Information Security Management in a Regulation Driven World


By: Christina M. Freeman
ICTN 6823 Information Security Management

Abstract

This paper will explore the positive aspects of, and the challenges to, managing information security in a world that is full of regulatory requirements. While the United States has the most requirements, such as Sarbanes-Oxley, the Payment Card Industry Data Security Standard, the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, etc., providing direction for the management of information security in the US, there are many other regulations that affect other countries as well, sometimes in contrast to US requirements. In many other countries there is, at the very least, some type of privacy or personal information protection regulation. In addition to examining these regulatory requirements, I will analyze how they affect information security management as a whole and how global organizations handle the different regulations with which compliance is required.

United States Regulatory Requirements

Regulatory compliance can be defined as an organization's adherence to laws, regulations, guidelines and specifications relevant to its business. (Rouse, Regulatory Compliance, 2012) The United States has many regulations which organizations in specific industries must implement to maintain information security compliance. Regulations that contain information security requirements are intended to improve the level of information security of the organizations which implement them. The difficulty is knowing which regulations apply and the best way to implement them. The following regulations are a few of the better-known and more widely implemented regulations in the United States:

- Health Insurance Portability and Accountability Act (HIPAA)
- Sarbanes-Oxley Act (SOX)
- Federal Information Security Management Act of 2002 (FISMA)
- Gramm-Leach-Bliley Act (GLBA)
- Payment Card Industry Data Security Standard (PCI-DSS) (Vanderburg, n.d.)

HIPAA

Every healthcare agency or any organization which handles patient health information must be in compliance with HIPAA. (*John A. Cassini, 2008) HIPAA is a two-part bill which was designed to protect the health care of people who are switching jobs or are laid off and to simplify the healthcare process by mandating that providers utilize electronic means to store patient data. In addition, and probably most important, it protects the privacy of individual patients. (Vanderburg, n.d.) HIPAA requires agencies to develop and implement policies and procedures that will result in the protection of patient medical information from disclosure or loss. Organizations must limit the risk of disclosure of a patient's personal medical information by: 1) providing the proper training of employees, ensuring they follow privacy requirements; 2) providing oversight of the organization's privacy efforts; and 3) ensuring access to the patient's electronic records is secure. (*John A. Cassini, 2008)

SOX

SOX requires that publicly held companies have stringent corporate governance procedures, including the disclosure of financial records, accounting and auditing. In addition, Section 404 of the act mandates that all management must assess the effectiveness of internal controls over their financial reporting, by ensuring that controls are in place to prevent tampering with the financial records. (*John A. Cassini, 2008)

FISMA

FISMA was the first regulation that acknowledged that an organization's information security affects national security. This regulation mandates that all federal agencies develop ways to ensure the protection of information systems. (Vanderburg, n.d.) FISMA defines a framework to protect government information, operations and assets from threats. It requires that organizations conduct annual reviews of their information security programs, ensuring these programs are mitigating risks. (Rouse, Federal Information Security Management Act (FISMA), 2013)

GLBA

GLBA mandates that organizations such as insurance companies, commercial banks, and investment banks ensure the security of customers' private information. The GLBA contains three parts: 1) the Financial Privacy Rule; 2) the Safeguards Rule; and 3) the provisions on obtaining financial data under false pretenses. The Financial Privacy Rule restricts what organizations that obtain a person's financial data can do with that data. Under this regulation, organizations cannot sell or trade financial or account data to another organization or display it over the Internet. The Safeguards Rule protects and secures customer financial information, ensuring the confidentiality, integrity, and overall security of the data. The last part of the GLBA prohibits falsely impersonating a customer in an effort to obtain their personal financial data. (*John A. Cassini, 2008)

PCI-DSS

PCI-DSS has 12 requirements which are designed to reduce fraud and protect customer credit card information. Organizations which accept payment cards are required to comply with the requirements or implement compensating controls in an effort to maintain compliance. The requirements can be summarized as follows:

1) Installing and maintaining firewall configurations to protect data
2) Ensuring default passwords are changed
3) Protecting stored data
4) Encrypting data across public networks
5) Using regularly updated antivirus software
6) Ensuring systems and applications are secure
7) Restricting access to data by need-to-know
8) Ensuring unique IDs are used for access management
9) Restricting physical access
10) Monitoring network access to data
11) Testing security systems and processes regularly
12) Ensuring policies address information security (Rouse, PCI DSS 12 requirements, 2012)

Information Security Regulations Enforced Outside of the United States

While the United States leads the way in information security regulations, some of these same regulations are enforced outside of the United States, especially in global organizations. For example, global organizations which accept payment cards must ensure compliance with PCI-DSS in the other countries in which they operate. Additionally, foreign organizations which file financial reports with the United States Securities and Exchange Commission must follow SOX internal control requirements. However, some countries have their own standards, and organizations there must comply with additional regulations specific to the country.

