Info_Sec_Discussion
Managing Risk in Information Systems
Lesson 3
Maintaining Compliance
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Learning Objective and Key Concepts
Learning Objective
Identify compliance laws, standards, best practices, and policies of risk management.
Key Concepts
Compliance laws and regulations
U.S. risk management initiatives
Standards and guidelines used for compliance
U.S. Compliance Laws
Federal Information Security Management Act (FISMA)
Health Insurance Portability and Accountability Act (HIPAA)
Gramm-Leach-Bliley Act (GLBA)
Sarbanes-Oxley Act (SOX)
Family Educational Rights and Privacy Act (FERPA)
Children’s Internet Protection Act (CIPA)
Federal Information Security Management Act (FISMA)
A U.S. federal law enacted in 2002 that requires each federal agency to develop an agency-wide program to provide information security.
Health Insurance Portability and Accountability Act (HIPAA)
Enacted in 1996. Its Privacy Rule gives patients access to their medical records and control over how their protected health information (PHI) is used and disclosed; its Security Rule requires administrative, physical, and technical safeguards for electronic PHI (ePHI).
Gramm-Leach-Bliley Act (GLBA)
Also known as the Financial Services Modernization Act of 1999, opening up the market among banking companies, securities companies, and insurance companies.
Repealed part of the Glass-Steagall Act of 1933, which prohibited any one institution from acting as any combination of an investment bank, a commercial bank, and an insurance company.
Sarbanes-Oxley Act (SOX)
Enacted in 2002 for publicly traded companies. Sarbanes-Oxley contains 11 titles that describe specific mandates and requirements for financial reporting; each title consists of several sections. Its information security impact comes mainly from Section 404, which requires management to assess internal controls over financial reporting, including the IT systems and access controls that produce the financial data.
Family Educational Rights and Privacy Act (FERPA)
Regulations protect the privacy of student records. FERPA applies to all schools that receive any funding from the U.S. Department of Education.
Children's Internet Protection Act (CIPA)
Enacted in 2000, CIPA is one of several U.S. laws intended to limit children's exposure to pornography and explicit content online; it ties Internet-filtering obligations to E-Rate funding for schools and libraries.
| Law | Applicability |
| --- | --- |
| FISMA | Federal agencies |
| HIPAA | Any organization handling medical data |
| GLBA | Banks, brokerage companies, and insurance companies |
| FERPA | Educational institutions |
| CIPA | Schools and libraries using E-Rate discounts |
U.S. Compliance Laws and their Applicability
FISMA
Federal agencies
The act recognizes the importance of information security to the economic and national security interests of the United States.
HIPAA
Medical organizations
Provides privacy standards to protect patients' medical records and other health information.
GLBA
Banks, brokerage companies, and insurance companies
Companies must securely store personal financial information.
Companies must advise consumers of their policies on sharing of personal financial information.
Companies must give consumers the option to opt-out of some sharing of personal financial information.
FERPA
Educational institutions
The right to access educational records kept by the school.
The right to demand educational records be disclosed only with student consent.
The right to amend educational records.
The right to file complaints against the school for disclosing educational records in violation of FERPA.
CIPA
Schools and libraries using E-Rate discounts
To operate "a technology protection measure with respect to any of its computers with Internet access that protects against access through such computers to visual depictions that are obscene, child pornography, or harmful to minors...".
This technology protection measure must be in force whenever minors use the computers.
The law also provides that the school or library "may disable the technology protection measure concerned, during use by an adult".
Schools and libraries that do not receive E-Rate discounts do not have any obligation to filter under CIPA.
HIPAA Compliance Process
HIPAA covers "covered entities" that handle protected health information, and, under the HITECH Act of 2009, the business associates that handle PHI on their behalf
Medical facilities
Insurance companies
Any company with a health plan if its employees handle health data
U.S. Compliance Regulatory Agencies
Securities and Exchange Commission (SEC)
Federal Trade Commission (FTC)
Securities and Exchange Commission (SEC)
Oversees the exchange of securities to protect investors.
Holds primary responsibility for enforcing the federal securities laws and regulating the securities industry, the nation's stocks and options exchanges, and other electronic securities markets in the United States.
Federal Trade Commission (FTC)
Created in 1914, originally to prevent unfair methods of competition in commerce.
Now also the principal federal consumer-protection regulator: it enforces the GLBA privacy and safeguards rules for non-bank financial institutions and brings data-security and privacy cases under Section 5 of the FTC Act, which prohibits unfair or deceptive practices.
U.S. Compliance Regulatory Agencies
Federal Deposit Insurance Corporation (FDIC)
Department of Homeland Security (DHS)
State Attorney General (AG)
U.S. Attorney General (U.S. AG)
State Regulations
Each state has its own regulations and regulatory agencies.
Attorney General - the main legal advisor at the state level in most common law jurisdictions.
Organizational Policies for Compliance: Fiduciary Responsibility
Fiduciary
Refers to a relationship of trust
Could be a person who is trusted to hold someone else’s assets
Trusted person has the responsibility to act in the other person’s best interests and avoid conflicts of interest
Organizational Policies for Compliance: Fiduciary Responsibility (Cont.)
Examples of trust relationships:
An attorney and a client
A CEO and a board of directors
Shareholders and a board of directors
Fiduciary is expected to take extra steps:
Due diligence
Due care
Standards and Guidelines
PCI DSS
NIST
GAISP
COBIT
ISO
IEC
ITIL
CMMI
RMF for DoD IT
PCI DSS
Payment Card Industry Data Security Standard
A worldwide information security standard defined by the Payment Card Industry Security Standards Council.
NIST
National Institute of Standards and Technology
A measurement standards laboratory and non-regulatory agency of the United States Department of Commerce. Its Special Publication 800 series (for example, SP 800-53 security controls and SP 800-37 Risk Management Framework) underpins FISMA compliance for federal systems.
GAISP
Generally Accepted Information Security Principles
Industry-wide guidelines for information security.
COBIT
Control Objectives for Information and Related Technology
A set of best practices (framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA), and the IT Governance Institute.
ISO
International Organization for Standardization
ISO is the world's largest developer and publisher of International Standards, including those for the IT industry (for example, the ISO/IEC 27000 series on information security management, published jointly with the IEC).
IEC
International Electrotechnical Commission
The IEC is the world's leading organization that prepares and publishes international standards for all electrical, electronic, and related technologies.
ITIL
Information Technology Infrastructure Library
A set of concepts and practices for IT services management, IT development, and IT operations.
CMMI
Capability Maturity Model Integration
A process improvement approach to management that helps organizations improve their performance.
RMF for DoD IT (as of March 2014)
Risk Management Framework (RMF) for Department of Defense (DoD) Information Technology (IT), which replaced the DoD Information Assurance Certification and Accreditation Process (DIACAP).
Defines a DoD-wide, formal, standard set of activities, general tasks, and a management process for lifecycle cybersecurity risk to DoD IT.
PCI DSS Compliance
Created by Payment Card Industry Security Standards Council
American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.
Maintained and periodically revised by the PCI Security Standards Council
Intended to prevent theft and misuse of cardholder data
PCI DSS Standards
Covers cardholder data and sensitive authentication data, including personal identification numbers (PINs)
Applies to the systems and software used to store, process, and/or transmit cardholder data
The PCI DSS requirements are grouped under six goals (shown on the following slides)
Merchants and service providers who store, process, and/or transmit cardholder data must comply
Merchants should establish processes that work toward the PCI DSS goals
| Goal | Process Steps |
| --- | --- |
| Build and maintain a secure network that is PCI compliant | Install and maintain a firewall; test firewall configurations whenever they change; identify and document all connections to cardholder data; review firewall rule sets at least every six months; change all vendor-supplied default passwords and settings |
Goals and Process Steps to PCI DSS
| Goal | Process Steps |
| --- | --- |
| Protect cardholder data | Mask the primary account number (PAN) when displayed, showing at most the first six and last four digits; render stored PANs unreadable (for example, by strong encryption, truncation, or one-way hashing); encrypt cardholder data sent across open, public networks |
| Maintain a vulnerability management program | Install and keep current anti-virus software on commonly affected systems; install vendor-supplied security patches promptly |
Goals and Process Steps to PCI DSS
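The PAN-masking rule in the table above is easy to get wrong in practice, most often in application logs. The following Python is an added example, not part of the original slides or of any PCI SSC publication: it masks a PAN to the first six and last four digits and scrubs candidate card numbers from a log line, using a Luhn check so that ordinary digit runs such as order ids are left alone. The log line and the order id are constructed; the card number is the well-known Visa test number 4111 1111 1111 1111.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not immediately preceded or followed by another digit.
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log line (not real data). The order id is 13 digits but
# fails the Luhn check, so it must be left alone; the PAN is the Visa test
# number and must be masked.
SAMPLE_LOG_LINE = (
    "2015-03-01 12:00:01 checkout user=alice order=1234567890123 "
    "pan=4111 1111 1111 1111 amount=42.00"
)


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Return the PAN with only the first six and last four digits visible.

    Separators (spaces, dashes) are dropped. Raises ValueError if the input is
    not a plausible PAN (wrong length, non-digits, or Luhn failure).
    """
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    if not luhn_valid(digits):
        raise ValueError("PAN fails Luhn check")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_log_line(line: str) -> str:
    """Mask every Luhn-valid PAN candidate in a log line; other digit runs stay intact."""
    def _replace(match) -> str:
        candidate = match.group(0)
        try:
            return mask_pan(candidate)
        except ValueError:
            return candidate    # timestamp, order id, etc.: not a card number
    return PAN_CANDIDATE_RE.sub(_replace, line)


if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111"))   # 411111******1111
    print(scrub_log_line(SAMPLE_LOG_LINE))
```

Masking at display time is the minimum the requirement asks for; applying the same function at the logging boundary keeps PANs out of log stores that sit outside the cardholder data environment. The Luhn check reduces false positives but does not eliminate them, so treat a match as a reason to stop logging that field rather than as proof that it was a card number.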
| Goal | Process Steps |
| --- | --- |
| Implement strong access control measures | Restrict access to cardholder data to those whose job requires it; assign a unique ID to every user and render passwords unreadable in storage and in transit; restrict and monitor physical access to cardholder data; maintain a visitor log and retain it for at least three months |
Goals and Process Steps to PCI DSS
| Goal | Process Steps |
| --- | --- |
| Regularly monitor and test networks | Use a wireless analyzer to detect unauthorized wireless access points; run internal and external vulnerability scans (at least quarterly and after significant changes); deploy file-integrity monitoring to detect unauthorized modification of critical system files |
Goals and Process Steps to PCI DSS
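The last step in the table, detecting unauthorized modification of system files, is file-integrity monitoring. The following Python is an added example rather than code from the slides or from any PCI SSC tool: it records a SHA-256 baseline of every regular file under a directory, then reports files that were added, removed, or altered. The directory tree, file names, and contents built in demo() are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256.

    Symlinks are skipped in this example; a production tool would also record
    link targets, ownership, and permission bits.
    """
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed, or whose content hash changed since the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Baseline a constructed temporary tree, tamper with it, and return the diff.

    Everything under the temporary directory is made up for this example.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "pos.conf").write_text("tls=on\nlog_pan=false\n")
        (root / "bin" / "checkout").write_bytes(b"\x7fELF constructed placeholder")
        baseline = build_baseline(root)

        # Simulated unauthorized changes: the config is edited to log PANs and
        # the checkout binary is replaced by a new file under another name.
        (root / "etc" / "pos.conf").write_text("tls=on\nlog_pan=true\n")
        (root / "bin" / "checkout").unlink()
        (root / "bin" / "unexpected").write_bytes(b"\x7fELF constructed placeholder 2")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The comparison is hash-based rather than timestamp-based because an attacker who can write a file can usually restore its modification time and size as well. The baseline itself must be stored, and the comparison run, from somewhere the monitored host cannot write to; otherwise the same compromise that alters the files can alter the record of what they should be.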
| Goal | Process Steps |
| --- | --- |
| Maintain an information security policy | Maintain a security policy, reviewed at least annually, together with day-to-day operational procedures and a plan for recognizing and responding to security breaches; perform background checks on prospective employees; train employees on the policy and on their compliance obligations |
Goals and Process Steps to PCI DSS
PCI DSS Process
Build and maintain a secure network that is PCI compliant
Protect cardholder data
Maintain a vulnerability management program
Implement strong access control measures
Regularly monitor and test networks
Maintain an information security policy
Seven COBIT Enablers
COBIT 5 defines seven enablers that together support the governance and management of enterprise IT:
Principles, policies and frameworks
Processes
Organizational structures
Culture, ethics and behavior
Information
Services, infrastructure and applications
People, skills and competencies
ITIL Lifecycle
Phases
Service Strategy
Service Design
Service Transition
Service Operation
Continual Service Improvement
CMMI
Primary areas of interest
Product and service development
Service establishment, management, and delivery
Product and service acquisition
Risk Management Framework (RMF) for Department of Defense Information Technology (IT)
The DoD transitioned from DIACAP to RMF for DoD IT in March 2014 (DoD Instruction 8510.01)
Six steps of RMF:
Step 1: Categorize system
Step 2: Select security controls
Step 3: Implement security controls
Step 4: Assess security controls
Step 5: Authorize system
Step 6: Monitor security controls
The steps follow NIST SP 800-37, and control selection draws on the NIST SP 800-53 control catalog, aligning DoD practice with the rest of the federal government.
Summary
Defining risk
Balancing risk
Seven domains of a typical IT infrastructure
Addressing confidentiality, integrity, and availability
Compliance laws and regulations
U.S. risk management initiatives
Standards and guidelines used for compliance