Compliance Concerns for Security Architectures
Ken Rowe ISSAP, CISSP, IAM
Rowe Systems Security
Industry Pressure on Compliance
• Three major regulations:
  • Sarbanes-Oxley Act (SOA or SOX)
  • Gramm-Leach-Bliley Act (GLBA)
  • Health Insurance Portability and Accountability Act (HIPAA)
• Compliance: providing assurance that controls are in place and effective.
• It is not sufficient just to implement security services; you must demonstrate continual control and management involvement.
SOX Overview (Tracking Information Flows)
What can happen to the data on the way to statements?
[Diagram labels: Business Event → Financial Statement; Internal Corporate IT Systems, External Systems, End User Computing; layers: Data, Applications, Systems, Networks, Facilities]
Slide from Jan Hertzberg, Grant Thornton, Inc.
SOX Overview - 2
See itgi.org website
SOX Overview - 3
COBIT is a framework for managing risk and control of Information Technology.
COSO is a framework for an internal control environment.
See itgi.org website
SOX Overview - 4a
• General IT Controls
  • Implementation Lifecycle
    • Acquire or Develop
    • Authorized Requirements
    • Include Security Considerations
    • Application Specific Controls
    • Operating Environment Controls
    • User Acceptance Testing
SOX Overview - 4b
• General IT Controls (continued)
  • Formal Change Management Process for:
    • Application Programs
    • Operating Environment
    • Infrastructure Components
    • Regular and Emergency Changes
  • Incident Reporting
    • Monitoring, Logging, Tracking to Closure
    • Defined Process for Management Reporting
SOX Overview - 4c
• General IT Controls (continued)
  • System Infrastructure Audit
    • Includes FW, Routers, Switches, etc.
    • Examine settings on devices
    • Perform periodic vulnerability testing (e.g., Nessus)
  • Corporate Security Policy
    • High Level Policy Statement (example)
    • Non-Repudiation Services
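The "examine settings on devices" control above is usually operationalized as a repeatable baseline check whose findings are tracked to closure. The script below is an added example, not part of the original slides or of any vendor's tooling: it scans a constructed, IOS-style router configuration for a few settings an infrastructure auditor would flag (reversible enable password, well-known SNMP community, Telnet management, no session timeout) and for required settings whose absence is itself a finding (no syslog destination, no NTP source). The device name, configuration lines and rule set are all illustrative assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample configuration for an imaginary router; not a real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
enable password cisco123
snmp-server community public RO
service password-encryption
line vty 0 4
 transport input telnet ssh
 exec-timeout 0 0
logging host 10.0.0.5
ntp server 10.0.0.6
"""

@dataclass(frozen=True)
class Finding:
    rule: str       # short rule identifier, usable as a tracking key
    severity: str   # assumed three-level scale: high / medium / low
    line_no: int    # 1-based config line, or 0 when the finding is a missing setting
    text: str       # auditor-facing description

# Rules that fire when a matching line is PRESENT: (name, severity, pattern, description).
LINE_RULES = [
    ("cleartext-enable-password", "high",
     re.compile(r"^enable password "),  # 'enable secret' is the hashed alternative
     "Enable password stored reversibly instead of as 'enable secret'"),
    ("default-snmp-community", "high",
     re.compile(r"^snmp-server community (public|private)\b"),
     "Well-known SNMP community string in use"),
    ("telnet-management", "medium",
     re.compile(r"^\s*transport input .*\btelnet\b"),
     "Telnet permitted for device management; restrict to SSH"),
    ("no-session-timeout", "low",
     re.compile(r"^\s*exec-timeout 0 0$"),
     "Management sessions never time out"),
]

# Rules that fire when NO line matches: the setting is required by the baseline.
REQUIRED_RULES = [
    ("no-remote-logging", "medium", re.compile(r"^logging host "),
     "No syslog destination; device events cannot be monitored centrally"),
    ("no-ntp", "low", re.compile(r"^ntp server "),
     "No NTP source; log timestamps cannot be trusted for incident tracking"),
]

def audit_config(config_text: str) -> list[Finding]:
    """Return findings in config order, followed by any missing-setting findings."""
    findings: list[Finding] = []
    lines = config_text.splitlines()
    for no, line in enumerate(lines, start=1):
        for name, sev, pattern, desc in LINE_RULES:
            if pattern.search(line):
                findings.append(Finding(name, sev, no, desc))
    for name, sev, pattern, desc in REQUIRED_RULES:
        if not any(pattern.search(line) for line in lines):
            findings.append(Finding(name, sev, 0, desc))
    return findings

def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, for the management report the control asks for."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts

if __name__ == "__main__":
    results = audit_config(SAMPLE_CONFIG)
    for f in results:
        where = f"line {f.line_no}" if f.line_no else "missing"
        print(f"[{f.severity:6}] {f.rule:26} {where}: {f.text}")
    print(summarize(results))
```

Each Finding carries a stable rule name and a line reference so it can be entered into the same monitoring-and-tracking-to-closure process the previous slide describes; re-running the audit after remediation shows whether the finding has actually closed.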
SOX Overview - 5
• Outsourced Processing
  • SAS 70 Type II
  • Documented controls relevant to outsourced processes.
  • Independent audit
  • Review of flow to/from the outsourced process.
GLBA Overview
• Addresses:
  • Protection of Non-Public Information
  • Security and Confidentiality
  • Anticipate Threats
  • Unauthorized Use or Access
GLBA Overview - 2
• Examples of Non-Public Information:
  • "Customer Records"
  • Social Security, Driver's License, Birthdate
  • Credit Card Numbers
  • Loan and Account Numbers
HIPAA Overview
• Covered by HIPAA:
  • Claims or equivalent encounter information
  • Payment and Remittance Advice
  • Claim Status Inquiry/Response
  • Eligibility Inquiry/Response
  • Referral Authorization Inquiry/Response
  • Self-insured Health Care Programs and Health Savings Accounts
HIPAA Overview - 2
• The Administrative Simplification Requirements of HIPAA consist of four parts:
  1) Electronic transactions and code sets;
  2) Security;
  3) Unique identifiers; and
  4) Privacy.
Discussion - Outsourced Service
• Payroll processing is outsourced to Acme Business Services (ABS)
  • What information is sent?
  • What controls would you expect ABS to have in place?
  • What controls would you expect Company A to have in place?
Discussion - Merchant / Check Scenario
• Customer writes a check at a Merchant for over $250.00
• Merchant requires a thumbprint on the check.
  • Where does the check go?
  • Regular vs. electronic clearing
• Under GLBA, how do you safeguard the thumbprint?
• What if you are using a thumbprint for electronic user ID?