Cybersecurity Set 15


SOX Control Certification Requirements

• A company must create, document, and test its ICFR
• It must report on its ICFR every year
• After a company makes its yearly report, outside auditors must review it to make sure the ICFR work
• ICFR are processes that provide reasonable assurance that an organization's financial reports are reliable

Main Requirements of the GLBA Privacy Rule

• A financial institution may not share a consumer's NPI with nonaffiliated third parties
• It can share this information only when it first provides the consumer with notice of its privacy practices. The notice must:
• Tell consumers about the types of data that the institution collects
• State how the institution uses the collected information
• Describe how the institution protects a consumer's NPI
• The Privacy Rule requires that consumers have a chance to opt out of certain types of data sharing with nonaffiliated third parties
• Protect the security and confidentiality of customer data
• Protect against threats to the security or integrity of customer data
• Protect against unauthorized access to or use of customer data that could result in harm to a customer
• Require a financial institution to create a written information security program

Gramm-Leach-Bliley Act (GLBA)

• Addresses privacy and security of consumer financial information
• The Federal Financial Institutions Examination Council (FFIEC) regulatory committee serves the U.S. banking community
• The FFIEC developed a Cybersecurity Assessment Tool used to identify a bank or financial institution's cybersecurity maturity
• The FFIEC complements a banking or financial organization's ongoing risk management program and cybersecurity implementations

Federal Information Security Management Act of 2002 (FISMA)

• Applies to federal agencies and their IT systems
• Federal agencies fall under the executive branch of the U.S. government
• The Office of Management and Budget (OMB) is responsible for FISMA compliance

Payment Card Industry Data Security Standard (PCI DSS): Purpose and Scope

• Assists merchants and financial institutions in understanding and implementing standards for security policies, technologies, and ongoing processes that protect their payment systems from breaches and theft of cardholder data
• Helps vendors understand and implement PCI standards and requirements for ensuring secure payment solutions are properly implemented
• To validate compliance:
• On-site PCI audit by a qualified security assessor (QSA)
• Quarterly vulnerability assessment scanning performed by an approved scanning vendor (ASV)
• Complete an annual self-assessment questionnaire (SAQ) with quarterly vulnerability assessment scanning from an approved ASV scanning company
• The SAQ lists all security control requirements that are needed for the various SAQ levels

Federal Information Security Modernization Act (FISMA) of 2014

Clearly defines the roles, responsibilities, accountabilities, requirements, and practices needed to fully implement FISMA security controls and requirements

Health Insurance Portability and Accountability Act (HIPAA): Purpose and Scope

• Contains data protection rules that address security and privacy of personally identifiable health information
• The Department of Health and Human Services (HHS) is responsible for rules and compliance
• Protected health information (PHI) is any individually identifiable information about a person's health
• Covers health care providers and business associates

CIPA: Main Requirements

• Covered schools and libraries must filter offensive Internet content so children can't get to it
• A technology protection measure (TPM) is any technology that can block or filter the objectionable content
• Schools and libraries must adopt and enforce an Internet safety policy to comply with CIPA
• A library or school must be able to disable the TPM for any adult if that adult needs to use a computer

Role of the National Institute of Standards and Technology (NIST)

• Creates guidance that all federal agencies use for their information security programs
• Creates standards that agencies use to classify their data and IT systems
• Creates guidelines and minimum information security controls for IT systems
• Creates Federal Information Processing Standards (FIPSs) and Special Publications (SPs)

Main Requirements of the HIPAA Privacy Rule

• Determines how covered entities must protect the privacy of PHI
• Covered entities may not use or disclose a person's PHI without his or her written consent
• Exceptions allow a covered entity to share a person's PHI without the person's written consent
• A covered entity must inform people about how it uses and discloses PHI
• Requires covered entities to use security safeguards to protect electronic protected health information (EPHI)
• Requires covered entities to create an information security program
• Requires covered entities to use information security principles to protect EPHI
• Use required and addressable safeguards

Family Educational Rights and Privacy Act (FERPA)

Educational institutions can collect and store student data:
• Demographic information
• Address and contact information
• Parental demographic information
• Parental address and contact information
• Grade information
• Disciplinary information