Two of the most well-known regulations outside of the United States are:

- 1995 EU Data Protection Directive
- UK Companies Act 1985 (*Heiser, 2004)

1995 EU Data Protection Directive

The EU Data Protection Directive mandated that organizations protect consumer private data. Organizations are required to implement the appropriate technical and organizational controls to protect the personal data of customers. One year later the United States developed HIPAA in response. (*Heiser, 2004)

UK Companies Act 1985

The UK Companies Act was developed to prevent the falsification of accounting records, including electronic records. SOX internal controls mandate similar requirements for the United States. (*Heiser, 2004)

In addition to these more general regulations, many other countries have their own laws which contain very similar regulations for their country. For example, countries such as Argentina, Belgium, Canada, China, France, Hong Kong, Iceland, Japan, Korea and many more have a country-specific consumer data protection regulation. (Laws and regulations on information security and business continuity, 2015)

Why Comply with Information Security Regulations?

Most experts would argue that organizations should desire to, and make every attempt to, comply with information security standards and regulations, because there are multiple benefits that come from making the investment in information security. Some of these benefits are:

Business success. With the implementation of effective information security controls, organizations can ensure that their information is secure and that the organization can strive to meet its goals.

Increased trust from external sources. Ensuring good security controls will only build on your public image. When people feel confident that their information is secure with your organization, business relations will continue to grow.

Accountable executives can relax. Ultimately, security is the responsibility of the head of the organization, and executives may face penalties if the organization does not comply with mandated regulations. While not one hundred percent effective, when appropriate security controls are in place executives do not have to constantly worry about what could possibly occur.

Integration of security into business processes. Building the business processes while ensuring the appropriate information security controls are considered will streamline and enhance the overall processes. Implementing these controls after the fact, in a reactionary manner, makes the process more convoluted.

Mature risk management. Risk management is the protection of the organization's assets so the organization can carry on its mission. Ensuring the appropriate information security controls are in place will help to mitigate potential risks that emerge.

Decreased operational risks. Implementing information security regulations invests in security and helps to mitigate an organization's operational and business risk.

An important thing to remember is that technology is ever-changing, and as information security regulations are modified and improved upon, security efforts will need to be revisited on a periodic basis in an effort to maintain compliance. Performing ongoing monitoring of information security programs can ensure that: the ongoing security activities are providing appropriate levels of security and support to the organization and its mission; policies and procedures are up to date and being followed; and the information security controls in place are performing effectively and as intended. (Pauline Bowen, 2007)

Information security regulations, standards and policies are the foundation of your organization's information security program. If an organization fails to build out strong policies and standards, security controls will not be in place, and therefore the organization does not have an effective way to secure sensitive and critical information. This is why information security regulations require information security policies and standards as part of the basic foundation and use these policies and standards to build the information security programs.
Strong information security policies and procedures help to: 1) secure management's commitment to ensuring the security of critical data in the environment; 2) ensure uniform standards to secure critical data are implemented across the organization; 3) spell out the roles and responsibilities of managers and employees for keeping organizational data safe and secure; 4) provide configuration standards for Information Technology personnel to build and maintain the organization's network and infrastructure; 5) guide management as to the requirements for compliance with the legal responsibilities of organizations which handle the sensitive information of others; and 6) provide the foundation on which to build the security for the entire organization. (Stan Stahl, 2011)

Information security regulations play an important role in assuring an organization has an effective information security program. One of the hardest things for organization management to do in regard to information security regulations is to understand how the specific information security laws, regulations and standards apply to their particular organization. Only some regulations will be applicable, and sometimes only to certain parts of the organization. For example, a healthcare provider will have to comply with HIPAA, and quite possibly SOX or PCI-DSS, but probably not GLBA or FISMA. (Pauline Bowen, 2007)

Since the foundation of information security regulations is strong policies and standards, the Citadel Information Group provides seven requirements for the implementation of information security policies and standards, which give a better chance that the policies and standards will actually affect and enhance security and pave the way for compliance with information security regulations.

1) Identify organizational issues that impact information security policy. Management needs to make sure that the implemented policies and standards actually reflect the type of business and/or services provided by the organization. If the policies and organization type do not mesh, there will be a clash between the security policies in place and business practice processes.

