Agenda
Maturing of Information Technology
Impact of Regulations and Standards
A Compliance Framework
Regulatory and Compliance Initiatives
Developing Policies, Procedures, Standards and Guidelines
Regulatory Bodies
Federal Energy Regulatory Commission
Federal Communications Commission
Surface Transportation Board
National Highway Traffic Safety Administration
Federal Highway Administration
U.S. Consumer Product Safety Commission
Securities and Exchange Commission
Illinois Commerce Commission
And many others
HIPAA: Healthcare
GLBA: Financial Services
Sarbanes-Oxley: Publicly Traded Companies
EU Data Protection: European and US
US Patriot Act: Just about everyone
HIPAA
GLBA
Sarbanes Oxley
CA SB 1386
EU Data Protection
FTC Receives Largest COPPA Civil Penalties to Date in Settlements with Mrs. Fields Cookies and Hershey Foods (February 27, 2003)
Mrs. Fields pays civil penalties of $100,000 and Hershey pays civil penalties of $85,000
Privacy policy states: "Any information you provide to us at this site when you establish or update an account, enter a contest, shop online or request information . . . is maintained in private files on our secure web server and internal systems . . . ."
A Compliance Framework
Regulatory Compliance
compliance n. The act of complying with a wish, request, or demand
Information Security and Data Privacy Legal & Regulatory Compliance Framework (framework diagram; phases and guiding questions recovered from the slide)
INVESTIGATION: Research
VALIDATION: Applicability
IMPLEMENTATION: Design, Development, Deployment
How must the existing information security framework / program be refined to assure legal & regulatory compliance?
Change management: How may longevity of compliance be assured amid an ever-changing legal / regulatory landscape?
Info. sec. & data privacy legal & regulatory business impact assessment
Sustainment
Enforcement
A Framework - Investigation
Need to identify regulations regardless of immediate understanding of their applicability
Data privacy is gigantic and far-reaching, so be cautious
Document the entire process!
A Framework - Validation
Is your organization international?
What about your clients' requirements?
Should the organization adopt compliance categories that are outside of its operational scope?
A Framework - Interpretation
What is the difference between addressable and required?
What effect will legal / regulatory requirements have on the organization, and who will be affected?
Do you really mitigate liability by doing nothing?
A Framework - Implementation
Information Security and Data Privacy Legal & Regulatory Compliance
IMPLEMENTATION: Design, Development, Deployment
How must the existing information security framework / program be refined to assure legal & regulatory compliance?
Change management: How may longevity of compliance be assured amid an ever-changing legal / regulatory landscape?
Sustainment
Enforcement
GLBA (Finance)
Also called the Financial Services Modernization Act of 1999. This act provides limited privacy protections against the sale of your private financial information. Additionally, the GLBA codifies protections against pretexting, the practice of obtaining personal information through false pretenses.
Basel II
Regulatory framework governing risk management practices for financial institutions
Defines minimum capital requirements for adherence and review of public disclosure procedures
May require well-defined business continuity operations
Provides financial institutions a standard methodology to evaluate risk
Eastern Europe: Estonia, Poland, Slovakia, Slovenia, Hungary, Czech Republic, Latvia, Lithuania
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security
Others?
Securities and Exchange Commission (SEC)
Federal, State and Local Requirements
Food and Drug Administration (FDA)
Federal Communications Commission (FCC)
NERC
List of other government agencies:
http://www.lib.lsu.edu/gov/alpha
Standards
Provides specific technical requirements
Procedures
Describes specific operational steps
Should be succinct
Standard
All laptop computers must be secured using the MicroSaver Retractable cable lock (model no. 64149).
Guidelines
It is recommended that you never leave any computer system unattended.
Procedure
As a laptop owner, ensure that a cable lock is received from the resource center. The cable lock may be secured to the laptop by first positioning the eye of the lock into ...
Lifecycle diagram: Design, Deploy, Assessment, Accreditation
Extranet Policy
Third-party access requirements
Develop collaboratively among several business units, not in a vacuum
Develop in such a way that compliance may be evaluated and measured accordingly
Document
Integrate into applicable business units throughout the organization
Incorporate into the organization's knowledge bases, awareness and education programs
Investigation
Establish adequate policy controls and evaluate compliance measures
Human Resources
Couple information protection and job descriptions
You should distinguish by function and familiarity of systems. People are the weakest link and must be educated and trained.
Technology: Key enabler for program execution; ineffective in the absence of people and processes
Information Discovery
How can you find out *things*; where should you look?
Internet Archive (Wayback Machine)
SEC EDGAR Database
US State and Federal Criminal Databases
Corporate or External Search Engine
Patent Databases
Attrition.org Dataloss
Technical Information Leakages (Newsgroups, Leaked Website Information,
Think of system architecture as evaluating the business processes, identifying appropriate technologies and then issuing building permits