Information Systems Security: A General Comparison of FISMA, HIPAA, ISO and PCI-DSS Standards
Leveraging People, Processes, and Technology
A White Paper
Author: Constantine Gikas, Program Manager
11 Canal Center Plaza, Floor 2, Alexandria, VA
Introduction

Information security today is the focus of both the public and private sectors in the U.S. and worldwide. In an effort to protect data and information, private organizations and federal, state and local agencies spend billions of dollars and go to great lengths to protect their digital assets, while at the same time trying to comply with legislation that mandates the implementation of security measures and to produce substantiated evidence of the organization's due diligence in this domain. Congress has passed a number of legislative acts, such as the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act (HIPAA), which prescribe general information assurance and security guidelines that apply to private and Government organizations, and the Federal Information Security Management Act (FISMA), which provides specific and detailed security and assurance guidelines for federal agencies as documented by the National Institute of Standards and Technology (NIST). In the private sector, the more recent Payment Card Industry Data Security Standard (PCI-DSS) and the ISO 27000 series from the International Organization for Standardization (ISO) provide information security and assurance guidelines for private organizations, but public organizations also borrow concepts from both. For example, the European Network and Information Security Agency (ENISA), the body of expertise set up by the European Union to carry out specific technical or scientific tasks in the field of information security, borrows ISO standards and guidelines in fulfilling its mission.

This paper focuses on two legislative acts (FISMA and HIPAA) and on two IT security standards (PCI-DSS and the ISO 27000 series) in an effort to point out gaps and overlaps, and to suggest possible simplifications in the process of implementing them in IT environments. It provides a brief description of all four, a high-level comparison of suggested and/or mandated guidelines that points out gaps and overlaps, and a possible threshold model that could incorporate security settings satisfying requirements from all four.
The Growth of IT Security Practices and Standards

In recent years, information security has received overwhelming publicity as our world becomes increasingly reliant on the electronic exchange of information, and as governments, organizations, and individuals use the Internet to conduct their day-to-day business. An increasing number of hacker attacks, cyber-intrusions, and information losses have resulted in embarrassing incidents for the U.S. federal government and private organizations. In an effort to avoid similar incidents, and to standardize and streamline IT security practices, the Federal Government has passed legislation that mandates government agencies to institute IT security practices, processes, and procedures to protect their IT systems and information. In the private sector, other organizations have taken similar initiatives to prescribe theoretical and practical security measures and standards. This increased impetus has resulted in an overwhelming production of IT security documentation, and in the creation of a very lucrative business niche that caters to the information security needs of government and private organizations. At the same time, these organizations, lost in and intimidated by the voluminous IT security documentation, either struggle to interpret and implement the proposed practices, measures, and standards using their own resources, or hire costly security consultants to protect their IT assets, data, and information, without always producing the desired outcome. There have been multiple reports of hacking incidents in both U.S. government agencies (Department of Defense, U.S. Department of State, Department of Homeland Security, etc.) and the private sector (multiple banks have lost credit card numbers to hackers and have had to re-issue credit cards to customers). These incidents and security breaches reflect the ineffectiveness with which security standards are implemented, and the disproportion between the volume of security standards and their effectiveness.
A Look at FISMA

The Federal Information Security Management Act (FISMA) of 2002 is a U.S. federal law enacted in 2002. The act recognized the importance of information security to the economic and national security interests of the United States. According to FISMA, all federal agencies must develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. FISMA also requires agency program officials, Chief Information Officers, and Inspectors General (IG) to conduct annual reviews of the agency's information security program and report the results to the Office of Management and Budget (OMB). The OMB uses this data as part of its oversight responsibilities and to prepare its annual report to Congress on agency compliance with the Act. FISMA also assigned specific responsibilities to the National Institute of Standards and Technology (NIST) to provide guidelines in the form of Special Publications that prescribe processes and make recommendations to strengthen federal information system security. NIST has published, and continues to publish, a number of Special Publications that cover the entire spectrum of Information Assurance (IA). The following figure provides a high-level overview of the NIST-recommended processes for Information Assurance with a reference to the Special Publications that apply in each phase.

