Security Compliance and Industry Standards

We’ve helped many organizations across all industries achieve their compliance goals.

Our services meet requirements for many common regulations and standards.

The Gramm-Leach-Bliley Act

GLBA was enacted, in part, to allow financial services institutions to consolidate. Prior to GLBA, banks, securities firms, and insurance companies were required to remain separate as per the Glass-Steagall Act of 1933.

In addition to repealing the Glass-Steagall Act, GLBA requires financial services institutions to protect consumers' "nonpublic personal information." This requirement comes from the "Financial Institutions Safeguards" section of GLBA, which requires institutions to implement safeguards in order:

  • to insure the security and confidentiality of customer records and information
  • to protect against any anticipated threats or hazards to the security or integrity of such records
  • to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer

GLBA tasks a number of federal agencies with its enforcement. In addition to enforcement, GLBA requires these agencies to establish appropriate standards for the financial institutions under their jurisdiction relating to administrative, technical, and physical safeguards. Examples of governing bodies that have issued a "Safeguards Rule" in accordance with section 501(b) of GLBA include:

  • FFIEC (Federal Financial Institutions Examination Council)
  • FTC (Federal Trade Commission)
  • NCUA (Part 748) (National Credit Union Administration)
  • SEC (Regulation S-P) (Securities and Exchange Commission)

Family Educational Rights and Privacy Act

FERPA (20 U.S.C. 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. FERPA gives parents certain rights with respect to their children's education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are "eligible students."

Under FERPA, schools must generally provide parents and eligible students with:

  • access to the student's education records
  • an opportunity to seek to have the records amended
  • some control over the disclosure of information from the records

Schools are required to protect personally identifiable information from education records that has not been designated as directory information, and may not disclose it without written consent unless one of the FERPA exceptions applies.

Federal Information Security Management Act

FISMA was established in 2002 to protect the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

Agencies must adhere to a framework that provides for the following:

  • Inventory of information systems
  • Categorization of information and information systems according to risk level
  • Security controls
  • Risk assessment
  • System security plan
  • Certification and accreditation
  • Continuous monitoring

The standards for achieving FISMA compliance are issued by NIST (National Institute of Standards and Technology) in two forms:

  • FIPS (Federal Information Processing Standards), which are mandatory for federal systems
  • NIST Special Publications (the SP 800 series), which provide the supporting guidance

The Health Insurance Portability and Accountability Act of 1996

HIPAA was established in 1996 to protect health insurance coverage for individuals who lose or change jobs, and to establish standards for electronic healthcare transactions and national identifiers for providers, health plans, and employers. Health plans, health care clearinghouses, and health care providers that conduct these electronic transactions are the "covered entities" subject to its privacy and security requirements.

While there are numerous sections to HIPAA, there are two that stand out regarding information security requirements:

  • The Privacy Rule dictates how covered entities protect, share, and manage Protected Health Information (PHI) in any form (paper, oral, or electronic).
  • The Security Rule details administrative, physical, and technical safeguards for Electronic PHI (EPHI).

Covered entities must develop policies and procedures governing the protection of PHI, implement physical safeguards for PHI, and implement technical controls on the computer systems that store, process, or transmit PHI.

Health Information Technology for Economic and Clinical Health Act (HITECH)

The HITECH Act was enacted as part of the American Recovery and Reinvestment Act of 2009. It dictates additional privacy and security requirements over the transmission of electronic health information (EPHI) and extends requirements to business associates of covered entities.

The HITECH Act includes a number of new or enhanced requirements:

  • Breach notification rules dictating timeliness and minimum requirements
  • Audits and enforcement by the Department of Health and Human Services
  • Protection of Electronic Health Records (EHR)
  • Signed Business Associate Agreements on file with covered entities

Meaningful Use

To qualify for the Meaningful Use incentive programs, providers must use certified Electronic Health Record (EHR) technology. The certification criteria include the following security and privacy capabilities:

  • Access Control
  • Emergency Access
  • Automatic log-off
  • Audit log
  • Integrity
  • Authentication
  • General Encryption
  • Encryption when exchanging electronic health information
  • Accounting of disclosures (optional)

Learn more about the test procedures for these Meaningful Use certification criteria from NIST.

