Compliance: PCI, HIPAA, SAS70, etc'

1
Compliance PCI, HIPAA, SAS70, etc.
Building an effective compliance program
Eric Wright Frank Dezort ewright_at_schneiderdowns.co
m fdezort_at_schneiderdowns.com July 1, 2009
2
Your Presenters

• Eric Wright - Shareholder
• Eric has been involved with Information
  Technology with Schneider Downs for 26 years. He
  specializes in and oversees the design, setup,
  installation and implementation of accounting
  systems and a wide range of ERP software
  solutions for our clients. In addition, Eric has
  managed the IT component of our internal audit,
  IT compliance, and 404 engagements for some of
  this areas largest companies.
• Frank Dezort Senior Manager
• Frank serves as a senior manager in both the
  Technical Advisory Services and Internal Audit
  practices. Frank specializes in providing
  technology risk management, internal audit,
  Sarbanes-Oxley, internal control and compliance
  assessments, information security consulting and
  technology advisory services. Frank has over 24
  years of experience in the technology industry.

2
3
Schneider Downs Profile

• Founded in 1956
• Offices in Pittsburgh, Pennsylvania and Columbus,
  Ohio
• Approximately 350 personnel and 29 Shareholders
• The 46th-largest certified public accounting firm
  in the U.S. (AICPA Major Firms Division)
• Fourth largest certified public accounting firm
  in Western Pennsylvania
• Registered with the PCAOB
• Founding member of IGAF Worldwide (1979)

3
4
Schneider Downs Profile

• National firm credentials with regional firm
  approach
• Significant SEC/PCAOB experience
• Offer the breadth of services and professionals
  with the experience to meet registrants needs
• Member of IGAF Worldwide, a national and
  international association of firms
• Dedicated industry groups
• Manufacturing
• Construction/Real Estate
• Transportation
• Auto Dealers
• Nonprofit
• Broad base of clients
• Private companies
• Mid-cap public companies

Offering 75 Products and Services
4
5
Compliance 1 easy slide
5
6
Compliance Timeline
NCUA Mar, 1970
FFIEC Mar, 1979
SAS-70 Apr, 1992
CoBiT Apr, 1996
1960
1970
1980
1990
2000
HIPAA Aug, 1996
FERPA Aug, 1974
COSO Jul, 1985
EU Data Protection Directive Oct, 1995
6
7
Compliance Timeline
201 CMR 17.00 Mass. Privacy Law Oct, 2008
CMMI Jan, 2002
FACTA Nov, 2003
TG-3 May, 2006
NSR 597.970 Jun, 2005
PCI Dec, 2004
FISMA Dec, 2002
NY SSN Law Sep, 2006
2000
2002
2004
2006
2010
2008
Basil II Jun, 2004
NERC CIP Aug, 2006
JSOX April, 2008
Nev SB 227 Nevada PCI Law Jan, 2010
ITILv3 May, 2007
SOX Jul, 2002
CA SB1386 Jul, 2003
ISO 27001 Oct, 2005
7
8
Full Steam Ahead
USS Compliance

• US Congress has a number of pending bills which
  may impact the state of compliance, enforcement,
  strengthening the penalties for non-compliance.
• Legislation is putting organizations on notice
  that gambling with compliance is about to get
  more risky and expensive
• H.R. 1797 Dubbed the Compete Act of 2009 seeks
  to update SOX including portions containing
  provisions related to network security and data
  integrity
• Physician Payment Sunshine Act of 2009 New
  compliance burden on medical industry to monitor
  and disclose financial relationships between
  physicians and medical device and pharmaceutical
  industries
• American Recovery and Reinvestment Act of 2009
  Title XIII Includes expanded enforcement and
  increased penalties for HIPAA compliance
• State legislation on compliance initiatives being
  passed almost daily

8
9
New Electronic World
Investments
Cash
Public Network
ACH/Wire Transfers
Banking

• Shopping
• (Credit/Debit)

9
10
WHY is this Happening?

• Change

Increased Risk

• Reliance on IT Automation
• Electronic Transactions

Increased Threats

• Public Networks
• Reliance on Third Parties
• Data flowing beyond the walls
• Successful Breaches
• Global Presence

Increased Control Requirements

• Professional Attackers
• Attacks originate around the world
• Knowledgeable Attackers

• Automated controls
• Data integrity
• Reliance on electronic data
• Unacceptable level of data losses

10
11
Why Increased Compliance?

