Chapter 8. Industry Compliance Standards and Frameworks

Businesses may be required to conform to one or more regulatory compliance regimes, which are administered by a variety of governing bodies. Failure to comply with these standards can come with heavy fines or, in some cases, a hindered ability to conduct business (such as losing the capability to process credit card transactions). Frameworks differ from regulatory compliance standards in that they are not required for a specific industry or type of data; they are more of a guideline.

The requirement to comply with one standard or another does provide a few benefits to your organization. Certain standards leave significant room for interpretation, giving you the ability to tie security measures that should be implemented to a portion of that same standard. When compliance is involved there are now social, political, and legal components that can be leveraged to implement security controls and process changes that may not have been possible otherwise. It may also present the opportunity to piggyback off another department that has excess budget for a project.

Industry Compliance Standards

Compliance standards are a minimum, not a complete security program. It is easy and lazy to be just a “check box checker” when implementing the controls in a compliance list, and it’s possible to be technically compliant with a standard and still not have a secured environment. Many standards leave room for the imagination and can be interpreted in different ways. However, following common best practices will lead to compliance as a side effect. The majority of standards listed here are from the United States because international organizations have a whole different set of reporting requirements.

Most organizations will have a compliance officer who may not be in the security department, because the majority of regulatory standards are not based on the technology behind information security, but on an overall solution to a greater problem. For example, HIPAA is focused on the safety of patients and patient records, whether they are on a piece of paper or a piece of technology.

Payment Card Industry Data Security Standard (PCI DSS)

Payment Card Industry Data Security Standard (PCI DSS) is a standard for organizations that store, process, or transmit credit cards and credit card data. PCI DSS is required by the card brands (MasterCard, Visa, Discover, American Express, and JCB) and is administered by the Payment Card Industry Security Standards Council. PCI DSS was created to increase security controls around cardholder data in an attempt to reduce credit card fraud. Failure to validate compliance can result in fines or other penalties, even including the removal of credit card processing capabilities.

PCI DSS regulates cardholder data (CHD). Cardholder data is any personally identifiable information (PII) associated with a person who has a credit or debit card. This includes the primary account number (PAN), cardholder name, expiration date, or service code.

While PCI DSS does have more information in the full document than other standards, if implemented as-is, an environment will still be insecure if environment context is not taken into consideration. For example, this standard doesn’t require network segmentation (it only recommends it), and it permits the transmission of PCI DSS data over wireless protocols. While PCI DSS does specify that wireless requires a certain level of encryption, that practice is still not recommended for transmission. Other portions of the standard are very secure and are reinforced by this book, such as “Do not allow unauthorized outbound traffic from the cardholder data environment to the internet” and “Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.)”

Health Insurance Portability & Accountability Act

Health Insurance Portability & Accountability Act (HIPAA) was enacted in 1996 as law and establishes national standards for electronic healthcare records. It covers any organization that stores or processes ePHI (Electronic Protected Health Information): healthcare providers, health plans, and clearinghouses. Thankfully, we start to see a little more definition regarding technology in the verbiage of this act compared to others we’ll cover. There are fifty “implementation specifications,” divided into administrative, physical, and technical safeguards. Most of these involve having policies and procedures in place. Addressable specifications involve performing a “risk assessment” and then taking steps to mitigate the risks in a way that’s appropriate for your organization. One of the largest HIPAA penalties against a small organization was levied not because an event occurred, but because the organization failed to address the possibility that it might. Loss of ePHI can cause significant harm not only to the patients whose data has been compromised, but also to the provider and the individuals at fault, as they are required to report violations to the US Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC). They are also the ones who would be on the receiving end of extremely large fines and possibly even jail time. The HHS provides a breakdown of each portion of the security rule of HIPAA and assistance with the implementation of the security standards.

Gramm-Leach Bliley Act

Gramm-Leach Bliley Act (GLBA) is a law that was passed in 1999 to reform and modernize the regulations affecting financial institutions. It comprises seven titles, and title five contains the two paragraphs on information security:

Title V – PRIVACY
Subtitle A - Disclosure of Nonpublic Personal Information
Section 501 – Protection of Nonpublic Personal Information

(a) PRIVACY OBLIGATION POLICY
It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.

(b) FINANCIAL INSTITUTIONS SAFEGUARDS
In furtherance of the policy in subsection (a), each agency or authority described in section 505(a), shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards-
  (1) to insure the security and confidentiality of customer records and information;
  (2) to protect against any anticipated threats or hazards to the security or integrity of such records; and
  (3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

GLBA compliance is mandatory for financial institutions including banks, mortgage brokers, real estate appraisers, debt collectors, insurance companies, and privacy companies. With such a broad and compact section, it also leaves a large amount up to interpretation during implementation. However, there are two documents, the Interagency Guidelines and the IT Examiners Handbook, that were both created to assist with implementing security practices surrounding GLBA compliance.

