Presentation on theme: "Legal Requirements & Regulatory Compliance Yevgeniy Shupikov Boris Gitelman Polytechnic University, Spring 2005 Information Security ManagementCS996."— Presentation transcript:
Legal Requirements & Regulatory Compliance Yevgeniy Shupikov Boris Gitelman Polytechnic University, Spring 2005 Information Security ManagementCS996
Overview Why legal Major U.S. laws HIPAA Gramm-Leach-Bliley Act FISMA Basel II Sarbanes-Oxley Act USA PATRIOT Act California’s SB 1386 COPA & COPPA Systems and Security Engineering Process Integration Summary Questions & Discussion Homework References Examples: SB 1386 precedent Examples on SB 1386 Example on legal liability
Why legal The focus of this presentation is To present briefly various major laws; To describe their intention, impact, and significance; To show how laws lead to security requirements for systems. We will show some examples of cases Because U.S. legislature is vastly precedent driven; To show how laws impact the real world; and To emphasize the cost of compliance and non- compliance.
Framework for each law General introduction Motivation, overall goal Specific clauses with security implications What are the implied security requirements? Cost of compliance Cost of non-compliance fines, jail, other penalties, etc… Examples from news Precedent cases leading to the law’s creation Court cases after the law was passed
What is HIPAA? Health Insurance Portability and Accountability Act A comprehensive federal law passed in 1996 that institutes major medical reform HIPAA’s main theme: KEEP INDIVIDUALS’ HEALTH INFORMATION SECURE AND CONFIDENTIAL
HIPAA Structure HIPAA Title II: Administrative Simplification Title I: Insurance Portability Security Rule Privacy Rule Other Standards
HIPAA Security Rule Ensure Confidentiality (only the right people see it) Integrity (the information is what it is supposed to be – it hasn’t been changed) Availability (the information can be obtained when needed ) Covers what safeguards must be in place to protect health information from unauthorized access, alteration, deletion, or transmission. Applies only to electronic health information Compliance data: April 21, 2005
HIPAA Security Rule Provisions Three types: Administrative – relates primarily to policies, procedures and organizational practices Physical – physical measures, policies and procedures to protect electronic information systems, buildings and equipment from natural, man-made and environmental hazards, and unauthorized access Technical – relates to the processes that must be put in place to protect, control and monitor information access; mechanisms to be employed to guard data integrity, confidentiality and availability
HIPAA Privacy Rule The Privacy Rule covers what patient health information is to be protected, the use and disclosures of this information, and what rights patients have with respect to their information Rule applies to health information in any form (electronic or paper based) Compliance date: April 14, 2003
Privacy Rule Provisions Designation of a privacy officer Privacy training for all employees Reasonable safeguards to prevent intentional or incidental disclosure or misuse of PHI Formal sanctions for employee violations. Provide individuals “Notice of Privacy Practices” statement Provide written authorization for the disclosure of any medical information
Cost of HIPAA Non-Compliance $ 100 for each violation Maximum of $25,000 per year per incident u Penalties up to $250,000 u Prison time up to 10 years Non-Compliance (Civil Penalty) Unauthorized Disclosure or Misuse of Patient Information (Criminal Penalty) Penalties may apply to the individual violator but they may also apply to the organization or even to its officers
Costs of HIPAA Compliance The government made 5-year, “conservative” cost estimates of the privacy regulation alone at $3.8 BILLION The American Hospital Association estimates that hospitals alone may spend up to $20 BILLION over 5 years on information systems changes & upgrades In the long run, however, significant savings may be realized due to industry standardization, automation, and lower overhead PAPER ELECTRONICFor example, a PAPER-based claim costs $6.00 to $8.00 to process… The same claim in ELECTRONIC form costs $0.17 to process
Gramm-Leach Bliley (GLB) Act GLB Act is a 1999 Federal law which requires “financial institutions” to ensure the security and confidentiality of customer personal information Financial institutions include mortgage lenders, loan brokers, financial or investment advisers, tax preparers, providers of real estate settlement services, and debt collectors College’s and Universities are considered financial institutions under the Act Has two main provisions Privacy Rule, Safeguards Rule
What is “Customer Information”? Social security numbers Bank account numbers Credit card account numbers Date and/or location of birth Account balances; payment histories; credit ratings; income histories Drivers license information ACH (Automated Clearing House) numbers Tax return information
What is the Privacy Rule? Requires financial institutions to give their customers privacy notices that explain the financial institution’s information collection and sharing practices. Customers have the right to limit some sharing of their information. Companies that receive personal financial information from a financial institution may be limited in their ability to use that information.
