1 / 48

IT Legislation & Regulation

IT Legislation & Regulation. CS5493. Information has become a valued asset for commerce and governments. … as a result of its value, information is a target for malicious attackers. Early legislation was designed to create punitive measures against those who

Download Presentation

IT Legislation & Regulation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.


Presentation Transcript

  1. IT Legislation & Regulation CS5493

  2. Information has become a valued asset for commerce and governments. … as a result of its value, information is a target for malicious attackers.

  3. Early legislation was designed to create punitive measures against those who • gained unauthorized access to data and systems • caused damage to data and systems. (etc) • Later legislation was designed to target the custodians of information systems and their data.

  4. Computer Fraud & Abuse Act (1984) Establishes punishment for unauthorized or fraudulent access to government computers and electronic data. • Amended 1994 and 1996 • Patriot Act amended it in 2001 http://www.panix.com/~eck/computer-fraud-act.html • Search document for “protected computer” and “financial institution”

  5. Computer Security Act (1987) • Governs the security and privacy of sensitive information in Federal computer systems and to establish the minimum acceptable security practices for such systems. • Requires the creation of computer security plans, and the appropriate training of system users and owners. http://epic.org/crypto/csa/ http://epic.org/crypto/csa/csa.html http://csrc.nist.gov/groups/SMA/ispab/documents/csa_87.txt (Read the Background)

  6. SOX • Sarbanes – Oxley (2002) • Public Company Accounting Reform and Investor Protection Act (senate) • Corporate and Auditing Accountability and Responsibility Act (house) • SOX contains 11 articles covering regulations for publicly traded companies and private financial companies.

  7. SOX • There is nothing specific in the original SOX concerning IT policies, procedure, best practices, etc. • Article 8 addresses criminal penalties for manipulation, destruction, or alteration of financial records (IT professionals should be aware).

  8. SOX Section 404 • It is the responsibility of management to establish and maintain adequate internal security controls for financial information and reporting.

  9. SOX Section 404 • The compliance costs of SOX represent a tax on inefficiency, encouraging companies to centralize and automate their financial reporting systems (an efficient IT infrastructure for maintaining financial records)

  10. PCAOB • Public Accounting Oversight Board established by SOX. • The PCAOB (created by SOX) emphasizes the need for IT security controls, but provides no details as to what the controls should be.

  11. SOX Efficacy • FEI study shows that for companies with revenues above 4 billion, the % cost attributed to SOX is below .04% of revenue • Borrowing costs were lower for companies in compliance with SOX (Iliev 2007) • Compliance led to faster rise in share price (Lord & Benoit 2006)

  12. SOX • Companies with less than $100 million in revenues experienced a higher % of cost due to SOX – 2.55% of revenues. • Fewer new companies are registering as publicly traded due to the cost of compliance. • Only 22% of surveyed companies believed SOX was of any benefit to them (maybe the larger firms?)

  13. SOX The following has a link to the actual bill: http://uscode.house.gov/download/pls/15C98.txt The following has a synopsis of penalties in section 802: http://www.soxlaw.com/

  14. SOX Conclusion http://www.youtube.com/watch?v=n2ylBKOURtw

  15. HIPAA • Health Insurance Portability and Accountability Act (1996, amended 2006) • Governs how doctors, hospitals, insurance companies, and other health care providers handle personal medical information • All patient information must be handled to maintain patient privacy • Patients are empowered to access their own medical records and petition to correct errors or omissions.

  16. HIPAA • Requires privacy procedures whenever medical information is collected or distributed. • Procedures must document instructions for addressing and responding to security breaches that are identified either during an audit or the normal course of operations.

  17. HIPAA • Controls must govern the introduction and removal of hardware and software from the network. • When equipment is retired it must be disposed of properly to ensure that PHI is not compromised. • Access to equipment containing health information should be carefully controlled and monitored

  18. HIPAA • Access to hardware and software must be limited to properly authorized individuals • Required access controls consist of facility security plans, maintenance records, and visitor sign-in and escorts • Policies are required to address proper workstation use. Workstations should be removed from high traffic areas and monitor screens should not be in direct view of the public

  19. HIPAA Penalties http://www.ucdmc.ucdavis.edu/compliance/guidance/privacy/penalties.html

  20. HIPAA https://www.cms.gov/EducationMaterials/02_HIPAAMaterials.asp#TopOfPage http://www.youtube.com/watch?v=Czpa6rw16Yw&feature=related http://www.youtube.com/watch?v=MWK9DmmenIQ&feature=related http://www.youtube.com/watch?v=6wRDorQ73Ng&feature=related http://www.youtube.com/watch?v=d2Cw0ARJVDM http://www.youtube.com/watch?v=d2Cw0ARJVDM http://www.youtube.com/watch?v=KhF6v_WQOlo http://www.youtube.com/watch?v=KhF6v_WQOlo

  21. Reaching the Audience • Some of the tools used are designed to reach a wide audience.

  22. GLBA (1999) • Gramm-Leach-Bliley Act • Banks and financial institutions must protect the confidentiality and security of information • Must disclose how private information is gathered on clients and how it is shared. • Must disclose how private client information is protected. • Must disclose privacy policies and procedures upon entering into a contract.

