IS 345 Boston What Is the Difference Between GAAS and GAAP Discussion Questions

IS 345

Boston University

Description

Provide answers to each question.

part 1:

Network Address Traversal (NAT) allows multiple LAN machines with private IP addresses to communicate with Internet-based servers using one public IP address. Virtual Private Network (VPN) allows external access to internal LAN resources by creating a secure 'tunnel' between the remote machine and the firewall.

Both of these techniques are widely used in corporate networking today, yet both involve inherent risks. Can you think of some ways that configuring these protocols could pose a security risk? Respond to this thread with your thoughts.

part 2:

Discuss how a specific standard or regulation impacts a business. (For example, how does GDPR impact the Royal Dutch Shell company?) (Write 200 words)

part 3:

  1. How is monitoring different than auditing? Are there different roles/personnel involved with monitoring and auditing? If so, why would there be? If not, why not?
  2. Why are external (IT) audits required in highly regulated environments such as healthcare or financial institutions? Provide at least four items that an external auditor would be auditing in an IT environment for either healthcare or a financial institution.
  3. It is said that we (of IT) are required to exercise due diligence with respect to IT systems and services. Why is it our responsibility? How does exercising IT due diligence increase the business’ trust in electronic systems?
  4. Discuss the IT compliance requirements of the Sarbanes-Oxley Act. What specific section of the Act applies to IT controls?
  5. What is the difference between GAAS and GAAP?

Unformatted Attachment Preview

IS345 Information Security
Module 5 | Cyber Regulations and Standards

Agenda
● Cyber Regulations and Standards

Outcomes
● Develop policies and procedures needed to respond to and remediate cyber attacks on an organization’s core systems and describe a plan to restore functionality to the infrastructure.
● Implement systems, apply tools and use concepts to minimize risk to an organization’s cyberspace to address cybersecurity threats.

Objectives
● Become familiar with the U.S. HIPAA, PCI, Sarbanes-Oxley and other U.S.-specific laws and regulations
● Define and discuss IT security policies
● Define attributes of an effective and an ineffective IT security policy
● Review legal and regulatory requirements relative to your country
● Identify two laws (for your country) that protect data and privacy
● Examine data, electronic and privacy protection laws in other countries
● Discuss legal and regulatory requirements affecting information security

Standards
● Standards are mandatory requirements, a code of practice approved by a recognizable external standards organization.
● ISO, ISACA, IAPP, NIST, PCI
● Cybersecurity has many different standards

ISO 27000 series
The International Standards Organization puts out many standards. However, the 27000 series specifically focuses on cybersecurity.

ISO 27000 series examples
● 27000:2016 – This standard describes how an information security management system (ISMS) should work
● 27001:2013 – This standard describes the main information security techniques
● 27002:2013 – This standard provides detailed descriptions of the controls
● 27002:2017 – This standard provides guidance on planning an information security management system
● 27004:2009 – This standard covers the types of metrics and measurements
● 27005:2011 – This is the main standard used when conducting an information risk management program
● 27010:2015 – This standard was developed with the express intention of exchanging information securely between organizations

Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.
● PCI DSS provides a baseline of technical and operational requirements designed to protect account data.
● PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers.

PCI DSS (slide)
PCI DSS Example (slide)

Free writing exercise - 30 minutes
● Review the PCI Standards
● Discuss which PCI Standard you feel is the most important and why

National Institute of Science and Technology
● NIST is a U.S. government research and standards agency.
● The organization focuses on many types of engineering research including cyber security
● Special Publication series
● National Vulnerability Database: https://nvd.nist.gov/
● https://csrc.nist.gov/publications/sp
  ○ NIST SP 800-83 – Guide to Malware Incident Prevention and Handling
  ○ NIST SP 800-100 – Information Security Handbook: A Guide for Managers
  ○ NIST SP 800-153 – Guidelines for Securing Wireless Local Area Networks (WLANs)

Cyber Security Laws
● European Union
  ○ Network and Information Security (NIS) Directive
    ■ Member states are required to adopt a national strategy that sets out concrete policy and regulatory measures to maintain a level of network and information security.
    ■ The competent authorities in EU member states and the European Commission will form a cooperation network to coordinate against risks and incidents affecting network and information systems.
    ■ EU member states must ensure that public bodies and certain market operators take appropriate technical and organizational measures to manage the security risks of networks and information systems.
    ■ Public bodies and selected private sector companies must also notify the competent authority of incidents that have a significant impact on the continuity of these services.
  ○ General Data Protection Regulation (GDPR)
    ■ Extends privacy rights of individuals and how their data is managed and moved
● United States has no comprehensive cyber security laws, but some areas are covered by other laws.
  ○ HIPAA
  ○ Sarbanes-Oxley Act
  ○ COPPA

Free writing exercise - 30 minutes
● Review one HIPAA, SOX, or any other law
● Discuss which aspects pertain to information security

Information Security Lifecycle Assignment
● Students will review and discuss the IT security life cycle as it relates to a particular program or system.
● Students will explain the steps taken at each point in the lifecycle to respond to IT security vulnerabilities and risks.
● 4-6 pages excluding the title page, table of contents and references.
● APA formatting is required

References
Payment Card Industry. (2018). PCI Data Security Standards v3.2.1. Retrieved from https://www.pcisecuritystandards.org/document_library
Sutton, D. (2017). Cyber security: a practitioner’s guide. Swindon, UK: BCS Learning & Development.