Safeguards Rule The Safeguards Rule requires “financial institutions” to develop an information security program that includes these components: Designate a Security Program Coordinator responsible for coordinating the program Conduct a risk assessment to identify reasonably foreseeable security and privacy risks. Ensure that safeguards are employed to control the identified risks; regularly test and monitor the effectiveness of these safeguards.
Objectives of the Safeguards Rule 1. to ensure the security and confidentiality of customer records and information. 2. to protect against any anticipated threats or hazards to the security or integrity of such records. 3. to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
GLB Safeguards There are three types of safeguards that must be considered as part of the safeguards rule: Administrative Physical Technical
Administrative Safeguards Reference checks for potential employees Confidentiality agreements that include standards for handling customer information Training employees on basic steps they must take to protect customer information Assure employees are knowledgeable about applicable policies and expectations Limit access to customer information to employees who have a business need to see it Impose disciplinary measures where appropriate
Physical Safeguards Locking rooms and file cabinets where customer information is kept Using password activated screensavers Using strong passwords Changing passwords periodically and not writing them down Encrypting sensitive customer information transmitted electronically Referring calls or requests for customer information to staff trained to respond to such requests Being alert to fraudulent attempts to obtain customer information and reporting these to management for referral to appropriate law enforcement agencies
Technical Safeguards Storing electronic customer information on a secure server that is accessible only with a password -or has other security protections -and is kept in a physically-secure area Avoiding storage of customer information on machines with an Internet connection Maintaining secure backup media and securing archived data Using anti-virus software that updates automatically Obtaining and installing patches that resolve software vulnerabilities Following written contingency plans to address breaches of safeguards Maintaining up-to-date firewalls particularly with broadband Internet access or allows staff to connect to the network from home Providing central management of security tools and keep employees informed of security risks and breaches
FISMA Federal Information Security Management Act Title III of the Electronic Government Act of 2002 Applies to Federal Agencies, including government contractors Purpose is to secure Information Infrastructure used in all of the Federal Agencies
FISMA Requirements for Federal Agencies Plan for security Ensure that appropriate officials are assigned security responsibility Review periodically the security controls in their information systems Annual security reporting to Office of Management and Budget Security awareness training Follow guidelines issued by NIST for information security controls
FISMA Requirements continued Report to Congress provides: A summary of government-wide performance in the area of information technology security management An analysis of government-wide weaknesses in information technology security practices, and, A plan of action to improve information technology security performance
FISMA Requirements continued Report to congress includes: Certification and accreditation of systems Security costs Annual testing of system controls Contingency planning Implementation of security configuration requirement
Patch Management* Standards, Baselines & Config* Security within System Lifecycle Management* Contractor Assessments* C&A Process Management* Risk Management* Document Management* Policy Management & Integration* Security Roles & Responsibilities* Congressional Reporting* Performance Measurements* Sec within CPIC (Funding)* ISSO Management* Contractor Compliance* Computer Incident Response Capability* Sec Awareness, Training, & Education* Critical Infrastructure Protection* Security Response (COOP)* Physical Security (IT)* FISMA Areas IS Program Management (Strategic) Information Security Operations Policy & Compliance Mgmt System Integration, Configuration, & Lifecycle Mgmt Vulnerability, Certification & Accreditation Mgmt
Inspector General Roles and Responsibilities for IT Security Management Team Verify that security program elements exist Validate Plan of Action & Milestones Identify all known security weaknesses and that a robust process exists for maintaining the POA&M Agency Head Held accountable ultimately for the protection of an agency’s systems Expected to include security as a part of strategic and operational planning Assign CIOs compliance responsibility ISSO Chief Information Officer Designate a senior information security officer who reports directly to the CIO Held accountable for agency- wide security program Develop and implement policies, procedures and controls Report on progress quarterly to OMB Carry out responsibilities of the CIO Security is the ISSO’s primary responsibility, not an other duty as assigned Maintain professional qualifications Program Officials and System Owners Assess risk and test controls Update system documentation Ensure systems are certified and accredited
FISMA Cost of non-compliance Probable exploitation of security vulnerabilities Unauthorized access and/or modification of sensitive data Jeopardize funding for current and future IT projects
FISMA Cost of compliance “In F[iscal] Y[ear] 2004, the Federal agencies spent $4.2 billion securing the government’s total information technology investment of approximately $59 billion or about seven percent of the total information technology portfolio.”
