Week 2 Discussion Posting

risk3e_ppt_ch03.pptx

CHAPTER 3

Understanding and Maintaining Compliance

Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com.

Learning Objective(s) and Key Concepts

Identify compliance laws, standards, best practices, and policies of risk management.

Compliance laws that affect information technology (IT) systems

Regulations related to compliance

Organizational policies for compliance

Standards and guidelines for compliance

U.S. Compliance Laws

Federal Information Security Modernization Act (FISMA)

Health Insurance Portability and Accountability Act (HIPAA)

Gramm-Leach-Bliley Act (GLBA)

Sarbanes-Oxley Act (SOX)

Family Educational Rights and Privacy Act (FERPA)

Children’s Internet Protection Act (CIPA)

Children’s Online Privacy Protection Act (COPPA)

U.S. Compliance Laws and Their Applicability

Law     Applicability
FISMA   Federal agencies
HIPAA   Any organization handling medical data
GLBA    Banks, brokerage companies, and insurance companies
SOX     All publicly traded companies
FERPA   Educational institutions
CIPA    Schools and libraries using E-Rate discounts
COPPA   Websites or online services directed at children under 13 that collect personal information from them

Health Insurance Portability and Accountability Act

Covers any organization that handles health data

Medical facilities

Insurance companies

Any company with a health plan if employees handle health data

HIPAA Compliance

Assessment

Risk analysis

Plan creation

Plan implementation

Continuous monitoring

Gramm-Leach-Bliley Act (GLBA)

Also known as the Financial Services Modernization Act

Most of GLBA relates to how banking and insurance institutions can merge

Financial Privacy Rule

Requires companies to notify customers about privacy practice

Explains how the bank or company collects and shares data

Safeguards Rule

Requires companies to have a security plan to protect customer information

Ensures data isn’t released without authorization; ensures data integrity

Companies must use a risk management plan, provide security training

Sarbanes-Oxley (SOX) Act

Applies to publicly traded companies

Designed to hold company executives and board members personally responsible for financial data

Chief executive officers (CEOs) and chief financial officers (CFOs) must be able to:

Verify accuracy of financial statements

Prove the statements are accurate

Family Educational Rights and Privacy Act (FERPA)

Protects the privacy of student records, which includes education and health data

Applies to all schools that receive funding from the U.S. Department of Education:

State or local educational agencies

Institutions of higher education

Community colleges

Schools or agencies that offer a preschool program

All other education institutions

For students under 18, a parent can inspect records and request corrections

Protects student personally identifiable information (PII)

Children’s Internet Protection Act (CIPA)

Designed to limit access to offensive content from school and library computers

Covers schools and libraries that receive funding from the E-Rate program

Requires schools and libraries to block or filter Internet access to pictures that are obscene or harmful to minors

Requires schools and libraries to:

Adopt and enforce a policy to monitor online activity of minors

Implement an Internet safety policy that addresses:

Access by minors to inappropriate content

Safety and security of minors when using email and chat rooms

Unauthorized access

Unlawful activities by minors online

Unauthorized use of minors’ personal information

Measures restricting minors’ access to harmful materials

Children’s Online Privacy Protection Act (COPPA)

Designed to protect the privacy of children under 13

Sites must require parental consent to collect or use personal information of young website users

Sites must post:

Contents of privacy policy

When and how to seek verifiable consent from a parent or guardian

Responsibility of a website operator regarding children’s privacy and safety online, including restrictions on the types and methods of marketing that targets those under 13

Regulations Related to Compliance

Securities and Exchange Commission (SEC)

Federal Trade Commission (FTC)

Protects consumers

Prevents anticompetitive practices

Evaluates economic impact of actions

Federal Trade Commission (FTC)

Bureau of Consumer Protection

Bureau of Competition

Bureau of Economics

U.S. Compliance Regulatory Agencies

Federal Deposit Insurance Corporation (FDIC)

Department of Homeland Security (DHS)

State Attorney General (AG)

U.S. Attorney General (U.S. AG)

Organizational Policies for Compliance

Fiduciary

Refers to a relationship of trust

Could be a person who is trusted to hold someone else’s assets

Trusted person has the responsibility to act in the other person’s best interests and avoid conflicts of interest

Organizational Policies for Compliance (Cont.)

