Industry Standards

After you get out of the general corporate security policy doldrums, you can begin to focus on the standards set forth by other governing bodies, such as DISA, NIST, or the PCI SSC. We have focused on just a few here that seem to be hot-button topics for clients and lawyers alike. The first question someone will ask if there is a problem or an incident is, “Were you conforming to industry standards and best practices?” Your answer had better be a resounding YES!

Following are specific regulations addressed by industries:

Financial Services: Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley Act (SARBOX), USA Patriot Act, PCI Data Security Standard (PCI DSS), and the Basel II Accord (EU)

Healthcare and Pharmaceuticals: Health Insurance Portability and Accountability Act of 1996 (HIPAA) and FDA 21 CFR Part 11

Infrastructure and Energy: Guidelines for FERC and NERC Cybersecurity Standards, the Chemical Sector Cyber Security Program, and Customs-Trade Partnership Against Terrorism (C-TPAT)

Federal Government: Compliance with FISMA and related NSA Guidelines and NIST Standards

Security Methodologies: Security and control frameworks such as ISO 17799, COSO, and COBIT

Consumer Protection and Data Privacy: Children’s Online Privacy Protection Act (COPPA), Children’s Internet Protection Act (CIPA), CAN-SPAM (the federal law governing unsolicited commercial e-mail), Bill C-6: Personal Information Protection and Electronic Documents Act (Canada), California Senate Bill SB1386 (individual privacy and breach notification), and Massachusetts state regulation 201 CMR 17.00

Payment Card Industry Data Security Standard (PCI DSS)

This is a worldwide information security standard defined by the Payment Card Industry Security Standards Council (PCI SSC). It was put in place to prevent credit card fraud through increased controls around data and its exposure to external threats.

PCI DSS began as five separate but similar programs run by the “Big Five” card brands: Visa, MasterCard, American Express, Discover, and JCB. The PCI SSC was formed to standardize the industry’s security practices, and on December 15, 2004, the PCI DSS was released.

In July 2009, the PCI SSC published the wireless guidelines for PCI DSS recommending the use of Wireless Intrusion Prevention Systems (WIPS) to automate wireless scanning for large organizations. These guidelines apply to the deployment of wireless LAN in cardholder data environments.

The current version of the standard is version 2.0; as of October 2010, it sets forth 12 requirements for compliance, organized into six logically related groups called control objectives.

To learn more on the PCI standard go to https://www.pcisecuritystandards.org/ as referenced earlier in this chapter.

Sarbanes-Oxley Act of 2002 (SOX)

Enacted July 30, 2002, this is also known as the “Public Company Accounting Reform and Investor Protection Act” and “Corporate and Auditing Accountability and Responsibility Act.” It set new, or better defined, standards for all U.S. public company boards, management, and public accounting firms. It was enacted as a reaction to a number of major corporate scandals (Enron, Tyco International, Adelphia, WorldCom, and so on). It does not apply to privately held companies.

Sarbanes-Oxley contains 11 titles that outline specific mandates and requirements for financial reporting: 1) Public Company Accounting Oversight Board, 2) Auditor Independence, 3) Corporate Responsibility, 4) Enhanced Financial Disclosure, 5) Analyst Conflicts of Interest, 6) Commission Resources and Authority, 7) Studies and Reports, 8) Corporate and Criminal Fraud Accountability, 9) White Collar Crime Penalty Enhancement, 10) Corporate Tax Returns, and 11) Corporate Fraud Accountability.

Health Insurance Portability and Accountability Act (HIPAA) of 1996

HIPAA was put in place to protect you and your family’s health coverage during times of crisis, such as when you lose your job, and it also put in place (in Title II) the Administrative Simplification (AS) provisions. These require the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. The AS provisions also address the security and privacy of health care data.

The Final Rule on Security Standards was issued on February 20, 2003, took effect on April 21 of that same year, and set a compliance date of no later than 2005. The Security Rule deals specifically with Electronic Protected Health Information (EPHI) and lays out three types of security safeguards required for compliance: 1) administrative, 2) physical, and 3) technical. Each safeguard contains various standards, and for each standard it lists required and addressable implementation specifications:

Administrative safeguards: Policies and procedures designed to clearly show how the entity will comply with the act

Physical safeguards: Controlling physical access to protect against inappropriate access to protected data

Technical safeguards: Controlling access to computer systems and enabling covered entities to protect communications containing Protected Health Information (PHI) transmitted electronically over open networks from being intercepted by anyone other than the intended recipient

Massachusetts 201: Standards for the Protection of Personal Information of Residents of the Commonwealth

This regulation establishes minimum standards to be met in connection with safeguarding personal information contained in both paper and electronic records. I want to focus on one section in particular, section 17.04: Computer System Security Requirements.

Section 17.04 establishes eight elements that each computer system containing personal information must have, as follows:

1. Secure user authentication protocols.

2. Secure access control measures.

3. Encryption of all transmitted records and files containing personal information that will traverse public networks, and encryption of all data containing personal information to be transmitted wirelessly.

4. Reasonable monitoring of systems, for unauthorized use of or access to personal information.

5. Encryption of all personal information stored on laptops or other portable devices.

6. For files containing personal information stored on a system that is connected to the Internet, there must be reasonable up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.

7. Reasonably up-to-date versions of system security agent software, which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.

8. Education and training of employees on the proper use of the computer security systems and the importance of personal information security.

Compliance with MASS 201 has been mandatory since March 1, 2010, for every person who owns or licenses personal information about a resident of the Commonwealth.

If you’d like to read the regulation in its entirety, you can find it here: www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf.

SAS 70 Series

Statement on Auditing Standards (SAS) No. 70, or SAS 70, is an industry-recognized standard published by the American Institute of Certified Public Accountants (AICPA). SAS 70 provides third-party validation of the internal controls of service organizations, enabling them to disclose their control activities and processes to their customers and auditors in a consistent and uniform format.

The SAS 70 standard does not specify a required set of control objectives; the service organization defines its own, and the auditor tests against them. So, making sure you have well-written, concise security policies will be a boon when your organization gets audited. A significant component of a SAS 70 audit involves the evaluation of an organization’s information security controls.
