How Much Do I Need To Do to Comply? Vice president SystemExperts Corporation

Transcription

1 How Much Do I Need To Do to Comply? Richard E. Mackey, Jr. Vice president SystemExperts Corporation

2 Agenda Background Requirements and you Risk language Risk Factors Assessing risk Program elements and degrees Summary

3 Background The law requires a written information security program The law requires general controls that all companies should already have in place General security policy Regular maintenance of program Identity and access management It also requires specific technical controls that are not present in most regulations Encryption Vulnerability management Firewalls Consistent with HIPAA, GLB, and the Payment Card Data,, y Security Standard (PCIDSS)

4 Requirements Establishing a living security program Risk assessment Partner management Formal identity and access management Incident response and follow up Encryption Configuration management Vulnerability Management

5 Do All The Requirements Apply to Me? The safe answer is: YES The real answer is: It depends on the risk associated with your business and your ability to implement controls The procedural and administrative i ti aspects of the regulations are hard to avoid The complexity of your program should fit your organization s risk profile Some technical requirements may be modulated to fit your capabilities In any event, you will need a written program and you will need to assess your risk

6 Purpose The objectives of this regulation are to insure the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer.

7 Program Factors Program must be appropriate to (a) the size, scope and type of business of the person obligated to safeguard the personal information (b) the amount of resources available to such person (c) the amount of stored data (d) the need for security and confidentiality of both consumer and employee information. Program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated.

8 FAQ The regulation adopts a risk-based approach to information security. A risk-based approach is one that is designed to be flexible while directing businesses to establish a written security program that takes into account the particular business's size, scope of business, amount of resources and the need for security. For example, if you only have employee data with a small number of employees, you should lock your files in a storage cabinet and lock the door to that room. You should permit access to only those who require it for official duties. Conversely, if you have both employee and customer data containing personal information, then your security approach would be more stringent. If you have a large volume of customer data containing personal information, then your approach would be even more stringent.

9 How You Decide How To Implement Controls The appropriate level of control depends on risk You need to assess your risk to determine the degree to which you must implement controls HIPAA, Red Flag Rules, and PCI all require risk analysis How do we assess risk?

10 Assessing Inherent Risk The type and quantity of protected assets Value Attractiveness Volume Authorized users These factors are directly proportional to risk

11 Residual Risk Assessment Preventive controls and effectiveness Look specifically at required controls in 201 CMR 17 and your implementation Detective controls and effectiveness Attackers - who Attack vectors - how Knowledge availability - complexity Technical skills required to perpetrate attack

12 Assessment Results Risk is the product of inherent risk and likelihood The conclusion of your risk assessment is a measure of the effectiveness of your controls If you can achieve the regulation s intent without all the specified controls, document your conclusion This will can serve as one justification for a missing or limited control The other factor is feasibility

13 Feasibility Technical infeasibility can be an acceptable justification for not implementing a specified control The FAQ mentions Encryption of devices Encryption of backups Other areas that might be affected Monitoring and log review Depth of partner practice assessment

14 Size and Scope Smaller businesses require less stringent controls Assumptions: Less data Less attractive target Fewer possible attackers

15 Rules of Thumb Let data dictate your path More valuable data requires stricter control Name, address, SSNs, payment cards, driver s licenses, bank account numbers Greater volume requires more control Employees, customers, other organizations data Greater accessibility requires stronger controls Accessible to multiple organizations, large numbers of users, from the Internet The more risk the more the controls must be The more risk, the more the controls must be implemented in full

16 Risk Management You need to document a method similar to the one described earlier Your method needs to be repeatable Smaller, simpler environments should document a simple process of considering how data might be compromised and the effectiveness of controls More complex and higher risk environments should model risk management on NIST standards or OCTAVE Document results of risk assessments (critical for audit)

17 Partner Management If your share data with partners or allow outsiders access, you must implement a program to assess their practices At minimum, look for a description of their practices and statement that they implement the required controls Document your assessment Review risk and partner practices annually Establish contracts requiring controls / compliance Write this up as policy

18 Identity & Access Management Smaller organizations should have an easier time with this requirement Establish a policy that specifies that only a small set of people are allowed access to the data Larger companies will need to have a formal access granting process with regular recertification of access Everyone needs to have a well defined process for removing rights upon termination Use technical controls to enforce access control (unique logins, permissions, strong passwords) Log access

19 Incident Management Everyone needs a procedure Simpler environments may have a simple policy establishing a point of contact, a procedure for investigation, notification, and post incident review Eventually, all incident management policies and procedures should include Forms for reporting A decision tree for matching response to severity A contact list for communication External contacts for security expertise and law enforcement Requirements for post incident root cause analysis and remediation

20 Training and Awareness Distribute your policy and get acknowledgement Ensure that employees understand their responsibilities This may only be the subset with access Establish a disciplinary process Train employees what needs to be done in case of a suspected breach Re-enforce the need for physical controls (locks, paper) Make sure employees understand portable device and encryption requirements

21 Vulnerability Management The complexity of vulnerability management depends on the complexity of your environment The simplest policy makes statements about monitoring vulnerabilities, virus detection, and patch management More complex environments would require Network management Application vulnerability management Configuration management Testing

22 Encryption Encrypt your data on public networks Use WPA2 on wireless networks Avoid data on portable devices if you can Use file system encryption on laptops Encrypt your backups if you can Write down your policies Make sure your employees know your policies

23 Summary Your approach needs to match your risk Write up your policy For small organizations with only employee data, it could be as short as a few pages For larger organizations, a full program makes sense At the risk of overkill, you can look to PCI DSS for recommendations of practice The key to doing a good job is to establish a minimum program with periodic checks and refinement over time Your best cost control is isolation and data elimination Establish security first, compliance second