Title: Who put all these regulations on me?


1
Regulatory Compliance and You
  • Who put all these regulations on me?
  • What is a person to do?
  • Where do I go from here?
  • When did this get so complicated?
  • Why do I have to do this?

2
HELLO
  • Judi Ellis
  • EDMC Security Architect
  • CGEIT, CISM, CRISC
  • jjpineridge_at_zoominternet.net
  • Experience
  • PNC
  • Highmark
  • KPMG
  • CMRI
  • NCFTA
  • e-Profile
  • Jefferson Wells

3
Overview
  • Control Standards
  • Frameworks
  • Regulations
  • Measurement
  • Bringing it all together

4
Control Standards
  • ISO 27001
  • CoBIT
  • ITIL
  • FISMA
  • NIST
  • CIS - Center for Internet Security
  • AES - Advanced Encryption Standard
  • Basel II
  • SEC
  • FFIEC
  • CIS
  • FDCC
  • COSO
  • SANS
  • BS 7799

5
Regulations
  • HIPAA
  • SOX 404/302
  • PCI-DSS
  • Title IV
  • GLBA
  • US Patriot Act
  • FLSA
  • CAN-SPAM
  • FERPA
  • Red Flags
  • HiTECH
  • ACH
  • NACHA
  • PII Laws
  • Safe Harbor
  • COPA

6
Frameworks
Armed robbery, eh? I'm in for being out of
compliance with Federal Guidelines.
7
ISO 27001
  • Formally known as ISO/IEC 27001:2005 - Information
    technology - Security techniques - Information
    security management systems - Requirements, it is
    an information security management system
    standard published in October 2005 by the
    International Organization for Standardization
    (ISO) and the International Electrotechnical
    Commission (IEC). The standard is derived from
    British Standard 7799, and for that reason the
    standard is frequently cited as ISO 17799. It is
    intended to be used in conjunction with ISO/IEC
    27002, the Code of Practice for Information
    Security Management, which delineates security
    control objectives and recommends a range of
    specific security controls.
  • Adopt an all encompassing management process to
    ensure all information security controls meet
    info security needs on an ongoing basis.

8
FISMA-NIST
  • The Federal Information Security Management Act
    of 2002 (FISMA) is a Federal law enacted in 2002
    as Title III of the E-Government Act of 2002. The
    act was designed to bolster computer and network
    security within the federal government and
    affiliated parties (such as recipients of Federal
    monies and government contractors) by mandating
    yearly information security audits.
  • FISMA establishes:
    • Standards for categorizing information and
      information systems by mission impact
    • Standards for minimum security requirements for
      information and information systems
    • Guidance for selecting appropriate security
      controls for information systems
    • Guidance for assessing security controls in
      information systems
    • Guidance for security authorization of
      information systems
    • Guidance for monitoring the security controls
      and security authorization of systems

9
NIST References
  • NIST publications include the following key
    security-related documents:
  • FIPS Publication 199, Standards for Security
    Categorization of Federal Information and
    Information Systems
  • FIPS Publication 200, Minimum Security
    Requirements for Federal Information and Federal
    Information Systems
  • NIST Special Publication 800-30, Risk Management
    Guide for Information Technology Systems
  • NIST Special Publication 800-37, Guide for the
    Security Certification and Accreditation of
    Federal Information Systems
  • NIST Special Publication 800-37 Revision 1, Guide
    for Security Authorization of Federal Information
    Systems: A Security Lifecycle Approach
  • NIST Special Publication 800-39, NIST Risk
    Management Framework
  • NIST Special Publication 800-53 Revision 2,
    Recommended Security Controls for Federal
    Information Systems
  • NIST Special Publication 800-53A, Guide for
    Assessing the Security Controls in Federal
    Information Systems
  • NIST Special Publication 800-59, Guide for
    Identifying an Information System as a National
    Security System
  • NIST Special Publication 800-60, Revision 1,
    Guide for Mapping Types of Information and
    Information Systems to Security Categories

10
PCI-DSS
  • Payment Card Industry Data Security Standard
  • PCI DSS is a worldwide security standard
    established through the Security Standards
    Council (SSC) in 2006 by:
    • American Express
    • Discover Financial Services
    • JCB International
    • MasterCard Worldwide
    • Visa
  • The PCI security standards are technical and
    operational requirements placed on organizational
    entities that process card payments, intended to
    prevent credit card fraud and hacking and to
    mitigate other security vulnerabilities and
    threats.
  • The standards apply to all organizations that
    store, process or transmit cardholder data, which
    obviously includes an increasingly large number
    of state agencies transacting with businesses,
    with citizens, and with other government
    entities.

