Failure to comply: What s the worst that can happen?

Transcription

1 Failure to comply: What s the worst that can happen?

2 Why businesses should automate processes to achieve compliance with state and federal legislation and mitigate risks. In 2013, one of the biggest stories in information security was the Target data breach. Credit and debit card accounts were compromised during a virtual heist of in-store payment systems that affected as many as 110 million customers. In the aftermath, the IT security community weighed in with its views. John Pescatore, Director of SANS Institute, suggested that the breach will have direct financial costs to Target on the order of $2 billion. i According to a Sterne Agee analyst, the cost to replace customer cards will top $550 million, excluding penalties, credit watch expenses, and any lawsuits that may follow. What does it all mean? Well, compliance refers to industry-wide government regulations and rules that govern how data is to be managed and protected. The phrase being compliant refers to meeting and being able to demonstrate that the organization is meeting those regulations. Technology plays an important role in compliance apart from being used to defend the organization against instances of negligence. These words imply expensive audits, lawyers, and ultimately even insurance products and services to address the legal landscape that governs online commerce, contracts and legal responsibility. What is the IT role in compliance? This is a complex question. But in a nutshell, IT has to set out a series of rules built on industry best practices designed to reduce the organization s risk by spelling out the policy, governance, and technical and administrative controls that must be applied to certain types of information. IT generally provides the technical

3 controls to automate the business process and compile the necessary proof of compliance through logging. ii Information systems generate a huge volume of log data, which can be leveraged beyond just proof of compliance. With the right tool in place, such as GFI EventsManager, log file activity can boost security and detect security incidents before they escalate. Automating log file collection and analysis is a National Institute of Standards (NIST) best practice when it comes to protecting your information systems: iii Organizations also may store and analyze certain logs to comply with Federal legislation and regulations, including the Federal Information Security Management Act of 2002 (FISMA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Sarbanes-Oxley Act of 2002 (SOX), the Gramm- Leach-Bliley Act (GLBA), and the Payment Card Industry Data Security Standard (PCI DSS). Organizations of any size gather, process and create information that requires they adhere to any number of state, federal and international standards. For instance, PCI DSS applies to a credit card or debit card account number alone, or with any of the following: Cardholder name Security code Expiration date iv Other types of information must be safeguarded as well, such as personally identifiable information (PII) and protected health information (PHI). PII includes a name together with one or more of the following: Social security number Driver license number Financial account number in combination with any security code, access code, or password PHI is any information that links individuals with their physical or mental health condition such as: Name of individual or relative Telephone numbers Electronic mail ( ) address Social security numbers Medical record numbers Account numbers Health plan beneficiary number Dates such as birth, admission, or discharge Full-face photographic images and any comparable images Any other unique identifying number, characteristic, or code

4 PHI in the United States is subject to HIPAA v. In the U.S., a perceived HIPAA violation can cost you and your organization dearly. Fines upon conviction for a HIPAA violation can range from $100 per record to $50,000 per record and that can add up quickly if you are a company that deals in hundreds or thousands of similar records a year. vi What could happen if a data breach occurs and your organization has demonstrated a cavalier attitude, or lacks documentation proving compliance? In one case, the U.S. Federal Trade Commission (FTC) imposed a $10 million civil penalty against data aggregator ChoicePoint Inc. for a data security breach that compromised nearly 160,000 consumer records in The $10 million penalty is being levied for violations of the Fair Credit Reporting Act (FCRA) because the company failed to implement reasonable procedures for protecting the data. The finding that reasonable procedures were not implemented in this context means that ChoicePoint Inc. did not comply with relevant industry best practices or, at a minimum, could not demonstrate that best practices were implemented. vii Many other pieces of legislation impose specific governance requirements, safeguards, policies and penalties for violations and many of the requirements can only be met by technical controls. In addition to legislation and regulation already mentioned, others include: European Union Data Protection Directive (EUDPD) Personal Data Act Computer Misuse Act Data Protection Act 21 CFR Part 11 BASEL II Various state security breach laws

