Auditing IT Infrastructures for Compliance

CHAPTER 2
Overview of U.S. Compliance Laws

To stay compliant with regulations, you must first interpret the regulation. You must understand the gap between the regulation and your organization. The next step is coming up with a plan.

Finally, you must execute the plan and implement measures to report compliance. Without compliance laws and industry regulations, compliance means adhering to an organization’s internal policies. However, it is likely that, whatever your industry, compliance laws exist to which you must adhere. Many industry standards and government regulations affect IT operations. Remember, each country has its own laws and regulations. Thus, the number of compliance laws and regulations expands greatly. In this chapter, you will learn about many of the major regulations. Keep in mind that you are only scratching the surface. Other compliance regulations exist and are often specific to a particular industry.

Introduction to Public and Private Sector Regulatory Requirements

Dealing with regulatory requirements is a hard task for many organizations. Troubles come from two directions.

First, information technology personnel rarely have a legal background. Second, most requirements lack technical depth. This is because the people drafting the regulations lack an information technology background.

Many regulations are vague in their requirements. Therefore, proper technologies, depth of controls, and control frameworks become important tools. Nevertheless, it is first important to understand why these requirements exist. In addition, you must have a broad understanding of which requirements exist. Regulatory requirements exist at different levels. Those levels include state, federal, and international. In addition, industry consortiums propose requirements. It is important to know which regulations apply to your organization. This helps you ensure you stay compliant and prevents you from trying to solve the same problem twice. In most cases, you should consult corporate counsel or legal to help identify which regulations apply.

TECHNICAL TIP
Your internal policies should execute the regulatory policies with which you need to comply. Policies should follow a framework or complete structure. Having a framework demonstrates a company’s planned approach. Meanwhile, the policies demonstrate a company’s drive and support to be compliant. Take the time to properly build your internal policies. This rids you of many headaches in the event you must undergo an audit. In other words, ensuring your policies follow a solid framework to comply with different regulations really pays off.

Aside from legal, there are many available sources for IT compliance requirements. These include, for example:
• Text of laws
• Administrative code
• External auditors
• Internal auditors
• Industry associations
• Third-party guidelines

Regulatory compliance is nothing new. However, government oversight and strong compliance regulations greatly increased in the early 2000s. This was mainly due to corporate scandals—Enron, WorldCom, and others.

Consider how quickly the Web and other information technologies advanced. Then, the increased focus on IT and IT security becomes more apparent. Yet regulatory requirements and industry standards are not without their critics. Critics accuse requirements regulating publicly traded companies of putting U.S. corporations at a disadvantage. At the same time, they discourage listing on the U.S. stock exchanges. Further, critics describe laws regulating federal information systems as bureaucratic without helping security. Furthermore, consider the payment card standards. Critics call these standards unfair for small businesses and criticize the standards for failing to provide enough security.

Federal Information Security Management Act

The Federal Information Security Management Act of 2002 (FISMA) is contained within the E-Government Act of 2002, Public Law 107-347, as Title III. This act recognizes the importance of sound information security practices to the national security and economic well-being of the United States. This act was amended in 2014 by the Federal Information Security Modernization Act of 2014, which provides several key changes. The purpose of FISMA is to do the following:
• Provide a framework for effective information security resources that support federal operations, data, and infrastructure.
• Accept the interconnectedness of IT. Ensure effective risk management is in place.
• Ensure coordination of information security efforts between civilian, national security, and law enforcement communities.
• Facilitate the development and ongoing monitoring of required minimum controls to protect federal information systems and data.
• Provide for increased oversight of federal agency information security programs.
• Recognize that information technology solutions may be acquired from commercial organizations. Leave the acquisition decisions to the individual agencies.
The need for FISMA evolved during the 1990s. Government agencies’ IT systems became more like those of commercial organizations. They started to transition from traditional mainframe computing to internetworked systems. As the Web became commonplace, federal agencies started to develop their own Web sites and offer online services. There was a sudden awareness that systems were more open and vulnerable than before. This eventually got the attention of Congress.

FISMA tasked the National Institute of Standards and Technology (NIST) to develop and set standards and guidelines. These apply only to federal information systems. Standards help categorize information and the systems. They are developed using a risk-based approach. They include the minimum information security controls. For example, standards include the management, operational, and technical controls to apply to information systems. In support of FISMA, NIST developed the following publications:
• Federal Information Processing Standard (FIPS) Publication 199, “Standards for Security Categorization of Federal Information and Information Systems”
• FIPS Publication 200, “Minimum Security Requirements for Federal Information and Information Systems”
• NIST Special Publication 800-18, “Guide for Developing Security Plans for Federal Information Systems”
• NIST Special Publication 800-30, “Risk Management Guide for Information Technology Systems”
• NIST Special Publication 800-37, “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach”
• NIST Special Publication 800-39, “Managing Information Security Risk: Organization, Mission, and Information System View”
• NIST Special Publication 800-53, “Recommended Security Controls for Federal Information Systems”
• NIST Special Publication 800-53A, “Guide for Assessing the Security Controls in Federal Information Systems”
• NIST Special Publication 800-59, “Guideline for Identifying an Information System as a National Security System”
• NIST Special Publication 800-60, “Guide for Mapping Types of Information and Information Systems to Security Categories”

To comply with FISMA, the appointed inspector general of the agency performs a separate, annual evaluation.