  23. GLBA • http://en.wikipedia.org/wiki/Gramm–Leach–Bliley_Act

  24. GLBA non-Compliance GLBA noncompliance can mean severe fines and even class-action lawsuits. Noncompliance can result in: • Institutions can be subject to civil penalties of up to $100,000 for each violation. • The officers and directors of the financial institution can be subject to, and personally liable for, a civil penalty of up to $10,000. • Imprisonment for up to five years is possible

  25. GISRA • Government Information Security Reform Act (2000) • Establishes accountability • Gov. agency security policies must be submitted to the Office of Management and Budget (OMB). Failure could result in loss of funding. http://whatis.techtarget.com/definition/government-information-security-reform-act.html

  26. FISMA (2002) • Federal Information Security Management Act • All federal agencies must develop and maintain formal information security programs. • Security awareness efforts • Secure access to computer resources • Strict AUP • Incident response and contingency planning

  27. FISMA Compliance • Poor FISMA compliance may result in a requirement to report before Congress and significant budget-related penalties may be applied.

  28. FERPA (1974) • Family Education Rights and Privacy Act • Covers the privacy of student education records • Applies to all schools receiving any funding from the US Dept. of Education. http://www.youtube.com/watch?v=_5XpRGd8O44

  29. Patriot Act (2001) • Expands the authority of US law-enforcement agencies to access information that pertains to their investigations.

  30. COPPA • Children's On-line Privacy Protection Act (1998) • Restricts how information is collected on children under the age of 13. • Operators must disclose how to verify consent from a parent or legal guardian • Outlines responsibilities for protecting children's privacy and safety on-line. http://www.youtube.com/watch?v=PFGhisN6he0&feature=related

  31. CDSBA • California Database Security Breach Act (2003) • Companies must immediately notify their customer if the customer's private information has been compromised. • Also limits how financial institutions share personal information of their clients. • Similar laws followed and have been enacted in 46 other states.

  32. PCI DSS Payment Card Industry Data Security Standards • An information security standard for organizations that handle cardholder information • Debit cards • Credit cards • ATM cards • Pre-pay cards • etc

  33. PCI DSS • Not a law, but guidelines for the payment card industry. • Participants include the major card issuers: Amex, Visa, MasterCard, Discover.

  34. PCI-DSS: PCI-SSC • Defined by the Payment Card Industry Security Standards Council, the standard was created to increase controls around cardholder data and thereby reduce credit card fraud.

  35. PCI DSS • Establishes standards for • Security management policies and procedures • Network architecture • Software design

  36. PCI Compliance • Validation of compliance is done annually — • by an external Qualified Security Assessor (QSA) for organizations handling large volumes of transactions, or • by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes

  37. PCI QSA The Qualified Security Assessor is conferred by the PCI SSC to those that meet specific information security requirements including: • The QSA must have completed a training programming endorsed by the PCI SSC • The QSA must be an employee of an approved PCI security and auditing firm. https://www.pcisecuritystandards.org/approved_companies_providers/become_qsa.php

  38. PCI-DSS: 12-Requirements  Build and Maintain a Secure Network • Install and maintain a firewall configuration to protect cardholder data. 2. Do not use vendor-supplied defaults for system passwords and other security parameters

  39. PCI 12-Requirements Protect Cardholder Data • 3. Protect stored cardholder data • 4. Encrypt transmission of cardholder data across open, public networks

  40. PCI 12-Requirements Maintain a Vulnerability Management Program • 5. Use and regularly update anti-virus software on all systems commonly affected by malware • 6. Develop and maintain secure systems and applications

  41. PCI 12-Requirements Implement Strong Access Control Measures • 7. Restrict access to cardholder data by business need-to-know policy • 8. Assign a unique ID to each person with computer access • 9. Restrict physical access to cardholder data

  42. PCI 12-Requirements Regularly Monitor and Test Networks • 10. Track and monitor all access to network resources and cardholder data • 11. Regularly test security systems and processes

  43. PCI 12-Requirements Maintain an Information Security Policy • 12. Maintain a policy that addresses information security • http://www.youtube.com/watch?v=OceYWri86Ts&feature=related

  44. PCI Merchant Levels There are four compliance-categories based on the volume of transactions by merchants.

  45. PCI Merchant Levels • L-1 : more than 6 million transactions per year. • L-2 : 1 to 6 million transactions per year. • L-3 : 20,000 to 1 million transactions per year • L-4 : fewer than 20,000 transactions per year. Transactions are based on Visa-card transactions.

  46. PCI – Compliance Guide http://www.pcicomplianceguide.org/pcifaqs.php

  47. PCI - Compliance • https://protect.iu.edu/sites/default/files/pci_saq_a.pdf • http://www.youtube.com/watch?v=7nF38aYBaTE&feature=related • http://www.youtube.com/watch?v=JvxxYClGBtA&feature=related https://protect.iu.edu/sites/default/files/pci_saq_a.pdf

  48. Regulation Summary • If you are better at complying with these rules and regulations you will achieve a higher level of efficiency and effectiveness in your security and privacy programs. (conclusion by Dr. L. Ponemon)

More Related