5 This is a short list of the possible local, national or international rules that might apply to a business and it is ever-expanding as governments play catch-up and try to protect consumers from data leaks. Businesses are advised to consult a subject matter expert in compliance to help determine the organization s requirements and what automated tools are adequate. Determining what legislation might apply is critical. The starting point is to look at the various reasons why your organization accesses customer data and the methods used to do so; and determining when, where and how information relating to customers is being stored. This information is key for taking the discussion to the next phase and making smart choices about automated solutions suitable for compliance. There are thousands of pieces of legislation governing data compliance in the U.S. alone, but these can be narrowed down by asking a few questions such as: In what industry does your organization operate? What types of customers does your organization serve? In what jurisdiction(s) do you conduct business? Second, what are the requirements imposed by the applicable laws and what physical, technical, or organizational changes are required to meet the legislated requirements that your organization must follow? Third, how can compliance with the specified requirements be demonstrated to a third-party auditor? Proof needs to be provided in the form of reports, logs, audit results and documented policies. IT compliance is not just about executing business processes correctly; it s about being able to prove that the business processes have been executed correctly. In this case correctly means that processes were completed as required by the legislation. Automated tools can play a big role in demonstrating compliance with various pieces of legislation. Patch management and vulnerability scanning, monitoring and controlling website access, and collecting and analyzing logs can easily be

6 addressed in part, or in full, by an automated tool. As a defense-in-depth strategy, reducing the attack surface with GFI LanGuard by keeping machines up-to-date, and controlling access to dangerous websites with GFI WebMonitor, is a good start. Both solutions help you to check the boxes on your list of requirements. The GLBA is often overlooked or misunderstood legislation. This happens because organizations don t realize that it applies to them. The GLBA applies to a financial institution which, according to the act, is any organization engaging in financial activities. At this point you may think I m not a bank, so it does not apply to me Not so fast! The GLBA considers your business a financial institution if you do any of the following activities: Providing loans or credit, including receiving application information, and making and servicing such loans Financial advisory services Collecting delinquent loans Check-cashing services Tax planning Holding information from a consumer report Career counseling services for those seeking employment in finance, accounting or auditing Investment advisory services Credit counseling services Tax preparation Sale of money orders, savings bonds or traveler s checks Travel agency services provided in connection with financial services Real estate settlement services Money wiring services Issuing credit cards or long-term payment plans involving interest charges Personal property and real estate appraisals Services provided by a principal, broker or agent with respect to life, health, liability or disability insurance products Providing or issuing annuities viii With this broad scope of activities, many businesses may be shocked to discover they are in fact subject to the requirements of the GLBA. When a business introduces safeguards to protect the security, confidentiality and integrity of customer information,

7 administrative, physical and technical safeguards must be considered: Administrative safeguards are outside the scope of this white paper. However, consideration must be given to the crossover between physical and technical safeguards. The adoption of IP camera systems, card access systems and even heating and air conditioning (HVAC) systems have IT components, if not dedicated IT systems. To protect the physical environment, one must protect the machines that control the physical environment. Failure to diligently protect all the systems, whatever their role in the enterprise, will provide cybercriminals with a foothold into the enterprise. Endpoint security for all the enterprise workstations and portable devices is just as important for compliance purposes as for the servers that store and process the information. As mentioned earlier, the GLBA was introduced in 1999 and digitally based threats to business have become an epidemic since the act s introduction. Complying with the GLBA administratively, physically and technically provides a base level of security, but it s not nearly enough defense against modern malware and talented cybercriminals. In a 2010 document, the SANS Institute identified key IT requirements for compliance with the GLBA. In short, organizations must: Have a written security policy Establish a baseline of risk assessment and conduct a vulnerability scan Monitor and report on access to any files, folders or databases that contain consumer financial information Notify consumers if you believe their information has been compromised Designate a security program coordinator Establish an employee security awareness and training program Create policies for information processing, transmission, storage and disposal (and review and revise for material changes) Have appropriate measures to detect, prevent and respond to attacks and intrusions Provide a procedure for FTC reviews or audits Provide oversight for contracted service provider organizations Obviously performing... a baseline of risk assessment and... vulnerability scan needs to occur regularly and SANS recommends that an automated, continuous assessment capability be implemented. Appropriate measures to detect, prevent, and respond to attacks and intrusions also lends itself to an automated