The evaluation first tests the value of the IT security policies, procedures, and practices. A subset of the information systems within the particular agency is tested. If no inspector general exists, an independent external auditor performs it. The external auditor submits the results to the Office of Management and Budget (OMB). The OMB is a cabinet-level office within the Executive Office of the President of the United States with oversight responsibilities. The OMB compiles the data from each agency. The OMB then prepares an annual report to Congress on compliance with the act. At first, it appears only federal agencies need to worry about compliance, but this is not true. Federal agencies, for example, must care about their own systems as well as the systems of other contractors or organizations supporting the agencies. Any company or organization that expects to conduct business with the federal government needs to concern itself with FISMA. The changes signed into law in 2014 authorize the Secretary of the Department of Homeland Security (DHS) to assist the OMB. In addition, the changes affect reporting and notification requirements. Agencies are required to provide timely notification of major security incidents to the OMB. Agencies also are required to provide much more specific information related to threats and compliance.

U.S. Department of Defense Requirements

The United States Department of Defense (DoD) is a federal department. It is responsible for all agencies of the government relating to national security and the military. The DoD imposes many requirements on the management of their information systems. The same goes for organizations that work with, contract with, and provide services for the DoD. These requirements are within many federal laws and regulations. These laws span over a period of decades. Given the fast-paced changes around information technology, requirements have been rapidly evolving.
This is especially true as systems have moved from traditional mainframe computing to more distributed and interconnected computing. Information resource management (IRM) is the process of managing information resources to improve performance and accomplish the mission of defense agencies. The Paperwork Reduction Act of 1980 introduced IRM into law. This act provides the OMB with oversight concerning IRM. This oversight assumes that within the OMB’s policies, individual agencies can maintain their own IRM. In later years, various amendments strengthened the original implementation of the law. Most notably, agencies needed to develop processes to acquire, control, and assess information systems. In spite of these laws, the 1990s saw a large rise of distributed networking technology. This only created more IT management issues for the DoD. In 1996, Senator William Cohen led further reform. The reform streamlined the process of acquisition of IT resources. The position of chief information officer (CIO) was formed within federal departments and agencies.

This CIO position was previously the senior IRM official. Now the title was more like the civilian role and reported directly to the agency head. This gave it a more strategic focus with greater accountability to solve the IT problems plaguing the agencies.

There are many laws and regulations that apply to the DoD. These laws are both external and internal. They guide the operation, management, and protection of information systems. Three key United States federal laws are as follows:
• The Paperwork Reduction Act of 1995
• The Clinger-Cohen Act of 1996
• The E-Government Act of 2002

The Paperwork Reduction Act of 1995 furthers the goal of the original act (1980) to have federal agencies take more responsibility and be held more publicly accountable for reducing the paperwork they generate. The Clinger-Cohen Act of 1996, formerly the Information Technology Management Reform Act, improves upon the acquisition, use, and disposal of federal IT resources. This act is the basis for designating the Chief Information Officer within the Department of Defense. The Act includes 10 U.S. Code Section 2223, Information Technology: Additional Responsibilities of Chief Information Officers, and 10 U.S. Code Section 2224, Defense Information Assurance Program, which provide the basis for the following DoD directives:
• DoD Directive 5144.01, Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer—This assigns responsibilities, functions, relationships, and authorities to the DoD CIO.
• DoD Directive 8000.01, Management of the Department of Defense Information Enterprise—This provides guidance for creating an “information advantage” for the DoD and those that support its mission.

The E-Government Act of 2002 improves the management of electronic government services by establishing a framework that requires using the Internet and related technologies to improve citizen access to government information services. The act includes the following provisions:
• Federal Information Security Management Act of 2002 (FISMA)—This law establishes a framework for effective information security with regard to information resources that support federal operations.
• OMB Circular A-130, Management of Federal Information Resources—This includes procedural guidelines for the management of federal information resources and how to fulfill the mandate set by FISMA.
• OMB Circular A-11, Section 53, Information Technology and E-Government—This allows the agencies and OMB to review and assess IT spending across the federal government to provide for more effective operations, including ensuring privacy and compliance with other acts.

Certification and Accreditation and Risk Management Framework

As part of FISMA, all federal systems and applications must adhere to well-known security requirements. These requirements are documented and authorized. This process has traditionally been known as certification and accreditation (C&A). It is essentially a process of auditing systems before putting them in a production environment. The C&A process ensures that efforts are made to mitigate risks. Security controls on information systems must be properly implemented and maintained. It supports risk-management activities. In fact, the government has moved from its traditional C&A process, which relied on DoD-specific methodologies, to a six-step risk management framework (RMF) developed by NIST as part of NIST Special Publication 800-37, “A Guide for Applying the Risk Management Framework to Federal Information Systems.” At a high level, this allows the government to conduct consistent and repeatable assessments of security controls. They also gain awareness of risks and allow authorized officials to more confidently accredit or validate a system on an ongoing basis. Specifically, the RMF takes a less static approach than traditional C&A. RMF provides for better dynamic risk management, which is required in diverse and rapidly changing environments and threat landscapes.
The RMF includes an emphasis on the following:
• Near real-time risk management
• Continuous monitoring
• Building information security into enterprise architecture planning and the system development lifecycle
• Aligning information systems security risk with the organization’s overall strategy
• Establishing responsibility and accountability for security controls

As part of a C&A or process of producing information for senior or authorizing officials about the state of information systems, the following are required:
• System security plan—The requirements, agreed security controls, and supporting documents. Examples are network diagrams, data flows, and risk assessment.
• Security assessment report—The evaluation results of security controls. This report might also include recommendations.
• Plan of action and milestones—The details of mitigating controls. You may plan or apply controls to reduce vulnerabilities. You can also plan or apply measures to correct any deficiencies.

