250
A Practical Guide to Security Assessments
questions. Because of the broad nature of these requirements, questions can be taken from a number of the questionnaires in the appendices of this book as well as other resources, such as the standards listed in Chapter 9 of this book.
SARBANES–OXLEY ACT
The Sarbanes–Oxley Act was passed largely as a result of the Enron scandal to help restore investor confidence. The legislation makes management and the auditors more accountable for the numbers on financial statements. The first major piece of this legislation was Section 302 — Corporate Responsibility for Financial Reports, which requires chief executive officers (CEOs) and chief financial officers (CFOs) of publicly traded companies to certify that the financial statements are accurate. Technically, management is responsible for the financial statements, but this requirement brought attention to the fact that management certifies and attests to the accuracy of the financial statements.
The relevant section of Sarbanes–Oxley as it relates to security assessments is Section 404 — Management Assessment of Internal Controls. Most eligible companies are required to be in compliance with Section 404 by June 15, 2004. Smaller companies must achieve compliance by April 15, 2005. Specific guidance on determining the compliance date for a company is contained in Section 404-1: Introduction. This act essentially requires auditors to issue an internal control–related report, which contains two key elements, as part of the annual report:
• Management responsibility for establishing an adequate internal control framework to support accurate financial reporting
• The auditor’s assessment of the effectiveness of the internal control structure
To achieve compliance with Sarbanes–Oxley, auditors must have a thorough understanding of the internal control framework. Before Sarbanes–Oxley, auditors may or may not have reviewed internal controls. If these controls were reviewed, one of the main purposes was to determine the amount and nature of substantive or detailed testing that was performed to certify the numbers on the financial statements. If auditors did not have a very high comfort level with the internal control structure, more detailed testing was required on certain numbers in the financial statements to have the required assurance. Auditors could even choose to do minimal internal control review and do a significant amount of detailed testing to certify financial statements. With Sarbanes–Oxley, auditors must understand the internal control framework associated with financial reporting. As a result, auditors must review areas such as application access for certain applications, information flow between systems, and how the integrity of information is maintained. For audit firms, Section 404 increases their work and brings about the need for auditors with different skill sets.
From a security assessment perspective, the internal control report is a good resource when gathering the initial information for a security assessment. The effectiveness of the internal control framework is a significant component of the overall information security program, and this report can provide some good preliminary information before you talk to clients.
To understand the full value of Sarbanes–Oxley, you should fully review the contents of Section 404, which is available at http://www.sarbanes-oxley.com. Some of the other relevant sections of Section 404 worth reviewing include:
• 404-4: Quarterly Evaluations of Internal Control over Financial Reporting
• 404-6: Types of Companies Affected, Transition Period
• 404-9: Cost-Benefit Analysis
The other sections listed above are important and can affect what is done to achieve compliance with Sarbanes–Oxley.
21 CFR PART 11
21 CFR Part 11 (Title 21 of the Code of Federal Regulations, Part 11) is a regulation by the Food and Drug Administration (FDA) that outlines requirements regarding the use of electronic records and electronic signatures for “any records or signature requirement set forth in the Federal Food, Drug, and Cosmetic Act (the Act), the Public Health Service Act (PHS Act), or any FDA regulation.”² One of the areas where this rule is significantly applied is the pharmaceutical industry.
21 CFR Part 11 was initially passed in 1997 and was meant to provide rules and regulations pertaining to the use of electronic records to support compliance related to maintaining or submitting information to the FDA. The key components of this legislation are very much focused around security and more specifically, the integrity of electronic records and signatures. Some of the key requirements of 21 CFR Part 11 include (as documented in the 21 CFR Part 11 guidance on the FDA Web site — http://www.fda.gov/cber/gdlns/esigcopies.htm#I):
• Ensuring the authenticity, integrity, and confidentiality of electronic records
• Nonrepudiation of electronic signatures
• Audit trails for electronic signatures
To achieve some of the requirements in 21 CFR Part 11, the company should have a sound information security program in place. These requirements are what one would expect if electronic records were being managed properly and if electronic signatures were in use.
If a security assessment is being conducted for a company subject to 21 CFR Part 11, these requirements should be considered. Although a security assessment cannot ensure that a company is compliant with 21 CFR Part 11, it can uncover some issues that potentially lead to noncompliance. A review to determine compliance with 21 CFR Part 11 requirements should be done by someone with expertise in these requirements.
SAFE HARBOR
The Safe Harbor provision is a result of the European Commission’s Directive on Data Protection, which went into effect during October 1998. This directive is comprehensive legislation that describes requirements for ensuring the privacy of data. One of the significant elements of this legislation is that personal data cannot be transmitted between European companies and any non-European company that does not meet the European Commission’s standard for privacy. “While the United States and the European Union share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from that taken by the European Union. The United States uses a sectoral approach that relies on a mix of legislation, regulation, and self-regulation. The European Union, however, relies on comprehensive legislation that, for example, requires creation of government data protection agencies, registration of data bases with those agencies, and in some instances prior approval before personal data processing may begin.”³ As this would affect many U.S. companies, the Safe Harbor was created to ensure that U.S. companies had some minimum standards related to privacy so that they can continue to do business in Europe.
