Information Security Laws & What They Mean For You


Presentation Transcript


  1. Information Security Laws & What They Mean For You John Nicholson John.Nicholson@ShawPittman.com

  2. What are we going to talk about? • Legal Basics - Laws, Regulations and Other Similar Things • Federal Information Security Rules • State Information Security Rules • Enforcement Actions • Your Questions and Comments

  3. Part I Legal Basics: Laws, Regulations and Other Things

  4. Why does any discussion of the law have to be so complicated? Okay, um, the law is like an onion. Oh, it’s stinky? Yes! No! It makes you cry? No! The law has layers! Onions have layers and the law has layers! Oh, layers. They both have layers. You know, not everybody likes onions.

  5. “7-Layer Model” of Legal Controls • US Supreme Court • US Federal Courts • State Courts • State Regulations • State Laws • State Constitution • Executive Orders • Federal Regulations • Federal Laws/International Treaties • US Constitution

  6. What’s the difference between Federal laws and State laws? • Under the US Constitution, the Federal government has limited powers. • Powers not reserved to Congress are retained by the States. • When passing laws, Congress may “preempt” States from acting in a particular area. • States may be prohibited from passing any laws in the preempted area OR • The Federal law may be the minimum/maximum standard and States are permitted to be more/less stringent.

  7. Why is preemption important to IT? • Preemption enables Congress to ensure similarity of laws across the States • When dealing with a service (e.g., the Internet) that crosses State lines, Federal laws/regulations ensure that everyone is treated the same (or at least understands the minimum standard)

  8. Why does preemption matter to you? • Multiple layers of laws and regulations. Depending on where you are in the US, you may be subject to different regulatory schemes. • For example, California has been very active in passing data privacy and security laws. If your organization operates in California (or you gather information about Californians) you may be subject to California’s laws.

  9. What’s the difference between Federal laws and regulations? Federal laws are bills that are passed by Congress and signed into law by the President. • Laws generally specify what is required, but not how it should be done. • Laws generally specify which entity within the Executive Branch is responsible for drafting regulations to implement the law. • Laws are frequently vague and can be ambiguous.

  10. Information Security-Related Federal Laws • Federal Information Security Management Act of 2002 (“FISMA”) • Gramm-Leach-Bliley Act (“GLBA”) • Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) • Sarbanes-Oxley Act • USA PATRIOT Act • Counterfeit Access Devices and Computer Fraud and Abuse Act of 1984 (“CFAA”) • Electronic Communications Privacy Act (“ECPA”)

  11. What are Regulations? • Regulations are promulgated by agencies like Office of Management and Budget, Dept. of Health and Human Services, etc. • Frequently written with assistance from industry. • Subject to public comment before taking effect. • Published in the Federal Register. Regulations implement laws.

  12. What are Executive Orders? • An order having the force of law issued by the President to the army, navy, or other part of the executive branch of the government. • Generally in areas where Congress has delegated authority to the President or where Congress hasn’t acted. Executive Orders are directions from the President to the Executive Branch.

  13. How do State laws and regulations differ? • Generally only apply to activities in that state (but California is changing this). • Are subject to preemption by Federal laws. • Must also comply with the relevant State constitution, which may be stricter than the US Constitution.

  14. What is the role of the courts? • Courts interpret the law. • Where laws are unclear or ambiguous, courts decide what the law really means. • Courts work in a hierarchy. • US Supreme Court decides US Constitutional issues. • Federal courts decide issues related to Federal laws and interstate issues. • State courts generally decide State constitutional issues and intra-state issues. • Federal and State courts must defer to US Supreme Court.

  15. Part II Federal Information Security “Rules” (Laws, Regulations and Executive Orders)

  16. Federal Activities Related to Information Security • Major Federal responsibility is securing Federally owned/operated systems. • Federal government does not generally regulate security of non-government systems. • HOWEVER, Federal government does require that certain types of information be protected. • Federal government working with industry regarding security of critical infrastructure.

  17. Federal Laws We’re Going to Cover Today • Federal Information Security Management Act • Gramm-Leach-Bliley Act (GLBA) • Health Insurance Portability and Accountability Act (HIPAA) • Sarbanes-Oxley Act (SOX)

  18. Federal Information Security Management Act • Builds on requirements of: • Computer Security Act of 1987 • Paperwork Reduction Act of 1995 • Information Technology Management Reform Act of 1996 • Provides basic statutory framework for securing Federally owned/operated computer systems. • Covers “non-national security systems”

  19. FISMA • Requires each agency to • Inventory computer systems, • Identify and provide appropriate security protections, and • Develop, document and implement agency-wide information security program • Authorizes National Institute of Standards & Technology (NIST) to develop security standards and guidelines for systems used by federal government.

  20. FISMA (cont.) • Authorizes Secretary of Commerce to decide which standards to promulgate. • Authorizes Director of OMB to oversee development and implementation of standards. • Authorizes Director of OMB to require other agencies to comply with the standards and review each agency’s information security program. • Useful NIST materials available at http://csrc.nist.gov/sec-cert/index.html

  21. What is a “National Security System”? “Any computer system (including any telecommunications system) used or operated by an agency … (i) the function of which - (I) involves intelligence activities; (II) involves cryptologic activities related to national security; (III) involves command and control of military forces; (IV) involves equipment that is an integral part of a weapon or weapons system; (V) …is critical to the direct fulfillment of military or intelligence missions; or (ii) is protected at all times by procedures established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.”

  22. What are the rules for National Security Systems? • Specified in National Security Directive (NSD) 42 issued by the President in 1990 • NSD 42 allocates various responsibilities to different national security players • CIA - some intelligence systems • DOD - military/weapons systems • NSA - some intelligence systems

  23. Gramm-Leach-Bliley Act • Requires “financial institutions” to protect security and confidentiality of customers’ non-public financial information. • Authorizes various agencies to coordinate development of regulations: Comptroller of the Currency, SEC, FDIC, FTC, etc. • FTC announced final rule implementing GLBA in May 2002.

  24. GLBA (cont) FTC GLBA regulations: • Published at 16 CFR 314 • Require “financial institutions” to develop, implement and maintain comprehensive information security program with appropriate administrative, technical and physical safeguards, including: • Designating employee to coordinate program • Performing risk assessments • Performing regular testing and monitoring • Process for making changes in light of test results or changes in circumstances.

  25. So what is a “financial institution” under GLBA? • Under GLBA rule, “financial institutions” generally includes anyone who extends credit to consumers, but also includes debt collection agencies, mortgage lenders, real estate settlement services, and entities that process consumers' non-public personal financial information. • FTC's GLBA rule also regulates non-affiliated third parties (parties that are not financial institutions) by limiting the transfer of non-public personal information they receive from financial institutions. • What’s tricky about GLBA? • Broad definition of “financial institution” could potentially include an array of companies that may not consider themselves as such (e.g., department store that offers lay-away services or manufacturers that offer equipment financing). • Multiple agencies with authority to issue regulations. Could conflict.

  26. What do you need to do under GLBA? If GLBA applies to your company: • Create, implement and maintain an information security program. • The information security program should have the regular involvement of the Board of Directors (this may be beyond your scope). • Regularly assess risks. • Create, document, implement and maintain policies and procedures to manage and control risk, including training, testing and managing/monitoring third party service providers. • Adjust information security program as necessary based on testing or other changes.

  27. Health Insurance Portability and Accountability Act • Authorizes Secretary of Health and Human Services to adopt standards that require “health plans”, “health care providers” and “health care clearinghouses” to take reasonable and appropriate administrative, technical and physical safeguards to: • Ensure integrity and confidentiality of individually identifiable health information held or transferred by them; • Protect against any reasonably anticipated threats, unauthorized use or disclosure; and • Ensure compliance by officers and employees. • Security regulations published at 45 CFR 164, Subpart C • HIPAA security regulations are much more substantive than GLBA security regulations.

  28. HIPAA Scope & Key Definitions • HIPAA Scope • Requires health care entities to implement new privacy policies, comply with technical security requirements, provide notice/secure authorizations for a range of uses and disclosures of health information, and enter into written agreements with business partners regarding the ability to share such information • HIPAA Key Definitions • Protected health information (“PHI”) includes all individually identifiable health information (“IIHI”) in the hands of “covered entities.” • “Covered Entity” includes the following types: 1) health care plans; 2) health care clearinghouses; and 3) health care providers who electronically transmit health information in connection with certain specified transactions. • “Business Associates” are any people or entities that perform certain activities or functions on behalf of a Covered Entity that involve the use or disclosure of protected health information (e.g., claims processing, benefit management, etc.).

  29. HIPAA Security Rule - General • Requires CEs to implement unified security approach based on “defense in depth.” • Is technology neutral. CEs select appropriate technology to protect information. • Requires CEs to protect information from both internal and external threats. • Requires CEs to conduct regular, thorough and accurate risk assessments. See http://www.hipaadvisory.com/alert/vol4/number2.htm#four for a detailed discussion of how to conduct a risk analysis.

  30. HIPAA Security Regulations • HIPAA security requirements fall into three categories: • Administrative Safeguards • Physical Safeguards • Technical Safeguards • Each category includes: • “standards”: WHAT the organization must do; and • “implementation specifications”: HOW it must be done.

  31. HIPAA Administrative Safeguards • Administrative safeguards require documented policies and procedures for managing: • Day-to-day operations; • Conduct and access of workforce members to protected information; • Selection, development and use of security controls.

  32. HIPAA Administrative Safeguards Standards

  33. HIPAA Administrative Safeguards Standards (cont)

  34. HIPAA Physical Safeguards • Physical safeguards are intended to protect information systems and protected information from unauthorized physical access. • CE must limit physical access while still permitting authorized physical access.

  35. HIPAA Physical Safeguards (cont)

  36. HIPAA Technical Safeguards • Technical Safeguards are requirements for using technology to control access to protected information

  37. HIPAA Technical Safeguards (cont)

  38. HIPAA Documentation Requirements • CE must maintain documentation (e.g., policies and procedures) required by HIPAA Security Rule until LATER OF • 6 years from date of creation; OR • 6 years from date policy/procedure was last in effect. • CE must regularly review and update documentation.

  39. So what? I don’t work for a health care company! • You might be surprised - • If your company self-insures, you might work for a health care plan • Your company could also be a Business Associate of a Covered Entity • Because people have given thought to the process around protecting systems and information, other regulatory frameworks may try to piggyback off of the HIPAA model. • Also, by understanding HIPAA model, you may have a head start on the regulation you might be subjected to in the future, like….

  40. Sarbanes-Oxley • After Enron, Adelphia Communications, MCI/Worldcom (among others) showed there were flaws in current financial reporting requirements, Congress passed SOX. • Purpose of SOX is “To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes.” • Two sections of SOX have impact on information security: Section 302 and Section 404.

  41. Sarbanes-Oxley Sections 302 and 404 • Section 302 states that CEO and CFO must personally certify that financial reports are accurate and complete. Must also assess and report on effectiveness of internal controls around financial reporting. • Section 404 states that corporation must assess effectiveness of internal controls and report assessment to SEC. Assessment must also be reviewed by outside auditing firm. No assessment of internal controls is complete without an understanding of information security. Insecure systems cannot be considered a source of reliable financial information.

  42. Information Security under SOX • SOX created Public Company Accounting Oversight Board (PCAOB) to oversee and guide auditors in assessing SOX compliance. • PCAOB tasked with creating Proposed Auditing Standards. • PCAOB selected control framework developed by Committee of Sponsoring Organizations (COSO) that provides structured guidelines for implementing internal controls.

  43. Information Security under SOX (cont) • As supplement to COSO guidelines, PCAOB selected Information Systems Audit and Control Association (ISACA) Control Objectives for Information and related Technology (COBIT) framework. • IT Governance Institute has used COSO and COBIT frameworks to create specific IT control objectives for SOX. • Public companies with market capitalizations of $75 million or more must be in compliance with Section 404 for their fiscal year ending on or after June 15. Smaller companies have until the fiscal year ending on or after April 15, 2005, to comply.

  44. What do you have to do to comply with SOX? • Comply with requirements of ITGI Framework Topics: • Security Policy • Security Standards • Access and Authentication • User Account Management • Network Security • Monitoring • Segregation of Duties • Physical Security

  45. ITGI Security Framework Topics:Security Policy • Security Policy • For SOX compliance, policies are key to demonstrating compliance. • Auditors will look for: • Whether policies exist for appropriate information security topics • Whether policies have been approved at appropriate management levels • Whether policies are communicated effectively to personnel • See ISO 17799 and SANS Security Policy Project http://www.sans.org/resources/policy

  46. ITGI Security Framework Topics:Security Standards • Security Standards • Existence of appropriate security standards is necessary for SOX compliance • Example of a “security standard” is Windows 2000 benchmark provided by Center for Internet Security, which provides specific guidance for configuring security on a Windows 2000 box. • Areas for which standards should be specified: • Workstation/Server configuration • Physical security • Network infrastructure administration • System access controls • Data classification and management • ADM

  47. ITGI Security Framework Topics:Security Standards (cont) • Auditors will look for: • Whether standards exist for appropriate technology areas given the nature of your business and your environment • Whether standards have been approved at appropriate management levels • Whether standards are communicated effectively to personnel • Whether standards are followed • Process for exception handling • Process for modification of standards

  48. ITGI Security Framework Topics:Access and Authentication • Access and Authentication • Company must employ methods to validate that only authorized personnel can access system and perform activities within their level of authorization. • Methods could include: • Two factor • Biometric • Password (provided that passwords are subject to appropriate requirements regarding length, complexity, aging and reuse) • Company should have clear policies prohibiting password sharing
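The four password requirement areas this slide names (length, complexity, aging and reuse) are the kind of control an auditor will expect to see enforced mechanically rather than by policy text alone. The script below is an added example written for this page, not material from the presentation or from ITGI; the thresholds it uses (12 characters, three of four character classes, 90-day maximum age, five remembered passwords) are assumed illustrative values, not figures taken from SOX or any regulator.

```python
"""Password policy checks covering the four areas named on the slide:
length, complexity, aging and reuse.  Added example; the thresholds
below are assumed illustrative values, not regulatory requirements."""
import hashlib
import hmac
import os
from datetime import date
from typing import List, Optional, Tuple

MIN_LENGTH = 12       # assumed minimum length
MIN_CLASSES = 3       # assumed: at least 3 of lower/upper/digit/symbol
MAX_AGE_DAYS = 90     # assumed maximum password age
HISTORY_DEPTH = 5     # assumed number of previous passwords remembered


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the history never stores plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class PasswordHistory:
    """Per-user record of previous password digests and last change date."""

    def __init__(self) -> None:
        self.entries: List[Tuple[bytes, bytes]] = []   # (salt, digest)
        self.last_changed: Optional[date] = None

    def record(self, password: str, changed_on: str) -> None:
        """Store the new password digest and keep only HISTORY_DEPTH entries."""
        salt = os.urandom(16)
        self.entries.append((salt, _digest(password, salt)))
        self.entries = self.entries[-HISTORY_DEPTH:]
        self.last_changed = date.fromisoformat(changed_on)

    def was_used(self, password: str) -> bool:
        """Constant-time comparison against every remembered digest."""
        return any(hmac.compare_digest(_digest(password, salt), digest)
                   for salt, digest in self.entries)


def complexity_classes(password: str) -> int:
    """Count how many of the four character classes the password contains."""
    classes = (str.islower, str.isupper, str.isdigit,
               lambda ch: not ch.isalnum())
    return sum(1 for test in classes if any(test(ch) for ch in password))


def evaluate_new_password(password: str, history: PasswordHistory) -> List[str]:
    """Return the list of violated requirements; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("length")
    if complexity_classes(password) < MIN_CLASSES:
        problems.append("complexity")
    if history.was_used(password):
        problems.append("reuse")
    return problems


def is_expired(history: PasswordHistory, as_of: str) -> bool:
    """Aging check: True when the password is older than MAX_AGE_DAYS."""
    if history.last_changed is None:
        return True
    return (date.fromisoformat(as_of) - history.last_changed).days > MAX_AGE_DAYS


if __name__ == "__main__":
    # Constructed walk-through: set a password, then test a few candidates.
    hist = PasswordHistory()
    hist.record("Winter-Sunrise-2004", "2004-01-01")
    for candidate in ("Winter-Sunrise-2004", "short1A!", "alllowercaseletters",
                      "Spring-Meadow-2004"):
        print(candidate, evaluate_new_password(candidate, hist) or "accepted")
    print("expired on 2004-05-01:", is_expired(hist, "2004-05-01"))
```

The reuse check keeps only salted, stretched digests of prior passwords, so the history itself does not become a second copy of the credential store, and the comparison is constant-time so timing does not leak which history entry matched.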

  49. ITGI Security Framework Topics:User Account Management • User Account Management • Company should have clearly documented processes regarding creation/modification/removal of user accounts: • In writing and subject to review and approval; • Process regarding termination of access for terminated employees, including procedures for IT notification; and • Regular access privilege review and adjustment.
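The termination and privilege-review processes on this slide can be checked by reconciling the HR roster against a directory export. The script below is an added example written for this page, not code from the presentation or from ITGI; the employee roster, the account list, the role-to-group model and the 90-day dormancy threshold are all constructed for illustration.

```python
"""Periodic user-account review covering the three processes on the
slide: documented provisioning (role-based entitlements), termination
of access for departed employees, and regular privilege review.
Added example; the roster, account list and role model are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple

DORMANT_DAYS = 90   # assumed: enabled accounts unused this long are flagged

# Assumed role model: the groups each job role is approved to hold.
ROLE_ENTITLEMENTS = {
    "ap-clerk":   {"gl-read", "ap-entry"},
    "controller": {"gl-read", "gl-post", "ap-approve"},
    "sysadmin":   {"domain-admins"},
}


@dataclass(frozen=True)
class Employee:
    emp_id: str
    role: str
    status: str                          # "active" or "terminated"
    terminated_on: Optional[str] = None  # ISO date when status is terminated


@dataclass(frozen=True)
class Account:
    username: str
    emp_id: Optional[str]        # None when no owner is recorded
    enabled: bool
    last_login: Optional[str]    # ISO date, None if never logged in
    groups: FrozenSet[str]


def review_accounts(employees: List[Employee], accounts: List[Account],
                    as_of: str) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for every account needing action."""
    today = date.fromisoformat(as_of)
    roster = {e.emp_id: e for e in employees}
    findings = []
    for acct in sorted(accounts, key=lambda a: a.username):
        owner = roster.get(acct.emp_id)
        if owner is None:
            # No HR record: nobody is accountable for this account.
            findings.append((acct.username, "orphan: no HR record"))
            continue
        if owner.status == "terminated" and acct.enabled:
            # Termination process failed: access outlived employment.
            lag = (today - date.fromisoformat(owner.terminated_on)).days
            findings.append((acct.username, f"enabled {lag} days after termination"))
        extra = acct.groups - ROLE_ENTITLEMENTS.get(owner.role, set())
        if extra:
            # Privilege review: entitlements beyond what the role approves.
            findings.append((acct.username,
                             "entitlements beyond role: " + ", ".join(sorted(extra))))
        if acct.enabled:
            if acct.last_login is None:
                findings.append((acct.username, "dormant: never logged in"))
            else:
                idle = (today - date.fromisoformat(acct.last_login)).days
                if idle > DORMANT_DAYS:
                    findings.append((acct.username, f"dormant: no login in {idle} days"))
    return findings


def run_demo() -> List[Tuple[str, str]]:
    """Constructed HR roster and directory export, reviewed as of 2004-04-15."""
    employees = [
        Employee("E100", "ap-clerk", "active"),
        Employee("E101", "controller", "active"),
        Employee("E102", "ap-clerk", "terminated", "2004-03-01"),
        Employee("E103", "sysadmin", "active"),
    ]
    accounts = [
        Account("asmith", "E100", True, "2004-04-14", frozenset({"gl-read", "ap-entry"})),
        Account("bjones", "E101", True, "2004-04-10",
                frozenset({"gl-read", "gl-post", "ap-approve", "domain-admins"})),
        Account("cdoe", "E102", True, "2004-02-27", frozenset({"gl-read", "ap-entry"})),
        Account("dlee", "E103", True, "2003-12-01", frozenset({"domain-admins"})),
        Account("svc-backup", None, True, "2004-04-15", frozenset({"backup-operators"})),
    ]
    return review_accounts(employees, accounts, "2004-04-15")


if __name__ == "__main__":
    for username, finding in run_demo():
        print(f"{username:12} {finding}")
```

Each finding maps to one of the slide's bullets: an orphan or over-entitled account is a provisioning and privilege-review failure, an enabled account for a terminated employee is a failure of the IT notification process, and a dormant administrative account is exactly what a periodic access review exists to catch. The review is repeatable, so the output can be kept as the evidence an auditor asks for.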

  50. ITGI Security Framework Topics:Network Security • Network Security • Perimeter security with firewalls and IDS • Internal firewalls could be warranted to segregate sensitive areas of the internal network or wireless access points • Encryption should be used for sensitive information (SSL in general and PGP (or better) for financial information) • Anti-virus protection should be installed and regularly updated • Wireless security requires special assessment and could be segregated from remainder of network. • Regular penetration testing.