FIGURE 2-1 Six steps of RMF.

The six steps of the RMF are shown in Figure 2-1 and include the following:
1. Categorizing the information system, giving consideration to the related data and the impact as a result of an incident
2. Selecting a baseline set of controls based on the previous categorization and supplementing the baseline as appropriate
3. Implementing and documenting the security controls
4. Assessing the security controls to ensure they are producing the desired results
5. Authorizing the operation of the information system based on an acceptable level of risk
6. Monitoring the security controls continuously

FYI
Before adoption of the RMF, the DoD Information Assurance Certification and Accreditation Process (DIACAP) and its predecessor, the DoD Information Technology System Certification and Accreditation Process (DITSCAP), were other methodologies for evaluating and accrediting information systems within the Department of Defense.
Cybersecurity

Cybersecurity is the practice of protecting computers and electronic communication systems as well as the associated information. Department of Defense Instruction 8500.1 establishes cybersecurity policy and assigns responsibilities under Section 2224 of title 10 USC. The DoD cybersecurity program operates through defense in depth and integrating personnel, operations, and technology. This includes all DoD-owned and DoD-controlled information systems that use DoD information. The Department of Defense cybersecurity program outlines the controls that protect and defend information and information systems by ensuring confidentiality, integrity, and availability. It also provides authentication and nonrepudiation.

Confidentiality, integrity, and availability are common security objectives for information systems.

This forms the foundation for cybersecurity.
• Confidentiality—Ensuring that information is not disclosed to unauthorized sources. Loss of confidentiality occurs when data is open to some unauthorized entity or process.
• Integrity—Ensuring the protection against unauthorized modification or destruction of data. Integrity also includes the quality of an information system regarding logical completeness and reliability of the hardware, software, and data structures.

• Availability—Ensuring timely and reliable access to data and services for authorized users.

FIGURE 2-2 The C-I-A triad.

Figure 2-2 shows these three security objectives as a protective triangle. If any side of the triangle fails, security fails. In other words, threats to confidentiality, integrity, or availability represent risk. In addition, the DoD considers authentication and nonrepudiation as two additional measures. These two are joined with confidentiality, integrity, and availability. Authentication establishes the validity of a transmission, message, or originator. It also verifies an entity that has authorized access to information. Nonrepudiation provides assurance of proof of delivery and proof of identity. This way, neither party can later deny having processed or received the data.

Sarbanes-Oxley Act

The Sarbanes-Oxley Act of 2002, also known as Sarbox or SOX, is a U.S. federal law. It is the result of the Public Company Accounting Reform and Investor Protection Act and the Corporate Accountability and Responsibility Act.

Sarbanes-Oxley dramatically changed how public companies do business. The bill stems from the fraud and accounting debacles at companies such as Enron and WorldCom. Former President Bush characterized the act “as the most far reaching reforms of American business practices since the time of Franklin Delano Roosevelt.” The act’s primary purpose was to restore public confidence in the financial reporting of publicly traded companies. As a result, the act mandated many reforms to enhance corporate responsibility, enhance financial disclosures, and prevent fraud. Sarbanes-Oxley consists of the following 11 titles:
• Title I, Public Company Accounting Oversight Board (PCAOB)—This establishes the Public Company Accounting Oversight Board (PCAOB). The PCAOB has several responsibilities, including overseeing public accounting firms, defining the process for compliance audits, and enforcing SOX compliance.
• Title II, Auditor Independence—This establishes the conditions of services an auditor can perform while remaining independent. For example, a public accounting firm that performs external auditing services cannot provide financial information systems design or internal audit outsourcing services.
• Title III, Corporate Responsibility—This requires the formation of audit committees. It also establishes the interactions between the committee and external auditors. Perhaps one of the more notable mandates of SOX is contained in Section 302, which requires the chief executive officer (CEO) and the chief financial officer (CFO) to take individual responsibility in certifying and approving the integrity of the company’s financial reports.
• Title IV, Enhanced Financial Disclosures—This addresses the accuracy and features of financial disclosures. For example, this title specifically addresses and prevents what Enron did, such as selling liabilities on its balance sheet as assets to special purpose entities (SPEs). This title also contains the controversial Section 404. Section 404 requires companies to report the adequacy of their internal controls.
• Title V, Analyst Conflicts of Interest—This fosters public confidence in securities research. This title defines codes of conduct between firms.
• Title VI, Commission Resources and Authority—This provides greater authority to the SEC to fault or bar a securities professional from practice. This title also addresses the prevention of fraud schemes involving low-volume, low-price stocks.
• Title VII, Studies and Reports—This requires the comptroller general and the SEC to conduct studies and report their findings. Examples include studying the effects of the consolidation of public accounting firms as well as studying previous corporate fraud and accounting scandals.
• Title VIII, Corporate and Criminal Fraud Accountability—This provides the ramifications for corporate fraud and addresses the destruction of corporate audit records. This is a direct response to the auditing firm Arthur Andersen, which shredded documents.
• Title IX, White Collar Crime Penalty Enhancement—This reviews the rules and penalties regarding white-collar criminal offenses.
• Title X, Corporate Tax Returns—This simply states that the CEO should sign the company tax return.
• Title XI, Corporate Fraud Accountability—Also known as the Corporate Fraud Accountability Act of 2002, this title provides additional guidelines regarding consequences of corporate fraud. It also provides the SEC with the authority to freeze the funds of companies suspected of violating laws.