8 and continuous protection solution. Lastly, preventing the unauthorized disclosure of protected information is impossible to do manually an automated data-loss-prevention solution, and and fax archiving solutions are worth considering. Since the GLBA was first enforced, the financial transaction world has been completely transformed. Tellers on isolated terminals inside a corporate network no longer conduct the majority of financial transactions. Instead, consumers have embraced the Internet for financial transactions; the next frontier is mobile payments and PCI DSS compliance is required on this platform as well. The Gartner Group says, Worldwide mobile payments are growing by about 40 percent a year and predicted to reach $325 billion in i x E-commerce websites or even generic corporate websites might be collecting information about customers, including credit and bank account information to facilitate a transaction. Moreover, if your organization is bound by legislation or industry compliance such as HIPAA, GLBA, PCI DSS, or Sarbanes- Oxley to protect the privacy and security of identifiable personal information, there is the risk of being found non-compliant if hackers gain access to sensitive information. the victim of a breach, a finding of negligence would be unlikely, as you were compliant with a minimum standard of care as defined by the GLBA. Without being compliant, you risk penalties under the GLBA, civil suits attempting to try and prove organizational negligence or lack of due diligence and court-ordered injunctive relief. It can compute to hundreds of thousands of dollars in fines. The penalties for violating the GLBA are quite severe: A financial institution can be fined up to $100,000 for each violation. The officers and directors of the financial institution can be fined up to $10,000 for each violation. Criminal penalties include imprisonment for up to five years, a fine, or both. If the GLBA is violated at the same time that another federal law is violated, or if the GLBA is violated as part of a pattern of any illegal activity involving more than $100,000 within a 12-month period, the violator s fine will be doubled and he or she will be imprisoned for up to 10 years. Running a modern network is a complex and challenging job. Compliance with a minimum legislated standard of care such as GLBA or In the simplest of terms, proof of compliance indicates best efforts of organizational due diligence when safeguarding data that is legislated to be protected. A compelling reason to think of moving towards compliance with the GLBA (or other applicable legislation), and being able to prove your compliance is that it would virtually eliminate a court finding you guilty. Even if your business was

9 PCI DSS could be an opportunity to get your organization thinking about safeguarding your customer s data appropriately. Harder to quantify is the cost to the business as customers lose faith in the organization s ability to provide (willingly or not) basic security measures to protect their sensitive information. Clients will part ways with previously trusted organizations that have shown themselves incapable of meeting the minimum standard of technical security for personal information. And why not? Companies that want to be successful in today s ever-changing world of virtual commerce must be ready to defend themselves against the savvy cybercriminal and guard their customers data with every tool available to comply with industry regulations and standards. i SANS NewsBites Vol. 15 Num.101 ii iii iv v vi vii viii ix NOTE: THIS IS NOT LEGAL ADVICE. It is an opinion of the author and his team, and in no way should it be used, thought about, conceived of, or construed as legal advice. Talk to your lawyer if you have legal issues. Compliance, negligence and liability are complex and intricate topics. It is something to consider and talk to your lawyer about! GFI Software provides many tools to automate processes that help an organization achieve compliance with state and federal legislation. The complex, modern, business network cannot be managed without automated tools which control and mitigate risk. Manual management of risk doesn t work. This white paper highlights the quick wins that GFI EventsManager, GFI LanGuard and GFI WebMonitor can provide to your business. The concise reports, comprehensive feature set and top-notch technical support will allow your business to make the right choices when it comes to compliance audits today and in the future. For more information about GFI s network and security solutions, visit our website: Web security, monitoring and Internet access control Download your FREE 30-day trial LanGuard Network security scanner and patch management Automated network security and patch managment Download your FREE 30-day trial Automated IT Monitoring and Log Data Management Download your FREE 30-day trial

10 GFI 7001 feb14 GFI Software, 4309 Emperor Blvd, Suite 400, Durham, NC 27703, USA Tel: +1 (888) Fax: +1 (919) For a full list of GFI offices/contact details worldwide, please visit: Disclaimer GFI Software. All rights reserved. All product and company names herein may be trademarks of their respective owners. The information and content in this document is provided for informational purposes only and is provided as is with no warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement. GFI Software is not liable for any damages, including any consequential damages, of any kind that may result from the use of this document. The information is obtained from publicly available sources. Though reasonable effort has been made to ensure the accuracy of the data provided, GFI makes no claim, promise or guarantee about the completeness, accuracy, recency or adequacy of information and is not responsible for misprints, out-of-date information, or errors. GFI makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy or completeness of any information contained in this document. If you believe there are any factual errors in this document, please contact us and we will review your concerns as soon as practical.