Basel II Objectives - 2004 An international set of recommendations aimed at producing uniformity in the way banks approach risk and asset management Requires all banking institutions to have sufficient assets to offset any risks they may face Compliance by end of 2006 Advance a “three-pillar” approach
PILLAR 1 PILLAR 3 PILLAR 2 Increased Supervisory Power Increased Disclosure Requirements Minimum Capital Requirement Market Discipline Requirements Supervisory Review Process Rules To Calculate Required Capital New Regulatory Structure Based on Three Pillars Capital Adequacy Basel II – the Three Pillars
Credit risk – the risk that a borrower or counterparty might not honour its contractual obligations Market risk – the risk of adverse price movements such as exchange rates, the value of securities, and interest rates Operational risk – the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events Role of IT is to minimize the Operational Risk of an organization, by ensuring Confidentiality, Integrity, and Availability (CIA) Types of risk in Basel II
Sarbanes-Oxley Act (SOX) SOX effective July 30, 2002 House: 107 H.R. 3763, H. Rept. 107-414, H. Rept. 107-610 Senate: 107 S. 2673, S. Rept. 107-205 Law: Pub. L. 107-204, 116 Stat. 745 Named after Senator Paul Sarbanes and Representative Michael G. Oxley a.k.a. Public Company Accounting Reform and Investor Protection Act of 2002 Precedent: series of corporate financial scandals Enron, Arthur Andersen, WorldCom, Tyco Motivation: revise outdated legislature on audit requirements for public companies Applies to public companies filing form 10-K with Securities and Exchange Commission
SOX Structure Organized into 11 titles: Title I: Public Company Accounting Oversight Board Title II: Auditor Independence Title III: Corporate Responsibility Title IV: Enhanced Financial Disclosures Title V: Analyst Conflicts of Interest Title VI: Commission Resources and Authority Title VII: Studies and Reports Title VIII: Corporate and Criminal Fraud Accountability Title IX: White Collar Crime Penalty Enhancements Title X: Corporate Tax Returns Title XI: Corporate Fraud Accountability
SOX: Excerpts Title I: Evaluation of whether internal control structure and procedures include records that accurately reflect transactions and disposition of assets Title III: internal controls have been reviewed for their effectiveness within 90 days prior to the report Title IV: Requires senior management, directors, and principal stockholders to disclose changes in securities ownership or securities based swap agreements within two business days (formerly ten days after the close of the calendar month). Mandates electronic filing and availability of such disclosures one year after the date of enactment.
SOX: Major Provisions CEOs, CFOs, and directors May not get personal loans from company Must publicly report their compensations, profits & additional disclosures Must certify truthfulness and completeness of company’s financial reports and reports on presence and effectiveness of internal controls (structures to detect, prevent, and correct errors and fraud within company) Criminal and civil penalties for securities violations Significantly longer jail sentences and larger fines
SOX: Major Provisions Independent auditor Auditor rotation [at most 5 consecutive years] Mandatory internal audit certified by external auditors Annual independent audit reports regarding internal controls and financial reporting 7 year retention period on audit documents (includes everything from reports to internal emails) Numerous restrictions on employment of/by auditors, services auditing firms provide to the corporation and vice versa, affiliate/sub-divisions involvement, other conflicts of interests arrangements and etc. Attorneys liable to disclose violations.