Sarbanes-Oxley is quite large and contains many reforms to rally public confidence. It also improves corporate accountability and helps to avoid corporate fraud and dishonesty. Two sections receive much of the attention, especially of IT.
The first is Section 302, “Corporate Responsibility for Financial Reports.” The second is Section 404, “Management Assessment of Internal Controls.” These two sections place vast constraints on IT security.

Although neither section mentions IT or IT security, financial accounting systems rely heavily on IT infrastructure. Thus, it has strongly driven the subject of IT security into the boardroom. Section 302 requires the CEO and CFO to personally certify the truthfulness and accuracy of financial reports. They establish and maintain internal controls. Then, they must assess and report upon the internal controls around financial reporting every quarter. Section 404 goes a step further. Section 404 requires the company to provide proof. Again, they must assess the effectiveness of their internal controls, which a public accounting firm must audit and attest. They then publish this information in the company’s annual report.

SOX is lengthy and is specific in many areas—for example, criminal penalties for noncompliance. It still is very high level and leaves a lot of room for interpretation, especially concerning IT controls. SOX does not directly address IT control requirements. As a result, you need to become familiar with a couple of publications.

These include the auditing standards created by the PCAOB and the SEC’s release on management guidance—17 CFR Part 241. In this codification, the SEC issued further interpretation and guidance regarding Section 404. It provides “an approach by which management can conduct a top-down, risk-based evaluation of internal control over financial reporting.” PCAOB also made a formal process to further define the criteria within Section 404. This process became Auditing Standard No. 2. This standard is now superseded by Auditing Standard No. 5, “An Audit of Internal Control Over Financial Reporting That Is Integrated with an Audit of Financial Statements.” Some notable changes to provide greater clarity and a more prescriptive approach include the following four areas:
• Aligning Auditing Standard No. 5 with the SEC’s management guidance, mostly with regard to prescriptive requirements and definitions
• Adjusting the audit to account for the particular circumstances regarding the different size and complexities of companies
• Encouraging auditors to use professional judgment, particularly in using a risk-assessment methodology
• Following a principles-based approach to determining when and to what extent the auditor can use the work of others to obtain evidence about the design and effectiveness of the control

The standard also states that the auditor should use the “same suitable, recognized control framework” as the management of the company they are auditing. Furthermore, it even goes as far as to suggest a suitable framework.

That framework is the Committee of Sponsoring Organizations (COSO) of the Treadway Commission.

Gramm-Leach-Bliley Act

Also known as the Financial Modernization Act of 1999, the Gramm-Leach-Bliley Act (GLBA) repeals parts of the Glass-Steagall Act from 1933. The Glass-Steagall Act prohibited banks from offering investment, commercial banking, and insurance services all under a single umbrella. GLBA deregulates the split of commercial and investment banking. GLBA also provides provisions for compliance within Sections 501 and 521 to protect the financial information held by the industry. This protection is on behalf of the consumers. GLBA generally applies to financial institutions or any organization “significantly engaged” in financial activities. Examples include banks and securities firms. More examples are firms dealing with mortgages, insurance, tax preparation, debt collection, and much more. The FTC maintains and enforces GLBA. To protect personally identifiable information (PII), GLBA divides privacy requirements into three principal parts:
• Financial Privacy Rule—The Financial Privacy Rule governs the collection and disclosure of customers’ personal financial information.
• Safeguards Rule—The Safeguards Rule requires financial institutions to develop, maintain, and implement policies. These policies should tell how they will protect customer information.
• Pretexting provisions—The Pretexting provisions protect consumers. This protection is from both individuals and organizations that obtain personal financial information under false pretenses.

The Financial Privacy Rule requires financial institutions to provide notices to their customers. The notices explain their privacy policies, specifically covering the information collection and sharing practices of the company. The consumer is also given control over limiting the sharing of their information or opting out. If the financial institution changes its policy, it must provide another notice to the consumer.

The Safeguards Rule requires financial institutions to develop an information security policy that considers the nature and sensitivity of the information they handle. The plan must include, and the company must comply with, the following:
• Designate at least one employee to coordinate an information security program.
• Assess the risks to customer information within each pertinent area of the company’s operation. Evaluate the effectiveness of the current safeguards and risk controls.
• Implement a safeguard program. Regularly monitor and test it.
• Choose service providers that can maintain appropriate safeguards, and govern their handling of customer information.
• Evaluate and adjust the security program in view of events and changes in the firm’s operations.

Likely, most organizations will protect against pretexting as part of their information security program. The best defense against pretexting is not technical, but rather awareness and training. Training is for both employees and customers. The Pretexting provision makes it illegal to do the following:
• Make a false, fictitious, or fraudulent statement or representation to obtain customer information from the financial institution or from its customers.
• Use forged, counterfeit, lost, or stolen documents to obtain customer information from the financial institution or from its customers.

Health Insurance Portability and Accountability Act

U.S. Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996. The primary purpose of the statute is twofold. First, it helps citizens maintain their health insurance coverage. Second, it improves the efficiency and effectiveness of the American health care system. It does so by combating waste, fraud, and abuse in both health insurance and the delivery of health care. The U.S. Department of Health and Human Services (HHS) is responsible for publishing requirements and for enforcing HIPAA laws. However, the Office for Civil Rights, a subagency of HHS, administers and enforces the Privacy Rule and Security Rule of HIPAA. These laws are divided across five titles, which include the following:
• Title I, Health Care Access, Portability, and Renewability
• Title II, Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform
• Title III, Tax-Related Health Provisions
• Title IV, Application and Enforcement of Group Health Plan Requirements
• Title V, Revenue Offsets

Much of the focus around HIPAA is within the first two titles.
Title I offers protection of health insurance coverage without regard to pre-existing conditions to those, for example, who lose or change their jobs. Title II provides requirements for the privacy and security of health information. This is often referred to as Administrative Simplification. The broader law calls for the following:
• Standardization of electronic data—patient, administrative, and financial—as well as the use of unique health identifiers
• Security standards and controls to protect the confidentiality and integrity of individually identifiable health information

As a result, the HHS has provided five rules regarding Title II of HIPAA. These include the Privacy Rule, the Transactions and Code Sets Rule, the Security Rule, the Unique Identifiers Rule, and the Enforcement Rule. These five rules affect information technology operations within organizations. Specifically, the Privacy Rule and Security Rule affect information security. HIPAA is primarily concerned with protected health information (PHI).

