The GLBA, otherwise known as the Financial Modernization Act of 1999, is primarily aimed at the financial services industry. This not only covers banking but also insurance, securities, brokers, lenders, real estate settlement, tax preparers, and others.

GLBA takes compliance and information security outside of an IT-only world and into the realm of the entire company, requiring every department to be responsible for the security of consumer privacy. Information technology is a major component of the process, but the overall implementation of the security processes is not the sole responsibility of IT.

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 has two main parts. Title I protects health insurance coverage for workers and their families if they change or lose their job. Title II, known as the Administrative Simplification provisions, requires the establishment of national standards for electronic healthcare transactions and national identifiers for providers, health insurance plans, and employers. It also addresses security and privacy of health data. Title II has the most significant impact on IT departments.

The following Title II rules directly affect an IT department:

• Privacy Rule
• Transactions and Codes Set Rule
• Unique Identifier Standards Rule
• Security Rule
• Enforcement Rule

The Sarbanes-Oxley (SOX) Act of 2002 was created to protect investors by improving the accuracy and reliability of the financial disclosures of publicly traded companies. SOX accomplishes this by strengthening existing penalties and making corporate officers personally responsible for the disclosures. It imposes harsher punishment, large fines, and prison sentences for any individual who knowingly alters or destroys information with the intent to obstruct an investigation. This affects IT departments in the form of record retention policies and access to an organization’s electronic records such as email and accounting system data.

SOX contains 11 titles that describe specific mandates or requirements for financial reporting:

• Title I: Public Company Accounting Oversight Board (PCAOB)—Provides independent oversight of public accounting firms. The PCAOB exists to prevent third-party accounting firms from using fraudulent accounting practices on behalf of their clients. The PCAOB’s Auditing Standard No. 5 specifies a top-down approach that might limit the scope of review of IT systems.
• Title II: Auditor Independence—Establishes standards that require external auditors to be completely independent from the firms they audit, which limits conflicts of interest.
• Title III: Corporate Responsibility—Mandates that executives must take individual, personal responsibility for the accuracy and completeness of corporate financial reports. It also deals with the integrity of financial data contained within those reports.
• Title IV: Enhanced Financial Disclosures—Describes enhanced reporting procedures required for financial transactions. Also requires internal controls that ensure that financial reports and disclosures are accurate.
• Title V: Analyst Conflicts of Interest—Establishes standards designed to prevent conflicts of interest among securities analysts and to improve investor confidence in analysts’ reporting.
• Title VI: Commission Resources and Authority—Defines the conditions under which the Securities and Exchange Commission (SEC) has the authority to censure or bar securities professionals from practice.
• Title VII: Studies and Reports—Defines the studies the Comptroller General and the SEC are required to perform and report upon.
• Title VIII: Corporate and Criminal Fraud Accountability—Imposes documentation retention requirements on companies and auditors. It also describes specific criminal penalties for manipulation, destruction, or alteration of financial records.
• Title IX: White Collar Crime Penalty Enhancement—Increases the criminal penalties associated with white-collar crimes and conspiracies.
• Title X: Corporate Tax Returns—States that the chief executive officer should sign the company tax return.
• Title XI: Corporate Fraud Accountability—Identifies fraud and records tampering as criminal offenses and specifies penalties for those offenses.

SOX regulations, especially parts I, III, IV, and VIII, have a direct impact on corporate IT. Your organization needs to secure financial data with strong access controls to guarantee its integrity. If your company is a public entity, you are obligated to secure financial data so it is not modified or removed by anyone.

The role of IT in a SOX environment comes in the form of controls. You must put controls in place to handle how information is generated, accessed, collected, stored and processed, transmitted, and used throughout the organization. Implementing controls makes your organization more efficient and protects the integrity of those data.

For example, SOX Section 404 requires publicly traded companies to have policies in place to secure, document, and process any information dealing with financial results. This requires IT to have strict procedures when dealing with the electronic versions of these documents. You must have these controls and procedures certified by an outside auditing firm.

The Family Educational Rights and Privacy Act (FERPA) of 1974 is a federal law that protects the privacy and ensures the accuracy of student educational records. Educational institutions are required to protect educational records by adhering to the strict guidelines set in the act. The faculty and staff must be familiar with FERPA before they may release any student’s educational record. This regulation requires physical access controls, requiring people to adhere to established regulations.

FERPA establishes a student’s right to know the information, location, and purpose of an educational record. Information in that record must be kept confidential unless the student has explicitly given permission for its disclosure. Educational institutions must control access to a student’s record by physical, logical, and administrative processes and procedures.

Educational records may appear in the following forms:

• Written documents stored in the students’ folders
• Computer media
• Microfilm and microfiche
• Video tapes, audio tapes, or CDs
• Film
• Photographs
• Any record that contains personally identifiable information

The following items are exempt from FERPA:

• Private notes made by faculty or staff for the purpose of assisting memory; as long as they are kept in the sole position of the maker, they may be shared with substitute teachers
• Law enforcement records
• Medical records
• Statistical data that do not contain personally identifiable information
• Pregraded materials before the final grade is determined by the faculty

There are two types of educational records under FERPA, each with its own rules for disclosure:

• Directory information: May be released by the educational institution without the written consent of the student. Directory information includes name, address, phone number, email address, dates of attendance, degree earned, enrollment status, and field of study. Students have the right to limit the release of directory information. This can be done by submitting a formal written request to the school to limit disclosure.
• Non-directory information: Any educational information not explicitly considered directory information. Nondirectory information may not be disclosed to any party including the parent or guardian of the student without the student’s written consent. Faculty and staff can only access nondirectory information for legitimate academic purposes.

