Information technology (IT) providers, both those within companies and those providing IT services, are expected to provide for information protection and privacy well beyond what was expected less than a decade ago. Although regulation is new to many in IT, businesses at large have worked within well-established regulatory frameworks and shareholder oversight for decades to the benefit of all. Some regulations—such as Securities Exchange Commission (SEC) rules for publicly traded companies and Occupational Health and Safety Administration (OSHA) requirements for worker safety—apply to a broad range of companies. Others are more targeted—for example, the Environmental Protection Agency (EPA) regulations on water quality are more relevant to manufacturers than to financial service providers. Changes in the regulatory environment have expanded the scope of coverage from traditional business areas, such as financial reporting and manufacturing processes, to include IT. In particular, preserving the integrity of data and protecting the confidentiality of personal information have driven several regulations that either directly or indirectly impact IT operations.
This chapter will examine the some of the broader information protection regulations that exist today as well as best practices for effectively and efficiently meeting those requirements. The first section of the chapter will examine financial integrity regulations and the recent business history that provided the motivation for passage of these types of regulations. The second section of the chapter shifts attention from businesses to individuals and looks into privacy regulations that are emerging from state, federal, and trans-national governments. The chapter closes with a discussion of best practices and frameworks that provide a broad structure for addressing requirements defined in a range of regulations (rather than attempting an ad hoc approach to individual regulations).
Reducing bureaucracy and eliminating regulations are favorite topics in some political circles, but regulations exist for a reason—especially with regard to keeping free markets functioning efficiently. It may not be obvious, but government oversight of markets has been one of the factors that have ensured their success. Speaking on corporate governance, United States Federal Reserve Chairman Alan Greenspan noted "[G]enerally speaking, the resulting structure of business incentives, reporting, and accountability has served us well. We could not have achieved our current level of national productivity if corporate governance had been deeply flawed" (Source: Alan Greenspan, "Remarks by Chairman Alan Greenspan," 2003 Conference on Bank Structure and Competition, May 8, 2003).
Although it is not deeply flawed, corporate governance has failed. Enron, Arthur Anderson, WorldCom, Tyco, and HealthSouth are some of the best-known examples of this failure. The corporate scandals of the past several years helped raise awareness for the need for more effective regulatory frameworks. High-profile corporate scandals helped lead to the passage of corporate governance legislation such as the Sarbanes-Oxley Act of 2002 (SOX). In addition to government regulations, some frameworks for protecting information originate from outside government agencies. These tend to be promoted by self-regulating industry bodies or nongovernmental standards bodies. The following sections will examine four regulations/frameworks:
SOX and 21 CFR Part 11 are United States federal regulations. SOX is the well-known legislation addressing broad issues in corporate governance. 21 CFR Part 11 is a more specialized regulation targeting pharmaceutical manufacturing and quality.
Basel II and ISO 17799 are frameworks created by non-governmental bodies that contribute to generally accepted principals for particular types of business operations. Basel II, for instance, addresses how banks measure and report credit risks. ISO 17799 addresses best practices in information security management. Regulations can be grouped along two dimensions—the creator of the regulation and the scope of the regulation.
Although these regulations are from different types of regulating bodies and cover diverse topics, three fundamental aspects of information security meet the regulations' objectives: confidentiality, integrity, and availability (see Figure 2.1).
Figure 2.1: Regulations are addressed by three fundamental aspects of information security.
A string of corporate corruption cases that developed in the fall of 2001 brought to light the need for effective corporate governance. These scandals devalued shareholders equity, cost employees jobs and pensions, and contributed to a widespread distrust in corporate governance. As one legal analyst put it "Enron was, quite simply, the opening chapter in a series of sordid tales about corporate governance run amok" (Source: Kathleen F. Brickley, "From Enron to WorldCom and Beyond: Life and Crime After Sarbanes-Oxley," available at http://law.wustl.edu/WULQ/812/Brickey.pdf). Although the high-profile scandals have faded into history, their consequences have not.
The ripple effects of these scandals are still evident several years later. A Wall Street Journal/Harris Interactive poll published in October 2005 found that 55 percent of United States investors surveyed feel that corporate governance standards are too lenient and 30 percent of investor respondents have divested or reduced holdings in firms as a result of poor corporate governance.