PHI is individually identifiable health information. PHI relates to physical or mental health of an individual. It can also relate to the delivery of health care to an individual as well as payment for the delivery of health care. The Privacy Rule went into effect in 2003. It regulates the use and disclosure of PHI by covered entities.

Covered entities, for example, include health care providers, health plans, and health care clearinghouses. In many ways, the Privacy Rule drives the Security Rule. Under the law, covered entities are obligated to do the following: • Provide information to patients about their privacy rights and how the information can be used. • Adopt clear privacy procedures. • Train employees on privacy procedures. • Designate someone to be responsible for overseeing that privacy procedures are adopted and followed. The Security Rule followed the Privacy Rule. Unlike the Privacy Rule, however, the Security Rule applies just to electronic PHI (ePHI). The Security Rule provides for the confidentiality, integrity, and availability of ePHI, and contains three broad safegu ards:

• Administrative safeguards
• Technical safeguards
• Physical safeguards

Each of the preceding safeguards consists of various standards. Each standard is either required or addressable. Required standards must be implemented, but addressable standards provide flexibility. This way, an organization can decide how to reasonably and appropriately meet the standard. Bear in mind, however, that addressable does not mean optional.

Administrative safeguards primarily consist of policies and procedures. They govern the security measures used to protect ePHI. Table 2-1 provides a summary of the administrative safeguards, including the required and addressable standards.

TABLE 2-1 HIPAA administrative safeguards and implementation specifications.

Physical safeguards include the policies, procedures, and physical controls put in place. These controls and documentation protect the information systems and physical structures from unauthorized access. The same goes for natural disasters and other environmental hazards. The physical safeguards include the four standards shown in Table 2-2, along with the implementation specifications.

TABLE 2-2 HIPAA physical safeguards and implementation specifications.

Technical safeguards consist of the policies, procedures, and controls put in place. These safeguards protect ePHI and prevent unauthorized access. Table 2-3 lists the five safeguards and corresponding implementation specifications.

TABLE 2-3 HIPAA technical safeguards and implementation specifications.

Although covered entities must comply with the previously listed safeguards and implementation specifications, there isn’t a safeguard listed that should surprise organizations. In fact, most of these safeguards are addressed through best practices for any sensitive information. In 2006, the Final Rule for HIPAA was issued—the Enforcement Rule—and set the penalties to be levied as a result of HIPAA violations.
The Enforcement Rule also established the procedures for investigations and hearings into noncompliance. The potential for increased enforcement of noncompliance with HIPAA was later introduced in 2009 when the Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law. HITECH was part of the American Recovery and Reinvestment Act (ARRA). In addition to laying the groundwork for increased enforcement, HITECH also adds requirements for breach notification. The notification is what an organization puts in action should PHI become disclosed in a readable—that is, nonencrypted—format.

Children’s Internet Protection Act

The Children’s Internet Protection Act (CIPA) is a federal law introduced as part of a spending bill that passed Congress in 2000. The FCC maintains and enforces CIPA. This act addresses concerns about children’s access to explicit content (such as pornography) online at schools and libraries by requiring the use of Internet filters as a condition of receiving federal funds. CIPA is a result of previous failed attempts at restricting indecent content.

The Communications Decency Act and the Child Online Protection Act faced Supreme Court challenges over the United States First Amendment. The reason was that each act violated the right of free speech contained within the Constitution. CIPA does not provide any additional funds for the purchase of mechanisms to protect children from explicit content. Instead, conditions are attached to grants and to the use of E-Rate discounts. E-Rate is a program that makes Internet access more affordable for schools and libraries.

CIPA requires schools and libraries to certify compliance by implementing an Internet safety policy and “technology protection measures.” This means having technology in place that blocks or filters Internet access to material that is obscene, harmful to minors, or child pornography. This includes implementing a safety policy and controls that address the following:

• Access by minors to “inappropriate matter” on the Internet
• The safety and security of minors when using electronic communication such as e-mail, chat rooms, and instant messaging
• Unauthorized access and unlawful activities by minors
• Unauthorized disclosure, use, and dissemination of personal information regarding minors
• Measures restricting minors’ access to harmful materials

Before implementing the policy and controls, however, the law also requires schools or libraries to first provide public notice and to hold a public hearing to address the proposed Internet safety policy. You might have noticed that the term inappropriate matter could be considered vague and controversial. As a result, the act is clear in stating that the government may not establish the criteria for making such a determination. The act states that the determination is made at the local level by the school board, local educational agency, or library. Finally, schools and libraries must comply with one more step before they can receive the E-Rate. They must certify they have an Internet safety policy in place meeting the preceding requirements. Noncompliance with the law occurs if there is a failure to submit for certification. In this case, the institution will not be eligible for services at the discounted rate. In addition, an institution that fails to ensure the computers are used in accordance with its certification will be required to reimburse all funds and discounts for the certification period.
Children’s Online Privacy Protection Act

