Download presentation: CS 996 Information Security Management Legal Requirements

b6f65a3126acf4c6a365f11fc032eb94.ppt

  • Number of slides: 74

CS 996 Information Security Management: Legal Requirements & Regulatory Compliance
Yevgeniy Shupikov, Boris Gitelman
Polytechnic University, Spring 2005

Overview
• Why legal
• Major U.S. laws
  ◦ HIPAA
  ◦ Gramm-Leach-Bliley Act
  ◦ FISMA
  ◦ Basel II
  ◦ Sarbanes-Oxley Act
  ◦ USA PATRIOT Act
  ◦ California's SB 1386
  ◦ COPA & COPPA
• Systems and Security Engineering Process Integration
• Summary
• Questions & Discussion
• Homework
• References
• Examples:
  ◦ SB 1386 precedent
  ◦ Examples on SB 1386
  ◦ Example on legal liability

Why legal
• The focus of this presentation is
  ◦ To present briefly various major laws;
  ◦ To describe their intention, impact, and significance;
  ◦ To show how laws lead to security requirements for systems.
• We will show some examples of cases
  ◦ Because the U.S. legal system is vastly precedent driven;
  ◦ To show how laws impact the real world; and
  ◦ To emphasize the cost of compliance and noncompliance.

Framework for each law
• General introduction
  ◦ Motivation, overall goal
• Specific clauses with security implications
  ◦ What are the implied security requirements?
• Cost of compliance
• Cost of non-compliance
  ◦ Fines, jail, other penalties, etc.
• Examples from news
  ◦ Precedent cases leading to the law's creation
  ◦ Court cases after the law was passed

What is HIPAA?
• Health Insurance Portability and Accountability Act
• A comprehensive federal law passed in 1996 that institutes major medical reform
• HIPAA's main theme: KEEP INDIVIDUALS' HEALTH INFORMATION SECURE AND CONFIDENTIAL

HIPAA Structure
• HIPAA
  ◦ Title I: Insurance Portability
  ◦ Title II: Administrative Simplification
    ▪ Security Rule
    ▪ Privacy Rule
    ▪ Other Standards

HIPAA Security Rule
• Ensure
  ◦ Confidentiality (only the right people see it)
  ◦ Integrity (the information is what it is supposed to be – it hasn't been changed)
  ◦ Availability (the information can be obtained when needed)
• Covers what safeguards must be in place to protect health information from unauthorized access, alteration, deletion, or transmission.
• Applies only to electronic health information
• Compliance date: April 21, 2005

HIPAA Security Rule Provisions
• Three types:
  ◦ Administrative – relates primarily to policies, procedures and organizational practices
  ◦ Physical – physical measures, policies and procedures to protect electronic information systems, buildings and equipment from natural, man-made and environmental hazards, and unauthorized access
  ◦ Technical – relates to the processes that must be put in place to protect, control and monitor information access; mechanisms to be employed to guard data integrity, confidentiality and availability

HIPAA Security Rule – Administrative Safeguards Section

HIPAA Security Rule – Technical Safeguards Section

HIPAA Security Rule – Physical Safeguards Section

HIPAA Privacy Rule
• The Privacy Rule covers what patient health information is to be protected, the use and disclosures of this information, and what rights patients have with respect to their information
• Rule applies to health information in any form (electronic or paper based)
• Compliance date: April 14, 2003

Privacy Rule Provisions
• Designation of a privacy officer
• Privacy training for all employees
• Reasonable safeguards to prevent intentional or incidental disclosure or misuse of PHI
• Formal sanctions for employee violations
• Provide individuals a "Notice of Privacy Practices" statement
• Provide written authorization for the disclosure of any medical information

Cost of HIPAA Non-Compliance
• Civil penalty
  ◦ $100 for each violation
  ◦ Maximum of $25,000 per year per incident
• Unauthorized disclosure or misuse of patient information (criminal penalty)
  ◦ Penalties up to $250,000
  ◦ Prison time up to 10 years
• Penalties may apply to the individual violator, but they may also apply to the organization or even to its officers

Costs of HIPAA Compliance
• The government made 5-year, "conservative" cost estimates of the privacy regulation alone at $3.8 BILLION
• The American Hospital Association estimates that hospitals alone may spend up to $20 BILLION over 5 years on information systems changes & upgrades
• In the long run, however, significant savings may be realized due to industry standardization, automation, and lower overhead
• For example, a PAPER-based claim costs $6.00 to $8.00 to process… The same claim in ELECTRONIC form costs $0.17 to process

Gramm-Leach-Bliley (GLB) Act
• The GLB Act is a 1999 Federal law which requires "financial institutions" to ensure the security and confidentiality of customer personal information
• Financial institutions include mortgage lenders, loan brokers, financial or investment advisers, tax preparers, providers of real estate settlement services, and debt collectors
• Colleges and universities are considered financial institutions under the Act
• Has two main provisions: Privacy Rule, Safeguards Rule

What is "Customer Information"?
• Social security numbers
• Bank account numbers
• Credit card account numbers
• Date and/or location of birth
• Account balances; payment histories; credit ratings; income histories
• Driver's license information
• ACH (Automated Clearing House) numbers
• Tax return information

What is the Privacy Rule?
• Requires financial institutions to give their customers privacy notices that explain the financial institution's information collection and sharing practices.
• Customers have the right to limit some sharing of their information.
• Companies that receive personal financial information from a financial institution may be limited in their ability to use that information.

Safeguards Rule
• The Safeguards Rule requires "financial institutions" to develop an information security program that includes these components:
  ◦ Designate a Security Program Coordinator responsible for coordinating the program
  ◦ Conduct a risk assessment to identify reasonably foreseeable security and privacy risks.
  ◦ Ensure that safeguards are employed to control the identified risks; regularly test and monitor the effectiveness of these safeguards.

Objectives of the Safeguards Rule
1. To ensure the security and confidentiality of customer records and information.
2. To protect against any anticipated threats or hazards to the security or integrity of such records.
3. To protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

GLB Safeguards
• There are three types of safeguards that must be considered as part of the Safeguards Rule:
  ◦ Administrative
  ◦ Physical
  ◦ Technical

Administrative Safeguards
• Reference checks for potential employees
• Confidentiality agreements that include standards for handling customer information
• Training employees on basic steps they must take to protect customer information
• Assure employees are knowledgeable about applicable policies and expectations
• Limit access to customer information to employees who have a business need to see it
• Impose disciplinary measures where appropriate

Physical Safeguards
• Locking rooms and file cabinets where customer information is kept
• Using password-activated screensavers
• Using strong passwords
• Changing passwords periodically and not writing them down
• Encrypting sensitive customer information transmitted electronically
• Referring calls or requests for customer information to staff trained to respond to such requests
• Being alert to fraudulent attempts to obtain customer information and reporting these to management for referral to appropriate law enforcement agencies

Technical Safeguards
• Storing electronic customer information on a secure server that is accessible only with a password, or has other security protections, and is kept in a physically secure area
• Avoiding storage of customer information on machines with an Internet connection
• Maintaining secure backup media and securing archived data
• Using anti-virus software that updates automatically
• Obtaining and installing patches that resolve software vulnerabilities
• Following written contingency plans to address breaches of safeguards
• Maintaining up-to-date firewalls, particularly where there is broadband Internet access or staff are allowed to connect to the network from home
• Providing central management of security tools and keeping employees informed of security risks and breaches

FISMA
• Federal Information Security Management Act
• Title III of the Electronic Government Act of 2002
• Applies to Federal Agencies, including government contractors
• Purpose is to secure the information infrastructure used in all of the Federal Agencies

FISMA Requirements for Federal Agencies
• Plan for security
• Ensure that appropriate officials are assigned security responsibility
• Review periodically the security controls in their information systems
• Annual security reporting to the Office of Management and Budget
• Security awareness training
• Follow guidelines issued by NIST for information security controls

FISMA Requirements (continued)
• Report to Congress provides:
  ◦ A summary of government-wide performance in the area of information technology security management
  ◦ An analysis of government-wide weaknesses in information technology security practices, and
  ◦ A plan of action to improve information technology security performance

FISMA Requirements (continued)
• Report to Congress includes:
  ◦ Certification and accreditation of systems
  ◦ Security costs
  ◦ Annual testing of system controls
  ◦ Contingency planning
  ◦ Implementation of security configuration requirements

FISMA Areas
• Computer Incident Response Capability*
• Policy Management & Integration*
• Sec Awareness, Training, & Education*
• Security Roles & Responsibilities*
• Critical Infrastructure Protection*
• Security Response (COOP)*
• Physical Security (IT)*
• Congressional Reporting*
• Information Security Operations Policy & Compliance Mgmt
• Performance Measurements*
• Sec within CPIC (Funding)*
• ISSO Management*
• IS Program Management
• Contractor Compliance* (Strategic)
• Patch Management*
• Standards, Baselines & Config*
• System Integration, Configuration, & Lifecycle Mgmt
• Vulnerability, Certification & Accreditation Mgmt
• Contractor Assessments*
• C&A Process Management*
• Risk Management*
• Security within System Lifecycle Management*
• Document Management*

Roles and Responsibilities for IT Security Management Team
• Roles: Agency Head, Inspector General, Chief Information Officer, Program Officials and System Owners, ISSO
• Responsibilities (as listed on the slide):
  ◦ Held accountable ultimately for the protection of an agency's systems
  ◦ Verify that security program elements exist
  ◦ Expected to include security as a part of strategic and operational planning
  ◦ Validate Plan of Action & Milestones
  ◦ Identify all known security weaknesses and ensure that a robust process exists for maintaining the POA&M
  ◦ Assign CIOs compliance responsibility
  ◦ Designate a senior information security officer who reports directly to the CIO
  ◦ Held accountable for agency-wide security program
  ◦ Develop …
  ◦ Carry out responsibilities of the CIO
  ◦ Security is the ISSO's primary responsibility, not another duty as assigned
  ◦ Maintain professional qualifications
  ◦ Assess risk and test controls
  ◦ Update system documentation
  ◦ Ensure systems are certified and accredited and implement policies, procedures and controls
  ◦ Report to OMB on progress quarterly

Overview of Agency Security

FISMA Cost of non-compliance
• Probable exploitation of security vulnerabilities
• Unauthorized access and/or modification of sensitive data
• Jeopardized funding for current and future IT projects

FISMA Cost of compliance
• "In F[iscal] Y[ear] 2004, the Federal agencies spent $4.2 billion securing the government's total information technology investment of approximately $59 billion, or about seven percent of the total information technology portfolio."

Basel II Objectives (2004)
• An international set of recommendations aimed at producing uniformity in the way banks approach risk and asset management
• Requires all banking institutions to have sufficient assets to offset any risks they may face
• Compliance by end of 2006
• Advances a "three-pillar" approach

Basel II – the Three Pillars
Capital Adequacy: new regulatory structure based on three pillars
• Pillar 1: Minimum Capital Requirement – rules to calculate required capital
• Pillar 2: Supervisory Review Process – increased supervisory power
• Pillar 3: Market Discipline Requirements – increased disclosure requirements

Types of risk in Basel II
• Credit risk – the risk that a borrower or counterparty might not honour its contractual obligations
• Market risk – the risk of adverse price movements such as exchange rates, the value of securities, and interest rates
• Operational risk – the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events
• The role of IT is to minimize the operational risk of an organization by ensuring Confidentiality, Integrity, and Availability (CIA)

Sarbanes-Oxley Act (SOX)
• SOX effective July 30, 2002
  ◦ House: 107 H.R. 3763, H. Rept. 107-414, H. Rept. 107-610
  ◦ Senate: 107 S. 2673, S. Rept. 107-205
  ◦ Law: Pub. L. 107-204, 116 Stat. 745
• Named after Senator Paul Sarbanes and Representative Michael G. Oxley
• a.k.a. Public Company Accounting Reform and Investor Protection Act of 2002
• Precedent: series of corporate financial scandals
  ◦ Enron, Arthur Andersen, WorldCom, Tyco
• Motivation: revise outdated legislation on audit requirements for public companies
• Applies to public companies filing form 10-K with the Securities and Exchange Commission

SOX Structure
• Organized into 11 titles:
  ◦ Title I: Public Company Accounting Oversight Board
  ◦ Title II: Auditor Independence
  ◦ Title III: Corporate Responsibility
  ◦ Title IV: Enhanced Financial Disclosures
  ◦ Title V: Analyst Conflicts of Interest
  ◦ Title VI: Commission Resources and Authority
  ◦ Title VII: Studies and Reports
  ◦ Title VIII: Corporate and Criminal Fraud Accountability
  ◦ Title IX: White Collar Crime Penalty Enhancements
  ◦ Title X: Corporate Tax Returns
  ◦ Title XI: Corporate Fraud Accountability

SOX: Excerpts
• Title I: Evaluation of whether internal control structure and procedures include records that accurately reflect transactions and disposition of assets
• Title III: Internal controls have been reviewed for their effectiveness within 90 days prior to the report
• Title IV: Requires senior management, directors, and principal stockholders to disclose changes in securities ownership or securities-based swap agreements within two business days (formerly ten days after the close of the calendar month). Mandates electronic filing and availability of such disclosures one year after the date of enactment.

SOX: Major Provisions
• CEOs, CFOs, and directors
  ◦ May not get personal loans from the company
  ◦ Must publicly report their compensation, profits & additional disclosures
  ◦ Must certify truthfulness and completeness of
    ▪ the company's financial reports and
    ▪ reports on presence and effectiveness of internal controls (structures to detect, prevent, and correct errors and fraud within the company)
• Criminal and civil penalties for securities violations
  ◦ Significantly longer jail sentences and larger fines

SOX: Major Provisions
• Independent auditor
  ◦ Auditor rotation [at most 5 consecutive years]
  ◦ Mandatory internal audit certified by external auditors
  ◦ Annual independent audit reports regarding internal controls and financial reporting
• 7-year retention period on audit documents (includes everything from reports to internal emails)
• Numerous restrictions on employment of/by auditors, services auditing firms provide to the corporation and vice versa, affiliate/sub-division involvement, other conflict-of-interest arrangements, etc.
• Attorneys liable to disclose violations.

SOX Cost of non-compliance
• Public companies in violation may be taken off the NYSE and NASDAQ by the SEC.
• The SEC is authorized to freeze personal and corporate payments, funds, and accounts temporarily.
• Corporate fines up to $25,000.
• "Knowing"
  ◦ Fines of $1,000 and/or
  ◦ Jail sentences up to 10 years
• "Willing"
  ◦ Fines of $5,000 and/or
  ◦ Jail sentences up to 20 years

SOX IT Impact
• If top executives are liable for the data they sign off on, they will make sure that data is accurate and protected:
  ◦ Confidentiality: no one except financial officers, auditors, and executives should have access to it
  ◦ Integrity: better make sure it hasn't been tampered with, or else jail
    ▪ Authentication, non-repudiation, etc.
  ◦ Availability: obligated to disclose this data to the SEC and the Public Company Accounting Oversight Board (PCAOB) within 2 days

SOX IT Impact
• Data retention policy and the mechanisms to implement it correctly: how do you collect and store all data relating to financial and audit reviews, reports, electronic and voice communications, and other documents that contain analysis, reports, or opinions that served as the basis for creating the financial and audit records?
  ◦ With respect to confidentiality, integrity, and availability

SOX IT Impact
• How do top executives know/ensure the data they sign was accurate to begin with?
• Internal Controls: design, implement, and monitor
  ◦ complete, fast, reliable, and effective
  ◦ methods, mechanisms, and procedures to
  ◦ prevent, find, and correct
  ◦ inaccurate, incomplete, and/or fraudulent
  ◦ documents and activities within the company

SOX Impact
• Smaller companies may be affected when trading with a larger SOX-compliant company
• SOX allegedly tends to increase the quantity but not the quality of financial reports.
• Companies have to think twice before going public: some stay private.
• Some private companies comply with SOX voluntarily as a measure of security and a show of industry competitiveness.
• CEOs, CFOs, directors, and auditors are much more cautious and concerned.
• Restored image of "greater corporate integrity" and "honest enterprise"

SOX: Guidance on Compliance
• COSO (Committee of Sponsoring Organizations of the Treadway Commission)
  ◦ Enterprise Risk Management Framework: www.erm.coso.org
  ◦ Assess control environment, determine objectives, prepare risk assessment, monitor controls
• CobiT (Control Objectives for Information and related Technology)
  ◦ More at www.isaca.org/cobit.htm
• ISO-17799
  ◦ http://www.iso.ch/iso/en/prods-services/ISOstore/store.html
• Information Systems Audit and Control Association (ISACA)
• American Institute of Certified Public Accountants (AICPA)

USA PATRIOT Act
• Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001
• USA PATRIOT Act effective October 26, 2001
  ◦ H.R. 3162, S. 1510, Public Law 107-56
• Incorporates the older Foreign Intelligence Surveillance Act
• Response to September 11, 2001
• Broad, complicated, and lengthy legislation
  ◦ 342 pages with 158 sections and 15 amendments to federal statutes
• As of November 2004
  ◦ 372 suspected terrorists charged
  ◦ 194 convicted

USA PATRIOT Act: IT Sections
• Title I: Enhancing domestic security against terrorism
  ◦ Sec. 103. Increased funding for the technical support center at the Federal Bureau of Investigation.
  ◦ Sec. 105. Expansion of National Electronic Crime Task Force Initiative.
• Title II: Enhanced surveillance procedures
  ◦ Sec. 201. Authority to intercept wire, oral, and electronic communications relating to terrorism.
  ◦ Sec. 202. Authority to intercept wire, oral, and electronic communications relating to computer fraud and abuse offenses.
  ◦ Sec. 203. Authority to share criminal investigative information.
  ◦ Sec. 204. Clarification of intelligence exceptions from limitations on interception and disclosure of wire, oral, and electronic communications.
  ◦ Sec. 209. Seizure of voice-mail messages pursuant to warrants.
  ◦ Sec. 210. Scope of subpoenas for records of electronic communications.
  ◦ Sec. 212. Emergency disclosure of electronic communications to protect life and limb.
  ◦ Sec. 217. Interception of computer trespasser communications.
  ◦ Sec. 220. Nationwide service of search warrants for electronic evidence.
  ◦ Sec. 223. Civil liability for certain unauthorized disclosures.

USA PATRIOT Act: IT Sections
• Title III: International money laundering abatement and anti-terrorist financing act of 2001
  ◦ Sec. 312. Special due diligence for correspondent accounts and private banking accounts.
  ◦ Sec. 326. Verification of identification.
  ◦ Sec. 328. International cooperation on identification of originators of wire transfers.
  ◦ Sec. 361. Financial crimes enforcement network.
  ◦ Sec. 362. Establishment of highly secure network.
  ◦ Sec. 366. Efficient use of currency transaction report system.
• Title IV: Protecting the border
  ◦ Sec. 403. Access by the Department of State and the INS to certain identifying information in the criminal history records of visa applicants and applicants for admission to the United States.
  ◦ Sec. 405. Report on the integrated automated fingerprint identification system for ports of entry and overseas consular posts.
  ◦ Sec. 414. Visa integrity and security.
  ◦ Sec. 416. Foreign student monitoring program.
  ◦ Sec. 417. Machine readable passports.

USA PATRIOT Act: IT Sections
• Title V: Removing obstacles to investigating terrorism
  ◦ Sec. 507. Disclosure of educational records.
  ◦ Sec. 508. Disclosure of information from NCES surveys.
• Title VI: Providing for victims of terrorism, public safety officers, and their families
• Title VII: Increased information sharing for critical infrastructure protection
  ◦ Sec. 711. Expansion of regional information sharing system to facilitate Federal-State-local law enforcement response related to terrorist attacks.
• Title VIII: Strengthening criminal laws against terrorism
  ◦ Sec. 815. Additional defense to civil actions relating to preserving records in response to Government requests.
  ◦ Sec. 816. Development and support of cybersecurity forensic capabilities.

USA PATRIOT Act: IT Sections
• Title IX: Improved intelligence
  ◦ Sec. 903. Sense of Congress on the establishment and maintenance of intelligence relationships to acquire information on terrorists and terrorist organizations.
• Title X: Miscellaneous
  ◦ Sec. 1003. Definition of 'electronic surveillance'.
  ◦ Sec. 1008. Feasibility study on use of biometric identifier scanning system with access to the FBI integrated automated fingerprint identification system at overseas consular posts and points of entry to the United States.
  ◦ Sec. 1015. Expansion and reauthorization of the crime identification technology act for antiterrorism grants to States and localities.

USA PATRIOT Act
• Expanded surveillance with reduced checks and balances
  ◦ wiretaps, search warrants, pen/trap orders, and subpoenas
  ◦ online activity, phones, faxes, ISP records
  ◦ DNA samples, bank records/accounts, surveys, college records/transcripts
  ◦ some "relevant" information vs. "probable cause" from the 4th Amendment
  ◦ no reporting back on results vs. report to judge with results
  ◦ valid for up to a year vs. up to 30 days
  ◦ Police, FBI, CIA, others; shared information

USA PATRIOT Act
• Concerns:
  ◦ The majority of sections were not carefully studied and debated in Congress, nor was advice taken from experts outside law enforcement.
  ◦ A large setback to Americans' civil liberties, particularly privacy.
  ◦ Insufficient evidence that the provisions ARE needed and WILL provide a measure against terrorism.

SB 1386 precedent
• The California state payroll database was compromised on April 5, 2002.
  ◦ Personal records on 260,000 state employees
  ◦ Names, SSNs, and payroll information.
• The security breach was discovered on May 7, 2002.
• The state notified the people on May 24, 2002.
• Public opinion was that it took too long to issue the warnings.

California Security Breach Information Act (SB 1386)
• SB 1386 effective July 1, 2003
• Applies to any person or company "conducting business"
  ◦ with unencrypted computerized personal information on CA residents
    ▪ first name or initial and last name, and one of the following: SSN, driver license, account/card number, code/password, other access-granting information
  ◦ must notify the people of the security breach
    ▪ publicly (reputations at stake), via mail (expensive), or via email (inexpensive, but must comply with the E-Sign law).
    ▪ "in the most expedient time possible, consistent with the legitimate needs of law enforcement … or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system."

California Security Breach Information Act (SB 1386) (continued)
• Intent: timely alert people about a possible occurrence of identity theft
• Motivation: having to disclose breaches will push companies
  ◦ to review systems and policies in preparation to comply.
  ◦ to improve their network/computer security.
  ◦ to reduce the amount of personal information stored.
  ◦ to use encryption to secure their data.
  ◦ to use intrusion detection/prevention software to respond in a timely manner.

California Security Breach Information Act (SB 1386) (continued)
• Impact:
  ◦ Potentially high cost of compliance.
  ◦ Some companies are required to go public (e.g. over 500,000 records).
  ◦ Victims of a violation of SB 1386 can/will/do take civil action. Think about 30,000 simultaneous cases against your company and the cost involved.
  ◦ Similar legislation may soon appear in other states and/or on the federal level.
    ▪ Notification of Risk to Personal Data Act (Senator Dianne Feinstein)
• Gray areas:
  ◦ Do CA companies notify non-CA residents?
  ◦ Do out-of-state companies have to comply?
  ◦ The law does not apply if the data is encrypted, with no minimum strength requirement. What if they use the Caesar cipher?
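The Caesar-cipher gray area can be made concrete. The Python below is an added example and not part of the original slides: it stores a constructed sample SSN under a shift cipher over an assumed 36-symbol alphabet, recovers it by exhaustively trying every shift, and compares the cipher's keyspace against an assumed 128-bit minimum that the statute, as the slide notes, does not require.

```python
import math
import re
import string

# Constructed toy alphabet: letters and digits, 36 symbols. Characters
# outside it (dashes, spaces) pass through unchanged.
ALPHABET = string.ascii_uppercase + string.digits
SSN_PATTERN = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def caesar_shift(text, shift):
    """Shift every alphabet symbol by `shift` positions (mod 36)."""
    out = []
    for ch in text.upper():
        idx = ALPHABET.find(ch)
        if idx == -1:
            out.append(ch)
        else:
            out.append(ALPHABET[(idx + shift) % len(ALPHABET)])
    return "".join(out)


def caesar_encrypt(plaintext, shift):
    return caesar_shift(plaintext, shift)


def caesar_decrypt(ciphertext, shift):
    return caesar_shift(ciphertext, -shift)


def recover_ssn_candidates(ciphertext):
    """Try every non-zero shift and keep the results that look like an SSN.

    With only 35 possible keys the stored value is recovered without any key:
    this is what 'encrypted' can mean when no minimum strength is defined.
    """
    candidates = []
    for shift in range(1, len(ALPHABET)):
        candidate = caesar_decrypt(ciphertext, shift)
        if SSN_PATTERN.match(candidate):
            candidates.append((shift, candidate))
    return candidates


def keyspace_bits(number_of_keys):
    """Effective key length, in bits, of a cipher with the given number of keys."""
    return math.log2(number_of_keys)


def meets_minimum_strength(number_of_keys, minimum_bits=128):
    """Hypothetical minimum-strength test (128-bit threshold is an assumption)."""
    return keyspace_bits(number_of_keys) >= minimum_bits


if __name__ == "__main__":
    ssn = "123-45-6789"                 # constructed sample record
    stored = caesar_encrypt(ssn, 7)
    print("stored value:", stored)     # 89A-BC-DEFG
    for shift, cand in recover_ssn_candidates(stored):
        print(f"shift {shift}: {cand}")
    keys = len(ALPHABET) - 1
    print(f"Caesar keys: {keys}, about {keyspace_bits(keys):.2f} bits")
    print("Caesar meets 128-bit minimum:", meets_minimum_strength(keys))
    print("AES-128 meets 128-bit minimum:", meets_minimum_strength(2 ** 128))
```

Running the block prints the two SSN-shaped candidates (the true one at shift 7 and a false one at shift 8), which is as much protection as the shift cipher gives; a statute that accepted this as "encrypted" would exempt the breach from notification. A defensible policy pins the exemption to a named algorithm and key length, which is what the `meets_minimum_strength` check models.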

Examples on SB 1386
• ChoicePoint Inc. had a breach in October 2004
  ◦ Company database contains 19 billion records
  ◦ Personal records on 30,000+ consumers stolen by social engineering means
  ◦ Names, SSNs, credit histories, criminal records, etc.
  ◦ People outside CA are concerned they did not get the letter when they should have.

Examples on SB 1386
• SAIC had a break-in in January 2005
  ◦ Several desktops were stolen containing stockholders' data
  ◦ Names, SSNs, addresses, phone numbers, shares bought/sold/held
  ◦ 45,000 current and former employees affected
• Other recent similar incidents (see references):
  ◦ Bank of America lost tapes (records on 1 million customers)
  ◦ LexisNexis break-in (records on 32,000 U.S. citizens)
  ◦ Boston College (records on 120,000 alumni)
  ◦ CSU Chico break-in (records on ~60,000 students/faculty)

Child Online Protection Act (COPA)
• Purpose: "protecting children from harmful sexual material on the Internet"
• COPA originally consists of two parts
  ◦ Children's Online Privacy Protection Act (coming up)
  ◦ COPA (partial restatement of the broader Communications Decency Act)
• Concerns:
  ◦ U.S. law enforceable only on U.S. companies
  ◦ Law may violate adults' freedom of speech
• History
  ◦ 1998: Child Online Protection Act is passed.
  ◦ 1998: Injunction blocking the law from enforcement is obtained.
  ◦ 1999: 3rd Circuit Court of Appeals strikes the law down.
  ◦ 2002: Supreme Court finds the reasons for striking it down insufficient.
  ◦ 2003: 3rd Circuit Court of Appeals upholds the 2002 decision.
  ◦ 2004: Supreme Court upholds law as unconstitutional. (Ashcroft v. American Civil Liberties Union)

Children's Online Privacy Protection Act (COPPA)
- U.S. legislation in effect since April 21, 2000
- The law applies to children under the age of 13.
- The "Web site operator" must include a policy on how to obtain "verifiable" consent from a parent.
- Outlines how the "Web site operator" must protect the safety and privacy of children online.
- High cost of compliance.
- Impact:
  - "Web site operators" choose to shut down or to stop providing child content and services rather than comply.
  - In practice, very few cases for COPPA violations.

Example on legal liability
- Currently open question of legal liability:
  - "Who is responsible for securing a consumer's data, even on the consumer's own computer?"
- Joe Lopez (Miami) filed a lawsuit against Bank of America on Feb 7
  - His home PC was compromised by a trojan/keylogger (Coreflood)
  - Resulting in a loss of $90,348 in wire transfers to Latvia
- The argument:
  - Joe Lopez: Bank of America had not alerted him about malicious code that could infect his computer
  - Bank of America: customers "need to have reasonable computer security"

Example on legal liability
- Who is liable?
  - The customer failed to secure his computer system.
  - The bank failed to secure their customer's system, or to instruct him to do so.
  - The bank is responsible for accepting a fraudulent ID.
- Implications:
  - E-commerce, online shopping, Internet banking, etc.
- The right answer:
  - Currently being decided in a court of law
  - Possible solution: awareness and education
  - Discussion

System Engineering Process Integration
[Diagram, courtesy of Dr. Hery, showing where legal requirements enter the system engineering process. Elements: Mission Need, CONOPS, Assets at Risk, Threat Analysis, Prelim. Risk Analysis, Functional Rqmts, Legal Rqmts, Corp/Org Policy, Other Rqmts, Primary Sec Rqmts, Derived Sec Rqmts, System Arch., Security Arch, Assess, Risk Analysis, Vulner. Analysis, Security Design, System Design, Assess.]

Summary
- Legal requirements
  - affect the system development life cycle
  - affect system and security design
- Compliance ensures
  - the people and the company are protected
  - that the business stays afloat when something goes wrong
- Impact
  - Cost: money, work, time
  - Civil/criminal penalties
  - Cultural

Questions & Discussion
- Any questions, comments, etc.
- Please feel free to contact
  - Yevgeniy Shupikov: yevgeniysh@hotmail.com
  - Boris Gitelman: borgit@optonline.net

Homework
- The final homework assignment will be distributed to all by Dr. Hery
  - http://isis.poly.edu/courses/cs996-management-s2005/

References
- General:
  - http://searchsecurity.techtarget.com/topics/0,295493,sid14_tax299993,00.html
  - http://www.wikipedia.org
- Sarbanes-Oxley Act (SOX):
  - http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act
  - http://www.csbs.org/government/legislative/misc/2002_sarbanes-oxley_summary.htm
  - http://www.legalarchiver.org/soa.htm
  - http://www.cpeonline.com/cpenew/sarox.asp
  - http://www.whitehouse.gov/news/releases/2002/07/20020730.html
  - http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci956077,00.html
  - http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci929451,00.html
  - http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1012386,00.html
  - http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1012387,00.html
  - http://news.com/The+CIO+time+bomb/2010-1022_3-5287894.html
- USA PATRIOT Act:
  - http://en.wikipedia.org/wiki/USA_PATRIOT_Act
  - http://www.eff.org/Privacy/Surveillance/Terrorism/20011031_eff_usa_patriot_analysis.php
  - http://www.epic.org/privacy/terrorism/hr3162.html

References
- California Security Breach Information Act (SB 1386):
  - http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html
  - http://searchsecurity.techtarget.com/topic/0,295492,sid14_tax300005,00.html
  - http://www.andysullivan.com/choicepoint.html
  - http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci912476,00.html
  - Security Implications of California's Senate Bill 1386, by www.credant.com
  - http://news.com/Bank+of+America+loses+a+million+customer+records/2100-1029_35590989.html?tag=st.rc.targ_mb
  - http://news.com/LexisNexis+break-in+spurs+more+calls+for+reform/2100-1029_3-5606911.html
  - http://www.news10.net/storyfull1.asp?id=9784
  - http://www.signonsandiego.com/uniontrib/20050203/news_1b3saic.html
- Child Online Protection Act, Children's Online Privacy Protection Act:
  - http://en.wikipedia.org/wiki/COPA
  - http://www.eff.org/legal/cases/ACLU_v_Reno_II/20020513_supreme_decision.pdf
  - http://en.wikipedia.org/wiki/COPPA
  - http://www.ftc.gov/ogc/coppa1.htm
- Example on legal liability:
  - http://searchsecurity.techtarget.com/columnItem/0,294698,sid14_gci1062440,00.html
  - http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1062076,00.html

References
- http://www.nhvship.org/download/hipaa101_Exec_Final.ppt
- HIPAA's Final Security Rule: How Consul InSight™ Accelerates your Ability to Meet the Audit and Logging Requirements of HIPAA's Final Security Rule (white paper provided by Bill Hery)
- Strategies for Complying with the Final HIPAA Security Rule (white paper provided by Bill Hery)
- Addressing HIPAA Auditing Requirements for Data Access Accountability with Lumigent® Entegra™ (white paper provided by Bill Hery)
- http://www.whitehouse.gov/omb/inforeg/2004_fisma_report.pdf
- http://csrc.nist.gov/policies/FISMA-final.pdf
- http://www.fcw.com/fcw/articles/2004/0823/web-fisma-08-27-04.asp
- http://www.marcorsyscom.usmc.mil/sites/ia/documents/Federal%20Information%20Security%20Management%20Act%20(FISMA).htm
- http://csrc.nist.gov/organizations/fissea/conference/2004/presentations/Thursday/Fabius.FISSEA-031104.ppt

References continued
- http://www.ftc.gov/privacy/glbact/glbsub1.htm
- http://www.ffhsj.com/bancmail/bmarts/ecdp_art.htm
- http://www.epic.org/privacy/glba/
- http://www.hr.niu.edu/resources/files/Protecting%20Non.Public,%20Personal%20Information%20Under%20the%20Gramm-Leach.Bliley.ppt#256,1,Protecting Non-Public, Personal Information Under the Gramm-Leach.Bliley Act
- http://csrc.nist.gov/fasp/FASPDocs/programmgmt/NLRB_FISMA_CIO_Feb192004.ppt#297,9,Comprehensive Security Program Through Performance-based Risk Management
- http://www.Wikipedia.org
- http://www.fdic.gov/deposits/international/us_implementation.ppt#256,1,U.S. Implementation of Basel II: An Overview
- http://www.developer.com/security/article.php/3403901

Data Privacy Laws: US vs. EC Differences
- In the US
  - There are strict laws on the collection and sharing of data about individuals by the government
  - But the laws for corporate data collection and sharing are much looser, except in special cases (e.g., HIPAA)
- In the European Community (EC), the opposite is true:
  - Governments are freer (but not completely free) to collect data about individuals
  - Corporations must disclose what data they are collecting and what it will be used for. Other uses of that data and most sharing of that data are prohibited
- This has an impact on the international operations of US companies, which must distinguish between US and EC citizens or take the more stringent EC approach.

Example: Crypto Laws
- Until recently, the US closely controlled the export of crypto with key lengths greater than 40 bits, except for specified uses (e.g., international banking)
- Some foreign countries ban or limit the use of crypto.
  - http://www2.epic.org/reports/crypto2000/ provides a dated summary
  - Until 1999, France required all crypto devices and keys used in France to be registered with the government
- Crypto is so widely used now (e.g., VPNs, SSL) that it is increasingly difficult to regulate. Many people do not even know they are using crypto when they are at a secure web site.
- Check the laws in any country you plan to use crypto in (including crypto devices on laptops)