11
PCI-DSS
  • The following are the six primary control areas
    comprising the Payment Card Industry security
    standard:
    • Build and Maintain a Secure Network
    • Protect Cardholder Data
    • Maintain a Vulnerability Management Program
    • Implement Strong Access Control Measures
    • Regularly Monitor and Test Networks
    • Maintain an Information Security Policy

12
CoBIT
  • Control Objectives for Information and related
    Technology (COBIT) is an open, international
    standard originally published in 1996 by the IT
    Governance Institute and the Information Systems
    Audit and Control Association (ISACA). COBIT is a
    set of best practices for information technology
    designed to provide managers, auditors, and IT
    users with a set of generally accepted measures,
    indicators, processes and best practices. It
    assists in maximizing the benefits derived through
    the use of information technology and in
    developing appropriate IT governance and control
    for private-sector companies or public agencies.
  • The COBIT Framework is organized into four
    domains, thirty-four high-level control
    objectives, and 318 detailed control objectives.
    The framework follows a general plan-do-check-act
    structure.

14
CoBIT
  • Plan and Organize
  • Acquire and Implement
  • Deliver and Support
  • Monitor and Evaluate

15
CoBIT-Plan and Organize
  • PO1 Define a strategic IT plan.
  • PO2 Define the information architecture.
  • PO3 Determine technological direction.
  • PO4 Define the IT processes, organization, and
    relationships.
  • PO5 Manage the IT investment.
  • PO6 Communicate management aims and direction.
  • PO7 Manage IT human resources.
  • PO8 Manage quality.
  • PO9 Assess and manage IT risks.
  • PO10 Manage projects.

16
CoBIT-Acquire and Implement
  • AI1 Identify automated solutions.
  • AI2 Acquire and maintain application software.
  • AI3 Acquire and maintain technology
    infrastructure.
  • AI4 Enable operation and use.
  • AI5 Procure IT resources.
  • AI6 Manage changes.
  • AI7 Install and accredit solutions and changes.

17
CoBIT Deliver and Support
  • DS1 Define and manage service levels.
  • DS2 Manage third-party services.
  • DS3 Manage performance and capacity.
  • DS4 Ensure continuous service.
  • DS5 Ensure systems security.
  • DS6 Identify and allocate costs.
  • DS7 Educate and train users.
  • DS8 Manage service desk and incidents.
  • DS9 Manage the configuration.
  • DS10 Manage problems.
  • DS11 Manage Data.
  • DS12 Manage the physical environment.
  • DS13 Manage operations.

18
CoBIT Monitor and Evaluate
  • ME1 Monitor and evaluate IT performance.
  • ME2 Monitor and evaluate internal control.
  • ME3 Ensure regulatory compliance.
  • ME4 Provide IT governance.

19
Regulations
I've been here for so long I don't remember what
I did, but it had something to do with
non-compliance.
20
SAS-70
  • Statement on Auditing Standards No. 70 (SAS-70),
    Service Organizations, is an auditing standard
    created by the American Institute of Certified
    Public Accountants (AICPA) in 1992. SAS 70
    defines standards used by auditors to assess the
    internal controls of service organizations and
    prepare service auditors' reports. Service
    organizations are entities providing services
    that impact the control environment of their
    customers.
  • Examples of service organizations are insurance
    and medical claims processors, trust companies,
    hosted data centers, application service
    providers (ASPs), managed security providers,
    credit processing organizations and
    clearinghouses.

21
SAS-70
  • Auditors follow AICPA standards for fieldwork,
    quality control and reporting, and issue a formal
    report to the service provider that includes the
    auditor's opinion once the audit is completed.
  • SAS-70 audits consist of two types. A Type I
    audit assesses the service organization's
    description of controls placed in operation and
    the suitability of the design of the controls to
    achieve the specified control objectives, as the
    latter are defined by the service provider. A
    Type II service auditor's report includes the
    information contained in a Type I service
    auditor's report and also includes the service
    auditor's opinion on whether the specific
    controls were operating effectively during the
    period under review.
  • Recently replaced by SSAE 16 (June 2011), which
    has more of an international presence and is
    broadly accepted in accordance with ISAE 3402.