FERPA: Oversight

• The FPCO oversees FERPA compliance
• It has the authority to review and investigate FERPA complaints
• Schools that violate FERPA can lose federal funding
• Only the FPCO is allowed to sanction schools that violate FERPA

Federal Information Security

• The federal government is the largest creator and user of information in the United States
• Government IT systems hold:
• Data that are critical for government operations
• Data that are important for running the business of the federal government
• Sensitive military data

GLBA: Purpose and Scope

• Financial institutions must follow GLBA privacy and security rules to help mitigate data breaches and identity theft
• GLBA requires financial institutions to protect consumers' nonpublic financial information (NPI)
• NPI is personally identifiable financial information that a consumer gives to a financial institution

Personally Identifiable Information (PII)

• First, middle, and last name
• Home mailing address
• Social Security number
• Driver's license number
• Financial account data
• Health data and biometric data
• Authentication credentials

Organizations must:

• Follow laws and regulations
• Interpret them so that policies and procedures can be defined
• Document:
• Policies
• Standards
• Procedures
• Guidelines

HIPAA Oversight

• HHS oversees compliance with the HIPAA Privacy and Security Rules
• HHS delegated this function to the Office for Civil Rights (OCR)
• OCR enforces HIPAA compliance
• The HITECH Act defined a tiered system for assessing the level of each HIPAA violation: Tiers A-D

FERPA: Purpose and Scope

• If a school doesn't receive federal funds, it doesn't have to comply with FERPA
• The primary goal is to protect the privacy of student records:
• Written documents
• Computer media
• Video
• Film
• Photographs
• Includes any records maintained by an outside party acting on a school's behalf

GLBA: Oversight

• Institutions that violate GLBA can be subject to both criminal and civil penalties
• Monetary fines can be substantial
• GLBA requires financial institutions to follow privacy and security rules
• Make sure that your organization's IT systems operate in a way that complies with the law

Consequences

• Loss of federal contracts or funding
• Censure by Congress
• Provide testimony to Congress
• Business fails

Risk Management Framework (RMF) Process

NIST recommends using a risk management framework (RMF) approach for FISMA compliance.

The NIST RMF outlines six steps to protect federal IT systems. These steps are:
1. Categorize information systems.
2. Select the minimum security controls.
3. Implement security controls in IT systems.
4. Assess security controls for effectiveness.
5. Authorize the IT system for processing.
6. Continuously monitor security controls.

U.S. Compliance Laws

• Organizations entrusted with sensitive data should take steps to protect that data
• The U.S. doesn't have one comprehensive data protection law
• Many federal data protection laws focus on specific types of data
• They require organizations to use security controls to protect the different kinds of data that they collect
• Laws are not optional

Making Sense of Laws for Information Security Compliance

• Organizations must comply with federal laws and state laws
• As a systems security professional, you will:
• Possess the skills needed to make sense of these compliance laws
• Understand how IT systems must be configured in order to meet your organization's compliance requirements
• Be able to explain how these laws affect IT systems
• Be able to explain the steps that your organization took to be compliant

How Are Privacy and Information Security Related?

• Privacy: A person's right to control the use and disclosure of his or her own personal information
• Control: A person can decide how his or her data can be collected, used, and shared with third parties
• Information security: The process used to keep data private
• Security is the process; privacy is a result

Sarbanes-Oxley Act: Purpose and Scope

• Protects investors from financial fraud
• Applies to publicly traded companies that must register with the Securities and Exchange Commission (SEC)
• Requires companies to verify the accuracy of their financial information
• Section 404 requires an organization's executive officers to establish, maintain, review, and report on the effectiveness of the company's internal controls over financial reporting (ICFR)

PCI DSS: Main Requirements

• Requirement 3.3: Updated requirement to clarify that any display of the primary access number (PAN) (e.g., a 16-digit credit card number) greater than the first six/last four digits of the PAN requires a legitimate business need; added guidance on common masking scenarios
• Requirement 8.3: Expanded Requirement 8.3 into subrequirements that require multifactor authentication for personnel with nonconsole administrative access and personnel with remote access to the cardholder data environment (CDE)
• Requirement 10.8.1 (effective February 1, 2018): A new requirement for service providers to detect and report on failures of critical security control systems
• Requirement 11.3.4.1 (effective February 1, 2018): A new requirement for service providers to perform penetration testing on segmentation controls at least every six months
• Requirement 12.4 (effective February 1, 2018): A new requirement for service providers' executive management to establish responsibilities for the protection of cardholder data and a PCI DSS compliance program
• Requirement 12.11.1 (effective February 1, 2018): A new requirement for service providers to perform reviews at least quarterly to confirm that personnel are following security policies and operational procedures

