- Number of slides: 41
Regulatory Compliance and You WHO PUT ALL THESE REGULATIONS ON ME? WHAT IS A PERSON TO DO? WHERE DO I GO FROM HERE? WHEN DID THIS GET SO COMPLICATED? WHY DO I HAVE TO DO THIS?
HELLO
Judi Ellis, EDMC Security Architect, CGEIT, CISM, CRISC
jjpineridge@zoominternet.net
Experience: • PNC • Highmark • KPMG • CMRI • NCFTA • e-Profile • Jefferson Wells
Overview • Control Standards • Frameworks • Regulations • Measurement • Bringing it all together
Control Standards
ISO 27001 • Basel II • COBIT • SEC • ITIL • FFIEC • FISMA • CIS (Center for Internet Security) • NIST • FDCC • COSO • AES (Advanced Encryption Standard) • SANS • BS 7799
Regulations
HIPAA • FERPA • SOX 404/302 • Red Flags Rule • PCI-DSS • HITECH • Title IV • ACH • GLBA • NACHA • USA PATRIOT Act • PII laws • FLSA • Safe Harbor • CAN-SPAM • COPA
Frameworks Armed robbery, eh? I’m in for being out of compliance with Federal Guidelines.
ISO 2700*
Formally known as ISO/IEC 27001:2005, Information technology - Security techniques - Information security management systems - Requirements, it is an information security management system (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The standard is derived from British Standard BS 7799 (Part 2); the companion code of practice, BS 7799 Part 1, was first published internationally as ISO/IEC 17799 before being renumbered, which is why the family is still frequently cited as ISO 17799. ISO/IEC 27001 is intended to be used in conjunction with ISO/IEC 27002, the Code of Practice for Information Security Management, which delineates security control objectives and recommends a range of specific security controls. The aim: adopt an all-encompassing management process to ensure that all information security controls continue to meet the organization's information security needs on an ongoing basis.
FISMA-NIST
The Federal Information Security Management Act of 2002 (FISMA) is a federal law enacted as Title III of the E-Government Act of 2002. The act was designed to bolster computer and network security within the federal government and affiliated parties (such as recipients of federal funds and government contractors) by mandating annual information security reviews, independent evaluations and reporting. FISMA establishes:
• Standards for categorizing information and information systems by mission impact
• Standards for minimum security requirements for information and information systems
• Guidance for selecting appropriate security controls for information systems
• Guidance for assessing security controls in information systems
• Guidance for security authorization of information systems
• Guidance for monitoring the security controls and security authorization of systems
NIST References
NIST publications include the following key security-related documents:
• FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems
• FIPS Publication 200, Minimum Security Requirements for Federal Information and Federal Information Systems
• NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems
• NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems
• NIST Special Publication 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View
• NIST Special Publication 800-53 Revision 2, Recommended Security Controls for Federal Information Systems
• NIST Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems
• NIST Special Publication 800-59, Guideline for Identifying an Information System as a National Security System
• NIST Special Publication 800-60 Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories
PCI-DSS
Payment Card Industry Data Security Standard. PCI DSS is a worldwide security standard maintained by the PCI Security Standards Council (SSC), formed in 2006 by:
• American Express
• Discover Financial Services
• JCB International
• MasterCard Worldwide
• Visa
The PCI security standards are technical and operational requirements placed on organizations that process card payments, intended to prevent credit card fraud and hacking and to mitigate other security vulnerabilities and threats. The standards apply to all organizations that store, process or transmit cardholder data, which includes an increasingly large number of state agencies transacting with businesses, with citizens, and with other government entities.
PCI-DSS
The following are the six primary control areas comprising the Payment Card Industry security standard:
• Build and Maintain a Secure Network
• Protect Cardholder Data
• Maintain a Vulnerability Management Program
• Implement Strong Access Control Measures
• Regularly Monitor and Test Networks
• Maintain an Information Security Policy
COBIT
Control Objectives for Information and related Technology (COBIT) is an open, international standard originally published in 1996 by the Information Systems Audit and Control Association (ISACA) and now maintained with the IT Governance Institute. COBIT is a set of best practices for information technology designed to provide managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices. It assists in maximizing the benefits derived through the use of information technology and in developing appropriate IT governance and control for private-sector companies or public agencies. The COBIT framework is organized into four domains, thirty-four high-level control objectives, and 318 detailed control objectives. The framework follows a general plan-do-check-act structure.
COBIT domains
• Plan and Organize
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate
COBIT - Plan and Organize
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organization, and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.