• Failure of organizations to police themselves and
  to uphold a reasonable standard for integrity and
  data security has led to federal and state
  compliance mandates.
• Large number of data breaches and the massive
  size of the larger events (TJX, Heartland)
• Changing of the guard in Washington brought
  renewed intensity for network security and data
  protection along with State and location
  government regulations.
• Cyber Czar New White House Office of cyber
  security reports to the National Security Council
  and National Economic Council.

11
12
Why Increased Compliance?

• Expansion to a global marketplace and global data
  sharing. Origin of threats has expanded to a
  world wide audience International laws lagging,
  International enforcement not defined, Foreign
  Business ethics questionable
• For-Profit enterprises being developed to market
  and distribute/sell information obtained from
  theft of data and credentials credit card
  purchases, medical coverage, investment accounts
• Changes in type of services offered and the way
  they are delivered

12
13
Why Increased Compliance?

• National Security Council 60-Day Cyberspace
  Strategy Policy Review Report
• The government, working with State and local
  partners, should identify procurement strategies
  that will incentivize the market to make more
  secure products and services available to the
  public.
• In addition to cooperation with industry
  partnerships, the review also calls for the
  government to examine laws addressing
  cyber-security, with the White House partnering
  with Congress to ensure that there are adequate
  laws.

13
14
Why Increased Compliance?

• National Security Council 60-Day Cyberspace
  Strategy Policy Review Report
• Additional incentive mechanisms that the
  government should explore include adjustments to
  liability considerations (reduced liability in
  exchange for improved security or increased
  liability for the consequences of poor security),
  indemnification, tax incentives, and new
  regulatory requirements and compliance mechanisms
• Systemic loss of U.S. economic value - Industry
  estimates of losses from intellectual property to
  data theft in 2008 range as high as 1 trillion

14
15
Why Increased Compliance?

• Banking Industry - Troubled Asset Relief Program
  (TARP)
• Banking regulators have said they intend to use
  the stress tests ? along with other safety and
  soundness measurement tools currently in place ?
  to gain a better understanding of a banks
  activities, financial condition and balance
  sheet, commitments and risk structure.
• Financial institutions will face significant
  challenges as they measure and stress test their
  regulatory compliance and risk management
  programs. They will need to assess and adjust
  processes and controls to accommodate changes in
  regulatory oversight.
• The best approach will be methodical and
  risk-based with a view toward sustaining
  compliance through changes in regulation and
  regulatory oversight.

15
16
Changes to Compliance

• Payment Card Industry Lifecycle Process for
  Changes to Standard

16
17
Changes to Compliance

• Federal Trade Commission Fair and Accurate Credit
  Transaction Act (FACTA) ID Theft Red Flag Rule
• Originally applied to all financial institutions
  regulated by the Board of Governors of the
  Federal Reserve System (FRB), Federal Deposit
  Insurance Corporation (FDIC), National Credit
  Union Administration (NCUA), Office of the
  Comptroller of the Currency (OCC), Office of
  Thrift Supervision (OTS), and Federal Trade
  Commission (FTC).
• Expanded to include FTC overseen Creditors, which
  include state-chartered credit unions, hospitals,
  utilities, mortgage brokers, auto dealers,
  Dentists, Doctors, Colleges, Universities

17
18
Changes to Compliance

• Federal Trade Commission Fair and Accurate Credit
  Transaction Act (FACTA) ID Theft Red Flag Rule
• Also provide guidance for users of consumer
  reports regarding reasonable policies and
  procedures to employ when consumer reporting
  agencies send them notices of address discrepancy
• FTC delayed the enforcement date for the Identity
  Theft Red Flags Rule - this time an addition
  three months, to August 1, 2009 most covered
  entities unfamiliar with regulations
• On August 1, we start our enforcement program and
  will be looking for high-risk entities that have
  done very little to bring themselves into
  compliance with this regulation. For those
  businesses that have in earnest worked to comply
  with the Red Flags, Betsy Broder Assistant
  Director at FTC says they'll not be focused upon
  for enforcement.

