The Importance of Security Compliance


An emerging business driver for proactive security comes from federal and state government regulatory compliance requirements. These laws and regulations define high-level requirements for the protection of information, and all organizations subject to them must comply. As a result, awareness of security compliance is increasing in every industry worldwide. Businesses face mandatory compliance with these legislative and regulatory requirements, and therefore they must protect their critical business and identity information, operations, systems, and applications. Some laws and regulations suggest guidelines and best practices by referring to industry standards and frameworks from NIST, COBIT, ISO 17799, and FFIEC.

Let's take a look at some of the core objectives of the major laws and regulations.

Sarbanes-Oxley Act

The Sarbanes-Oxley Act of 2002 (SOX) is a United States federal law designed to rebuild public trust in corporate business and reporting practices and to prevent the recent corporate ethics scandals and governance problems from recurring. SOX requires all public U.S. companies to comply with a set of mandatory regulations dealing with financial reporting and corporate accountability. Any failure to comply with this law can result in federal penalties.

While SOX does not prescribe a solution to the compliance issue, it does make clear what obligations a company is under in order to be compliant. Section 404(a) of the Act requires establishing "adequate internal controls" around financial reporting and its governance. The term "internal controls" refers to a series of processes that companies must adhere to in the preparation of financial reports as well as in the protection of the financial information that goes into making the reports. This financial information must also be protected wherever it is stored throughout the enterprise (including enterprise applications, database tools, and even accounting spreadsheets). Information technology and its related processes generate the majority of the data that makes up financial reports, and as such, it is critical that the effectiveness of these processes can be verified. The security and identity management aspects of IT play a critical part in ensuring that a company is in compliance with the law. If they do not work properly, the risk to the corporation and the potential personal liability of its executives can be significant.

From an IT security perspective, as mentioned in the previous paragraph, the SOX Act does not explicitly contain any prescriptive processes and definitions. It also does not articulate what "adequate internal controls" means or what solutions must be implemented in order to create them. However, by drawing from industry best practices for security and control of other types of information, several inferences can be made.

According to industry experts, a quick review of the legislation reveals the following common requirements for internal control:

  • A readily available, verifiable audit trail and auditable evidence of all events, privileges, and so on should be established.

  • Immediate notification of audit policy violations, exceptions, and anomalies must be made.

  • Real-time and accurate disclosure must be made for all material events within 48 hours.

  • Access rights in distributed and networked environments should be effectively controlled and managed.

  • Companies should be able to remove terminated employees' or contractors' access to applications and systems immediately.

  • Companies should be able to confirm that only authorized users have access to sensitive information and systems.

  • Control over access to multiuser information systems should be put in place, including the elimination of multiple user IDs and accounts for individual persons.

  • The allocation of passwords should be managed, and password security policies must be enforced.

  • Appropriate measures must be taken to prevent unauthorized access to computer system resources and the information held in application systems.

The SOX Act has certainly raised the bar and the level of interest in the role of information security in improving application and system capabilities. Refer to [SOX1] and [SOX2] for details.

Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (GLB), which was previously known as the Financial Services Modernization Act, is a United States federal law that was passed in 1999. The GLB Act was established primarily to repeal restrictions on banks affiliated with securities firms, but it also requires financial institutions to adopt strict privacy measures relating to customer data. The law applies to any organization that works with people who prepare income tax returns, consumer credit reporting agencies, real estate transaction settlement services, debt collection agencies, and people who receive protected information from financial institutions.

From an IT security perspective, there are three provisions of the GLB Act that restrict the collection and use of consumer data. The first two, the Financial Privacy Rule and the Pretexting Provisions, detail responsible business practices and are mainly outside the scope of information security duties. The third provision, the Safeguards Rule, went into effect during 2003 and requires subject institutions to take proactive steps to ensure the security of customer information. While financial institutions have traditionally been more security-conscious than institutions in other industries, the GLB Act requires financial institutions to reevaluate their security policies and take action if deficiencies are discovered.

The following are key information security actions that financial institutions must perform under the GLB Act:

  • Evaluate IT environments and understand their security risks; define internal and external risks to the organization.

  • Establish information security policies to assess and control risks; these include authentication, access control, and encryption systems.

  • Conduct independent assessments: third-party testing of the institution's information security infrastructure.

  • Provide training and security awareness programs for employees.

  • Scrutinize business relationships to ensure they have adequate security.

  • Establish procedures to upgrade security programs that are in place.

From a technical perspective, the security requirements set forth in the GLB Act seem to be enormous, but these requirements can be met by a robust security policy that is enforced across the enterprise. Refer to [GrammLeach1] and [GrammLeach2] for details.