Family Educational Rights and Privacy Act

Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records in both public and private schools, as well as in higher education. As it was enacted in 1974, it has no specific information related to technology, which leaves a large area open for interpretation with regard to the information security practices and protections needed. It contains phrasing that should be interpreted as the prohibition of releasing or disclosing any PII (Personally Identifiable Information), directory information, or educational information of students to a third party.

PII can only be disclosed if the educational institution obtains the signature of the parent or student (if over 18 years of age) on a document specifically identifying the information to be disclosed, the reason for the disclosure, and the parties to whom the disclosure will be made.

Directory information is defined as “information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed”—for example, names, addresses, telephone numbers, and student ID numbers.

Educational records are defined as “records, files, documents, and other materials maintained by an educational agency or institution, or by a person acting for such agency or institution.” This includes students’ transcripts, GPA, grades, Social Security number, and academic and psychological evaluations.

Sarbanes-Oxley Act

Sarbanes-Oxley Act (SOX) is a law enacted in 2002 to set forth security requirements for all US public company boards, management, and public accounting firms. Portions also apply to privately held companies with regard to withholding or destroying information to impede any federal investigations. SOX has 11 sections and was created to ensure corporate corruption and scandals such as Enron and Worldcom don’t happen again. Many organizations that have SOX compliance also abide by either the COSO or COBIT frameworks, which we cover later in this chapter.

The two principal sections that relate to security are Section 302 and Section 404:

  • Section 302 is intended to safeguard against faulty financial reporting. As part of this section, companies must safeguard their data responsibly so as to ensure that financial reports are not based upon faulty data, tampered data, or data that may be highly inaccurate.

  • Section 404 requires the safeguards stated in Section 302 to be externally verifiable by independent auditors, so that independent auditors may disclose to shareholders and the public possible security breaches that affect company finances. Specifically, this section guarantees that the security of data cannot be hidden from auditors, and security breaches must be reported.

SANS has very in-depth documentation on SOX implementation and audits.

Frameworks

Frameworks are different from compliance standards in that they are not a requirement. They are industry- or technology-specific guidelines created to assist in organizing thoughts, practices, and implementations.

Cloud Control Matrix

Cloud Control Matrix (CCM) is a framework built specifically with cloud security in mind by the Cloud Security Alliance (CSA). It assists in tying together specific cloud security concerns and practices to all major compliance standards and frameworks. CSA also has some great workgroups for specific sectors using cloud solutions.

Center for Internet Security

Center for Internet Security (CIS) not only has a framework for assisting with defense against cyber attacks, but also provides benchmarks, workforce development, and other resources such as whitepapers, publications, newsletters, and advisories. It offers in-depth system-hardening guidelines for specific operating systems and applications. CIS also partners with NIST to combine frameworks for the purposes of securing critical infrastructure, and provides other cross-framework and compliance references.

Control Objectives for Information and Related Technologies

Control Objectives for Information and Related Technologies (COBIT) is a high-level framework created by Information Systems Audit and Control Association (ISACA) to assist in creating secure documentation, implementation, and compliance. COBIT is subdivided into four domains—Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate—and aims to align itself with other more detailed standards. While some frameworks are free, COBIT is available for purchase through its website.

The Committee of Sponsoring Organizations of the Treadway Commission

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is made up of five organizations: the American Accounting Association, American Institute of CPAs, Financial Executives International, The Association of Accountants and Financial Professionals in Business, and The Institute of Internal Auditors. It aims to provide guidance on enterprise risk management, internal control, and fraud deterrence.

ISO-27000 Series

International Organization for Standardization (ISO) is an independent, non-governmental international organization that has created over 20,000 sets of standards across a variety of industries including food services, technology, and agriculture. Out of these, the 27000 series covers the topic of information security, specifically 27001-27006. ISO standards are also a paid framework.

ISO-27001

Provides requirements for establishing, implementing, maintaining, and continuously improving an Information Security Management System.

ISO-27002

Establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization.

ISO-27003

Information Security Management System implementation guidance.

ISO-27004

Provides guidance on the development and use of measures and measurement for the assessment of the effectiveness of an implemented Information Security Management System and controls.

ISO-27005

Provides guidelines for information security risk management (ISRM) in an organization.