[Figure 1 - FISMA Risk Management Framework: security life cycle of Categorize (FIPS 199), Select (FIPS 200), Supplement, Document, Implement, Assess, Authorize and Monitor, each step annotated with the applicable NIST Special Publication]
A Look at HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted on August 21, 1996. HIPAA requires that the Secretary of HHS publicize standards for the electronic exchange, privacy, and security of health information. These HIPAA provisions are known collectively as the Administrative Simplification provisions. On December 28, 2000, Health and Human Services (HHS) published the final regulation, the Privacy Rule (Standards for Privacy of Individually Identifiable Health Information), to implement the HIPAA requirements. The Privacy Rule standards address the use and disclosure of individuals' health information (protected health information) by organizations subject to the Privacy Rule (covered entities), as well as standards for individuals' privacy rights to understand and control how their health information is used. Within HHS, the Office for Civil Rights (OCR) has responsibility for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties. A major goal of the Privacy Rule is to assure that individuals' health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well-being. The Administrative Simplification provisions of HIPAA also required that HHS establish national standards for the security of electronic health care information. The final rule adopting the HIPAA standards for security was published in the Federal Register on February 20. This final rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality of electronic protected health information. NIST publishes an Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule as a Special Publication (Revision 1).

This Special Publication (SP) discusses security considerations and resources that may provide value when implementing the requirements of the HIPAA Security Rule. NIST's guide maps the HIPAA Security Rule onto the general Information Assurance guidelines that apply to federal systems under FISMA. As such, the Special Publication recommends FIPS 199 as a starting point and follows a trail of other recommended NIST publications that apply to most federal systems. The HIPAA-specific NIST publication narrows the security-oriented focus by examining the controls that safeguard HIPAA-related information based on the Act's provisions, rules, and regulations.
Figure 2 below outlines HIPAA's starting point for information security processes and procedures.

[Figure 2 - NIST Risk Management Framework and Starting Point for HIPAA Information Security. Organizational view (Risk Executive Function) with an architecture description (FEA reference models, segment and solution architectures, mission and business processes, information system boundaries) and organizational inputs (laws, directives and policy guidance; strategic goals and objectives; priorities and resource availability; supply chain considerations). Security life cycle, repeated as necessary: Step 1 Categorize information systems (FIPS 199); Step 2 Select (FIPS 200); Step 3 Implement, producing the Security Plan; Step 4 Assess, producing the Security Assessment Report; Step 5 Authorize information systems, producing the Plan of Actions & Milestones; Step 6 Monitor. Each step references the applicable NIST Special Publication.]
A Look at the Payment Card Industry Data Security Standard (PCI-DSS)

In contrast to the comprehensive NIST recommendations provided to federal agencies within the framework of FISMA, the Payment Card Industry Data Security Standard (PCI-DSS) provides a general set of security requirements, allowing private organizations the flexibility to implement and customize organization-specific security measures to enhance payment account data security. It is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. PCI-DSS uses a practical IT security implementation approach with clear and concise guidelines and self-assessment questionnaires. The standard was developed by the founding payment brands of the PCI Security Standards Council (American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International) to help facilitate the broad adoption of consistent data security measures on a global basis. This comprehensive standard is intended to help organizations proactively protect customer account data. Rather than building on FIPS, PCI-DSS groups twelve high-level security requirements under six security principles, as shown in Figure 3.

Figure 3 - PCI-DSS Principles and Requirements

1. Build and Maintain a Secure Network
   Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
   Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
2. Protect Cardholder Data
   Requirement 3: Protect stored cardholder data.
   Requirement 4: Encrypt transmission of cardholder data across open, public networks.
3. Maintain a Vulnerability Management Program
   Requirement 5: Use and regularly update antivirus software.
   Requirement 6: Develop and maintain secure systems and applications.
4. Implement Strong Access Control Measures
   Requirement 7: Restrict access to cardholder data by business need-to-know.
   Requirement 8: Assign a unique ID to each person with computer access.
   Requirement 9: Restrict physical access to cardholder data.
5. Regularly Monitor and Test Networks
   Requirement 10: Track and monitor all access to network resources and cardholder data.
   Requirement 11: Regularly test security systems and processes.
6. Maintain an Information Security Policy
   Requirement 12: Maintain a policy that addresses information security.
A Look at the ISO 27000 IT Security Series

The ISO 27000 series from the International Organization for Standardization (ISO) includes ISO 27001, 27002, 27003, 27004, 27005 and 27006. ISO 27001 was published in October 2005, essentially replacing the old BS 7799 Part 2 standard. It is the specification for an Information Security Management System (ISMS). BS 7799 itself was a long-standing standard, first published in the 1990s as a code of practice. As it matured, a second part emerged to cover management systems, against which certification is granted. Today more than a thousand certificates are in place across the world. ISO 27001 enhanced the content of BS 7799 and harmonized it with other standards. Various certification bodies have introduced a scheme for conversion from BS 7799 certification to ISO 27001 certification. The standard covers all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations). It specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization's overall business risks, together with requirements for the implementation of security controls customized to the needs of individual organizations. The ISMS is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties. The objective of the standard itself is to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an ISMS. Adoption should be a strategic decision. Further, the design and implementation of an organization's ISMS is influenced by its needs and objectives, security requirements, the processes employed, and the size and structure of the organization.