One of the most widely recognized attempts to improve corporate governance is the passage of the Public Company Accounting Reform and Investor Protection Act of 2002, more commonly known as SOX. This legislation, which applies to publicly traded companies, addresses several governance topics:
Some of the legislation is particularly relevant to information management and protection, as this chapter will explore.
Three SOX sections are especially relevant to IT operations: sections 302, 404, and 409. None of these sections of the law dictate how firms should implement IT; they simply state the regulatory requirements that IT must address.
Section 302: Corporate Responsibility for Corporate Reports describes the actions required of corporate officers to ensure the integrity of financial reports. The act specifically states that officers signing financial reports are responsible for establishing and maintaining internal controls to protect the integrity of that information.
A relatively short and unthreatening passage addresses the heart of IT responsibilities under SOX—section 404. This part of the act states that the SEC will enact rules that "state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting." This passage reinforces the need for internal controls that was also made clear in section 302.
In addition to calling for accurate reports on the financial state of a public company, section 409 requires that material changes in the financial condition of the company must be reported in a timely manner.
The sections of SOX relevant to IT focus on maintaining adequate information systems so that information about the financial state of the company is readily available and is not—and has not been—in a compromised position. This translates into several requirements:
Like the legislation, these requirements are broad and can be implemented in many ways. Regardless of how they are implemented, the implementations will share some common characteristics.
IT managers and designers must ensure that business requirements are accurately accommodated in information systems. Some of the more mundane aspects of this directive include maintaining reliable backups and ensuring business continuity plans are in place in the event of a service disruption. The more challenging issues arise when trying to accommodate, for example, complex business rules about how to categorize revenues, forecast production levels, or quantify some element of the competitive landscape. The crucial aspect of this requirement is to make sure business procedures and policies are accurately reflected in operational systems.
Another requirement centers on information integrity. Systems and network administrators must ensure that data is not changed in any unauthorized way, assuming all operational systems collect, process, and analyze data correctly. For example, access controls to applications must be in place so that only those responsible for adding and updating financial data can make those changes. File permissions contribute to file security and prevent accidental or intentional deletion of database files. Antivirus and other malware detection solutions are necessary to prevent malware from changing, stealing, or destroying data on both servers and desktop devices. Maintaining secure systems requires a comprehensive security program that addresses vulnerabilities across the entire path that data flows—database to server to client.
It is difficult to imagine an IT system that does not change. Information management procedures and tools need to respond to changing business requirements and adapt to new situations. At the same time, dependencies between systems prevent developers from freely modifying code without possibly affecting other applications. With appropriate change management procedures, however, IT managers can update their systems as needed while coordinating those changes with others impacted by the changes.
The reach of SOX goes far beyond the boardroom and the finance department. Information integrity is a central element of corporate governance; therefore, information management is also crucial. The law does not dictate how companies are to maintain information integrity and meet reporting requirements; however, commonly used system development, security, and operational procedures are recognized as applicable to meeting regulatory requirements:
Fortunately, these methods apply to regulations other than SOX as well.
Regulations targeting information integrity are not limited to financial information. Understandably, pharmaceutical manufactures are strictly regulated in both manufacturing processes and record keeping. Just as audits of financial records are needed to trace the movement of funds through a company, well-defined documentation is needed to ensure that manufacturing processes continue to meet stringent standards and that appropriate monitoring controls are in place. 21 CFR Part 11 is maintained by the United States Food and Drug Administration (FDA) and governs electronic records and electronic signatures in the pharmaceuticals industry.
CFR is the set of rules and regulations published by the executive department and federal agencies in the United States. Title 21 is the set of regulations published by the FDA and Drug Enforcement Administration (DEA).
Unlike SOX—legislation passed by the United States Congress that does not dictate specific procedures—21 CFR Part 11 was developed by an agency with expertise in the field of pharmaceuticals. This regulation and supporting publications from the FDA provide much more detailed guidance about what must be done to meet the objectives of the regulation. For example, in an industry-guidance document, the FDA identifies several necessary information protection practices:
An organization can implement the previously listed information protection practices for managed devices, such as database servers, application servers, and desktop systems. Access controls, for example, are based on the identity of the user and can be used to limit access to an information resource from any device. However, potential problems can arise from the sometimes difficult-to-anticipate vulnerabilities that emerge when security mechanisms are used in a variety of ways.
