10 Information Security Legislation
One of the drivers for information security initiatives is legislation. As the U.S.
Congress and the legislative bodies of other governments have begun to recognize the
need to protect the confidentiality and maintain the integrity of data, various laws
either have been passed or are being considered to force organizations to have good
information security practices. Much of the legislation is related to protecting the
privacy of consumers’ information; the Health Insurance Portability and Accountabil-
ity Act (HIPAA) and the Gramm–Leach–Bliley Act (GLBA) are examples. In addition,
other legislation has resulted from specific events; one example is the Sarbanes–Oxley
Act, which was a reaction to corporate scandals, specifically the Enron debacle.
Each of these pieces of legislation is an attempt to protect consumers. For
example, although a major portion of HIPAA is concerned with standardizing how
transactions are performed between health care entities, two sections of the HIPAA
law are devoted to privacy and security. The HIPAA security-related requirements
primarily deal with the requirement that companies have an information security
program consisting of various key elements including security policies and proce-
dures, ongoing risk analysis, certain security technologies, and other provisions.
This information security program along with the privacy provisions is there to
protect the confidentiality of patients’ electronic patient-identifiable information.
GLBA is similar to HIPAA and is applicable to the financial services industry.
A closer look at the laws related to information security reveals that they
essentially require companies to have good information security practices. For exam-
ple, many of the HIPAA security requirements really just force health care entities
to have good information security programs. Some of these requirements include
having a formal security management process and having security assigned to an
individual or organization to place a focus on information security. These are all
elements of an information security program that we would want to see. The other
information security laws are similar in their approach.
RELEVANCE OF LEGISLATION IN SECURITY ASSESSMENTS
As discussed at various points in this book, legislation is a major driver for infor-
mation security. When conducting a security assessment for a company that is subject
to legislation, those laws must be taken into account. Although a company might
argue that some elements of security do not make business sense and choose to
accept business risk, security requirements driven by legislation do not allow that
option.
AU1706_C10.fm Page 245 Thursday, August 19, 2004 7:51 PM
A Practical Guide to Security Assessments
With certain legislation, companies are subject to government audits and
potential fines for not being in compliance. From a security assessment perspective,
compliance with security requirements that are laws is mandatory and must be
considered when performing a security assessment. The only question is how strin-
gently or how loosely the requirements are applied. Noncompliance can result in
regulatory penalties and damage to a company’s reputation. Whether a company hires
a consultant to conduct a security assessment or uses internal resources, knowledge
of the legislation the company is subject to should be part of the criteria for
selecting who will do the assessment.
If you are conducting a security assessment for a company that is subject to
regulatory requirements, it is critical that you are knowledgeable about the relevant
legislation. The questionnaires you use for the assessment as well as the resulting
recommendations should reflect the requirements of the legislation. To provide real
value to clients, these recommendations should map back to specific requirements
of the law. The recommendations you make should explain how to achieve compli-
ance with the law.
As you read about the different laws in this chapter, it will become evident that
the requirements are broad and in some cases leave significant room for interpreta-
tion. Being able to interpret the regulatory requirements and then translate that into
recommendations that ensure regulatory compliance and properly address a given
company’s security risks is critical in conducting a security assessment for clients
subject to regulations. This requires knowledge about the specific requirements and
the acceptable ways of ensuring compliance. The gray area is that in most cases,
because of the broad nature of the requirements, different ways to achieve compli-
ance exist. Companies should look for consultants who have this knowledge and
can recommend the most cost-effective ways to achieve compliance while still
maintaining a solid information security program.
This chapter contains a summary and discussion of some of the major informa-
tion security–related legislation in force today that requires companies to have
certain information security measures in place. There are other pieces of legislation that impose
penalties for criminal behavior related to exploiting security vulnerabilities such as
the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act, which
are not discussed in this chapter. The focus of this chapter is on legislation that is
forcing information security standards on organizations. When conducting a security
assessment, you should do the appropriate research and talk to the client about what
regulatory requirements the company may be subject to and ensure that they are
incorporated into the assessment.
HIPAA (HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT)
HIPAA was introduced in the mid-1990s and had three main purposes:
• Standardization of health care–related electronic transactions to facilitate
efficiencies in health care delivery
• Provision of standards for the privacy of patient information
• Provision of standards for securing patient information in electronic form
The regulations associated with each of the sections above have been issued at
different times. The HIPAA Security requirements were issued on February 20, 2003.
The compliance date for most health care entities is April 21, 2005. Small health
plans have until April 21, 2006 to achieve compliance.
The U.S. government has set significant penalties for noncompliance with
HIPAA requirements. Civil penalties for noncompliance include:
• Up to $100 per individual violation of a HIPAA provision
• Up to $25,000 per year for multiple violations of the same HIPAA require-
ment
Criminal penalties for wrongful disclosure of individually identifiable health
information include:
• Up to $50,000 and one year in jail for wrongful disclosure
• Up to $100,000 and five years in jail for wrongful disclosure under false
pretenses
• Up to $250,000 and 10 years in jail for wrongful disclosure with intent to
sell, transfer, or use the information for commercial advantage or personal gain
The goal of the HIPAA security requirements is to protect electronically stored
health information. As stated earlier, the HIPAA security regulations essentially
require health care organizations to have sound information security programs. The
requirements cover the different phases of the information security life cycle,
including:
• Assessment — e.g., conducting a security assessment to determine security
weaknesses
• Development — e.g., developing security policies and procedures as the
foundation of the information security program
• Deployment — e.g., deploying security technologies such as encryption to
protect individually identifiable health information
• Monitoring — e.g., technology and processes for monitoring security
The actual structure of the HIPAA security requirements contains three major
areas — Administrative Safeguards, Physical Safeguards, and Technical Safeguards.