ISO-27006

Requirements for bodies providing audit and certification of Information Security Management Systems.

NIST CyberSecurity Framework

The National Institute of Standards and Technology operates as part of the United States Department of Commerce, creating standards for many sections of US infrastructure. This framework was created with both industry and government participation, and it consists of standards, guidelines, and practices surrounding critical infrastructure security. The framework uses common industry business drivers to guide and manage risks, protect information, and safeguard the people using the business’s services. It consists of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers, which all put a majority focus on risk management.

Regulated Industries

As mentioned previously, some industries are more heavily regulated than others. The basis of these regulations comes from the sensitivity of data and the likelihood of it being stolen and used for malicious purposes. There is a large black market for stolen data that is used for both credit and identity theft. You’ve already read about the different regulation types; however, certain sectors are regulated strictly—or at least strict regulations are attempted—for legitimate reasons.

Financial

The financial industry includes thousands of institutions, such as banks, investment services, insurance companies, other credit and financing organizations, and the service providers that support them. They can vary widely in size and the amount of data processed, ranging from some of the world’s largest global companies with thousands of employees and many billions of dollars in assets, to community banks and credit unions with a small number of employees serving individual communities.

Some of the major risks the financial sector must be concerned with are account takeovers, third-party payment processor breaches, ATM skimming and other Point of Service (POS) vulnerabilities, mobile and internet banking exploitation, and supply chain infiltration. While all of these risks should be taken into account, the Bitglass security firm’s 2016 study shows that between 2006 and 2016, the largest share of breaches in the financial sector can be attributed to lost or stolen devices (25.6%). Other studies have also pointed out that this sector is one of the most common to see outdated legacy systems throughout organizations, giving would-be attackers an easy foothold once access has been gained.

Government

The government, and specifically in this case the United States government, has pretty much every type of data imaginable to protect. From the large three-letter acronym agencies such as NSA, FBI, IRS, and FDA to smaller local government offices that contract with their own IT guy, there is an extremely broad landscape covered in this one sector. The fast-changing security landscape has been seen to hinder progress, because government organizations can vary greatly from commercial businesses in the length of the process for approving changes and upgrades, the ability and willingness to adopt new technology, and the overall attitude of personnel.

The breadth of information contained within government agencies means a constant stream of high-profile attacks by organized crime, hacktivists, and state-sponsored agents. One of the biggest breaches in 2015 happened to be the government Office of Personnel Management (OPM), which shed some light onto the department’s lack of security. The attack was ongoing for an entire year and an estimated 21.5 million records were stolen. Other data breaches included voting records and information, USPS employee information, IRS tax return data, NSA exploits and attack tools used against foreign adversaries, and other highly sensitive and potentially harmful data.

Healthcare

The healthcare industry at this point in time continues to be one of the least secured industries. Healthcare companies saw a rapid change from a majority of paper records to almost fully electronic patient records, and just like the financial sector, it is riddled with out-of-date legacy devices. For a long time the FDA had strict control over the operating system revision and patch level, restricting the ability of medical devices to be upgraded while still maintaining FDA approval. This, coupled with the rapid growth and underestimation of the inherent risk of a large quantity of sensitive medical and patient data stored electronically, creates a largely complicated, insecure environment. While the FDA has relaxed its requirements to allow security patches to be applied, software vendors and organizations have yet to keep up and implement best practice security controls.

Both the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) and attorneys general have the power to issue penalties for failure to follow HIPAA guidelines and as the result of PHI breaches. Not only can they enforce financial penalties, but penalties can also include criminal lawsuits. In just over the first half of 2016 alone, HHS recorded close to $15 million in HIPAA settlement payments. There are several tiers for both financial and criminal penalties:

Financial

  • Tier 1: Minimum fine of $100 per violation up to $50,000

  • Tier 2: Minimum fine of $1,000 per violation up to $50,000

  • Tier 3: Minimum fine of $10,000 per violation up to $50,000

  • Tier 4: Minimum fine of $50,000 per violation

Criminal

  • Tier 1: Reasonable cause or no knowledge of violation—Up to 1 year in prison

  • Tier 2: Obtaining PHI under false pretenses—Up to 5 years in prison

  • Tier 3: Obtaining PHI for personal gain or with malicious intent—Up to 10 years in prison

Conclusion

While obtaining compliance might be a necessity no matter what industry you may be in, ensure that it is not the end goal. If compliance is set as an end goal, an organization can lose sight of its overall security and the bigger picture. Working with well-defined frameworks and best practices while keeping a compliance standard in mind remains the most effective way to secure an infrastructure.