
Getting a “Leg-Up” on Compliance



  1. Getting a “Leg-Up” on Compliance: Legislative and Regulatory Currency and Completeness in a Highly Dynamic, Rule-Making World. Beckie Krantz, JD; Karen Worstell, CISM

  2. Disclaimer
  • This presentation intends to demonstrate an approach for establishing a baseline of compliance in accordance with ISO 27001 requirements using specialized automated tools.
  • We are not offering legal advice, and the information in this presentation should not be construed as such.

  3. About Us
  • Karen Worstell, CISM, is the Managing Principal for W Risk Group LLC
    • Defining due diligence for information protection to a defensible standard of care
    • CobiT
    • ISO 20000 (ITIL)
    • ISO 27000 series
    • Certified ISO 27001 trainer under British Standards Institute
    • Comprehensive risk evaluation and compliance plans

  4. About Us
  • Beckie Krantz, JD, is the CEO of Legicrawler
    • Legicrawler provides automated tools for legislative tracking in all 50 states and Congress
    • Email updates and notification
    • Legislative alerts with committee information and member contact information
    • Web publishing
    • Trend analysis on legislation

  5. Getting Started
  • Recognize that a defensible standard of care requires us to establish a baseline for compliance:
    • “Define an ISMS policy in terms of the characteristics of the business … that: takes into account business and legal or regulatory requirements and contractual security obligations.” ISO/IEC 27001:2005 Clause 4.2.1(b)2.
  • Consider a basic list pertinent to our case study (see handout) on the following page.
  Note: PCI is not named as a primary because our case study does not involve payment card information.

  6. Dynamic, Yet:
  • Expectation of Due Care
  • No Plausible Deniability
  • Minimal Harmonization
  • Substantial Penalties

  7. Legislative/Regulatory History (timeline, shown here in chronological order)
  • Foreign Corrupt Practices Act, 1977, 15 USC §§ 78dd-1
  • Computer Fraud and Abuse Act of 1984, 18 USC §1030
  • Electronic Communications Privacy Act of 1986, PL 100-235
  • Computer Security Act of 1987, PL 100-235
  • EU Data Protection Directive (1995)
  • PDD 63 (1998)
  • US Safe Harbor (1998)
  • GLBA (1999)
  • Federal Information Security Management Act (FISMA) (2002)
  • Public Company Accounting Reform and Investor Protection Act (2002), PL 107-204, 116 Stat 745
  • SB 1386 (2003)
  • Revised Federal Rules of Civil Procedure (Dec 2006)
  • MA 201 CMR 17 (2009)
  • Nevada SB17 (2010)
  • 44 Privacy Breach Notification laws at State level (2010)

  8. Enforcing Privacy Promises:
  • Section 5 of the FTC Act (15 USC §§ 41-58, as amended; aka unfair and deceptive business practices), amended 1996
  • Financial Modernization Act (aka Gramm-Leach-Bliley Act), 1999
  • California SB 1386 for Breach Notification (45 states), incl. Washington Revised Code 19.255.010 and RCW 42.56.590
  • Washington RCW 41.05 for the secure exchange of health information
  • Massachusetts 201 CMR 17 (M.G.L. c. 93H) - safeguarding personal information about residents of the Commonwealth
  • Nevada SB 227 to encrypt personal information (amendment to NRS 603A)

  9. Automated Tools are Necessary
  • Legicrawler was created to save time and cost while tracking legislative updates
  • Roughly 250,000 new bills are introduced nationwide every legislative cycle
  • Annual cost for tracking is at least an order of magnitude less with automated tools
  • Added benefits: completeness, timeliness, validity

  10. Methodology for Identifying Legislative and Regulatory Items
  • Identify industry - e.g. insurance is part of financial services
  • Identify the key areas for regulatory/legislative compliance that are part of the business process
    • Collection of SSN
    • Storage and transmittal of any record that contains at least name and address
  • Check FTC site for updates and links
  • If you have access to tools like Westlaw or Lexis-Nexis, use them
  • If necessary, visit the AG site in every state, search on “privacy, security” and follow the threads
  • Once the baseline is established, utilize automated tools to keep it current!

  11. Aha! New Legislation
  • Alaska (eff 7/1/09) SB 133 §18.23.310 Statewide Health Information Exchange System, Info Confidentiality
  • Louisiana (eff 7/6/09) HB 347 Confidentiality of Health Information
  • Massachusetts (eff 3/1/10) 201 CMR 17 Safeguarding Personal Information
  • Maine (eff 6/12/09) LD 1490 Provides for individuals’ rights to prohibit transfer of their healthcare information
  • Nevada (3/1/10) Requires encryption of data and compliance with PCI
  • Texas (eff 9/1/09) Breach of sensitive personal information and protected health information
  • Washington (eff 7/26/09) Secure exchange of health information

  12. Partial List of Pending Legislation
  • AS 18.23.005
  • CA amendments to 56.10, 56.11 of Civil Code
  • DE SB 44
  • GA HB 507
  • IL HB 2572
  • MA HB 3535
  • MA SB 173
  • MA SB 200
  • MA SB 545
  • MN HF 1689
  • US S.778
  • US S.773

  13. How This Gets Used
  • Keep current on legislation that could have a significant impact on security budget planning (e.g. NV encryption/PCI statute)
  • Provide for an informed dialogue between IT and Company Counsel, and professional associations
  • Provide a basis for an informed action plan early in the legislative lifecycle
  • Supports the assertion of due diligence to a defensible standard of care relative to regulatory and legislative tracking

  14. Legislative Lifecycle (cycle diagram)
  • Legislative Action
  • Law & Regulation
  • Political Action
  • Compliance Discussion

  15. Legislative Take Action Plan
  • Corporate Regulatory/Government Affairs
  • Personal Activism
  • Industry Response
  • Amicus Briefs

  16. Key Takeaways
  • Information security “standard of care” requires a thorough assessment and treatment of all pertinent regulations, statutes and contractual clauses.
  • Establishing a baseline
  • Use automated tools to keep it fresh and identify areas of action
  • Get involved in the legislative process!

  17. Questions?
  • @Legicrawler, bkrantz@knsinfo.com
  • @Konakaren, karen@wriskgroup.net

  18. Citations
  • "Computer Security Act of 1987." Major Acts of Congress. Ed. Brian K. Landsberg. Macmillan-Thomson Gale, 2004. eNotes.com, 2006. Accessed 25 Oct 2009. <http://www.enotes.com/major-acts-congress/computer-security-act>
  • “Computer Security Act of 1987.” Accessed 25 Oct 2009. <http://epic.org/crypto/csa/>
  • “Enforcing Privacy Promises.” Accessed 25 Oct 2009. http://www.ftc.gov/privacy/privacyinitiatives/promises.html
  • National Conference of State Legislatures, “State Security Breach Notification Laws,” 27 July 2009. Accessed 25 Oct 2009. http://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNotificationLaws/tabid/13489/Default.aspx
  • “Links to State and Federal Legislation.” Accessed 25 Oct 2009. http://www.privacyrights.org/links.htm#legal
  • Complete this list…
  • “Revised Code of Washington (RCW).” Accessed 26 Oct 2009. http://apps.leg.wa.gov/RCW/