For U.S. companies to take advantage of Safe Harbor, they must go through a process to join, which is handled by the U.S. Department of Commerce (http://www.export.gov/safeharbor/index.html). To join Safe Harbor, companies must have a privacy program and comply with seven specific principles. Two of these principles that have security implications are:
• Security — “Organizations must take reasonable precautions to protect personal information from loss, misuse, and unauthorized access, disclosure, alteration and destruction.”⁴
• Data Integrity — “Personal information must be relevant for the purposes for which it is to be used. An organization should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current.”⁵
When conducting a security assessment for companies conducting business in Europe, the Safe Harbor provisions should be investigated — i.e., you should determine whether the company should join Safe Harbor and if it should, whether the appropriate security and data integrity measures are in place.
FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA)
FISMA was passed in late 2002 as Title III of the 2002 E-Gov Act. The Government Information Security Reform Act (GISRA), which expired in 2002, had many of the same provisions as FISMA. The basic purpose of FISMA is to strengthen information security programs at federal agencies by providing a framework for information security. FISMA itself does not provide any hard standards or guidelines that federal agencies must follow. It is really just mandating having an information security program in place that is aligned with the risks being faced by the agency. Some of the key responsibilities of the agencies under FISMA are summarized below and include (items below are from the FISMA documentation on the Department of Homeland Security’s Web site — http://www.fedcirc.gov/library/legislation/FISMA.html):
• Providing information security commensurate with the associated risk
• Performing a risk assessment
• Implementing policies and procedures that reduce information security risks in a cost-effective manner
• Conducting periodic testing of information security measures
• Having a qualified Chief Information Security Officer whose primary responsibility is information security
• Conducting ongoing evaluation and adjustment of the information security program
The requirements above are, for the most part, very similar to those of GISRA. The main difference with FISMA is the integration with National Institute of Standards and Technology (NIST). Under FISMA, federal agencies are to use the standards proposed by NIST to determine information security measures for their operations. Per the legislation, “the Secretary shall make standards [NIST Standards] … compulsory and binding to the extent determined necessary by the Secretary to improve the efficiency of operation or security of federal information systems.” Essentially, federal agencies must achieve compliance with NIST standards under FISMA.
In addition to modifying GISRA, FISMA had a number of other effects including:
• Repealing the Computer Security Act of 1987
• Documenting inventory of information systems
Similar to legislation such as HIPAA and GLBA, FISMA is mandating federal agencies to have an information security program that includes the full life cycle of information security including risk assessments, security policies and procedures, use of technology, and ongoing compliance efforts. FISMA also provides some room for agencies to determine what information security measures are best for them. From a security assessment perspective, FISMA should be reviewed in detail if working with a federal agency.
OTHER LEGISLATIVE ACTION
Information security has become a significant issue with significant dollars associated with it. It is also an issue vital to national security in the U.S. As a result, lawmakers have given and continue to pay significant attention to information security. The federal government is very focused on protecting the nation’s critical infrastructure. Due to the interdependencies of different organizations including the government, private companies, and academia, some level of cooperation is needed.
One of the areas receiving more attention lately is cybersecurity. In mid-2003, Congressman William “Mac” Thornberry commented that if companies do not take action in improving the state of cybersecurity, Congress would consider mandating certain information security measures.⁶ The other option that would potentially be considered is giving tax incentives to improve the state of security.
For most of these organizations, cost is a major factor in determining to what extent security initiatives are performed. Legislation and regulation are often the drivers for implementing information security measures because they are mandated and companies have no choice. We have seen this already in financial services with GLBA and will see it more with health care companies and HIPAA as the compliance dates draw near. In both of these cases, the information security–related requirements are designed to protect consumers. As other industries are identified as critical to the public, it is possible that the government will consider appropriate legislation.
When conducting a security assessment, it is not only important to know what regulations affect the customer, but what may affect them later. As legislation is considered, it is very valuable to be able to advise clients on future regulatory activity that can affect them and how to effectively plan for this.
NOTES
1. Federal regulations concerning GLB Act — http://www.ftc.gov/os/2002/05/67fr36585.pdf
2. 21 CFR Part 11 — Section 2.1 Applicability — http://www.fda.gov/cber/gdlns/esigcopies.htm
3. Safe Harbor Overview — U.S. Department of Commerce — http://www.export.gov/safeharbor/sh_overview.html
4. Ibid.
5. Ibid.
6. Congressman: Businesses Must Help Protect Net — PC World, August 15, 2003 — by Grant Gross — http://www.pcworld.com/news/article/0,aid,112048,00.asp