For example, consider a pharmaceutical representative who employs a Web portal that provides a single point of access to email, collaboration tools, research libraries, and other tools. While at an industry conference, the representative uses a public PC in the hotel's business center to check email and download sales collateral from the company portal. Running late for a presentation, the representative logs off the portal and clicks the home icon in the browser, unknowingly creating an information theft vulnerability. When working in the office, logging off the portal may be enough to maintain adequate levels of security; on public devices, this action is not enough. Unless the buffer cache and cookies are cleared after that session, identifying information may be accessible to the next user.
Regulations in 21 CFR Part 11 require that the integrity of electronic documents be protected; however, common practices, such as remote access, can expose vulnerabilities in access control procedures as well as other security measures. When assessing the steps necessary to meet information protection regulations, it is essential to consider the combination of ways that information is accessed and how to minimize the threat exposure to information integrity created by those practices.
Both SOX and 21 CFR Part 11 are government regulations that emphasize information integrity. Industry organizations also have an interest in defining and enforcing minimal acceptable practices in this area—if for no other reason than to establish and control standards rather than wait for governments to step in and do the job.
The Bank of International Settlements (BIS) is an international organization established in 1930 to promote cooperation between banks. Although it was created under the auspices of international law, it competes with private banks and has had private investors in the past. BIS is currently owned by member central banks. Its primary objectives are:
In addition, it seeks to promote improved accounting standards. To that end, BIS has established a set of standards known as Basel II (the formal title of this standards set is "International Convergence of Capital Measurement and Capital Standards: A Revised Framework"). These standards address:
Like SOX, the goal of the Basel II framework is to establish reporting standards to ensure investors and other stakeholders have an accurate description of a bank's financial position. The framework does so by establishing three regulated areas: minimum capital requirements, managerial oversight, and disclosure. To effectively manage and report on the state of a bank, the organization must have mechanisms in place to ensure integrity and availability of information. Access controls, network and server defenses, threat assessments, security policies and procedures, and business continuity plans are fundamental to meeting Basel II requirements.
Basel II and 21 CFR Part 11 are examples of industry-specific regulations. Although they apply to unrelated industries, they have the same core objective—information integrity—and their implementations depend on similar sets of security measures. The same pattern is seen in regulations ranging from those that apply to federal government agencies, such as the Federal Information Processing Standards (FIPS), to cyber security programs promoted in the electric power generation industry by the North American Electric Reliability Council (NERC). Regardless of an organization's business or role in society, the need to gather, store, protect, and analyze information is pervasive.
Given this widespread need for information protection frameworks, it is not surprising that a broad standard has been developed in addition to those legislated by governments or created by industry-specific bodies.
ISO 17799 is an information security standard published in 2000 and revised in 2005 by the ISO. The 2005 version of the standard defines best practices in 11 key areas of information security:
ISO 17799 is a set of best practices that applies to virtually any organization. Unlike regulations such as SOX, the ISO 17799 framework does not require adherence by any companies, nonprofit, or government agency—adoption is voluntary. This framework does, however, provide a comprehensive structure for establishing security policies and procedures.
As discussed earlier, information integrity is one of the two drivers behind the adoption of information-related regulations. Privacy is the other.
As economic institutions face growing concerns about corporate governance, individuals are becoming increasingly concerned about personal privacy. Consider the opinions of Internet users from 8 or 9 years ago:
Today, those and broader privacy concerns are reflected in privacy legislation that has been enacted by state, national, and trans-national governments. This section includes a discussion of some of the best-known privacy regulations, such as the Gramm-Leach-Bliley Act (GBLA), the Heath Insurance Portability and Accountability Act (HIPAA), and California Senate Bill (SB) 1386.
The confluence of corporate governance interests demanding more integrity in business operations and reporting and individuals' concern about the potential for information abuse emerging with advancing IT has created a new regulatory environment that brings IT within the regulatory scope. As Figure 2.2 illustrates, privacy regulations require the data be protected, regardless of where or how it is transmitted and stored. Fortunately, a common set of measures and best practices can provide the foundation for meeting the existing and evolving requirements to maintain information integrity and confidentiality.