SOX Cost of non-compliance Public companies in violation may be taken off NYSE and NASDAQ by SEC. SEC is authorized to freeze personal and corporate payments, funds, and accounts temporarily. Corporate fines up to $25,000,000. “Knowing” Fines of $1,000,000 and/or Jail sentences up to 10 years “Willing” Fines of $5,000,000 and/or Jail sentences up to 20 years
SOX IT Impact If top executives are liable for the data they sign off on, they will make sure that data is accurate and protected: Confidentiality: no one except financial officers, auditors, and executives should have access to it Integrity: better make sure it hasn’t been tampered with, or else jail Authentication, non-repudiation, etc Availability: obligated to disclose this data to SEC and Public Company Accounting Oversight Board (PCAOB) within 2 days
SOX IT Impact Data retention policy and the mechanisms to implement it correctly: How do you collect and store all data relating to financial and audit reviews, reports, electronic and voice communications, and other documents that contain analysis, reports, or opinions that served as basis in creating the financial and audit records. With respect to confidentiality, integrity, and availability
SOX IT Impact How do top executives know/ensure the data they sign was accurate to begin with? Internal Controls design, implement, and monitor complete, fast, reliable, and effective methods, mechanisms, and procedures to prevent, find, and correct inaccurate, incomplete, and/or fraudulent documents and activities within the company
SOX Impact Smaller companies may be affected when trading with a larger SOX compliant company SOX allegedly tends to increase quantity but not quality of financial reports. Companies have to think twice before going public: some stay private. Some private companies comply with SOX voluntarily as a measure of security and a show of industry competitiveness. CEOs, CFOs, directors, and auditors are much more cautious and concerned. Restored image of “greater corporate integrity” and “honest enterprise”
SOX: Guidance on Compliance COSO (Committee of Sponsoring Organizations of the Treadway Commission) Enterprise Risk Management Framework:www.erm.coso.orgwww.erm.coso.org assess control environment, determine objectives, prepare risk assessment, monitor controls CobiT (Control Objectives for Information and related Technology) more at www.isaca.org/cobit.htmwww.isaca.org/cobit.htm ISO-17799 http://www.iso.ch/iso/en/prods-services/ISOstore/store.html Information Systems Audit and Control Association (ISACA) American Institute of Certified Public Accountants (AICPA)
USA PATRIOT Act Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 USA PATRIOT Act effective October 26, 2001 H.R. 3162, S. 1510, Public Law 107-56 Incorporates an older Foreign Intelligence Surveillance Act Response to September 11, 2001 Broad, complicated, and lengthy legislation 342 pages with 158 sections and 15 amendments to federal statutes As of November 2004 372 suspected terrorists charged 194 convicted
USA PATRIOT Act: IT Sections Title I: Enhancing domestic security against terrorism Sec. 103. Increased funding for the technical support center at the Federal Bureau of Investigation. Sec. 105. Expansion of National Electronic Crime Task Force Initiative. Title II: Enhanced surveillance procedures Sec. 201. Authority to intercept wire, oral, and electronic communications relating to terrorism. Sec. 202. Authority to intercept wire, oral, and electronic communications relating to computer fraud and abuse offenses. Sec. 203. Authority to share criminal investigative information. Sec. 204. Clarification of intelligence exceptions from limitations on interception and disclosure of wire, oral, and electronic communications. Sec. 209. Seizure of voice-mail messages pursuant to warrants. Sec. 210. Scope of subpoenas for records of electronic communications. Sec. 212. Emergency disclosure of electronic communications to protect life and limb. Sec. 217. Interception of computer trespasser communications. Sec. 220. Nationwide service of search warrants for electronic evidence. Sec. 223. Civil liability for certain unauthorized disclosures.
