Challenges of Recent Legislation and the Need for IT Policy. Jacqueline Craig, University of California Office of the President. Secure IT 2004, April 28, 2004.
1 Challenges of Recent Legislation and the Need for IT Policy
Jacqueline Craig, University of California Office of the President
Secure IT 2004, April 28, 2004

2 Challenges of Recent Legislation
- Examine laws
- Policy formulation processes
- Steps to achieve policy compliance

3 Common Themes
- Transparency
- Review and evaluation to ensure compliance
- Accountability

4 Information Security Program
- Risk assessment
- Business continuity
- Incident response
- Information security plans
- Education and awareness training
- Audit processes

5 Family Educational Rights and Privacy Act of 1974 (known as the Buckley Amendment)
- an early model
- a high bar for the privacy and protection of student records
- a set of principles reflected in subsequent laws

6 FERPA Principles
- Transparency: open records
- ability to inspect, to know what is happening to one's records
- ability to correct the record
- institutional obligation to maintain a record of disclosure and provide notice
- requirement to secure all records

7 Sectoral Privacy Law
- Health Insurance Portability and Accountability Act (HIPAA)
- Gramm-Leach-Bliley (G-L-B)

8 HIPAA
- Establishes national standards for electronic health care transactions and national identifiers for providers, health plans, and employers
- Privacy Regulations: effective April 14, 2003
- Security Regulations: due April 21, 2005

9 G-L-B Objectives
- ensure the security and confidentiality of customer records and information
- protect against any anticipated threats or hazards to the security or integrity of such records
- protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer

10 California: Social Security Numbers
- SB 25: Personal Information: Security
- AB 763: Privacy: Social Security Numbers
- Intent is to prevent identity theft and to protect social security numbers from being stolen electronically or from paper documents
- Effective: January 1, 2004

11 California legislation prohibits
- public posting of SSNs
- printing SSNs on access cards
- requiring individuals to transmit SSNs over the unsecured Internet
- requiring use of SSNs to access Internet web sites
- printing SSNs on materials mailed to individuals
- encoding SSNs on a card or document using a bar code, chip, or magnetic strip

12 Identity Theft
- California Civil Code section (SB 1386), effective July 1, 2003
- Requires notification to any California resident whose unencrypted personal information is reasonably believed to have been acquired as a result of a security breach

13 Intellectual Property Laws: DMCA and the TEACH Act
DMCA
- Do we monitor our networks to identify illegal file sharing?
- How does that practice comport with your network management practice?

14 TEACH Act: requires institutions to apply technological protection measures to reasonably prevent
- retention for longer than is necessary
- downstream copying or dissemination

15 USA PATRIOT Act
- Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001
- impacts or modifies more than 15 existing statutes
- enhances the government's ability to engage in surveillance activities

16 USA PATRIOT Act
- Establishes a lower threshold for obtaining records than required by FERPA
- Reduces requirements for requests for information (subpoenas, search warrants, pen/trap or wiretap orders)
- Accelerates and expands the foreign student visa monitoring program (SEVIS)

17 USA PATRIOT Act
- be sure you have a protocol for any information requests
- establish a single point of entry for all information or surveillance requests
- maintain a confidential log of these requests
- establish procedures for requests
- establish emergency and computer trespasser procedures
- involve legal counsel if requests are received

18 Common themes
- Establish policy and procedures
- Identify roles and assign responsibility
- Conduct education and awareness programs

19 Risk Assessment
- Conduct classification of data/records
- Identify vulnerabilities and threats

20 Workforce Issues
- Education and training
- Background checks
- Identify individuals authorized to access data
- Establish access controls relative to need to know
- Establish procedures for noncompliance

21 Implement Risk Controls
- Physical security
- Technical (logical) security
- Evaluate: test and monitor controls

22 Business Continuity Planning
- recovery
- backup
- work in emergency mode
- test plans and procedures

23 Outsourcing
- Select and retain capable vendors
- Update/create contracts containing safeguard requirements

24 Why common themes?
- International Information Security Standard ISO/IEC 17799

25 SANS Institute
- See Sheldon Borkin, The HIPAA Final Security Standards and ISO/IEC 17799, July 15,
- HIPAA security standards contain some requirements not covered by ISO
- ISO has some controls not required by HIPAA

26 Creating Policy
- must take into account the culture of your organization
- must engage the entire campus community

27 Look to your local governance structure
- defines the principles of the institution
- establishes the risk appetite of the institution

28 Institutional Governance Structure
- defines the academic and business values of the institution
- establishes priorities and allocation of resources

29 Institutional Governance Structure
- Is IT at the table?
- Is IT a partner in institutional decisions?

30 Policy
- a broad statement
- describes what and why

31 The "how" includes:
- Standards and Guidelines: specify the technologies and methodologies to be used to secure systems
- Procedures: detailed steps to accomplish particular security-related tasks

32 Flavors of policy
- Program policy
- Issue-specific policy
- System-specific policy

33 Flavors of policy
Program policy: high-level policy that determines your IT security program
- has a longer life-span
- defines scope within the institution, assigns responsibilities
- establishes strategic direction
- may assign resources for implementation

34 Issue-specific Policy
- must be periodically revisited and modified in response to the current environment
- addresses such elements as contingency planning, risk assessment methodology, and implementation of laws

35 System-specific policies
- Configuration of systems: setting business rules to ensure compliance with policy, such as permission sets or access control measures
- System specific: terms and conditions of use of systems, mailing list policies, or web-use policies

36 Security Policy common elements
- designate authority
- conduct risk assessments
- establish security plans
- conduct education/awareness training
- communicate
- review and evaluate

37 Policy must be known and understood to be effective
- websites
- handbooks
- procedures
- meetings

38 National Institute of Standards and Technology
Guide to Information Technology Security Services /NIST-SP pdf

39 IT Security Program
A set of security controls grouped under the terms
- management
- operational
- technical

40 May need multiple security programs to address different business sectors
- Broad: institutional view, or
- Sectoral views: healthcare services, financial services

41 Information Security Program
- guided by institutional policy
- provides supporting guidelines, standards, procedures
- offers clarity
- converts policy to reality

42 Information Security Program
- risk assessment
- classification of assets
- determination of the level of security appropriate to protect operations and assets

43 Information Security Program
- identifies security controls and techniques
- incorporates capital planning to ensure future security needs are met
- defines metrics to assess the adequacy of current controls, policies, and procedures, and to justify security control investments

44 Security Plans
- separate security plans for individual systems supporting operations and assets
- security incident response
- processes for sharing information regarding vulnerabilities

45 Risk Assessment
- information is an asset
- a broad campus issue
- information is no longer controlled by the central campus
- must identify where information is held on the campus

46 Risk Assessment
- must undergo a culture change to achieve better levels of protection
- failures often lie at the interface
- traditional risk assessment isolates a problem to a traditional view

47 More than 85% have experienced one or more of the following IT incidents in the past 12 months
- Major system disruption due to a virus
- Denial of service attack
- Altered/vandalized website
- Unauthorized access to sensitive institutional data
- Threats or abusive behavior via e-mail or other digital communication
Source: Chronicle of Higher Education/Gartner survey of selected subscribers, December 2003

48 Sarbanes-Oxley
- Applicable to companies registered with the SEC, but raises the bar for corporate accountability
- Established new standards: requires improved internal controls to protect information assets from abuse, loss or fraud
- Focuses upper management's attention on data safeguards