The standard defines its process approach as the application of a system of processes within an organization, together with the identification and interactions of these processes, and their management. It employs the Plan-Do-Check-Act (PDCA) model (Figure 4) to structure the processes, and reflects the principles set out in the OECD Guidelines published by the Organisation for Economic Co-operation and Development (OECD). It addresses the confidentiality, integrity, and availability of IT systems and information, and provides both physical and technical security practices and procedures. ISO 27001 is as comprehensive as the NIST provisions within FISMA. It is also a live standard, updated and supplemented frequently.

ISO 27002 is the renumbered version of the earlier ISO code of practice for information security. It outlines hundreds of potential controls and control mechanisms which may be implemented, in theory, subject to the guidance provided within ISO 27001. The purpose of the proposed ISO 27003 development is to provide help and guidance in implementing an ISMS, with a focus on the PDCA method with respect to establishing, implementing, reviewing and improving the ISMS itself. ISO 27004 is the official number of the emerging standard covering information security management measurement and metrics; it is not expected to be published in the immediate term. ISO 27005 is the series standard covering information security risk management (ISRM). It provides guidelines for ISRM in an organization, specifically supporting the requirements of an ISMS as defined by ISO 27001. ISO 27006 offers guidelines for the accreditation of organizations that offer certification and registration with respect to an ISMS. The previous standard related to this issue was EA 7/03, which has effectively been replaced by the new standard to meet market demands to better support ISO 27001. ISO 27006 documents the requirements additional to those specified within ISO 17021, which identifies the more generic requirements.

[Figure 4 - ISO Information System Security Approach: the PDCA cycle takes interested parties' information security requirements and expectations as input and delivers managed information security. Plan: establish the ISMS. Do: implement and operate the ISMS. Check: monitor and review the ISMS. Act: maintain and improve the ISMS.]
Standards Comparisons

FISMA/NIST/HIPAA provisions and the ISO 27000 and PCI-DSS standards present a wide array of overlapping IT security features. With the exception of two initial steps, in which Government systems comply with (a) Federal Information Processing Standard (FIPS) 199, 200 and 201 provisions and (b) system categorization provisions (Low, Moderate, High impact), they follow similar (though not identical) processes and procedures to ensure system security. From a comprehensive security provisions perspective, NIST provides a detailed array of standards that address all aspects of information technology and telecommunications security. To fully grasp the overlapping information systems security features among the four security standards, we need to compare the detailed NIST IT security provisions with the security provisions of the other three. Figure 5 is a detailed comparison of the security domains covered by FISMA/NIST, HIPAA, PCI-DSS and ISO 27000.

