INFORMATION SECURITY®

ESSENTIAL GUIDE TO COMPLIANCE

Compliance with federal and industry regulations drives spending and how most information security programs are shaped. There’s no avoiding it. We’ll help you sort and prioritize your responsibilities.

INSIDE

8 PCI Update: Clarity or Confusion?
15 New Mandates: Massachusetts and Nevada
23 HIPAA Gets Some Teeth
32 Disproportionate Pain
39 Prioritize Information Security over Compliance

INFOSECURITYMAG.COM


CONTENTS: ESSENTIAL GUIDE TO COMPLIANCE

FEATURES

8 PCI Update: Clarity or Confusion? (PCI DSS)
What you can expect from this fall’s update to the Payment Card Industry’s Data Security Standard. BY GEORGE V. HULME

15 New Mandates (State Data Protection Acts)
Massachusetts and Nevada usher in a new generation of data protection laws. BY RICHARD MACKEY

23 HIPAA Gets Some Teeth (HIPAA)
The HITECH Act expands on HIPAA’s security requirements and increases penalties for non-compliance. BY MARCIA SAVAGE

32 Disproportionate Pain (SOX)
Smaller public companies bear significantly higher pain in terms of revenue and costs per employee complying with Sarbanes-Oxley. BY NEIL ROITER

39 Prioritize Information Security Over Compliance (Risk Management)
Organizations need to prioritize security over compliance to ensure comprehensive risk mitigation. BY TONY SPINELLI

44 Advertising Index

I N F O R M AT I O N S E C U R I T Y • ESSENTIAL G UIDE • COMPLIANCE


EDITOR’S DESK

No Token Gesture

BY MICHAEL S. MIMOSO

The PCI Security Standards Council needs to embrace tokenization.


“There are things being negotiated now that are gonna solve all your problems and answer all your questions. That’s all I can tell you now…” —Michael Corleone.

OK, so it’s a stretch to associate The Godfather with tokenization, but it’s a segue to a shoutout to the PCI Security Standards Council: Move swiftly and formally approve and recognize tokenization as a means of protecting cardholder data and achieving PCI compliance. It’s the right thing to do. Tokenization makes so much sense on so many levels that it’s silly not to do so. Let’s hope that it’s true that the standards council is indeed mulling this over and rolls out some guidance for merchants in the near future.

For the uninitiated, tokenization is technology that replaces credit card numbers, or any identifiers, with unique symbols. Tokenization technology, unlike encryption, can either replace data with similar data types, use reversible algorithms to replace characters, mask data or randomize data with ranges of similar data types, according to expert Randall Gamby. In a transaction, the actual credit card number is present only in the initial request and is not stored on the point-of-sale system. This is key for merchants. It’s also kept out of the transaction data as it moves across and between networks. The token is useless to an attacker because it holds no real value in terms of sensitive data. This is unlike encryption, which does a great job of scrambling information, but the sensitive data is still moved on the wire. And at several points during a transaction, it can be decrypted and encrypted again, putting the data and keys in harm’s way.

What merchant wouldn’t want this scenario? What auditor wouldn’t approve this scenario and facilitate compliance with PCI, for example? Tokenization would remove from the merchant the burden of storing credit card numbers, one of the biggest money pits in all of compliance.

So what’s standing in the way? Well, Forrester Research says that tokenization is immature and vendors are trying to build products that are solid and up to industry specs. They recommend slow rollouts of tokenization, watching carefully for changes in the attack landscape that could quickly make current tokenization implementations obsolete (think: WEP for wireless security). They also urge merchants to have a clear understanding of how card numbers are captured (whether the card is present) and how tokenization systems handle each scenario. And finally, Forrester says you need to leverage tokenization for more than PCI, i.e., for personal employee data, or to tokenize production data for testing environments.


Just as encryption has enjoyed a resurgence, we’re looking at tokenization as a disruptive technology. Tokenization requires in most cases a server that will reverse the tokenization process and render the correct information. It eliminates the need for expensive encryption and key management solutions and processes data much more efficiently. It’s a no-brainer.

So PCI Security Standards Council, do what you have to do behind the scenes to appease the encryption vendors. Educate the QSAs. Talk to the merchants. Listen to the experts. Tokenization makes too much sense. It’s an offer you shouldn’t refuse.

Michael S. Mimoso is Editorial Director of the Security Media Group at TechTarget.
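The column above describes a vault server that reverses tokenization, and a token that holds no value outside that vault. The Python below is an added example written for this guide, not code from the column or from any tokenization vendor: a toy vault (the `TokenVault` class and `pos_checkout` helper are hypothetical names) that issues a random token preserving the card number's length and last four digits, keeps the token-to-PAN mapping only inside the vault, and returns the same token for a repeat card so merchant analytics still work. One design choice is mine, not the column's: a candidate token that would pass the Luhn check is rejected, so a token can never be mistaken for, or used as, a real card number. The sample card number is the well-known Visa test value, a constructed input rather than a real account.

```python
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn check that real primary account numbers (PANs) satisfy."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_well_formed_pan(pan: str) -> bool:
    """Digits only, plausible length, and Luhn-valid."""
    return pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)


class TokenVault:
    """Hypothetical token vault (added example, not any vendor's product).

    The token -> PAN mapping exists only in this object. Everything outside
    the vault (POS terminal, order database, logs) handles the token alone.
    """

    def __init__(self) -> None:
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        """Return the token for `pan`, issuing a new one if it has not been seen."""
        if not is_well_formed_pan(pan):
            raise ValueError("not a well-formed PAN")
        if pan in self._pan_to_token:
            # Same card -> same token, so repeat-customer analytics keep working
            return self._pan_to_token[pan]
        while True:
            # Random body from a CSPRNG; keep the length and the last four digits,
            # which receipts and customer-service screens commonly display
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # A token must never itself be a usable card number, and must be unique
            if luhn_valid(token) or token in self._token_to_pan:
                continue
            self._token_to_pan[token] = pan
            self._pan_to_token[pan] = token
            return token

    def detokenize(self, token: str) -> str:
        """Only the vault can turn a token back into the PAN."""
        return self._token_to_pan[token]


def pos_checkout(vault: TokenVault, pan: str) -> dict:
    """Simulate the point-of-sale flow the column describes: the PAN appears
    once, in the initial request to the vault; the record the merchant keeps
    afterwards holds only the token."""
    token = vault.tokenize(pan)
    return {"stored_token": token, "last4": token[-4:], "pan_stored": False}


if __name__ == "__main__":
    vault = TokenVault()
    record = pos_checkout(vault, "4111111111111111")   # constructed test PAN
    print("merchant stores:", record)
    print("vault can recover:", vault.detokenize(record["stored_token"]))
```

The merchant-side record never contains the card number, so a breach of the order database yields only tokens; the vault, with its mapping, is the one system that needs the full cardholder-data protections.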



PCI DSS


PCI UPDATE: CLARITY OR CONFUSION?

What you can expect from this fall’s update to the Payment Card Industry’s Data Security Standard.

BY GEORGE V. HULME

PCI DSS has become one of the most controversial standards on the books. Many argue that PCI DSS has made great inroads in improving credit card security. Others contend the standard is a distraction from true security, and that the effort is too prescriptive, confusing, and artificially sets the bar for security and compliance too low. This fall, the PCI Security Standards Council is expected to release a series of updates to the standard.


PCI VIRTUALIZATION AND IN-SCOPE GUIDANCE COMING


What can retailers, merchants and others who handle credit card data expect? Most are hoping for a number of updates that will remove perceived overly subjective interpretations, settle questions of scope and answer long-awaited virtualization security questions. Sometime this summer, summaries of the updated clarifications and guidance will be released publicly for review, and after the final review and comment process, the updates will be finalized for release in the first week of November. According to Bob Russo, general manager, PCI Security Standards Council, most of the updates this year will come in the form of standard clarifications, as well as the release of guidance.

The virtualization update, led by the virtualization special interest group (SIG), is expected to clarify existing ambiguity around how merchants can utilize virtualization technologies and still maintain compliance. “The council does need to provide a supplementary guide for virtualization as there has been plenty of confusion in the marketplace,” says Anton Chuvakin, Ph.D, independent security consultant and co-author of PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance. “Section 2.2.1 states that there can only be one function per server. If the council means physical server, then that would, in effect, ban virtualization. But it could also mean virtual servers; and in that case merchants can use one physical server running separate, but dedicated virtual servers,” he says. “But they have yet to officially explain what is allowed, and how that all fits together.”

How is such haziness in the standard currently clarified should retailers deploy virtualization? Those that do must assert to their Qualified Security Assessor (QSA) that each virtual machine is, in fact, a dedicated server. And, unfortunately, the outcome boils down to the interpretation of the standard by their individual QSA.

“Some merchants are moving forward and adopting virtualization, while others have put off embracing it around payment systems,” says Josh Corman, research director for research firm 451 Group’s enterprise security practice. But the question remains: why, with virtualization hitting its stride back in 2006, has it taken the PCI Security Standards Council so long to address virtualization? “Everyone initially thought virtualization guidance was coming out in October 2008, and it didn’t. We had to wait another two years to adopt cost savings technology? That is just ridiculous,” says Corman.

Scott Crawford, managing research director, Enterprise Management Associates, however, argues that developing the appropriate level of virtualization security controls isn’t as straightforward as it may seem. “Virtualization technology, for example, can be deployed in a number of different ways. And some approaches are vendor- or implementation-specific to boot. Defining an approach that is too prescriptive may not address the full scope of the issue, or may add substantially to the sheer volume of requirements if regulators attempt to cover all of the potential bases,” he warns.

Another highly anticipated update this year is expected to be clarification surrounding what systems are in, and out, of PCI DSS regulatory scope. “I would argue some of the clarifications coming from the scoping SIG are going to be the most important,” says Michael Dahn, PCI principal at Verizon Business, and member of both the virtualization and scoping SIGs. “That’s where people find the most gray areas under the mandate.” Generally, PCI DSS scope is defined as any system that stores or processes unencrypted credit card data. Sounds clear-cut. Yet while a business may separate all systems that store or process credit card data, it still may use a shared Active Directory, or perhaps a shared administrative LAN, to manage other areas of its infrastructure as well as those systems dedicated to payments. “There’s nothing to say that the Active Directory or administrative LANs are in scope, but there’s nothing to say that they aren’t, either. And it’s a gray area that continuously comes up,” Dahn says.

What is not expected to be in the update is any further guidance when it comes to cloud computing. “Ultimately, it is the merchant’s responsibility to make sure that they have the right contracts in place, and make certain that their providers are working in a compliant manner,” says Russo. “As part of their due diligence, merchants need to make sure they are dealing with someone reputable,” he adds. “The council will continue to rely on section 12.8, which governs the use of third-party providers, and states that the merchant must ensure that the provider is compliant to PCI DSS,” says Chuvakin. For many, that’s not enough clarity, and it will continue to be a sticking point for some time to come. “There are too many vagaries associated with making sure service providers are compliant,” says Gartner IT security, fraud, and PCI compliance analyst Avivah Litan. “What’s needed and warranted is specific advice on how to make sure service providers are compliant, and what that means to the compliance status of the service providers.”


IMPACT: For Better, or Worse?

Experts debate whether PCI has improved credit card security.

Is PCI DSS a merchant security savior, or antagonist? Strong arguments are made on both sides of the debate. Some contend that prior to PCI DSS, retailers and payment processors did hardly anything to ensure credit card security. “PCI has improved security,” says Gartner IT security, fraud, and PCI compliance analyst Avivah Litan. “Unfortunately, compliance typically drives implementation of security solutions, and the fact that merchants have had to comply with PCI has forced them to pay attention to the security in their environments and work on improving it,” she adds.

That was certainly the spirit of PCI DSS when, by 2004, it became clear that when it came to securing credit card data something had to improve. Roughly a year after California enacted its data breach notification act, SB 1386, reports of breached credit card and other financial information were beginning to flow furiously. Among the breaches in that era was one of the largest of all time, CardSystems Solutions, encompassing 40 million credit card records in 2005. Going into effect in 2004, the Payment Card Industry Data Security Standard (PCI DSS) aimed to stem the tide of credit card breaches and lower the costs of fraud on the industry and consumers. PCI’s 12 discrete security requirements establish common procedures and security practices for handling, processing, storing and transmitting credit card data. Those mandates call on retailers and payment processors to create a risk management program that includes segmenting cardholder data, encryption, vulnerability management, and running antivirus software and intrusion detection systems, among other requirements.

However, many merchants argue that the standard has been confusing to comply with, and excessively expensive to maintain. That’s a contention many PCI DSS experts disagree with. “I say PCI DSS ‘done wrong’ is usually expensive,” says Anton Chuvakin, Ph.D, independent security consultant and co-author of PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance. “For instance, securing a flat network is very hard and expensive, and securing card data on legacy systems is expensive. In those scenarios, it is usually cheaper to reconsider business processes that utilize card data and streamline them,” he says.

Scientific data as to whether those efforts have increased overall merchant security is difficult, if not impossible, to uncover. However, according to the DataLoss Database, run by the Open Security Foundation, there were 24 incidents involving credit card data in 2005, while for all of 2009 there were 86. “There’s no doubt that the frequency of credit card breaches, and the number of cards involved in those breaches, has been increasing,” says Josh Corman, research director for research firm 451 Group’s enterprise security practice. Still, that data doesn’t necessarily mean that PCI DSS has failed, as the trend could be attributed to an increase in the number of states with database breach disclosure laws on the books as well as more merchants accepting online payments.

When it comes to the overall impact PCI DSS has had on retailer security, some argue that the standard actually leads some businesses to get by with less security than they would have otherwise. “I think a lot of people miss the point that PCI was really intended to be the floor, not the ceiling. It was intended to define at least a minimum standard. Many organizations subject to it, however, too often see it as the ceiling: ‘If I’m in compliance, then I don’t need to do more,’” says Scott Crawford, managing research director, Enterprise Management Associates.

—GEORGE V. HULME

PCI’S UPDATE TIMETABLE UNDER SCRUTINY

Some contend that PCI DSS moves too slowly to adapt to rising new technologies and attack trends. For instance, years ago a number of high-profile retail breaches were blamed, at least partially, on insecure wireless LANs, such as the famous TJX Companies attack discovered in December 2006. But it wasn’t until July 2009 that the PCI Security Council released a 28-page wireless security guide that provided guidance on how merchants could safely utilize wireless LANs in their operations. “There is turbulent, rapid change in the IT industry, and to have a list of static controls just doesn’t seem to make sense,” says Corman. “You can regulate things such as car seat belts because the laws of physics don’t change, but attack techniques change all of the time, and PCI DSS moves too slowly to adapt to the threats,” Corman says.

Others argue that compliance to PCI DSS should be agnostic of technological change. “If we constantly wait for someone to be prescriptive about how we are going to apply a control, then we are thinking about it the wrong way,” says Dahn. “Each of the PCI DSS requirements: restricting access, access controls, audit logging, network segmentation, antivirus, two-factor authentication, and others can all be applied to any technology,” he says.

However, some businesses have shied away from innovative technologies out of the simple fear that they may not pass a PCI DSS audit. “Sometimes these mandates can stop innovation,” says Corman. “If your business wants to change and outsource or embrace cost-saving technology, PCI DSS mandates can force them to put on the brakes,” he says.

Those who would like to see a more agile, rapidly updated standard could be in for even more disappointment as the council is currently looking at the possibility of moving to a three-year update cycle for the standard. “We are always looking for ways to improve the standard, and one of those is how to improve the update cycle. Some feel the standard is changed too often, others feel it’s not updated enough,” says Russo. “But if you look at the standard over the past number of years, it’s stood the test of time and hasn’t changed much. And we are currently evaluating moving PCI to a three-year cycle; we may have a change in the next few months,” he says.

No matter what the final updates to the standard look like later this fall, chances are they won’t be detailed enough for some while too detailed for others.
“The notion of being prescriptive can be both good and challenging,” says Christofer Hoff, director, cloud and virtualization solutions, Cisco Systems STBU (Security Technology Business Unit). “Just consider the business ecosystem involved with what the PCI DSS affects. When you make a change to something like that, it cascades down through hundreds of thousands if not millions of merchants. So one seemingly simple change to security folks could affect the operational capabilities of lots of businesses,” he says. “I’m not making an excuse for it, but it is a very delicate situation.” Analyst Crawford agrees. “Particularly in IT security, compliance is a bit like trying to correct astigmatism. A lens that sharply focuses on one area may distort the focus elsewhere. Make requirements too prescriptive and you may be forcing organizations to comply with something that may no longer be relevant, especially if attack trends have moved on since the requirement was defined,” he says. “Make them less prescriptive, and you make it difficult to hold subject organizations to a well-defined standard,” adds Crawford.


No doubt even after the final updates are published this fall, the debates surrounding PCI DSS won’t subside any time soon. However, the council’s Russo is sure of this about the standard: “If you are a retailer, and you want to stay secure, becoming compliant to PCI DSS is the best thing you can do.”

George V. Hulme is a freelance writer in Minnesota. Send comments on this article to [email protected].


STATE DATA PROTECTION ACTS


NEW MANDATES

Massachusetts and Nevada usher in a new generation of data protection laws.

BY RICHARD MACKEY

THE DEADLINE was a moving target, but as of March 1, Massachusetts’ new data protection law finally took effect. 201 CMR 17.00, along with Nevada’s 603A, which took effect in January, represent a new class of state regulations that require organizations to deploy specific controls to protect personal identifying information from unauthorized access. Massachusetts and Nevada have established a new standard for personal data protection and appear to have set the stage for more prescriptive laws at the federal level. These new laws are the result of pressures on lawmakers to do something to combat the countless compromises of credit cards, Social Security numbers, and bank account information we hear about every day. They provide clear guidance on how personal data must be protected and who is ultimately responsible for its protection.


Instead of just requiring organizations to notify data security breach victims, the new regulations go a step further by trying to prevent breaches from occurring in the first place. Furthermore, both the Massachusetts and Nevada regulations require organizations to employ a defined set of administrative and technical controls rather than simply “implement and maintain reasonable security measures” as most existing regulations do. The Massachusetts law explicitly lists administrative and technical controls for all data collectors. Nevada lists only a few controls that apply to all data collectors, but refers to one of the most prescriptive industry security standards when dealing with merchants that accept credit cards: the Payment Card Industry Data Security Standard (PCI DSS). Both approaches represent a significant increase in the complexity and depth of controls required of data collectors. They require organizations to expend substantial time, effort, and money to implement policies, locate personal information, and establish access controls and monitoring. Read on to learn what’s required, some tips for complying, and the implications of a proposed federal data protection law.

WHAT NEEDS TO BE PROTECTED?

Any organization with personal information pertaining to a Massachusetts resident needs to protect it, according to Massachusetts’ 201 CMR 17.00 regulation. So, what is “personal information”? Massachusetts defines it as: “A Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account.” The law excludes personal information that includes data lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

This definition is almost identical to the one used in the Nevada data protection law and California’s data breach notification law, and also matches most of the language in the proposed federal Data Accountability and Trust Act (H.R. 2221). This consistency helps immensely in identifying the data that needs to be tracked and protected. The one significant difference is that both Nevada and the federal bill require the security code/PIN to accompany a financial account ID, while the Massachusetts law considers a name and financial account ID to be personal information even in the absence of a PIN.
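To make the definition above, and the Massachusetts/Nevada difference it points out, concrete for a data-discovery pass, here is an added Python example written for this guide, not code from the article or from either statute: an `is_personal_information` function (hypothetical name) that applies the definition as the article summarizes it for "MA" (201 CMR 17.00) and "NV" (Nevada 603A), and a `scan` helper that flags which records in a constructed sample set need protection under each law. The record field names, the sample values, and the modelling of the public-records exclusion as a single flag are all my assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Record:
    """A stored data record; all field names are constructed for this example."""
    first_name: Optional[str] = None         # full first name or first initial
    last_name: Optional[str] = None
    ssn: Optional[str] = None
    drivers_license: Optional[str] = None    # or state-issued ID card number
    financial_account: Optional[str] = None  # bank, credit or debit account/card number
    access_code: Optional[str] = None        # PIN, security code or password for that account
    from_public_source: bool = False         # lawfully obtained from public records


def has_name(rec: Record) -> bool:
    """Both laws pair a data element with first name (or initial) plus last name."""
    return bool(rec.first_name) and bool(rec.last_name)


def is_personal_information(rec: Record, law: str) -> bool:
    """True if `rec` meets the 'personal information' definition under 'MA'
    (201 CMR 17.00) or 'NV' (Nevada 603A), as the article summarizes them."""
    if law not in ("MA", "NV"):
        raise ValueError("law must be 'MA' or 'NV'")
    if rec.from_public_source or not has_name(rec):
        return False                      # public-record exclusion, or no name to pair with
    if rec.ssn or rec.drivers_license:
        return True                       # (a) and (b): the element alone suffices in both states
    if rec.financial_account:
        if law == "MA":
            return True                   # Massachusetts: account number with a name is enough
        return bool(rec.access_code)      # Nevada: the code/PIN must accompany the account ID
    return False


def scan(records: List[Record], law: str) -> List[int]:
    """Indexes of the records that must be protected under `law`."""
    return [i for i, r in enumerate(records) if is_personal_information(r, law)]


# Constructed sample data (placeholder values, not real identifiers)
SAMPLE_RECORDS = [
    Record("Jane", "Doe", ssn="000-00-0000"),
    Record("J", "Doe", financial_account="4111111111111111"),
    Record("J", "Doe", financial_account="4111111111111111", access_code="123"),
    Record(last_name="Doe", ssn="000-00-0000"),                       # no first name/initial
    Record("Jane", "Doe", drivers_license="S00000000", from_public_source=True),
    Record("Jane", "Doe"),                                            # name only
]

if __name__ == "__main__":
    for law in ("MA", "NV"):
        print(law, "records needing protection:", scan(SAMPLE_RECORDS, law))
```

Record 1 (name plus card number, no code) is the case that separates the two laws: flagged in Massachusetts, not in Nevada. A real discovery tool would add pattern matching to find these fields in unstructured data, but the decision logic stays this small.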

201 CMR 17.00: A TALL ORDER

The Massachusetts law has sent shock waves through businesses with Massachusetts resident data as it requires organizations to implement a full-fledged written information security program (WISP) complete with governance, risk assessment, partner management, preventive and detective technical controls, and an incident response process. Companies, both large and small, that have not had to comply with other data protection regulations like PCI DSS or HIPAA may be hard pressed to find the expertise or time to dedicate to the development of a security program.

It’s important to note that the Massachusetts data protection law is not meant to be one size fits all. In other words, the regulation is designed to take risk into account. There is language that allows an organization’s security controls to be judged in light of its size, the resources it has to apply to implement the program, the amount of data it stores, and the sensitivity and risk of identity theft associated with the data.

Here is a summary of 201 CMR 17.00’s required administrative controls:

• A designated person or group responsible for managing the security program
• A risk assessment and management program
• A method of assessing the effectiveness of controls protecting personal data
• An employee and contractor training program
• A set of security policies and procedures
• A method of monitoring compliance
• A means for detecting and preventing security system failures (monitoring and review)
• Specific policies and procedures relating to the storage, access, transmission, and handling of personal data
• Disciplinary measures for non-compliance
• A reliable method of promptly disabling access of terminated employees
• A program to ensure that third parties with access to personal data are competent to protect it and contractually obligated to maintain appropriate safeguards on the information
• A set of physical controls to ensure that systems, media, and paper containing personal data are protected from unauthorized access
• An annual review of security measures, and reviews whenever there is a material change in business practices that may affect the security of personal information

In addition to this long list of administrative controls, Massachusetts also requires the following technical controls:

• Secure user authentication methods, including secure protocols that do not expose passwords on the network, strong passwords, secure password storage, unique user identifiers, and optional two-factor authentication technologies
• Access control mechanisms that restrict access only to active users
• Automatic lockout after multiple failed access attempts
• Tight access controls on files and records containing personal information
• Restriction of access to those with a business need
• Removal of all vendor default accounts
• Encryption of personal records when transmitted across public networks and wireless networks
• Monitoring of systems for unauthorized use and access to personal information
• Encryption of all personal information stored on laptops or other portable devices
• An Internet firewall protecting systems and files containing personal information
• A vulnerability management program that keeps software and virus definitions up-to-date
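Several of the technical controls listed above (secure password storage, strong passwords, automatic lockout after multiple failed attempts, access restricted to active users) and the administrative control of promptly disabling terminated employees' access can be implemented together in one small authentication service. The Python below is an added example written for this guide, not code from the article or from any product: a hypothetical `UserDirectory` that stores only salted PBKDF2 hashes, enforces a minimum password length, locks an account after `MAX_FAILED_ATTEMPTS` wrong passwords for `LOCKOUT_SECONDS`, and refuses disabled accounts. The threshold values are constructed; the regulation prescribes no numbers. The current time is passed in explicitly so the lockout window can be exercised deterministically.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Policy values are constructed for this example; 201 CMR 17.00 sets no specific numbers.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
MIN_PASSWORD_LENGTH = 12
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the plaintext password is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def password_is_strong(password: str) -> bool:
    """Minimal strength policy: length, plus at least one letter and one non-letter."""
    return (len(password) >= MIN_PASSWORD_LENGTH
            and any(c.isalpha() for c in password)
            and any(not c.isalpha() for c in password))


class Account:
    def __init__(self, salt: bytes, digest: bytes) -> None:
        self.salt = salt
        self.digest = digest
        self.active = True                      # cleared when the employee is terminated
        self.failed_attempts = 0
        self.locked_until: Optional[float] = None


class UserDirectory:
    """Hypothetical in-memory user store (added example, not a real product)."""

    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}

    def add_user(self, username: str, password: str) -> None:
        if not password_is_strong(password):
            raise ValueError("password does not meet the strength policy")
        self._accounts[username] = Account(*hash_password(password))

    def disable_user(self, username: str) -> None:
        """Promptly revoke access for a terminated employee or contractor."""
        self._accounts[username].active = False

    def authenticate(self, username: str, password: str, now: float) -> str:
        """Return 'ok', 'bad_password', 'locked' or 'disabled'.

        Unknown usernames get 'bad_password', and the same hashing work is done,
        so the response does not reveal which usernames exist."""
        acct = self._accounts.get(username)
        if acct is None:
            hash_password(password)
            return "bad_password"
        if not acct.active:
            return "disabled"
        if acct.locked_until is not None:
            if now < acct.locked_until:
                return "locked"                 # attempts inside the window are not counted
            acct.locked_until = None            # window expired; count afresh
            acct.failed_attempts = 0
        _, candidate = hash_password(password, acct.salt)
        if hmac.compare_digest(candidate, acct.digest):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "bad_password"


if __name__ == "__main__":
    directory = UserDirectory()
    directory.add_user("alice", "correct horse battery staple 9")   # constructed credential
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(directory.authenticate("alice", "wrong-password-1", now=0))
    print(directory.authenticate("alice", "correct horse battery staple 9", now=LOCKOUT_SECONDS + 1))
```

The same structure maps onto the "secure protocols that do not expose passwords on the network" bullet only if the password reaches this service over TLS; the service itself covers storage, strength, lockout and active-user restriction.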

BUILDING THE PROGRAM

201 CMR 17.00 requires organizations to have a formal written security program. In other words, you need to have a document that describes who is responsible for managing the security program, a set of security policies governing protection and treatment of personal information, and mechanisms to implement technical controls. If you have a security program in place, your best course of action is to fold these controls into your existing policies and procedures.

If the list of controls seems daunting, take heart. It’s likely that many of the technical requirements of the regulation can be met by configuring your current systems to implement the necessary policies. For example, strong passwords, automatic lockout on multiple login failures, and automatic download and installation of necessary patches are supported by most enterprise operating systems and application suites. Tight access controls on files and databases may take some technical knowledge, but should not be a problem for a competent IT administrator once the information is isolated. Encryption of laptop file systems and storage on portable devices is often supported natively or can be added. While configuring system policies will not solve all your problems, it will allow you to meet many of the requirements and allow you to concentrate on addressing the more challenging areas of monitoring access, encrypting transmission, and administering your overall program.

However, your first order of business is to reduce the amount of information stored to an absolute minimum. If you can eliminate certain databases or pieces of information, you may be able to avoid employing the more administratively demanding controls, at least on particular systems. Once you have isolated the information to a few systems, encryption of information is much easier. Likewise, maintaining strict access controls and access monitoring will become more practical. Patch management, account management, and encryption of portable devices (like backup media), to the degree required by this regulation and others like PCI DSS, can be a major task if you attempt to employ them across an entire enterprise.

NEVADA CODIFIES PCI

Unlike the Massachusetts law, the Nevada data protection law began as a rather vague requirement for organizations to employ “reasonable measures” to protect personal information of residents of Nevada. It has since been amended to be much more prescriptive. Here is a summary of the required controls:

• Implement and maintain reasonable security measures to protect personal data records from unauthorized access, acquisition, destruction, use, modification or disclosure
• Comply with current PCI DSS (if a merchant)
• Encrypt personal information transmitted outside the secure system of the data collector
• Encrypt data on storage devices moved outside the physical controls of the data collector
• Contract with business associates to maintain reasonable security measures
• Notify affected individuals in the event of a breach

I N F O R M AT I O N S E C U R I T Y • ESSENTIAL G UIDE • COMPLIANCE


Nevada’s law is similar to Massachusetts’ regulation in its requirement for encryption of information transmitted on public networks and on portable media. However, there is one item in this list that distinguishes Nevada 603A from all other data protection statutes: The reference to PCI DSS. Prior to this law, PCI DSS was a contractual requirement between a merchant bank and a merchant. With the reference to PCI DSS in Nevada’s law, failure to comply with PCI DSS can be held against a merchant in legal actions by injured parties or the state in the event of a breach. This clause alone makes PCI DSS compliance and the results of merchants’ PCI assessments more important than ever.

FEDERAL PREEMPTION?

The proposed federal Data Accountability and Trust Act (DATA), which was passed by the U.S. House of Representatives in December, would replace the groundbreaking state law requirements we have just detailed with similarly prescriptive requirements. The bill is awaiting Senate approval.

As stated in Section 6 of H.R. 2221, DATA would supersede any state statute or regulation that requires information security for data containing personal information or notification to individuals of a data security breach involving personal information. Here is a summary of the salient points of H.R. 2221 as it stood in January:

• Like Nevada’s law, bank account information must include an access code to be considered personal information
• Like other laws, DATA would allow compliance with other federal laws such as HIPAA that require protection of personal information to establish compliance
• The law would have special requirements for information brokers, including submission of policies to the Federal Trade Commission, mandatory postbreach audits, controls to ensure the accuracy of information collected, provisions for individual access to information collected, and a set of extensive limitations and exclusions
• The law is meant to be enforced by the FTC

According to the bill, data collectors must have the following controls in place:

• A security policy governing treatment of personal information
• An appointed responsible party to run the compliance program
• A process for identifying and assessing vulnerabilities, including monitoring for breaches
• A process to take corrective action to address vulnerabilities
• A secure data destruction process
• A process to notify individuals of a breach (with special requirements for service providers)

As drafted, this set of controls falls somewhere between the specificity of Massachusetts’ regulation and the general requirements of Nevada, without the reference to PCI DSS. However, the general intent of requiring a compliance program and the fact that the law requires the FTC to specify further regulations and guidance is likely to make the law more like the Massachusetts regulation over time.

One of the most curious differences between the proposed federal law and the state laws is the selection of the FTC as the enforcing body. The FTC’s jurisdiction does not extend to a number of organizations, including nonprofits, government agencies and depository institutions.

SB 1386

Trendsetter

California led the charge on data breach notification laws.

CALIFORNIA PAVED THE way for data breach notification laws back with SB 1386, which took effect in 2003. The law requires that organizations with personal information about California residents notify them if their data is compromised. Since then, 44 other states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal data, according to the National Conference of State Legislatures. Many of the laws, including California’s, make exceptions for encrypted data. The state regulations have led to a flurry of disclosures and a constant stream of breaches involving credit card numbers and other personal information. According to the nonprofit consumer organization Privacy Rights Clearinghouse, as of late January, more than 344 million records containing sensitive personal data have been compromised since 2005.

—MARCIA SAVAGE

FACT OF LIFE

The Massachusetts and Nevada laws have changed the way the state and federal governments will deal with personal data protection. It appears to be a fact of life that organizations that handle protected data in whatever form (health care, financial or identity) need to maintain formal security and compliance programs. While the formality and extent of the programs are allowed to be structured according to the size and resources of a given organization and geared to risk of compromise, it is unlikely that the courts will look favorably on any organization that does not implement a formal security program. It is important for organizations to recognize that the time and expense in complying with new state data protection laws will produce benefits over time, reducing the likelihood of compromise while at the same time avoiding costly non-compliance penalties. The release of personal data—whether through human error or criminal activities—is both disruptive and costly and can be disastrous for customers and the organizations that serve them.


Richard Mackey is vice president of consulting at SystemExperts, an information security-services firm. Send comments on this article to [email protected].


HIPAA


HIPAA GETS SOME TEETH

The HITECH Act expands on HIPAA’s security requirements and increases penalties for non-compliance.

BY MARCIA SAVAGE

THE HEALTH CARE INDUSTRY was buzzing with the news: For the first time, a hospital was being audited for compliance with HIPAA security requirements. The audit of Piedmont Hospital in Atlanta by the U.S. Department of Health and Human Services’ inspector general in 2007 was surprising for hospitals, health insurers and others in an industry accustomed to a lack of enforcement of federal privacy and security requirements. A year later, HHS took another unusual step, meting out a $100,000 fine to Seattle-based Providence Health & Services for HIPAA security and privacy violations. The organization had lost backup tapes, optical disks and laptops containing unencrypted protected health information on more than 360,000 patients.

But those enforcement actions could be small potatoes compared to what’s ahead. The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act signed into law last year, earmarks about $19 billion in incentives to encourage adoption of electronic health record technology but also expands on HIPAA’s security and privacy requirements. In addition to instituting new breach notification rules and extending the rules to health care business associates, HITECH implements a new tiered system that increases civil monetary penalties for noncompliance and also allows state attorneys general to file civil actions for HIPAA violations.

“HITECH is perceived as the enforcement arm of HIPAA,” says Barry Runyon, research vice president covering health care IT at Gartner. “The stakes are higher and more people can enforce it.

“What it’s done has kind of jump-started HIPAA. Health care delivery organizations’ programs languished for a while,” he adds. “When there’s no enforcement, people tend to get complacent. HITECH is making them revisit their security plans and look at their controls—essentially what they should have been doing.”

Let’s take a look at the ramifications of the HITECH Act on security and privacy in the health care industry and its impact so far.

HIPAA: UNEVEN COMPLIANCE

For years, organizations that had to comply with HIPAA were frustrated not only by the lack of enforcement but the lack of specifics in the federal law’s requirements for protecting electronic personally identifiable health information. The Health Insurance Portability and Accountability Act was enacted in 1996; health care providers, health plans, clearinghouses and other covered entities were required to comply with the law’s privacy rule in 2003 and with the HIPAA security rule in 2005.

“HIPAA security [compliance] is all over the map. The security rule is just too open to interpretation,” says Bryan Cline, director of information security at Newtown Square, Pa.-based Catholic Health East. Some organizations do the bare minimum to comply while some take a mature, risk-based approach to information security and devote enough resources and training to have a strong program, he says.

Historically, the health care industry hasn’t spent as much as other industries on security, says Khalid Kark, vice president and principal analyst at Forrester Research. “There’s always this tension: Do you want to improve service and how you treat people, or would you rather spend that money on security?” A survey of 196 health care IT and security professionals by the Chicago-based nonprofit Healthcare Information and Management Systems Society (HIMSS) released last fall showed that security accounts for three percent or less of overall IT spending in a majority of health care organizations.

Even if HIPAA wasn’t ambiguous, it had “no teeth or enforcement,” says David Finn, health IT officer at Symantec and former CIO at Texas Children’s Hospital. “The fines weren’t significant enough to raise the risk management flag for a lot of institutions.” HITECH removes a lot of ambiguity with its breach notification rules and increased penalties, he says.

BREACH NOTIFICATION

Under rules released last August by HHS, an organization with a breach involving unsecured protected health information (PHI) must notify the affected individuals. The notifications must be provided no later than 60 days following the discovery of a breach and must include a description of the breach and what the organization is doing to investigate it, among other details. If more than 500 individuals are affected, then the organization must notify major media outlets in affected states and HHS; HHS will list the breaches and the entities involved on its website. “That’s not something any hospital wants to do,” Finn says of the media notification.

Organizations need to have a process to assess whether there’s been a security breach that requires notification, says Kathryn Coburn, founder of Pacific Palisades, Calif.-based Coburn IT Law, which focuses on health care IT. The security or privacy of protected health information is deemed to be compromised only if the disclosure poses a significant risk of harm to the individual, she says. The process requires a risk assessment that considers the amount of data lost and potential exposure of that data to determine whether notification is required, says Joseph Granneman, CTO/CSO of Rockford Health System in Rockford, Ill. “If a folder of information is left at a restaurant and someone returns it to you, there may not be much risk for that patient information. Whether you consider this a breach or not will be based on what the information was,” he says. “If it was just a listing of names without other financial/medical identification, it may not be considered a breach because there is little risk to the patient.”

Notification isn’t required if the PHI is unreadable or indecipherable through encryption according to National Institute of Standards and Technology (NIST) standards. Paper records must be shredded so the PHI can’t be reconstructed, and electronic media purged or destroyed per NIST guidelines. Many health care organizations are looking closely at encryption and need to assess the appropriate levels of encryption for their systems, says Beau Woods, solutions architect for SecureWorks, an Atlanta-based security-services firm. “Some of the older software doesn’t allow you to encrypt to a standard that is compliant with HITECH,” he notes.

HIGHER PENALTIES

HITECH ups the ante on enforcement and penalties for HIPAA violations in several ways. The new law provides a tiered system of civil monetary penalties based on the level of knowledge of the non-compliant organization (from knowing to willful neglect), and corrective actions taken, says Lisa Gallagher, senior director of privacy and security at HIMSS. For example, if a violation was due to reasonable cause and not willful neglect, the penalty is $1,000 for each violation. But if the violation was due to willful neglect and not corrected, the penalty is $50,000 per violation with a maximum fine of $1.5 million for all such violations in a calendar year.

Previously, the civil penalties for HIPAA security and privacy violations set a maximum civil fine of $100 per violation and up to $25,000 for all violations of an identical requirement during a calendar year, according to Gallagher. HIPAA also provided for criminal penalties of fines of up to $250,000 and up to 10 years in prison for disclosing or obtaining health information with the intention of selling it for commercial or personal gain, or for malicious purposes. Previously, the U.S. Justice Department ruled that a covered entity could be criminally liable for HIPAA violations, not individuals, but HITECH makes it clear that individuals—hospital employees or others—can be held liable, Gallagher says. “There are some real teeth in there,” Symantec’s Finn says.

In addition, the new law broadens the number of potential HIPAA enforcers. It allows state attorneys general to file a federal civil action on behalf of residents of their states who they believe were adversely affected by a HIPAA violation, Gallagher says. Already, one such lawsuit has been filed: In January, Connecticut Attorney General Richard Blumenthal sued Health Net of Connecticut, alleging the company violated HIPAA when it lost a portable disk drive containing health and financial information of about 446,000 enrollees last May. “There’s a bigger army coming after you now,” Finn says of the new state-level authority to enforce HIPAA.

Having enforcement at the state level increases the chances that a health care organization’s HIPAA compliance might be examined, which could help bolster a security department’s ability to win funding, says Jeff Pentz, assistant director of information technology of the University Health Center at the University of Georgia. “More teeth, more money,” he says. “Going to your administrator with details of the HITECH Act may help to get more funds for security or at least reduce the amount that might be cut for security.”

HITECH also requires the HHS secretary to provide for periodic audits to ensure covered entities and their business associates comply with HIPAA’s security provisions.

TOOLS

HITRUST Framework aims to bridge the compliance gap

Tool updated to reflect new HITECH requirements.

HEALTH CARE ORGANIZATIONS looking for some help in meeting HIPAA and HITECH security requirements might want to check out the Health Information Trust Alliance (HITRUST) Common Security Framework. Frisco, Texas-based HITRUST, in collaboration with health care, IT and professional services executives, introduced the CSF last year. The CSF, designed to be used by any organization that stores or exchanges personal health or financial information, incorporates security requirements from HIPAA and HITECH as well as other standards and frameworks, including the Payment Card Industry Data Security Standard, NIST and COBIT. HITRUST released the 2010 version of the CSF last month with updated references to HITECH and improvements based on industry feedback. The CSF is available free of charge at HITRUST Central.

Daniel Nutkis, HITRUST CEO, says HITRUST has worked to reach out and educate organizations on risk management and how the CSF can help. Tracking the level of adoption is difficult, but HITRUST is working with about 30 states on their use of the CSF, he says. Under HITECH, states’ health information exchanges and the organizations that connect to them must be secure. Khalid Kark, vice president and principal analyst at Forrester Research, says the CSF fills a void in the health care industry and that adoption of it by states could have a huge impact on its acceptance.

HITRUST also offers the CSF Assurance program, which the company says can help streamline the process of security assessments for health care organizations and their business associates. The program, which has authorized CSF assessors, aims to provide a consistent approach to assessing and reporting compliance to multiple parties. The HITRUST CSF “indicates there’s a focus on security in our industry that didn’t exist in the past,” says David Finn, health IT officer at Symantec and former CIO at Texas Children’s Hospital.

—MARCIA SAVAGE

PRIVACY

New disclosure rules

Organizations will need to provide three-year histories of disclosures of protected health data.

AMONG THE Health Information Technology for Economic and Clinical Health (HITECH) Act’s expanded privacy requirements are new rules for disclosure of protected health information (PHI). Organizations using electronic health record (EHR) technology must be able to provide a patient with a three-year history of PHI disclosures, including disclosures previously considered exempt, such as those for treatment like lab work, and those made for payment purposes. “That will require logging of all those disclosures and creation of a process to prepare a disclosures list,” says Lisa Gallagher, senior director of privacy and security at the Healthcare Information and Management Systems Society (HIMSS). “The volume of audit logging that is going to is kind of mind numbing,” says David Finn, health IT officer at Symantec and former CIO at Texas Children’s Hospital. “No human could comb through all that, so at some point it has to be automated.” Also, if a company keeps a patient’s data in electronic format, it must provide an electronic copy if the patient requests one. “You can’t just print something on paper,” Gallagher says. Federal guidance on accounting of disclosures is expected June 30.

—MARCIA SAVAGE


THIRD-PARTY SECURITY

Perhaps one of the most far-ranging changes HITECH makes is in its extension of HIPAA’s provisions to business associates. Effective Feb. 17, companies that provide services such as claims processing and billing and handle personal health information for health care providers are directly covered by the HIPAA security rule. “The biggest impact the HITECH Act will have on health care companies are the requirements on third-party security,” Kark says. That’s a challenge, even for companies with mature security programs in other sectors, he adds.

For CIGNA, the expanded requirements for business associates cut both ways. The health insurer is both a covered entity that works with vendors that handle protected health information and a business associate in cases where it operates as a third-party administrator for clients who fully insure their workforce. “We are now looking at not just being a covered entity but also a business associate under those enhanced provisions,” says Georgia Dodds Foley, chief compliance, ethics and privacy officer at CIGNA. “We want to make sure with both of those hats that we’re doing what we need to do to evaluate our current processes, programs, and documentation.”

That’s meant verifying all its business associates, making sure any necessary contractual amendments are made or additional oversight is added. It’s also meant dealing with a lot of contract amendments from clients for whom it is a business associate, which is administratively complicated, Dodds Foley says. Despite the complications, the entire industry is dealing with them at the same time and “there’s a certain amount of collegiality and [sense of] community going through the compliance efforts,” she adds.

However, Gallagher of HIMSS says many health care business associates aren’t aware of their HITECH obligations. A survey by HIMSS Analytics, a HIMSS subsidiary, last fall showed that while many health providers are aware of the new requirements, few business associates are.

THREATS

Study reveals increased attacks on health care

SecureWorks detected a doubling of attacks targeting its health care clients last year.

CYBER ATTACKS targeting health care organizations doubled in the fourth quarter of last year, according to data compiled by Atlanta-based SecureWorks. The company’s findings were based on a 12-month study of 38 of its health care clients using the SecureWorks Managed Intrusion Detection and Prevention service. Attempted attacks increased from an average of 6,500 per health care customer per day in the first nine months of 2009 to an average of 13,400 per client per day. In other industries, attempted attacks did not increase in the fourth quarter. From October through December 2009, SecureWorks blocked hundreds of SQL injection and Butterfly/Mariposa bot malware attacks launched at its health care clients, according to Hunter King, SecureWorks security researcher. Criminals can use SQL injection attacks and the Butterfly/Mariposa malware, which SecureWorks says surfaced last fall, to steal sensitive data. Health care companies often store valuable data and have a large attack surface because of the nature of their business, making them targets for cybercriminals, the company says.

—MARCIA SAVAGE

ELECTRONIC HEALTH RECORDS

Many health care providers, of course, are focused on HITECH’s incentives for “meaningful use” of EHR technology. Some companies have calculated that the combination of federal reimbursements and efficiencies gained in switching to electronic health records would mean a big return on investment, Forrester’s Kark said. In late December, the Centers for Medicare & Medicaid Services (CMS) released proposed provisions for meaningful use of EHR technology and the Office of the National Coordinator for Health Information Technology (ONC) released an interim final rule that specifies standards and certification criteria for EHR technology. While ONC’s document includes a baseline of security controls such as encryption and authentication, the meaningful use document only cites the need for a security risk assessment, which is what HIPAA requires, Gallagher says.

Catholic Health East is working to fully understand the meaningful use criteria before conducting a gap analysis, Cline says. “Probably every hospital in the country is doing this but apparently working in a silo,” he says, adding that industry-wide collaboration would be helpful.

CIGNA’s operations include some health care delivery facilities, which are ready to do what is known to be required for EHRs at this point, Dodds Foley says. But like other health care organizations, it’s waiting for additional federal guidance on EHR standards for other types of providers, like pharmacies, which likely won’t be released until later this year. The company has project plans and has done some high-level gap assessment work, but has no choice but to take a wait and see approach in that area, she says.

FIRST STEPS

The federal schedule for incentives is accelerated, but compliance with HITECH will be a long-term process, Kark says. In building out compliance programs, organizations should focus on process rather than technology, he says. “Don’t lead with technology,” Kark says. “Build a program and use technology to augment it.”

Gallagher says meeting HITECH’s security requirements requires a lot of work and organizations will be preoccupied with establishing meaningful use of EHRs, which involves extensive requirements for quality and efficient health care delivery. But the basic requirement for a security risk assessment is something that companies should have already been doing under HIPAA, she says. “That’s a process that needs to be institutionalized. It’s something an organization should be doing on a regular, continual basis,” she adds.

According to Coburn of Coburn IT Law, other steps organizations should take to comply with HITECH’s security and privacy requirements include: documenting security policies and procedures; workforce training on the procedures; implementing physical safeguards; and restricting disclosures of protected health information to the minimum necessary information.

Faced with either budget or human resource constraints, health care organizations need to realize they can’t meet every one of HITECH’s security requirements all at once, Symantec’s Finn says: “You’re going to have to prioritize based on level of risk.” Overall, HITECH escalates the importance of security and privacy in the health care industry, he says. “It’s no longer just the CIO’s problem.”

Marcia Savage is Editor of Information Security. Send comments on this article to [email protected].


SOX

DISPROPORTIONATE PAIN

Smaller public companies bear significantly higher pain in terms of revenue and costs per employee complying with Sarbanes-Oxley.

BY NEIL ROITER

MENTION THE SARBANES-OXLEY ACT (SOX), and the conversation is likely to steer toward giant multinational corporations and the need for broad and deep governance, risk and compliance (GRC) programs, and the chilling image of CEOs and CFOs doing the Enron perp walk. SOX forced many of these companies to re-examine and overhaul their financial controls and accounting systems, file all sorts of new reports, and pay tons of cash to the Big Four audit firms.

But thousands of smaller public companies are the ones feeling most of the pain. The cost of SOX compliance is disproportionate for these companies, both in terms of percentage of revenue and cost per employee, in some cases running into the thousands of dollars per head, as opposed to the hundreds for large enterprises.

“Larger companies have been built to have audits going on frequently. They are complex, so they have compliance programs,” says Ed Moyle, a manager with CTG’s information security solutions practice and partner at SecurityCurve. “That’s where the bigger costs come in. Smaller companies have been focused on growing revenue, not focused on a compliance program, and it’s very costly to retrofit.”

SOX put a real burden on smaller firms. There were anecdotal reports of some companies delaying or even shelving plans to go public because of it. More strikingly, Kiplinger reported in 2006 that 100-200 companies—including some big names—were reverting to private ownership each year since SOX was enacted in 2002, mainly because of the cost of compliance.

Developing an efficient SOX compliance program is the key for midmarket companies. The right approach can help cut unnecessary costs and give your company the most benefit from improved financial controls and the insight gained from examining your practices and monitoring your systems. But it’s still going to cost you, and, if you are a smaller company, it will cost proportionately more than large enterprises. It’s unavoidable.

“You still have to comply and there’s a lot of bureaucracy in compliance and you can’t spread the cost across as much of a base,” says Michael Rasmussen, president of Corporate Integrity. “So, there’s still all the overhead of a larger company. While it does scale down some, it doesn’t scale down proportionately.”

SEC GRANTS ‘RELIEF’

The Security and Exchange Commission (SEC) took note of the basic inequity of holding smaller firms to the same requirements as mega-corporations, and issued new guidelines in 2007. The SEC delayed initial compliance for companies with less than $75 million in public equity and reduced some of the forms and reports required.


WHO IS IN CHARGE?

CFO at Top of SOX Org Chart

Experts say an organization’s chief financial officer usually runs SOX compliance; audits erase the possibility of conflicts of interest.

YOUR CHIEF FINANCIAL OFFICER (CFO) is almost certain to be the person in charge of SOX compliance. Michael Rasmussen, president of Corporate Integrity, goes so far as to say it must be the CFO. In smaller companies, it’s common for IT to report to the CFO; it’s natural for finance and IT to come together under the CFO for SOX compliance. The CFO, he says, should “roll up his sleeves” and get involved in managing SOX compliance, because it’s fundamental to his job.

Doesn’t that raise the possibility of conflict? “No,” Rasmussen says. “That’s why you have audit. Let the auditor be the independent validator.”

SecurityCurve’s Ed Moyle and Diana Kelley agree that SOX responsibility typically falls to the CFO, although conditions vary from firm to firm. The CFO understands the company’s operations and the communications channels, and can make sure the controls aren’t interfering with the business.

“However, I’d caution small companies for collusion purposes,” says Kelley. “If the CFO is the one doing anything funky with the books, that puts them in oversight of what’s going on with IT checks and balances. So the COO—or the CEO if he serves operationally—should be observing.”

—NEIL ROITER


These companies did not have to include a management assessment of their financial controls in their annual report until the fiscal year ending December 15, 2007 or later, and don’t have to include an external auditor’s attestation until the report on the fiscal year ending December 15, 2009 or later. What’s more, companies going public don’t have to begin compliance reporting until their second year as a public company.

The fresh SEC guidelines, the “Interpretive Guide for Management,” issued in May 2007, were designed to give smaller businesses clearer direction—there is no instruction manual for SOX 404—on how to implement and maintain a compliance program to cut cost and make the management assessment program more effective. The CliffsNotes version is available in a brochure, “Sarbanes Oxley Section 404: A Guide for Small Business,” but after digesting that you’ll need to get very familiar with the full document.

The guidelines stress that your management processes aren’t bound by any one method or that of your external auditor. You should also take a risk-based approach that focuses on the areas of highest risk of “material misstatement” in your financial statements. This point actually goes a long way to reduce the scope of your program. Previously, companies were expected to address all areas of risk; now they can zero in on the ones that really count. Finally, your evaluation can be customized for your company’s specific facts and circumstances—one size doesn’t fit all, especially for small companies with their own business processes, perhaps specialized markets or services, and management structure. The guide also provides better direction on appropriate supporting evidence and documentation, and for evaluating weaknesses in your controls.

The guidelines do not replace the internal control frameworks to be followed, particularly that of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which is the generally accepted framework for SOX (COSO expanded its original 1992 framework in 2004, with “Enterprise Risk Management—Integrated Framework”). However, Corporate Integrity’s Rasmussen sounds a note of caution, lest you expect too much from these guidelines. “With clarification comes some relief, but it’s still a burden on the organizations,” he says. “That’s not going away.”


YOUR SOX AUDITOR

The Big Four—Deloitte Touche Tohmatsu, PricewaterhouseCoopers, Ernst & Young and KPMG—have created a whole industry around SOX compliance, hauling in most of the fees. But if you’re a smaller public company, that doesn’t have to include you.

The upside of hiring one of these giants is their extensive expertise and vast resources in all matters SOX. If they’re good enough for Humongous International, they must be good enough for you, right? Not necessarily. The Big Four will, naturally, send their sharpest and most experienced auditors to work with their biggest clients; it just makes good business sense to focus your best service on the clients paying the most bucks. Not to mention that if a company does have a rough audit, better it be a mom-and-pop shop than some high-profile, multibillion corporation.

For the same steep fee, your $25 million or $50 million company is more likely to get a bright, eager and very inexperienced auditor, perhaps a year or two out of college. That person may have graduated at the top of his or her class, and have a good grasp of the regulation and guidelines, but little or no understanding of the business you run, its operational and sales practices, and the market in which it is engaged. If your company is new not just to SOX, but to any regulatory requirements, you’re going to want an auditor you can draw on for advice and guidance, not just to pass or fail on your controls.

“Where these auditors don’t have the knowledge is on the operational side,” says Moyle. “So, they may understand the compliance process, but when it comes to understanding the business and how financial systems work and how they interrelate, there’s a dearth of knowledge.”

One result can be a near-fanatic focus on every possible level of every control, rather than a focus on evaluating the effectiveness of key controls over areas of greatest risk. Diana Kelley, co-founder and partner at SecurityCurve, tells of the security director at a brokerage house whose auditor was fixated on the fuel supply for the backup generators for her data center. “The data center had propane to fuel their backup power, but no backup for the propane,” she relates. “And the auditor dinged her on that for SOX. It’s a case of running down every possible check box without understanding compensating controls and other methods for providing resiliency.”

Part of the problem is that SOX 404 and the guidelines are sufficiently vague to give audit firms a lot of leeway, and the wider the scope of the engagement, the more money they can charge. That’s why it’s important to work in close collaboration with your auditor early on in the compliance process and reach some understanding of the focus points and scope of the engagement.

“Auditors must be held in check,” says Rasmussen. “They want to work very broadly because it means more work for them. Work with them and say, ‘what can we come to agreement on; let’s scope this together and come to some understanding.’” The aim, Rasmussen explains, is to understand what the auditor is looking for, and to get him to sign off on a control structure that’s reasonable for your company, “that’s not going to just bury it.”

You should also involve the auditor early because of the “break” small companies get in not being required to have auditor attestation until year two of compliance. Your management assessment can easily go awry the first year without an understanding with your
auditor, and you can get badly bloodied when the auditor comes in later on.

Auditors aren’t the only ones responsible for runaway scope. Sometimes IT managers use SOX as a pretext for pushing through pet IT or security projects that the CFO has turned down based on previous arguments.

In addition to getting the auditor involved up front, hiring an outside consultant makes sense at the outset. If your management team lacks SOX expertise and experience, or if they simply have too much to do helping run the business, a consultant can help you make good choices—including the right audit firm—and avoid costly mistakes.

Rasmussen advises small public companies to steer clear of the Big Four, because they are likely to get relatively inexperienced people. He says small companies will get better service and consistency with any number of the smaller, local audit companies that cater to SMEs and actually like doing business with smaller clients. He also suggests investigating mid-tier companies such as Jefferson Wells, Grant Thornton, BDO Seidman and Crowe Horwath, among others.

Help Available

There are many online resources that can help midmarket companies with Sarbanes-Oxley compliance.

Unified Compliance Framework
http://www.unifiedcompliance.com/
Provides “toolkits” that help build a compliance program that maps to any number of regulations.

SOX-Online
http://www.sox-online.com/
Independent source of information on SOX, COSO, COBIT, the SEC and the Public Company Accounting Oversight Board (PCAOB).

COSO
http://www.coso.org/
A source of information and documentation on the generally accepted framework for SOX, including a very useful SOX guidance document for small public companies: http://www.coso.org/Publications/erm_sb/sb_executive_summary.pdf

BIG FOUR AUDITORS
Audit companies offer white papers and other resources that help with SOX compliance. For example, Deloitte has a very useful document for small companies: http://www.deloitte.com/dtt/cda/doc/content/us_sarbanes_NAF%20013108.pdf

MORE THAN SOX?

Your company may be on the small side, but you still may have to deal with more than one regulation. For example, if you take credit cards, you also have to deal with PCI DSS. If you’re a financial services company, you’re probably subject to GLBA. And just about every company must be leery of the 40-plus state data breach disclosure laws. Even if you’re only subject to SOX now, it’s a good bet that a year, or two years or five years from now, there will be other regulations that you’ll have to deal with.

Rasmussen says redundant multiple assessment programs are often “what’s burying organizations, large and small.” You’ll have hundreds of spreadsheets and questionnaires, often covering the same data and asking the same questions. GLBA, for example, involves identity and access controls around personal information, while SOX is going to be dealing with identity and access controls and separation of duties. “There’s a common infrastructure of controls that can be used for multiple compliance purposes,” he says.

Better to develop a compliance program from the start, with a broad base of meta controls that you can map to particular requirements as they come along. Then you can fill the gaps as a particular regulation requires.

“Be prepared for compliance, not just SOX,” says Kelley. “It’s going to be a painful investment if you haven’t been compliance aware. Do you want to spend that money heavily every time there is a new mandate?”


Neil Roiter is senior technology editor for Information Security. Send comments on this article to [email protected].


RISK MANAGEMENT

Prioritize Information Security over Compliance

Organizations need to prioritize security over compliance to ensure comprehensive risk mitigation. BY TONY SPINELLI

BUSINESS LEADERS and chief security officers take note: when it comes to risk mitigation, compliance alone is not enough to protect your enterprise. It takes a broader security strategy—of which compliance is one part—to hit the high-water mark. In fact, those organizations that focus on security first to become compliant are seeing greater business impact. Instead of focusing solely on meeting compliance benchmarks, these companies are changing the way they achieve a high-water mark for security performance.

Let’s face it, we are entering an era of tighter statutory requirements and rapidly changing regulations. But focusing solely on statutory requirements can lead to a disjointed strategy that is neither comprehensive nor aligned with business goals. While compliance mandates are often used to drive security investments, compliance by itself does not ensure a company’s security posture.

And while compliance cannot be the sole focus of a security strategy, technology by itself cannot safeguard an enterprise. Increasingly sophisticated threats and growing concerns over data losses are just a few of the issues facing CSOs. For this reason, businesses simply cannot afford to think about security in purely technical terms. Instead, businesses must look beyond their technology and compliance needs and understand the challenges of ensuring their company’s security posture.

Achieving this level of transparency requires the right mix of innovation, talent and technology underscored by a strategy that addresses risk at the broadest level. This is where relationships with business partners and vendors can play a valuable role. By joining forces with industry-leading third-party providers, companies gain access to new thinking and innovation to address key needs and challenges. With the right strategy and technology partnerships, businesses can drive a consistent and global set of security practices focused on risk reduction and information security.
At Equifax, we have implemented a strategy to minimize operational and information risk, which includes safeguarding data on hundreds of millions of consumers and businesses worldwide. Equifax tackled this complex undertaking by adopting a simple but powerful vision: that security must be treated as a business. Here’s a snapshot of how it worked.


Recognizing that compliance is not the only measure of security, Equifax set out to develop and implement a plan to consolidate all of its security functions into a centralized organization. Equifax chartered a process to assess the company’s risks globally and then developed an integrated strategy that aligns its risk mitigation and information security needs with real-world business requirements. In less than three years, Equifax made its vision a reality and not only transformed its security department into a global center of excellence but also enabled the company to drive greater synergies across its business units.

Today, compliance is just one of the many benefits of Equifax’s comprehensive security program and strong security position. Faster access to information, enhanced business intelligence and increased visibility of enterprise-wide IT services are among the additional business benefits Equifax has reaped by applying the right mix of innovation, business acumen and technology.

The ability to leverage this type of value from a security investment can go a long way in forging stronger ties with the businesses we protect. While it can be challenging to convince a business unit to dedicate significant capital to security initiatives, the process is well worth the return on investment. Applying security innovation to risk mitigation and data protection strategies can empower businesses to identify new growth opportunities and deliver better, customer-centric solutions. Here’s how we brought this approach to a few of our own business units:

• Equifax Personal Information Solutions, which provides consumer credit and identity theft protection products, has seen first-hand the impact of innovative security solutions at work. Partnering with Equifax’s Security Engineering team, Personal Information Solutions enhanced the authentication process used by new customers to access their Equifax credit report online. As a result, customers were able to obtain their online credit report with greater ease and enhanced security functionality—resulting in increased revenue for the company’s U.S. and U.K. operations.

• Another area gaining a competitive edge by working with our security team is Equifax Workforce Solutions, which provides employment and income verification as well as human resources business process outsourcing services. Workforce Solutions recently turned to Equifax Security to develop an authentication program for its commercial business portal. Benefits include increased security protection for business customers and a simpler, user-configurable security interface.

History has shown that companies that treat security as a business enabler are much more effective in managing risk, protecting their data assets and ultimately sustaining an industry edge. If the current economic crisis has taught us anything, it is that risk is a constant in our marketplace. For this reason, we must be vigilant in our pursuit of security innovation and new solutions that can mitigate risk and still drive greater business value. Companies that understand this correlation between risk and innovation are the ones that will set the high-water mark for security—and business performance.

Tony Spinelli is chief security officer of Equifax Inc.


TECHTARGET SECURITY MEDIA GROUP

INFORMATION SECURITY
EDITORIAL DIRECTOR Michael S. Mimoso
EDITOR Marcia Savage
ASSISTANT EDITOR Maggie Wright
ASSISTANT EDITOR Carolyn Gibney
COLUMNISTS Marcus Ranum, Bruce Schneier, Lee Kushner, Mike Murray
CONTRIBUTING EDITORS Michael Cobb, Eric Cole, James C. Foster, Shon Harris, Richard Mackey Jr., Lisa Phifer, Ed Skoudis, Joel Snyder
TECHNICAL EDITORS Greg Balaze, Brad Causey, Mike Chapple, Peter Giannacopoulos, Brent Huston, Phoram Mehta, Sandra Kay Miller, Gary Moser, David Strom, Steve Weil, Harris Weisman
USER ADVISORY BOARD Edward Amoroso, AT&T; Anish Bhimani, JPMorgan Chase; Larry L. Brock, DuPont; Dave Dittrich; Ernie Hayden; Patrick Heim, Kaiser Permanente; Dan Houser, Cardinal Health; Patricia Myers, Williams-Sonoma; Ron Woerner, TD Ameritrade

ART & DESIGN
CREATIVE DIRECTOR Maureen Joyce

SEARCHSECURITY.COM
NEWS EDITOR Robert Westervelt
SITE EDITOR William Hurley
SENIOR SITE EDITOR Eric Parizo

INFORMATION SECURITY DECISIONS
GENERAL MANAGER OF EVENTS Amy Cleary
EDITORIAL EVENTS MANAGER Karen Bagley

VICE PRESIDENT/GROUP PUBLISHER Doug Olender
PUBLISHER Josh Garland
DIRECTOR OF PRODUCT MANAGEMENT Susan Shaver
DIRECTOR OF MARKETING Josh Garland
SALES DIRECTOR Dara Such
CIRCULATION MANAGER Kate Sullivan
ASSOCIATE PROJECT MANAGER Suzanne Jackson
PRODUCT MANAGEMENT & MARKETING Corey Strader, Andrew McHugh, Karina Rousseau
SALES REPRESENTATIVES Eric Belcher, Patrick Eichmann, Jason Olson, Jeff Tonello, Nikki Wise

TECHTARGET INC.
CHIEF EXECUTIVE OFFICER Greg Strakosch
PRESIDENT Don Hawk
EXECUTIVE VICE PRESIDENT Kevin Beam
CHIEF FINANCIAL OFFICER Jeff Wakely

EUROPEAN DISTRIBUTION Parkway Gordon, Phone 44-1491-875-386, www.parkway.co.uk
LIST RENTAL SERVICES Julie Brown, Phone 781-657-1336, Fax 781-657-1100

INFORMATION SECURITY (ISSN 1096-8903) is published monthly with a combined July/Aug., Dec./Jan. issue by TechTarget, 275 Grove Street, Newton, MA 02466 U.S.A.; Toll-Free 888-274-4111; Phone 617-431-9200; Fax 617-431-9201. All rights reserved. Entire contents, Copyright © 2010 TechTarget. No part of this publication may be transmitted or reproduced in any form, or by any means without permission in writing from the publisher, TechTarget or INFORMATION SECURITY.