Like CIPA, the Children’s Online Privacy Protection Act (COPPA) is a United States federal law designed to protect children. COPPA is maintained and enforced by the FTC. COPPA requires Web sites and other online services aimed at children less than 13 years of age to comply with specific requirements of the law. In 2013, the FTC implemented new provisions, which provide additional protections to keep pace with the changes in technology. The FTC also introduced a six-step plan to understand if an organization is required to comply with COPPA, and if so, how to be compliant. The six steps are as follows:

1. Determine if your company is a Web site or online service that collects personal information from kids under 13.
2. Post a privacy policy that complies with COPPA.
3. Notify parents directly before collecting personal information from their kids.
4. Get parents’ verifiable consent before collecting information from their kids.
5. Honor parents’ ongoing rights with respect to information collected from their kids.
6. Implement exceptions to COPPA’s verifiable parental consent requirement.

With Step 1, an organization will likely need to consult the law and to understand precisely how terms are defined. For example, what does it mean to collect, or what exactly is considered personal information? Online services are obliged to comply with COPPA if asking for information that would even imply a child is less than 13 years of age—for example, “Do you now attend elementary school?” After it is determined that COPPA applies, the next step requires creation of a privacy policy. COPPA requires that the privacy policy list all operators who are collecting information. In addition, it must list an operator who will respond to any and all queries from parents. Next, the privacy policy must contain a complete description of the personal information that is collected and for what purposes.
Finally, the policy must state the rights afforded to parents. For example, this must include a notice that parents have the right to review the information collected on their child and even to direct that the collected data be deleted. Except for limited classes of information, COPPA requires that parents be notified before data is collected from their children. The rule provides very specific requirements that must be met with regard to such notice.

Once notification requirements are met in Step 3, Step 4 requires verifiable consent. While the means of providing such consent is left up to the requesting organization, the rule does provide several examples of acceptable methods. One simple example is a signed consent form via fax, mail, or electronic scan. Another is entry of a credit or debit card number when coupled with a financial transaction. The final two steps impose continual obligations on the entity complying with COPPA. With Step 5, parents may ask to review, revoke, or delete the child’s information at any time. Such requests must be honored by the complying organization. At the same time, the organization must take necessary precautions, such as taking reasonable measures to ensure that parents are in fact who they say they are. The final step provides rules around the need to protect the confidentiality and integrity of the information collected as well as to ensure that adequate retention and disposal practices are maintained.

Family Educational Rights and Privacy Act

The Family Educational Rights and Privacy Act (FERPA) of 1974 is a U.S. federal law. FERPA protects the privacy of student education records. It also provides parents certain access rights to the student’s educational records.

Parental access rights stop once the student enters post-secondary education or the student turns 18 years old.

The regulation applies to educational institutions that receive federal funding from the U.S. Department of Education.

Educational agencies or institutions should notify parents or eligible students of their rights under the law annually. The notice includes the right to do the following:

• Review the student’s educational records. Under most situations, the school is not required to provide copies. They may charge to provide copies.
• Seek correction or revision of the educational records if believed to be inaccurate or a violation of privacy. If the school doesn’t make any amendments, a formal hearing may be requested. If the school still doesn’t make any changes, the parent or eligible student may place a statement regarding the content in question in the record.
• Consent to disclosure of educational records. Schools may disclose directory information. However, schools must give parents or eligible students an opportunity to restrict disclosure of the information. Disclosure of educational records and nondirectory information without consent is permitted under certain conditions of the law.
• File a complaint with the department regarding failure to comply with the act.

As the name implies, directory information is personal data that you can find in publicly available sources. For example, a publicly available source could be a phone book or yearbook. Such information is not considered a harmful invasion of privacy. Examples of directory information include the following:

• Name
• Address
• Telephone number
• Date and place of birth
• Honors and awards
• Dates of attendance

Nondirectory information, on the other hand, includes, for example, Social Security numbers and transcripts.

In 2008, relevant joint guidance was published: “Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to Student Health Records.” Many schools and universities operate health clinics. Thus, it is important to note that educational and health records kept at health facilities on campus are only subject to FERPA and not HIPAA. If the institution is a post-secondary school that provides health care to nonstudents, the health information of the nonstudent patients is subject to HIPAA. Compliance with the law is typically the responsibility of the registrar’s office, which in turn works with legal counsel. However, IT professionals should be involved in the process and understand FERPA to ensure compliance. The act was originally drafted in 1974, so distributed networked computer technology was not around yet. Therefore, interpretation of the law is sometimes needed. Recent changes do help accommodate this technical evolution. Consider that the real meaning of FERPA is access and confidentiality—access in that parents or eligible students must be permitted access to their records, and confidentiality in that education records must be protected and not released without written consent. Then, consider the number of electronic records relating to students that are likely to be stored on file servers and within databases. Compliance is more difficult because IT makes tasks so easy, such as submitting and retrieving grades electronically, obtaining Web-based financial aid, and registering for courses. Under the FERPA Final Rules issued in 2008, FERPA does address further requirements and guidelines around information systems.
The changes also urge “educational agencies and institutions to utilize appropriate methods to protect education records, especially in electronic data systems.” The update also addresses several examples of data breaches and the unauthorized disclosure of information. It also expresses concerns that data may be compromised as a result of failure to implement proper security controls. Yet the update does not dictate how to properly safeguard electronic records, but instead offers additional resources—for example, NIST—on how to protect the information.