2) Identify the various classes of policy users. Organization personnel have different roles and responsibilities and therefore different levels of security access. There need to be different standards that will apply to these different access levels. For example, the access provided to an administrative assistant will be different from the access provided to executive management, and even that access must be different from the access provided to an information security manager.

3) Organize information security policies and standards into meaningful categories. Industry best practices indicate that information security policies are best organized in meaningful ways: specifically, separating policies such as physical security from personnel security, and infrastructure standards from application development standards.

4) Review draft policies and standards with management, users, and legal counsel. This is a very important step that is often overlooked and can be detrimental in the long term when trying to ensure compliance with information security regulations. Policies and standards that do not have the support of management, users and the organization's legal and privacy departments will not last. Legal and privacy departments need to review them to ensure the implementation of these policies and standards is adequate to maintain compliance with the various information security regulations and consistent with business practices.

5) Train all personnel in the organization's information security policies and standards. Regular mandated security awareness training needs to be provided to all personnel. Without this training, users will not be aware of their roles and responsibilities in regard to information security.

6) Enforce the information security policies and standards. Once policies and procedures are in place and users are aware of their roles, strict application of the standards must be maintained. Over time it is natural for management to pay less attention to compliance; however, if and when this happens, organizations could find themselves in a legal mess. Information technology allows organizations to implement ways to ensure policies are maintained, for example, configuring controls to monitor Internet usage and block certain sites which should be prohibited.

7) Review and modify policies and standards as appropriate, but at least annually. Technology, business needs and regulations change periodically. It is important to review policies and standards to reflect changes. (Stan Stahl, 2011)

The Challenges in Complying with Information Security Regulations

The challenge of complying with multiple different information security regulations has become the norm for many organizations. Maintaining compliance and performing the required reporting and monitoring functions, while ensuring the daily operations continue to run smoothly, has become a major hurdle for management. In an effort to overcome these hurdles, management needs to evaluate the requirements within the specific regulations and determine how they are similar as well as how they are different. When regulations have similar requirements, management should develop a set of policies that will address the more restrictive parts of each regulation, instead of creating separate paths to compliance with each regulation. One expert stated that, "instead of approaching regulations as separate sets of rules to adhere to, look for a common approach to complying with multiple sets of regulations that often overlap." In an effort to evaluate the requirements, the advice of legal representatives and compliance experts should be sought. Legal and compliance experts can provide guidance on how these regulations fit with a risk assessment, and once the organization has completed the risk assessment it can use it to develop the processes for absorbing the regulatory requirements into the environment of the organization.

When regulatory requirements are similar from state to state or country to country, organizations typically adopt the most restrictive. However, how should an organization handle a situation when information security regulations conflict? The simplest response is to develop state-specific practices and processes which set out how the organization will perform certain requirements in that particular state. There may not be a need to develop a completely separate policy for that state, just to provide additional policies and processes for that state in order to be in compliance with the regulation. (Apgar, 2005) With these conflicts in mind, it is important to note that the more an organization can standardize its practices throughout the environment to cover the multiple regulatory compliance requirements, the simpler compliance becomes. As technology continues to become more and more advanced and more and more countries become technology savvy, regulations will become more prevalent and complex.

Another side to the challenge of complying with information security regulations is that they can present a false sense of security for the organization. While most regulations are developed in order to make things more secure or more standardized, focus is often put on basic policies and procedures and not on how to actually secure the environment. Security experts have noted that an organization's compliance with information security regulations may not adequately address the potential security concerns. One expert went on to state that "it is very rare that you will find auditors focused on performance-based issues. Instead, they are mainly focused on documentation supporting compliance to a particular rule or requirement. In some cases, adhering to the compliance program and related paperwork actually gives management an inaccurate and potentially risky perception that the organization is secure, when it may not be the case." (Richards, 2013) Even with this in mind, organizations spend money in order to be compliant with the regulations and are not focused on true information security. Analyzing recent data breaches, it is clear that just because an organization is compliant with a particular standard does not mean it is secure. Take the Target breach, for example: it was determined that Target was in fact compliant with PCI-DSS; however, they still fell victim to a major data breach. (Jr, 2014) The following table puts into perspective and summarizes the pros and cons of information security regulation compliance.

Table 1. Do compliance requirements help or hurt information security? Source: (Herold)

Help:
- Legally requiring long-held information security standards and practices.
- Increasing management awareness of security and how business risks are managed.
- Forcing management to address information security issues that they would not otherwise.
- Increasing public awareness of information security and privacy issues; the public then demands that businesses address the problems.
- Providing a solid new or improved foundation for information security within organizations that previously had no or insufficient information security programs.
- Clearly reducing subjectivity of interpretation of specific safeguard requirements when the regulations are written well.
- Moving information security higher up in importance and higher up in the organizational chart.
- Requiring organizations to implement controls that are able to track activities for personal and sensitive information.