Children's Internet Protection Act (CIPA): Purpose and Scope

• Requires certain schools and libraries to filter offensive Internet content so that anyone under 17 can't access it
• Any school or library receiving federal funding from the E-Rate program must comply

FISMA: Purpose and Main Requirements

• Risk assessments
• Annual inventory
• Policies and procedures
• Subordinate plans
• Security awareness training
• Testing and evaluation
• Remedial actions
• Incident response
• Continuity of operations
An agency must:
• Protect the IT systems that support its operations
• Test its IT systems at least yearly
• Review the information security controls on IT systems
• Apply some types of controls and make sure they work
• Monitor its security risk

SOX Oversight

• The SEC oversees and enforces most SOX provisions
• Its mission is to protect investors and maintain the integrity of the securities industry
• It has five commissioners who serve 5-year terms
• It has 11 regional offices in the United States
• SOX requires the SEC to review a public company's yearly and quarterly reports at least once every three years

SOX Records Retention Requirements

SOX requires public companies to:
• Maintain their financial audit papers for seven years, including work papers, memoranda, correspondence, electronic records, and other records created, sent, or received in connection with the audit
• Retain the records and documentation that they use to assess their internal controls over financial reporting
• It's a crime for a person or company to knowingly and willfully violate the records retention provisions

National Security Systems (NSSs)

• Secured using a risk-based approach
• Include systems used for:
• Intelligence activities
• National defense
• Foreign policy
• Military activities
• The Committee on National Security Systems (CNSS) oversees FISMA activities
• Use the same six-step process as the NIST RMF

Agencies with GLBA Oversight Responsibilities

• Securities and Exchange Commission (SEC): Oversees securities brokers and dealers.
• Federal Reserve System (the Fed): Oversees state-chartered member banks and bank holding companies.
• Federal Deposit Insurance Corporation (FDIC): Oversees state-chartered banks that aren't members of the Fed.
• National Credit Union Administration (NCUA): Oversees federally insured credit unions.
• Office of the Comptroller of the Currency (OCC): Oversees nationally chartered banks.
• Office of Thrift Supervision (OTS): Oversees all nationally chartered and some state-chartered thrifts.
• Federal Trade Commission (FTC): Oversees GLBA for any financial institution that isn't regulated by one of the other agencies.

FERPA: Main Requirements

Students (or their parents, if the student is under 18) have the following rights:
• To know what data are in the student's student record and the right to inspect and review that record
• To request that a school correct errors in a student record
• To consent to have certain kinds of student data released
• A school must protect personally identifiable information in student records (name, SSN, student number)
• A school can't release a student's records to a third party without the student's written consent
• FERPA allows directory information to be disclosed without student consent as long as the student is notified; the school can do this so long as it has given notice to the student
• A student can choose to forbid the release of directory information

CIPA: Oversight

• The FCC has oversight for CIPA
• Little oversight action is required
• The FCC may require a library to refund the E-Rate discount for the period of time it wasn't in compliance

HIPAA Omnibus Regulations

• Modification to the standard for reporting breaches of unsecured PHI
• Extension of HHS enforcement authority over business associates
• Expansion of the definition of the term business associate to include health information organizations, e-prescribing gateways, entities that provide data transmission services for PHI and that require routine access to such PHI, and personal health record vendors
• Modifications to the requirements for business associate agreements
• New obligations for business associates to enter into business associate agreements
• Removal of limitations on the liability of covered entities for the acts and omissions of business associates
• Changes to the requirements for notices of privacy practices
• New limitations on the sale of PHI
• New limitations on and clarifications concerning the use and disclosure of PHI for marketing
• Relaxation of certain limitations on the use of PHI for fundraising
• Improvement to the regulations concerning authorizations for the use or disclosure of PHI for research