Figure 5 - Standards Overlaps and Differences (rows are the technical security features compared; the original table marked each feature as covered or not covered under each of the FISMA, HIPAA, PCI-DSS and ISO 27000 columns, and only the row names survive here)
- FIPS Compliance
- Categorization of System (FIPS)
- Identification of System Risks
- Establish Security Policies
- Identification of Network Security Reference Configuration Specifications
- User Data Privacy Provisions
- Security Considerations in the System Development Life Cycle
- Cell Phone and PDA Security
- General Server Security
- Protection of Confidentiality of Personally Identifiable Information (PII)
- Bluetooth Security
- EAP Methods Used in Wireless Network Access Authentication
- Use of PIV Credentials in Physical Access Control Systems
- Information Security Testing and Assessment
- Securing External Devices for Telework and Remote Access
- SSL in VPNs
- Storage Encryption Technologies for End User Devices
- Key Derivation Using Pseudorandom Functions
- Applications Using Approved Hash Algorithms
- Randomized Hashing for Digital Signatures
- PIV Visual Card Topography
- Cell Phone Forensics
- Security of Radio Frequency Identification (RFID) Systems
- Wireless Robust Security Networks (IEEE 802.11i)
- PIV Card to Reader Interoperability
- Secure Web Services
- Intrusion Detection and Prevention Systems (IDPS)
- Computer Security Log Management
- Random Number Generation Using Deterministic Random Bit Generators
- Assurances for Digital Signature Applications
- Media Sanitization
- Integration of Forensic Techniques into Incident Response
- PIV Data Model Test Guidelines
- PIV Card Application and Middleware Interface Test Guidelines
- Test, Training, and Exercise Programs for IT Plans and Capabilities
- Malware Incident Prevention and Handling
- Secure Domain Name System (DNS) Deployment
- Guidelines for the Accreditation of Personal Identity Verification (PIV) Card Issuers (PCIs)
- Cryptographic Algorithms and Key Sizes for Personal Identity Verification
- Biometric Data Specification for Personal Identity Verification
- PDA Forensics
- Checklist Program for IT Products: Guidelines for Checklist Users and Developers
- Security Configuration Checklists Program for IT Products: Guidance for Checklist Users and Developers
- Security of Microsoft Windows XP
- Security of Microsoft Windows XP Systems for IT Professionals
- Triple Data Encryption Algorithm (TDEA) Block Cipher
- IT Security in the Capital Planning and Investment Control Process
- Security Considerations in the System Development Life Cycle
- Electronic Authentication Guidelines
- Computer Security Incident Handling
- Mapping Types of Information and Information Systems to Security Categories
- Security Considerations for Voice Over IP Systems
- Key Management
- Performance Measurement Guide for Information Security
- Border Gateway Protocol Security
- ... for Federal Information Systems and Organizations
- Selection and Use of Transport Layer Security (TLS) Implementations
- Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme
- Building an Information Technology Security Awareness and Training Program
- Guide to Securing Legacy IEEE 802.11 Wireless Networks
- Security in Interconnecting Information Technology Systems
- Enterprise Telework and Remote Access Security
- Security for Telecommuting and Broadband Communications
- Guidelines on Electronic Mail Security
- Securing Public Web Servers
- Firewalls and Firewall Policy
- Patch and Vulnerability Management Program
- Management of Risk from Information Systems
- Security Certification and Accreditation
- Selection of Information Technology Security Products
- Information Technology Security Services
- Contingency Planning for Information Technology Systems
- Public Key Technology and the Federal PKI Infrastructure
- Engineering Principles for Information Technology Security
- PBX Vulnerability Analysis
- Security Assurance and Acquisition/Use of Tested/Evaluated Products
- Information Security Training Requirements
- Security Guidelines for Telecom Management Network

If we look at the HIPAA, PCI-DSS and ISO 27000 information technology security provisions (leaving out the detailed provisions on data privacy for HIPAA and PCI-DSS and focusing only on data security), and compare them to the NIST (FISMA) security standards, we arrive at Figure 6, which illustrates the overlap of security provisions.

[Figure 6 - Security Provisions Overlap/Comparison: a Venn diagram of the HIPAA, PCI-DSS, ISO 27000 and FISMA/NIST provision sets]
The PCI-DSS and HIPAA areas outside the FISMA/NIST circle cover data privacy provisions, whereas ISO 27000, currently entirely within the NIST circle, will eventually create its own protrusions as the standard continues to develop and more security features are added beyond its current basis.

Common Compliance Approach for All Four Standards

The relational table in Figure 5 and the relational graphic in Figure 6 both suggest a possible approach to structuring a compliance matrix that satisfies all four standards as they relate to systems and information security and assurance (with the exception of information privacy). When we extract the technical security features common to all four standards from Figure 5, we observe the formation of a very strong common technical security base of 31 security features, as shown in Figure 7. From these common security features we can deduce that, despite the different approaches these standards use for the implementation of their security provisions, by implementing any one of the 31 features an organization satisfies the corresponding security provision in each of the four standards. A single feature satisfies one provision of each standard, not the standard as a whole; full compliance with a given standard still requires all of that standard's provisions, including any that fall outside the common base. This observation can also be stated as a formula. If we name:
» X the table in Figure 7,
» x_1, x_2, x_3, ..., x_31 the individual rows of X, and
» S the collective representation of FISMA/NIST, ISO 27000, PCI-DSS and HIPAA,
we can state that

$$ x_i \in X \;\Rightarrow\; x_i \in S, \qquad i = 1, \ldots, 31 $$

That is, every one of the 31 technical security features in Figure 7 is a security provision of all four standards (FISMA/NIST, ISO 27000, PCI-DSS and HIPAA) in their current form. From the graphic in Figure 6 we also observe the overwhelming presence of the NIST Special Publication provisions, which, despite their different implementation approach and their reference to U.S. federal organizations, envelop all provisions of the other three standards (with the exception of information privacy). We can represent this relationship with a second formula. In Figure 6, if we name:
» F the FISMA/NIST circle,
» S the collective representation of the three ISO 27000, PCI-DSS and HIPAA circles, and
» f_1, f_2, f_3, ..., f_x all FISMA/NIST security provisions present in S,
we can state

$$ f_i \in F \;\Rightarrow\; f_i \in S, \qquad i = 1, \ldots, x $$

That is, an organization implementing the related security features in compliance with FISMA/NIST is also in compliance with the ISO 27000, PCI-DSS and HIPAA information security provisions.