Figure 2.2: Organizations must protect privacy information regardless of where or how it is stored.
GLBA, formally known as the Financial Modernization Act of 1999, revised rules that governed the banking industry since the Great Depression. In addition to changing restrictions on combining investment and banking activities, the act imposes restrictions on how financial services companies collect, use, and share consumers' private financial information. (Financial information includes name, address, phone number, bank account numbers, Social Security numbers, and credit and income histories.) The legislation defines financial services firms in a broad manner to include banks, insurance companies, investment firms, consumer lenders, funds transfer services, tax preparation services, and financial counselors.
The bill defines three main requirements related to non-public financial information:
Together, these three parts of the legislation constitute the privacy protection mechanism of the law.
The Financial Privacy Rule of GLBA establishes several requirements for financial institutions:
The Safeguards Rule of GLBA requires financial services companies and companies that receive financial information from financial services companies to adequately protect consumer information. The safeguards put in place must include a written security policy that describes how non-public information is protected. In addition, institutions must
The Safeguards Rule also requires firms to address three areas central to information security: employee management and training, information systems security, and system failure management.
With regard to employee management and training, the guidance from the United States Federal Trade Commission (FTC), the agency responsible for enforcing GLBA, suggests several actions on the part of financial service companies:
In addition to employee training, it is vital to implement appropriate security measures in information systems.
The guidance on information systems security outlines procedures that should be in place but leaves implementation details to firms managing the systems. The FTC includes the following suggestions:
An especially challenging suggestion is to not "store sensitive customer data on a machine with an Internet connection" (Source: FTC, "Financial Institutions and Customer Data: Complying with the Safeguards Rule," September 2002). Financial services firms may be willing to isolate mainframes and database servers used for backend processing from the Internet, but Web-based applications used in branch offices, programs that transmit consumer information to brokers and third-party affiliates, and employees that remotely access a company's applications all run the risk of storing sensitive information on devices with Internet connections.
In today's Web-enabled environment, nearly every user has access to the Internet via a Web browser, which is arguably the most powerful application on the client desktop. This Webenabled environment has shifted control away from IT into the hands of individual users. Users can immediately access a limitless supply of applications and content, which can create unnecessary security threats for an organization. For example, sensitive or confidential information may leave the company without anyone's knowledge, compromising corporate governance and compliance regulations. In addition, harmful malware or spyware could be introduced into the network, increasing the probability of information security breaches and performance problems. Thus, it is important for IT to implement technologies and methodologies such as encrypting information during transmission, implementing proxy appliances, implementing information usage policies and controls, and removing all cached copies of the data.
These suggestions assume sensitive information is tightly coupled to devices that can be reasonably well secured. Such is not always the case. Rather than depend on device-centric security, an on-demand security model—in which security is associated with the data wherever it is transmitted—is more appropriate. This security model is emerging and will likely become a preferred method for addressing some of the more challenging aspects of the Safeguards Rule.
The third key area the FTC addresses is how to manage system failures.
Natural disasters, fires, and cyber-attacks can all disrupt operations. Under the Safeguards Rule, financial service companies are required to plan for those events and take appropriate precautions:
The FTC also suggests notifying customers if their non-public information is lost, damaged, or subject to unauthorized access. A similar requirement is found in California SB 1386 (discussed later in this chapter); such requirements have lead to wide publicity of significant security breaches at banks and credit card processing companies—all the more incentive to implement effective security measures to protect consumer information.
Another set of requirements in GLBA related to securing consumer information is a form of social engineering known as pretexting.
Pretexting is a form of social engineering in which a person uses false pretenses to obtain nonpublic information. This threat can include the perpetrator calling a bank pretending to be a customer who has lost his checkbook and account number. In another example, someone could call customers pretending to conduct a survey on customer service for the bank and asking for account information. GLBA explicitly prohibits pretexting, including make false statements to financial services personnel or consumers of such firms.