HIPAA

HIPAA refers to the Health Insurance Portability and Accountability Act of 1996. HIPAA requires that institutions take steps to protect the confidentiality of patient information. Achieving HIPAA compliance means implementing security standards that govern how healthcare plans, providers, and clearinghouses transmit, access, and store protected health information in electronic form. HIPAA privacy regulations require that the use of protected health information (PHI) be limited to the minimum necessary to administer treatment. Such limitations must be based on the requirements of various HIPAA provisions regarding parents and minors; information used in marketing, research, and payment processes; and government access to authorization decisions. HIPAA security regulations further impose requirements to develop and enforce "formal security policies and procedures for granting different levels of access to PHI." This includes authorization to access PHI, the establishment of account access privileges, and modifications to account privileges. Furthermore, the HIPAA security regulations require the deployment of mechanisms for obtaining consent to use and disclose PHI. With regard to security, HIPAA defines technical security services in terms of the following:

  • Entity authentication: Proving your identity to gain access.

  • Access control: What you can access.

  • Audit control: What you have accessed.

  • Authorization control: What you can do once you have access.

  • Message authentication: Ensuring the integrity and confidentiality of data.

  • Alarms/Notifications: Notification when security policy enforcement detects an out-of-compliance condition.

  • Availability of PHI: Ensuring high availability of PHI within a secure infrastructure.

These mandatory security requirements are intended to prevent deliberate or accidental unauthorized access to PHI and to address concerns over the privacy of patient data. While most organizations that deal with patient records have implemented HIPAA in one form or another, the recent acceleration of e-mail viruses, spyware infections, and personal data theft should prompt security architects and developers to reexamine their applications and systems. Refer to [HIPPA] for details.

The Children's Online Privacy Protection Act

The Children's Online Privacy Protection Act (COPPA) establishes privacy protection requirements for any organization holding information about children. If an organization releases personal data about a child (such as name, age, sex, or home address) and that information is used to support a crime involving that child, the organization can be prosecuted. Refer to [COPPA] for more information.

EU Directive on Data Protection

The European Union (EU) passed a data protection law called Data Protection Directive 95/46/EC in October 1995. Under the Directive (refer to [EU95] for details), a set of rules addresses the handling of all types of personal data. In essence, the EU countries that have enacted national legislation implementing the EU Directive on Data Protection generally impose the following obligations on enterprises that conduct business within their jurisdictions:

  • Personal data must be kept confidential.

  • Individuals need to know in advance, and in detail, what information will be collected about them, who will use it, how it will be used, where it will be stored, what procedure to follow to verify and update it, and how to effectively remove it.

The Directive also states that the baseline controls appropriate to achieve the required level of confidentiality and privacy of the identity should be drawn from the industry in which the subject organization operates. Thus, if an industry is generally pursuing ISO 17799 as a security baseline, then ISO 17799 will be the standard against which compliance will be measured.

California's Notice of Security Breach (1798.29)

California Civil Code Section 1798.29 requires organizations to disclose security breaches that result in compromise of personal information, identity theft, or loss of customer data in a timely fashion. The law defines a breach of the security of a system as a system breach that results in the disclosure of any personal information, particularly Social Security numbers, California driver's license or ID card numbers, financial account numbers, and credit or debit card numbers. Upon a security breach, the organization must notify the government in the most expedient time possible and without unreasonable delay when any California residents' personal information has been acquired, or believed to have been acquired, without authorization. Refer to [1798] for details.

Security Compliance in Other Countries

Canada has regulations similar to those of the Sarbanes-Oxley Act. The Canadian Public Accountability Board issued similar standards and guidelines for audit and control. In late 2002, the Ontario government introduced Bill 198, which allowed the Ontario Securities Commission to introduce new corporate governance requirements. Refer to [KMPG] for a comparison between the Sarbanes-Oxley Act and the local Canadian regulations. Canada also has a Privacy Act, which is similar to the Gramm-Leach-Bliley Act. Refer to [CanadaPrivacy] for details.

There are similar data privacy laws in many Asia-Pacific countries, and their security requirements and risk implications are quite similar. The Caslon Analytics Privacy Guide [Caslon] provides a summary of these data privacy laws in Asian countries. For example, China (Hong Kong) has passed a Personal Data (Privacy) Ordinance based on the EU Directive. This ordinance sets forth specific guidelines about how positive and negative personal credit data can be shared electronically among financial services institutions.

Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management
ISBN: 0131463071
Year: 2005
Pages: 204