NOTE
FERPA now provides suggestions on what to do in the case of an inadvertent release of data on the Internet or other unauthorized disclosure. In case of unauthorized disclosure, FERPA doesn’t require notification. That is, the school does not have to issue direct notices to the parents or students. However, it does require the school to maintain a record of the disclosure. FERPA advises that direct notification should occur if the unauthorized disclosure might lead to identity theft. Nevertheless, other laws might still require institutions to provide direct notification.

Payment Card Industry Data Security Standard

You may recall that TJX is a company that suffered a serious breach in which it had millions of credit card numbers stolen. TJX was not the first, however, nor is it the last. Individual credit card companies started formulating programs to prevent breaches from occurring. These programs ensured that merchants meet baseline security requirements for how they store, process, and transmit payment card data. The five leading credit card companies—Visa, MasterCard, American Express, JCB, and Discover—came together and formed the Payment Card Industry Security Standards Council (PCI SSC) in 2004. To help organizations that process card payments prevent credit card fraud, PCI SSC created the Payment Card Industry Data Security Standard (PCI DSS).
PCI DSS is a set of requirements that prescribe operational and technical controls to protect cardholder data. Adhering to PCI DSS requires three ongoing steps:

• Assess—Identify cardholder data as well as all related IT infrastructure and processes. This involves making sure adequate controls are in place and testing for vulnerabilities.
• Remediate—Eliminate the storage of unnecessary data and fix discovered vulnerabilities.
• Report—Submit validation records and compliance reports.

FYI
Compliance with PCI DSS is required for merchants and credit card processors. However, the PCI Security Standards Council also provides guidance for software developers of payment application systems and for manufacturers of PIN transaction systems. PCI PIN Transaction (PTS) Security Requirements are geared to the management of the devices used to protect cardholder PINs. Payment Application Data Security Standard (PA-DSS) is for the software developers of payment applications.

PCI SSC manages the overall program. However, card vendors have their own programs for compliance and enforcement. Determination of requirements depends on the volume of card transactions that take place. Any organization, however, that holds, processes, or passes cardholder data must undergo annual assessment. The assessment is required regardless of amount. In general, organizations that process a smaller number of transactions might only need to complete a self-assessment questionnaire (SAQ). Organizations with high-volume transactions must meet other requirements, such as assessment by an independent firm. The firm must be designated as a Qualified Security Assessor (QSA). (A QSA is an organization qualified and authorized to perform PCI compliance assessment.) In addition, requirement 11.2 requires vulnerability scans. The scans are done quarterly and are performed by a PCI Approved Scanning Vendor (ASV).
(An ASV is a qualified and approved company able to perform PCI vulnerability scans and assessment.)

TIP
PCI DSS is unlike most regulatory laws in one way. It is very specific with regard to requirements and expectations.

The requirements generally follow security best practices and use the 12 high-level requirements, aligned across six goals, as shown in Table 2-4. Each requirement listed in the table consists of various subrequirements. Also included are procedures for testing. These must be documented as either being in place or not in place. Consider requirement 8, for example. It requires a unique ID to be assigned to each person with computer access. Within the security standard, this requirement actually consists of 21 subrequirements. Many of them are very specific. For example:

• Incorporate two-factor authentication for remote access.
• Set first-time passwords to a unique value and change immediately after first use.
• Remove or disable inactive accounts at least every 90 days.

• Require a minimum password length of at least seven characters.

TABLE 2-4 Goals and high-level requirements for PCI DSS.
(Columns: GOALS, HIGH-LEVEL REQUIREMENTS. Goals recoverable from the extracted table: Protect cardholder data. Implement strong access control measures. Maintain an information security policy. Source: PCI SSC, https://www.pcisecuritystandards.org.)

Since PCI DSS started, the Security Council has released several supplemental documents, including the following:

• Information Supplement: Requirement 11.3 Penetration Testing—This provides clarification around penetration testing. It also discusses the difference from the PCI DSS–required vulnerability assessments.
• Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified—This recognizes the complexity and the possible unfeasibility of the original requirement. It provides further guidance regarding the intent and alternatives.
• Navigating the PCI SSC—Understanding the Intent of the Requirements—This provides further discussion regarding the purpose of each of the requirements.
• Information Supplement: PCI DSS Wireless Guidelines—This provides further guidance and suggestions for deploying 802.11 wireless local area networks (WLANs).

Red Flags Rule

Based on the Fair and Accurate Credit Transactions Act of 2003, the Red Flags Rule was created to establish a procedure for identifying possible instances of identity theft. The FTC along with the credit union and banking regulatory agencies created the Red Flags Rule. They are also responsible for enforcing it. The Red Flags Rule requires all financial institutions and creditors to implement an identity theft prevention program. The goal is to detect warning signs or red flags of identity theft.
The law applies to financial institutions such as banks, savings and loan associations, and credit unions. The law applies to any entity where a consumer has an account that conducts payments or transfers, such as a checking account. In addition, the law applies to creditors. Creditors extend, renew, or continue credit. Examples include finance companies, mortgage brokers, utility companies, and automobile dealers. For both financial institutions and creditors, the law applies only to covered accounts. An account is a covered account when there is a foreseeable risk of identity theft. A common example is an account used for household purposes. This includes such things as credit card accounts, mortgage loans, broker margin accounts, checking accounts, and so on.

To comply with the Red Flags Rule, financial institutions and creditors must follow four basic elements. These involve having appropriate policies and procedures in place to do the following:

• Identify red flags for covered accounts.
• Detect red flags.
• Respond to those red flags.
• Update the program periodically.

