The Emerging Trend Toward Programmatic Information Security Management, presented by Brad Bolin, Senior Security Consultant, Shavlik Technologies, LLC

Upload: claire-jacobs

Post on 26-Mar-2015


TRANSCRIPT

  • Slide 1
The Emerging Trend Toward Programmatic Information Security Management
presented by Brad Bolin, Senior Security Consultant, Shavlik Technologies, LLC
Information Security Law Update

  • Slide 2
Property of Shavlik Technologies www.shavlik.com
Regulatory Timeline

  • Slide 3
Spending is Up, Compliance is Critical
    - The majority of IT Executives believe that overall IT spending will increase over the next 12 months and that compliance with government laws and regulations is one of the key drivers.
    Source: Network World 500 Research Study, 2004

  • Slide 4
Spending is Up, Compliance is Critical
    - Chief Security Officers identify compliance as the #1 factor driving security investment in their companies
    - The amount of time spent by IT and Security Professionals and Managers (YOU!) on compliance-related activities is steadily increasing
    Source: CSO Security Sensor VI Report, CSO Magazine (2004)

  • Slide 5
Information Security Programs
    - Patterns
    - Responses
    - Predictions

  • Slide 6
Public Sector Regulation
    - Privacy Act of 1974
    - Computer Security Act of 1987
    - Federal Information Security Management Act of 2002

  • Slide 7
Privacy Act
    Privacy Act of 1974

  • Slide 8
Privacy Act of 1974
    - Requires the use of appropriate administrative, technical and physical safeguards to ensure the security and confidentiality of records.
    - Addresses controls (safeguards) only
    - Does not require the agency to take a programmatic approach to information security

  • Slide 9
Computer Security Act
    Computer Security Act of 1987

  • Slide 10
Computer Security Act of 1987
    Program Requirements:
    - Documented
    - Risk-based: safeguards commensurate with the risk and magnitude of the harm resulting from loss of CIA
    - Periodic review, revised annually as necessary
    Administrative, Technical and Physical Controls:
    - Security Awareness and Training

  • Slide 11
FISMA
    Federal Information Security Act of 2002

  • Slide 12
FISMA builds upon and extends the requirements of the Computer Security Act of 1987
    - Requires agencies to develop, document, and implement an agencywide information security program
    Program Requirements:
    - Risk-based
    - Documented
    - Management sponsorship
    - Periodic testing and reporting (no less than annually)
    - Strategic policies and procedures
    - Program improvement
    Administrative, Technical and Physical Controls:
    - Security awareness and training
    - Subordinate plans for securing networks, facilities, and systems
    - Incident response procedures
    - Disaster recovery plans
    (Diagram labels: Federal Information Security Act; Program Development & Maintenance; Control Measures)

  • Slide 13
Laws Affecting the Private Sector
    - Gramm-Leach-Bliley Act
    - Health Insurance Portability and Accountability Act
    - Sarbanes-Oxley Act
    - Federal Trade Commission Act, Section 5

  • Slide 14
Sidebar: Laws v. Regulations
    (Diagram label: RULES)

  • Slide 15
GLBA
    Gramm-Leach-Bliley Act

  • Slide 16
Gramm-Leach-Bliley Act
    Several federal agencies have issued rules/regulations under the Act:
    - Securities and Exchange Commission
    - Federal Banking Agencies
    - Federal Trade Commission

  • Slide 17
Federal Banking Agencies
    Interagency Guidelines for Safeguarding Customer Information (GLBA)

  • Slide 18
Federal Banking Agencies Interagency Guidelines
    Program Requirements:
    - Management Involvement
    - Documented
    - Risk-based
    - Program maintenance and improvement
    - Appropriate to size and complexity of organization
    - Designated program coordinator
    - Third party oversight

  • Slide 19
Federal Banking Agencies Interagency Guidelines
    Administrative, Technical and Physical Controls:
    - Incident response procedures
    - Intrusion detection systems
    - Security training and awareness
    - Access controls, including authentication and authorization mechanisms
    - Physical access restrictions
    - Encryption of customer information in transit and at rest
    - System change control procedures
    - Personnel security measures
    - Environmental protection measures
    - Periodic control testing, conducted or reviewed by independent staff or third parties

  • Slide 20
Federal Trade Commission
    Standards for Safeguarding Customer Information (GLBA)