18
19
Changes to Compliance

• American Recovery and Reinvestment Act (ARRA).
  The healthcare portion is known as the Health
  Information Technology for Economic and Clinical
  Health Act (HITECH)
• Contains drastic changes to the Health Insurance
  Portability and Accountability Act (HIPAA). This
  new legislation has significant ramifications, in
  the following areas - enforcement, breach
  notification, implication for business associates
  and use of encryption.
• HIPAA requires unusable, unreadable, or
  indecipherable to unauthorized individuals while
  in motion. However, healthcare organizations
  found to be distributing PHI via unsecure e-mail.
  Security breaches, even those without any
  discernible risk of harm, will be broadly
  publicized, often dictated by regulations, and
  can be financially catastrophic for non-compliant
  businesses, including a new tiered penalty
  structure ranging from 25,000 to 1.5 million.
• Healthcare organizations and their business
  associates need to begin to address the new
  requirements in order to be compliant with the
  February deadline.

19
20
Changes to Compliance

• Breaches Not Easy To Hide Breach of Personal
  Information Notification Act.
• The unauthorized access and acquisition of
  computerized data that MATERIALLY compromises the
  security or confidentiality of personal
  information maintained by the entity as part of a
  database of personal information regarding
  multiple individuals and that causes or the
  entity reasonably believes has caused or will
  cause loss or injury to any resident of this
  Commonwealth.
• A sole proprietorship, partnership, corporation,
  association or other group, however organized and
  whether or not organized to operate at a profit,
  including a financial institution organized,
  chartered or holding a license or authorization
  certificate under the laws of this Commonwealth,
  any other state, the United States or any other
  country, or the parent or the subsidiary of a
  financial institution

20
21
Breach Disclosure Laws
21
22
Compliance Viewpoint

• Compliance viewed as
• Necessary evil
• Projects rather than a culture of leading
  practices
• A milestone rather than an approach
• A checkbox rather than a strategy
• Discreet steps versus a continuous process
• Development of security programs specifically to
  pass a compliance test

22
23
Static Compliance Model
23
24
Compliant and done

• Risk management should drive compliance
• Risk and Security process that results in
  compliance by default
• Compliant is not equal to Secure
• Was Heartland Payment Systems PCI-DSS Compliant?
• Was Hannaford Brothers PCI-DSS Compliant
• Merrick Bank claims to have lost 16 million
  (Paid to Visa and MasterCard) as a result of a
  2005 breach of payment card processor CardSystems
  Solutions and is now seeking legal restitution
  from an IT company it hired to audit the
  processor.
• Compliance is a point in time

24
25
Continuous Compliance
25
26
Continuous Compliance Attributes

• Compliance is a catalyst for improvement
• Backing from Senior Management and BOD
• Strategic alignment of risk management and
  control improvements included in all IT processes
• Threats are viewed as real-time and continuous
• Governance and risk management are viewed as
  leading practices

26
27
Key Steps to Success

• Lay the Foundation
• Less than one third of organizations conduct
  regular IT vulnerability and IT risk assessments
  these provide the foundation for new compliance,
  governance, or risk management initiatives. (What
  are your top 5 risks?)
• Establish Consistent Policies
• Less than half of organizations have established
  consistent policies for compliance and risk
  management industry frameworks such as ISO,
  ITIL, and COBIT provide reference and
  significantly accelerate the process.
• Assign an Owner
• Less than half of organizations have established
  an executive or team with primary ownership of IT
  compliance and risk initiatives.

27
28
Gaining Value from Compliance

• Compliance becomes a culture rather than a
  project
• How will this initiative/decision/project effect
  risk?
• If it brings risks, are they quantifiable and
  measurable?
• Will risk be mitigated by our current practices
  and controls or will we have to adopt more
  stringent ones?
• Compliance is not driven by a mandate but
  contributes to a higher-level value proposition
• Automation of controls and activities
• Integrate into existing processes
• Audits serve as a point-in-time validation rather
  than the reason

28
29
Optimization of Controls

• Re-evaluate controls on a regular basis
• Goal is to balance controls and risk
• Challenge whether all controls are key
• Is control necessary to achieve objective
• Does residual risk increase if control removed
• Is there compensating controls
• Continue to assess the scope of the compliance
  initiative
• Limit to processes required by scope of
  compliance
• Limit to key controls within each process
• Limit the systems and applications required to
  meet objectives

29
30
Optimization of Controls

• Isolate the path of data through the network
• Establish minimum access to all layers within
  scope
• Operating system
• Database
• Network
• Application
• Segmentation of network through use of internal
  firewalls or switching technology
• Obtain a detailed understanding from
  auditors/regulators on risks and scope of audit
  or compliance requirements
• May not mean elimination or reduction of controls