Pretexting is similar to the online problem of phishing in which scammers use email to solicit private information used for identity theft. The most common forms of identity theft, according to the FTC, are credit card fraud, bank fraud, communications services fraud, and fraudulent loans. GLBA has been used in prosecutions of phishing scams, including one that tricked victims into revealing credit card numbers by pretending to be messages from America Online and PayPal (see http://www.ftc.gov/os/caselist/0323102/0323102zkhill.htm for details about this case). In another case, perpetrators of a mortgage scam were charged with violating GLBA (see http://www.ftc.gov/os/caselist/0223224/0223224.htm for details).
Financials services companies regularly use countermeasures to pretexting, such as asking predetermined privacy questions (for example, asking customers to provide their favorite color or the name of their first pet). Consumers, however, are still targets of phishing scams and other pretexting schemes.
Financial services firms have little choice but to take the privacy protection regulations seriously—severe penalties are defined for violations. Under GLBA, institutions may be fined $100,000 per violations, and directors can be fined $10,000 per violation.
GLBA revised decades-old regulations governing the financial services market as well as introduced privacy measures to protect non-public information. As IT improves the ability to share information and business consolidations, such as bank and investment companies mergers, increase the motivation for such sharing, regulations are evolving to ensure the privacy concerns of consumers are met along the business objectives of the market. The healthcare industry also benefits from improved information sharing but must address privacy concerns as well.
HIPAA became law in the United States in 1996, enacting broad privacy protections for health and medical information. The objective of the law is to promote efficiencies in the health care system through the use of electronic records. As with changes in the banking industry, the quest for efficiency was balanced with demands for patient privacy protections. The key privacy provisions are:
In addition to the general provisions of HIPAA, regulations define specific administrative requirements with regard to information security. In general, health care providers must ensure the confidentiality, integrity, and availability of protected health care information. They must implement countermeasures to anticipated threats and protect against anticipated hazards and disclosures. The regulation further defines several required safeguards:
The list is, not surprisingly, similar to the requirements under GLBA. There is also significant overlap with security standards addressed in ISO 17999. Clearly, there is a great deal of overlap in the development of information security regulations. Fortunately for businesses, government agencies, and other organizations, this overlap means a common set of best practices can meet many of the requirements of different regulations. Of course, there may be regulation- or industry-specific requirements but there should be no need for silos of security measures for individual regulations. Many of the same security procedures used to comply with SOX can equally well apply to HIPAA and GLBA.
HIPAA carries stiff penalties for violations. Firms may be fined $100 per violation up to $25,000 per year for each requirement violated. Penalties for individuals range from $50,000 in fines and 1 year in prison to $250,000 in fines and 10 years in prison.
As noted at the beginning of this section, there is significant public concern about the ability of individuals to protect their privacy. In the United States, the federal government has reacted to this concern with targeted, industry-specific regulations such as GLBA and HIPAA. The state of California has also addressed privacy concerns with legislation.
The State of California, in response to growing concern over identity theft, enacted legislation in 2002 requiring firms, government agencies, and persons doing business in California that gather personal financial information to notify victims when there is a security breach that compromises victims' private information. The bill, known as California SB 1386, defines personal information to be the person's first name or first initial and last name in combination with one of the following:
The act defines a security breach as "unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information." Individuals whose personal data is compromised to hacking or other unauthorized release and has suffered damage from it may seek civil damages against the organization that compromised the data.
California SB 1386 is a state law that applies to companies outside of the state who are doing business with customers in California. With roughly 12 percent of the population of the United States in California, many national and international businesses find themselves under the reach of this law.
Thus far, the discussion of privacy regulations has focused on those originating in the United States. In fact, some of the most stringent privacy regulations are enacted by other nations and trans-national governments.
Privacy laws have been enacted in countries around the world. Although the scope of coverage, the methods of enforcement, and the effectiveness of different laws will vary, the fact that there is such widespread adoption of some form of privacy regulation indicates these types of laws will likely be in force for the foreseeable future. Examples of countries enacting privacy legislation include:
Canadian privacy legislation embodies a series of 10 principals that are common to broadly understood definitions of privacy. To begin, organizations are responsible for personal information they collect and should appoint someone to be directly responsible for complying with privacy legislation and regulations. When organizations collect information, it must be done with a person's consent and the purpose for collecting the information should be identified. Information collected should be limited to what is necessary for the stated purpose. Moreover, the information should not be shared without the person's consent and should be retained only as long as needed. Organizations are custodians of data and should maintain adequate safeguards to ensure the information is not disclosed to unauthorized users or for unauthorized purposes. The information that is maintained should be accurate and up to date. Finally, individuals should have access to their information and have the right to challenge compliance with the principals of privacy legislation.
