Week 11


FISMA: Purpose and Main Requirements

risk assessments, annual inventory, policies & procedures, subordinate plans, security awareness training, testing & evaluation, remedial actions, incident response, continuity of operations

information security

the process used to keep data private

Institute of Electrical and Electronics Engineers (IEEE)

- Is an international nonprofit organization that focuses on developing and distributing standards that relate to electricity and electronics
  ◦ Has the largest number of members of any technical professional organization in the world
  ◦ Supports 39 societies that focus activities on specific technical areas, including magnetics, photonics, and computers
  ◦ Provides training and educational opportunities covering a wide number of engineering topics
- Standards are managed by the IEEE Standards Association (IEEE-SA)

Main Requirements of the GLBA Safeguards Rule

- Protect the security and confidentiality of customer data
- Protect against threats to the security or integrity of customer data
- Protect against unauthorized access to or use of customer data that could result in harm to a customer
- Require a financial institution to create a written information security program

Internet Engineering Task Force (IETF)

- Develops and promotes voluntary Internet standards and protocols, in particular the standards that comprise the Internet protocol suite (TCP/IP)
- Focuses on the engineering aspects of Internet communication
- Works closely with the W3C and ISO/IEC
- Is a collection of working groups (WGs), with each group addressing a specific topic

FISMA 2014

Clearly defines the roles, responsibilities, accountabilities, requirements, and practices needed to fully implement FISMA security controls and requirements

Internet Architecture Board (IAB)

- A subcommittee of the IETF composed of independent researchers and professionals who have a technical interest in the overall well-being of the Internet
- Serves as an advisory body to the Internet Society (ISOC)
- Provides oversight for the following:
  ◦ Architecture for Internet protocols and procedures
  ◦ Processes used to create standards
  ◦ Editorial and publication procedures for RFCs
  ◦ Confirmation of the IETF chair and technical area directors

Health Insurance Portability and Accountability Act (HIPAA): Purpose and Scope

- Contains data protection rules that address security and privacy of personally identifiable health information
- Department of Health and Human Services (HHS) is responsible for rules and compliance
- Protected health information (PHI) is any individually identifiable information about a person's health
- Covers health care providers and business associates

Main Requirements for HIPAA Privacy Rule

- Determines how covered entities must protect the privacy of PHI
- Covered entities may not use or disclose a person's PHI without his or her written consent
- Exceptions allow a covered entity to share a person's PHI without the person's written consent
- A covered entity must inform people about how it uses and discloses PHI

World Wide Web Consortium (W3C)

- Is the main international standards organization for the World Wide Web
- Develops protocols and guidelines that unify the Web and ensure its long-term growth
- Standards developed or endorsed include: Cascading Style Sheets (CSS), HyperText Markup Language (HTML), Simple Object Access Protocol (SOAP), and Extensible Markup Language (XML)

International Organization for Standardization (ISO)

- Nongovernmental international organization
- Its goal is to develop and publish international standards for nearly all industries
- Is a network of 161 national standards institutes
- Serves as a bridge between the public and private sectors
- Best-known ISO standard is the Open Systems Interconnection (OSI) Reference Model

HIPAA Omnibus Rule

- Omnibus Rule provides a catchall update to HIPAA and HITECH Act rulings
- Tightens the requirements of covered entities and business associates

Children's Internet Protection Act

- Requires certain schools and libraries to filter offensive Internet content so that anyone under 17 can't access it
- Any school or library receiving federal funding from the E-Rate program must comply

Agencies with GLBA Oversight Responsibilities

- Securities and Exchange Commission (SEC)
- Federal Reserve System (the Fed)
- Federal Deposit Insurance Corporation (FDIC)
- National Credit Union Administration (NCUA)
- Office of the Comptroller of the Currency (OCC)
- Office of Thrift Supervision (OTS)
- Federal Trade Commission (FTC)

American National Standards Institute (ANSI)

- Strives to ensure the safety and health of consumers and the protection of the environment
  ◦ Oversees the creation, publication, and management of many standards and guidelines that directly affect businesses in nearly every sector
  ◦ Is composed of government agencies, organizations, educational institutions, and individuals
  ◦ Produces standards that affect nearly all aspects of IT, but primarily software development and computer system operation

International Electrotechnical Commission (IEC)

- Works with the ISO
- Is the preeminent organization for developing and publishing international standards for technologies related to electrical and electronic devices and processes
- Standards address a wide variety of areas: power generation, semiconductors, telecommunications, and physical computer and networking hardware

NIST (National Institute of Standards and Technology)

- Federal agency within the U.S. Department of Commerce
- Mission is "to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life"
- Provides standards for measurement and technology on which nearly all computing devices rely
- Maintains the atomic clock that keeps the United States' official time
- Maintains a list of standards and publications of general interest to the computer security community