30
31
Risk and Compliance Silos
31
32
Consolidation of Compliance
Control A
Control 1
Control B
Control 2
Control C
Control 3
Control D
Control 4
32
33
Compliance Overlap
Scope A
Control A
Control 1
Control B
Scope B
Control 2
Scope C
Control C
Control 3
Control D
Control 4
33
34
Continuous Auditing

• Key Risk
• Unauthorized business activities are not detected
  in a timely fashion
• Potential Impact
• Data theft
• Fraud
• Financial misstatement
• Recommended Control Activities
• Implement segregation of duties based on job
  descriptions
• Identify key business application risks that can
  be monitored electronically (e.g. suspicious
  transactions based on thresholds)
• Identify key system settings that should not be
  changed without authorization
• Implement continuous monitoring software and/or
  reporting to alert management when suspicious or
  unauthorized activity takes place

34
35
Security Monitoring

• Key Risks
• Undetected compromise or attacks (attack
  signatures)
• Failure to meet regulatory requirements (PCI,
  Privacy)
• Loss or disclosure of sensitive or critical
  information assets
• Potential Impact
• Loss of customers/clients (consumer confidence)
• Decrease in value of organization (stock)
• Lawsuits/fines (PCI-DSS, State, FTC)
• Recommended Control Activities
• Approach security as a process
• Periodic vulnerability and penetration testing
  including wireless and application
• Implement Intrusion Detection/Prevention
  monitoring (Managed Security Services)
• Monitoring of security patches and alerts

35
36
Example - Lack of Monitoring

• TJX Companies
• Eight major U.S. retailers were allegedly hacked
  by members of an international gang with 45.7
  million payment-card records stolen. (Per SEC
  Filing)
• Once inside the companies' networks, the alleged
  hackers installed "sniffer" programs that would
  capture card numbers, as well as password and
  account information, as the numbers were
  processed. According to a report in The Wall
  Street Journal in March 2007, the hackers left
  encrypted messages in the TJX systems to tell
  each other which files had been copied. Activity
  continued for 17 months.
• TJX has said the price of the settlement deal for
  handling the breach would fall within its
  previous estimates of around 256 million.

36
37
Example - Lack of Monitoring

• Heartland Payment Systems
• Leading payment processing company was
  compromised by intruders that hacked into its
  computers that process 100 million payment card
  transactions per month for 175,000 merchants.
• Intruders had access to Heartland's system for
  "longer than weeks" in late 2008 (USA Today
  Interview). Heartland was alerted to the breach
  by reports of suspicious transactions from Visa
  and MasterCard.
• There were two elements to it, one of which was a
  keylogger that got through our firewall, Then
  subsequently it was able to propagate a sniffer
  onto some of the machines in our network. And
  those are what was actually grabbing the
  transactions as they floated over our network.

37
38
Data Privacy - Breaches

• Source Privacy Rights Clearinghouse
• http//www.privacyrights.org/ar/ChronDataBreaches.
  htm
• A listing of all reported data breaches involving
  private information in the US since 2005
• Total number of breaches 600
• 104 through 4 months - 2009
• Total number or RECORDS stolen 245 million
• Examples include public companies, private
  companies, government agencies,
  schools/universities, and not-for-profits
• 70 of data breaches are off network devices

38
39
Progress Being Made - Breaches

• Source Pittsburgh Post Gazette Tuesday June
  30, 2009
• Most prolific computer hacker in U.S. history
  pleaded guilty
• Max Ray Vision used encryption programs to
  disguise extensive hacking into financial
  institutions and data processing centers.
• Caught with 1.8 Million stolen credit card
  accounts on his computer that resulted in a total
  amount of fraudulent purchases of 86.4 Million
• Established CardersMarket online forum selling to
  members

39
40
Data Privacy - Breach Examples
40
41
Data Privacy - Breach Examples
We found a file containing entire blueprints and
avionics package for Marine One, which is the
presidents helicopter.  What appears to be a
defense contractor in Bethesda, MD had a file
sharing program on one of their systems that also
contained highly sensitive blueprints for Marine
One.
Bob Boback, CEO Tiversa
Found on a server hosted at an Iranian IP address
41
42
Questions
42