Bill Franklin | Senior IT Auditor | [email protected] | October 28, 2009 | Information Privacy...
Post on 19-Dec-2015
2
Agenda
Introduction
Laws, Regulations, Industry Requirements
Federal Regulations
State Regulations
BREAK – 20 Minutes
PCI DSS Example
AICPA - Generally Accepted Privacy Principles (GAPP)
Case Studies / Discussion
Privacy Evaluation
Next Steps
Summary
3
Introduction
Lighthouse IT Compliance Group
Bill Franklin CISA, CGEIT, QSA
Senior IT Auditor
(978) 821-4863
http://www.lighthouseITCompliance.com
4
Introduction …
Knowledge and Experience
Highly Experienced Staff (15 to 25 Years in the Industry)
Certifications Include:
CISA – Certified Information Systems Auditor
CISSP – Certified Information Systems Security Professional
QSA – PCI Qualified Security Assessor
ASV – Authorized Scanning Vendor
CGEIT – Certified in the Governance of Enterprise Information Technology
CoBiT® 4 - Control Objectives for Information and related Technology
Utilize Industry Standard Frameworks and Best Practices Including:
CoBiT®
ISO
ITIL
5
Services Include:
IT Risk Assessments and Audits
External and Internal Network Scanning
Business Continuity Planning / Disaster Recovery
Training & Education
PCI Compliance
ASV Scanning Solutions
QSA Services
PCI Remediation
SAS 70 Preparation
For More Information:
www.lighthouseITCompliance.com or www.lighthousecs.com
Introduction
6
Data Security
Privacy – Freedom from Unauthorized Intrusion
Merriam-Webster Dictionary
Security
Confidentiality – Private, Secret
Availability
Integrity
Merriam-Webster Dictionary
7
Privacy – What is it?
Definition
According to NIST (National Institute of Standards and Technology) information security is defined as “…protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability.” http://csrc.nist.gov/ Publication SP800-59
Privacy focuses on the unauthorized access, use, and disclosure part of the definition - confidentiality.
The definition of privacy/confidentiality for our purposes will be “Ensuring that information is accessible only to those authorized to have access,” as stated by ISO (International Standard Organization), http://www.iso.org.
8
Dangers of Identity Theft
9
Types of Risk (compass diagram)
Political, Geographic, Business
Unintended Events: Mismanagement, Human Errors, Accidents, Natural Disasters
Malicious Actions (Internal & External): Security Compromise, IT Fraud / Social Engineering, Hackers / Virus Attacks, Physical Vandalism
Planning, Control, Compliance, Monitoring, Remediation
Global in a World Made Flat by the Internet
10
N
S
EW
Malicious Risks – Who Would Do That?
Threat source: External | Internal | Internal and External | Team
Hackers - Viruses (International): X
Social Engineering (Confidence Man/Woman)
Employees with access to funds and confidential information: X
11
Data Breaches
• According to Verizon’s 2009 Data Breach Investigations Report, Data Breach statistics for 2009 closely resemble the stats from 2008
• Data Breaches continue to originate from external sources
• Breaches linked to business partners fell for the first time in years
• Breaches caused by insiders are still very high
• The predominance of total records lost was attributed to outsiders
• 91 percent of all compromised records were linked to organized criminal groups
12
Laws
Regulations
Requirements
Privacy – Confidentiality - Security
Rules
13
Mitsubishi Corp. (New York, NY)
14
Analysis of Worst Breaches
June 2009
Dr. Peter Tippett, VP of Technology and Innovation at Verizon Business
A report on actual data from investigations of over 600 cases of computer crime that were the worst in the world
“The quick, short story for the bank and financial industries this year is they have had an increase in organized crime and they were entirely focused at the financial sector, very focused. We saw an increase in sophisticated tool use. But the good news is that in all of those cases, they got in through some easy way. They got in somewhere on a non-sensitive, non-critical device where the password was password, or where it wasn't patched two years ago, or where it was a little SQL injection attack.”
www.BankInfoSecurity.com
15
What’s the Difference
Law or Legal Requirement
Government Regulation
Industry Requirement
16
Legal Requirement
The LAW http://dictionary.law.com
1) Any system of regulations to govern the conduct of the people of a community, society or nation, in response to the need for regularity, consistency and justice based upon collective human experience.
2) A statute, ordinance or regulation enacted by the legislative branch of a government and signed into law, or in some nations created by decree without any democratic process.
Protect Against / Penalties for:
• Fraud
• Embezzlement
• Money Laundering
= Prison Time
17
Regulations
18
Industry Requirements
− Certify that an organization meets certain standards to ensure a required level of competence in a particular area
− Individuals and businesses using their products and services can rely on this certification to verify the organization’s competence.
19
Industry Requirements
It’s not just the IT industry that has these requirements:
− Extractive Industry: Mineral & Petroleum (Explosives) – Really important when you’re handling dynamite.
− Manure Management: Beef Cattle Industry – Who knew there were requirements for this?
− PCI DSS: Payment Card Industry Data Security Standards – Here’s something that’s relevant to us.
What do these pictures have in common?
20
Remember
Your Requirements
− Not only is your business affected by Privacy Laws, Regulations and Requirements …
− You as an Individual and Consumer are affected as well
− Think about YOUR personal information being compromised
− Threats are no longer just Local, they are International
21
Federal Regulations
22
GLBA - Gramm-Leach-Bliley Act
This is the nation's first effort to enact restrictions on the sharing and sale of consumers’ personal financial information.
23
GLBA - Areas of the Organization Affected
• Consumer Compliance
• Information Systems
24
GLBA
The privacy of consumers' financial information became relevant to regulatory agencies when lawmakers passed the Gramm-Leach-Bliley Act, which was signed into law on November 12th, 1999.
The focus of the act was to modernize the nation's financial industries by breaking down barriers between banking and related areas such as securities and insurance.
25
GLBA
• The GLBA primarily sought to "modernize" financial services -- that is, end regulations that prevented the merger of banks, stock brokerage companies, and insurance companies.
• The removal of these regulations, however, raised significant risks that these new financial institutions would have access to an incredible amount of personal information, with no restrictions upon its use.
26
GLBA
• Prior to GLBA, the insurance company that maintained your health records was distinct from the bank that mortgaged your house and the stockbroker that traded your stocks.
• Once these companies merge, however, they would have the ability to consolidate, analyze and sell the personal details of their customers' lives.
27
Safe Harbor
• In order to bridge the different privacy approaches and provide a streamlined means for U.S. organizations to comply with the Directive imposed by the European Commission, the U.S. Department of Commerce, in consultation with the European Commission, developed a “Safe Harbor” framework.
• The Safe Harbor—approved by the EU in 2000—is an important way for U.S. companies to avoid experiencing interruptions in their business dealings with the EU or facing prosecution by European authorities under European privacy laws. Certifying to the safe harbor will assure that EU organizations know that your company provides "adequate" privacy protection, as defined by the Directive.
28
GLBA
• Because of these risks, the GLBA included three simple requirements to protect the personal data of individuals:
1. First, banks, brokerage companies, and insurance companies must securely store personal financial information
2. Second, they must advise you of their policies on sharing of personal financial information
3. Third, they must give consumers the option to opt-out of some sharing of personal financial information
29
HIPAA
HIPAA - Health Insurance Portability and Accountability Act
• National health information privacy standards issued by the U.S. Department of Health and Human Services (DHHS), pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
• The HIPAA Privacy Rule (Standards for Privacy of Individually Identifiable Health Information) provides the first national standards for protecting the privacy of health information.
30
HIPAA
• The Privacy Rule regulates how certain entities, called covered entities, use and disclose certain individually identifiable health information, called protected health information (PHI). PHI is individually identifiable health information that is transmitted or maintained in any form or medium (e.g., electronic, paper, or oral), but excludes certain educational records and employment records.
31
HITECH
• HITECH - Health Information Technology for Economic and Clinical Health Act
• Series of privacy and security provisions that expand the current requirements under HIPAA
32
HIPAA Information Stolen
33
NAIC – National Association of Insurance Commissioners
• The NAIC adopted the Privacy of Consumer Financial and Health Information Model Regulation on September 26, 2000.
• The model regulation was drafted in response to requirements set forth in Title V of the Gramm-Leach-Bliley Act (GLBA). GLBA calls on the state insurance regulators to issue regulations protecting the privacy of insurance consumers’ personal information.
• Importantly, the NAIC model privacy regulation also includes special protections for health information. The regulation requires insurance companies and agents to get your affirmative consent before sharing health information with any other entity.
34
Family Educational Rights and Privacy Act (FERPA)
• The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
• FERPA gives parents certain rights with respect to their children's education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are "eligible students."
35
ID Theft Red Flags … Federal Trade Commission
• The Fair and Accurate Credit Transaction Act (the FACT Act), which amends the Fair Credit Reporting Act (FCRA), establishes numerous requirements that provide protection for the victims of identity theft, provide more information to consumers about credit reports and credit scoring, limit sharing of information with affiliates, and protect consumer medical and other information.
FIGHTING FRAUD WITH THE RED FLAGS RULE
A How-To Guide for Business
http://www.ftc.gov/redflagsrule
http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus23.pdf
36
ID Theft Red Flags …
Overview
The Red Flags Rule sets out how certain businesses and organizations must develop, implement, and administer their Identity Theft Prevention Programs.
Your Program must include four basic elements, which together create a framework to address the threat of identity theft.
37
ID Theft Red Flags …
Who Must Comply …
The Red Flags Rule applies to “financial institutions” and “creditors.”
The Rule requires you to conduct a periodic risk assessment to determine if you have “covered accounts.”
You need to implement a written program only if you have Covered Accounts.
38
ID Theft Red Flags …
Who Must Comply
It’s important to look closely at how the Rule defines “financial institution” and “creditor” because the terms apply to groups that might not typically use those words to describe themselves.
For example, many non-profit groups and government agencies are “creditors” under the Rule.
The determination of whether your business or organization is covered by the Red Flags Rule isn’t based on your industry or sector, but rather on whether your activities fall within the relevant definitions.
39
ID Theft Red Flags …
First, your Program must include reasonable policies and procedures to identify the “red flags” of identity theft you may run across in the day-to-day operation of your business.
Red flags are suspicious patterns or practices, or specific activities, that indicate the possibility of identity theft.
For example, if a customer has to provide some form of identification to open an account with your company, an ID that looks like it might be fake would be a “red flag” for your business.
40
ID Theft Red Flags
Second, your Program must be designed to detect the red flags you’ve identified.
For example, if you’ve identified fake IDs as a red flag, you must have procedures in place to detect possible fake, forged, or altered identification.
Third, your Program must spell out appropriate actions you’ll take when you detect red flags.
Fourth, because identity theft is an ever-changing threat, you must address how you will re-evaluate your Program periodically to reflect new risks from this crime.
41
State Regulations
42
State Privacy Regulations
• The State Security Breach Laws were enacted to protect the confidential personal information of consumers.
• The laws require that when an individual or a commercial entity that conducts business in a state, and that owns or licenses computerized data that includes personal information about a resident of that state, becomes aware of a breach of the security of its computer system, the business or entity should conduct a prompt investigation to determine if personal information has been compromised and assess the risk of misuse.
43
State Privacy Regulations
• The law also requires the individual or the commercial entity provide notice as soon as possible to the affected state resident unless the investigation determines that the misuse of information about a state resident has not occurred and is not reasonably likely to occur.
44
State Privacy Regulations
• In addition to Federal regulations, various states are enacting privacy regulations. The following slides provide information on various state privacy legislation.
• Forty-four states, the District of Columbia, Puerto Rico and the Virgin Islands have now enacted legislation requiring that companies and/or state agencies disclose to consumers security breaches involving personal information.
45
State Privacy Regulations
46
State Privacy Regulations
47
Rhode Island – Banking & Insurance Protection
CHAPTER 27-58 The Banking And Insurance Consumer Protection Act
§ 27-58-10
Confidential customer information.
A. As used in this section, unless the context requires otherwise:
1) "Customer" means a person with an investment, security, deposit, trust, or credit relationship with a financial institution; and
2) "Nonpublic customer information" means information regarding a person that has been derived from a record of a financial institution, including information concerning the terms and conditions of insurance coverage, insurance expirations, insurance claims, or insurance history of an individual. Nonpublic customer information does not include customer names, addresses or telephone numbers.
B.No financial institution shall use any nonpublic customer information for the purpose of selling or soliciting the purchase of insurance or provide the nonpublic customer information to a third party for the purpose of another's sale or solicitation of the purchase of insurance.
48
Rhode Island – Personal Information
§ 27-58-13 Penalties.
• Any person who violates the provisions of this chapter, or who fails to perform any duties imposed by this chapter, or who violates any administrative regulation promulgated pursuant to this chapter shall be liable for a civil penalty not to exceed the sum of one hundred dollars ($100) for each day which the violation continues, and in addition, may be concurrently enjoined from any further violations by the superior court upon petition of the insurance commissioner.
49
Rhode Island – Financial Information
REGULATION 99
PRIVACY OF CONSUMER FINANCIAL INFORMATION
A. Purpose. This Regulation governs the treatment of nonpublic personal financial information about individuals by all insurance licensees of the Rhode Island Department of Business Regulation. This Regulation:
1) Requires a licensee to provide notice to individuals about its privacy policies and practices;
2) Describes the conditions under which a licensee may disclose nonpublic personal financial information about individuals to affiliates and nonaffiliated third parties; and
3) Provides methods for individuals to prevent a licensee from disclosing that information.
50
Rhode Island – Financial Information
B. Scope. This Regulation applies to nonpublic personal financial information about individuals who obtain or are claimants or beneficiaries of products or services primarily for personal, family or household purposes from licensees. This Regulation does not apply to information about companies or about individuals who obtain products or services for business, commercial or agricultural purposes.
C. Compliance. A licensee domiciled in this state that is in compliance with this Regulation in a state that has not enacted laws or regulations that meet the requirements of Title V of the Gramm-Leach-Bliley Act (PL 102-106) may nonetheless be deemed to be in compliance with Title V of the Gramm-Leach-Bliley Act in the other state.
51
Rhode Island – Health Information
REGULATION 100
PRIVACY OF CONSUMER HEALTH INFORMATION
A. Purpose. This Regulation governs the treatment of individuals’ nonpublic personal health information by all insurance licensees of the Rhode Island Department of Business Regulation. This Regulation:
1) Describes the conditions under which a licensee may disclose nonpublic personal health information about individuals to affiliates and nonaffiliated third parties; and
2) Provides methods for individuals to prevent a licensee from disclosing that information.
B. Scope. This Regulation applies to all nonpublic personal health information.
C. Compliance. An insurance licensee that is in compliance with this regulation may be deemed to be in compliance with Title V of the Gramm-Leach-Bliley Act in a state which has not yet enacted laws or regulations that meet the requirements of Gramm-Leach-Bliley.
52
Rhode Island – Health Information
Section 7 Relationship to Federal Rules
Irrespective of whether a licensee is subject to the Health Insurance Portability and Accountability Act privacy rule as promulgated by the U.S. Department of Health and Human Services (the “federal rule”), if a licensee complies with all requirements of the federal rule except for its effective date provision, the licensee shall not be subject to the provisions of this Regulation.
53
Top 10 Tips – Preventing a Security Breach
www.scmagazineus.com
David Hobson, managing director of Global Secure Systems, August 12, 2008
1. Management sets the tone for their organizations by their own behavior. As such, good information practices are obligatory for all stakeholders, not just employees.
2. Be proactive – management should deal with information assurance issues proactively, rather than reactively, as information assurance is far more cost effective in a preventative rather than a remedial context.
54
Top 10 Tips – Preventing a Security Breach
3. Information assurance is a business issue, not something extra for IT to handle. IT simply does not have the resources and/or authority to drive information assurance best practices through their organizations.
4. Understand that information assurance is an ongoing process, not an annual event just before the auditors arrive.
5. Information assurance is everyone's job and as such investments in training and awareness programs for all employees are critical.
6. Management should set out the company's expectations with respect to information assurance in clear, accessible policies.
55
Top 10 Tips – Preventing a Security Breach
7. The process for dealing with information security incidents should be defined in straightforward and unambiguous procedures.
8. Investments need to be made in technology that will result in the secure transport and processing of information by the company's information technology assets.
9. Suitable best practices should be identified and implemented rather than ad hoc approaches.
10. Expert advice should be sought and used at all times to advise and oversee efforts in respect to information assurance from an experienced and objective third-party perspective.
56
Fourth Annual US Cost of Data Breach Study: Benchmark Study of Companies
Sponsored by PGP Corporation Independently conducted by Ponemon Institute LLC
Publication Date: January 2009
www.ponemon.org
57
Break – 20 Minutes
58
PCI DSS – Payment Card Industry Data Security Standard
Example – Protection of Sensitive Information
Application – Can be Applied to More Than Payment Card Data
59
Who / What Is PCI?
Payment Card Industry Data Security Standard
Global Standard (Standard Released in 2006 v1.1; October 2008 Revised Standard Released v1.2)
“The PCI Security Standards Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.”
“The PCI Security Standards Council’s mission is to enhance payment account data security by driving education and awareness of the PCI Security Standards.”
“The organization was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc.”
https://www.pcisecuritystandards.org/
60
PCI Security Standards Site
61
What Does PCI DSS Apply To?
Brands
MasterCard Worldwide
Visa, Inc.
American Express
Discover Financial Services
JCB International (Japanese)
Credit Cards
Debit Cards
Stored Value / Top Up (Replenished from a Credit or Debit Card)
62
Cardholder Data
Data Element | Storage Permitted | Protection Required | PCI DSS Req. 3.4 (Render PAN Unreadable Anywhere It Is Stored)
Cardholder Data:
Primary Account Number (PAN) | Yes | Yes | Yes
Cardholder Name (1) | Yes | Yes (1) | No
Service Code (1) | Yes | Yes (1) | No
Expiration Date (1) | Yes | Yes (1) | No
Sensitive Authentication Data (2):
Full Magnetic Stripe (3) | No | N/A | N/A
CAV2 / CVC2 / CVV2 / CID | No | N/A | N/A
PIN / PIN Block | No | N/A | N/A
(1) These data elements must be protected if stored in conjunction with the PAN. This protection must be per PCI DSS requirements for general protection of the cardholder environment. Additionally, other legislation (for example, related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of this data, or proper disclosure of a company's practices if consumer-related personal data is being collected during the course of business. PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted.
(2) Sensitive authentication data must not be stored after authorization (even if encrypted).
(3) Full track data from the magnetic stripe, magnetic image on the chip, or elsewhere.
63
3 PCI Security Standards …
www.pcisecuritystandards.org/pdfs/pcissc_overview.pdf
64
3 PCI Security Standards …
1. PED - PIN Entry Devices
Set of requirements and guidelines for vendors' PIN Entry Devices to ensure the security and confidentiality of payment card data.
Devices:
POS – Point of Sale
EPP – Encrypting PIN Pad
AFD – Automated Fuel Dispensers
65
3 PCI Security Standards …
2. PA DSS – Payment Application Data Security Standard
“… help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and ensure their payment applications support compliance with the PCI DSS. Payment applications that are sold, distributed or licensed to third parties are subject to the PA-DSS requirements.”
Software:
Payment – Back Office, Middleware, Switching
POS – Face to Face, Kiosk
Shopping Cart / Store Front
66
3 PCI Security Standards
3. PCI DSS – Payment Card Industry Data Security Standard
“… a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.”
Acceptance of Payment Card data – Process, Transmit, Store:
Merchants – Sell Goods or Services
Service Providers – Process, Transmit, Store Payment Card Data on Behalf of Another Organization
67
Who Needs To Comply?
If you handle payment card information
Process (Accept)
Transmit
Store
Payment Card Transactions
Internet
POS (Point of Sale)
Phone
Paper (In Person)
68
Structure
Brands
MasterCard, Visa, Amex, Discover, JCB
Acquiring Banks
Merchants
PCI Council / Service Provider
69
Levels
Merchant Levels
Determined by the Brand
Determines the Method of Compliance
Determines the Frequency of Compliance
If a Security Breach Occurs You Are Automatically a Level 1
Service Provider Levels
Generally a Level 1
Exceptions for lower volume providers
70
Merchant Level 1
Merchant Level | Criteria | Onsite Review (1, 3) | Self Assessment (3) | Network Security Scan (2, 3)
Level 1 American Express | 2.5 million American Express Card transactions or more per year; any merchant that has had a data incident; any merchant that American Express otherwise deems a Level 1 | Required Annually | Not Required | Required Quarterly
Level 1 Discover | Merchants processing over 6 million Discover Network card transactions annually; any merchant Discover Network determines to be a Level 1; merchants required by another payment brand to validate and report as a Level 1 | Required Annually | Not Required | Required Quarterly
Level 1 JCB | Merchants processing over 1 million JCB transactions annually; compromised merchants | Required Annually | Not Required | Required Quarterly
Level 1 MasterCard | Any merchant, including electronic commerce merchants, with more than 6 million total MasterCard transactions annually; any merchant that experienced a compromise of payment card data; any merchant meeting the Level 1 criteria of a competing payment brand; any merchant that MasterCard, at its sole discretion, determines should meet the Level 1 merchant requirements | Required Annually | Not Required | Required Quarterly
Level 1 Visa | Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year; any merchant that experienced a compromise of payment card data; any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system | Required Annually (Attestation of Compliance Form) | Not Required | Required Quarterly
71
Merchant Level 2
Merchant Level | Criteria | Onsite Review (1, 3) | Self Assessment (3) | Network Security Scan (2, 3)
Level 2 American Express | 50,000 to 2.5 million American Express Card transactions per year | Not Required | Required Annually | Required Quarterly
Level 2 Discover | Merchants processing 1 million to 6 million Discover Network card-not-present only transactions annually; merchants required by another payment brand to validate and report as a Level 2 merchant | Not Required | Required Annually | Required Quarterly
Level 2 JCB | Less than 1 million JCB transactions annually | Not Required | Required Annually | Required Quarterly
Level 2 MasterCard | All merchants with more than one million total MasterCard transactions but less than six million total transactions annually; all merchants meeting the Level 2 criteria of a competing payment brand | Not Required | Required Annually | Required Quarterly
Level 2 Visa | Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions per year | Not Required | Required Annually (Attestation of Compliance Form) | Required Quarterly
72
Merchant Level 3
Merchant Level | Criteria | Onsite Review (1, 3) | Self Assessment (3) | Network Security Scan (2, 3)
Level 3 American Express | Less than 50,000 American Express Card transactions per year | Not Required | Required Annually | Required Quarterly
Level 3 Discover | Merchants processing 20,000 to 1 million Discover Network card-not-present only transactions annually; merchants required by another payment brand to validate and report as a Level 3 merchant | Not Required | Required Annually | Required Quarterly
Level 3 JCB | NA | NA | NA | NA
Level 3 MasterCard | All merchants with annual MasterCard e-commerce transactions greater than 20,000 but less than one million total transactions; all merchants meeting the Level 3 criteria of a competing payment brand | Not Required | Required Annually | Required Quarterly
Level 3 Visa | Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year | Not Required | Required Annually | Required Quarterly
73
Merchant Level 4
(1) For Level 1 merchants, the annual onsite review may be conducted by either the merchant’s internal auditor or a QSA - Qualified Security Assessor.
(2) To fulfill the network scanning requirement, all merchants must conduct scans on a quarterly basis using an ASV - Approved Scanning Vendor.
(3) Level 4 Merchants are required to comply with the PCI Data Security Standard. Level 4 Merchants should consult their acquirer to determine if compliance validation is also required.
Merchant Level | Criteria | Onsite Review (1, 3) | Self Assessment (3) | Network Security Scan (2, 3)
Level 4 (3) American Express | NA | NA | NA | NA
Level 4 (3) Discover | All other Discover Network merchants | Not Required | Recommended Annually | Recommended Quarterly
Level 4 (3) JCB | NA | NA | NA | NA
Level 4 (3) MasterCard | All other merchants | Not Required | Recommended Annually | Recommended Quarterly
Level 4 (3) Visa | Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year | Not Required | Recommended Annually | Recommended Quarterly
74
PCI Validation Change
MasterCard Requiring ROC by a QSA for Level 2 Merchants
http://treasuryinstitute.org/blog/index.php?itemid=260
75
PCI Compliance Process
76
PCI DSS v 1.2 Confidential Information
77
PCI DSS v 1.2 (6 Areas, 12 Requirements)
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect Stored Data (Electronic)
4. Encrypt transmission of cardholder and sensitive information across public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and Maintain Secure Systems and Applications
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors
78
PCI DSS Requirements
The Numbers
6 Areas
12 High Level Requirements
62 Detail Level Requirements
Numerous Sub Requirements
79
PCI DSS – Build and Maintain a Secure Network
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration
2. Do not use vendor-supplied defaults for system passwords and other security parameters
1.1 - Establish firewall and router configuration standards
1.2 - Build a firewall configuration that restricts connections between untrusted networks and any system components in the cardholder data environment.
Note: An “untrusted network” is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity's ability to control or manage.
1.3 - Prohibit direct public access between the Internet and any system component in the cardholder data environment.
1.4 - Install personal firewall software on any mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization’s network.
80
PCI DSS - Build and Maintain a Secure Network
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration
2. Do not use vendor-supplied defaults for system passwords and other security parameters
2.1 - Always change vendor-supplied defaults before installing a system on the network (for example, include passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts).
2.2 - Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
2.3 - Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
2.4 - Shared hosting providers must protect each entity’s hosted environment and data. These providers must meet specific requirements as detailed in “Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers.”
81
PCI DSS - Protect Cardholder Data
Protect Cardholder Data
3. Protect Stored Data (Electronic)
4. Encrypt transmission of cardholder and sensitive information across public networks
3.1 - Keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.
3.2 - Do not store sensitive authentication data after authorization (even if encrypted).
3.3 - Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed).
3.4 - Render PAN, at minimum, unreadable anywhere it is stored (including data on portable digital media, backup media, in logs)
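Requirements 3.3 and 3.4 in working form, as an added example that is not part of the presentation: display masking to the first six and last four digits, and a truncated value plus a keyed one-way hash for storage, with a check that catches a full PAN left in log text. The PANs are standard test numbers and the HMAC key is a placeholder standing in for a key managed under 3.5 and 3.6.

```python
import hashlib
import hmac

# Placeholder only: a real key comes from the key-management process that
# requirements 3.5 and 3.6 demand, never from source code or a config file.
PLACEHOLDER_STORAGE_KEY = b"placeholder-key-managed-under-3.5-and-3.6"


def luhn_valid(pan: str) -> bool:
    """Mod-10 check: recognises well-formed card numbers (13-19 digits)."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan_for_display(pan: str) -> str:
    """Requirement 3.3: at most the first six and last four digits are shown."""
    digits = "".join(c for c in pan if c.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def render_pan_unreadable(pan: str, key: bytes = PLACEHOLDER_STORAGE_KEY) -> dict:
    """Requirement 3.4: the only PAN-derived values written to disk, logs or backups.

    The truncated value supports customer-service lookups; the keyed one-way
    hash lets repeat transactions on the same card be linked without keeping
    a table of real PANs. Neither field can be turned back into the PAN.
    """
    digits = "".join(c for c in pan if c.isdigit())
    digest = hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()
    return {"last4": digits[-4:], "pan_hmac": digest}


def safe_log_line(pan: str, amount: str) -> str:
    """Log entries carry the masked form only (3.4 names logs explicitly)."""
    return f"auth ok pan={mask_pan_for_display(pan)} amount={amount}"


def contains_full_pan(text: str) -> bool:
    """Audit check for 3.4: does this text still hold a Luhn-valid 13-19 digit run?"""
    run = ""
    for c in text + " ":            # trailing space flushes the final run
        if c.isdigit():
            run += c
            continue
        if run and luhn_valid(run):
            return True
        run = ""
    return False


if __name__ == "__main__":
    # Constructed test number (not a real account), as used in payment sandboxes.
    test_pan = "4111 1111 1111 1111"
    print(mask_pan_for_display(test_pan))                        # 411111******1111
    print(render_pan_unreadable(test_pan)["last4"])              # 1111
    print(contains_full_pan(safe_log_line(test_pan, "10.00")))   # False
```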
82
PCI DSS - Protect Cardholder Data
Protect Cardholder Data
3. Protect Stored Data (Electronic)
4. Encrypt transmission of cardholder and sensitive information across public networks
3.5 - Protect cryptographic keys used for encryption of cardholder data against both disclosure and misuse.
3.6 - Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data.
4.1 - Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.
4.2 - Never send unencrypted PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat).
83
PCI DSS - Maintain a Vulnerability Management Program
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and Maintain Secure Systems and Applications
5.1 - Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
5.2 - Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs.
6.1 - Ensure that all system components and software have the latest vendor-supplied security patches installed. Install critical security patches within one month of release.
6.2 - Establish a process to identify newly discovered security vulnerabilities (for example, subscribe to alert services freely available on the Internet). Update configuration standards as required by PCI DSS Requirement 2.2 to address new vulnerability issues.
84
PCI DSS - Maintain a Vulnerability Management Program
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and Maintain Secure Systems and Applications
6.3 - Develop software applications in accordance with PCI DSS (for example, secure authentication and logging) and based on industry best practices and incorporate information security throughout the software development life cycle.
6.4 - Follow change control procedures for all changes to system components.
6.5 - Develop all web applications (internal and external, and including web administrative access to application) based on secure coding guidelines such as the Open Web Application Security Project Guide. Cover prevention of common coding vulnerabilities in software development processes.
85
PCI DSS - Maintain a Vulnerability Management Program
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and Maintain Secure Systems and Applications
6.6 - For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks.
Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes.
OR
Installing a web-application firewall in front of public-facing web applications
86
PCI DSS - Implement Strong Access Control Measures
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign unique ID to each person with computer access
9. Restrict physical access to cardholder data
7.1 - Limit access to system components and cardholder data to only those individuals whose job requires such access.
7.2 - Establish a mechanism for system components with multiple users that restricts access based on a user’s need to know and is set to “deny all” unless specifically allowed.
8.1 - Assign all users a unique ID before allowing them to access system components or cardholder data.
87
PCI DSS - Implement Strong Access Control Measures
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign unique ID to each person with computer access
9. Restrict physical access to cardholder data
8.2 - In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users:
Password or passphrase
Two-factor authentication (for example, token devices, smart cards, biometrics, or public keys)
8.3 - Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. Use technologies such as remote authentication and dial-in service (RADIUS); terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates.
88
PCI DSS - Implement Strong Access Control Measures
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign unique ID to each person with computer access
9. Restrict physical access to cardholder data
8.4 - Render all passwords unreadable during transmission and storage on all system components using strong cryptography (defined in PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms).
8.5 - Ensure proper user authentication and password management for non-consumer users and administrators on all system components.
9.1 - Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
9.2 - Develop procedures to help all personnel easily distinguish between employees and visitors, especially in areas where cardholder data is accessible.
89
PCI DSS - Implement Strong Access Control Measures
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign unique ID to each person with computer access
9. Restrict physical access to cardholder data
9.3 - Make sure all visitors are handled as follows:
Authorized before entering areas where cardholder data is processed or maintained.
Given a physical token (for example, a badge or access device) that expires and that identifies the visitors as non-employees.
Asked to surrender the physical token before leaving the facility or at the date of expiration.
9.4 - Use a visitor log to maintain a physical audit trail of visitor activity. Document the visitor’s name, the firm represented, and the employee authorizing physical access on the log. Retain this log for a minimum of three months, unless otherwise restricted by law.
90
PCI DSS - Implement Strong Access Control Measures
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign unique ID to each person with computer access
9. Restrict physical access to cardholder data
9.5 - Store media backups in a secure location, preferably in an off-site facility, such as an alternate or back-up site, or a commercial storage facility. Review the location’s security at least annually.
9.6 - Physically secure all paper and electronic media that contain cardholder data.
9.7 - Maintain strict control over the internal or external distribution of any kind of media that contains cardholder data.
9.8 - Ensure management approves any and all media containing cardholder data that is moved from a secured area (especially when media is distributed to individuals).
91
PCI DSS - Implement Strong Access Control Measures
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign unique ID to each person with computer access
9. Restrict physical access to cardholder data
9.9 - Maintain strict control over the storage and accessibility of media that contains cardholder data.
9.10 - Destroy media containing cardholder data when it is no longer needed for business or legal reasons.
92
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes
PCI DSS - Regularly Monitor and Test Networks
10.1 - Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.
10.2 - Implement automated audit trails for all system components to reconstruct the following events:
All individual user accesses to cardholder data
All actions taken by any individual with root or administrative privileges
Access to all audit trails
Invalid logical access attempts
Use of identification and authentication mechanisms
Initialization of the audit logs
Creation and deletion of system-level objects
93
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes
PCI DSS - Regularly Monitor and Test Networks
10.3 - Record at least the following audit trail entries for all system components for each event:
User identification
Type of event
Date and time
Success or failure indication
Origination of event
Identity or name of affected data, system component, or resource
10.4 - Synchronize all critical system clocks and times.
10.5 - Secure audit trails so they cannot be altered.
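An audit trail that carries the six entry fields 10.3 lists and is hash-chained so that an edited, removed or inserted record is detectable (10.5), as an added example that is not part of the presentation. The events are constructed, and the design assumes the latest chain hash is kept somewhere the logging host itself cannot alter.

```python
import hashlib
import json
from typing import Dict, List, Optional, Tuple

# The entry fields PCI DSS 10.3 requires for every logged event.
REQUIRED_FIELDS = (
    "user_id",      # user identification
    "event_type",   # type of event
    "timestamp",    # date and time (from clocks synchronised per 10.4)
    "success",      # success or failure indication
    "origin",       # origination of event (host or source address)
    "target",       # identity or name of affected data, component or resource
)
GENESIS = "0" * 64   # prev_hash of the first entry


def entry_digest(record: Dict) -> str:
    """SHA-256 over every field except the entry's own hash, in canonical order."""
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only trail: each entry commits to the previous entry's hash."""

    def __init__(self) -> None:
        self.entries: List[Dict] = []
        self.head = GENESIS

    def append(self, **fields) -> Dict:
        missing = [f for f in REQUIRED_FIELDS if f not in fields]
        if missing:
            raise ValueError(f"entry is missing 10.3 fields: {missing}")
        record = {k: fields[k] for k in REQUIRED_FIELDS}
        record["prev_hash"] = self.head
        record["hash"] = entry_digest(record)
        self.entries.append(record)
        self.head = record["hash"]
        return record

    def verify(self, expected_head: Optional[str] = None) -> Tuple[bool, int]:
        """Return (ok, index of the first bad entry, or -1 when the chain is intact).

        A changed field breaks that entry's hash; a removed or inserted entry
        breaks the next entry's prev_hash; truncation at the tail is caught
        only by comparing against a head hash stored off the logging host.
        """
        prev = GENESIS
        for i, rec in enumerate(self.entries):
            if rec.get("prev_hash") != prev or entry_digest(rec) != rec.get("hash"):
                return False, i
            prev = rec["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, -1


def build_sample_trail() -> AuditTrail:
    """Constructed events covering several of the 10.2 categories."""
    trail = AuditTrail()
    trail.append(user_id="jsmith", event_type="cardholder_data_read",
                 timestamp="2009-10-19T08:01:02Z", success=True,
                 origin="10.0.5.21", target="orders.card_token")
    trail.append(user_id="admin", event_type="login",
                 timestamp="2009-10-19T08:02:10Z", success=False,
                 origin="203.0.113.7", target="pos-db1")
    trail.append(user_id="root", event_type="audit_log_read",
                 timestamp="2009-10-19T08:10:00Z", success=True,
                 origin="10.0.5.30", target="/var/log/audit/audit.log")
    return trail


if __name__ == "__main__":
    t = build_sample_trail()
    print(t.verify())                     # (True, -1)
    t.entries[1]["success"] = True        # simulate someone editing a record
    print(t.verify())                     # (False, 1)
```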
94
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes
PCI DSS - Regularly Monitor and Test Networks
10.6 - Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS).
Note: Log harvesting, parsing, and alerting tools may be used to meet compliance with Requirement 10.6.
10.7 - Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from back-up).
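A small daily-review pass over authentication and privilege events, the kind of log harvesting and alerting that the note on 10.6 allows, as an added example that is not part of the presentation. The log lines, their key=value format and the 10.0.5.0/24 administrative network are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample in a simple key=value format (real log formats vary).
SAMPLE_LOG = """\
2009-10-19T08:01:02Z host=pos-db1 src=10.0.5.21 user=jsmith event=login result=success
2009-10-19T08:02:10Z host=pos-db1 src=203.0.113.7 user=admin event=login result=failure
2009-10-19T08:02:12Z host=pos-db1 src=203.0.113.7 user=admin event=login result=failure
2009-10-19T08:02:14Z host=pos-db1 src=203.0.113.7 user=admin event=login result=failure
2009-10-19T08:02:16Z host=pos-db1 src=203.0.113.7 user=admin event=login result=failure
2009-10-19T08:02:18Z host=pos-db1 src=203.0.113.7 user=admin event=login result=failure
2009-10-19T08:02:20Z host=pos-db1 src=203.0.113.7 user=admin event=login result=success
2009-10-19T08:03:00Z host=pos-db1 src=203.0.113.7 user=admin event=sudo result=success
2009-10-19T08:10:00Z host=pos-db1 src=10.0.5.30 user=root event=sudo result=success
2009-10-19T08:11:00Z host=pos-db1 src=10.0.5.30 user=root event=audit_log_clear result=success
this line is not in the expected format and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>\S+) result=(?P<result>\S+)$"
)
ADMIN_NET = ipaddress.ip_network("10.0.5.0/24")              # assumed admin subnet
PRIVILEGED_EVENTS = {"sudo", "su"}                           # root/admin actions (10.2)
AUDIT_TRAIL_EVENTS = {"audit_log_read", "audit_log_clear"}   # access to audit trails (10.2)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Turn matching lines into dicts; anything unparseable is skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def review(events: List[Dict[str, str]], failure_threshold: int = 5) -> List[Dict[str, str]]:
    """Return the findings a reviewer should look at, each naming its rule and event."""
    findings: List[Dict[str, str]] = []
    failures = defaultdict(int)   # (src, user) -> consecutive failed logins

    def flag(rule: str, e: Dict[str, str]) -> None:
        findings.append({"rule": rule, "ts": e["ts"], "src": e["src"], "user": e["user"]})

    for e in events:
        key = (e["src"], e["user"])
        if e["event"] == "login":
            if e["result"] == "failure":
                failures[key] += 1
                if failures[key] == failure_threshold:
                    flag("repeated_failures", e)
            else:
                # A success right after a run of failures deserves a human look.
                if failures[key] >= 3:
                    flag("success_after_failures", e)
                failures[key] = 0
        elif e["event"] in PRIVILEGED_EVENTS and ipaddress.ip_address(e["src"]) not in ADMIN_NET:
            flag("privileged_from_untrusted_source", e)
        if e["event"] in AUDIT_TRAIL_EVENTS:
            flag("audit_trail_access", e)
    return findings


if __name__ == "__main__":
    for finding in review(parse_log(SAMPLE_LOG)):
        print(finding)
```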
95
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes
PCI DSS - Regularly Monitor and Test Networks
11.1 - Test for the presence of wireless access points by using a wireless analyzer at least quarterly or deploying a wireless IDS/IPS to identify all wireless devices in use.
11.2 - Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
Note: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV) qualified by Payment Card Industry Security Standards Council (PCI SSC). Scans conducted after network changes may be performed by the company’s internal staff.
96
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes
PCI DSS - Regularly Monitor and Test Networks
11.3 - Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). These penetration tests must include the following:
Network-layer penetration tests
Application-layer penetration tests
11.4 - Use intrusion detection systems, and/or intrusion prevention systems to monitor all traffic in the cardholder data environment and alert personnel to suspected compromises. Keep all intrusion detection and prevention engines up-to-date.
97
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes
PCI DSS - Regularly Monitor and Test Networks
11.5 - Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files, and configure the software to perform critical file comparisons at least weekly.
Note: For file-integrity monitoring purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. File-integrity monitoring products usually come pre-configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is the merchant or service provider).
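A baseline-and-compare pass of the kind 11.5 describes, as an added example that is not part of the presentation and not any file-integrity monitoring product's code. The critical file list and the files themselves are constructed in a temporary directory; a real deployment keeps the baseline off the monitored host and runs the comparison at least weekly.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths: Iterable[str]) -> Dict[str, str]:
    """Hash every critical file that exists; the result belongs off-host."""
    return {p: sha256_file(p) for p in paths if os.path.isfile(p)}


def compare_to_baseline(baseline: Dict[str, str], paths: Iterable[str]) -> Dict[str, List[str]]:
    """The periodic comparison (11.5): report modified, missing and unexpected files."""
    current = build_baseline(paths)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }


def run_demo() -> Dict[str, List[str]]:
    """Constructed scenario: one config edited, one removed, one unexpected file added."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed critical-file list; the last entry does not exist at baseline time.
        critical = ["sshd_config", "httpd.conf", "payment_app.cfg", "new_module.so"]
        full = {name: os.path.join(root, name) for name in critical}
        for name in ("sshd_config", "httpd.conf", "payment_app.cfg"):
            with open(full[name], "w") as f:
                f.write(f"# constructed contents of {name}\n")
        baseline = build_baseline(full.values())

        with open(full["sshd_config"], "a") as f:      # a configuration change
            f.write("PermitRootLogin yes\n")
        os.remove(full["payment_app.cfg"])              # a critical file removed
        with open(full["new_module.so"], "wb") as f:    # an unexpected new file
            f.write(b"\x7fELF constructed")

        result = compare_to_baseline(baseline, full.values())
        # Report basenames so the outcome does not depend on the temp path.
        return {k: [os.path.basename(p) for p in v] for k, v in result.items()}


if __name__ == "__main__":
    print(run_demo())
```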
98
PCI DSS - Maintain an Information Security Policy
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors
12.1 - Establish, publish, maintain, and disseminate a security policy that accomplishes the following:
Addresses all PCI DSS requirements.
Includes an annual process that identifies threats and vulnerabilities, and results in a formal risk assessment.
Includes a review at least once a year and updates when the environment changes.
12.2 - Develop daily operational security procedures that are consistent with requirements in this specification (for example, user account maintenance procedures, and log review procedures).
99
PCI DSS - Maintain an Information Security Policy
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors
12.3 - Develop usage policies for critical employee-facing technologies (for example, remote access technologies, wireless technologies, removable electronic media, laptops, personal data/digital assistants (PDAs), e-mail usage and Internet usage) to define proper use of these technologies for all employees and contractors.
12.4 - Ensure that the security policy and procedures clearly define information security responsibilities for all employees and contractors.
100
PCI DSS - Maintain an Information Security Policy
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors
12.5 - Assign to an individual or team the following information security management responsibilities:
Establish, document, and distribute security policies and procedures.
Monitor and analyze security alerts and information, and distribute to appropriate personnel.
Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
Administer user accounts, including additions, deletions, and modifications.
Monitor and control all access to data.
101
PCI DSS - Maintain an Information Security Policy
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors
12.6 - Implement a formal security awareness program to make all employees aware of the importance of cardholder data security.
Educate employees upon hire and at least annually.
Require employees to acknowledge at least annually that they have read and understood the company’s security policy and procedures.
12.7 - Screen potential employees (see definition of “employees” at 9.2 above) prior to hire to minimize the risk of attacks from internal sources.
For those employees such as store cashiers who only have access to one card number at a time when facilitating a transaction, this requirement is a recommendation only.
102
PCI DSS - Maintain an Information Security Policy
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors
12.8 - If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers, to include the following:
Maintain a list of service providers
Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess
Ensure there is an established process for engaging service providers including proper due diligence prior to engagement
Maintain a program to monitor service providers’ PCI DSS compliance status
12.9 - Implement an incident response plan. Be prepared to respond immediately to a system breach.
103
PCI DSS v 1.2 (6 Areas, 12 Requirements)
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect Stored Data (Electronic)
4. Encrypt transmission of cardholder and sensitive information across public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and Maintain Secure Systems and Applications
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors
104
QSA Audit Process
QSA - Qualified Security Assessor
SAQ - Self Assessment Questionnaire
ROC - Report On Compliance
105
External ASV Scanning Process
ASV - Approved Scanning Vendor
106
Scoring Results
Pass or Fail
107
Areas to Assess
Business Process – Flow of Payment Card Data
Wireless, Email, Encryption
Third Party Applications Run In-House
Proprietary Applications
Network Segmentation
Third Parties / Outsourcing
Compensating Controls
Documentation, Documentation, Documentation
108
Common Weaknesses …
Firewall and Router Configuration Documentation
Change Management Policy and Procedures
Firewalls and Routers
In General
Information Security Program
Lack of Annual Overall IT Risk Assessment and Remediation
109
Common Weaknesses …
Lack of Quarterly External Vulnerability Scan with an ASV
Patches
Upgrades
Lack of Quarterly Internal Vulnerability Scan
Open Ports
Unnecessary Services
Lack of Penetration Tests for Networks and Applications
110
Common Weaknesses …
No DMZ (Demilitarized Zone) for Web Applications Processing Payment Card Data
111
Common Weaknesses
Encryption of Cardholder Data
In Storage (PCI DSS 3.4)
During Transmission
Encryption Key Management
PCI DSS Section 6 - Biggest Change in PCI DSS 1.2
Application Firewall
Thorough Application Testing
Hackers are focusing more on Applications
Lack of Documentation
112
Penalties
Fines of up to $25,000 per month for Level 1 and Level 2 Merchants
Increased Transaction Fees
Possible Revocation of Privilege to Accept Payment Cards
In the Case of A Security Breach
Responsible for full scale forensic investigation and remediation costs
Must obtain PCI DSS Level 1 Compliance to continue accepting payment cards
Possible Cost of Reissuing Cards incurred by Banks, Credit Unions, etc…
Lack of consumer trust due to confidential data disclosures harming the organization's reputation and brand
113
PCI DSS Summary
PCI Council is put together by the Brands (Visa, MC, AMEX, Discover, JCB)
PCI Council Determines the Standards
Global Standard
Acquiring Banks enforce the standard
Determine Levels and Reporting Requirements
2 Parts to the PCI DSS
Audit - Full Audit by a QSA (Qualified Security Assessor) or SAQ (Self Assessment Questionnaire)
External Scan By an ASV (Approved Scanning Vendor)
PASS or FAIL
114
The Challenge
115
The Challenge - Sustainability
Prepare For Audit
Test And Remediate
Sustain Compliance
Improve
The Wall
Compliance
Governance
Performance Management
Address Compliance and Create Sustainability
116
IT Integrated Framework Solution - LEVERAGE
Integrated Governance Framework
[Diagram: regulatory and standard requirements (NAIC, State Privacy, GLBA, ID Theft Red Flags, HIPAA, NIST, PCI DSS), each with Requirement 1, Requirement 2, Requirement 3 ... Requirement n, are mapped to Control Solution 1 ... Control Solution n drawn from ISO 27002, CobiT® 4.1 and ITIL. Map Regulatory and Standard Requirements to IT Controls; IT Controls Address Multiple Requirements.]
117
AICPA - American Institute of Certified Public Accountants
118
AICPA - Generally Accepted Privacy Principles (GAPP)
Principle 1: Management This principle requires that the entity define, document, communicate, and assign accountability for its privacy policies and procedures.
Principle 2: Notice This principle requires that the entity provide notice about its privacy policies and procedures and identify the purpose for which personal information is collected, used, retained, and disclosed.
Principle 3: Choice and Consent This principle requires that the entity describe the choices available to the individual and obtain implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
119
AICPA - Generally Accepted Privacy Principles (GAPP)
Principle 4: Collection This principle requires that the entity collect personal information only for the purposes identified in the notice.
Principle 5: Use and Retention This principle requires that the entity limit the use of personal information to the purpose identified in the notice and for which the individual has provided implicit or explicit consent.
Principle 6: Access This principle requires that the entity provide individuals with access to their personal information for review and update.
120
AICPA - Generally Accepted Privacy Principles (GAPP)
Principle 7: Disclosure to Third Parties This principle requires that the entity disclose personal information to third parties only for the purposes identified in the notice and only with the implicit or explicit consent of the individual.
Principle 8: Security for Privacy This principle requires that the entity protect personal information against unauthorized access (both physical and logical).
Principle 9: Quality This principle requires that the entity maintain accurate, complete, and relevant personal information for the purposes identified in the notice.
Principle 10: Monitoring and Enforcement This principle requires that the entity monitor compliance with its privacy policies and procedures and have procedures to address privacy-related inquiries and disputes.
121
Case Study Review
122
Network Solutions (Herndon, VA)
July 24, 2009
•573,000 records
•Hackers have broken into Web servers owned by domain registrar and hosting provider Network Solutions, planting rogue code that resulted in the compromise of more than 573,000 debit and credit card accounts over the past three months.
•Network Solutions discovered that attackers had hacked into Web servers the company uses to provide e-commerce services - a package that includes everything from Web hosting to payment processing -- to at least 4,343 customers, mostly mom-and-pop online stores.
•The malicious code left behind by the attackers allowed them to intercept personal and financial information for customers who purchased from those stores.
123
American Express(New York, NY)
August 14, 2009
•Unknown number of records
•Some American Express card members' accounts may have been compromised by an employee's recent theft of data.
•The former employee has been arrested and the company is investigating how the data was obtained.
•American Express declined to disclose any more details about the incident.
•The company has put additional fraud monitoring and protection controls on the accounts at issue.
124
Individual Business Owner
October 18, 2009
•Phishing Email Sent to intercept email
From: [email protected] [mailto:[email protected]]
Sent: Monday, October 19, 2009 12:58 PM
Subject: The settings for the [email protected] mailbox were changed
Dear user of the dddd.com mailing service!
We are informing you that because of the security upgrade of the mailing service your mailbox ([email protected]) settings were changed. In order to apply the new set of settings click on the following link:
<http://dddd.com.vvverfq.co.uk/owa/service_directory/[email protected]&from=dddd.com&fromname=xxxxxxxx.xxxxx> http://dddd.com/owa/service_directory/[email protected]&from=dddd.com&fromname=xxxxxxxx.xxxxx
Best regards, dddd.com Technical Support.
125
University of California Berkeley School of Journalism (Berkeley, CA)
May 7, 2009
•493 records
•Campus officials discovered during a computer security check that a hacker had gained access to the journalism school's primary Web server.
•The server contained much of the same material visible on the public face of the Web site.
•However, the server also contained a database with Social Security numbers and/or dates of birth belonging to 493 individuals who applied for admission to the journalism school between September 2007 and May 2009.
126
Johns Hopkins (Baltimore, MD)
May 12, 2009
•10,000 Records Compromised
•An investigation suggests a former employee who worked in patient registration may have been linked to a scheme to create fake drivers' licenses in Virginia.
•The employee had access to information such as name, address, telephone number, mother and fathers names, dates of birth and Social Security numbers, but not to any health or medical information.
127
Maine Office of Information Technology
June 4, 2009
•Through a printing error, 597 people receiving unemployment benefits last week got direct-deposit information including Social Security numbers belonging to another person.
•"We received a print job and were running it, and there was an equipment malfunction," Thompson said.
•"In restarting the piece of equipment, a mistake was made and it started one page off. It was an error and our quality assurance didn't pick it up."
•Recipients received one page with their own information and another page with information belonging to a different person.
128
Quick Privacy Evaluation
129
Privacy Evaluation Handout
Are the Businesses You Frequent or Work for Exposing You to an Identity Thief?
Assign 1 point for each NO answer.
Each item illustrates what businesses can do to prevent identity theft. If they are not, it may be time for you to speak up.
If you weren't sure of some of the answers-perhaps you should be asking more questions at work and where you do business.
It's your responsibility to be an ID-theft-aware consumer as well.
The Higher the Score the More Risk
www.onguardonline.gov/games/overview.aspx
130
Next Steps …
Assess
Prioritize
Classify
Training
Monitor
131
Next Steps …
1. Privacy Assessment / Audit
The first step is to assess the organization
Use Frameworks such as CoBiT, ISO, ITIL
Review Policies
Interview Staff
Walkthroughs / Observation
Understand the organization and types of Data in the Organization
132
Next Steps …
2. Prioritize Gaps
Prioritize highest risks to be remediated
Remediate issues
Create/update policies and procedures
Implement solutions to mitigate risks
133
Next Steps …
3. Data Classification
The data in the organization must be classified
Public to Private
As The Privacy requirements increase so do the Security requirements
Classify all types of data in the organization
134
Next Steps …
4. Perform Privacy Training
Create/Acquire Privacy Training for organization
Integrate Training with Company Policies
Consider Training options
– Onsite
– Online
– Mix of Both
Train the entire Staff – On-Going
135
Next Steps …
5. Monitor
Monitor all facets of the program
Evaluate new threats and changes to IT and Business
Update policies, procedures & training
Continue to improve on an ongoing basis
136
Summary - Be Smart
$$ Educate – (free webinars)
$$ Implement a repeatable process / framework
$$ Perform a Risk Assessment – Not just A Gap Analysis
$$ Common Policies and Procedures that comply with PCI DSS, GLBA, FERPA, HIPAA, State Privacy, etc…
137
Summary - Be Smart
$$ Regular External and Internal Vulnerability Scans (reduced pricing for extended years)
$$ Leverage Outsourcing (Co-ops etc…)
$$ Identify what you can do
$$ Ask yourself:
“Do we really need to store this information?”, and
“Who really needs this access?”
138
Research Sources
• Federal Trade Commission - www.ftc.gov
• The Federal Financial Institutions Examination Council (FFIEC) - www.ffiec.gov
• The AICPA's Information Technology Center - http://www.aicpa.org
• ISACA - www.isaca.org
• Maine Legislature - www.maine.gov
• Identity Theft Resource Site - www.IDtheft.gov
• Privacy Rights Organization - www.privacyrights.org