Regulatory Compliance and Information Security - PowerPoint PPT Presentation

1
Regulatory Compliance and Information Security
Uday Ali Pabrai, CISSP, CSCS
Author, The Art of Information Security
2
Security Challenges
  • 99% of all reported intrusions result through
    exploitation of known vulnerabilities or
    configuration errors, for which safeguards and
    countermeasures are available (NIST)
  • Increased dependence on electronic information
    and infrastructure

3
Standards & Regulatory Compliance
  • Seriously influencing security architecture
    priorities
  • International Regulations and Standards
      • ISO/IEC 17799:2005
      • EU Legislations
      • UK Legislations
      • Canada's PIPEDA
      • Japan's PIP
      • Australia's Privacy Act
  • U.S. Regulations
      • Sarbanes-Oxley
      • HIPAA
      • FISMA
      • GLB
      • California Privacy Laws
      • FFIEC
      • 21 CFR Part 11

4
ISO/IEC 17799:2005
  • Is an international security standard
  • Provides an exceptional framework on which an
    organization can base its security infrastructure

5
ISO/IEC 17799:2005
  • Covers these areas:
      • Security Policy
      • Organizing Information Security
      • Asset Management
      • Human Resources Security
      • Physical and Environmental Security
      • Communications and Operations Management
      • Access Control
      • Information Systems Acquisition, Development and
        Maintenance
      • Information Security Incident Management
      • Business Continuity Management
      • Compliance

6
HIPAA
  • HIPAA law has specific requirements for the
    protection of medical records
  • HIPAA includes requirements for:
      • Transactions & Code Sets
      • Identifiers
      • Privacy
      • Security
  • HIPAA Privacy Rule enforced effective April 13,
    2003
  • HIPAA Security Rule enforced effective April 20,
    2005

7
HIPAA Security
8
FISMA
  • The Federal Information Security Management Act
    (FISMA) is Title III of the U.S. E-Government Act
    (Public Law 107-347)
  • It was signed into law by U.S. President George
    W. Bush in December 2002
  • FISMA impacts all U.S. federal information
    systems
  • The FISMA legislation is about protecting
    information and information systems from
    unauthorized access, use, disclosure, disruption,
    modification, or destruction in order to provide
    confidentiality, integrity, and availability (CIA)

9
SOX Security
  • The Sarbanes-Oxley Act of 2002 is having an impact
    on an organization's IT, especially its security
    systems, practices and controls
  • Section 404 is a critical part of the legislation:
    it requires an internal control report
  • Areas of security that require particular
    attention include:
      • Secure identity management
      • Data integrity
      • Automated audit capabilities

10
Payment Card Industry (PCI) Data Security Standard
  • The Payment Card Industry (PCI) Data Security
    Standard (DSS) enables merchants and service
    providers to assess their security status by
    using a single set of security requirements for
    all payment organizations
  • 12 information security requirements have been
    defined
  • The requirements apply to all members, merchants,
    and service providers that store, process, or
    transmit cardholder data

11
PCI DSS Key Requirements
  • The 12 PCI information security requirements are:
      • Install and maintain a firewall configuration to
        protect data
      • Do not use vendor-supplied defaults for system
        passwords and other security parameters
      • Protect stored data
      • Encrypt transmission of cardholder data and
        sensitive information across public networks
      • Use and regularly update anti-virus software
      • Develop and maintain secure systems and
        applications
      • Restrict access to data by business need-to-know
      • Assign a unique ID to each person with computer
        access
      • Restrict physical access to cardholder data
      • Track and monitor all access to network resources
        and cardholder data
      • Regularly test security systems and processes
      • Maintain a policy that addresses information
        security

12
EU - Data Protection Directive (EU DPD)
  • The European Union Data Protection Directive (EU
    DPD) covers the processing of personal data,
    including automatically processed data and manual
    data held in a filing system
  • The EU DPD (Directive 95/46) applies to member
    countries within the EU and to other countries that
    conduct business with member countries