Financial institutions are first responsible for identifying red flags for covered accounts. The regulation does not demand specific red flags. Instead, it requires the financial institution or creditor to identify and create a list of red flags on its own. The regulation offers guidelines, however, in identifying red flags. Table 2-5 lists the five categories provided by the regulation and includes an example of each. After creating the list of relevant red flags, the institutions must then put programs and procedures in place to be able to detect the red flags. The regulation provides very little guidance on how to do this, other than saying what most institutions are already doing. For example, guidance might include getting unique information, verifying that the person opening the account gives accurate and real information, and ensuring transactions are monitored. For many organizations, effective detection relies on technology solutions that specifically focus on authentication and fraud monitoring.

TABLE 2-5 Red flag categories and an example of each.

NOTE
The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace. In addition, it provides information to help consumers identify, prevent, and stop such activity.

Next, the financial institutions and creditors must respond to the red flags. This prevents and lessens identity theft. Organizations must respond accordingly. For example, this ranges from contacting the customer to notifying law enforcement. Finally, financial institutions and creditors should know that risks to customers and themselves are constantly changing.
On one hand, business changes can affect risk tolerance. Examples include mergers and acquisitions as well as changes in the type of accounts offered to customers. On the other hand, methods of identity theft and how it’s detected and prevented are constantly changing. A game of cat and mouse is the best way to describe the relationship among fraudsters, law enforcement, and vendors that provide prevention and detection tools.

TABLE 2-5 (partial row recovered from extraction; the remaining rows were lost)
CATEGORY: Alerts, notifications, or other warnings received from consumer
EXAMPLE: A recent and significant increase in inquiry

KEY CONCEPTS AND TERMS

10 U.S. Code Section 2223, Information Technology: Additional Responsibilities of Chief Information Officers
10 U.S. Code Section 2224, Defense Information Assurance Program
Acts of Congress
Approved Scanning Vendor (ASV)
Availability
Certification and accreditation (C&A)
Children’s Internet Protection Act (CIPA)
Children’s Online Privacy Protection Act (COPPA)
Clinger-Cohen Act of 1996
Confidentiality
Cybersecurity
E-Government Act of 2002
Family Educational Rights and Privacy Act (FERPA)
Federal Information Security Management Act of 2002 (FISMA)
Gramm-Leach-Bliley Act (GLBA)
Health Information Technology for Economic and Clinical Health (HITECH) Act
Health Insurance Portability and Accountability Act (HIPAA)
Information resource management (IRM)
Integrity
Paperwork Reduction Act of 1995
Payment Card Industry Security Standards Council (PCI SSC)
Pretexting
Protected health information (PHI)
Public Company Accounting Oversight Board (PCAOB)
Qualified Security Assessor (QSA)
Red Flags Rule
Regulatory agencies
Risk management framework (RMF)

1. Which of the following acknowledges the importance of sound information security practices and controls in the interest of national security?
   A. FISMA
   B. GLBA
   C. HIPAA
   D. FACTA
   E. FERPA

2. What organization was tasked to develop standards to apply to federal information systems using a risk-based approach?
   A. Public Entity Risk Institute
   B. International Organization for Standardization
   C. National Institute of Standards and Technology
   D. International Standards Organization
   E. American National Standards Institute

3. RMF provides for the authorization of the operation of an information system based on an acceptable level of ________.

4. Which of the following organizations was tasked to develop and prescribe standards and guidelines that apply to federal information systems?
   A. NIST
   B. FISMA
   C. Congress
   D. PCI SSC
   E. U.S. Department of the Navy

5. What section of Sarbanes-Oxley requires management and the external auditor to report on the accuracy of internal controls over financial reporting?
   A. Section 301
   B. Section 404
   C. Section 802
   D. Section 1107

6. Sarbanes-Oxley explicitly addresses the IT security controls required to ensure accurate financial reporting.
   A. True
   B. False

7. Which of the following was established to have oversight of public accounting firms and is responsible for defining the process of SOX compliance audits?
   A. COSO
   B. Enron
   C. PCAOB
   D. Sarbanes-Oxley
   E. None of the above

8. Which of the following is not one of the titles within Sarbanes-Oxley?
   A. Corporate Responsibility
   B. Enhanced Financial Disclosures
   C. Analyst Conflicts of Interest
   D. Studies and Reports
   E. Auditor Conflicts of Interest

9. Which one of the following is not considered a principal part of the Gramm-Leach-Bliley Act?
   A. Financial Privacy Rule
   B. Pretexting provisions
   C. Safeguards Rule
   D. Information Security Rule

10. Which regulatory department is responsible for the enforcement of HIPAA laws?
   A. HHS
   B. FDA
   C. U.S. Department of Agriculture
   D. U.S. EPA
   E. FTC

11. Which one of the following is not one of the safeguards provided within the HIPAA Security Rule?
   A. Administrative
   B. Operational
   C. Technical
   D. Physical

12. In accordance with the Children’s Internet Protection Act, who determines what is considered inappropriate material?
   A. FCC
   B. U.S. Department of Education
   C. The local communities
   D. U.S. Department of the Interior Library
   E. State governments

13. While the Family Educational Rights and Privacy Act prohibits the use of Social Security numbers as directory information, the act does permit the use of the last four digits of a SSN.
   A. True
   B. False

14. PCI DSS is a legislative act enacted by Congress to ensure that merchants meet baseline security requirements for how they store, process, and transmit payment card data.
   A. True
   B. False

15. To comply with the Red Flags Rule, financial institutions and creditors must do which of the following?
   A. Identify red flags for covered accounts.
   B. Detect red flags.
   C. Respond to detected red flags.
   D. Update the program periodically.
   E. All of the above
   F. Answers B and C only