  • Slide 21
Gramm-Leach-Bliley Act: FTC Standards
    - A written information security program is required, but less robust than the Interagency Guidelines
    Program Requirements:
    - Management Involvement
    - Documented
    - Risk-based
    - Third party oversight
    Administrative, Technical and Physical Controls:
    - Security Awareness and Training
    - Intrusion detection and response
    - Information processing, storage, transmission and disposal procedures

  • Slide 22
HIPAA
    Health Insurance Portability and Accountability Act

  • Slide 23
Dept of Health & Human Services
    Security Standards; Final Rule

  • Slide 24
HIPAA Required Implementation Specifications
    Program Requirements:
    - Management involvement
    - Documented
    - Risk-based
    - Designated program coordinator
    - Third party management
    - Appropriate to the size and complexity of organization
    Administrative, Technical and Physical Controls:
    - Authentication mechanisms
    - Incident Response Procedures
    - Contingency Plans (Disaster Recovery, etc.)
    - Audit Controls
    - Access Control
    - Information processing, storage, transmission and disposal procedures
    - Workstation use
    - Workstation security

  • Slide 25
SOX
    Sarbanes-Oxley Act

  • Slide 26
Sarbanes-Oxley Act (SOX)
    Source: Newsweek Magazine

  • Slide 27
Sarbanes-Oxley Act
    - Due in part to the fact that violations can land executives in jail, SOX compliance efforts are taken very seriously
    Source: Unknown

  • Slide 28
Sarbanes-Oxley Act
    - Section 404 of the SOX Act requires management to assess internal controls over financial reporting on a yearly basis, and to have their assessment attested to by an independent auditor
    - Neither the Act nor the SEC's rules mention information security or information technology; however, financial reporting is inextricably linked to information technology in most modern corporations

  • Slide 29
Sarbanes-Oxley Act
    - The term "internal control" has been interpreted to include IT general controls and application controls
    - Application controls address the specific applications that support financial reporting within an organization
    - IT general controls address the underlying computing infrastructure, including everything from physical and logical network security, database management, system development, and change management, to disaster recovery

  • Slide 30
Sarbanes-Oxley Act
    - Although a written security program is not required, documentation is paramount!
    - Companies must "generate and maintain evidential matter, including documentation, to provide reasonable support for management's assessment of the effectiveness of the company's internal control over financial reporting."
    - This evidential matter is one of the most important bases for the independent auditor's report
    - If SOX compliance activities are to be cost-efficient, they must be reduced to coordinated, documented, repeatable processes: in other words, an information security (and technology) program.

  • Slide 31
FTC Act
    Federal Trade Commission Act

  • Slide 32
FTC Enforcement Action: Tower Records
    Tower Records maintained a privacy policy on its website:
    (policy text not captured in the transcript)

  • Slide 33
FTC Enforcement Action: Tower Records
    (Diagram labels: TOWERRECORDS.COM CHECK-OUT INTERFACE; Application Component #1; Application Component #2; Order Status Application; Re-Written Order Status Application)

  • Slide 34
FTC Enforcement Action: Tower Records
    The FTC argued that:
    - TowerRecords.com had made a promise to their customers
    - They violated their own policy due to inadequate security measures
    Tower Records argued that it had taken reasonable measures to secure its systems
    The FTC countered:
    - Information on closing the vulnerabilities that resulted in the violation (user account and session management) had been available to the public since at least 2000.
    The result?

  • Slide 35
FTC Enforcement Action: Tower Records
    Tower Records ordered to implement and maintain a comprehensive information security program
    Program requirements:
    - Management involvement
    - Designated program coordinator
    - Risk-based
    Administrative, technical and physical controls:
    - Security awareness and training
    - Information systems controls
    - Network and software design
    - Information processing, storage, transmission, and disposal
    - Intrusion detection

  • Slide 36
FTC Enforcement Action: Tower Records
    - Tower Records was also required to obtain an independent assessment of the effectiveness of their program every 6 months

  • Slide 37
Sidebar: Negligence Liability
    - Existing information security and privacy legislation is often criticized for lacking a private cause of action; citizens can't sue
    - A common law negligence action is one way in which private citizens might obtain redress for injuries done to them due to careless security practices
    Elements of a Negligence Action:
    - Duty of Care
    - Breach of Duty of Care
    - Damages
    - Proximate Cause
    Signposts on the road:
    - FTC Enforcement Actions
    - SB 1386

  • Slide 38
Other Government (In)Actions
    - Proposed Corporate Information Security Accountability Act
    - The National Strategy to Secure Cyberspace

