Cybersecurity Set 15
SOX Control Certification Requirements
• A company must create, document, and test its ICFR
• It must report on its ICFR every year
• After a company makes its yearly report, outside auditors must review it to make sure the ICFR work
• ICFR are processes that provide reasonable assurance that an organization's financial reports are reliable
Main Requirements of the GLBA Privacy Rule
• A financial institution may not share a consumer's NPI with nonaffiliated third parties
• It can share this information only when it first provides the consumer with notice of its privacy practices. The notice must:
  • Tell consumers about the types of data that the institution collects
  • State how the institution uses the collected information
  • Describe how the institution protects a consumer's NPI
• The Privacy Rule requires that consumers have a chance to opt out of certain types of data sharing with nonaffiliated third parties
• Protect the security and confidentiality of customer data
• Protect against threats to the security or integrity of customer data
• Protect against unauthorized access to or use of customer data that could result in harm to a customer
• Require a financial institution to create a written information security program
Gramm-Leach-Bliley Act (GLBA)
• Addresses privacy and security of consumer financial information
• The Federal Financial Institutions Examination Council (FFIEC), a regulatory committee, serves the U.S. banking community
• The FFIEC developed a Cybersecurity Assessment Tool used to identify a bank's or financial institution's cybersecurity maturity
• FFIEC guidance complements a banking or financial organization's ongoing risk management program and cybersecurity implementations
Federal Information Security Management Act of 2002 (FISMA)
• Applies to federal agencies and their IT systems
• Federal agencies fall under the executive branch of the U.S. government
• The Office of Management and Budget (OMB) is responsible for FISMA compliance
Payment Card Industry Data Security Standard (PCI DSS): Purpose and Scope
• Assists merchants and financial institutions in understanding and implementing standards for security policies, technologies, and ongoing processes that protect their payment systems from breaches and theft of cardholder data
• Helps vendors understand and implement PCI standards and requirements for ensuring secure payment solutions are properly implemented
• To validate compliance:
  • On-site PCI audit by a qualified security assessor (QSA)
  • Quarterly vulnerability assessment scanning performed by an approved scanning vendor (ASV)
  • Complete an annual self-assessment questionnaire (SAQ) with quarterly vulnerability assessment scanning from an approved ASV scanning company
• The SAQ lists all security control requirements that are needed for the various SAQ levels
Federal Information Security Modernization Act (FISMA) of 2014
Clearly defines the roles, responsibilities, accountabilities, requirements, and practices needed to fully implement FISMA security controls and requirements
Health Insurance Portability and Accountability Act (HIPAA): Purpose and Scope
• Contains data protection rules that address security and privacy of personally identifiable health information
• The Department of Health and Human Services (HHS) is responsible for rules and compliance
• Protected health information (PHI) is any individually identifiable information about a person's health
• Covers health care providers and business associates
CIPA: Main Requirements
• Covered schools and libraries must filter offensive Internet content so children can't get to it
• A technology protection measure (TPM) is any technology that can block or filter the objectionable content
• Schools and libraries must adopt and enforce an Internet safety policy to comply with CIPA
• A library or school must be able to disable the TPM for any adult if that adult needs to use a computer
Role of the National Institute of Standards and Technology (NIST)
• Creates guidance that all federal agencies use for their information security programs
• Creates standards that agencies use to classify their data and IT systems
• Creates guidelines and minimum information security controls for IT systems
• Creates Federal Information Processing Standards (FIPSs) and Special Publications (SPs)
Main Requirements of the HIPAA Privacy Rule
• Determines how covered entities must protect the privacy of PHI