To protect student privacy and maintain compliance with FERPA, an educational institution must implement administrative and technical safeguards to disclosure. To ensure compliance, an institution must get a student’s written consent for the release of any educational information. Administrative measures can consist of consent forms that outline the specific records being disclosed, with a space for the student’s signature. Technical safeguards need to be both physical, such as a locking cabinet; and logical access controls on all electronic documents. Procedures and controls must be in place to prevent unauthorized access to the educational records.

The Communications Assistance for Law Enforcement Act (CALEA) of 1994 requires that telecommunications carriers and the makers of equipment used by the telecommunications industry take steps to facilitate the electronic surveillance activities of law enforcement agencies.

Firms subject to CALEA must cooperate with legitimate law enforcement requests to conduct electronic surveillance on an individual and provide detailed calling records of individuals under investigation. This normally involves providing law enforcement officers with a network tap that enables their surveillance activities. In addition, it may include the provision of detailed communications records gathered by either a pen register or a trap-and-trace device. Pen registers are used to capture the destination address information for outbound electronic communications. Trap-and-trace devices are used to capture the source information of inbound electronic communications.

The Children’s Internet Protection Act (CIPA) is the federal law enacted in 2000 that addresses Internet access in public schools and libraries. Any school or library using the federal E-Rate program is subject to CIPA. E-Rate offers discounts to libraries and schools ensuring that they have affordable access to modern telecommunications and information services.

CIPA deals with the implementation of protection systems meant to handle inbound threats, such as viruses and spam, and outbound information leaks. Failure to be in compliance will result in a loss of federal funding.

The safety measures that are required by this regulation are as follows:

• Filter or block pictures that are obscene, contain child pornography, or are harmful to minors on computers that minors can access.
• Adopt a policy addressing the following:
  • Access by minors of inappropriate materials
  • The safety and security of minors when using electronic communications such as email
  • Unauthorized access, including hacking and other unlawful activities by minors
  • Unauthorized disclosure of personal information regarding minors
  • Restricting minors’ access to materials that are harmful to them

Having effective access controls is imperative for entities covered by CIPA. Other security safeguards are also necessary, which include web filtering, firewalls, virus and spyware protection, and monitoring systems. These regulations affect all Internet-accessible computers in the covered entities including staff, administrative, and student workstations. There are provisions within CIPA to permit disabling of these safeguards for adults conducting research or for other lawful purposes.

Title 21 CFR Part 11 of the Code of Federal Regulations (21 CFR Part 11) deals with Food and Drug Administration (FDA) guidelines on electronic records and signatures. This title requires industries that fall under FDA regulation to implement controls such as audits, audit trails, electronic signatures, and policies for software and systems that process electronic data.

21 CFR Part 11 calls for all FDA-regulated organizations to implement the following:

• System access limited to authorized individuals
• The use of operational system checks
• The use of authority checks
• The use of device checks
• Appropriate education and task training for anyone who develops, maintains, or uses electronic systems
• Appropriate controls for documentation in place
• Controls for both open systems and closed system requirements related to electronic signatures

In addition, there are requirements for entities that keep paper copies of all records. Organizations can use paper copies for regulatory purposes, but the paper copies must be certified as being complete and accurate.

Other sections of FDA regulations may be applicable to healthcare organizations. For example, manufacturers of medical devices are governed by 21 CFR Part 806, which covers reports and records, while 21 CFR Part 802 applies to the quality controls around medical devices.

The North American Electric Reliability Council (NERC) handles regulation of energy and utility companies. NERC was created in 1968 to ensure that the North American energy network is secure, adequate, and reliable. IT security is mostly concerned with the creation of guidelines for strong access controls and processes.

Physical guidelines include physical protective measures for all critical infrastructures. A physical barrier must be in place, access points identified and controlled, and all access must be logged, either electronically via video or written in a logbook.

Electronic security guidelines include procedures meant to provide protective measures for assets. If your organization falls within this industry, you should ensure you’ve accurately inventoried your systems, limited access to systems by role, created an electronic security perimeter, and implemented account management procedures. These procedures include audits, passwords, and network security policies. You are also required to create a disaster recovery plan that includes backup and data restoration strategies and the documentation of spare parts and equipment. You must document all procedures, which can be subject to yearly audits and reviews.

You must also have requirements in place to handle background checks for employees and contractors. You are required to document procedures for contractor and vendor risk assessments.

It is also mandatory that you provide training for anyone with access to the energy or utility infrastructure, including contract workers, employees, and vendors.

The Homeland Security Presidential Directive 12 (HSPD 12) was issued in August of 2007 and was initiated to enforce the standardization of security identification credentials for government employees and contractors. This standard covers both physical and logical access to government resources.

The standard is broken into two parts with the requirements of Part 2 built upon the requirements of Part 1.

The Americans with Disabilities Act (ADA) includes provisions ensuring that everyone has equal access to public accommodations, regardless of any disability they might have. While this regulation is not directly germane to cybersecurity, federal compliance officials should be aware that ADA Section 508 does govern accessibility to websites run by the federal government.