USA PATRIOT Act: IT Sections Title III: International money laundering abatement and anti- terrorist financing act of 2001 Sec. 312. Special due diligence for correspondent accounts and private banking accounts. Sec. 326. Verification of identification. Sec. 328. International cooperation on identification of originators of wire transfers. Sec. 361. Financial crimes enforcement network. Sec. 362. Establishment of highly secure network. Sec. 366. Efficient use of currency transaction report system. Title IV: Protecting the border Sec. 403. Access by the Department of State and the INS to certain identifying information in the criminal history records of visa applicants and applicants for admission to the United States. Sec. 405. Report on the integrated automated fingerprint identification system for ports of entry and overseas consular posts. Sec. 414. Visa integrity and security. Sec. 416. Foreign student monitoring program. Sec. 417. Machine readable passports.
USA PATRIOT Act: IT Sections Title V: Removing obstacles to investigating terrorism Sec. 507. Disclosure of educational records. Sec. 508. Disclosure of information from NCES surveys. Title VI: Providing for victims of terrorism, public safety officers, and their families Title VII: Increased information sharing for critical infrastructure protection Sec. 711. Expansion of regional information sharing system to facilitate Federal-State-local law enforcement response related to terrorist attacks. Title VIII: Strengthening criminal laws against terrorism Sec. 815. Additional defense to civil actions relating to preserving records in response to Government requests. Sec. 816. Development and support of cybersecurity forensic capabilities.
USA PATRIOT Act: IT Sections Title IX: Improved intelligence Sec. 903. Sense of Congress on the establishment and maintenance of intelligence relationships to acquire information on terrorists and terrorist organizations. Title X: Miscellaneous Sec. 1003. Definition of `electronic surveillance'. Sec. 1008. Feasibility study on use of biometric identifier scanning system with access to the FBI integrated automated fingerprint identification system at overseas consular posts and points of entry to the United States. Sec. 1015. Expansion and reauthorization of the crime identification technology act for antiterrorism grants to States and localities.
USA PATRIOT Act Expanded surveillance with reduced checks and balances wiretaps, search warrants, pen/trap orders, and subpoenas online activity, phones, faxes, ISP records DNA samples, bank records/accounts, surveys, college records/transcripts some “relevant” information vs. “probable cause” from 4th amendment no reporting back on results vs. report to judge with results valid for up to a year vs. up to 30 days Police, FBI, CIA, other; shared information
USA PATRIOT Act Concerns: Majority of sections were not carefully studied and debated in Congress nor advice taken from experts outside law enforcement. A large setback to Americans’ civil liberties, particularly privacy. Insufficient evidence that the provisions ARE needed and WILL provide a measure against terrorism.
SB 1386 precedent California state payroll database was compromised on April 5, 2002. personal records on 260,000 state employees Names, SSNs, and payroll information. The security breach was discovered on May 7, 2002. The state notified the people on May 24, 2002. Public opinion was that it took too long to issue the warnings.
California Security Breach Information Act (SB 1386) SB 1386 effective July 1, 2003 Applies to any person or company “conducting business” with unencrypted computerized personal information on CA residents first name or initial and last name, and one of the following SSN, driver license, account/card number, code/password, other access granting information must notify the people of the security breach publicly (reputations at stake), via mail (expensive), or via email (inexpensive, but comply with e-Sign Law). “in the most expedient time possible, consistent with the legitimate needs of law enforcement … or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.”
California Security Breach Information Act (SB 1386) (continued) Intent: timely alert people about a possible occurrence of identity theft Motivation: Having to disclose breaches will push companies to review systems and policies in preparation to comply. to improve their network/computer security. to reduce the amount of personal information stored. to use encryption to secure their data. to use intrusion detection/prevention software to respond timely.
California Security Breach Information Act (SB 1386) (continued) Impact: Potentially high cost of compliance. Some companies are required to go public (ex. Over 500,000 records). Victims of violation of SB 1386 can/will/do take civil action. Think about 30,000 simultaneous cases against your company and the cost involved. Similar legislation may soon appear in other states and/or on the federal level. Notification of Risk to Personal Data Act (Senator Dianne Feinstein) Gray areas: Do CA companies notify non-CA residents? Do out-of-state companies have to comply? Law does not apply if data is encrypted with no minimum strength requirement. What if they use the Caesar’s cipher?