Hurt:
- Causing confusion, conflict, and challenges for complying with multiple inconsistent laws, and leading to security implementation only where organizations think regulators will check.
- Establishing many requirements that are not feasible within many organizations.
- Being inadequate or leaving gaping loopholes, ultimately not improving security at all.
- Requiring compliance costs that take away resources from other, possibly more critical, information security initiatives.
- Resulting in compliance efforts that are more costly than self-regulation.
- Using compliance to justify unnecessary or poor information security solutions.
- Creating management duress and ultimately creating the view of information security as a business cost, not a business enabler.
- Generating many compliance snake-oil solutions and outrageous billing rates that damage the information security reputation.
- Enabling subjective interpretation of poorly written regulations that allows organizations to bend the requirements to what is most convenient for them, not addressing the spirit of the law.
- Not addressing important risks outside the regulations' compliance requirements.
- Applying information security solutions only to minimally meet regulatory requirements and without regard to the business.

Finally, according to a 2015 survey conducted by Protiviti and North Carolina State University, information security risk brought about by regulation remains the number one concern for organization management. The survey defines the risk as regulatory concerns and states that "regulatory changes and heightened regulatory scrutiny may affect the manner in which products or services will be produced or delivered." Therefore, there is a major concern regarding how much organizations are being forced to focus on information security regulatory requirements, which is resulting in lesser products or services being offered by said organizations. (*Tysiac, 2015)

Conclusion

While there are benefits to being compliant with information security regulations, such as standardizing policies and processes across the organization, state to state and even country to country, compliance must be balanced with ensuring your organization takes a risk-based approach to security as a whole. One of the most popular benchmarking agencies, Gartner, is predicting that security will become the focus of global risk management programs by 2020. Organizations will concentrate on security as a whole rather than simple compliance with regulatory requirements, and the areas in which organizations spend their money will be consistent with this thinking. (Richards, 2013) While these predictions should be well received throughout the information security profession, the country and even the globe are a long way off from seeing this become reality. There needs to be a major shift in management thinking: management needs to embrace information security as a program and long-term strategy, not focus on the minor security steps that come with regulatory compliance. Regulatory compliance is just the tip of the iceberg when it comes to information security management.

References

*Heiser, J. G. (2004). The regulation of information security. Intermedia, 29.
*John A. Cassini, B. D. (2008). Laws and Regulations Dealing with Information Security and Privacy: an Investigative Study. International Journal of Information Security and Privacy, 70-82.
*Tysiac, K. (2015). Regulation remains top risk for 2015. Journal of Accountancy.
Apgar, C. (2005, September). Complying with multiple regulations and contending with conflicts. Retrieved from TechTarget: http://searchdatamanagement.techtarget.com/tip/complying-withmultiple-regulations-and-contending-with-conflicts
Herold, R. (n.d.). Do Compliance Requirements Help or Hurt Information Security? RealtimePublishers.
Jr, J. P. (2014, March 18). Target Breach Lesson: PCI Compliance Isn't Enough. Retrieved from TechNewsWorld: http://www.technewsworld.com/story/80160.html
Laws and regulations on information security and business continuity. (2015). Retrieved from InfoSecPedia: www.infosecpedia.info/laws-regulations-information-security-business-continuity
Pauline Bowen, E. C. (2007). Information Security Guide For Government Executives. Gaithersburg: National Institute of Standards and Technology.
Richards, K. (2013, September). Cybersecurity: Global risk management moves beyond regulations. Retrieved from SearchSecurity: http://searchsecurity.techtarget.com/feature/cybersecurity-Global-risk-management-moves-beyond-regulations
Rouse, M. (2012, April). PCI DSS 12 requirements. Retrieved from SearchSecurity: http://searchsecurity.techtarget.com/definition/pci-dss-12-requirements
Rouse, M. (2012, October). Regulatory Compliance. Retrieved from Whatis.com: http://searchcompliance.techtarget.com/definition/regulatory-compliance
Rouse, M. (2013, May). Federal Information Security Management Act (FISMA). Retrieved from SearchSecurity: http://searchsecurity.techtarget.com/definition/federal-information-security-Management-Act
Stan Stahl, K. A. (2011). Seven Requirements for Successfully Implementing Information Security Policies and Standards. LA: Citadel Information Group, Inc.
Vanderburg, E. (n.d.). Information Security Compliance: Which regulations relate to me? Retrieved from Jurinnov: http://jurinnov.com/information-security-compliance-which-regulations/