COBIT - Acquire and Implement
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and changes.
COBIT - Deliver and Support
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.
COBIT - Monitor and Evaluate
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure regulatory compliance.
ME4 Provide IT governance.
Regulations I’ve been here for so long I don’t remember what I did, but it had something to do with non-compliance.
SAS-70 Statement on Auditing Standards No. 70 (SAS-70), Service Organizations, is an auditing standard created by the American Institute of Certified Public Accountants (AICPA) in 1992. SAS 70 defines standards used by auditors to assess the internal controls of service organizations and prepare service auditor’s reports. Service organizations are entities providing services that impact the control environment of their customers. Examples of service organizations are insurance and medical claims processors, trust companies, hosted data centers, application service providers (ASPs), managed security providers, credit processing organizations and clearinghouses.
SAS-70
Auditors follow AICPA standards for fieldwork, quality control and reporting and, once the audit is completed, issue a formal report to the service provider that includes the auditor's opinion. SAS-70 audits come in two types. A Type I audit assesses the service organization's description of controls placed in operation and the suitability of the design of those controls to achieve the specified control objectives, as defined by the service provider. A Type II service auditor's report includes the information contained in a Type I report and adds the service auditor's opinion on whether the specific controls were operating effectively during the period under review. SAS-70 was replaced by SSAE 16, effective June 2011; SSAE 16 is aligned with the international standard ISAE 3402 and so is more broadly accepted internationally.
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the federal government in 1996. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers, with the overall goals of protecting the privacy and security of health information and promoting the efficiency of the health care industry through the use of standardized electronic transactions. It requires covered entities to protect the privacy and security of an individual's health information.
HIPAA HIPAA’s Security Rule covers health plans, healthcare clearinghouses, and healthcare providers. Health plans are defined as any individual or group plan that provides or pays the cost of health care, which includes the Medicare and Medicaid programs operated at the state and federal levels. The Rule establishes three types of security safeguards required for compliance: administrative, physical, and technical. For each of these types, various security standards are identified, and for each standard, both required and addressable implementation specifications are delineated. The rule includes eighteen standards that cover thirty-six implementation specifications.
HIPAA
Required specifications must be adopted and administered as dictated by the rule. Addressable specifications are more flexible. The Centers for Medicare and Medicaid Services defines the following steps for complying with the Security Rule:
• Assess current security, risks, and gaps
• Develop an implementation plan
• Review the Security Rule standards and specifications
• Review addressable implementation specifications
• Determine security measures
• Implement solutions
• Document decisions
• Reassess periodically
The Security Rule required covered entities to be in compliance no later than April 2005, though smaller health plans were given an additional year to comply.
HIPAA (“Privacy Rule”)
The Privacy Rule establishes a set of national standards that address the use and disclosure of individuals' health information, called PHI (Protected Health Information), by organizations called “covered entities,” as well as standards for individuals' privacy rights to understand and control how their health information is used. Enforcement belongs to OCR (the HHS Office for Civil Rights). A major goal of the Privacy Rule is to assure that PHI is properly protected while permitting appropriate uses of the information, protecting the privacy of the individual.
HIPAA was passed in 1996, but it was not until 2/4/2011 that the first civil money penalty for a HIPAA violation was imposed: a $4.3M fine against Maryland healthcare provider Cignet Health for failing to provide 41 patients with copies of their medical records. HIPAA did not have teeth until HITECH came along and provided enforcement and penalties. http://threatpost.com/en_us/blogs/hipaa-bares-its-teeth-43m-fine-privacy-violation-022311
FERPA
The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. Schools or public agencies that receive student data may disclose, without consent, “directory” information such as a student's name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. However, schools or agencies must tell parents and eligible students about directory information and allow them a reasonable amount of time to request that the school not disclose directory information about them. Schools must notify parents and eligible students annually of their rights under FERPA. Other education records must not be disclosed without consent, except as the law specifically permits, and must be protected.
SOX
The Sarbanes-Oxley Act (SOX) was enacted by the federal government in 2002 in response to a number of major corporate and accounting scandals, most prominently that of the Enron Corporation. SOX establishes new, enhanced standards for all U.S. public companies. Although it is not directed at government, it has nonetheless had a significant impact on internal accounting controls in public agencies through its focus on management oversight of how fiscal information is created, accessed, stored, processed, and transmitted within automated as well as manual record systems.
