after the close of the calendar month). Mandates electronic filing and availability of such disclosures one year after the date of enactment.
SOX: Major Provisions
- CEOs, CFOs, and directors
  - May not get personal loans from company
  - Must publicly report their compensations, profits & additional disclosures
  - Must certify truthfulness and completeness of
    - company’s financial reports and
    - reports on presence and effectiveness of internal controls (structures to detect, prevent, and correct errors and fraud within company)
- Criminal and civil penalties for securities violations
  - Significantly longer jail sentences and larger fines
SOX: Major Provisions
- Independent auditor
- Auditor rotation [at most 5 consecutive years]
- Mandatory internal audit certified by external auditors
- Annual independent audit reports regarding internal controls and financial reporting
- 7 year retention period on audit documents (includes everything from reports to internal emails)
- Numerous restrictions on employment of/by auditors, services auditing firms provide to the corporation and vice versa, affiliate/sub-division involvement, other conflict-of-interest arrangements, etc.
- Attorneys obligated to disclose violations.
SOX Cost of non-compliance
- Public companies in violation may be taken off NYSE and NASDAQ by SEC.
- SEC is authorized to freeze personal and corporate payments, funds, and accounts temporarily.
- Corporate fines up to $25,000,000.
- “Knowing” violations
  - Fines of $1,000,000 and/or
  - Jail sentences up to 10 years
- “Willful” violations
  - Fines of $5,000,000 and/or
  - Jail sentences up to 20 years
SOX IT Impact
- If top executives are liable for the data they sign off on, they will make sure that data is accurate and protected:
  - Confidentiality: no one except financial officers, auditors, and executives should have access to it
  - Integrity: better make sure it hasn’t been tampered with, or else jail
    - Authentication, non-repudiation, etc.
  - Availability: obligated to disclose this data to SEC and Public Company Accounting Oversight Board (PCAOB) within 2 days
SOX IT Impact
- Data retention policy and the mechanisms to implement it correctly:
  - How do you collect and store all data relating to financial and audit reviews, reports, electronic and voice communications, and other documents that contain analysis, reports, or opinions that served as basis in creating the financial and audit records?
  - With respect to confidentiality, integrity, and availability
SOX IT Impact
- How do top executives know/ensure the data they sign was accurate to begin with?
- Internal Controls: design, implement, and monitor complete, fast, reliable, and effective methods, mechanisms, and procedures to prevent, find, and correct inaccurate, incomplete, and/or fraudulent documents and activities within the company
SOX Impact
- Smaller companies may be affected when trading with a larger SOX compliant company
- SOX allegedly tends to increase quantity but not quality of financial reports.
- Companies have to think twice before going public: some stay private.
- Some private companies comply with SOX voluntarily as a measure of security and a show of industry competitiveness.
- CEOs, CFOs, directors, and auditors are much more cautious and concerned.
- Restored image of “greater corporate integrity” and “honest enterprise”
SOX: Guidance on Compliance
- COSO (Committee of Sponsoring Organizations of the Treadway Commission)
  - Enterprise Risk Management Framework: www.erm.coso.org
  - assess control environment, determine objectives, prepare risk assessment, monitor controls
- CobiT (Control Objectives for Information and related Technology)
  - more at www.isaca.org/cobit.htm
- ISO-17799
  - http://www.iso.ch/iso/en/prods-services/ISOstore/store.html
- Information Systems Audit and Control Association (ISACA)
- American Institute of Certified Public Accountants (AICPA)
USA PATRIOT Act
- Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001
- USA PATRIOT Act effective October 26, 2001
  - H.R. 3162, S. 1510, Public Law 107-56
- Incorporates an older Foreign Intelligence Surveillance Act
- Response to September 11, 2001
- Broad, complicated, and lengthy legislation
  - 342 pages with 158 sections and 15 amendments to federal statutes
- As of November 2004
  - 372 suspected terrorists charged
  - 194 convicted
USA PATRIOT Act: IT Sections
- Title I: Enhancing domestic security against terrorism
  - Sec. 103. Increased funding for the technical support center at the Federal Bureau of Investigation.
  - Sec. 105. Expansion of National Electronic Crime Task Force Initiative.
- Title II: Enhanced surveillance procedures
  - Sec. 201. Authority to intercept wire, oral, and electronic communications relating to terrorism.
  - Sec. 202. Authority to intercept wire, oral, and electronic communications relating to computer fraud and abuse offenses.
  - Sec. 203. Authority to share criminal investigative information.
  - Sec. 204. Clarification of intelligence exceptions from limitations on interception and disclosure of wire, oral, and electronic communications.
  - Sec. 209. Seizure of voice-mail messages pursuant to warrants.
  - Sec. 210. Scope of subpoenas for records of electronic communications.
  - Sec. 212. Emergency disclosure of electronic communications to protect life and limb.
  - Sec. 217. Interception of computer trespasser communications.
  - Sec. 220. Nationwide service of search warrants for electronic evidence.
  - Sec. 223. Civil liability for certain unauthorized disclosures.
USA PATRIOT Act: IT Sections
- Title III: International money laundering abatement and anti-terrorist financing act of 2001
  - Sec. 312. Special due diligence for correspondent accounts and private banking accounts.
  - Sec. 326. Verification of identification.
  - Sec. 328. International cooperation on identification of originators of wire transfers.
  - Sec. 361. Financial crimes enforcement network.
  - Sec. 362. Establishment of highly secure network.
  - Sec. 366. Efficient use of currency transaction report system.
- Title IV: Protecting the border
  - Sec. 403. Access by the Department of State and the INS to certain identifying information in the criminal history records of visa applicants and applicants for admission to the United States.
  - Sec. 405. Report on the integrated automated fingerprint identification system for ports of entry and overseas consular posts.
  - Sec. 414. Visa integrity and security.
  - Sec. 416. Foreign student monitoring program.
  - Sec. 417. Machine readable passports.
USA PATRIOT Act: IT Sections
- Title V: Removing obstacles to investigating terrorism
  - Sec. 507. Disclosure of educational records.
  - Sec. 508. Disclosure of information from NCES surveys.
- Title VI: Providing for victims of terrorism, public safety officers, and their families
- Title VII: Increased information sharing for critical infrastructure protection
  - Sec. 711. Expansion of regional information sharing system to facilitate Federal-State-local law enforcement response related to terrorist attacks.
- Title VIII: Strengthening criminal laws against terrorism
  - Sec. 815. Additional defense to civil actions relating to preserving records in response to Government requests.
  - Sec. 816. Development and support of cybersecurity forensic capabilities.
USA PATRIOT Act: IT Sections
- Title IX: Improved intelligence
  - Sec. 903. Sense of Congress on the establishment and maintenance of intelligence relationships to acquire information on terrorists and terrorist organizations.
- Title X: Miscellaneous
  - Sec. 1003. Definition of ‘electronic surveillance’.
  - Sec. 1008. Feasibility study on use of biometric identifier scanning system with access to the FBI integrated automated fingerprint identification system at overseas consular posts and points of entry to the United States.
  - Sec. 1015. Expansion and reauthorization of the crime identification technology act for antiterrorism grants to States and localities.
USA PATRIOT Act
- Expanded surveillance with reduced checks and balances
  - wiretaps, search warrants, pen/trap orders, and subpoenas
  - online activity, phones, faxes, ISP records
  - DNA samples, bank records/accounts, surveys, college records/transcripts
  - some “relevant” information vs. “probable cause” from 4th amendment
  - no reporting back on results vs. report to judge with results
  - valid for up to a year vs. up to 30 days
  - Police, FBI, CIA, other; shared information
USA PATRIOT Act
- Concerns:
  - Majority of sections were not carefully studied and debated in Congress, nor was advice taken from experts outside law enforcement.
  - A large setback to Americans’ civil liberties, particularly privacy.
  - Insufficient evidence that the provisions ARE needed and WILL provide a measure against terrorism.
SB 1386 precedent
- California state payroll database was compromised on April 5, 2002.
  - personal records on 260,000 state employees
  - Names, SSNs, and payroll information.
- The security breach was discovered on May 7, 2002.
- The state notified the people on May 24, 2002.
- Public opinion was that it took too long to issue the warnings.
California Security Breach Information Act (SB 1386)
- SB 1386 effective July 1, 2003
- Applies to any person or company “conducting business”
  - with unencrypted computerized personal information on CA residents
    - first name or initial and last name, and one of the following: SSN, driver license, account/card number, code/password, other access granting information
  - must notify the people of the security breach
    - publicly (reputations at stake), via mail (expensive), or via email (inexpensive, but must comply with the e-Sign Law).
    - “in the most expedient time possible, consistent with the legitimate needs of law enforcement … or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.”
California Security Breach Information Act (SB 1386) (continued)
- Intent: timely alert people about a possible occurrence of identity theft
- Motivation: Having to disclose breaches will push companies
  - to review systems and policies in preparation to comply.
  - to improve their network/computer security.
  - to reduce the amount of personal information stored.
  - to use encryption to secure their data.
  - to use intrusion detection/prevention software to respond in a timely manner.
California Security Breach Information Act (SB 1386) (continued)
- Impact:
  - Potentially high cost of compliance.
  - Some companies are required to go public (e.g. over 500,000 records).
  - Victims of violation of SB 1386 can/will/do take civil action. Think about 30,000 simultaneous cases against your company and the cost involved.
- Similar legislation may soon appear in other states and/or on the federal level.
  - Notification of Risk to Personal Data Act (Senator Dianne Feinstein)
- Gray areas:
  - Do CA companies notify non-CA residents?
  - Do out-of-state companies have to comply?
  - Law does not apply if data is encrypted, with no minimum strength requirement. What if they use the Caesar cipher?
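To make the slide’s definition concrete, here is an added example (written for this text, not part of the lecture) that applies the SB 1386 trigger as stated above to a constructed set of breached records. The field names, the cipher allow-list that stands in for an organisation’s own minimum-strength policy, and the conservative handling of the two gray areas (notify non-CA residents too, and do not accept weak “encryption” for the exemption) are assumptions of the example.

```python
"""Added example, not from the lecture: apply the SB 1386 notification trigger
as the slides state it (name + sensitive element, unencrypted, CA resident)
to a constructed breached record set.

Assumptions (mine, not the statute's): the field names, the cipher allow-list
that stands in for an organisation's own minimum-strength policy, and the
default of notifying non-CA residents as well (gray area handled conservatively).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Elements that, combined with a name, make a record "personal information"
# under the slide's summary of SB 1386.
SENSITIVE_ELEMENTS = {
    "ssn", "driver_license", "account_number", "card_number",
    "access_code", "password",
}

# The statute exempts "encrypted" data but sets no minimum strength (the
# slide's Caesar-cipher question). This allow-list is an assumed internal
# policy: only these ciphers count as encrypted for the exemption.
ACCEPTED_CIPHERS = {"aes-128", "aes-256"}


@dataclass
class BreachedRecord:
    fields: Dict[str, str]          # field name -> value, as found in the compromised store
    ca_resident: bool               # data subject is a California resident
    encrypted_with: Optional[str]   # cipher name, or None if stored in cleartext


def is_personal_information(fields: Dict[str, str]) -> bool:
    """First name (or initial) and last name, plus at least one sensitive element."""
    has_name = ("first_name" in fields or "first_initial" in fields) and "last_name" in fields
    return has_name and any(elem in fields for elem in SENSITIVE_ELEMENTS)


def effectively_encrypted(cipher: Optional[str]) -> bool:
    """Policy check: cleartext and ciphers off the allow-list (e.g. 'caesar') do not qualify."""
    return cipher is not None and cipher.lower() in ACCEPTED_CIPHERS


def classify(rec: BreachedRecord, notify_non_ca: bool = True) -> str:
    """Return one of: not_personal_info, exempt_encrypted, out_of_state, notify."""
    if not is_personal_information(rec.fields):
        return "not_personal_info"
    if effectively_encrypted(rec.encrypted_with):
        return "exempt_encrypted"
    if not rec.ca_resident and not notify_non_ca:
        return "out_of_state"
    return "notify"


def triage(records: List[BreachedRecord], notify_non_ca: bool = True) -> Dict[str, int]:
    """Count records per outcome so the size of the notification effort is visible."""
    counts = {"not_personal_info": 0, "exempt_encrypted": 0, "out_of_state": 0, "notify": 0}
    for rec in records:
        counts[classify(rec, notify_non_ca)] += 1
    return counts


# Constructed sample data (not a real breach); values are placeholders.
SAMPLE_RECORDS = [
    BreachedRecord({"first_name": "Alice", "last_name": "Ng", "ssn": "000-00-0001"}, True, None),
    BreachedRecord({"first_initial": "B", "last_name": "Reyes", "card_number": "4000-0000-0000-0002"}, True, "AES-256"),
    BreachedRecord({"first_name": "Carol", "last_name": "Okafor", "driver_license": "X0000003"}, False, "caesar"),
    BreachedRecord({"first_name": "Dave", "last_name": "Lind", "email": "dave@example.com"}, True, None),
    BreachedRecord({"first_name": "Erin", "ssn": "000-00-0005"}, True, None),  # no last name
]

if __name__ == "__main__":
    print("conservative (notify non-CA too):", triage(SAMPLE_RECORDS))
    print("CA residents only:", triage(SAMPLE_RECORDS, notify_non_ca=False))
```

Running it with `notify_non_ca=False` shows how much of the notification burden the first gray area alone decides; the Caesar-cipher record is never exempt under the assumed policy.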
Examples on SB 1386
- ChoicePoint Inc. had a breach in October 2004
  - Company database contains 19 billion records
  - personal records on 30,000+ consumers stolen by social engineering means
  - Names, SSNs, credit histories, criminal records, etc.
  - People outside CA are concerned they did not get the letter when they should have.
Examples on SB 1386
- SAIC had a break-in in January 2005
  - Several desktops were stolen containing stockholders’ data
  - Names, SSNs, addresses, phone numbers, shares bought/sold/held
  - 45,000 current and former employees affected
- Other recent similar incidents (see references):
  - Bank of America lost tapes (records on 1 million customers)
  - LexisNexis break-in (records on 32,000 U.S. citizens)
  - Boston College (records on 120,000 alumni)
  - CSU Chico break-in (records on ~60,000 students/faculty)
Child Online Protection Act (COPA)
- Purpose: “protecting children from harmful sexual material on the Internet”
- COPA originally consists of two parts
  - Children’s Online Privacy Protection Act (coming up)
  - COPA (partial restatement of a broader Communications Decency Act)
- Concerns:
  - U.S. law enforceable only on U.S. companies
  - Law may violate adults’ freedom of speech
- History
  - 1998: Child Online Protection Act is passed.
  - 1998: Injunction blocking the law from enforcement is obtained.
  - 1999: 3rd Circuit Court of Appeals struck the law down.
  - 2002: Supreme Court finds the reasons for striking it down insufficient.
  - 2003: 3rd Circuit Court of Appeals upheld the 2002 decision.
  - 2004: Supreme Court upheld law as unconstitutional. (Ashcroft v. American Civil Liberties Union)
Children’s Online Privacy Protection Act (COPPA)
- U.S. legislation in effect since April 21, 2000
- The law applies to children under the age of 13.
- “Web site operator” must include a policy on how to obtain “verifiable” consent from a parent.
- Outlines how the “Web site operator” must protect the safety and privacy of children online.
- High cost of compliance.
- Impact:
  - “Web site operators” choose to shut down or to stop providing child content and services rather than comply.
  - Practically very few cases for COPPA violations.
Example on legal liability
- Currently open question of legal liability:
  - “who is responsible for securing a consumer’s data – even on the consumer’s own computer”
- Joe Lopez (Miami) filed a lawsuit against Bank of America on Feb 7
  - His home PC was compromised by a trojan/keylogger (Coreflood)
  - Resulting in loss of $90,348 in wire transfers to Latvia
- The argument:
  - Joe Lopez: Bank of America had not alerted him about malicious code that could infect his computer
  - Bank of America: customers “need to have reasonable computer security”
Example on legal liability
- Who is liable?
  - The customer failed to secure his computer system.
  - The bank failed to secure their customer’s system/instruct him to do so.
  - The bank is responsible for accepting fraudulent ID.
- Implications
  - E-commerce, online shopping, Internet banking, etc.
- The right answer
  - Currently being decided in a court of law
  - Possible solution: awareness and education
Discussion
System Engineering Process Integration
(Diagram, courtesy of Dr. Hery; boxes shown: Mission Need, CONOPS, Assets at Risk, Threat Analysis, Prelim. Risk Analysis, Functional Rqmts, Legal Rqmnts, Corp/Org Policy, Other Rqmts, Primary Sec Rqmts, System Arch., Security Arch, Derived Sec Rqmts, Risk Analysis, Vulner. Analysis, Security Design, System Design, Assess.)
Summary
- Legal requirements
  - affect the system development life cycle
  - affect system and security design
- Compliance ensures
  - the people and the company are protected
  - that the business stays afloat when something goes wrong
- Impact
  - Cost
    - money, work, time
  - Civil/criminal penalties
  - Cultural
Questions & Discussion
- Any questions, comments, etc.
- Please feel free to contact
  - Yevgeniy Shupikov: yevgeniysh@hotmail.com
  - Boris Gitelman: borgit@optonline.net
Homework
- The final homework assignment will be distributed to all by Dr. Hery
  - http://isis.poly.edu/courses/cs996-management-s2005/
References
- General:
  - http://searchsecurity.techtarget.com/topics/0,295493,sid14_tax299993,00.html
  - http://www.wikipedia.org
- Sarbanes-Oxley Act (SOX):
  - http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act
  - http://www.csbs.org/government/legislative/misc/2002_sarbanes-oxley_summary.htm
  - http://www.legalarchiver.org/soa.htm
  - http://www.cpeonline.com/cpenew/sarox.asp
  - http://www.whitehouse.gov/news/releases/2002/07/20020730.html
  - http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci956077,00.html
  - http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci929451,00.html
  - http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1012386,00.html
  - http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1012387,00.html
  - http://news.com.com/The+CIO+time+bomb/2010-1022_3-5287894.html
- USA Patriot Act:
  - http://en.wikipedia.org/wiki/USA_PATRIOT_Act
  - http://www.eff.org/Privacy/Surveillance/Terrorism/20011031_eff_usa_patriot_analysis.php
  - http://www.epic.org/privacy/terrorism/hr3162.html
References
- California Security Breach Information Act (SB 1386):
  - http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html
  - http://searchsecurity.techtarget.com/topic/0,295492,sid14_tax300005,00.html
  - http://www.andysullivan.com/choicepoint.html
  - http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci912476,00.html
  - Security Implications of California’s Senate Bill 1386 by www.credant.com
  - http://news.com.com/Bank+of+America+loses+a+million+customer+records/2100-1029_35590989.html?tag=st.rc.targ_mb
  - http://news.com.com/LexisNexis+break-in+spurs+more+calls+for+reform/2100-1029_3-5606911.html
  - http://www.news10.net/storyfull1.asp?id=9784
  - http://www.signonsandiego.com/uniontrib/20050203/news_1b3saic.html
- Child Online Protection Act, Children’s Online Privacy Protection Act:
  - http://en.wikipedia.org/wiki/COPA
  - http://www.eff.org/legal/cases/ACLU_v_Reno_II/20020513_supreme_decision.pdf
  - http://en.wikipedia.org/wiki/COPPA
  - http://www.ftc.gov/ogc/coppa1.htm
- Example on legal liability:
  - http://searchsecurity.techtarget.com/columnItem/0,294698,sid14_gci1062440,00.html
  - http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1062076,00.html
References
- http://www.nhvship.org/download/hipaa101_Exec_Final.ppt
- HIPAA’s Final Security Rule: How Consul InSight™ Accelerates your Ability to Meet the Audit and Logging Requirements of HIPAA’s Final Security Rule – whitepaper provided by Bill Hery
- Strategies for Complying with the Final HIPAA Security Rule – whitepaper provided by Bill Hery
- Addressing HIPAA Auditing Requirements for Data Access Accountability with Lumigent® Entegra™ – white paper provided by Bill Hery
- http://www.whitehouse.gov/omb/inforeg/2004_fisma_report.pdf
- http://csrc.nist.gov/policies/FISMA-final.pdf
- http://www.fcw.com/fcw/articles/2004/0823/web-fisma-08-27-04.asp
- http://www.marcorsyscom.usmc.mil/sites/ia/documents/Federal%20Information%20Security%20Management%20Act%20(FISMA).htm
- http://csrc.nist.gov/organizations/fissea/conference/2004/presentations/Thursday/FabiusFISSEA-031104.ppt
References continued
- http://www.ftc.gov/privacy/glbact/
- http://www.ftc.gov/privacy/glbact/glbsub1.htm
- http://www.ffhsj.com/bancmail/bmarts/ecdp_art.htm
- http://www.epic.org/privacy/glba/
- http://www.hr.niu.edu/resources/files/Protecting%20NonPublic,%20Personal%20Information%20Under%20the%20Gramm-LeachBliley.ppt#256,1,Protecting Non-Public, Personal Information Under the Gramm-Leach-Bliley Act
- http://csrc.nist.gov/fasp/FASPDocs/programmgmt/NLRB_FISMA_CIO_Feb192004.ppt#297,9,Comprehensive Security Program Through Performance-based Risk Management
- http://www.Wikipedia.org
- http://www.fdic.gov/deposit/deposits/international/us_implementation.ppt#256,1, U.S. Implementation of Basel II: An Overview
- http://www.developer.com/security/article.php/3403901
Data Privacy Laws: US vs. EC Differences
- In the US
  - There are strict laws on the collection and sharing of data about individuals by the government
  - But the laws for corporate data collection and sharing are much looser, except in special cases (e.g., HIPAA)
- In the European Community (EC), the opposite is true:
  - Governments are freer (but not completely free) to collect data about individuals
  - Corporations must disclose what data they are collecting and what it will be used for. Other uses of that data and most sharing of that data are prohibited
- This has had an impact on international operations of US companies, which must distinguish between US and EC citizens or take the more stringent EC approach.
Example: Crypto Laws
- Until recently, the US closely controlled the export of crypto with key length greater than 40 bits except for specified uses (e.g., international banking)
- Some foreign countries ban or limit the use of crypto.
  - http://www2.epic.org/reports/crypto2000/ provides a dated summary
- Until 1999, France required all crypto devices and keys used in France to be registered with the government
- Crypto is so widely used now (e.g., VPNs, SSL) that it is increasingly difficult to regulate. Many people do not even know they are using crypto when they are at a secure web site.
- Check laws in any country you plan to use crypto in (including crypto devices on laptops)