WHO PUT ALL THESE REGULATIONS ON ME? WHAT IS A PERSON TO DO? WHERE DO I GO FROM HERE? WHEN DID THIS GET SO COMPLICATED? WHY DO I HAVE TO DO THIS? Regulatory Compliance and You Slide 2 HELLO Judi Ellis EDMC Security Architect CGEIT, CISM, CRISC firstname.lastname@example.org Experience: PNC Highmark KPMG CMRI NCFTA e-Profile Jefferson Wells Slide 3 Overview Control Standards Frameworks Regulations Measurement Bringing it all together Slide 4 ISO 27001 CoBIT ITIL FISMA NIST CIS-Center for Internet Security AES-Advanced Encryption Standard Basel II SEC FFIEC CIS FDCC COSO SANS BS 1799 Control Standards Slide 5 HIPAA SOX 404/302 PCI-DSS Title IV GLBA US Patriot Act FLSA Can Spam FERPA Red Flags HiTECH ACH NACHA PII Laws Safe Harbor COPA Regulations Slide 6 Frameworks Armed robbery, eh? Im in for being out of compliance with Federal Guidelines. Slide 7 ISO 2700* Formally known as ISO/IEC 27001: 2005 - Information technology Security techniques Information security management systems ISMS Requirements, is an information security management system standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The standard is derived from British standard 1799, and for that reason the standard is frequently cited as ISO 17799. It is intended to be used in conjunction with ISO/IEC 27002, the Code of Practice for Information Security Management, which delineates security control objectives and recommends a range of specific security controls. Adopt an all encompassing management process to ensure all information security controls meet info security needs on an ongoing basis. Slide 8 FISMA-NIST The Federal Information Security Management Act of 2002 (FISMA) is a Federal law enacted in 2002 as Title III of the E-Government Act of 2002. The act was designed to bolster computer and network security within the federal government and affiliated parties (such as recipients of Federal monies and government contractors) by mandating yearly information security audits. FISMA establishes: _ Standards for categorizing information and information systems by mission impact _ Standards for minimum security requirements for information and information systems _ Guidance for selecting appropriate security controls for information systems _Guidance for assessing security controls in information systems _Guidance for security authorization of information systems _Guidance for monitoring the security controls and security authorization of systems Slide 9 NIST References NIST publications include the following key security-related documents: FIPS Publication 199, Standards for Security Categorization of Federal Information and Information System FIPS Publication 200, Minimum Security Requirements for Federal Information and Federal Information Systems NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems NIST Special Publication 800-37 Revision 1, Guide for Security Authorization of Federal Information Systems: A Security Lifecycle Approach NIST Special Publication 800-39, NIST Risk Management Framework NIST Special Publication 800-53 Revision 2, Recommended Security Controls for Federal Information Systems NIST Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems NIST Special Publication 800-59, Guide for Identifying an Information System as a National Security System NIST Special Publication 800-60, Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories Slide 10 PCI-DSS Payment Card Industry Data Security Standard PCI DSS is a worldwide security standard established through the Security Standards Council (SSC) in 2006 by: American Express Discover Financial Services JCB International MasterCard Worldwide Visa The PCI security standards are technical and operational requirements placed on organizational entities that process card payments to prevent credit card fraud, and hacking and mitigate other security vulnerabilities/threats. The standards apply to all organizations that store, process or transmit cardholder data, which obviously includes an increasingly larger number of state agencies transacting with businesses, with citizens, and with other government entities. Slide 11 PCI-DSS The following are the six primary control areas comprising the Payment Card Industry security standard: Build and Maintain a Secure Network Protect Cardholder Data Maintain a Vulnerability Management Program Implement Strong Access Control Measures Regularly Monitor and Test Networks Maintain an Information Security Policy Slide 12 CoBIT Control Objectives for Information and related Technology, COBIT, is an open, international standard originally published in 1996 by the IT Governance Institute and the Information Systems Audit and Control Association (ISACA). COBIT is a set of best practices for information technology designed to provide managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices. It assists in maximizing the benefits derived through the use of information technology and develops appropriate IT governance and control for private-sector companies or public agencies. The COBIT Framework is organized into four domains, thirty-four high-level control objectives, and 318 detailed control objectives. The framework follows a general plan-do- check-act structure. Slide 13 Slide 14 CoBIT Plan and Organize Acquire and Implement Deliver and Support Monitor and Evaluate Slide 15 CoBIT-Plan and Organize P01 Define a strategic IT plan. P02 Define the information architecture. P03 Determine technological direction. P04 Define the IT processes, organization, and relationships. P05 Manage the IT investment. P06 Communicate management aims and direction. P07 Manage IT human resources. P08 Manage quality. P09 Assess and manage IT risks. P10 Manage projects Slide 16 CoBIT-Acquire and Implement AI1 Identify automated solutions. AI2 Acquire and maintain application software. AI3 Acquire and maintain technology infrastructure. AI4 