Critical Infrastructure Protection

The North American Electric Reliability Corporation (NERC) publishes Reliability Standards for the Bulk Electric System of North America. One group of these standards addresses Critical Infrastructure Protection (CIP). CIP is broken into nine distinct standards as follows:

  • Sabotage Reporting
  • Critical Cyber Asset Identification
  • Security Management Controls
  • Personnel & Training
  • Electronic Security Perimeter
  • Physical Security of Critical Cyber Assets
  • Systems Security Management
  • Incident Reporting and Response Planning
  • Recovery Plans for Critical Cyber Assets

In order to achieve and remain compliant with CIP, entities must execute a number of regular tasks, including:

  • Annual Cyber Vulnerability Assessments
  • Annual Approvals
  • Regular Testing/Exercising of Controls (e.g., physical, data recovery, incident response)

The Sarbanes-Oxley Act of 2002 (SOX)

The SOX Act was established as a reaction to numerous financial scandals (e.g., Enron, WorldCom) and is designed to increase corporate accountability and implement measures to defend against corporate and accounting fraud.

While there are numerous sections to the SOX Act, there are two that stand out regarding information security requirements:

Section 302 requires that officers of the company (CEO and CFO) sign off on quarterly and annual reports to, amongst other items, attest that the report is complete and accurate and to report on the effectiveness of internal controls.

Section 404 requires that an assessment of internal control over financial reporting be conducted and included as part of the annual report. While the assessment focuses on controls relevant to financial reporting, those controls depend on the IT systems that produce and store the financial data. Because of this relationship, the assessment must include an evaluation of the design and operating effectiveness of IT general controls.

Addressing SOX Section 404 requires the organization to implement information technology controls consistent with a control framework such as Control Objectives for Information and related Technology (COBIT) or ISO/IEC 27001.

International Organization for Standardization/International Electrotechnical Commission (ISO/IEC 27001/27002)

ISO/IEC 27001, first published in 2005, is the Information Security Management System (ISMS) standard: it specifies the requirements for a management system that brings information security under explicit management control, and it is the standard against which organizations are certified.

ISO/IEC 27002 (the 2005 edition, originally numbered ISO/IEC 17799) is the companion code of practice for information security controls. It consists of the following 12 main sections:

  • Risk assessment
  • Security policy – management direction
  • Organization of information security – governance of information security
  • Asset management – inventory and classification of information assets
  • Human resources security – security aspects for employees joining, moving and leaving an organization
  • Physical and environmental security – protection of the computer facilities
  • Communications and operations management – management of technical security controls in systems and networks
  • Access control – restriction of access rights to networks, systems, applications, functions and data
  • Information systems acquisition, development and maintenance – building security into applications
  • Information security incident management – anticipating and responding appropriately to information security breaches
  • Business continuity management – protecting, maintaining and recovering business-critical processes and systems
  • Compliance – ensuring conformance with information security policies, standards, laws and regulations


Payment Card Industry Data Security Standard (PCI DSS)

The PCI DSS was created by the PCI Security Standards Council (PCI SSC) to provide a set of standards designed to protect cardholder data. The PCI DSS is enforced by the card brands: Visa, MasterCard, American Express, Discover, and JCB.

The PCI DSS contains twelve major requirements, which are broken down into over 250 sub-requirements:

  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks
  • Protect all systems against malware and regularly update anti-virus software or programs
  • Develop and maintain secure systems and applications
  • Restrict access to cardholder data by business need to know
  • Identify and authenticate access to system components
  • Restrict physical access to cardholder data
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
  • Maintain a policy that addresses information security for all personnel

The form of annual validation (self-assessment questionnaire or on-site assessment by a Qualified Security Assessor) varies with the merchant's or service provider's card transaction volume. However, any organization that processes, stores, or transmits cardholder data is expected to adhere to the PCI DSS in its entirety, regardless of how it validates.