A couple of years ago I published a paper on regulations and compliance. While there have been improvements, many of the tenets of this composition are relevant today. I will be posting additional (updated) materials over the next couple of weeks, and look forward to comments and feedback. This article is, of course, copyright protected by myself and the authors of the sections referenced throughout the report. Please, if you do distribute, provide a link and information regarding the author.
Regulations and Policy Compliance
Addressing government mandates for security controls
Tremendous expectations have been set by the United States, the European Union, and others for companies to comply with regulatory requirements. These requirements span all levels of privacy concerns relating to financial and health care providers. Additionally, mandates are set forth requiring definitive implementation, continual improvement, and holistic information security frameworks. Therefore, this brief is provided to organizations as a primer for understanding what these regulations require. Several regulations are highlighted along with industry frameworks that meet some or all of the criteria required for complying with the security components.
The regulations that are highlighted include The Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley, Sarbanes-Oxley, Security Breach Notification Act, EU Data Protection Directive, and finally the Fair Credit Reporting Act. The frameworks discussed include: The Committee of Sponsoring Organizations of the Treadway Commission “COSO”, Control Objectives for Information and Related Technology “COBIT”, IT Infrastructure Library “ITIL”, and ISO 17799.
This document is not intended to be a complete guide or complete interpretation of the regulations described within, nor does this replace the necessity for a detailed review and risk assessment of the corporation’s environment when determining gaps and necessary controls.
Numerous organizations of various sizes must now prepare and continually maintain a healthy security posture as defined by industry and government institutions. Previously, only certain public companies, or those that were subject to mandatory security requirements such as the Federal Credit Reporting Act (FCRA), were required to establish certain security initiatives. These companies followed vague definitions and guidelines on implementation and enforcement. The original federal directives were loosely enforced and broadly interpreted. The common sentiment across industry over the thirty years following the FCRA’s enactment allowed for mediocre adherence. The laws established did not properly address the environment that developed with the introduction of the Internet and the explosion of technology.
However, the leniency provided by the first 30 years is contrary to the present trend in legislative and industry wide information security directives. Recent regulatory and legislative requirements are broad in scope, command heavy penalties for non-compliance, apply to numerous industries, mandate implementation and maintenance of information security frameworks, and establish definitive timeframes for adherence.
The protection of consumer data is both a social responsibility and a business one. Due to the risks of data ownership by corporations, there is a necessity for businesses to play a responsible role in society. Companies have a “responsibility for social impacts…” (Peter Drucker), and the impacts that would occur from the release, accidental or otherwise, of sensitive information must be deterred. Sensitive information is classified through a methodical process weighing government regulations, contractual obligations with vendors and customers, and identifying high value data relative to the organization.
Often, in society, business reacts to such responsibilities by offering services or enhanced product lines that handle them. However, when these offerings do not suffice, or corporate behavior fails to satisfy the general populace, regulations are called forth. It is the lackluster effort by business to protect consumer data and curb the usage of sensitive information that has given rise to recent regulatory requirements. In an effort to protect the consumer, governments of both the U.S. and the E.U. have consistently put forth guidelines and requirements that demand adherence to best practices regarding data management. Australia and countries in the Orient have implemented broad information security management systems based on ISO 17799, and as a government standard are basing their business dealings on this best practice standard.
Implementation of a complete information security framework will bring an organization in line with the spirit of most domestic and international mandates regarding information security. The acceptance of a best practice framework recognized both internationally and within industry will provide a multitude of benefits to those who develop their IT and business processes around these guidelines. Several recognized frameworks include ISO 17799, COSO, the Banking Agency Guidelines documents, and COBIT. Separately, each framework addresses specific industry business requirements, while as a whole they outline and define analogous information security best practices. Achieving a certification under these standards provides a competitive advantage in bidding, an international understanding that security is paramount to the organization, and a signal of the organization’s continued effort to maintain a secure posture.
Policy and Regulations
In the past couple of years, companies have experienced a steady drumbeat of requirements and mandates defined by state and federal government authorities. Old stalwarts are being reinterpreted in a broader sense, and new legislation is not only defining requirements but exacting penalties for failure to comply within set timeframes. All major sectors of business are subject to the new legislation.
A disappointing assortment of events over the past 10 years resulted in a public outcry for better controls regarding information security management. The regulations include a multitude of additional directives that do not directly relate to information security but are nonetheless necessary components. The regulations that most clearly require information security management, or benefit from such a framework, include: the Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley, Sarbanes-Oxley, the Security Breach Notification Act, and finally the Fair Credit Reporting Act. The volume of recent and existing legislation regarding information security highlights the importance data has in today’s society. Understanding the intent of the regulatory requirements is necessary prior to the application of technological and human process measures.
“…to combat waste, fraud, and abuse in health insurance and health care delivery… to simplify the administration of health insurance…” – HIPAA 104-191
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) passed into law during the 1999 Congress to provide several improvements for health care organizations. HIPAA requirements address four areas:
1. Electronic Transactions and Code Sets
3. Unique Identifiers
Administrative simplification aims to create standards regarding electronic transactions, code sets, and unique identifiers. The unique identifier, the National Provider Identifier (NPI), shall be adopted by all institutions within the health care system. The privacy component of HIPAA addresses the desire to “maintain strong protections for the privacy of individually identifiable health information…” (HIPAA final Privacy Rule). The fourth component addresses security for health care organizations:
“…health information is threatened not only by the risk of improper access to stored information, but also by the risk of interception…” – HIPAA final Security Rule
The spirit of HIPAA’s final security rule is to establish standards and requirements for health information systems where presently none exist. The scope of the HIPAA security requirements breaks security down into three traditional areas: confidentiality, integrity, and availability.
“It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.” – (GLB Title V Sec 501(a))
The Gramm-Leach-Bliley Act (GLB), also known as the Financial Services Modernization Act of 1999, was authored to amend past legislation that prevented mergers between certain financial institutions. GLB instituted requirements for companies that share data, namely customer or consumer information, with affiliates and for marketing purposes. GLB included Title V in order to allay consumer privacy concerns, provide federal privacy legislation to placate EU concerns, and align U.S. financial services with the EU Data Protection Directive. The EU Data Protection Directive requires that any international body possessing an EU citizen’s data provide at least the same security standard as the citizen’s home state. This legislation requires all institutions participating within the EU to institute proper safeguards for all consumer and customer data.
The act establishes that all financial institutions overseen by the Federal Trade Commission (FTC) must provide appropriate safeguards for all data in their possession, whether or not a customer relationship exists directly or indirectly. Title V Section 501(b) establishes safeguards to define a baseline of expectations regarding information security within the financial services industry. The final rule on Standards for Safeguarding Customer Information (16 CFR Part 314) is intended to:
“Ensure the security and confidentiality of customer records and information; protect against any anticipated threats or hazards to the security or integrity of such records; and protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer.” – (16 CFR Part 314)
The Gramm-Leach-Bliley Act mandates information security measures regarding customer nonpublic personal information (NPI) in several specific areas.
1. Develop a continuous ongoing security program
2. Ensure security and confidentiality for customer (NPI) records
3. Protect against anticipated threats or hazards
4. Protect against unauthorized access causing harm or inconvenience to customer
The commission mandates a continuous information security program that provides guidelines and standards across the business and industry. The necessity of a consistent approach for transactions involving NPI is defined under section 501(b), Financial Institutions Safeguards. The industry will benefit from a greater ROI through the standardization of security technology. Institutions will gain greater efficiencies by implementing similar processes regarding data management and procedures. The commission mandates that companies protect against both assessed and unexpected intrusions or incidents that may damage the integrity or violate the confidentiality required for NPI.
Similar to HIPAA, the spirit of section 501 under Gramm-Leach-Bliley is to establish an industry standard concerning information security. The final rule for Safeguarding Customer Information (16 CFR Part 314) outlines specific direction regarding who is required to implement these controls, and how the institution may adhere to federal directives regarding information security. In line with the GLB, the Securities Exchange Commission, the FCIA, the FFIEC, the NCUA, and the Banking Agency Guidelines maintain an effort to standardize and provide consistency across financial government bodies. The cumulative effort and coordination by the financial services governing bodies illustrates the importance and necessity commanded by society, industry, and other world institutions.
SOX (Sarbox, Sarbanes-Oxley)
“To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes.” – Sarbanes Oxley
The manipulation of tax code and fallacious GAAP activities directed by executive management and facilitated by company accountants and auditors impacted public sentiment. When the accounting scandals became public, the economy was experiencing a recession: lifetime retirement funds vanished; trillions of dollars were lost in the markets; scores of jobs were lost as a direct result of fraudulent accounting; and market confidence declined markedly. Domestic American companies such as Enron, Global Crossing, WorldCom, and Tyco damaged the capitalistic spirit and confidence in the corporate governance of public company investments. As a result, Sen. Paul Sarbanes (MD) and Rep. Michael G. Oxley (OH) submitted HR-3763 to address the several concerns facing Congress. Firstly, the Sarbanes-Oxley Act – SOX (P.L. 107-204) establishes immediate measures to monitor the auditors of SEC regulated businesses. The act details a new oversight board to regulate independent auditors, while placing tighter restrictions upon the auditors and limiting the work they are permitted to provide. The act specifically places accountability upon the principal executive and principal financial officer regarding the accuracy, completeness, and integrity of all financial disclosures with respect to “internal controls.” SOX places fines of $5 million and potentially twenty years in prison on executives who violate this directive. Several sections within the Sarbanes-Oxley Act require information security technology and processes.
Section 302 – Corporate Responsibility for Financial Reports
Section 404 – Management Assessment of Internal Controls
Section 302 details the executive’s responsibility to ensure the accuracy of corporate financial reports. Such certification must provide the following assurances:
– Principal Officer vouches for the financial report
– The data within the report is completely accurate
– Principal has established and maintains internal controls
– “evaluation date for disclosure controls to ‘as of the end of the period’ covered by the quarterly or annual report.”
– Continuous assessment of internal controls and improvement occur on a frequent basis
“Internal controls” constitute a large burden on organizations that must comply with SOX. Internal controls are addressed under Sections 302 and 404. Internal controls over financial reporting are defined as those that “provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements”, specifically addressing:
1. Maintenance of records that accurately and fairly reflect transactions
2. Transactions are recorded properly as mandated by GAAP and federal directives
3. Reasonable preventive or timely monitoring methods for unauthorized acquisition, use, or disposition of assets that could have a material effect
This broadening of the term, combined with the increased responsibility placed upon upper management, requires thorough risk assessments and risk assurance programs to validate the requirements under SOX.
“We believe that each company should be afforded the flexibility to design its system of internal controls over financial reporting to fit its particular circumstances” – SEC Comments 33-8238
Section 404 requires principal executives and auditors to confirm the effectiveness of the internal controls.
– Maintain proper records
– Establish a suitable and recognized control framework
– Regular assessment of controls, and disclosure of a report outlining control effectiveness and identifying any material weaknesses
Section 404 encourages the implementation of an industry recognized standard that meets the criteria of both a suitable and a recognized control framework. Currently the framework promulgated by The Committee of Sponsoring Organizations of the Treadway Commission “COSO” fully meets these requirements. However, this does not exclude other frameworks that exist; instead it provides guidance concerning how these regulations can be adhered to completely. The Basel Committee on Banking Supervision is developing the Basel Accord II. The efforts by this committee are similar to and measurably in line with COSO; however, the Basel Accord II is not yet released. The committee producing the Basel Accord II includes numerous international banks, providing an international perspective. ISO 17799 is another international standard that is being widely adopted for regulatory and information security management requirements.
“In April of 2002, hackers entered the California state government system and accessed personal information over 200,000 state employees ranging from the governor to janitors. Worse yet, the government did not notify the employees until weeks after the incident occurred.” – Kinley Levack (EContent)
Due to the identity theft concerns regarding this intrusion, the Security Breach Notification Act passed into law in California on July 1, 2003 to address the public’s privacy notification concerns. This is a state law, but it has wide reaching impact: a majority of businesses across the nation must now comply with it. The act mandates that any business that releases, accidentally or otherwise, the “personal information” of any resident of California must disclose this within a reasonable period. Due to the nature of the wording, any company conducting business with any California resident is required to comply with the law.
The Security Breach Notification Act addresses the following:
– Companies, Agencies, or persons conducting business in California must disclose any breach to California residents
– Timely disclosure must occur
– Companies may not share information with affiliates without consumer approval
“The disclosure shall be made in the most expedient time possible and without unreasonable delay” – (Sec. 2(a))
The intention of this law is to ensure consumers are made aware when their data is received by unauthorized person(s). However, the wording within the bill provides that entities not aware of a disclosure are not liable for such disclosures or for alerting customers: “…reasonably believed to have been, acquired by an unauthorized person” (Sec. 2 (a)). SB-1386 provides a ‘right of action’ for consumers to file a civil case against any noncompliant organization. This legal pressure is unique to this state law, as most federal laws do not provide a ‘right of action’ for consumers.
However, some aspects of SB-1386 are considered void as a result of the Fair and Accurate Credit Transactions Act, an amendment to the Fair Credit Reporting Act, a federal law that preempts all state laws regarding information sharing; specifically, the provisions restricting information sharing, and the requirements and penalties concerning these actions.
The Fair Credit Reporting Act (FCRA), enforced by the FTC, promotes accuracy in consumer reports and is meant to ensure the privacy of the information in them. The FCRA, enacted in 1970, amended in 1996 under the Consumer Credit Reporting Reform Act, and again in 2003, has become interwoven in state and federal legislation. In 1996 the act increased consumer protections and provided means of verifying and correcting erroneous credit reports. The Fair and Accurate Credit Transactions Act of 2003 (FACTA) (PL 108-159) amended the FCRA to increase consumer protections, provide more oversight of the CRAs (Credit Reporting Agencies), implement identity theft procedures and responses, and enhance superseding provisions concerning consumer privacy. The FACT Act, however, also extended indefinitely numerous preemption provisions over state legislation. While this does prevent a mosaic of legislation regarding requirements on financial institutions, FACTA institutes the requirements of FCRA regardless of whether state laws were more restrictive or less.
The Fair Credit Reporting Act is concerned with the privacy of consumers, and provides numerous mechanisms for consumers to monitor, correct, and exercise some control over the data and its usage. The act specifies that all credit reporting agencies must maintain the data securely and properly manage the data that is being transferred to affiliates and others.
– FCRA mandates that CRAs maintain the security and integrity of consumer files
– The FCRA requires “Reasonable Procedures” with regards to consumer data
The FCRA is considerably less specific and direct than recent regulations that have passed through Congress. Other directives mandate explicitly what must be addressed, and under what frameworks institutions may find guidance. The FCRA implies that organizations must provide only ‘reasonable procedures’, and therefore the onus was placed upon the institutions regulated by FCRA to develop industry and private security mechanisms.
Ironically, this self regulation has not been viewed favorably by international bodies, and as a result the lack of federally regulated privacy mandates has forced recent international legal hurdles to be addressed. Alongside the regulations mentioned above, an effort to meet international requirements regarding consumer privacy has developed. The institution of the Safe Harbor Act of 2000 provides a bridge for organizations under U.S. law to comply with the requirements held under the E.U. In addition, individual companies are negotiating the requirements of security within deals as a means to address this and other international mandates.
Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act of 1996, created nearly 8 years ago and recently signed in 1999, established the government’s intent to reform the health care system. HIPAA addresses several areas:
The first two areas address simplifying the administrative component of healthcare in general. The latter two specifically address the confidentiality and integrity of the data that is possessed by Health Care Organizations. Depending on the size of the organization, HIPAA defines explicit time frames for compliance with each separate ruling on the aforementioned concerns.
HIPAA applies to every entity involved in electronic health care information – including all health care providers, health plans, employers, public health authorities, life insurers, clearinghouses, billing agencies, information systems vendors, service organizations, universities, and single-physician offices. In addition, “A covered entity’s responsibility to implement security standards extends to the members of its workforce, whether they work at home or on-site.” (45 CFR Parts 160, 162, and 164 § 160.103) This requires the covered entities to implement and manage security for all external “at home” workforces and all third party administrators (TPA). The regulation is bound not so much to an industry as to a type of information – PHI.
To tackle this requirement, companies must address both a technical and a process solution. The security area of the standard highlights certain areas that must be addressed. Organizations can address these requirements through the application of best practice frameworks, such as ISO 17799, which should become established in the organization’s processes.
The dates by which health care entities must comply differ depending on when the final rule is issued for each section, and on the size of the organization. The security standards were released on April 21, 2003. Therefore entities that meet the ‘small health plans’ category must meet the requirements two years after this ruling, April 21, 2006. All other entities subject to HIPAA must comply with the final rule on security standards in one year, April 21, 2005.
Application of a complete information security management framework that addresses all three areas identified within HIPAA is advisable. All security implemented must be relative to the organization’s size and the importance of the data. Traditional practices exist to help identify this type of information and provide guidance as to the measure of security expected. HIPAA supports a relative security posture, but the organization must be able to defend the positions taken with regard to the type and detail of security implemented. Identifying risk and classification are detailed later in this paper, and should be referenced in addition to an appropriate security framework.
HIPAA defines the covered data as electronic protected health information, and any data that meets this classification is subject to the rules as detailed within the final security standards rule of HIPAA as issued by the Department of Health and Human Services. Once what shall be protected has been identified, as enforced by HIPAA and other relevant regulations, understanding what is considered a violation is paramount. HIPAA specifically outlines what is considered a breach or security incident in terms of the protected data. Entities covered by this regulation must ensure that all human processes, frameworks, and technology deployed address these concerns.
HIPAA defines “security incident” in § 164.304 as “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” – HIPAA Final Security Standards Rule
HIPAA mandates 13 specific security implementations, in addition to the necessary controls identified as reflective of the organization’s information. These security controls can be addressed by incorporating available security frameworks, current reasonable security technology, and the development and propagation of improved human procedures.
– Administrative Safeguards:
  – Security Management Process
  – Assigned Security Responsibility
  – Information Access Management
  – Security Incident Procedures
  – Contingency Plan
  – Administrative Evaluation
  – Business Associate Contracts and
– Physical Safeguards:
  – Workstation Use
  – Workstation Security
  – Device and Media Controls
– Technical Safeguards:
  – Access Control
  – Audit Controls
  – Person or Entity Authentication
Addressing the mandates outlined by the HIPAA Privacy and Security Standards ruling requires a concerted effort by the organization affected by this legislation. As described, the implementation of a security framework such as ISO 17799, COBIT, or even COSO provides the guidance and procedures necessary to comply with a majority of the requirements regarding information security. Entities should look towards improving and standardizing their internal processing, workstation security, the means of storage and transfer of data, the segmentation of user privileges, and an accurate means of monitoring and identifying security incidents.
Gramm-Leach-Bliley (GLB) defines areas that must be addressed to ensure the requirements for information security practices are met within financial institutions. Although this act pertained specifically to removing restrictions placed upon financial institutions relating to mergers and information sharing, section 501 included in the bill dictates the security standards that are required. GLB regulates financial institutions: businesses that are engaged in banking, insuring, stocks and bonds, financial advice, and investing. In addition, the affiliates of these institutions are subject to the regulation, and those who receive such protected data are expected to address the required safeguards in good faith to the financial institution distributing the sensitive data. Other entities also covered by Gramm-Leach-Bliley:
“…rule covers a wide range of entities, including: nondepository lenders; consumer reporting agencies; debt collectors; data processors; courier services; retailers that extend credit by issuing credit cards to consumers; personal property or real estate appraisers; check-cashing businesses; mortgage brokers, and any other entity that meets this definition…’financial institution’ means: any institution the business of which is engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956”
– (Section 314.1 of 16 CFR Part 314)
GLB specifically addresses pretexting, and the necessity of risk assessments within an organization. The Gramm-Leach-Bliley Act states that individual(s) who engage in social engineering or pretexting will be liable for large monetary fines and jail time depending on the number of offenses.
A critical point highlighted within the Gramm-Leach-Bliley Act looks beyond the internal security framework of the organization and requires awareness and proper security processes to exist with partners or affiliates. The GLB describes the multiple types of relations that exist within such institutions and attempts to wholly define the necessary areas that must be secured. Specifically, the GLB requires a comprehensive security plan that adequately protects the environment relative to its scale and the importance of the data. Therefore, regular risk assessments are required that include a review of all third party relationships and the information systems where protected data is present. The standard clearly defines that the risk assessment include “all methods to access, collect, store, use, transmit, protect, or dispose of customer information.” This is required both internally and with respect to all third party policies. The guidelines clearly establish that it is still the onus of the central organization to diligently ensure the data is protected internally and externally. The inability to outsource this problem forces financial institutions to continuously validate the information security systems that are employed with their partners.
The two components relating directly to security within the act concern the privacy final rule, and the standards for safeguarding customer information. The privacy rule compliance date was set for July 1, 2001. The safeguards issued on May 23, 2002, published in the Federal Register as 16 CFR Part 314, are effective May 23, 2003. As the security requirements outlined within GLB require continuous lifecycle management of information security, entities must incorporate these mandates into their culture to perpetuate the spirit of section 501.
Gramm-Leach-Bliley defines, under the safeguards final ruling, what is necessary to comply with the security regulations. The requirements define the implementation of a full information security management framework, and mandate regular information risk assessments. The controls outlined within the safeguards of consumer information state the following:
“…shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.” – (§ 314.3)
– Single point of contact to coordinate information security program
– Identify internal and external risks to organization
– Risk Assessment (internal / external)
– Application, and Procedure Assessments
– Baseline existing controls
– Risk Assess
– Security training (employees and management)
– Systems, Infrastructure, Applications
– Deploy safeguards to address identified risks within risk assessment
– Implement system to “regularly test or otherwise monitor the effectiveness”
– Require Service providers, by contract, to implement similar safeguards
– Re-assess and deploy appropriate safeguards to address, “any material changes to your operations or business arrangements…or have reason to know may have a material impact on your information security program” – (§ 314.4)
The Commission developed these mandates as an industry-wide initiative to raise the security posture of every entity covered by GLB, and to create efficiencies in the marketplace through that consistency. Understanding risks and putting safeguards in place today saves the cost of future security incidents. Organizations should address the GLB requirements by drawing on a number of sources: they must develop an information security program that meets the control requirements listed above, and they can benefit from already published frameworks or from the educational material the FTC releases. GLB allows each organization to implement a security program appropriate to its size and to the sensitivity of its data. Later in this document guidance is given on identifying and classifying information. These are tools for approaching the security concerns GLB raises, but on their own they are not enough to meet the regulation without a more complete program.
“…the Commission envisions that any entity that can demonstrate compliance with the Banking Agency Guidelines (including the substantively identical NCUA Guidelines) will also satisfy the Rule.” -(16 CFR Part 314)
The Sarbanes-Oxley Act of 2002 included tighter financial disclosure requirements, improved whistle-blower protections, and, most prominently, personal accountability for the principal executive and financial officers (CEO and CFO). SOX requires these officers to certify the financial statements and exposes them to personal penalties. Meeting the act’s requirements takes both technology and a genuine change in the human procedures and routines of the organization.
Sarbanes-Oxley applies to all issuers regulated by the Securities and Exchange Commission (SEC). Section 404 of SOX makes no distinction between domestic and foreign issuers, so both are expected to comply with it (the SEC has set later compliance dates for foreign private issuers and smaller filers). Penalties range from fines and de-listing from the exchanges, enforced by the SEC, to criminal prosecution and imprisonment. Accelerated filers must comply with the internal control requirements for fiscal years ending on or after November 15, 2004.
Section 404 of Sarbanes-Oxley addresses internal controls over financial reporting. Information technology departments, internal and external audit teams, and management must work together to ensure these controls are deployed across every required area. As stated above, organizations certify the information they disclose by certifying that their internal controls adequately assure the integrity of the data it contains. In addition, the company’s external auditor must attest to, and report on, management’s assessment of the internal controls that protect the integrity and confidentiality of that information.
Organizations subject to the mandates of Sarbanes-Oxley must develop a plan for addressing its many requirements. With regard to information security management, firms should review at least the following:
– Business continuity
– Disaster Recovery
– Data backup procedures
– Monitoring and Incident Response
– Risk Assessments and continued baseline reviews
In addition, the SEC’s rule implementing section 404 names three existing frameworks as suitable for evaluating internal control: the COSO framework maintained by the Committee of Sponsoring Organizations of the Treadway Commission, the Guidance on Assessing Control (CoCo) published by the Canadian Institute of Chartered Accountants, and the Turnbull Report from the Institute of Chartered Accountants in England and Wales. These are internal control frameworks rather than security frameworks. The SEC also sets the criteria an alternative framework must meet to be used in their place:
– Be established by a body or group that has followed due-process procedures, including broad distribution of the framework for public comment
– Be free from bias
– Permit reasonably consistent qualitative and quantitative measurement of a company’s internal control
– Be sufficiently complete that factors relevant to evaluating the effectiveness of the company’s internal controls are not omitted
– Be relevant to an evaluation of internal control over financial reporting
Organizations benefit from applying the guidance these frameworks provide. Each defines specific controls and procedures that, applied reasonably, give the principal officers assurance about the integrity of the financial reports. Unlike HIPAA, SOX does not explicitly define security requirements; it offers guidelines and establishes what is expected, relying on the work of industry experts and private bodies to define the principles to be achieved. By understanding the spirit of SOX and GLB and using the guidance available, management can reach compliance by adopting an appropriate framework. Organizations must address these requirements and deploy the necessary internal controls to ensure compliance, avoid legal penalties, reduce the likelihood and impact of unauthorized access, and uphold the purpose of SOX by giving the market confidence in companies’ financial disclosures.
Several state legislatures, among them California and Massachusetts, are currently considering extending SOX-style requirements to all businesses. It is therefore imperative that every company consider the mandates defined in these regulations and proactively align the organization with a recognized information security framework.
Organizations must understand the information security threats that put their operational and financial standing at risk. As highlighted in this brief, organizations are liable for the security of financial, health, and general nonpublic personal information. The threats consist of accidental and deliberate attacks that can directly affect earnings and future targets through reputational damage. Organizations must identify the risks they are exposed to; only then can a mitigation strategy be developed.
Assessments are the primary tool organizations use to determine their existing security posture and to measure it continually for ongoing assurance. Such assessments should be conducted both internally and by external parties. Internal assessments give information owners regular status reports from people who know the organization’s business processes. Companies also engage external firms for their impartiality and their expertise in information security practice. Assessments vary in depth and in how specific each one needs to be; companies should rotate assessments of every kind on a regular schedule to obtain the widest coverage.
Controls must ensure, at a minimum, the confidentiality, integrity, and availability of the data on the network. Specifically, the technology must address the regulatory requirements outlined in this brief: protection of sensitive data in transit and at rest (encryption where appropriate), and authentication and authorization at the level of the individual user. The ISO 17799 standard recommends segregation of duties and a proper definition of user privileges, giving management and the information technology owners a means of ensuring the corporation complies with all applicable regulations.
Once the assessment reports are produced, the company must settle on a way of measuring the threats that exist. Assigning weights to threats is a difficult task, but the results allow management to select appropriate risk mitigation strategies. Each company must determine a scale and weighting system that fits the organization. Certain areas should be reviewed in every case, and they appear repeatedly in best practice guides for information security; the frameworks recommended in this paper give instruction on classifying and addressing them. Basic tenets of security define classification to include the following.
The value of the data must be understood. Value here means how exposure of the data would affect the company, society, or the stability of an environment. A corporation’s secret formula for a chemical will clearly receive a high value rating, while a 10-K report that has already been released will receive a low one.
As data ages or becomes public knowledge, it loses the value it was originally assigned. Companies should review how their classifications account for this depreciation. Once a company has a standard way of valuing data over its useful life, information owners can apply proportionate countermeasures. One example is the choice of encryption algorithm and key strength: the longer the data must remain protected, the stronger the algorithm and key must be, because they have to resist attack for the whole of that period.
The type of data must also be considered when classifying what the information systems protect. As regulations multiply, companies need a standard classification profile that controls each type of information. Protected Health Information, as defined and protected by HIPAA, must be classified and given diligent security measures so the organization does not violate the spirit of the regulation.
Regulatory and contractual requirements must be addressed in the same way, usually in concert with the ‘type of data’ scale. The weights applied should be relevant to the data, and setting them must involve both the data owners and the technology owners. Every weight should be reviewed by those who work closely with the information and also by those with a broader view of how the data is used, to ensure the security ranking is correct.
Once these categories are defined and everything is classified accordingly, the final step is to combine all the values into a single classification standard. Combining them requires some judgment, to make sure items that are plainly critical are treated as such; the exercise will also bring to light parts of the organization that were mistakenly not considered critical. Once the values are set, upper management must sign off on them, and then the security components should be developed following the new matrix, addressing the most critical items first and working down to the less critical. All disaster recovery plans should be updated to reflect the newly ranked systems.
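The scoring procedure described above (value depreciated over useful life, data type with regulatory floors, contractual obligations, owner-agreed weights, a single tier per asset, and a matrix ordered most critical first) can be made concrete in a few lines. The following is an added, illustrative example and not part of the original paper; the tier names, thresholds, weights, regulatory floors and sample inventory are all assumptions chosen for illustration, not values taken from any regulation or framework.

```python
"""Illustrative data-classification scoring (added example; all constants are
assumptions, not drawn from HIPAA, GLB or any framework)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Tuple

# Tiers ordered least to most sensitive (assumed labels).
TIERS = ["Public", "Internal", "Confidential", "Restricted"]

# Score thresholds on a 0-5 scale (assumed): the first limit the score
# does not reach decides the tier; scores of 3.0 and above are Restricted.
THRESHOLDS = [(1.0, "Public"), (2.0, "Internal"), (3.0, "Confidential")]

# Regulatory floors (assumed): a regulated data type sets a minimum tier
# regardless of score, so depreciation or a low business value can never
# downgrade, say, protected health information to Internal.
REGULATORY_FLOOR: Dict[str, str] = {
    "PHI": "Restricted",    # protected health information (HIPAA)
    "NPI": "Confidential",  # nonpublic personal information (GLB)
}

# Weights agreed by data and technology owners (assumed); they sum to 1.
DEFAULT_WEIGHTS = {"value": 0.6, "regulatory": 0.25, "contractual": 0.15}


@dataclass
class Asset:
    name: str
    value: int               # 0-5 business impact if exposed, set by data owner
    useful_life_days: int    # period over which the data keeps that value
    created: date
    data_types: List[str] = field(default_factory=list)
    contractual: int = 0     # 0-5 strength of contractual obligations


def depreciated_value(asset: Asset, today: date) -> float:
    """Value decays linearly to zero over the useful life (assumed model)."""
    age = (today - asset.created).days
    if age >= asset.useful_life_days:
        return 0.0
    return asset.value * (1.0 - age / asset.useful_life_days)


def floor_indexes(asset: Asset) -> List[int]:
    return [TIERS.index(REGULATORY_FLOOR[t]) for t in asset.data_types if t in REGULATORY_FLOOR]


def regulatory_rating(asset: Asset) -> float:
    """0-5 rating from the strictest regulatory floor that applies (Restricted = 5)."""
    floors = floor_indexes(asset)
    return 5.0 * max(floors) / (len(TIERS) - 1) if floors else 0.0


def score(asset: Asset, today: date, weights=DEFAULT_WEIGHTS) -> float:
    return (weights["value"] * depreciated_value(asset, today)
            + weights["regulatory"] * regulatory_rating(asset)
            + weights["contractual"] * asset.contractual)


def tier_for_score(s: float) -> str:
    for limit, tier in THRESHOLDS:
        if s < limit:
            return tier
    return TIERS[-1]


def classify(asset: Asset, today: date, weights=DEFAULT_WEIGHTS) -> str:
    """Tier from the weighted score, raised to any regulatory floor."""
    by_score = TIERS.index(tier_for_score(score(asset, today, weights)))
    return TIERS[max([by_score] + floor_indexes(asset))]


def classification_matrix(assets: List[Asset], today: date,
                          weights=DEFAULT_WEIGHTS) -> List[Tuple[str, str, float]]:
    """(name, tier, score) rows ordered most critical first, which is the
    order in which safeguards and recovery plans should be worked through."""
    rows = [(a.name, classify(a, today, weights), round(score(a, today, weights), 2))
            for a in assets]
    return sorted(rows, key=lambda r: (TIERS.index(r[1]), r[2]), reverse=True)


# Constructed sample inventory; the assessment date is fixed so results repeat.
TODAY = date(2004, 6, 1)
SAMPLE_ASSETS = [
    Asset("chemical formula", 5, 3650, date(2003, 6, 1), contractual=3),
    Asset("released 10-K", 4, 30, date(2004, 3, 1)),
    Asset("patient records", 3, 36500, date(2000, 1, 1), ["PHI"], contractual=2),
    Asset("customer NPI list", 3, 730, date(2004, 1, 1), ["NPI"], contractual=2),
    # Expired useful life and low value, yet still PHI: the floor must win.
    Asset("archived PHI extract", 1, 365, date(2001, 1, 1), ["PHI"]),
]

if __name__ == "__main__":
    for name, tier, s in classification_matrix(SAMPLE_ASSETS, TODAY):
        print(f"{tier:13} {s:4.2f}  {name}")
```

The point of the floors is the last sample asset: depreciation drives its score down to the Internal band, but because it is PHI it is still classified Restricted. Sign-off by management and the update of disaster recovery plans remain manual steps that follow from the matrix.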
Three possibilities (Reduce, Transfer, Accept)
Risk management offers three ways of dealing with the risks that assessments and audits identify. Establishing a baseline, and with it a predetermined comfort level, gives the organization a standard process for handling risks in proportion to its needs. The three methods are reducing the risk, transferring it to another party, or accepting it. The organization must decide the appropriate response to each threat. Where a countermeasure can mitigate the risk adequately, reduction is the right choice. Where the risk cannot be handled internally, the organization looks to third-party contractors or insurance to carry it. And some business functions simply must go on, so for them no countermeasure will be implemented and the risk is accepted.
Technology and human process requirements are all measures designed to reduce a risk to an acceptable level. Determining that level is critical to knowing what kind of countermeasure to implement, and it also ensures that the cost of the control does not exceed its benefit. Managing cost and classifying data properly together ensure that these areas are secured with a meaningful security posture.
Contracts that make vendors responsible for identified risks are a common means of transferring risk, and companies can also use insurance to hedge against threats. As in any business endeavor, companies often enter joint ventures or partnerships to spread the risk across several entities. In every case, however, each organization must make sure it is itself properly protected against the threats identified.
The Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) is named in the SEC’s rules implementing Sarbanes-Oxley as an appropriate framework for the controls required under sections 302 and 404. The relevant publication is Internal Control—Integrated Framework, first published in 1992 and developed from an extensive study by numerous private sector organizations. The framework defines several objectives that the controls it outlines are meant to achieve:
– “Effectiveness and efficiency of operations
– Reliability of financial reporting
– Compliance with applicable laws and regulations”
COSO organizes its components around the concept of ‘internal control’, defined as “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement” of the above objectives. The five components of the framework are:
– Control environment
– Risk assessment
– Control activities
– Information and communication
– Monitoring
This information regarding COSO was gathered from the Executive Summary for the aforementioned controls document produced by the Committee of Sponsoring Organizations of the Treadway Commission. Organizations that decide to implement COSO must examine carefully all aspects of the framework, follow industry best practices, and guidance regarding such a significant organizational change.
The International Organization for Standardization (ISO) is a worldwide federation of national standards bodies from more than 140 countries, and its standards cover every level of industry and technology. ISO 17799, “Code of Practice for Information Security Management”, is based on BS 7799-1:1999. ISO 17799 is a reference document containing guidelines that most organizations can adopt; it sets out business best practices for security that are continually reviewed and improved through open review periods. BS 7799-2:2002, “Specification for Information Security Management Systems”, provides the mechanism by which organizations can be certified against the ISO 17799 controls, and it specifies the requirements for an Information Security Management System (ISMS). The framework provided by ISO 17799 is in line with other mainstream control frameworks such as COBIT and COSO.
“Information security is characterized here as the preservation of
– Confidentiality: ensuring that information is accessible only to those authorized to have access
– Integrity: safeguarding the accuracy and completeness of information and processing methods
– Availability: ensuring that authorized users have access to information and associated assets when required”
ISO 17799 identifies three main sources from which an organization’s security requirements, and the risks and threats to its information systems, are derived:
– Risk Assessments – “threats to assets are identified, vulnerability to and likelihood of occurrence is evaluated and potential impact is estimated.”
– Legal, Regulatory, and Contractual Obligations
– Internal or Industry defined, “principles, objectives, and requirements for information processing that an organization has developed to support its operations.”
The ten control areas of ISO 17799 are:
– Security policy
– Organizational security
– Asset classification and control
– Personnel security
– Physical and environmental security
– Communications and operations management
– Access control
– Systems development and maintenance
– Business continuity management
– Compliance
ISO 17799 can be applied across many kinds of organization to demonstrate due diligence with regard to information security; as a standard it is both flexible and a globally recognized framework.
Numerous frameworks have been developed, some addressing broad, sweeping requirements and others the requirements of niche markets. Applying one holistic framework across the organization yields a uniform and complete improvement in security posture. Additional standards should be applied only to address unique areas of the business, and care must be taken that gaps do not open up as a result. Frameworks that address information security concerns include:
(IT INFRASTRUCTURE LIBRARY)
“…the most widely accepted approach to IT Service Management in the world.” – OGC
ITIL, developed by the OGC (Office of Government Commerce) in the United Kingdom, is a cohesive set of best practice processes drawn from the public and private sectors internationally. Although published by a government body, ITIL is not itself a standard; its processes are, however, in line with the British Standards Institution’s standard for IT service management, BS 15000.
(CONTROL OBJECTIVES FOR INFORMATION AND RELATED TECHNOLOGY)
COBIT, developed by the IT Governance Institute, provides, “a generally applicable and accepted standard for good Information Technology (IT) security and control practices that provides a reference framework for management, users, and IS audit, control and security practitioners”. COBIT provides guidance to enterprises for implementing effective governance over information technology systems. COBIT references COSO definitions and processes throughout the framework to provide consistency for organizations.
BASEL ACCORD II
The Basel Accord is a framework “…that takes into account the total and specific uses of capital and attendant risks and seeks to account for these risks in a transparent manner.” It is concerned with the capital adequacy, supervisory review, and market disclosure practices of the banks that adhere to it, and its central aim is banks’ risk sensitivity. Information security enters through the operational risk component, which covers losses from inadequate or failed internal processes, people and systems, and so brings the security of a bank’s information systems into scope. In the US only the largest internationally active banks are required to implement Basel II, though many smaller banks will follow its guidelines as well. Banks within the European Union are subject to the capital adequacy directives (Capital Adequacy Directive III), which require adherence to the Basel II regime. Final publication of Basel II is expected by mid-2004, with adherence expected by year-end 2006.
Organizations will continue to face pressure to put reasonable security frameworks into operation. The onus for implementing and maintaining these information security programs rests with business. Every industry can gain efficiency and reduce its liability from security incidents by applying the appropriate framework.
ISO 17799:2000 – Information Technology – Code of Practice for Information Security Management (International Organization for Standardization)
COSO – Internal Control—Integrated Framework, Executive Summary (The Committee of Sponsoring Organizations of the Treadway Commission)
ITIL – IT Infrastructure Library (Office of Government Commerce)
Basel Accord II – Bank for International Settlements
OSSTMM – Open Source Security Testing Methodology Manual
HIPAA – Health Insurance Portability and Accountability Act
GLB – Gramm-Leach-Bliley Act; Standards for Safeguarding Customer Information, 16 CFR Part 314
FTC – Federal Trade Commission publications regarding GLB
SEC – Securities and Exchange Commission
“The Essential Drucker” – Peter Drucker, Harper Business, July 29, 2003, ISBN 006093574X
David Lazarus, San Francisco Chronicle – reporting on the problems of subcontracting sensitive data to outside firms