SOX
Among the Act's principal reforms are these elements:
• Creation of an independent public company accounting oversight board
• A heightened level of corporate governance and responsibility measures
• Expanded corporate, financial, and insider disclosure requirements
• A range of new penalties for fraud and other violations
As-Is Assessment
Where do I start? What regulations do I need to follow? Where am I today? Where are my gaps? What do I need to do? Where do I need to be to pass an audit? I need a plan. I need to get started. How do I start? What do I do? How do I do this?
Come up with the plan:
• Assessment
• Measurement
• Identify gaps
• Plan of attack
Work your plan:
• Assessment
• Measurement
• Identify gaps
Readjust your plan:
• Assessment
• Measurement
• Identify gaps
Plan - ISMS (Information Security Management System)
Assessment
Getting started: choose a tool (SANS, CMS, Big 4, NIST, ISO, ...).
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) is a suite of tools, techniques, and methods for risk-based information security strategic assessment and planning.
OCTAVE methods. There are three OCTAVE methods:
• the original OCTAVE method, which forms the basis for the OCTAVE body of knowledge
• OCTAVE-S, for smaller organizations
• OCTAVE-Allegro, a streamlined approach for information security assessment and assurance
OCTAVE methods are founded on the OCTAVE criteria, a standard approach for a risk-driven and practice-based information security evaluation. The OCTAVE criteria establish the fundamental principles and attributes of risk management that are used by the OCTAVE methods.
Features and benefits of the OCTAVE methods:
• Self-directed: small teams of organizational personnel across business units and IT work together to address the security needs of the organization.
• Flexible: each method can be tailored to the organization's unique risk environment, security and resiliency objectives, and skill level.
• Evolved: OCTAVE moves the organization toward an operational, risk-based view of security and addresses technology in a business context.
CMMI Model
Capability Maturity Model Integration (CMMI) is a process improvement approach whose goal is to help organizations improve their performance. CMMI can be used to guide process improvement across a project, a division, or an entire organization. In software engineering and organizational development it provides organizations with the essential elements for effective process improvement. CMMI is registered in the U.S. Patent and Trademark Office by Carnegie Mellon University. According to the Software Engineering Institute (SEI, 2008), CMMI helps “integrate traditionally separate organizational functions, set process improvement goals and priorities, provide guidance for quality processes, and provide a point of reference for appraising current processes.”
What’s a person to do?
To benefit from the standards and guidelines, it is imperative that you:
• Understand the complexity of overlapping standards
• Select a foundational standard while expecting to reference others as needed
• Start the “as is” assessment to identify existing gaps
• Incorporate the standard by reference in your security architecture
• Understand related vertical standards and potential impacts on the enterprise as they evolve
• Develop strong working relationships with internal and external auditors
• Monitor, test, and quantify compliance levels to ensure that standards and controls are working and effective (CMMI model already discussed)
• Work untiringly to educate your enterprise about the role of security standards and their own responsibilities under those standards
Pulling “IT” All Together
Control-to-framework mapping matrix. Columns: COBIT, ISO 2700*, ITIL, NewCo Best Practices, SOX, GLBA, PCI-DSS, CMS, HITECH. An X marks each framework or regulation that calls for the control.
• Create backups: X X X X X
• Passwords must be 8 characters long: X X X
• Conduct a yearly IT risk assessment: X X X
• Centralized monitoring: X X
Measuring IT (CMMI maturity level per control)
• Create backups: CMMI 2
• Passwords 8 characters long: CMMI 3
• Yearly IT risk assessment: CMMI 2
• Centralized monitoring: CMMI 1
Pulling it Together
• Focus on relevant regulations
• Get executive buy-in
• Assemble the right team
• Develop policies for compliance
• Identify common controls
• Perform a gap analysis
• Classify your data
• Look for the quick wins
• Start small, go big
• Educate users
Useful Websites
CMMI - http://www.sei.cmu.edu/library/abstracts/presentations/20080925webinar.cfm
PCI-DSS v2.0 - https://www.pcisecuritystandards.org/security_standards/documents.php
CMS - https://www.cms.gov/home/regsguidance.asp
HIPAA - http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
HITECH - http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.html
GLBA - http://business.ftc.gov/privacy-and-security/gramm-leach-bliley-act
FISMA - http://csrc.nist.gov/groups/SMA/fisma/index.html
NIST 800 series - http://csrc.nist.gov/publications/PubsSPs.html
COBIT - http://www.isaca.org/Knowledge-Center/cobit/Pages/COBIT-Online.aspx
OCTAVE - http://www.cert.org/octave/
Conclusion How long do we have to get in Compliance? Questions?