Examples of trust relationships:

An attorney and a client

A CEO and a board of directors

Shareholders and a board of directors

Fiduciary is expected to take extra steps:

Due diligence

Due care

Organizational policy could include:

Mandatory vacations

Job rotation

Separation of duties

Acceptable use

Standards and Guidelines for Compliance

Payment Card Industry Data Security Standard (PCI DSS)

National Institute of Standards and Technology (NIST)

Generally Accepted Information Security Principles (GAISP)

Control Objectives for Information and Related Technology (COBIT)

International Organization for Standardization (ISO)

Standards and Guidelines for Compliance (Cont.)

International Electrotechnical Commission (IEC)

Information Technology Infrastructure Library (ITIL)

Capability Maturity Model Integration (CMMI)

General Data Protection Regulation (GDPR)

Department of Defense Information Assurance Certification and Accreditation Process (DIACAP)

Payment Card Industry Data Security Standard

Created by Payment Card Industry Security Standards Council

American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.

Key pieces of data:

Name

Credit card number

Expiration date

Security code

Merchants using credit cards are required to comply

Payment Card Industry Data Security Standard (Cont.)

Goals and process steps:

Build and maintain a secure network that is PCI compliant:
    Install and maintain a firewall
    Do not use defaults, such as default passwords

Protect cardholder data:
    Protect stored data
    Encrypt transmissions

Maintain a vulnerability management program:
    Use and update antivirus software
    Develop and maintain secure systems

Implement strong access control measures:
    Restrict access to data
    Use unique logins for each user
    Don't share usernames and passwords
    Restrict physical access

Regularly monitor and test networks:
    Track and monitor all access to systems and data
    Regularly test security

Maintain an information security policy:
    Maintain a security policy

Payment Card Industry Data Security Standard (Cont.)

Build and maintain a secure network that is PCI compliant

Protect cardholder data

Maintain a vulnerability management program

Implement strong access control measures

Regularly monitor and test networks

Maintain an information security policy

Assess

Report

Remediate

National Institute of Standards and Technology (NIST)

Promotes U.S. innovation and competitiveness

Hosts the Information Technology Laboratory (ITL)

Publishes the Special Publication (SP) series, for example SP 800-30: Guide for Conducting Risk Assessments

Generally Accepted Information Security Principles (GAISP)

Includes two major sections:

Pervasive principles

Broad functional principles

Control Objectives for Information and Related Technology (COBIT)

Meet stakeholder needs

Cover the enterprise end to end

Apply a single integrated framework

Enable a holistic approach

Separate governance from management

Control Objectives for Information and Related Technology (Cont.)

Adapted from COBIT 5 for Risk ©2013 ISACA. All rights reserved. Used with permission.

International Organization for Standardization (ISO)

ISO 27002

Security Techniques

ISO 31000

Principles and Guidelines on Implementation

ISO 73

Risk Management—Vocabulary

International Electrotechnical Commission (IEC)

Meet the requirements of the global market

Ensure maximum use of its standards

Assess and improve products and services covered by its standards

Aid in interoperability of systems

Increase the efficiency of processes

Aid in improvement of human health and safety

Aid in protection of the environment

Information Technology Infrastructure Library (ITIL)

ITIL life cycle:

Service Strategy

Service Design

Service Transition

Service Operation

Continual Service Improvement

Capability Maturity Model Integration (CMMI)

Primary areas of interest:

Product and service development

Service establishment, management, and delivery

Product and service acquisition

CMMI maturity levels:

Level 0: Nonexistent

Level 1: Initial

Level 2: Managed

Level 3: Defined

Level 4: Quantitatively Managed

Level 5: Optimized

General Data Protection Regulation (GDPR)

Regulates how companies protect the personal data of EU citizens and those in the European Economic Area (EEA)

Applies to all businesses that deal with the personal data of individuals living in the EU or EEA

Key changes to GDPR in 2018:

Increased territorial scope (extraterritorial applicability)

Penalties

Consent

Data subject rights

Department of Defense Information Assurance Certification and Accreditation Process (DIACAP)

DIACAP phases:

Phase 1: Initiate and Plan

Phase 2: Implement and Validate

Phase 3: Make Certification and Accreditation Decisions

Phase 4: Maintain ATO/Review

Phase 5: Decommission

Summary

Compliance laws that affect information technology (IT) systems

Regulations related to compliance

Organizational policies for compliance

Standards and guidelines for compliance

10/8/2020