Examples on SB 1386 ChoicePoint Inc. had a breach in October 2004 Company database contains 19 billion records personal records on 30,000+ consumers stolen by social engineering means Names, SSNs, credit histories, criminal records, etc People outside CA are concerned they did not get the letter when they should have.
Examples on SB 1386 SAIC had a break-in in January 2005 Several desktops were stolen containing stockholders’ data Names, SSNs, address, phone numbers, shares bought/sold/held 45,000 current and former employees affected Other recent similar incidents (see references): Bank of America lost tapes (records on 1 million customers) LexisNexis break-in (records on 32,000 U.S. citizens) Boston College (records on 120,000 alumni) CSU Chico break-in (records on ~60,000 students/faculty)
Child Online Protection Act (COPA) Purpose: “protecting children from harmful sexual material on the Internet” COPA originally consists of two parts Children’s Online Privacy Protection Act (coming up) COPA (partial restatement of a broader Communications Decency Act) Concerns: U.S. law enforceable only on U.S. companies Law may violate adults’ freedom of speech History 1998: Child Online Protection Act is passed. 1998: Injunction blocking the law from enforcement is obtained. 1999: 3 rd Circuit Court of Appeal struck the law down. 2002: Supreme Court finds reasons for struck down insufficient. 2003: 3 rd Circuit Court of Appeal upheld the 2002 decision. 2004: Supreme Court upheld law as unconstitutional. (Ashcroft vs. American Civil Liberties Union)
Children’s Online Privacy Protection Act (COPPA) U.S. legislation in effect since April 21, 2000 The law applies to children under the age of 13. “Web site operator” must include a policy on how to obtain “verifiable” consent from a parent. Outlines how the “Web site operator” must protect the safety and privacy of children online. High cost of compliance. Impact: “Web site operators” choose to shutdown or to stop providing child contents and services rather than comply. Practically very few cases for COPPA violations.
Example on legal liability Currently open question of legal liability: “who is responsible for securing a consumer’s data – even on the consumer’s own computer” Joe Lopez (Miami) filed a lawsuit against Bank of America on Feb 7 His home PC was compromised by a trojan/keylogger (Coreflood) Resulting in loss of $90,348 in wire transfers to Latvia The argument: Joe Lopez: Bank of America had not alerted him about malicious code the could infect his computer Bank of America: customers “need to have reasonable computer security”
Example on legal liability Who is liable? The customer failed to secure his computer system. The bank failed to secure their customer’s system/instruct him to do so. The bank is responsible for accepting fraudulent ID. Implications E-commerce, Online shopping, Internet banking, etc The right answer Currently being decided in court of law Possible solution: awareness and education Discussion
System Engineering Process Integration Mission Need CONOPS System Arch. Primary Sec Rqmts Legal Rqmnts Assets at Risk Corp/Org Policy Security Arch Threat Analysis Vulner. Analysis System Design Security Design Derived Sec Rqmts Other Rqmts Prelim. Risk Analysis Functional Rqmts Risk Analysis Assess Courtesy of Dr. Hery
Summary Legal requirements affect the system development life cycle effect system and security design Compliance ensures the people and the company are protected that the business stays afloat when something goes wrong Impact Cost money, work, time Civil/criminal penalties Cultural
Questions & Discussion Any questions, comments, etc… Please feel free to contact Yevgeniy Shupikov: firstname.lastname@example.org Boris Gitelman: email@example.com
Homework The final homework assignment will be distributed to all by Dr. Hery http://isis.poly.edu/courses/cs996-management-s2005/
