WHITE PAPER: IT COMPLIANCE. Compliance Field Guide. Symantec Control Compliance Suite


Contents

Reducing the Cost of IT Compliance in an Increasingly Regulated World ... 3
Symantec Control Compliance Suite: the Choice of Market Leaders ... 5
The Six Best Practices of Highly Successful Companies ... 7
FISMA
GLBA
HIPAA
JOINT COMMISSION
PCI DSS
SOX
State Data Privacy Laws
COBIT
ISO 27002:2005 (formerly ISO 17799)
ISO 27799:
ISO 27789:
ITIL (Information Technology Infrastructure Library)
NIST SP (National Institute of Standards Special Publication Resource Guide for Implementing HIPAA) ... 30

Reducing the Cost of IT Compliance in an Increasingly Regulated World

In the last few years alone, IT Compliance has become a critical business function that can significantly affect an organization's growth and bottom line. The reason? An ever-expanding regulatory landscape whose complexity is straining already tapped IT Compliance organizations and accelerating external audit fees. In a recent IT Policy Compliance Group survey, 70 percent of the respondents reported being subject to multiple regulatory compliance mandates.

Factors Driving Compliance Costs Higher

Recently, the IT Policy Compliance Group estimated that, on average, 34 percent of IT resources are being spent on meeting multiple regulatory compliance demands. As more organizations struggle to address these mandates, the cost of compliance and audits continues to climb.
- Regulations are commonly revised or added, a trend accelerating under the current administration.
- Regulations often are not prescriptive, costing additional resources to interpret rules or create one-off policies.
- Many organizations continue to address compliance through a collection of manual processes and loosely integrated technologies. This further strains limited security and IT resources, and prevents a proactive security posture.
- Different groups in separate departments often duplicate efforts by meeting the demands of the same controls.
- The heterogeneous nature of the corporate network creates a ripple effect that complicates the process of establishing, maintaining, and auditing controls.
- Mergers and acquisitions result in additional entitlements and controls and a larger regulatory footprint for the surviving entity.

Addressing Risk in IT

Simply put, IT risk is business risk. Audit failures, security threats, data loss incidents, and system outages all represent potential risk scenarios for the business, each with consequences that range from fines and remediation costs to reputation damage and revenue loss. In addition, every large company comprises multiple, heterogeneous environments, making it extremely difficult to centrally view, analyze, and report on compliance risks. To prioritize compliance efforts and get better alignment with the business, companies must take a risk-based approach. They must be able to:
- View and assess risk for policies, technical controls, required procedures, and IT assets across all platforms and business units throughout the enterprise.
- Normalize risk calculations across multiple technical controls.
- Combine risk assessments for both technical controls and manual procedures.
- Prioritize remediation to address top priority risks.

The Financial Benefits of Risk-Based Performance Budgeting

Risk-based performance budgeting for information security and audit in IT establishes shared goals and objectives for delivering better results. According to the IT Compliance Institute, the financial exposure due to the loss or theft of customer data and business downtime depends almost entirely on the types of compliance and audit practices that IT implements to manage these risks. Further, such practices impact both the magnitude and frequency of financial loss.
- Best-in-class firms experience the lowest and most infrequent financial losses.
- Normative performing organizations experience higher financial losses.
- Firms operating at the worst levels experience the highest and most frequent financial losses.

Organizations that have implemented best practices in information security and audit enjoy, on average, 52% annual reductions in audit expenses, and 38% annual reductions in overall spend (i.e., audit expenses + security). Whereas most other organizations are not spending enough on the correct practices, and are not receiving benefits from the money they do spend, the best performers have aligned spending with practices that are delivering results.

Symantec Control Compliance Suite: the Choice of Market Leaders

Symantec Control Compliance Suite (CCS) is proven at some of the world's most demanding companies in a range of industries:
- 9 of the top 10 commercial banks
- 8 of the top 10 health care providers
- 6 of the top 10 energy companies

Symantec Control Compliance Suite: An Integrated, Automated Approach

The Symantec Control Compliance Suite Platform is an integrated solution that offers regulatory content, risk-based reporting, and process automation of all policies, standards, and controls required to manage IT governance, risk, and compliance on a global enterprise scale. These capabilities are delivered via four product modules:
- Policy Manager
- Standards Manager
- Response Assessment Manager
- Vulnerability Manager

The Control Compliance Suite's unique Control Rationalization Framework dramatically reduces the IT operations and security resources required to satisfy internal policies and multiple mandates. The framework contains more than 2,000 control statements that have been interpreted from volumes of regulatory authority documents. This adaptable library of control statements is then linked to processes that automate the task of gathering evidence from technical and procedural controls. Control Compliance Suite also includes over 200 customizable sample policies, policy templates, questionnaires and technical standards covering over 60 regulations, frameworks and best practices. This content is automatically updated on a quarterly basis, as regulations change, ensuring customers have the most relevant and up-to-date regulatory and technical content. By providing these technologies in a single solution, Control Compliance Suite helps companies prioritize IT risk, automate compliance processes, and eliminate redundancies for bottom-line savings.

How Control Compliance Suite Helps Companies Reduce Cost and Risk, and Improve Results

Symantec CCS enables organizations to automate all phases of IT Governance, Risk, and Compliance (IT GRC). With Symantec, companies can prioritize IT risk, automate compliance processes, and eliminate redundancies for bottom-line savings.

Symantec's CCS Control Rationalization Framework, 2,000 control statements mapped to thousands of technical and procedural controls and linked to customizable policies, is key to helping organizations drive down compliance costs and risk. For example, one control statement, "Secure your network from external attacks," may apply to GLBA, HIPAA, PCI DSS, and SOX. CCS links this control statement to relevant procedural and technical activities, from monitoring hand scanner access to a data center, to auditing server patch logs, to gathering attestation that a newly terminated employee has turned in his security badge. Companies subject to multiple regulations need only report on these associated activities once, but they can apply their findings across each relevant regulation. Further, organizations that run these types of reports more frequently identify and remediate potential compliance violations proactively. This is why companies with the most frequent reporting and assessment experience fewer incidents that require IT intervention to pass audit.

Control Compliance Suite supports efforts to practice more cost-effective compliance. By taking a holistic, automated approach to managing your compliance processes with Symantec CCS, you can effectively address three key challenges:
- To gain visibility and control over your IT risk posture, the Symantec solution allows you to automatically gather information from multiple sources, identify threats to critical assets and information, prioritize deficiencies based on risk and trigger workflows for rapid remediation.
- To support compliance for multiple mandates, Symantec Control Compliance Suite provides up-to-date content on standards and regulations, and then lets you de-duplicate common controls to eliminate redundant efforts and deliver the right information to the right people through Web-based, dynamic dashboards.
- To help you cut the cost of compliance, Control Compliance Suite enables you to automate costly and error-prone manual compliance assessment processes, facilitate more frequent assessments and evaluate all of your operating systems, databases and key applications with one powerful tool that covers the breadth of your environment.
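The two ideas above (assess once, report under every mapped regulation; and normalize technical and procedural evidence onto one risk scale so remediation can be prioritized, as listed under "Addressing Risk in IT") can be shown in a few dozen lines. The following is an added example written for this guide, not Symantec code and not the CCS data model; the control statement ids, check names, pass counts, questionnaire answers and the weighting formula are all constructed for illustration.

```python
"""Control rationalization with a normalized risk roll-up (added example).

Each control statement maps to several regulations. Its technical and
procedural evidence is gathered once, normalized to a 0..1 risk score,
and that single result is reported under every mapped regulation.
"""
from dataclasses import dataclass


@dataclass
class TechnicalCheck:
    name: str
    passed: int          # assets that satisfy the check
    total: int           # assets evaluated
    weight: float = 1.0

    def risk(self) -> float:
        # share of assets failing: 0.0 when all pass, 1.0 when all fail
        return 0.0 if self.total == 0 else 1.0 - self.passed / self.total


@dataclass
class ProceduralCheck:
    question: str
    answer: str          # "yes", "partial" or "no" from a questionnaire
    weight: float = 1.0

    def risk(self) -> float:
        # manual attestation mapped onto the same 0..1 scale
        return {"yes": 0.0, "partial": 0.5, "no": 1.0}[self.answer]


@dataclass
class ControlStatement:
    ident: str
    text: str
    regulations: frozenset
    checks: list
    criticality: int     # 1 (low) .. 5 (critical), assigned by the leadership team

    def risk_score(self) -> float:
        # weighted mean of normalized check risks, scaled by criticality, so
        # technical and procedural evidence land on one comparable number
        total_w = sum(c.weight for c in self.checks)
        mean = sum(c.weight * c.risk() for c in self.checks) / total_w
        return mean * self.criticality / 5


# Constructed sample library (hypothetical ids, counts and answers).
CONTROLS = [
    ControlStatement("NET-01", "Secure your network from external attacks",
        frozenset({"GLBA", "HIPAA", "PCI DSS", "SOX"}),
        [TechnicalCheck("firewall baseline applied", 36, 40, weight=2.0),
         TechnicalCheck("server patch log audited", 30, 40),
         ProceduralCheck("Are data-center hand-scanner logs reviewed weekly?", "partial")],
        criticality=5),
    ControlStatement("ACC-02", "Revoke access of terminated employees",
        frozenset({"HIPAA", "SOX"}),
        [TechnicalCheck("leaver accounts disabled in the directory", 18, 20),
         ProceduralCheck("Did the leaver return the security badge?", "no")],
        criticality=4),
]


def assess(controls):
    """Evaluate each control statement exactly once."""
    return {c.ident: c.risk_score() for c in controls}


def report_by_regulation(controls, scores):
    """Reuse the single assessment under every regulation the statement maps to."""
    report = {}
    for c in controls:
        for reg in c.regulations:
            report.setdefault(reg, []).append((c.ident, scores[c.ident]))
    for reg in report:
        report[reg].sort(key=lambda item: item[1], reverse=True)
    return report


def prioritize(scores):
    """Highest normalized risk first: the remediation queue."""
    return [ident for ident, _ in sorted(scores.items(), key=lambda kv: kv[1], reverse=True)]


def dedup_savings(controls):
    """Assessments actually run vs. one per regulation without rationalization."""
    unique = len(controls)
    naive = sum(len(c.regulations) for c in controls)
    return unique, naive


if __name__ == "__main__":
    scores = assess(CONTROLS)
    for reg, rows in sorted(report_by_regulation(CONTROLS, scores).items()):
        print(reg, [(i, round(s, 3)) for i, s in rows])
    print("remediation order:", prioritize(scores))
    print("assessments run vs. naive:", dedup_savings(CONTROLS))
```

With the constructed data, NET-01 scores about 0.24 and ACC-02 about 0.44, so the badge and leaver-account gap is queued first even though it maps to fewer regulations; two assessments serve six regulation-to-control reporting lines.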

Six Best Practices of Highly Successful Companies

Look at the organizations with the best recent track record of compliance and audit. These companies:
- Have the lowest amount of system downtime due to IT failure.
- Experience the fewest data breaches and data loss.
- Incur the fewest problems with regulatory compliance deficiencies that must be corrected with IT in order to pass audit.

These companies share a similar approach to their regulatory challenges:
1. Form a senior leadership team to drive the compliance initiative.
2. Take key actions to improve results.
3. Assess and report continuously.
4. Focus on specific technical security and user account controls.
5. Report comprehensively.
6. Manage the information security budget to manage business risk.

Automating the compliance process is critical. Without automation, many of these practices would not be possible. Automation enables these organizations to monitor and report their positions frequently and cost-effectively. It also virtually eliminates the ad hoc rush of error-prone manual procedures typically involved in preparing for an audit.

1. Form a Senior Leadership Team to Drive the Compliance Initiative

Identifying needs, selecting a solution, and assessing program effectiveness require input from technical, executive, and business stakeholders. If they are disconnected, they may waste resources on duplicate or insufficient compliance tools and processes. Successful companies create a senior leadership team, which includes the CISO, IT, CIO, legal counsel, and representatives of relevant business units and physical plant security. They identify the business information that is the object of regulatory requirements, and evaluate the business risk of non-compliance. The team also ascertains the IT procedures and technical controls required to manage such risk, meet regulatory and compliance reporting requirements, and keep core business operations running smoothly.

2. Take Key Actions to Improve Results

Companies that take a reactive approach to compliance, that is, they gather data only to prepare for a scheduled audit, experience more data breaches, greater system downtime due to IT failure, and more compliance deficiencies found on audit. Proactive companies have learned to prioritize risks, improve controls, and automate the procedures and collection of IT audit data, all on their own timeline. Taking these actions can virtually eliminate the fire drill of one-off audit preparation, while also significantly decreasing the number of deficiencies an audit may uncover.

3. Assess and Report Continuously

It is more cost-effective to monitor and measure risk management controls constantly, rather than only in advance of scheduled audits. This enables companies to fix issues before they are uncovered on audit. Successful companies measure the effectiveness of their controls weekly, and assess business and financial risks bi-monthly. This reporting framework has been demonstrated to be most effective at managing the business and financial risk profile.

4. Focus on Specific Technical Security and User Account Controls

Compliance violations often occur around issues involving Active Directory controls; access control lists; storage and backup controls; and IT change management. For example, a single weak password on one server could cause an organization to fall out of compliance. Companies that have failed to automate controls in these areas have historically demonstrated reduced compliance and incurred a greater cost of audit. Successful organizations make it a priority to identify what controls are needed around technical security and user authorization accounts, and monitor and measure these controls automatically and regularly.

5. Report Comprehensively

Compliance stakeholders may come from many different areas of the organization, yet each may receive the same bi-monthly or quarterly report. Stakeholders require customizable reports to understand what's working, identify the factors that could lead to a problem, and take steps to avoid that problem in the future. Organizations that have demonstrated the most successful compliance efforts deliver a wide range of customized reports appropriate to each audience. These may cover:
- Real-time events that relate to information security controls, related IT security tests, and audit controls.
- Operational service levels that help IT understand where gaps in compliance may be occurring in order to prioritize accordingly.
- Financial and business impact statements that go to the CIO and the executive leadership team, office of legal counsel, and business unit owners.
- The effectiveness of change management controls on legal and regulatory compliance, within the context of past audits.
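Best practice 4 above calls for user-account and password-policy controls to be measured automatically rather than by hand before an audit. The following added example (written for this guide, not Symantec code and not a CCS standard) shows the shape of such a check: a small assessment standard is applied to a constructed directory export and to constructed per-server password-policy settings, and every deviation becomes a finding tagged with the control it violates. The threshold values, account names and host names are all made up for illustration.

```python
"""Automated user-account and password-policy control checks (added example).

Runs a constructed standard over constructed account and server data and
emits one finding per control deviation, so the control's state can be
measured on a schedule instead of assembled by hand before an audit.
"""
from dataclasses import dataclass

# Constructed assessment standard (illustrative values, not CCS content).
STANDARD = {
    "max_pwd_age_days": 90,       # passwords must rotate at least every 90 days
    "dormant_days": 45,           # accounts unused this long must be disabled
    "min_pwd_length": 12,         # local password policy minimum length
    "lockout_threshold_max": 10,  # 0 means "never lock out", which fails
}

# Constructed directory export; a real run would read this from the directory.
ACCOUNTS = [
    {"name": "jdoe", "enabled": True, "pwd_age_days": 30,
     "pwd_never_expires": False, "days_since_logon": 3, "privileged": False},
    {"name": "svc_backup", "enabled": True, "pwd_age_days": 400,
     "pwd_never_expires": True, "days_since_logon": 1, "privileged": True},
    {"name": "mlee", "enabled": True, "pwd_age_days": 120,
     "pwd_never_expires": False, "days_since_logon": 70, "privileged": False},
    {"name": "old_contractor", "enabled": True, "pwd_age_days": 20,
     "pwd_never_expires": False, "days_since_logon": 200, "privileged": False},
    {"name": "tsmith", "enabled": False, "pwd_age_days": 500,
     "pwd_never_expires": False, "days_since_logon": 300, "privileged": False},
]

# Constructed local password-policy settings collected per server.
SERVER_POLICIES = {
    "fin-db-01": {"min_pwd_length": 8, "lockout_threshold": 0},
    "hr-app-02": {"min_pwd_length": 14, "lockout_threshold": 5},
}


@dataclass(frozen=True)
class Finding:
    control: str   # which control the deviation counts against
    subject: str   # account or host
    detail: str
    severity: str  # privileged accounts are rated high


def check_accounts(accounts, standard=STANDARD):
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue  # disabled accounts are out of scope for these controls
        sev = "high" if a["privileged"] else "medium"
        if a["pwd_never_expires"]:
            findings.append(Finding("password-rotation", a["name"],
                                    "password set to never expire", sev))
        if a["pwd_age_days"] > standard["max_pwd_age_days"]:
            findings.append(Finding("password-rotation", a["name"],
                                    f"password {a['pwd_age_days']} days old", sev))
        if a["days_since_logon"] > standard["dormant_days"]:
            findings.append(Finding("dormant-account", a["name"],
                                    f"no logon for {a['days_since_logon']} days", sev))
    return findings


def check_server_policies(policies, standard=STANDARD):
    findings = []
    for host, p in policies.items():
        if p["min_pwd_length"] < standard["min_pwd_length"]:
            findings.append(Finding("password-policy", host,
                                    f"minimum length {p['min_pwd_length']} below "
                                    f"{standard['min_pwd_length']}", "medium"))
        if p["lockout_threshold"] == 0 or p["lockout_threshold"] > standard["lockout_threshold_max"]:
            findings.append(Finding("account-lockout", host,
                                    f"lockout threshold {p['lockout_threshold']}", "medium"))
    return findings


def summarize(findings):
    """Findings per control, the number a weekly control-effectiveness report tracks."""
    counts = {}
    for f in findings:
        counts[f.control] = counts.get(f.control, 0) + 1
    return counts


def compliance_rate(accounts, findings):
    """Share of in-scope (enabled) accounts with no finding at all."""
    in_scope = [a["name"] for a in accounts if a["enabled"]]
    flagged = {f.subject for f in findings}
    clean = [n for n in in_scope if n not in flagged]
    return len(clean) / len(in_scope) if in_scope else 1.0


if __name__ == "__main__":
    acct = check_accounts(ACCOUNTS)
    srv = check_server_policies(SERVER_POLICIES)
    for f in acct + srv:
        print(f"[{f.severity}] {f.control}: {f.subject}: {f.detail}")
    print("per control:", summarize(acct + srv))
    print("account compliance rate:", compliance_rate(ACCOUNTS, acct))
```

Run as-is, the check flags the never-expiring, year-old password on the privileged service account as high severity, the two stale or dormant user accounts as medium, and the finance database host whose policy allows 8-character passwords and never locks accounts out, leaving one of four enabled accounts fully clean. Scheduling this against live exports is what turns the "single weak password on one server" scenario from an audit surprise into a tracked metric.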

6. Manage the Information Security Budget to Manage Business Risk

An increase in compliance risk or regulatory footprint may not bring with it an increase in the resources required to manage risk. But by targeting their limited IT resources on the areas of greatest impact, companies can expand coverage or improve operating margin. Successful companies leverage their leadership team to prioritize risk, change select business practices, and re-allocate resources in highly targeted fashion to deliver significant ROI. In fact, returns for incremental spending on improvements that reduce the financial and business risks from the use of IT far surpass the 20% hurdle rates that are typical of the alternative cash investment analysis that Finance usually seeks.

Relevant Compliance Regulations

With one exception, the regulations that follow are external mandates that have been passed by the state or federal legislature. They present requirements that affected companies must follow; failure to comply can result in substantial financial and legal penalties. The one exception is PCI DSS, the Payment Card Industry Data Security Standard, which affects virtually any company storing and/or processing credit card information. While PCI is an industry standard, failure to comply carries with it penalties as severe as or even more severe than those described in some state or federal security regulations.

FISMA

Overview and Implications

In 2002 the Federal Information Security Management Act (FISMA) was signed into law. The primary purpose of FISMA is to provide a comprehensive framework to ensure effective information security controls are in place for all U.S. federal agencies and affiliates. FISMA replaced the Government Information Security Reform Act (GISRA) and the Computer Security Act of 1987 with permanent mandates. FISMA imposes a mandatory set of processes that encompass Federal Information Processing Standards (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems, plus the special publications SP-800 series issued by the National Institute of Standards and Technology (NIST) and other legislation (such as HIPAA) that is pertinent to federal information systems. These processes must be followed by federal agencies or by contractors or other organizations on behalf of such agencies. To comply with FISMA, organizations must:
- Complete periodic risk assessments and regularly test the effectiveness of security policies, procedures, and practices.
- Develop security policies and procedures.
- Take specific actions to mitigate or reduce risks.
- Establish a pre-determined process for remediating security deficiencies as they are discovered.
- Participate in yearly audits and provide a process for reporting security incidents.

In December 2006, NIST released Special Publication Revision 1, Recommended Security Controls for Federal Information Systems. The final draft of this publication was delivered in September 2007, after which federal agencies had 120 days after final publication to comply. NIST issued a draft of Revision 3 of the SP in February 2009, its first major update since initial publication. The public comment period on this draft extended until March 27. In June 2010, NIST released Special Publication A, Revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations.

Industries/Types of Companies Affected: All U.S. federal agencies and their affiliates must comply.

Governing Organization: OMB (Office of Management and Budget).

Who this is Important to: Compliance, Privacy, and Security officials; executive officers of all U.S. federal agencies or organizations that perform contract or other affiliate work for any U.S. federal agency.

Fines and Penalties: There is no fine associated with this framework.

GLBA

Overview and Implications

The Financial Services Modernization Act of 1999, a.k.a. the Gramm-Leach-Bliley Act (GLBA), gives authority to eight federal agencies and the states to administer and enforce the Financial Privacy Rule and the Safeguards Rule. These two regulations apply to financial institutions, which include not only banks, securities firms, and insurance companies, but also companies providing financial products and services to consumers, including lending, brokering or servicing any type of consumer loan, transferring or safeguarding money, preparing individual tax returns, providing financial advice or credit counseling, residential real estate settlement services, collecting consumer debts, and an array of other activities. GLBA was signed into law in November. The Act required financial institutions to have a comprehensive, written information security program in place by July 1. Financial institutions had until July 1, 2003 to comply with the Safeguards Rule, which required proactive steps to ensure the security of customer information. Specifically, GLBA:
- Mandates privacy and protection of customer records.
- Defines non-public personal information (NPPI).
- Creates a uniform standard of notification to consumers about their rights regarding the use of NPPI by financial institutions.
- Requires that banks and other financial institutions enact a board-approved information security policy that supports the privacy program.
- Enables states to enforce existing or even enact new privacy laws.

Specific Rules Relevant to IT Assets

The types of institutions that are regulated by GLBA vary widely, as do the types of agencies charged with overseeing these institutions. As a result, the list of rules that enforce all or portions of GLBA (below) is significant. In most cases each rule applies only to a specific subset of regulated companies:
- Title V
- CFTC (Commodity Futures Trading Commission) 17 CFR Section
- FDIC (Federal Deposit Insurance Commission) 12 CFR Part 364, appendix B
- FRB (Federal Reserve Board) 12 CFR Part 208, appendix D-2, and 12 CFR Part 225, appendix S
- FTC (Federal Trade Commission) 16 CFR Part 314
- NCUA (National Credit Union Association) 12 CFR Part 748, appendices A, B
- OCC (Office of the Comptroller of Currency) 12 CFR Part 30, appendix B
- OTS (Office of Thrift Supervision) 12 CFR Part 570, appendix D
- SEC (Securities and Exchange Commission) 17 CFR Section

Industries/Types of Companies Affected

Financial institutions: banks and bank holding companies, insurance companies, credit unions, etc., as well as auto leasing companies, check cashing services, travel agencies, and retailers who issue credit cards.

Governing Organizations
- Federal Financial Institutions Examinations Council (FFIEC), which includes the Federal Deposit Insurance Commission (FDIC), the Federal Reserve System, and the Office of the Comptroller of Currency (OCC)
- SEC (Securities and Exchange Commission)
- FTC (Federal Trade Commission)
- OTS (Office of Thrift Supervision)
- CFTC (Commodity Futures Trading Commission)
- NCUA (National Credit Union Administration)
- State insurance authorities

Who this is Important to
- CISO
- CFO / Accounting
- Legal
- Director of IT
- Boards of Directors

Fines and Penalties for Individuals
- Officers and directors of the financial institution are subject to, and personally liable for, a civil penalty of not more than $10,000 for each violation.
- Additional fines in accordance with Title 18 of the United States Code or imprisonment for not more than five years, or both.
- Where a violation occurs while violating another Federal law, or as a part of a pattern of any illegal activity involving more than $100,000 within a twelve-month period, the violator will be subject to a fine of up to twice the amount provided in Title 18 and imprisoned for up to ten years, or both.

Fines and Penalties for Financial Institutions
- A civil penalty of not more than $100,000 for each violation.
- Additional sanctions, including the penalties specified in section 8 of the Federal Deposit Insurance Act.
- Termination of FDIC insurance.
- Implementation of Cease and Desist Orders barring policies or practices deemed in violation of the Act's privacy provisions.
- Removal of the financial institution's management, including directors, officers, etc., and potentially barring them permanently from working in the banking industry.
- Fines of up to $1,000,000 for the individual or the lesser of $1,000,000 or 1% of the total assets of the financial institution.
- Alternative fine based on gain or loss: If any person derives pecuniary gain from the offense, or if the offense results in pecuniary loss to a person other than the defendant, the defendant may be fined not more than the greater of twice the gross gain or twice the gross loss, unless imposition of a fine under this subsection would unduly complicate or prolong the sentencing process.

HIPAA Act: Enforcement Rule

Overview and Implications

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandated that further rules be implemented to create standards for the use and dissemination of health care information. The first of these rules, the Privacy Rule, took effect in 2003, and was later refined in the American Recovery and Reinvestment Act. The Privacy Rule requires any organization entrusted with Protected Health Information (PHI) to safeguard this data against deliberate or inadvertent misuse or disclosure. HIPAA applies to both electronic and non-electronic information. Successive HIPAA rules include:
- The Security Rule, which governs the security of electronic protected health information (ePHI)
- The Enforcement Rule, which sets forth civil penalties for violating HIPAA rules
- The Unique Identifiers Rule, which mandates the use of unique identifiers for healthcare providers.

In February 2009, Congress broadened and strengthened HIPAA by enacting the Health Information Technology for Economic and Clinical Health Act (HITECH). HITECH directly regulates certain organizations not heretofore subject to HIPAA fines and penalties. These organizations, or business associates, include vendors that receive, use, maintain, and disclose PHI on behalf of health care providers and health plans. These vendors must comply with HIPAA Security Rule provisions mandating administrative, physical, and technical safeguards. They must adhere to the terms of their business associate agreements, including any restrictions on the use and disclosure of PHI. They must also notify covered entities, as well as any affected individual, of any security breach. Essentially, HITECH is the first national data breach notification law.

To show compliance with HIPAA rules, health organizations must, among other things:
- Ensure the confidentiality, integrity, and availability of all ePHI the covered entity creates, receives, maintains, or transmits.
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
- Ensure compliance by their workforce.

Any unauthorized leak of information that makes any patient identifiable as an individual is a breach of the Privacy Rule. This could include:
- An employee using a peer-to-peer (P2P) file sharing application to download music to his computer. This employee is inadvertently exposing to every user of that file sharing application all patient health information to which he has access that's located on that computer.
- A nurse casually discussing a patient's medical condition with a friend in an instant message session.
- An employee using her web mail account to send a list of patients with diabetes (and their contact information) to a friend working for a pharmaceutical company looking to market a new brand of insulin.

Specific Rule Relevant to CCS

45 CFR, Part 164. This rule provides security standards for the protection of electronic protected health information, and standards for the use of individually identifiable health information in such a way as to maintain privacy.

Industries/Types of Companies Affected
- Health insurance firms
- Claims processing services
- Health care providers, especially hospitals
- Healthcare clearinghouses
- Companies that self-insure and/or administer their own healthcare plans
- Business Associates, i.e., vendors that receive, use, maintain, and disclose protected health information on behalf of health care providers and health plans, such as: technology vendors, practice management companies, transcription services, billing services, attorneys, accountants

Governing Organizations
- Health & Human Services (HHS) Office of Civil Rights (OCR)
- Department Of Justice (DOJ)

Who this is Important to
- Corporate officers, such as the CEO, the CFO, or the CIO
- CISO
- Compliance officers, such as Regulatory Affairs Mgr, Dir., or VP; Compliance Officer; Privacy Officer; Security Officer; or QA Director

Fines and Penalties

The American Recovery and Reinvestment Act of 2009 (ARRA), signed into law on February 17, 2009, established a tiered civil penalty structure for HIPAA violations:

HIPAA violation: Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA
  Minimum penalty: $100 per violation, with an annual maximum of $25,000 for repeat violations
  Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million

HIPAA violation: Due to reasonable cause and not due to willful neglect
  Minimum penalty: $1,000 per violation, with an annual maximum of $100,000 for repeat violations
  Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million

HIPAA violation: Due to willful neglect, but the violation is corrected within the required time period
  Minimum penalty: $10,000 per violation, with an annual maximum of $250,000 for repeat violations
  Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million

HIPAA violation: Due to willful neglect and not corrected
  Minimum penalty: $50,000 per violation, with an annual maximum of $1.5 million
  Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million

Criminal Penalties: A person who knowingly obtains or discloses personally identifiable health information in violation of HIPAA faces a fine of $50,000 and up to one year of imprisonment. The criminal penalties increase to $100,000 and up to five years of imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to ten years of imprisonment if the wrongful conduct involves the intent to sell, transfer, or use this information for commercial advantage, personal gain, or malicious harm. Criminal sanctions will be enforced by the Department of Justice.

In September 2008, the first HIPAA fine was levied: $100,000 against Providence Health Systems, a non-profit hospital system based in Seattle. In February of 2009 the HHS and the FTC fined CVS Caremark (i.e., the CVS pharmacy chain) $2.25 million for failing to safeguard identifying information during disposal. In July 2009, the California Department of Public Health issued an administrative penalty of $187,500 against Kaiser after concluding that the hospital didn't do enough to protect patient health information. These fines suggest the Federal Government as well as local governments will be aggressive about enforcing HIPAA.

JOINT COMMISSION

Overview and Implications

The Joint Commission (formerly JCAHO, the Joint Commission on Accreditation of Healthcare Organizations) is an independent, non-profit organization that establishes standards and accreditation criteria for the healthcare industry. The Joint Commission is the nation's predominant standards-setting and accrediting body in healthcare, evaluating more than 16,000 U.S. healthcare organizations. It is also the accrediting agency for HIPAA, and its accreditation is a requirement for Medicare billing. The Joint Commission was established in 1951 to continuously improve the safety and quality of care provided to the public through the provision of health care accreditation and related services that support performance improvement in health care organizations. The Joint Commission's process evaluates an organization's compliance with select standards and other accreditation or certification requirements. Among the 18 accreditation standards published by the Joint Commission, one standard is focused on Information Management. This standard applies to all types of information managed by the organization, except where the standard limits itself to a defined set of health care information. The Information Management standard includes five core sections:
1. Planning for the Management of Information
2. Protecting the Privacy of Health Information
3. Capturing, Storing and Retrieving Data
4. Knowledge-Based Information
5. Monitoring Data and Health Information Management Processes

Governing Organizations: Joint Commission

Who this is Important to: Privacy Officers and Risk Officers; CISO

Industries/Types of Companies Affected
- General, psychiatric, children's and rehabilitation hospitals
- Critical access hospitals
- Medical equipment services, hospice services, and other home care organizations
- Nursing homes and other long term care facilities
- Behavioral health care organizations, addiction services
- Rehabilitation centers, group practices, office-based surgeries, and other ambulatory care providers
- Independent or freestanding laboratories

PCI DSS

Overview and Implications
The Payment Card Industry (PCI) formed in 2004 to create a common industry security requirement, the Data Security Standard (DSS), acceptable to all cardholder associations, which until that point had been enforcing their own individual security programs. These common standards define how card and cardholder data should be managed and processed to keep it secure, and establish security best practices for networks, systems, and applications. The standards were revised in September 2006 as version 1.1, which limits the type of data companies can store and mandates that companies not store data unless absolutely necessary. Version 1.2, published in October 2008, included explanatory and clarifying enhancements. In October 2010, the PCI Security Standards Council released version 2.0 of the Data Security Standard. The effective date of this version is January 1, 2011, although companies are not forced to validate against version 2.0 until December. Version 2.0 does not introduce any additional requirements, but rather adds clarifying language to facilitate the understanding and adoption of the standard.

PCI DSS consists of 12 basic requirements; violating any one of these requirements will trigger overall PCI non-compliance. To remain in compliance, merchants must:

Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program
- Use and regularly update anti-virus software.
- Develop and maintain secure systems and applications.

Implement Strong Access Control Measures
- Restrict access to data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.

Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.

Maintain an Information Security Policy
- Maintain a policy that addresses information security.

Any violation of any one requirement causes a merchant to become non-PCI compliant. This could include:
- An employee not authorized to see full credit card account numbers is accidentally provided with a logon to an internal application that displays complete cardholder information.
- A quality control manager e-mails to a superior a .wav file of a customer conversation that includes the customer's account number and PIN.
- A merchant scans hard-copy records such as credit card imprints into an unsecured database.

Third-party audits are determined by four levels of merchant transaction volume:

Level 1: Organizations processing over 6,000,000 transactions per year, any merchant that has suffered a hack or an attack that resulted in an account data compromise, or any merchant that any of the card brands determines should meet the Level 1 merchant requirements. Validation requirements include an annual onsite data security assessment and quarterly network scans by PCI-qualified vendors.

Level 2: Organizations processing 1,000,000 to 6,000,000 payment card transactions per year. Validation requirements include an annual self-assessment questionnaire and quarterly network scans.

Level 3: Organizations processing 20,000 to 1,000,000 payment card e-commerce transactions per year. Validation requirements are the same as for Level 2.

Level 4: Organizations processing 20,000 to 1,000,000 payment card e-commerce transactions per year. May be required to conduct quarterly network scans and complete an annual self-assessment questionnaire.

Industries/Types of Companies Affected
Merchants or service providers that accept, capture, store, transmit, or process credit card data.

Governing Organizations
- Payment Card Industry Security Standards Council
- Federal agencies, including the DOJ (Department of Justice) and the FTC (Federal Trade Commission)
- State and local law enforcement agencies

Who this is Important to
- Corporate officers, such as the CEO, the CFO, the CIO, or the CISO
- Compliance officers, such as Regulatory Affairs Mgr, Dir., or VP; Compliance Officer; Privacy Officer; Security Officer; or QA Director
- Legal counsel

Fines and Penalties
Penalties for non-compliance with PCI are discretionary and not made public; estimates range from $100/year to $40M/year depending on industry, company size, and maturity. A rare penalty is restriction or termination of the ability to process credit card transactions. More commonly, organizations are charged an increased transaction fee (the percentage you render back on every card run).

NOTE: Acquirers can pass on penalties to their merchants and service providers through their contractual relationships.

SOX

Overview and Implications
The Sarbanes-Oxley (SOX) Act imposes far-reaching and specific requirements on financial accounting and applies to all firms traded on U.S. securities markets. Though most of this law is focused on the timeliness and accuracy of financial reporting, creating an audit trail to prove that no data has been compromised is also critical for SOX compliance. SOX began phasing in when it was signed into law in July. Section 404, regarding financial and documentation controls, took effect in November. The SEC provided new guidance updates in May 2005 and December 2006 to help companies reduce excessive testing of controls and documentation, so that smaller firms can comply with the law without incurring excessive costs.

Information leaks can force the early disclosure of financial results, which can lead to revenue loss, remediation expense, and non-compliance. The acquisition of proprietary IP by a competitor can also lead to legal exposure and revenue loss. Companies affected by SOX are thus strongly motivated to prevent the disclosure of confidential information, and to be able to prove that no such event occurred.

When the law first took effect, implementing programs for SOX compliance was costly, labor-intensive, and inefficient. Now companies can refer to methodologies such as that laid out in the Guide to the Assessment of IT General Controls Scope Based on Risk (GAIT). GAIT was developed by the Institute of Internal Auditors (IIA), and is intended to help corporate managers and external auditors identify and implement the key controls that need to be monitored and reported on. In addition, companies can leverage proven best practices for SOX compliance. Two examples common among organizations with the fewest IT control deficiencies: shifting spending from consultants and contract labor to automated tools, and automating IT measurements, reporting, controls, change management processes, and IT security policies.

Specific Rule Relevant to CCS
Section 404: Executives must design, implement, maintain, and assess an internal control structure; external auditors must attest to management's assertions.

Industries/Types of Companies Affected
Financial accounting firms are most directly affected, but all publicly traded U.S. companies must comply.

Governing Organizations
SEC (Securities and Exchange Commission)

Who this is Important to
- CISO, CIO
- Corporate officers such as the CEO and CFO (in recognition of their personal accountability)
- Compliance Officers (may also have titles such as Corporate Legal Counsel or Internal Audit Director)

State Data Privacy Laws

Overview and Implications
As of January 2010, forty-six states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring that organizations doing business in these states notify consumers of any security breaches involving unauthorized access to unencrypted computerized Personally Identifiable Information (PII). Massachusetts led the way in 2009 with 201 CMR 17, Standards for The Protection of Personal Information of Residents of the Commonwealth. Laws in some of these states go even further, requiring organizations to proactively protect the customer data in their databases. In nearly all cases, the laws cover any transmission of unencrypted personal information, whether malicious or unwitting, as well as any unauthorized access to and modification or theft of personal information.

The standards for what prompts a mandatory disclosure notice to consumers also vary from state to state. For instance, some states require notification when a detected breach creates a reasonable likelihood of harm to customers; others require notification when a breach is reasonably believed to have caused harm. In most cases the term "reasonable" is also left to the discretion of the company or organization controlling the data.

California's data breach disclosure law, SB 1386, is strict, and has served as the model for many other state laws. SB 1386 requires that companies immediately disclose a data breach to customers, usually in writing. There is also a private right of action, with very few exemptions.

Massachusetts 201 CMR 17 (originally intended to take effect January 31, 2009, but delayed to May 1, 2009) is one of the most wide-ranging. 201 CMR 17 requires all businesses that collect personal data from or about Massachusetts residents to adopt a comprehensive written security program, conduct internal and external security reviews, and complete employee training regarding their programs. More specifically, businesses will be required to encrypt documents sent over the Internet or saved on laptops or flash drives; encrypt wirelessly transmitted data; and deploy up-to-date firewalls to create an electronic gatekeeper between the data and the outside world that allows only authorized users to access or transmit data. In addition, third-party service providers also have to prove they are capable of protecting personal information and are contractually obligated to do so. Finally, the law sets forth minimum technical requirements and controls for computer systems that electronically store or transmit personal information regarding Massachusetts residents.

To ensure compliance in all cases of state laws, companies must map out where they have customers, find the highest common denominator of applicable state laws, and work to comply with those laws. This could entail complying just with the standards of the most stringent state, or compiling a list of the most stringent statutes from multiple applicable states and complying with those. Generally, and at a minimum, this will require companies to:
- Safeguard customer data at the most granular levels.
- Designate one or more employees responsible for security.
- Perform a risk assessment and evaluate the effectiveness of current safeguards for controlling those risks.
- Design and implement safeguards, regularly monitor and test them, and adjust them according to test findings.
- Extend safeguards and data security practices to include any service providers.

Industries/Types of Companies Affected
Companies that compile, trade, or store consumer data in any of the affected states

Governing Organizations
Attorneys General of each individual state

Who This is Important to
- Boards of Directors
- Owner, CEO
- CISO

Relevant Compliance Standards and Frameworks
Guidelines and frameworks are essentially internal mandates. They are generally used to strengthen security practices. Organizations also use them to gain clarity on an external mandate, such as HIPAA or Sarbanes-Oxley. Guidelines and frameworks provide an important roadmap for implementing the infrastructure and tailoring the policies that help companies demonstrate compliance.

COBIT

Overview and Implications
The IT Governance Institute (ITGI) has published version 4.1 of the Control OBjectives for Information and related Technology (COBIT) to help IT organizations comply with increasing regulatory demands and manage risk effectively. COBIT 4.1 is an IT governance framework and supporting toolset that provides good practices across a domain and process framework. The COBIT framework links IT initiatives to business requirements, organizes IT activities into a generally accepted process model, identifies the major IT resources to be leveraged, and defines the management control objectives to be considered. COBIT enables clear policy development and good practice for IT control throughout organizations. COBIT enables managers to bridge the gap between control requirements, technical issues, and business risks. It can make audit work more consistent, facilitate control self-assessments, and generally enhance governance over information technology.

The standardized framework includes tools to measure and assess a company's capabilities in 34 IT processes, addressing many elements of security. Among them are a list of critical success factors that provides best practices for each IT process, maturity models to help in benchmarking, and performance-measurement elements.

COBIT 5.0 is scheduled for release in 2011. COBIT 5 will consolidate and integrate the COBIT 4.1 framework with the Val IT 2.0 and Risk IT frameworks. It will also draw significantly from the Business Model for Information Security (BMIS) and ITA.

Industries/Types of Companies Affected
Cross-industry: every organization that wants to improve its IT controls relevant to improved compliance with regulations such as Sarbanes-Oxley. Also, all companies for whom compliance with this standard is a function of marketing and other business agreements.

Governing Organizations
IT Governance Institute (ITGI). ITGI is a research think tank that exists to be the leading reference on IT-enabled business systems governance for the global business community.

Who this is Important to
- IT, security, and auditing managers
- Senior corporate officers, such as the CEO, the CTO, or the CIO

Fines and Penalties
There is no fine associated with this framework.

ISO 27002:2005 (formerly ISO 17799)

Overview and Implications
ISO 17799 represented the most widespread information security framework available at the time, and many organizations used it as the basis for their information security programs. In July 2005 the International Organization for Standardization (ISO) released a new version of ISO 17799, and in July 2007 it renumbered the standard ISO/IEC 27002:2005 to bring it in line with other ISO/IEC series standards. ISO/IEC 27002:2005 is entitled "Information Technology - Security Techniques - Code of Practice for Information Security Management." It establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined provide general guidance on the commonly accepted goals of information security management. This standard contains best practices of control objectives and controls in the following areas:
- Security policy
- Organization of information security
- Asset management
- Human resources security
- Physical and environmental security
- Communications and operations management
- Access control
- Information systems acquisition, development and maintenance
- Information security incident management
- Business continuity management
- Compliance

ISO/IEC 27002 specifies some 39 control objectives to protect information assets against threats to their confidentiality, integrity, and availability. These control objectives in effect comprise a generic functional requirements specification for an organization's information security management controls architecture. The control objectives and controls in ISO/IEC 27002:2005 are intended to be implemented to meet the requirements identified by a risk assessment. ISO/IEC 27002 is a code of practice: a generic, advisory document, not truly a standard or formal specification. Instead, it is intended as a common basis and practical guideline for developing organizational security standards and effective security management practices, and to help build confidence in inter-organizational activities.

Industries/Types of Companies Affected
Cross-industry. Particularly affects organizations that have adopted ISO/IEC 17799:2000, and companies for whom compliance with this standard is a function of marketing and other business agreements.

Who this is Important to
- Corporate officers, such as the CEO, CFO, CIO, or CISO
- IT and operations managers
- Security team

ISO 27799:2008

Overview and Implications
ISO 27799:2008 is an information security standard developed by the International Organization for Standardization (ISO). Its full title is "Health informatics -- Information Security Management in Health Using ISO/IEC 27002." The purpose of ISO 27799:2008 is to provide guidance to health organizations and other holders of personal health information (PHI) on how to protect such information via implementation of the ISO/IEC 27002 standard. It specifically covers the security management needs in this sector, with respect to the particular nature of the data involved.

ISO 27799:2008 defines guidelines to support the interpretation and implementation in health informatics of ISO/IEC 27002 and is a companion to that standard. It specifies a set of detailed controls for managing health information security and provides health information security best practice guidelines. Healthcare organizations and other custodians of health information that implement this international standard will be able to ensure a minimum requisite level of security that is appropriate to their organization's circumstances and that will maintain the confidentiality, integrity, and availability of personal health information. Adoption of ISO 27799:2008 is anticipated to assist interoperation and better enable the adoption of new collaborative technologies in healthcare delivery.

Industries/Types of Companies Affected
- Healthcare
- Any organization that maintains PHI on premises

Who this is Important to
- Corporate officers, such as the CEO, CFO, CIO, or CISO
- IT and operations managers
- Security team


2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.

2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec. The OCR Auditors are coming - Are you next? What to Expect and How to Prepare On June 10, 2011, the U.S. Department of Health and Human Services Office for Civil Rights ( OCR ) awarded KPMG a $9.2 million

More information

Presented by: Leslie Bender, CIPP General Counsel/CPO The ROI Companies www.theroi.com

Presented by: Leslie Bender, CIPP General Counsel/CPO The ROI Companies www.theroi.com Healthcare Compliance: How HiTECH May Affect Relationships with Business Associates Presented by: Leslie Bender, CIPP General Counsel/CPO The ROI Companies www.theroi.com Legal Disclaimer This information

More information

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various

More information

HIPAA Compliance: Are you prepared for the new regulatory changes?

HIPAA Compliance: Are you prepared for the new regulatory changes? HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed

More information

Compliance Management, made easy

Compliance Management, made easy Compliance Management, made easy LOGPOINT SECURING BUSINESS ASSETS SECURING BUSINESS ASSETS LogPoint 5.1: Protecting your data, intellectual property and your company Log and Compliance Management in one

More information

Governance, Risk, and Compliance (GRC) White Paper

Governance, Risk, and Compliance (GRC) White Paper Governance, Risk, and Compliance (GRC) White Paper Table of Contents: Purpose page 2 Introduction _ page 3 What is GRC _ page 3 GRC Concepts _ page 4 Integrated Approach and Methodology page 4 Diagram:

More information

White Paper Achieving HIPAA Compliance through Security Information Management. White Paper / HIPAA

White Paper Achieving HIPAA Compliance through Security Information Management. White Paper / HIPAA White Paper Achieving HIPAA Compliance through Security Information Management White Paper / HIPAA Contents Executive Summary... 1 Introduction: Brief Overview of HIPAA... 1 The HIPAA Challenge: Protecting

More information

2/9/2012. 2012 HIPAA Privacy and Security Audit Readiness. Table of contents

2/9/2012. 2012 HIPAA Privacy and Security Audit Readiness. Table of contents 2012 HIPAA Privacy and Security Audit Readiness Mark M. Johnson National HIPAA Services Director Table of contents Page Background 2 Regulatory Background and HITECH Impacts 3 Office of Civil Rights (OCR)

More information

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation View the online version at http://us.practicallaw.com/7-523-1520 Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation MELISSA J. KRASNOW, DORSEY & WHITNEY LLP

More information

Josiah Wilkinson Internal Security Assessor. Nationwide

Josiah Wilkinson Internal Security Assessor. Nationwide Josiah Wilkinson Internal Security Assessor Nationwide Payment Card Industry Overview PCI Governance/Enforcement Agenda PCI Data Security Standard Penalties for Non-Compliance Keys to Compliance Challenges

More information

How To Protect Visa Account Information

How To Protect Visa Account Information Account Information Security Merchant Guide At Visa, protecting our cardholders is at the core of everything we do. One of the many reasons people trust our brand is that we make buying and selling safer

More information

Intelligent Vendor Risk Management

Intelligent Vendor Risk Management Intelligent Vendor Risk Management Cliff Baker, Managing Partner, Meditology Services LeeAnn Foltz, JD Compliance Resource Consultant, WoltersKluwer Law & Business Agenda Why it s Needed Regulatory Breach

More information

Top Ten Keys to Gaining Enterprise Configuration Visibility TM WHITEPAPER

Top Ten Keys to Gaining Enterprise Configuration Visibility TM WHITEPAPER Top Ten Keys to Gaining Enterprise Configuration Visibility TM WHITEPAPER Regulatory compliance. Server virtualization. IT Service Management. Business Service Management. Business Continuity planning.

More information

A Websense Research Brief Prevent Data Loss and Comply with Payment Card Industry Data Security Standards

A Websense Research Brief Prevent Data Loss and Comply with Payment Card Industry Data Security Standards A Websense Research Brief Prevent Loss and Comply with Payment Card Industry Security Standards Prevent Loss and Comply with Payment Card Industry Security Standards Standards for Credit Card Security

More information

HIPAA/HITECH Privacy and Security for Long Term Care. Association of Jewish Aging Services 1

HIPAA/HITECH Privacy and Security for Long Term Care. Association of Jewish Aging Services 1 HIPAA/HITECH Privacy and Security for Long Term Care 1 John DiMaggio Chief Executive Officer, Blue Orange Compliance Cliff Mull Partner, Benesch, Healthcare Practice Group About the Presenters John DiMaggio,

More information

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:

More information

CDOs Should Use IT Governance and Risk Compliance Management to Advance Compliance

CDOs Should Use IT Governance and Risk Compliance Management to Advance Compliance Industry Research Publication Date: 1 May 2008 ID Number: G00156708 CDOs Should Use IT Governance and Risk Compliance Management to Advance Compliance Barry Runyon Care delivery organizations (CDOs) are

More information

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview Updated HIPAA Regulations What Optometrists Need to Know Now The U.S. Department of Health & Human Services Office for Civil Rights recently released updated regulations regarding the Health Insurance

More information

REFERENCE 5. White Paper Health Insurance Portability and Accountability Act: Security Standards; Implications for the Healthcare Industry

REFERENCE 5. White Paper Health Insurance Portability and Accountability Act: Security Standards; Implications for the Healthcare Industry REFERENCE 5 White Paper Health Insurance Portability and Accountability Act: Security Standards; Implications for the Healthcare Industry Shannah Koss, Program Manager, IBM Government and Healthcare This

More information

Net Report s PCI DSS Version 1.1 Compliance Suite

Net Report s PCI DSS Version 1.1 Compliance Suite Net Report s PCI DSS Version 1.1 Compliance Suite Real Security Log Management! July 2007 1 Executive Summary The strict requirements of the Payment Card Industry (PCI) Data Security Standard (DSS) are

More information

Auditing your institution's cybersecurity incident/breach response plan. Baker Tilly Virchow Krause, LLP

Auditing your institution's cybersecurity incident/breach response plan. Baker Tilly Virchow Krause, LLP Auditing your institution's cybersecurity incident/breach response plan Objectives > Provide an overview of incident/breach response plans and their intended benefits > Describe regulatory/legal requirements

More information

PCI DSS COMPLIANCE DATA

PCI DSS COMPLIANCE DATA PCI DSS COMPLIANCE DATA AND PROTECTION EagleHeaps FROM CONTENTS Overview... 2 The Basics of PCI DSS... 2 PCI DSS Compliance... 4 The Solution Provider Role (and Accountability).... 4 Concerns and Opportunities

More information

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually

More information

Keeping watch over your best business interests.

Keeping watch over your best business interests. Keeping watch over your best business interests. 0101010 1010101 0101010 1010101 IT Security Services Regulatory Compliance Services IT Audit Services Forensic Services Risk Management Services Attestation

More information

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Note: Information provided to NCRA by Melodi Gates, Associate with Patton Boggs, LLC Privacy and data protection

More information

TNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business

TNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business TAKING OUR CUSTOMERS BUSINESS FORWARD The Cost of Payment Card Data Theft and Your Business Aaron Lego Director of Business Development Presentation Agenda Items we will cover: 1. Background on Payment

More information

Business Associate Management Methodology

Business Associate Management Methodology Methodology auxilioinc.com 844.874.0684 Table of Contents Methodology Overview 3 Use Case 1: Upstream of s I manage business associates 4 System 5 Use Case 2: Eco System of s I manage business associates

More information

AN OVERVIEW OF INFORMATION SECURITY STANDARDS

AN OVERVIEW OF INFORMATION SECURITY STANDARDS AN OVERVIEW OF INFORMATION SECURITY STANDARDS February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced

More information

HIPAA Audits: How to Be Prepared. Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality

HIPAA Audits: How to Be Prepared. Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality HIPAA Audits: How to Be Prepared Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality An Important Reminder For audio, you must use your phone: Step 1: Call (866) 906-0123.

More information

HITRUST CSF Assurance Program

HITRUST CSF Assurance Program HITRUST CSF Assurance Program Simplifying the information protection of healthcare data 1 May 2015 2015 HITRUST LLC, Frisco, TX. All Rights Reserved Table of Contents Background CSF Assurance Program Overview

More information

Preemptive security solutions for healthcare

Preemptive security solutions for healthcare Helping to secure critical healthcare infrastructure from internal and external IT threats, ensuring business continuity and supporting compliance requirements. Preemptive security solutions for healthcare

More information

What is required of a compliant Risk Assessment?

What is required of a compliant Risk Assessment? What is required of a compliant Risk Assessment? ACR 2 Solutions President Jack Kolk discusses the nine elements that the Office of Civil Rights requires Covered Entities perform when conducting a HIPAA

More information

HIPAA Compliance Review Analysis and Summary of Results

HIPAA Compliance Review Analysis and Summary of Results HIPAA Compliance Review Analysis and Summary of Results Centers for Medicare & Medicaid Services (CMS) Office of E-Health Standards and Services (OESS) Reviews 2008 Table of Contents Introduction 1 Risk

More information

6/17/2013 PRESENTED BY: Updates on HIPAA, Data, IT and Security Technology. June 25, 2013

6/17/2013 PRESENTED BY: Updates on HIPAA, Data, IT and Security Technology. June 25, 2013 Updates on HIPAA, Data, IT and Security Technology June 25, 2013 1 The material appearing in this presentation is for informational purposes only and should not be construed as advice of any kind, including,

More information

8 Key Requirements of an IT Governance, Risk and Compliance Solution

8 Key Requirements of an IT Governance, Risk and Compliance Solution 8 Key Requirements of an IT Governance, Risk and Compliance Solution White Paper: IT Compliance 8 Key Requirements of an IT Governance, Risk and Compliance Solution Contents Introduction............................................................................................

More information

HIPAA and HITRUST - FAQ

HIPAA and HITRUST - FAQ A COALFIRE WHITE PAPER HIPAA and HITRUST - FAQ by Andrew Hicks, MBA, CISA, CCM, CRISC, HITRUST CSF Practitioner Director, Healthcare Practice Lead Coalfire February 2013 Introduction Organizations are

More information

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Information Security Policy and Handbook Overview. ITSS Information Security June 2015 Information Security Policy and Handbook Overview ITSS Information Security June 2015 Information Security Policy Control Hierarchy System and Campus Information Security Policies UNT System Information

More information

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008 Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008 What is the PCI DSS? And what do the acronyms CISP, SDP, DSOP and DISC stand for? The PCI DSS is a set of comprehensive requirements

More information

IT Security & Compliance. On Time. On Budget. On Demand.

IT Security & Compliance. On Time. On Budget. On Demand. IT Security & Compliance On Time. On Budget. On Demand. IT Security & Compliance Delivered as a Service For businesses today, managing IT security risk and meeting compliance requirements is paramount

More information

Dartmouth College Merchant Credit Card Policy for Managers and Supervisors

Dartmouth College Merchant Credit Card Policy for Managers and Supervisors Dartmouth College Merchant Credit Card Policy for Managers and Supervisors Mission Statement Dartmouth College requires all departments that process, store or transmit credit card data remain in compliance

More information

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation View the online version at http://us.practicallaw.com/7-523-1520 Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation Melissa J. Krasnow, Dorsey & Whitney LLP

More information

Payment Card Industry Data Security Standard (PCI DSS)

Payment Card Industry Data Security Standard (PCI DSS) Payment Card Industry Data Security Standard (PCI DSS) WARNING: Your company may be in noncompliance with the Payment Card Industry Data Security Standard (PCI DSS), placing it at risk of brand damage,

More information

PCI Compliance. Top 10 Questions & Answers

PCI Compliance. Top 10 Questions & Answers PCI Compliance Top 10 Questions & Answers 1. What is PCI Compliance and PCI DSS? 2. Who needs to follow the PCI Data Security Standard? 3. What happens if I don t comply? 4. What are the basic requirements

More information

An article on PCI Compliance for the Not-For-Profit Sector

An article on PCI Compliance for the Not-For-Profit Sector Level 8, 66 King Street Sydney NSW 2000 Australia Telephone +61 2 9290 4444 or 1300 922 923 An article on PCI Compliance for the Not-For-Profit Sector Page No.1 PCI Compliance for the Not-For-Profit Sector

More information

Security standards PCI-DSS, HIPAA, FISMA, ISO 27001. End Point Corporation, Jon Jensen, 2014-07-11

Security standards PCI-DSS, HIPAA, FISMA, ISO 27001. End Point Corporation, Jon Jensen, 2014-07-11 Security standards PCI-DSS, HIPAA, FISMA, ISO 27001 End Point Corporation, Jon Jensen, 2014-07-11 PCI DSS Payment Card Industry Data Security Standard There are other PCI standards beside DSS but this

More information

Security Controls What Works. Southside Virginia Community College: Security Awareness

Security Controls What Works. Southside Virginia Community College: Security Awareness Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction

More information

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Table of Contents Understanding HIPAA Privacy and Security... 1 What

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

HIPAA Compliance and the Protection of Patient Health Information

HIPAA Compliance and the Protection of Patient Health Information HIPAA Compliance and the Protection of Patient Health Information WHITE PAPER By Swift Systems Inc. April 2015 Swift Systems Inc. 7340 Executive Way, Ste M Frederick MD 21704 1 Contents HIPAA Compliance

More information

HIPAA 101. March 18, 2015 Webinar

HIPAA 101. March 18, 2015 Webinar HIPAA 101 March 18, 2015 Webinar Agenda Acronyms to Know HIPAA Basics What is HIPAA and to whom does it apply? What is protected by HIPAA? Privacy Rule Security Rule HITECH Basics Breaches and Responses

More information

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style. Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style March 27, 2013 www.mcguirewoods.com Introductions Holly Carnell McGuireWoods LLP

More information

University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009

University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009 University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009 Effective Date of this Policy: August 1, 2008 Last Revision: September 1, 2009 Contact for More Information: UDit Internal Auditor

More information

PCI Compliance: How to ensure customer cardholder data is handled with care

PCI Compliance: How to ensure customer cardholder data is handled with care PCI Compliance: How to ensure customer cardholder data is handled with care Choosing a safe payment process for your business Contents Contents 2 Executive Summary 3 PCI compliance and accreditation 4

More information

Data Breach, Electronic Health Records and Healthcare Reform

Data Breach, Electronic Health Records and Healthcare Reform Data Breach, Electronic Health Records and Healthcare Reform (This presentation is for informational purposes only and it is not intended, and should not be relied upon, as legal advice.) Overview of HIPAA

More information

Security Information Lifecycle

Security Information Lifecycle Security Information Lifecycle By Eric Ogren Security Analyst, April 2006 Copyright 2006. The, Inc. All Rights Reserved. Table of Contents Executive Summary...2 Figure 1... 2 The Compliance Climate...4

More information

Introduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide

Introduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide Introduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide by Christopher Wolf Directors, Privacy and Information Management Practice Hogan Lovells US LLP christopher.wolf@hoganlovells.com

More information