Enable operation and use. AI5 Procure IT resources. AI6 Manage changes. AI7 Install and accredit solutions and changes Slide 17 CoBIT Deliver and Support DS1 Define and manage service levels. DS2 Manage third-party services. DS3 Manage performance and capacity. DS4 Ensure continuous service. DS5 Ensure systems security. DS6 Identify and allocate costs. DS7 Educate and train users. DS8 Manage service desk and incidents. DS9 Manage the configuration. DS10 Manage problems. DS11Manage Data. DS12 Manage the physical environment. DS13 Manage operations Slide 18 CoBIT Monitor and Evaluate ME1 Monitor and evaluate IT performance. ME2 Monitor and evaluate internal control. ME3 Ensure regulatory compliance. ME4 Provide IT governance Slide 19 Regulations Ive been here for so long I dont remember what I did, but it had something to do with non-compliance. Slide 20 SAS-70 Statement on Auditing Standards No. 70 (SAS-70), Service Organizations, is an auditing standard created by the American Institute of Certified Public Accountants (AICPA) in 1992. SAS 70 defines standards used by auditors to assess the internal controls of service organizations and prepare service auditors reports. Service organizations are entities providing services that impact the control environment of their customers. Examples of service organizations are insurance and medical claims processors, trust companies, hosted data centers, application service providers (ASPs), managed security providers, credit processing organizations and clearinghouses. Slide 21 Auditors follow AICPA standards for fieldwork, quality control and reporting and issue a formal report to the service provider that includes the auditors opinion once the audit is completed. SAS-70 audits consist of two types. A Type I audit assesses the service organizations description of controls placed in operation and the suitability of the design of the controls to achieve the specified control objectives, as the latter are defined by the service provider. A Type II service auditors report includes the information contained in a Type I service auditors report and also includes the service auditors opinion on whether the specific controls were operating effectively during the period under review. Recently replaced by SSAE-16 6/2011- more of an international presence, broadly accepted in accordance to ISAE 3402. SAS-70 Slide 22 HIPAA The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the Federal government in 1996. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers, with the overall goals of protecting the privacy and security of health information and promoting the efficiency of the health care industry through use of standardized electronic transactions. Requires covered entities to protect the privacy and security of an individuals health information. Slide 23 HIPAAs Security Rule covers health plans, healthcare clearinghouses, and healthcare providers. Health plans are defined as any individual or group plan that provides or pays the cost of health care, which includes the Medicare and Medicaid programs operated at the state and federal levels. The Rule establishes three types of security safeguards required for compliance: administrative, physical, and technical. For each of these types, various security standards are identified, and for each standard, both required and addressable implementation specifications are delineated. The rule includes eighteen standards that cover thirty-six implementation specifications. HIPAA Slide 24 Required specifications must be adopted and administered as dictated by the rule. Addressable specifications are more flexible. The Centers for Medicare and Medicaid Services defines the following steps for complying with the Security Rule: Assess current security, risks, and gaps Develop an implementation plan Review the Security Rule standards and specifications Review addressable implementation specifications Determine security measures Implement solutions Document decisions Reassess periodically The security rule required covered entities to be in compliance with the rule no later than April 2005, though smaller health plans were given an additional year to comply. Slide 25 HIPAA (Privacy Rule) establishes, a set of national standards that address the use and disclosure of individuals health informationcalled PHI (Personal Health Information) by organizations called covered entities as well as standards for individuals privacy rights to understand and control how their health information is used. Thank you OCR (Office of Civil Rights) A major goal of the Privacy Rule is to assure that PHI is properly protected while permitting appropriate uses of the information protecting the privacy of the individual. Slide 26 HIPAA HIPAA was passed in 1996, it wasnt until 2/4/2011 the first HIPAA violation occurred and resulted in a $4.3 m fine to Maryland healthcare provider Cignet for the failure to provide 41 patients with copies of their medical records. HIPAA did not have teeth until HiTech came along and provided enforcement and penalties. http://threatpost.com/en_us/blogs/hipaa-bares-its-teeth- 43m-fine-privacy-violation-022311 http://threatpost.com/en_us/blogs/hipaa-bares-its-teeth- 43m-fine-privacy-violation-022311 Slide 27 FERPA The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. Schools or public agencies that receive student data may disclose, without consent, directory information such as a students name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. However, schools or agencies must tell parents and eligible students about directory information and allow parents and eligible students a reasonable amount of time to request that the school not disclose directory information about them. Schools must notify parents and eligible students annually of their rights under FERPA. Education records must not be disclosed