References California Security Breach Information Act (SB 1386): http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html http://searchsecurity.techtarget.com/topic/0,295492,sid14_tax300005,00.html http://www.andysullivan.com/choicepoint.html http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci912476,00.html Security Implications of California’s Senate Bill 1386 by www.credant.comwww.credant.com http://news.com.com/Bank+of+America+loses+a+million+customer+records/2100-1029_3- 5590989.html?tag=st.rc.targ_mb http://news.com.com/Bank+of+America+loses+a+million+customer+records/2100-1029_3- 5590989.html?tag=st.rc.targ_mb http://news.com.com/LexisNexis+break-in+spurs+more+calls+for+reform/2100-1029_3-5606911.html http://www.news10.net/storyfull1.asp?id=9784 http://www.signonsandiego.com/uniontrib/20050203/news_1b3saic.html Child Online Protection Act, Children’s Online Privacy Protection Act: http://en.wikipedia.org/wiki/COPA http://www.eff.org/legal/cases/ACLU_v_Reno_II/20020513_supreme_decision.pdf http://en.wikipedia.org/wiki/COPPA http://www.ftc.gov/ogc/coppa1.htm Example on legal liability: http://searchsecurity.techtarget.com/columnItem/0,294698,sid14_gci1062440,00.html http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1062076,00.html
References http://www.nhvship.org/download/hipaa101_Exec_Final.ppt HIPAA’s Final Security Rule: How Consul InSight™ Accelerates your Ability to Meet the Audit and Logging Requirements of HIPAA’s Final Security Rule – whitepaper provided by Bill Hery Strategies for Complying with the Final HIPAA Security Rule – whitepaper provided by Bill Hery Addressing HIPAA Auditing Requirements for Data Access Accountability with Lumigent® Entegra™ -- white paper provided by Bill Hery http://www.whitehouse.gov/omb/inforeg/2004_fisma_report.pdf http://csrc.nist.gov/policies/FISMA-final.pdf http://www.fcw.com/fcw/articles/2004/0823/web-fisma-08-27-04.asp http://www.marcorsyscom.usmc.mil/sites/ia/documents/Federal%20Information%20Security %20Management%20Act%20(FISMA).htm http://www.marcorsyscom.usmc.mil/sites/ia/documents/Federal%20Information%20Security %20Management%20Act%20(FISMA).htm http://csrc.nist.gov/organizations/fissea/conference/2004/presentations/Thursday/Fabius- FISSEA-031104.ppt http://csrc.nist.gov/organizations/fissea/conference/2004/presentations/Thursday/Fabius- FISSEA-031104.ppt
References continued http://www.ftc.gov/privacy/glbact/ http://www.ftc.gov/privacy/glbact/glbsub1.htm http://www.ffhsj.com/bancmail/bmarts/ecdp_art.htm http://www.epic.org/privacy/glba/ http://www.hr.niu.edu/resources/files/Protecting%20Non- Public,%20Personal%20Information%20Under%20the%20Gramm-Leach- Bliley.ppt#256,1,Protecting Non-Public, Personal Information Under the Gramm-Leach- Bliley Act http://csrc.nist.gov/fasp/FASPDocs/program- mgmt/NLRB_FISMA_CIO_Feb192004.ppt#297,9,Comprehensive Security Program Through Performance-based Risk Management http://www.Wikipedia.org http://www.fdic.gov/deposit/deposits/international/us_implementation.ppt#256,1, U.S. Implementation of Basel II: An Overview http://www.developer.com/security/article.php/3403901
Data Privacy Laws: US vs. EC Differences In the US There are strict laws on the collection and sharing of data about individuals by the government But the laws for corporate data collection and sharing are much looser, except in special cases (e. g., HIPAA) In the European Community (EC), the opposite is true: Governments are freer (but not completely free) to collect data about individuals Corporations must disclose what data they are collecting and what it will be used for. Other uses of that data and most sharing of that data are prohibited This has had an impact on international operations of US companies, which must distinguish between US and EC citizens or take the more stringent EC approach.
Example: Crypto Laws Until recently, the US closely controlled the export of crypto with key length greater than 40 bit except for specified uses (e. g., international banking) Some foreign countries ban or limit the use of crypto. http://www2.epic.org/reports/crypto2000/ provides a dated summary http://www2.epic.org/reports/crypto2000/ Until 1999, France required all crypto devices and keys used in France to be registered with the government Crypto is so widely used now (e. g., VPNs, SSL), that it is increasingly difficult to regulate. Many people do not even know they are using crypto when they are at a secure web site. Check laws in any country you plan to use crypto in (including crypto devices on laptops)