22
HIPAA
  • The Health Insurance Portability and
    Accountability Act (HIPAA) was enacted by the
    Federal government in 1996.
  • Title II of HIPAA, known as the Administrative
    Simplification (AS) provisions, requires the
    establishment of national standards for
    electronic health care transactions and national
    identifiers for providers, health insurance
    plans, and employers, with the overall goals of
    protecting the privacy and security of health
    information and promoting the efficiency of the
    health care industry through use of standardized
    electronic transactions.
  • Requires covered entities to protect the privacy
    and security of an individual's health
    information.

23
HIPAA
  • HIPAA's Security Rule covers health plans,
    healthcare clearinghouses, and healthcare
    providers. Health plans are defined as any
    individual or group plan that provides or pays
    the cost of health care, which includes the
    Medicare and Medicaid programs operated at the
    state and federal levels.
  • The Rule establishes three types of security
    safeguards required for compliance:
    administrative, physical, and technical.
  • For each of these types, various security
    standards are identified, and for each standard,
    both required and addressable implementation
    specifications are delineated.
  • The rule includes eighteen standards that cover
    thirty-six implementation specifications.

24
HIPAA
  • Required specifications must be adopted and
    administered as dictated by the rule. Addressable
    specifications are more flexible. The Centers for
    Medicare and Medicaid Services defines the
    following steps for complying with the Security
    Rule:
    • Assess current security, risks, and gaps
    • Develop an implementation plan
    • Review the Security Rule standards and
      specifications
    • Review addressable implementation specifications
    • Determine security measures
    • Implement solutions
    • Document decisions
    • Reassess periodically
  • The Security Rule required covered entities to
    be in compliance with the rule no later than
    April 2005, though smaller health plans were
    given an additional year to comply.

25
HIPAA
  • The Privacy Rule establishes a set of national
    standards that address the use and disclosure of
    individuals' health information, called PHI
    (Personal Health Information), by organizations
    called covered entities, as well as standards for
    individuals' privacy rights to understand and
    control how their health information is used.
    Thank you OCR (Office of Civil Rights).
  • A major goal of the Privacy Rule is to assure
    that PHI is properly protected while permitting
    appropriate uses of the information, thereby
    protecting the privacy of the individual.

26
HIPAA
  • HIPAA was passed in 1996, but it wasn't until
    2/4/2011 that the first fine for a HIPAA violation
    was issued: a $4.3 million penalty against
    Maryland healthcare provider Cignet for failing to
    provide 41 patients with copies of their medical
    records.
  • HIPAA did not have teeth until HiTech came along
    and provided enforcement and penalties.
  • http://threatpost.com/en_us/blogs/hipaa-bares-its-teeth-43m-fine-privacy-violation-022311

27
FERPA
  • The Family Educational Rights and Privacy Act
    (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a
    Federal law that protects the privacy of student
    education records. The law applies to all schools
    that receive funds under an applicable program of
    the U.S. Department of Education.
  • Schools or public agencies that receive student
    data may disclose, without consent, directory
    information such as a student's name, address,
    telephone number, date and place of birth, honors
    and awards, and dates of attendance.
  • However, schools or agencies must tell parents
    and eligible students about directory information
    and allow parents and eligible students a
    reasonable amount of time to request that the
    school not disclose directory information about
    them. Schools must notify parents and eligible
    students annually of their rights under FERPA.
  • Education records must not be disclosed and must
    be protected.

28
SOX
  • The Sarbanes-Oxley Act (SOX) was enacted by the
    Federal government in 2002 in response to a
    number of major corporate and accounting
    scandals, most prominently that of the Enron
    Corporation.
  • SOX establishes new, enhanced standards for all
    U.S. public companies, and though as such it is
    not directed at government, it has nonetheless
    had a significant impact on internal accounting
    controls in public agencies through its focus on
    management oversight of how fiscal information
    within agencies is created, accessed, stored,
    processed, and transmitted within automated as
    well as manual record systems.

29
SOX
  • Among the Act's principal reforms are these
    elements:
    • Creation of an independent public company
      accounting oversight board
    • A heightened level of corporate governance and
      responsibility measures
    • Expanded corporate, financial, and insider
      disclosure requirements, and
    • A range of new penalties for fraud and other
      violations.

