Recent IT Security Breaches & How Organizations Prepare
Evan McGrath, Spohn Consulting
September 8, 2014

Agenda
- Recent Breaches
- Cost of a Security Breach
- What Hackers Target
- Regulatory Compliances & State Codes
- Cyber-Terrorism
- Things You Can Do

Recent Security Breaches
Texas Business & Commerce Code, Title 11. Personal Identity Information, Subtitle B. Identity Theft, Chapter 521. Unauthorized Use of Identifying Information
Sec. 521.052 BUSINESS DUTY TO PROTECT SENSITIVE PERSONAL INFORMATION.
(a) A business shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business.
Sec. 521.053 NOTIFICATION REQUIRED FOLLOWING BREACH OF SECURITY OF COMPUTERIZED DATA.
"…shall disclose any breach of system security, after discovering or receiving notification of the breach, to any resident of this state whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made as quickly as possible,…"
FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, is a mandatory, non-waiverable standard developed in response to the Federal Information Security Management Act of 2002.
To comply with the federal standard, agencies must first determine the security category of their information system in accordance with the provisions of FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, and then apply the appropriate set of baseline security controls in NIST Special Publication 800-53.
The combination of FIPS 200 and NIST Special Publication 800-53 requires a foundational level of security for all federal information and information systems.
The agency's Risk Assessment validates the security control set and determines if any additional controls are needed to protect agency operations (including mission, functions, image, or reputation), agency assets, individuals, other organizations, or the Nation. The resulting set of security controls establishes a level of “security due diligence” for the federal agency and its contractors.
In addition to the security requirements established by FISMA, there may also be specific security requirements in different business areas within agencies that are governed by other laws, Executive Orders, directives, policies, regulations, or associated governing documents (e.g., the Health Insurance Portability and Accountability Act of 1996).
It is important that agency officials (including authorizing officials, chief information officers, senior agency information security officers, information system owners, information system security officers, and acquisition authorities) take steps to ensure that: (i) all appropriate security requirements are addressed in agency acquisitions of information systems and information system services; and (ii) all required security controls are implemented in agency information systems.
See http://csrc.nist.gov/sec-cert/ca-compliance.html for additional information on FISMA compliance.
Issued August 2009
Myth – Outsourcing card processing makes us compliant
Outsourcing simplifies payment card processing but does not provide automatic compliance. Don't forget to address policies and procedures for cardholder transactions and data processing. Your business must protect cardholder data when you receive it, and when you process chargebacks and refunds. You must also ensure that providers' applications and card payment terminals comply with the respective PCI standards and do not store sensitive cardholder data. You should request a certificate of compliance annually from providers; in PCI DSS terms this is the provider's Attestation of Compliance (AOC), and Requirement 12.8 expects you to track each service provider's compliance status at least annually.