• Covered entities may not use or disclose a person's PHI without his or her written consent
• Exceptions allow a covered entity to share a person's PHI without the person's written consent
• A covered entity must inform people about how it uses and discloses PHI
• Requires covered entities to use security safeguards to protect electronic protected health information (EPHI)
• Requires covered entities to create an information security program
• Requires covered entities to use information security principles to protect EPHI
• Uses required and addressable safeguards
Family Educational Rights and Privacy Act (FERPA)
Educational institutions can collect and store student data:
• Demographic information
• Address and contact information
• Parental demographic information
• Parental address and contact information
• Grade information
• Disciplinary information
FERPA: Oversight
• The FPCO oversees FERPA compliance
• It has the authority to review and investigate FERPA complaints
• Schools that violate FERPA can lose federal funding
• Only the FPCO is allowed to sanction schools that violate FERPA
Federal Information Security
• The federal government is the largest creator and user of information in the United States
• Government IT systems hold:
  • Data that are critical for government operations
  • Data that are important for running the business of the federal government
  • Sensitive military data
GLBA: Purpose and Scope
• Financial institutions must follow GLBA privacy and security rules to help mitigate data breaches and identity theft
• GLBA requires financial institutions to protect consumers' nonpublic financial information (NPI)
• NPI is personally identifiable financial information that a consumer gives to a financial institution
Personally Identifiable Information (PII)
• First, middle, and last name
• Home mailing address
• Social Security number
• Driver's license number
• Financial account data
• Health data and biometric data
• Authentication credentials
Organizations must:
• Follow laws and regulations
• Interpret them so that policies and procedures can be defined
• Document:
  • Policies
  • Standards
  • Procedures
  • Guidelines
HIPAA Oversight
• HHS oversees compliance with the HIPAA Privacy and Security Rules
• HHS delegated this function to the Office for Civil Rights (OCR)
• OCR enforces HIPAA compliance
• The HITECH Act defined a tiered system for assessing the level of each HIPAA violation: Tiers A-D
FERPA: Purpose and Scope
• If a school doesn't receive federal funds, it doesn't have to comply with FERPA
• The primary goal is to protect the privacy of student records:
  • Written documents
  • Computer media
  • Video
  • Film
  • Photographs
• Includes any records maintained by an outside party acting on a school's behalf
GLBA: Oversight
• Institutions that violate GLBA can be subject to both criminal and civil penalties
• Monetary fines can be substantial
• GLBA requires financial institutions to follow privacy and security rules
• Make sure that your organization's IT systems operate in a way that complies with the law
Consequences
• Loss of federal contracts or funding
• Censure by Congress
• Provide testimony to Congress
• Business fails
Risk Management Framework (RMF) Process
NIST recommends using a risk management framework (RMF) approach for FISMA compliance. The NIST RMF outlines six steps to protect federal IT systems. These steps are: Categorize information systems. Select the minimum security controls. Implement security controls in IT systems. Assess security controls for effectiveness. Authorize the IT system for processing. Continuously monitor security controls.
U.S. Compliance Laws
• Organizations entrusted with sensitive data should take steps to protect that data
• The U.S. doesn't have one comprehensive data protection law
• Many federal data protection laws focus on specific types of data
• They require organizations to use security controls to protect the different kinds of data that they collect
• Laws are not optional
Making Sense of Laws for Information Security Compliance
Organizations must comply with federal laws and state laws. As a systems security professional, you will:
• Possess the skills needed to make sense of these compliance laws
• Understand how IT systems must be configured in order to meet your organization's compliance requirements
• Be able to explain how these laws affect IT systems
• Be able to explain the steps that your organization took to be compliant
How Are Privacy and Information Security Related?