  • Slide 39
Proposed Corporate Information Security Accountability Act
    - In late 2003, Representative Adam Putnam, Chairman of the House Subcommittee on Information Policy, developed draft legislation entitled the Corporate Information Security Accountability Act
    - Would have required publicly-traded companies to include an independently-certified assessment of their security in each annual report

  • Slide 40
Proposed Corporate Information Security Accountability Act
    Program requirements:
    - Management involvement
    - Documented
    - Risk-based
    - Periodic testing and evaluation of the program
    - Policies and procedures
    - Independent program auditing
    Administrative, Technical and Physical Controls:
    - Asset inventories
    - Incident response plans
    - Business continuity plans
    It never progressed beyond draft status. What happened???

  • Slide 41
Proposed Corporate Information Security Accountability Act
    - Putnam solicited feedback on the legislation from a variety of individuals, companies and trade associations.
    - Based on that feedback, Putnam postponed introduction of the legislation and formed the Corporate Information Security Working Group (CISWG)
    - CISWG developed recommendations for improving security in the private sector without government intervention

  • Slide 42
The National Strategy to Secure Cyberspace

  • Slide 43
The National Strategy to Secure Cyberspace
    - "Enterprises require clearly articulated, active information security policies and programs to audit compliance with cybersecurity best practices."
    - The position of the Bush Administration is that "federal regulation will not become a primary means of securing cyberspace[.]"
    - Anchored in the belief that companies will do the right thing on their own

  • Slide 44
Industry Reactions
    - The number of companies reporting that they possessed an established security policy and auditing process decreased in 2004
    Source: State of the CSO, 2004 (CSO Magazine)

  • Slide 45
Industry Reactions
    - Fewer CSOs believe that security is considered a routine part of business operations in 2004
    Source: State of the CSO, 2004 (CSO Magazine)

  • Slide 46
Industry Reactions
    - The majority of information security managers would actually welcome a law requiring minimum security practices
    Source: Information Security Magazine Survey, 2003

  • Slide 47
What Does the Market Believe?
    - The evolution of public and private-sector regulations suggests that information security program requirements will continue to become increasingly elaborate
    - However, the postponement of Putnam's Act and the Nat'l Strategy to Secure Cyberspace indicate a reluctance to legislate
    - What does the market believe?

  • Slide 48
Businesses Expect a Change (MD&A)
    - Management's Discussion and Analysis of Financial Conditions and Results of Operations (MD&A)
    - Required part of annual or interim financial statements for publicly-held companies
    - Recent MD&As are filled with predictions of increased regulation and associated compliance costs

  • Slide 49
Businesses Expect a Change (MD&A): PayPal
    "In the future, we might be subjected to:
    - State or federal banking regulations;
    - Financial services regulations or laws governing other regulated industries; or
    - U.S. and international regulation of Internet transactions.
    If we are found to be in violation of any current or future regulations, we could be:
    - exposed to financial liability;
    - forced to change our business practices; or
    - forced to cease doing business altogether"

  • Slide 50
Information Security Programs
    - Patterns
    - Responses
    - Predictions

  • Slide 51
Patterns
    The critical elements that appear in nearly every law/regulation:
    - Management involvement
    - Risk-based approach
    - Documented
    - Strategic policies and procedures
    - Independent auditing
    - Appropriate to size and complexity of organization
    Essential administrative, technical and physical controls to mitigate risk:
    - Incident Response Plan
    - Disaster Recovery Plan
    - Third Party Oversight Measures
    - Information processing, storage, transmission and disposal procedures
    - Access Controls (administrative and technical)
    - Physical & Environmental Security Controls

  • Slide 52
Responses
    - Develop a comprehensive, documented information security program that includes the elements we've identified, and maintain it
    - Appropriate to size and complexity
    - One example is British Standard 7799 Part 2 (BS 7799-2:2002), defining Information Security Management Systems

  • Slide 53
Predictions
    - Based on previous laws and regulations, we can predict that future legislative actions will continue to elaborate upon the comprehensive information security program model
    - Laws and regulations initially targeted government entities only; their reach has now extended to include business organizations, and it could possibly even be extended to include individual citizens (think Nat'l Strategy)
    - Data privacy will continue to be a critical driver of new legislation, but general system integrity will also begin to play a role

  • Slide 54
Thank you very much!
    If you have any questions about my presentation, I can be reached at [email protected]