Information Security Standards

- Necessary to create and maintain a competitive market for hardware and software vendors
- Guarantee compatibility between products from different countries
- Provide guidelines to ensure products in today's computing environments work together

Main Requirements for HIPAA Security Rule

1. Require covered entities to use security safeguards to protect electronic protected health information (EPHI)
2. Require covered entities to create an information security program
3. Require covered entities to use information security principles to protect EPHI
4. Use required and addressable safeguards

ISO 17799 (Withdrawn)

A former international security standard that has been withdrawn
  ◦ Is a comprehensive set of controls that represent best practices in information systems
  ◦ Consists of two parts: the ISO 17799 code of practice and the BS 17799-2 specification for an information security management system
  ◦ Identifies security controls needed for information systems in business environments
  ◦ Enables potential customers to evaluate organizations on their efforts toward securing data

control

A person can decide how his or her data can be collected, used, and shared with third parties

Role of NIST

Creates guidance that all federal agencies use for their information security programs
  ◦ Creates standards that agencies use to classify their data and IT systems
  ◦ Creates guidelines and minimum information security controls for IT systems
  ◦ Creates Federal Information Processing Standards (FIPSs) and Special Publications (SPs)

Standards Organizations

- National Institute of Standards and Technology (NIST)
- International Organization for Standardization (ISO)
- International Electrotechnical Commission (IEC)
- World Wide Web Consortium (W3C)
- Internet Engineering Task Force (IETF)
- Institute of Electrical and Electronics Engineers (IEEE)
- International Telecommunication Union Telecommunication Sector (ITU-T)
- American National Standards Institute (ANSI)
- ETSI Cybersecurity Technical Committee (TC CYBER)

SOX Oversight

SEC oversees and enforces most SOX provisions:
  • Mission is to protect investors and maintain the integrity of the securities industry
  • Has five commissioners who serve 5-year terms
  • Has 11 regional offices in the United States
SOX requires the SEC to review a public company's yearly and quarterly reports at least once every three years

privacy

a person's right to control the use and disclosure of his or her own personal information

National Security Systems (NSSs)

• Secured using a risk-based approach
• Include systems used for:
  • Intelligence activities
  • National defense
  • Foreign policy
  • Military activities
• Committee on National Security Systems (CNSS) oversees FISMA activities
• Use the same six-step process as the NIST RMF

Gramm-Leach-Bliley Act (GLBA)

◦ Addresses privacy and security of consumer financial information
◦ Federal Financial Institutions Examination Council (FFIEC) regulatory committee serves the U.S. banking community
◦ FFIEC Council developed a Cybersecurity Assessment Tool used to identify a bank or financial institution's cybersecurity maturity
◦ FFIEC complements a banking or financial organization's ongoing risk management program and cybersecurity implementations

ETSI Cyber Security Technical Committee (TC CYBER)

◦ Develops standards for information and communications technologies (ICT) that are commonly adopted by member countries in the European Union (EU)
◦ Standards cover both wired and various wireless communication technologies
◦ Cyber Security Technical Committee, called TC CYBER, centralizes all cybersecurity standards within ETSI committees
◦ Standards focus on security issues related to the Internet and the business communications it transports

International Telecommunication Union Telecommunication Sector (ITU-T)

◦ Is a United Nations agency responsible for managing and promoting information and technology issues
◦ Performs all ITU standards work and is responsible for ensuring the efficient and effective production of standards covering all fields of telecommunications for all nations
◦ Divides its recommendations into 26 separate series, each bearing a unique letter of the alphabet
◦ For example, switching and signaling recommendations are in the Q series

Payment Card Industry Data Security Standard (PCI DSS)

◦ Is an international standard for handling transactions involving payment cards
◦ Payment Card Industry Security Standards Council (PCI SSC) developed, publishes, and maintains the standard
◦ Formed by some of the largest payment card vendors, who created PCI DSS to protect payment card users from fraud and to preempt legislative requirements on the industry
◦ Requires layers of controls to protect all payment card-related information as it is processed, transmitted, and stored

US compliance laws

◦ Organizations entrusted with sensitive data should take steps to protect that data
◦ U.S. doesn't have one comprehensive data protection law
◦ Many federal data protection laws focus on specific types of data
◦ Require organizations to use security controls to protect the different kinds of data that they collect
◦ Laws are not optional

Sarbanes-Oxley Act

◦ Protects investors from financial fraud
◦ Applies to publicly traded companies that must register with the Securities and Exchange Commission (SEC)
◦ Requires companies to verify the accuracy of their financial information
◦ Section 404 requires an organization's executive officers to establish, maintain, review, and report on the effectiveness of the company's internal controls over financial reporting (ICFR)

SOX Control Certification Requirements

◦ A company must create, document, and test its ICFR
◦ It must report on its ICFR every year
◦ After a company makes its yearly report, outside auditors must review it to make sure the ICFR work
◦ ICFR are processes that provide reasonable assurance that an organization's financial reports are reliable