• Privacy: A person's right to control the use and disclosure of his or her own personal information
• Control: A person can decide how his or her data can be collected, used, and shared with third parties
• Information security: The process used to keep data private
• Security is the process; privacy is a result
Sarbanes-Oxley Act: Purpose and Scope
• Protects investors from financial fraud
• Applies to publicly traded companies that must register with the Securities and Exchange Commission (SEC)
• Requires companies to verify the accuracy of their financial information
• Section 404 requires an organization's executive officers to establish, maintain, review, and report on the effectiveness of the company's internal controls over financial reporting (ICFR)
PCI DSS: Main Requirements
• Requirement 3.3: Updated requirement to clarify that any display of the primary access number (PAN) (e.g., a 16-digit credit card number) greater than the first six/last four digits of the PAN requires a legitimate business need; added guidance on common masking scenarios
• Requirement 8.3: Expanded Requirement 8.3 into subrequirements that require multifactor authentication for personnel with nonconsole administrative access and personnel with remote access to the cardholder data environment (CDE)
• Requirement 10.8.1 (effective February 1, 2018): A new requirement for service providers to detect and report on failures of critical security control systems
• Requirement 11.3.4.1 (effective February 1, 2018): A new requirement for service providers to perform penetration testing on segmentation controls at least every six months
• Requirement 12.4 (effective February 1, 2018): A new requirement for service providers' executive management to establish responsibilities for the protection of cardholder data and a PCI DSS compliance program
• Requirement 12.11.1 (effective February 1, 2018): A new requirement for service providers to perform reviews at least quarterly to confirm that personnel are following security policies and operational procedures
Children's Internet Protection Act (CIPA): Purpose and Scope
• Requires certain schools and libraries to filter offensive Internet content so that anyone under 17 can't access it
• Any school or library receiving federal funding from the E-Rate program must comply
FISMA: Purpose and Main Requirements
• Risk assessments
• Annual inventory
• Policies and procedures
• Subordinate plans
• Security awareness training
• Testing and evaluation
• Remedial actions
• Incident response
• Continuity of operations
An agency must:
• Protect the IT systems that support its operations
• Test its IT systems at least yearly
• Review the information security controls on IT systems
• Apply some types of controls and make sure they work
• Monitor its security risk
SOX Oversight
• The SEC oversees and enforces most SOX provisions
• Its mission is to protect investors and maintain the integrity of the securities industry
• Has five commissioners who serve 5-year terms
• Has 11 regional offices in the United States
• SOX requires the SEC to review a public company's yearly and quarterly reports at least once every three years
SOX Records Retention Requirements
SOX requires public companies to:
• Maintain their financial audit papers for seven years, including work papers, memoranda, correspondence, electronic records, and other records created, sent, or received in connection with the audit
• Retain the records and documentation that they use to assess their internal controls over financial reporting
It's a crime for a person or company to knowingly and willfully violate the records retention provisions
National Security Systems (NSSs)
• Secured using a risk-based approach
• Include systems used for:
  • Intelligence activities
  • National defense
  • Foreign policy
  • Military activities
• The Committee on National Security Systems (CNSS) oversees FISMA activities
• Use the same six-step process as the NIST RMF
Agencies with GLBA Oversight Responsibilities
• Securities and Exchange Commission (SEC): Oversees securities brokers and dealers.
• Federal Reserve System (the Fed): Oversees state-chartered member banks and bank holding companies.
• Federal Deposit Insurance Corporation (FDIC): Oversees state-chartered banks that aren't members of the Fed.
• National Credit Union Administration (NCUA): Oversees federally insured credit unions.
• Office of the Comptroller of the Currency (OCC): Oversees nationally chartered banks.
• Office of Thrift Supervision (OTS): Oversees all nationally chartered and some state-chartered thrifts.
• Federal Trade Commission (FTC): Oversees GLBA for any financial institution that isn't regulated by one of the other agencies.
FERPA: Main Requirements
Students (or their parents, if the student is under 18) have the following rights:
• To know what data are in the student's student record and to inspect and review that record
• To request that a school correct errors in a student record
• To consent to have certain kinds of student data released
• A school must protect personally identifiable information in student records (name, SSN, student number)
• A school can't release a student's records to a third party without the student's written consent
• FERPA allows directory information to be disclosed without student consent, so long as the school has given notice to the student
• A student can choose to forbid the release of directory information
CIPA: Oversight
• The FCC has oversight for CIPA
• Little oversight action is required
• The FCC may require a library to refund the E-Rate discount for the period of time it wasn't in compliance
HIPAA Omnibus Regulations
• Modification to the standard for reporting breaches of unsecured PHI
• Extension of HHS enforcement authority over business associates
• Expansion of the definition of the term business associate to include health information organizations, e-prescribing gateways, entities that provide data transmission services for PHI and that require routine access to such PHI, and personal health record vendors
• Modifications to the requirements for business associate agreements
• New obligations for business associates to enter into business associate agreements
• Removal of limitations on the liability of covered entities for the acts and omissions of business associates
• Changes to the requirements for notices of privacy practices
• New limitations on the sale of PHI
• New limitations on and clarifications concerning the use and disclosure of PHI for marketing
• Relaxation of certain limitations on the use of PHI for fundraising
• Improvement to the regulations concerning authorizations for the use or disclosure of PHI for research