13
UK: The Turnbull Guidance
  • The Turnbull Guidance (1999) is also known as
    Internal Control: Guidance for Directors on the
    Combined Code
  • Goal is to encourage companies to identify and
    manage internal and external risk within the
    organization
  • This regulation impacts all companies listed on
    the UK Stock Exchange
  • Effective date: publicly listed companies in the
    UK have had to comply since December 2000

14
UK Data Protection Act
  • This Act in the UK makes it a legal obligation
    for anyone processing personal data to establish
    good practice in managing and using the data
  • Good information security practice is required
    and includes organizations having the
    capabilities to prevent:
      • Unauthorized or unlawful processing
      • Accidental loss of or damage to data
  • The scope of this legislation covers any
    organization that collects personal data

15
UK Freedom of Information Act 2000
  • This Act states that public authority information
    cannot be altered, defaced or destroyed
  • Public authorities need to implement effective
    records and document management systems, and IT
    security solutions are required to ensure the
    uptime of these systems and that both the
    information and the records kept on them are not
    altered or corrupted in any way
  • Effective date: January 1, 2005

16
Japan - PIP
  • The Japan Personal Information Protection Act
    2003 (PIP) establishes the responsibilities of the
    national government and local governments and the
    obligations of private companies in handling
    personal information
  • Requirements include the ability to safeguard
    personal data and protect it against loss,
    unauthorized access and disclosure
  • Effective date: May 2003 (compliance date: May
    2005)

17
Canada - PIPEDA
  • Canada's Personal Information Protection and
    Electronic Documents Act (PIPEDA) establishes
    rules for the collection, use, and disclosure of
    personal information by organizations during
    commercial activities
  • PIPEDA contains a set of 10 Fair Information
    Principles
  • Effective date: April 2000 (compliance date:
    January 2004)

18
Gramm-Leach-Bliley (GLB)
  • Gramm-Leach-Bliley (GLB) includes provisions for
    the CIA of consumer financial information in the
    areas of:
      • Administrative safeguards
      • Physical safeguards
      • Technical safeguards
  • GLB applies to financial institutions in the USA:
      • Banks, securities firms, insurance companies
      • Other companies selling financial products

19
California Senate Bill 1386 (SB 1386)
  • The California Information Practice Act, or Senate
    Bill 1386 (SB 1386), requires organizations
    conducting business in California to disclose any
    security breach to any California resident whose
    unencrypted personal information was, or is
    reasonably believed to have been, acquired by an
    unauthorized person
  • The law requires notification of security
    breaches involving unencrypted sensitive data
  • Effective date: July 2003

20
California Assembly Bill 1950 (AB 1950)
  • The California Assembly Bill 1950 (AB 1950)
    expands on the privacy requirements of SB 1386
    and requires that organizations take reasonable
    precautions to protect California residents'
    personal data from modification, deletion,
    disclosure, and misuse, rather than just report on
    its disclosure
  • Effective date: January 2005 (compliance date)

21
21 CFR Part 11
  • Title 21 of the U.S. Code of Federal Regulations,
    Part 11 (21 CFR Part 11) outlines the Food and
    Drug Administration's (FDA's) requirements for
    electronic records and electronic signatures
  • FDA is part of the U.S. Department of Health and
    Human Services (HHS)
  • It is designed to prevent fraud while permitting
    the widest possible use of electronic technology
  • Affected organizations include the biopharmaceutical
    (human and veterinary), personal care products,
    medical devices, and food and beverage industries
  • Organizations must implement controls to ensure
    authenticity, integrity, confidentiality, and
    non-repudiation of electronic records
  • Effective date: original date was 1997; FDA's
    Final Guidance was published in August 2003