Below are these major headings with some examples of what areas are covered in
each:
• Administrative safeguards
  – Security management process
  – Security awareness and training
  – Business associate contracts
• Physical safeguards
  – Facility access controls
  – Workstation security
  – Device and media controls
• Technical safeguards
  – Access control
  – Audit controls
  – Transmission security
Although some elements of the HIPAA security requirements are health care
specific, the majority of the security requirements are the same measures that any
company would take when developing an information security program. Many of
the requirements can be mapped back to the ISO 17799 standard. HIPAA security
requirements, like the ISO 17799, are not process oriented. HIPAA security require-
ments define what needs to be done from a security perspective. It is up to companies
to implement processes that will achieve compliance with the HIPAA security
requirements.
One of the difficulties with HIPAA security requirements is that how compliance
will be achieved is not very clear, for two reasons. First, the HIPAA security
requirements are broad and leave room for interpretation. Multiple ways to achieve
compliance with some of the security requirements exist. Second, because the
compliance date for the HIPAA security requirements is not until 2005 for most
health care entities, no government audits have been done. As a result, no information
exists on what HIPAA security compliance measures the government finds accept-
able. HIPAA security is starting to gain more attention, and as we approach the
compliance deadline for it, more guidance will inevitably appear.
GLBA (GRAMM–LEACH–BLILEY ACT)
The GLB Act (GLBA) was signed into law in 1999 and was effective as of July
2001. The GLBA security requirements (the FTC Safeguards Rule) became effective
on May 23, 2003. The main purpose of the GLBA was to repeal provisions of earlier
laws, notably the Glass–Steagall Act, so that financial services companies could
expand into other areas of financial services such as insurance. The other key
element of the GLBA, which is relevant to security assessments, is that these
financial service companies must ensure that individuals’ personal information is
protected.
As with HIPAA, the GLBA security requirements are related to having a com-
prehensive information security program. With the amount of personal financial
information residing on the systems of financial service companies, tremendous risk
is associated with the loss or breach of confidentiality of data.
The GLBA requires financial service companies under the jurisdiction of the
Federal Trade Commission to have the appropriate level of security to protect the
confidentiality of customers’ information. The requirements of the GLBA, which
are discussed below, are not very specific. As with HIPAA, the GLBA security
requirements are focused on the overall information security program and ensuring
that the right mechanisms are in place so that customer information is adequately
protected. Below are the key GLBA security requirements (the information below was
obtained from the official 16 CFR Part 314 document at
http://www.ftc.gov/os/2002/05/67fr36585.pdf):
• Information security program — The entity must have an information
security program that is “written in one or more readily accessible parts
and contains administrative, technical, and physical safeguards that are
appropriate to your size and complexity, the nature and scope of your
activities, and the sensitivity of any customer information at issue.”¹ This
requirement essentially says that the information security program should
be aligned to the risks that the company is facing.
• Coordination of the information security program — There must be an
individual or group of individuals responsible for interfacing with the
relevant groups and acting as a coordinator or “single point of contact”
for the information security program. This aspect of the GLBA is related
to the whole concept of ownership and helps ensure that proper commu-
nication takes place between the relevant parties.
• Regular risk analysis — An ongoing risk analysis for any company is very
important because it is a mechanism to discover any potential security
issues for the company.
• Implementation of controls to mitigate risks discovered in the risk
analysis — One of the results of the risk assessment is the discovery of
security risks. Once discovered, the requirement is to implement measures
to mitigate these risks and monitor, on a regular basis, that these measures
are working as intended.
• Overseeing of service providers — Because of the complexity of business
today, many companies try to focus on their core competencies. The
financial services industry is no exception; companies in this field frequently
use third-party service providers for various parts of their operations. The
security concern with these providers is that customer information is
residing on their systems, and companies using these providers sometimes
have no sense of how this information is being secured. This requirement
obligates the company to ensure that the service providers have security
measures in place to properly safeguard customer information. Companies
should perform the appropriate due diligence when selecting a provider
and also have the appropriate provisions in the contract with the service
provider.
• Evaluation and adjustment of the information security program — This
requirement is really a byproduct of the requirement related to risk anal-
ysis. As new risks are identified, new controls should be implemented to
address those risks. In achieving compliance with this requirement, com-
panies should constantly evaluate their information security programs and
make adjustments as necessary.
Based on the requirements, it is clear that the objective is for financial services
companies to implement and maintain good information security programs, which
will ultimately protect customer information.
When conducting a security assessment with a financial services company, it is
best to become familiar with the GLBA security requirements and ask the appropriate