30
Measurements
31
As-Is Assessment
  • Where do I start?
    • Come up with the Plan
    • What regulations do I need to follow? Where am I
      today? Where are my gaps? What do I need to do?
      I need a plan. I need to get started. How do I
      start? What do I do? How do I do this?
    • Assessment
    • Measurement
    • Identify Gaps
    • Plan of Attack
  • Where do I need to be to pass an audit?
    • Work your plan
    • Assessment
    • Measurement
    • Identify Gaps
    • Readjust your plan
    • Assessment
    • Measurement
    • Identify Gaps

32
Plan - ISMS (Information Security Management System)
33
Assessment
  • Getting Started
    • Choose a tool - SANS, CMS, Big 4, NIST, ISO.
  • OCTAVE
  • OCTAVE (Operationally Critical Threat, Asset,
    and Vulnerability Evaluation℠) is a suite of
    tools, techniques, and methods for risk-based
    information security strategic assessment and
    planning.
  • OCTAVE Methods
  • There are three OCTAVE methods:
    • the original OCTAVE method, which forms the basis
      for the OCTAVE body of knowledge
    • OCTAVE-S, for smaller organizations
    • OCTAVE-Allegro, a streamlined approach for
      information security assessment and assurance
  • OCTAVE methods are founded on the OCTAVE
    criteria, a standard approach for a risk-driven
    and practice-based information security
    evaluation. The OCTAVE criteria establish the
    fundamental principles and attributes of risk
    management that are used by the OCTAVE methods.
  • Features and benefits of OCTAVE methods
  • The OCTAVE methods are:
    • self-directed: Small teams of organizational
      personnel across business units and IT work
      together to address the security needs of the
      organization.
    • flexible: Each method can be tailored to the
      organization's unique risk environment, security
      and resiliency objectives, and skill level.
    • evolved: OCTAVE moves the organization toward an
      operational risk-based view of security and
      addresses technology in a business context.

34
CMMI Model
  • Capability Maturity Model Integration (CMMI) is a
    process improvement approach whose goal is to
    help organizations improve their performance.
    CMMI can be used to guide process improvement
    across a project, a division, or an entire
    organization.
  • CMMI in software engineering and organizational
    development is a process improvement approach
    that provides organizations with the essential
    elements for effective process improvement. CMMI
    is registered in the U.S. Patent and Trademark
    Office by Carnegie Mellon University. According
    to the Software Engineering Institute (SEI,
    2008), CMMI helps "integrate traditionally
    separate organizational functions, set process
    improvement goals and priorities, provide
    guidance for quality processes, and provide a
    point of reference for appraising current
    processes."

35
What's a person to do?
  • To benefit from the standards and guidelines, it
    is imperative that you:
  • Understand the complexity of overlapping
    standards
  • Select a foundational standard while expecting to
    reference others as needed
  • Start the as-is assessment to identify existing
    gaps
  • Incorporate the standard by reference in your
    security architecture
  • Understand related vertical standards and
    potential impacts on the enterprise as they
    evolve
  • Develop strong working relationships with
    internal and external auditors
  • Monitor, test, and quantify compliance levels, to
    ensure that standards and controls are working
    and effective (CMMI model already discussed)
  • Work untiringly to educate your enterprise about
    the role of security standards and their own
    responsibilities under those standards

36
Pulling IT All Together
37
Measuring IT
  • Create backups - CMMI level 2
  • Passwords 8 characters long - CMMI level 3
  • Yearly IT risk assessment - CMMI level 2
  • Centralized monitoring - CMMI level 1

38
Measurement
39
Pulling it Together
  • Focus on Relevant Regulations
  • Get Executive Buy-in
  • Assemble the Right Team
  • Develop Policies for Compliance
  • Identify Common Controls
  • Perform a Gap Analysis
  • Classify your Data
  • Look for the Quick Wins
  • Start Small, Go Big
  • Educate Users

40
Useful Websites
  • CMMI - http://www.sei.cmu.edu/library/abstracts/presentations/20080925webinar.cfm
  • PCI-DSS V 2.0 - https://www.pcisecuritystandards.org/security_standards/documents.php
  • CMS - https://www.cms.gov/home/regsguidance.asp
  • HIPAA - http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
  • HiTech - http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.html
  • GLBA - http://business.ftc.gov/privacy-and-security/gramm-leach-bliley-act
  • FISMA - http://csrc.nist.gov/groups/SMA/fisma/index.html
  • NIST 800 series - http://csrc.nist.gov/publications/PubsSPs.html
  • CoBIT - http://www.isaca.org/Knowledge-Center/cobit/Pages/COBIT-Online.aspx
  • OCTAVE - http://www.cert.org/octave/

41
Questions?
Conclusion
How long do we have to get in Compliance?