An approach to lecture #2
Already we:
Hopefully were prepared
Detected and analyzed
Contained, eradicated?? and recovered
Post mortem analysis
An approach
Do we need to be XXX compliant? What does regulatory compliance mean to unregulated industries?
Industries' treatment of information is often regulated to assure society that protections meet an agreed-upon standard. In such cases, the regulations are published and well known, and expertise is available for interpreting the legal language.
Health Insurance Portability and Privacy Act (HIPAA): 355 pages in the Federal Register
Sarbanes-Oxley: 65 pages
NERC Critical Infrastructure Protection: 31 documents (but read carefully: $1 million / day fining authority)
Simple compliance
The rules are knowable
It's reasonably clear who the rules apply to
As written into law, the rules are usually pretty generic
It's possible to know where you stand
Simple, sort of
Payment Card Industry Data Security Standard (PCI DSS): industry self-regulation, notable failures in ecommerce
FFIEC guidance on Internet banking authentication
Guidance, not regulation, though Internet searches turn up pages which incorrectly refer to the guidance as regulation, because US courts are finding against banks which have not implemented the guidance, citing it as best practice.
In the absence of regulation or authoritative controls, courts and the general population will still judge your actions based on a perception of good or best practices. The fact that there wasn't a law or regulation forcing you to do a good job is often moot. WEP encryption IS a way to encrypt wireless transactions, technically satisfying PCI DSS (at one time), but nobody would have defended TJX security practices as best ~= large fines
What!?!
These range from relatively minor to NERC CIP at $1,000,000 / day / incident, backdated to the start of the non-compliant behavior. Fines are typically assigned directly by the regulating body; no court action required.
Legal: In some cases (some levels of HIPAA violation, for example) non-compliance is criminal.
Penalties include fines as well as potential jail time. Criminal liability is, of course, individual and can be applied to directors, employees and officers of the company.
Most levels include fines. They can also decide not to allow you to accept credit cards anymore.
FFIEC guidance has NO direct effect, but banks are losing in court (sometimes) based on it.
Civil judgments against the bank, based on noncompliance. Other standards may apply in the same way; keeps lawyers busy.
Organizational reputations are at stake. Perception of shoddy infosec standards can cost you customers. Umbrella laws like the Federal Trade Commission's Unfair Practices Act can be used to categorize poor behavior and levy fines in lieu of direct regulation.
Many companies today have limited or no regulatory compliance issues with respect to IT security, but have customers / business partners with such requirements. In these cases, third-party handling of information isn't always spelled out in law or regulation, but in some cases, like HIPAA (Business Associate Agreements), the provisions are explicit.
In cases like HIPAA where third-party agreements are spelled out, it doesn't necessarily make it simpler.
HIPAA is a legal requirement for the covered entity, but the BA agreements are civil. While there is no private right of action against a covered entity (you can't sue them) under HIPAA, the contractual agreement may allow for civil action against third parties. While you cannot contractually indemnify parties with respect to violations of the law (HIPAA violations), you CAN indemnify against contract breach.
Sometimes there are no audit requirements, just penalties for breach or other evidence of noncompliance (e.g. state breach disclosure laws)
Complicated Landscape
46 of 50 states have laws regarding notification in the case of a breach of Personally Identifiable Information (PII). Each of them is different; some are VERY different. Washington State provides a free pass if the breached entity was PCI compliant at the time of the breach. Global companies with information stored in multiple locations throughout the world have to deal with local law and regulation, wherever they may be.
Who's in charge
Break 1
If your customer must comply, they will likely feel that you need to comply as well. EVERYONE tries to spread the liability around. Even if folks aren't spreading it around, sometimes liability spreads through court action. Even without liability or regulatory mandate, being responsible for a breach can be painful.
Business Realities
Sometimes, full compliance without the requirement is a marketing tool. Even though you aren't currently mandated by law, someone in local or federal government is thinking about regulating you; count on it. If a customer has to choose between you and a competitor that is compliant, you lose. MOST government regulations regarding information security and assurance are just good-sense guidelines, and fairly weak at that.
Good Sense
CIPA (Children's Internet Protection Act)
CISP (Visa Cardholder Information Security Program)
PA-DSS (Payment Application Data Security Standard)
PCI DSS (Payment Card Industry Data Security Standard)
Federal Circular A-123
FFIEC authentication in an electronic banking environment guidance
FISMA (Federal Information Security Management Act)
GLBA (Gramm-Leach-Bliley Act)
HIPAA (Health Insurance Portability and Accountability Act)
Sarbanes-Oxley Act of 2002 (Public Company Accounting Reform and Investor Protection Act)
Compliance Costs
Direct costs
New infrastructure (new firewalls, IDS, logging devices)
Additional personnel
Internal audit and compliance (time)
???
Indirect costs
Opportunity costs
Business model restrictions
???
Compliance Benefits
Direct benefit
Marketing material
Sales (based on new marketing)
Customer audit readiness
???
Indirect benefit
Process improvement (CMM-style improvements?)
Risk reduction
???
Break 2
You are the Director of Security (reporting to the CFO) for a HackMeCo subsidiary which HIPAA-covered healthcare providers use to examine medical billings and payments for evidence of fraud. All of their billing information flows through you (but you don't do billing). You aren't collecting this information, so assume that you are not required to adopt PCI (technically, this may not be true, but let's use that as a baseline assumption). You DID have to sign a Business Associate agreement (sample available) to get Protected Health Information (PHI).
Nobody is demanding anything; we are operating, performing the service we advertise. Customers have asked our salespeople if we are PCI compliant. Our salespeople said "Gee, I expect that we are, but I'll ask." The truth is, we are not PCI compliant, nor is there a legal requirement for it. In a short email, we explained this to the salesperson, who then asked why not (and CC'd the CIO and CEO). Not adversarial, just wants a discussion since she sees it as a potential negative.
No legal requirement (remember, PCI is industry based, not legal regulation). Even the Payment Card Industry says we don't have to be compliant. We have billing data from our clients regarding health care billing, which includes HIPAA-protected data as well as credit card info and billing histories. You suspect the salesperson asking for this is the one stealing your lunch out of the fridge.
Our Situation
So far, it's just an email conversation, but the CIO has called for a meeting of the COO, CIO, Director of Marketing, Director of Operations, you and the salesperson to discuss. The CFO (your boss) has asked that you research the topic and present your findings to the meeting with your recommendations. Draft an outline of your presentation to the management team.
Remember, just because you are not forced to comply doesn't mean it's necessarily a bad idea. Weigh the benefits and costs of compliance or lack of compliance. Put a mousetrap in your lunchbox.