
Information Security Law Update

The Emerging Trend Toward Programmatic Information Security Management

presented by

Brad Bolin

Senior Security Consultant, Shavlik Technologies, LLC

Regulatory Timeline

Property of Shavlik Technologies www.shavlik.com

Spending is Up, Compliance is Critical
  • The majority of IT Executives believe that overall IT spending will increase over the next 12 months…
  • …and that compliance with government laws and regulations is one of the key drivers.

Source: Network World 500 Research Study, 2004


Spending is Up, Compliance is Critical
  • Chief Security Officers identify compliance as the #1 factor driving security investment in their companies
  • The amount of time spent by IT and Security Professionals and Managers (YOU!) on compliance-related activities is steadily increasing

Source: CSO Security Sensor VI Report, CSO Magazine (2004)


Information Security Programs

Patterns

Responses

Predictions


Public Sector Regulation
  • Privacy Act of 1974
  • Computer Security Act of 1987
  • Federal Information Security Management Act of 2002



Privacy Act of 1974
  • Requires the use of “appropriate administrative, technical and physical safeguards to ensure the security and confidentiality of records.”
  • Addresses controls (safeguards) only
  • Does not require the agency to take a “programmatic” approach to information security



Computer Security Act of 1987
  • Program Requirements
    • Documented
    • Risk-based
      • Safeguards “commensurate with the risk and magnitude of the harm” resulting from loss of confidentiality, integrity or availability (CIA)
    • Periodic review
      • “revised annually as necessary”
    • Administrative, Technical and Physical Controls
      • Security Awareness and Training


FISMA

Federal Information Security Management Act of 2002
(diagram: Program Development & Maintenance; Control Measures)

Federal Information Security Management Act
  • FISMA builds upon and extends the requirements of the Computer Security Act of 1987
  • Requires agencies to “develop, document, and implement an agencywide information security program”
  • Program Requirements:
    • Risk-based
    • Documented
    • Management sponsorship
    • Periodic testing and reporting (no less than annually)
    • Strategic policies and procedures
    • Program improvement
    • Administrative Technical and Physical Controls
      • Security awareness and training
      • Subordinate plans for securing networks, facilities, and systems
      • Incident response procedures
      • Disaster recovery plans


Laws Affecting the Private Sector
  • Gramm-Leach-Bliley Act
  • Health Insurance Portability and Accountability Act
  • Sarbanes-Oxley Act
  • Federal Trade Commission Act, Section 5


Sidebar: Laws v. Regulations
(diagram: one statute with three sets of RULES issued under it)

Gramm-Leach-Bliley Act
  • Several federal agencies have issued rules/regulations under the Act:
    • Securities and Exchange Commission
    • Federal Banking Agencies
    • Federal Trade Commission


Federal Banking Agencies

Interagency Guidelines for Safeguarding Customer Information (GLBA)


Federal Banking Agencies: Interagency Guidelines
  • Program Requirements
    • Management Involvement
    • Documented
    • Risk-based
    • Program maintenance and improvement
    • Appropriate to size and complexity of organization
    • Designated program coordinator
    • Third party oversight


Federal Banking Agencies: Interagency Guidelines
  • Administrative, Technical and Physical Controls:
    • Incident response procedures
      • Intrusion detection systems
    • Security training and awareness
    • Access controls, including authentication and authorization mechanisms
    • Physical access restrictions
    • Encryption of customer information in transit and at rest
    • System change control procedures
    • Personnel security measures
    • Environmental protection measures
    • Periodic control testing, conducted or reviewed by independent staff or third parties


Federal Trade Commission

Standards for Safeguarding Customer Information (GLBA)


Gramm-Leach-Bliley Act: FTC Standards
  • A written information security program is required, though the requirements are less robust than the Interagency Guidelines
  • Program Requirements
    • Management Involvement
    • Documented
    • Risk-based
    • Third party oversight
    • Administrative, Technical and Physical Controls
      • Security Awareness and Training
      • Intrusion detection and response
      • Information processing, storage, transmission and disposal procedures



Dept of Health & Human Services

Security Standards; Final Rule


HIPAA: Required Implementation Specifications
  • Program Requirements
    • Management involvement
    • Documented
    • Risk-based
    • Designated program coordinator
    • Third party management
    • Appropriate to the size and complexity of organization
    • Administrative, Technical and Physical Controls
      • Authentication mechanisms
      • Incident Response Procedures
      • Contingency Plans (Disaster Recovery, etc.)
      • Audit Controls
      • Access Control
      • Information processing, storage, transmission and disposal procedures
      • Workstation use
      • Workstation security



Sarbanes-Oxley Act (“SOX”)

Source: Newsweek Magazine


Sarbanes-Oxley Act
  • Due in part to the fact that violations can land executives in jail, SOX compliance efforts are taken very seriously

Source: Unknown


Sarbanes-Oxley Act
  • Section 404 of the SOX Act requires management
    • to assess internal controls over financial reporting on a yearly basis; and
    • to have their assessment attested to by an independent auditor
  • However, neither the Act nor the SEC’s rules mention information security or information technology
  • Financial reporting is inextricably linked to information technology in most modern corporations


Sarbanes-Oxley Act
  • The term “internal control” has been interpreted to include IT general controls and application controls
    • Application controls address the specific applications that support financial reporting within an organization
    • IT general controls address the underlying computing infrastructure, including everything from physical and logical network security, database management, system development, and change management, to disaster recovery


Sarbanes-Oxley Act
  • Although a written security program is not required, documentation is paramount!
  • Companies must generate and “maintain evidential matter, including documentation, to provide reasonable support for management's assessment of the effectiveness of the company's internal control over financial reporting.”
  • This “evidential matter” is one of the most important bases for the independent auditor’s report
  • If SOX compliance activities are to be cost-efficient, they must be reduced to coordinated, documented, repeatable processes—in other words, an information security (and technology) program.


FTC Act

Federal Trade Commission Act


FTC Enforcement Action: Tower Records
  • Tower Records maintained a privacy policy on its website:


FTC Enforcement Action: Tower Records
(diagram: TOWERRECORDS.COM “CHECK-OUT” INTERFACE with Application Component #1 and Application Component #2, showing the Order Status Application and the Re-Written Order Status Application)

FTC Enforcement Action: Tower Records
  • The FTC argued that:
    • TowerRecords.com had made a promise to their customers
    • They violated their own policy due to inadequate security measures
  • Tower Records argued that it had taken reasonable measures to secure its systems
  • The FTC countered:
    • Information on closing the vulnerabilities that resulted in the violation (user account and session management) had been available to the public since at least 2000.
  • The result?

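The slide names the vulnerability class (user account and session management in an order-status application) but not the mechanism. The following is an added illustration written for this page; it is not Tower Records’ code and not the FTC’s description of it. It shows an order-status lookup that trusts a caller-supplied order number, beside one that resolves the caller from a server-side session and binds the lookup to the order’s owner. The in-memory stores, the sample orders, the user names and every function name are constructed for the example.

```python
"""Added example: an order-status lookup with and without an ownership check.

Hypothetical code constructed for illustration; it is not Tower Records'
application. ORDERS and SESSIONS stand in for a database and a session store.
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str          # account that placed the order
    items: tuple
    ship_to: str        # customer data that must not leak to other users


# Constructed sample data: two customers, one order each.
ORDERS = {
    1001: Order(1001, "alice", ("CD-001",), "1 Main St, Springfield"),
    1002: Order(1002, "bob", ("CD-042", "CD-043"), "9 Elm Rd, Shelbyville"),
}

# Server-side session store: unguessable token -> authenticated username.
SESSIONS: dict = {}


class NotFound(Exception):
    pass


class Unauthenticated(Exception):
    pass


def login(username: str) -> str:
    """Issue a random session token for a user who has already authenticated
    (credential checking is out of scope for this example)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def order_status_vulnerable(order_id: int) -> dict:
    """The flaw: the only key is the order number taken from the request.
    Anyone who can guess or increment an order number reads another
    customer's record, regardless of who (if anyone) is logged in."""
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound
    return {"order_id": order.order_id, "items": order.items,
            "ship_to": order.ship_to}


def order_status_fixed(session_token: str, order_id: int) -> dict:
    """The fix: identify the caller from the server-side session (never from
    a client-supplied user id), then require that the order belongs to that
    caller. A foreign order and a nonexistent order get the same answer, so
    the endpoint cannot be used to enumerate valid order numbers either."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise Unauthenticated
    order = ORDERS.get(order_id)
    if order is None or order.owner != user:
        raise NotFound
    return {"order_id": order.order_id, "items": order.items,
            "ship_to": order.ship_to}


def outcome(session_token: str, order_id: int) -> str:
    """Classify a call to the fixed endpoint as 'ok', 'not_found' or
    'unauthenticated'; convenient for tests and for a quick manual check."""
    try:
        order_status_fixed(session_token, order_id)
        return "ok"
    except Unauthenticated:
        return "unauthenticated"
    except NotFound:
        return "not_found"


if __name__ == "__main__":
    # Anyone at all reads Bob's shipping address through the vulnerable path:
    print("vulnerable:", order_status_vulnerable(1002)["ship_to"])
    alice = login("alice")
    print("fixed, own order:", outcome(alice, 1001))        # ok
    print("fixed, Bob's order:", outcome(alice, 1002))      # not_found
    print("fixed, no session:", outcome("guessed", 1001))   # unauthenticated
```

The point a reviewer would check in the fixed version is that the ownership test is part of the lookup itself, not a separate step that a later code path might skip, and that the caller’s identity comes only from state the server controls.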

FTC Enforcement Action: Tower Records
  • Tower Records ordered to implement and maintain a “comprehensive information security program”
  • Program requirements:
    • Management involvement
    • Designated program coordinator
    • Risk-based
    • Administrative, technical and physical controls:
      • Security awareness and training
      • Information systems controls
      • Network and software design
      • Information processing, storage, transmission, and disposal
      • Intrusion detection


FTC Enforcement Action: Tower Records
  • Tower Records was also required to obtain an independent assessment of the effectiveness of their program every 6 months


Sidebar – Negligence Liability
  • Existing information security and privacy legislation is often criticized for lacking a private cause of action; citizens can’t sue
  • A common law negligence action is one way in which private citizens might obtain redress for injuries done to them due to careless security practices
  • Elements of a Negligence Action
    • Duty of Care
    • Breach of Duty of Care
    • Damages
    • Proximate Cause
  • Signposts on the road…
    • FTC Enforcement Actions
    • SB 1386 (California’s data breach notification law)


Other Government (In)Actions
  • Proposed Corporate Information Security Accountability Act
  • The National Strategy to Secure Cyberspace


Proposed Corporate Information Security Accountability Act
  • In late 2003, Representative Adam Putnam, Chairman of the House Subcommittee on Information Policy developed draft legislation entitled the Corporate Information Security Accountability Act
  • Would have required publicly-traded companies to include an independently-certified assessment of their security in each annual report


Proposed Corporate Information Security Accountability Act
  • Program requirements:
    • Management involvement
    • Documented
    • Risk-based
    • Periodic testing and evaluation of the program
    • Policies and procedures
    • Independent program auditing
    • Administrative Technical and Physical Controls
      • Asset inventories
      • Incident response plans
      • Business continuity plans
  • It never progressed beyond draft status. What happened?


Proposed Corporate Information Security Accountability Act
  • Putnam solicited feedback on the legislation from a variety of individuals, companies and trade associations.
  • Based on that feedback, Putnam postponed introduction of the legislation and formed the Corporate Information Security Working Group (CISWG)
  • CISWG developed recommendations for improving security in the private sector without government intervention


The National Strategy to Secure Cyberspace
  • “Enterprises require clearly articulated, active information security policies and programs to audit compliance with cybersecurity best practices.”
  • The position of the Bush Administration is that “federal regulation will not become a primary means of securing cyberspace[.]”
  • Anchored in the belief that companies will do the right thing on their own


Industry Reactions
  • The number of companies reporting that they possessed an established security policy and auditing process decreased in 2004

Source: State of the CSO, 2004 (CSO Magazine)


Industry Reactions
  • Fewer CSOs believed in 2004 that security is considered a routine part of business operations

Source: State of the CSO, 2004 (CSO Magazine)


Industry Reactions
  • The majority of information security managers would actually welcome a law requiring minimum security practices

Source: Information Security Magazine Survey, 2003


What Does the Market Believe?
  • The evolution of public and private-sector regulations suggests that information security program requirements will continue to become more elaborate
  • However, the postponement of Putnam’s Act and the Nat’l Strategy to Secure Cyberspace indicate a reluctance to legislate
  • What does the market believe?


Businesses Expect a Change (MD&A)
  • Management’s Discussion and Analysis of Financial Conditions and Results of Operations (MD&A)
    • Required part of annual or interim financial statements for publicly-held companies
  • Recent MD&As are filled with predictions of increased regulation and associated compliance costs


Businesses Expect a Change (MD&A)
  • PayPal
    • In the future, we might be subjected to:
      • State or federal banking regulations;
      • Financial services regulations or laws governing other regulated industries; or
      • U.S. and international regulation of Internet transactions.
    • If we are found to be in violation of any current or future regulations, we could be:
      • exposed to financial liability;
      • forced to change our business practices; or
      • forced to cease doing business altogether


Information Security Programs

Patterns

Responses

Predictions


Patterns
  • The critical elements that appear in nearly every law/regulation:
    • Management involvement
    • Risk-based approach
    • Documented
    • Strategic policies and procedures
    • Independent auditing
    • Appropriate to size and complexity of organization
    • Essential administrative, technical and physical controls to mitigate risk:
      • Incident Response Plan
      • Disaster Recovery Plan
      • Third Party Oversight Measures
      • Information processing, storage, transmission and disposal procedures
      • Access Controls (administrative and technical)
      • Physical & Environmental Security Controls


Responses
  • Develop a comprehensive, documented information security program that includes the elements we’ve identified, and maintain it
  • Appropriate to size and complexity
  • One example is British Standard 7799 Part 2 (BS 7799-2:2002), which defines Information Security Management Systems (the basis of what later became ISO/IEC 27001)


Predictions
  • Based on previous laws and regulations, we can predict that future legislative actions will continue to elaborate upon the “comprehensive information security program” model
  • Laws and regulations initially targeted government entities only; their reach has since extended to business organizations, and it could possibly be extended to individual citizens (think of the National Strategy)
  • Data privacy will continue to be a critical driver of new legislation, but general system integrity will also begin to play a role


Thank you very much!
  • If you have any questions about my presentation, I can be reached at brad.bolin@shavlik.com