and must be protected. Slide 28 SOX The Sarbanes-Oxley Act (SOX) was enacted by the Federal government in 2002 in response to a number of major corporate and accounting scandals, most prominently that of the Enron Corporation. SOX establishes new, enhanced standards for all U.S. public companies, and though as such it is not directed at government, it has nonetheless had a significant impact on internal accounting controls in public agencies through its focus on management oversight of how fiscal information within agencies is created, accessed, stored, processed, and transmitted within automated as well as manual record systems. Slide 29 Among the Acts principal reforms are these elements: _ Creation of an independent public company accounting oversight board _ A heightened level of corporate governance and responsibility measures _ Expanded corporate, financial, and insider disclosure requirements, and _ A range of new penalties for fraud and other violations. SOX Slide 30 Measurements Slide 31 Where do I start? _Come up with the Plan What regulations do I need to follow? Where am I today? Where are my gaps? What do I need to do? I need a plan. I need to get started. How do I start? What do I do? How do I do this? _Assessment _ Measurement _Identify Gaps _Plan of Attack Where do I need to be to pass an audit _Work your plan _ Assessment _Measurement _ Identify Gaps _Readjust your plan _Assessment _Measurement _Identify Gaps As-Is Assessment Slide 32 Plan-ISMS Information Security Management System Slide 33 Getting Started _ Choose a tool-SANS, CMS, Big 4, NIST, ISO. OCTAVE OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation SM ) is a suite of tools, techniques, and methods for risk-based information security strategic assessment and planning. OCTAVE Methods There are three OCTAVE methods: the original OCTAVE method, which forms the basis for the OCTAVE body of knowledge OCTAVE-S, for smaller organizations OCTAVE-Allegro, a streamlined approach for information security assessment and assurance OCTAVE methods are founded on the OCTAVE criteriaa standard approach for a risk-driven and practice-based information security evaluation. The OCTAVE criteria establish the fundamental principles and attributes of risk management that are used by the OCTAVE methods. Features and benefits of OCTAVE methods The OCTAVE methods are self-directedSmall teams of organizational personnel across business units and IT work together to address the security needs of the organization. flexibleEach method can be tailored to the organization's unique risk environment, security and resiliency objectives, and skill level. evolvedOCTAVE moved the organization toward an operational risk-based view of security and addresses technology in a business context. Assessment Slide 34 CMMI Model Capability Maturity Model Integration (CMMI) is a Process improvement approach whose goal is to help organizations improve their performance. CMMI can be used to guide process improvement across a project, a division, or an entire organization. CMMI in software engineering and organizational development is a process improvement approach that provides organizations with the essential elements for effective process improvement. CMMI is registered in the U.S. Patent and Trademark Office by Carnegie Mellon University. According to the Software Engineering Institute (SEI, 2008), CMMI helps "integrate traditionally separate organizational functions, set process improvement goals and priorities, provide guidance for quality processes, and provide a point of reference for appraising current processes. Slide 35 Whats a person to do? To benefit from the standards and guidelines, it is imperative that you: Understand the complexity of overlapping standards Select a foundational standard while expecting to reference others as needed Start the as is assessment to identify existing gaps Incorporate the standard by reference in your security architecture Understand related vertical standards and potential impacts on the enterprise as they evolve Develop strong working relationships with internal and external auditors Monitor, test, and quantify compliance levels, to ensure that standards and controls are working and effective (CMMI model already discussed) Work untiringly to educate your enterprise about the role of security standards and their own responsibilities under those standards Slide 36 Pulling IT All Together Control Activity CoBITISO- 2700 ITILNewCo Best Practices SOXGLBAPCI- DSS CMSHiTech Create Backups XXXXXXXX Passwords must be 8 characters long XXXXX Conduct a yearly IT risk assessment XXXXX Centralized Monitoring XXXX Slide 37 Measuring IT Create Backups CMMI - 2 Passwords 8 characters long CMMI - 3 Yearly IT Risk Assessment CMMI -2 Centralized monitoring CMMI -1 Slide 38 Measurement Slide 39 Pulling it Together Focus on Relevant Regulations Get Executive Buy-in Assemble the Right Team Develop Policies for Compliance Identify Common Controls Perform a Gap Analysis Classify your Data Look for the Quick Wins Start Small, Go Big Educate Users Slide 40 Useful Websites CMMI- http://www.sei.cmu.edu/library/abstracts/presentations/20080925webinar.cfm PCI-DSS V 2.0 - https://www.pcisecuritystandards.org/security_standards/documents.php CMS - https://www.cms.gov/home/regsguidance.asp HIPAA - http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html HiTech - http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.html GLBA- http://business.ftc.gov/privacy-and-security/gramm-leach-bliley-act FISMA - http://csrc.nist.gov/groups/SMA/fisma/index.html NIST 800 series - http://csrc.nist.gov/publications/PubsSPs.html CoBIT - http://www.isaca.org/Knowledge-Center/cobit/Pages/COBIT-Online.aspx OCTAVE - http://www.cert.org/octave/ http://www.cert.org/octave/ Slide 41 Questions? Conclusion How long do we have to get in Compliance?