
Page 1: USENIX:LISA 2004 GOOD POINT Information Security Laws & What They Mean For You John Nicholson John.Nicholson@ShawPittman.com

USENIX:LISA 2004

GOOD POINT

Information Security Laws & What They Mean For You

John Nicholson

John.Nicholson@ShawPittman.com

Page 2:

What are we going to talk about?

Legal Basics - Laws, Regulations and Other Similar Things

Federal Information Security Rules

State Information Security Rules

Enforcement Actions

Your Questions and Comments

Page 3:

Part I

Legal Basics: Laws, Regulations and Other Things

Page 4:

Why does any discussion of the law have to be so complicated?

“Okay, um, the law is like an onion.”

“Oh, it’s stinky?”

“Yes! No!”

“It makes you cry?”

“No! The law has layers! Onions have layers and the law has layers!”

“Oh, layers. They both have layers. You know, not everybody likes onions.”

Page 5:

“7-Layer Model” of Legal Controls

US Constitution

Federal Laws/International Treaties

Federal Regulations

Executive Orders

State Constitution

State Laws

State Regulations

Courts shown alongside the layers: US Supreme Court, US Federal Courts, State Courts

Page 6:

What’s the difference between Federal laws and State laws?

Under the US Constitution, the Federal government has limited powers.

Powers not reserved to Congress are retained by the States.

When passing laws, Congress may “preempt” States from acting in a particular area.

– States may be prohibited from passing any laws in the preempted area OR

– The Federal law may be the minimum/maximum standard and States are permitted to be more/less stringent.

Page 7:

Why is preemption important to IT?

Preemption enables Congress to ensure similarity of laws across the States

When dealing with a service (i.e., the Internet) that crosses State lines, Federal laws/regulations ensure that everyone is treated the same (or at least understands the minimum standard)

Page 8:

Why does preemption matter to you?

Multiple layers of laws and regulations. Depending on where you are in the US, you may be subject to different regulatory schemes.

For example, California has been very active in passing data privacy and security laws. If your organization operates in California (or you gather information about Californians) you may be subject to California’s laws.

Page 9:

What’s the difference between Federal laws and regulations?

Federal laws are bills that are passed by Congress and signed into law by the President.

Laws generally specify what is required, but not how it should be done.

Laws generally specify which entity within the Executive Branch is responsible for drafting regulations to implement the law.

Laws are frequently vague and can be ambiguous.

Page 10:

Information Security-Related Federal Laws

Federal Information Security Management Act of 2002 (“FISMA”)

Gramm-Leach-Bliley Act (“GLBA”)

Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)

Sarbanes-Oxley Act

USA PATRIOT Act

Counterfeit Access Devices and Computer Fraud and Abuse Act of 1984 (“CFAA”)

Electronic Communications Privacy Act (“ECPA”)

Page 11:

What are Regulations?

• Regulations are promulgated by agencies like Office of Management and Budget, Dept. of Health and Human Services, etc.

• Frequently written with assistance from industry.

• Subject to public comment before taking effect.

• Published in the Federal Register.

Regulations implement laws.

Page 12:

What are Executive Orders?

An order having the force of law issued by the President to the army, navy, or other part of the executive branch of the government.

Generally in areas where Congress has delegated authority to the President or where Congress hasn’t acted.

Executive Orders are directions from the President to the Executive Branch.

Page 13:

How do State laws and regulations differ?

Generally only apply to activities in that state (but California is changing this).

Are subject to preemption by Federal laws.

Must also comply with the relevant State constitution, which may be stricter than the US Constitution.

Page 14:

What is the role of the courts?

Courts interpret the law.

– Where laws are unclear or ambiguous, courts decide what the law really means.

Courts work in a hierarchy.

– US Supreme Court decides US Constitutional issues.

– Federal courts decide issues related to Federal laws and interstate issues.

– State courts generally decide State constitutional issues and intra-state issues.

– Federal and State courts must defer to US Supreme Court.

Page 15:

Part II

Federal Information Security “Rules” (Laws, Regulations and Executive Orders)

Page 16:

Federal Activities Related to Information Security

Major Federal responsibility is securing Federally owned/operated systems.

Federal government does not generally regulate security of non-government systems.

HOWEVER, the Federal government does require that certain types of information be protected.

Federal government working with industry regarding security of critical infrastructure.

Page 17:

Federal Laws We’re Going to Cover Today

Federal Information Security Management Act

Gramm-Leach-Bliley Act (GLBA)

Health Insurance Portability and Accountability Act (HIPAA)

Sarbanes-Oxley Act (SOX)

Page 18:

Federal Information Security Management Act

Builds on requirements of:

– Computer Security Act of 1987

– Paperwork Reduction Act of 1995

– Information Technology Management Reform Act of 1996

Provides basic statutory framework for securing Federally owned/operated computer systems.

Covers “non-national security systems”

Page 19:

FISMA

Requires each agency to

– Inventory computer systems,

– Identify and provide appropriate security protections, and

– Develop, document and implement agency-wide information security program

Authorizes National Institute of Standards & Technology (NIST) to develop security standards and guidelines for systems used by federal government.

Page 20:

FISMA (cont.)

Authorizes Secretary of Commerce to decide which standards to promulgate.

Authorizes Director of OMB to oversee development and implementation of standards.

Authorizes Director of OMB to require other agencies to comply with the standards and review each agency’s information security program.

Useful NIST materials available at http://csrc.nist.gov/sec-cert/index.html

Page 21:

What is a “National Security System”?

“Any computer system (including any telecommunications system) used or operated by an agency …

(i) the function of which -

(I) involves intelligence activities;

(II) involves cryptologic activities related to national security;

(III) involves command and control of military forces;

(IV) involves equipment that is an integral part of a weapon or weapons system;

(V) …is critical to the direct fulfillment of military or intelligence missions; or

(ii) is protected at all times by procedures established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.”

Page 22:

What are the rules for National Security Systems?

Specified in National Security Directive (NSD) 42 issued by the President in 1990

NSD 42 allocates various responsibilities to different national security players

– CIA - some intelligence systems

– DOD - military/weapons systems

– NSA - some intelligence systems

Page 23:

Gramm-Leach-Bliley Act

Requires “financial institutions” to protect security and confidentiality of customers’ non-public financial information.

Authorizes various agencies to coordinate development of regulations: Comptroller of the Currency, SEC, FDIC, FTC, etc.

FTC announced final rule implementing GLBA in May 2002.

Page 24:

GLBA (cont)

FTC GLBA regulations:

– Published at 16 CFR 314

– Require “financial institutions” to develop, implement and maintain a comprehensive information security program with appropriate administrative, technical and physical safeguards, including:

Designating an employee to coordinate the program

Performing risk assessments

Performing regular testing and monitoring

A process for making changes in light of test results or changes in circumstances.

Page 25:

So what is a “financial institution” under GLBA?

Under GLBA rule, “financial institutions” generally includes anyone who extends credit to consumers, but also includes debt collection agencies, mortgage lenders, real estate settlement services, and entities that process consumers' non-public personal financial information.

FTC's GLBA rule also regulates non-affiliated third parties (parties that are not financial institutions) by limiting the transfer of non-public personal information they receive from financial institutions.

What’s tricky about GLBA?

– Broad definition of “financial institution” could potentially include array of companies that may not consider themselves as such (e.g., department store that offers lay-away services or manufacturers that offer equipment financing).

– Multiple agencies with authority to issue regulations. Could conflict.

Page 26:

What do you need to do under GLBA?

If GLBA applies to your company:

– Create, implement and maintain an information security program.

– The information security program should have the regular involvement of the Board of Directors (this may be beyond your scope).

– Regularly assess risks.

– Create, document, implement and maintain policies and procedures to manage and control risk, including training, testing and managing/monitoring third party service providers.

– Adjust information security program as necessary based on testing or other changes.

Page 27:

Health Insurance Portability and Accountability Act

Authorizes Secretary of Health and Human Services to adopt standards that require “health plans”, “health care providers” and “health care clearinghouses” to take reasonable and appropriate administrative, technical and physical safeguards to:

– Ensure integrity and confidentiality of individually identifiable health information held or transferred by them;

– Protect against any reasonably anticipated threats, unauthorized use or disclosure; and

– Ensure compliance by officers and employees.

Security regulations published at 45 CFR 164, Subpart C

HIPAA security regulations are much more substantive than GLBA security regulations.

Page 28:

HIPAA Scope & Key Definitions

HIPAA Scope

– Requires health care entities to implement new privacy policies, comply with technical security requirements, provide notice/secure authorizations for a range of uses and disclosures of health information, and enter into written agreements with business partners regarding the ability to share such information

HIPAA Key Definitions

– Protected health information (“PHI”) includes all individually identifiable health information (“IIHI”) in the hands of “covered entities.”

– “Covered Entity” includes the following types: 1) health care plans; 2) health care clearinghouses; and 3) health care providers who electronically transmit health information in connection with certain specified transactions.

– “Business Associates” are any people or entities that perform certain activities or functions on behalf of a Covered Entity that involves the use or disclosure of protected health information (i.e., claims processing, benefit management, etc.).

Page 29:

HIPAA Security Rule - General

Requires CEs to implement unified security approach based on “defense in depth.”

Is technology neutral. CEs select appropriate technology to protect information.

Requires CEs to protect information from both internal and external threats.

Requires CEs to conduct regular, thorough and accurate risk assessments. See http://www.hipaadvisory.com/alert/vol4/number2.htm#four for a detailed discussion of how to conduct a risk analysis.

Page 30:

HIPAA Security Regulations

HIPAA security requirements fall into three categories:

– Administrative Safeguards

– Physical Safeguards

– Technical Safeguards

Each category includes:

– “standards”: WHAT the organization must do; and

– “implementation specifications”: HOW it must be done.

Page 31:

HIPAA Administrative Safeguards

Administrative safeguards require documented policies and procedures for managing:

– Day-to-day operations;

– Conduct and access of workforce members to protected information;

– Selection, development and use of security controls.

Page 32:

HIPAA Administrative Safeguards Standards

Security management process

Overall requirement to implement policies and procedures to prevent, detect, contain, and correct security violations.

Assigned security responsibility

Single individual must be designated as having overall responsibility for the security of CE's protected information.

Workforce security

Policies, procedures, and processes must be developed and implemented that ensure only properly-authorized workforce members have access to protected information.

Information access management

Policies, procedures, and processes must be developed and implemented for authorizing, establishing, and modifying access to protected information.

Security awareness and training

Security awareness and training program for a CE's entire workforce must be developed and implemented.

Page 33:

HIPAA Administrative Safeguards Standards (cont)

Security incident procedures

Policies, procedures, and processes must be developed and implemented for reporting, responding to, and managing security incidents.

Contingency plan

Policies, procedures, and processes must be developed and implemented for responding to a disaster or emergency that damages information systems containing protected information.

Evaluation

CE must perform periodic technical and non-technical evaluations that determine the extent to which CE's security policies, procedures, and processes meet the ongoing requirements of the Security Rule.

Business associate contracts and other arrangements

CE must, when dealing with business associates that create, receive, maintain, or transmit protected information on CE's behalf, develop and implement contracts that ensure the business associate will appropriately safeguard the information.

Page 34:

HIPAA Physical Safeguards

Physical safeguards are intended to protect information systems and protected information from unauthorized physical access.

CE must limit physical access while still permitting authorized physical access.

Page 35:

HIPAA Physical Safeguards (cont)

Facility access controls

Overall requirement to implement policies, procedures, and processes that limit physical access to electronic information systems while ensuring that properly-authorized access is allowed.

Workstation use

Policies and procedures must be developed and implemented that specify appropriate use of workstations and the characteristics of the physical environment of workstations that can access protected information.

Workstation security

CE must implement physical safeguards for all workstations that can access protected information to limit access to only authorized users.

Device and media controls

Policies, procedures, and processes must be developed and implemented for the receipt and removal of hardware and electronic media that contain protected information into and out of a CE, and the movement of those items within a CE.

Page 36:

HIPAA Technical Safeguards

Technical Safeguards are requirements for using technology to control access to protected information

Access control

Policies, procedures, and processes must be developed and implemented for electronic information systems that contain protected information to only allow access to persons or software programs that have appropriate access rights.

Audit controls

Mechanisms must be implemented to record and examine activity in information systems that contain or use protected information.

Integrity

Policies, procedures, and processes must be developed and implemented that protect information from improper modification or destruction.

Page 37:

HIPAA Technical Safeguards (cont)

Person or entity authentication

Policies, procedures, and processes must be developed and implemented that verify persons or entities seeking access to protected information are who or what they claim to be.

Transmission security

Policies, procedures, and processes must be developed and implemented that prevent unauthorized access to protected information that is being transmitted over an electronic communications network (e.g., the Internet).

Page 38:

HIPAA Documentation Requirements

CE must maintain documentation (e.g., policies and procedures) required by HIPAA Security Rule until LATER OF

– 6 years from date of creation; OR

– 6 years from date policy/procedure was last in effect.

CE must regularly review and update documentation.

Page 39:

So what? I don’t work for a health care company!

You might be surprised:

– If your company self-insures, you might work for a health care plan

– Your company could also be a Business Associate of a Covered Entity

Because people have given thought to the process around protecting systems and information, other regulatory frameworks may try to piggyback off of the HIPAA model.

Also, by understanding HIPAA model, you may have a head start on the regulation you might be subjected to in the future, like….

Page 40:

Sarbanes-Oxley

After Enron, Adelphia Communications, MCI/Worldcom (among others) showed there were flaws in current financial reporting requirements, Congress passed SOX.

Purpose of SOX is “To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes.”

Two sections of SOX have impact on information security: Section 302 and Section 404.

Page 41:

Sarbanes-Oxley Sections 302 and 404

Section 302 states that CEO and CFO must personally certify that financial reports are accurate and complete. Must also assess and report on effectiveness of internal controls around financial reporting.

Section 404 states that corporation must assess effectiveness of internal controls and report assessment to SEC. Assessment must also be reviewed by outside auditing firm.

No assessment of internal controls is complete without an understanding of information security. Insecure systems cannot be considered a source of reliable financial information.

Page 42:

Information Security under SOX

SOX created Public Company Accounting Oversight Board (PCAOB) to oversee and guide auditors in assessing SOX compliance.

PCAOB tasked with creating Proposed Auditing Standards.

PCAOB selected control framework developed by Committee of Sponsoring Organizations (COSO) that provides structured guidelines for implementing internal controls.

Page 43:

Information Security under SOX (cont)

As supplement to COSO guidelines, PCAOB selected Information Systems Audit and Control Association (ISACA) Control Objectives for Information and related Technology (COBIT) framework.

IT Governance Institute has used COSO and COBIT frameworks to create specific IT control objectives for SOX.

Public companies with market capitalizations of $75 million or more must be in compliance with Section 404 for their fiscal year ending on or after June 15. Smaller companies have until the fiscal year ending on or after April 15, 2005, to comply.

Page 44:

What do you have to do to comply with SOX?

Comply with requirements of ITGI Framework Topics:

– Security Policy

– Security Standards

– Access and Authentication

– User Account Management

– Network Security

– Monitoring

– Segregation of Duties

– Physical Security

Page 45:

ITGI Security Framework Topics:

Security Policy

– For SOX compliance, policies are key to demonstrating compliance.

– Auditors will look for:

Whether policies exist for appropriate information security topics

Whether policies have been approved at appropriate management levels

Whether policies are communicated effectively to personnel

– See ISO 17799 and SANS Security Policy Project http://www.sans.org.resources/policy

Page 46:

ITGI Security Framework Topics:

Security Standards

– Existence of appropriate security standards is necessary for SOX compliance

– Example of a “security standard” is Windows 2000 benchmark provided by Center for Internet Security, which provides specific guidance for configuring security on a Windows 2000 box.

– Areas for which standards should be specified:

Workstation/Server configuration

Physical security

Network infrastructure administration

System access controls

Data classification and management

Page 47:

ITGI Security Framework Topics:

Security Standards (cont)

Auditors will look for:

Whether standards exist for appropriate technology areas given the nature of your business and your environment

Whether standards have been approved at appropriate management levels

Whether standards are communicated effectively to personnel

Whether standards are followed

Process for exception handling

Process for modification of standards

Page 48:

ITGI Security Framework Topics:

Access and Authentication

– Company must employ methods to validate that only authorized personnel can access system and perform activities within their level of authorization.

– Methods could include:

Two factor

Biometric

Password (provided that passwords are subject to appropriate requirements regarding length, complexity, aging and reuse)

– Company should have clear policies prohibiting password sharing

Page 49:

ITGI Security Framework Topics:

User Account Management

Company should have clearly documented processes regarding creation/modification/removal of user accounts.

– In writing and subject to review and approval;

– Process regarding termination of access for terminated employees, including procedures for IT notification; and

– Regular access privilege review and adjustment.

Page 50:

ITGI Security Framework Topics:

Network Security

– Perimeter security with firewalls and IDS

Internal firewalls could be warranted to segregate sensitive areas of the internal network or wireless access points

– Encryption should be used for sensitive information (SSL in general and PGP (or better) for financial information)

– Anti-virus protection should be installed and regularly updated

– Wireless security requires special assessment and could be segregated from remainder of network.

– Regular penetration testing.

Page 51:

ITGI Security Framework Topics: Monitoring & Segregation

Monitoring

– Policies and procedures should exist to monitor logs and identify incidents.

– Policies and procedures should exist for incident response.

Segregation of Duties

– Separation of duties minimizes opportunity for catastrophic error or fraud.

– Where segregation of duties is not possible, other controls to detect fraud should be implemented.
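The Monitoring bullets above ask for procedures that review logs and identify incidents. As an added example, not code from the presentation or the ITGI framework, here is a small detector run over constructed sshd-style auth log lines: it flags a burst of failed logins from one source and a successful login from a source that had just been failing, both of which are the kind of event an incident-response procedure should be triggered by. The thresholds (5 failures in 60 seconds) and the log format are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed syslog-style sshd line format; the year is not in the line, so it
# is supplied by the caller.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

FAIL_THRESHOLD = 5          # assumed: failures per source within WINDOW
WINDOW = timedelta(seconds=60)


def parse_line(line, year=2004):
    """Return (timestamp, result, user, src) for an sshd auth line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def find_incidents(lines, year=2004):
    """Single pass over the log; returns incident dicts in the order detected."""
    recent_failures = defaultdict(list)   # src -> timestamps of failures in WINDOW
    already_flagged = set()
    incidents = []
    for line in lines:
        rec = parse_line(line, year)
        if rec is None:
            continue                       # not an auth line (e.g. cron)
        ts, result, user, src = rec
        # Drop failures that have aged out of the sliding window.
        recent_failures[src] = [t for t in recent_failures[src] if ts - t <= WINDOW]
        if result == "Failed":
            recent_failures[src].append(ts)
            if len(recent_failures[src]) >= FAIL_THRESHOLD and src not in already_flagged:
                incidents.append({"type": "brute_force", "src": src,
                                  "user": user, "time": ts})
                already_flagged.add(src)
        elif recent_failures[src]:
            # A success right after a run of failures from the same source is
            # worth a human look even if the burst never hit the threshold.
            incidents.append({"type": "success_after_failures", "src": src,
                              "user": user, "time": ts})
    return incidents


# Constructed sample log lines (not from any real host).
LOG_LINES = [
    "Nov 14 10:01:00 web1 sshd[2001]: Failed password for root from 10.0.0.5 port 40001 ssh2",
    "Nov 14 10:01:01 web1 sshd[2001]: Failed password for root from 10.0.0.5 port 40002 ssh2",
    "Nov 14 10:01:02 web1 sshd[2001]: Failed password for invalid user test from 10.0.0.5 port 40003 ssh2",
    "Nov 14 10:01:03 web1 sshd[2001]: Failed password for admin from 10.0.0.5 port 40004 ssh2",
    "Nov 14 10:01:04 web1 sshd[2001]: Failed password for admin from 10.0.0.5 port 40005 ssh2",
    "Nov 14 10:01:05 web1 sshd[2002]: Accepted password for jdoe from 10.0.0.5 port 40006 ssh2",
    "Nov 14 10:30:00 web1 sshd[2101]: Failed password for jdoe from 10.0.0.9 port 41000 ssh2",
    "Nov 14 10:30:04 web1 sshd[2102]: Accepted publickey for jdoe from 10.0.0.20 port 42000 ssh2",
    "Nov 14 10:31:00 web1 cron[300]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for inc in find_incidents(LOG_LINES):
        print(inc["time"].isoformat(), inc["type"], inc["src"], inc["user"])
```

On the sample lines the detector raises two incidents from 10.0.0.5 and nothing for the single failure from 10.0.0.9 or the clean key login from 10.0.0.20; the cron line is ignored because it does not match the auth pattern.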

Page 52:

ITGI Security Framework Topics: Physical Security

– Appropriate physical mechanisms to secure access to facilities and individual hardware should be implemented.

– Controls over access should be developed and implemented. Ability to issue keys, for example, should be controlled, and keys should be accounted for.

Access to facilities and specified areas should be regularly reviewed and modified to reflect changes in responsibilities.

Procedures for recovering/disabling keys or access devices from terminated personnel should be developed and implemented.

Page 53:

Part III

State Information Security “Rules”

Page 54:

California has been leading the way

SB 1386

– Requires notification to California-resident data owners if a security breach discloses (or might have disclosed) certain information that could lead to identity theft.

– Covered information: Name (full name or first initial and last name) connected with social security number; driver’s license number; California Identification Card number; or account number or credit or debit card number along with any required security code, access code, or password that would permit access to an individual’s financial account.

Page 55:

SB 1386 (cont)

Companies are not required to notify customers if the information was stored in encrypted form.

– Some speculation that even something as simple as ROT13 would satisfy this requirement, but don’t bank on it.
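After a breach, the first practical question is which exposed records contain the combinations the slide lists, and whether those fields were stored encrypted. The following is an added example, not part of the presentation, that triages constructed records against a simplified model of the slide's own summary: name plus SSN, driver's license or California ID number, or name plus a financial account number together with a code or password, with each field's encryption status tracked separately. The field names, the per-field encryption flags and the residency check are assumptions, and the element combinations are taken from the slide text above, not the statute.

```python
# Data elements as summarised on the slide; field names are assumptions.
NAME_FIELDS = {"name", "first_initial_last_name"}
STANDALONE_IDS = {"ssn", "drivers_license", "ca_id_card"}
FINANCIAL_IDS = {"account_number", "credit_card", "debit_card"}
FINANCIAL_SECRETS = {"security_code", "access_code", "password"}


def covered_combinations(record, encrypted_fields=frozenset()):
    """Return the covered element combinations present in cleartext.

    record: dict of field -> value; encrypted_fields: fields stored encrypted.
    An empty result means the record holds no covered combination in cleartext
    under this simplified model.
    """
    present = {f for f, v in record.items() if v not in (None, "")}
    cleartext = present - set(encrypted_fields)
    if not cleartext & NAME_FIELDS:
        return []                       # no cleartext name element to connect to
    combos = [f"name + {f}" for f in sorted(cleartext & STANDALONE_IDS)]
    fin = sorted(cleartext & FINANCIAL_IDS)
    sec = sorted(cleartext & FINANCIAL_SECRETS)
    if fin and sec:
        combos.append(f"name + {'/'.join(fin)} with {'/'.join(sec)}")
    return combos


def triage(records):
    """Return {record_id: combinations} for California residents with exposure."""
    result = {}
    for rec_id, record, encrypted in records:
        if record.get("state") != "CA":
            continue                    # slide scope: California residents
        combos = covered_combinations(record, encrypted)
        if combos:
            result[rec_id] = combos
    return result


# Constructed sample records: (id, fields, fields stored encrypted).
# Identifier values are placeholders, not real data.
RECORDS = [
    ("r1", {"name": "A. Resident", "state": "CA", "ssn": "000-00-0000"}, frozenset()),
    ("r2", {"name": "B. Resident", "state": "CA", "ssn": "000-00-0000"}, frozenset({"ssn"})),
    ("r3", {"name": "C. Resident", "state": "CA", "credit_card": "0000000000000000"}, frozenset()),
    ("r4", {"name": "D. Resident", "state": "CA", "account_number": "0000",
            "password": "hunter2"}, frozenset()),
    ("r5", {"name": "E. Visitor", "state": "NV", "ssn": "000-00-0000"}, frozenset()),
    ("r6", {"name": "F. Resident", "state": "CA", "ssn": "000-00-0000",
            "drivers_license": "X0000000"}, frozenset({"name"})),
]

if __name__ == "__main__":
    for rec_id, combos in triage(RECORDS).items():
        print(rec_id, combos)
```

On the sample set only r1 and r4 come back: r2 has the SSN encrypted, r3 has a card number with no code or password, r5 is not a California resident, and r6 has the name itself encrypted, so under this model nothing is connected to an identifiable person. Tracking encryption per field is the point; a record is not "encrypted" just because one column is.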

Page 56:

AB 1950

On Sept. 29, California enacted AB 1950, which requires a business that:

– Stores personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect it from unauthorized access, destruction, modification, use or disclosure.

– Discloses personal information about a California resident to a third party as part of a contract to require the third party to implement and maintain the same reasonable security procedures and practices appropriate to the nature of the information to protect it from unauthorized access, destruction, modification, use or disclosure.

Page 57:

My organization isn’t in California, why should I care?

Because SB 1386 applies to any person or organization that conducts business in California and stores personal information about California residents on a computer system.

Because AB 1950 applies to any business that “owns or licenses” personal information about a California resident, and any company that contracts to receive personal information about a California resident.

Page 58:

Part IV

Enforcement

Page 59:

FTC has started enforcing security “promises”

FTC Actions Regarding Security:

Eli Lilly

Disclosure of email addresses of Prozac prescription holders

Microsoft

Overpromising regarding security of MS Passport service

Guess, Inc.

Promising security of information while remaining vulnerable to common attacks

Page 60:

FTC is creating a standard

FTC and other bodies are creating a de facto “reasonableness” standard with regard to security.

COBIT, ISO 17799, NIST standards may become the default standards for a “reasonable” company.

So what?

Page 61:

You’ve been cracked…And now you’re sued.

US law requires people to behave “reasonably”.

If you don’t behave reasonably and someone is harmed because of it, you may be liable for negligence.

So…If your systems get cracked, and the cracker uses your boxes to launch an attack on someone else, that victim may try to sue you for negligently configuring your systems so that the cracker could get in.

Page 62:

You’ve been sued…And you might lose.

If you cannot show that you were “reasonable” - which may be defined as having complied with COBIT/NIST/ISO 17799 - a court may decide that you were negligent and your company is liable for the damages of the downstream victim(s).

This hasn’t happened, yet, but many people think it’s coming.

Page 63:

Part V

Conclusion

Page 64:

Conclusion

Whether you like it or not, some form of regulatory requirement for information security is coming your way.

– It may be GLBA, HIPAA, SOX, a State regulation or some combination (which may not be consistent)

Get familiar with COBIT, the NIST guidelines and ISO 17799 and begin planning for compliance if you haven’t already done so.

Understand how laws and regulations are created. You have a voice and the people writing the laws are not technically savvy.