22
21 CFR Part 11 Key Requirements
  • Impacted organizations must:
      • Establish controls for systems to ensure
        authenticity, integrity and confidentiality of
        data
      • Execute validation of systems to ensure accuracy,
        reliability, and consistency with intended
        performance
      • Use secure, computer-generated, time-stamped
        audit trails for operator entries and actions
      • Use authority checks to ensure only authorized
        individuals can access and use systems
      • Establish and follow written policies and
        security controls that deter falsification of
        records and signatures
      • Ensure that records cannot be excised, copied or
        otherwise transferred to falsify an electronic
        record

23
NERC's Cyber Security Standards
  • The North American Electric Reliability Council
    (NERC) Cyber Security Standards require power
    utilities to assess and enhance their security
    environments
  • Commonly referred to as the Critical Infrastructure
    Protection (CIP) standards 002 through 009:
      • CIP-002: Critical Cyber Assets
      • CIP-003: Security Management Controls
      • CIP-004: Personnel & Training
      • CIP-005: Electronic Security
      • CIP-006: Physical Security
      • CIP-007: Systems Security Management
      • CIP-008: Incident Reporting and Response Planning
      • CIP-009: Recovery Planning

24
Typical Security Remediation Initiatives
  • Enterprise Security Priorities:
      • Deploy Firewall Solutions, IDS/IPS
      • Secure Facilities & Server Systems
      • Deploy Device & Media Control Solutions
      • Implement Identity Management Systems
      • Deploy Access Control Solutions
      • Implement Auto-logoff Capabilities
      • Deploy Integrity Controls and Encryption
      • Activate Auditing Capabilities
      • Test Contingency Plans

25
Enterprise Security Posture?
  • State of information security in business today:
      • Information security executives have more
        information than ever, but that does not mean
        they know what to do with it
      • The bigger the company, the more it watches its
        employees
      • Dramatic rise in surveillance (tracking workers'
        information access)
      • Want to rein in instant messaging and other
        applications
  • Security executives still have difficulty:
      • Identifying who is attacking them
      • Where the attack is coming from
      • How the attack is being executed
  • Firewalls/log files/IDS are typically the way
    attacks are discovered
  • Compliance establishes minimal capabilities to
    deter and detect attacks

26
Emerging Trends
  • Solutions must be able to provide value
    concurrently in two dimensions:
      • Security
      • Availability
  • Businesses are looking at addressing compliance
    from a strategic perspective
      • Mandate a proactive approach to building a
        comprehensive set of capabilities in security and
        availability
      • Must lead to a positive impact on costs and
        performance
  • Acute corporate demand for infrastructure
    solutions that address regulatory compliance
    issues

27
Strategic Approach
  • A strategic approach to compliance must include
    some or all of the following:
      • Improving security while enhancing asset
        availability
      • Strengthening governance, risk mitigation, and
        compliance programs
      • Enhancing performance through operational cost
        reductions or revenue protection
      • Improving strategic positioning with capabilities
        such as those that can help with merger,
        acquisition, divestment, or consolidation
  • Executives must have a clear understanding of the
    domestic regulations and standards that impact
    their operations and industry

28
Critical Strategic Task Sets
  • Establish and implement security controls
  • Maintain, protect and assess compliance with
    established safeguards
  • Identify, respond to, and remediate weaknesses
    and violations
  • Build and maintain reporting capabilities that
    can reliably demonstrate compliance
  • The challenge is how to map regulatory requirements
    to specific security imperatives and then
    identify the solutions most appropriate for
    compliance, security and availability

29
Getting Compliant: Critical Steps
30
Defense In-Depth
31
Enterprise Security Goals
  • Establish your enterprise security objectives.
    These may include:
      • Ensure confidentiality, integrity & availability
        of all sensitive business information
      • Protect against any reasonably anticipated
        threats or hazards to the security or integrity
        of information
      • Protect against any reasonably anticipated uses
        or disclosures of such information that are not
        permitted or required
      • Ensure compliance with legislation and standards
        as required

32
Thank You!
  • Contact Information: Pabrai@ecfirst.com