The EU has enacted privacy legislation with similar principals, which has created issues for United States companies doing business with Europeans.
The EU's Data Protection Directive enacts privacy protections guaranteed by the European
Convention on Human Rights. Many of the principals are similar to those embodied in Canada's PIPEDA, but one provision of the legislation was troubling for international trade. The legislation included a requirement stating that protected information not be transferred to a country outside of the EU that does not adequately protect private information. The United States' approach to privacy protection did not meet that standard.
The EU and the United States negotiated a framework known as Safe Harbor, which provides sufficient privacy protections for European companies to share private information about EU citizens. Any United States company that abides by the provisions of the framework is eligible to receive protected information from European businesses. The framework consists of seven basic principles:
The principals adopted in the Safe Harbor framework are similar to those found in privacy legislation both in the United States and Europe.
The need to protect personal information is well established in many countries. In the United States, legislation is targeted to particular types of privacy, such as financial and health care privacy, while in Europe, a consolidated approach protects personal information in general.
Financial integrity and personal privacy regulation both depend upon adequate procedures and controls in IT. Without a comprehensive view of information security, organizations run the risk of implementing multiple schemes to comply with multiple regulations.
Compliance with the regulations outlined in this chapter depends upon IT. Although information security, in a narrow sense, is not enough to meet regulatory demands, it is an essential part of the broader issue of IT governance that does enable compliance. The three aspects of governance that must be in place to comply with existing regulations are:
As noted earlier, these are the fundamental objectives of information security. Ensuring that the objectives are met requires a broad view of governance.
Governance is the oversight, management, and implementation that ensures security practices are in place and effective. There are many ways to implement governance procedures, and organizations should adapt those practices to their specific needs; however, many organizations will benefit from starting with existing frameworks such as ISO 17999 or the Control Objectives for Information and Related Technology (COBIT). Rather than delve into more of the details of ISO 17999 or discuss the specifics of COBIT, the following section explores how such frameworks are structured and then used to meet the needs of confidentiality, integrity, and availability.
The purpose of frameworks is to impose structure on what can appear to be an unwieldy collection of the business requirements, hardware devices, applications, processes, and procedures that make up IT operations. Using COBIT terminology, you can understand frameworks for managing these operations in terms of four levels of objects:
The domains are high-level areas of IT management and include planning and organization, acquisition and implementation, delivery, and support and monitoring. Within each domain is a set of processes that identifies an IT strategic plan, defining information architecture, acquiring and maintaining application software, ensuring continuous service, and assessing internal control adequacy. Control objectives are policies and procedures designed to ensure that business requirements are met and include items such as developing an information architecture model, developing hardware and software acquisition plans, and managing security measures. Control processes are the procedures taken to realize control objectives.
IT professionals are subject to levels of regulatory overview that was uncommon even several years ago. Demands for improved corporate governance have lead to legislation such as SOX. At the same time, non-governmental and quasi-governmental agencies have developed frameworks and standards to improve the integrity of business practices. Regulations are not limited to business operations and reporting. Significant public concern about private information has grown with improvements in IT that allow for relatively easy sharing of information. The concern is fostered by increasing fear of identity theft, which has prompted even state governments to legislate protections of personal information.
With the increasing number and growing complexity of regulations, IT professionals could be unduly burdened with compliance efforts if proper practices are not in place. First and foremost, IT practitioners should view compliance as an outcome of best practices in IT governance and information security management. With a focus on well-defined objectives and implementing best practice controls for identity management and access controls, confidential data transmission and storage, blocking and removal of malicious software, and business continuity maintenance, compliance will follow. The next chapter will build on this foundation of security best practices knowledge by exploring the key technologies for on-demand security to prevent information theft.