Figure 7 - Common Technical Security Features for FISMA/NIST, ISO 27000, PCI-DSS and HIPAA
1. Identification of System Risks
2. Establish Security Policies
3. Identification of
4. Network Security Reference
5. Configuration Specifications
6. User Data Privacy Provisions
7. General Server Security
8. Protection of Confidentiality of Personally Identifiable Information (PII)
9. Use of PIV Credentials in Physical Access Control Systems
10. Information Security Testing and Assessment
11. SSL in VPNs
12. Storage Encryption Technologies for End User Devices
13. Secure Web Services
14. Intrusion Detection and Prevention Systems (IDPS)
15. Computer Security Log Management
16. Test, Training, and Exercise Programs for IT Plans and Capabilities
17. Malware Incident Prevention and Handling
18. Biometric Data Specification for Personal Identity Verification
19. Security Configuration Checklists Program for IT Products: Guidance for Checklist Users and Developers
20. Mapping Types of Information and Information Systems to Security Categories
21. Building an Information Technology Security Awareness and Training Program
22. Guidelines on Electronic Mail Security
23. Securing Public Web Servers
24. Firewalls and Firewall Policy
25. Patch and Vulnerability Management Program
26. Management of Risk from Information Systems
27. Security Certification and Accreditation
28. Information Technology Security Services
29. Contingency Planning for Information Technology Systems
30. Public Key Technology and the Federal PKI Infrastructure
31. Information Security Training Requirements

Conclusion

As public and private agencies and organizations in the United States and around the world begin to tackle and adopt the comprehensive FISMA, HIPAA, ISO 27000 and PCI-DSS information technology security provisions and standards, this paper's findings show that there is a comprehensive common security feature base that cuts across all four security standards. Because the FISMA/NIST Special Publications cover an extensive number of public and private security features, organizations, irrespective of the compliance model they adopt (ISO, PCI-DSS and/or HIPAA), can save time and resources by implementing wide-reaching free automation tools for FISMA compliance, such as OpenFisma, which, with the exclusion of information privacy, can also cover compliance with the other three standards. The private sector would also benefit from R&D funding of similar efforts to automate the implementation of ISO 27000 and PCI-DSS security features that could in turn be used by government agencies. Standardization has traditionally proven its value as a cost-saver and a quality improver, and the field of information and systems security and assurance is no exception. NIST has a comprehensive set of information security and assurance guidelines that are focused on the U.S. IT security environment, but we should not overlook the equivalent and wide-reaching international potential of ISO 27000. As ISO 27000 evolves, proves its efficiency, and gains the approval and adoption of the international community, it will introduce provisions not included in the NIST bibliography, and it will also provide a fresh IT security perspective with an international outlook.

We should also appreciate the no-nonsense IT security approach adopted by PCI-DSS. The standard's structured approach, with questionnaires and concise guidelines, leaves little room for confusion and misinterpretation, and ensures a clear-cut and effective IT security documentation package. In addition, the PCI Security Standards Council continues its rigorous IT security activities and looks increasingly promising in producing additional security standards. HIPAA's IT security and information assurance is more than adequately covered by the NIST provisions contained in its Special Publications. HIPAA's main challenge lies in maintaining information privacy: the legislative act's privacy provisions are complex, open to legal interpretation, and require further development to standardize and streamline. All in all, the field of IT and information security is in evolutionary flux. More work remains that will require the collaboration and consensus of all IT security stakeholders worldwide. A unique, comprehensive and global body of knowledge that can be easily implemented under current circumstances remains a chimera. Until its advent, research should focus on integrating existing security standards to further safeguard IT and information security and assurance, before the proliferation of disparate security standards creates a chaotic plethora of documentation that can only complicate the process of securing both technology and information.

For more information about Catapult and/or this project, contact Catapult at 11 Canal Center Plaza, Floor 2, Alexandria, VA.

References
» NIST Computer Security Resource Center, Special Publications: csrc.nist.gov/publications/pubssps.html
» Edward Humphreys, Implementing the ISO/IEC 27001 Information Security Management System Standard, Artech House, 2006
19 11 Canal Center Plaza, Floor 2 Alexandria, VA [email protected] QP