IS 464 – Policy and Audits
Week 5 – Audit Role in Information Technology

Slide 2 – Senft & Gallegos Chapter 3
● IT auditing, while often not popular, is necessary given:
  ○ Importance of IT systems and services to the business, including needing to meet regulations and laws
  ○ Complexity of a company’s cyber-ecosystem (multiple different vendors, different devices, different software)
  ○ Public and business NEED to rely on data integrity
● Corporate ‘cooking’ of the books has been around a long time and happens on electronic systems. In the past we failed to recognize that electronic systems also could be modified to represent false data (especially financial data)
● A number of examples of electronic system manipulation have occurred (Enron, EFCA, and others) – led to various acts (SOX, FCPA, and others)
● Section 404 of SOX is relevant to IT (discusses IT expectations)
● SOX insists on separation of financial advisors from auditors, and auditors can only audit the same client for five years in a row
● In electronic systems, software can be used to audit some aspects

Slide 3 – Senft & Gallegos Chapter 3
● Professional organizations (AICPA, ISACA, IIA, AGA) help guide audit expectations
● Generally accepted auditing standards (GAAS) and generally accepted accounting procedures (GAAP) must be followed
● GAAS includes:
  ○ General standards regarding competence, independence and due diligence
  ○ Fieldwork standards in planning and examination of evidence on which findings will be based
  ○ Reporting standards, which include appropriate disclosure, specifics on accepted auditing standards, and a clear summary of the audit
● 1974 was the first issue of an audit control (SAS 3) for electronic systems, followed by SAS 48 and now SAS 136, and includes:
  ○ How complex systems and services are
  ○ IT involvement in the business
  ○ Data availability
  ○ How much electronic systems are used in accounting efforts
  ○ Are there computer-assisted audit techniques (CAAT) to assist the audit
  ○ Need for IT knowledge (to audit)
  ○ Other considerations as noted
● NOTE: The auditor is responsible to look for errors or irregularities, BUT does not insure or guarantee the systems

Slide 4 – Senft & Gallegos Chapter 3
● The National Institute of Standards and Technology (NIST) issues standards for electronic systems. One such is Federal Information Processing Standards (FIPS) – applies to companies doing business with the U.S. federal government (NIST 800-53 & NIST 800-171)
● There are a number of control frameworks, such as Control Objectives for Information and Related Technology (COBIT), that IT organizations can use for compliance guidance
● Financial auditing goes back to 1933 & 1934, instituted by the SEC for publicly traded companies. Audits must be done by CPAs
● IT auditing and governance is needed:
  ○ Found issues with electronic systems in the past → decreased trust
  ○ Controls could be circumvented
  ○ Financial institutions suffered losses due to software changes
  ○ Data security was being compromised
  ○ Mobile hardware to access data from anywhere
  ○ Increasing amounts of data (needing more audit automation)
  ○ Ever increasing numbers of attackers

Slide 5 – Senft & Gallegos Chapter 3
● IT auditing requires many skills, from standard auditing skills through to specific IT skills such as:
  ○ IT security knowledge (including how to perform security tests)
  ○ Telecommunications
  ○ Knowledge of different vendor database types
  ○ How to assess a disaster recovery plan
  ○ IT system and services change control
● All formal auditors are professionals with designations (and must adhere to specific requirements, have high ethical standards, and be able to act independently to ensure objectivity)
● All of the above increases trust in their findings
● Training in IT auditing can be on the job and through in-company programs, through professional organization seminars, and in universities (usually on the job primarily)
● Must do continuous training (as with other professions)

Slide 6 – Senft & Gallegos Chapter 3
● IT auditors need IT knowledge and experience as well as auditing experience
● There are 11 skill areas suggested for IT auditors
● 8 technical areas are suggested for any program beyond a bachelor’s degree
● Communication and negotiation skills are needed
● Ability to learn from errors as experience grows
● IT auditors will: audit, may counsel (businesses on standards and controls), are likely to partner with senior management, be an investigator (including computer forensics)
● Forensics has become increasingly important with escalating attacks – to capture proof of malfeasance for prosecution of attackers
● Currently can expect there will be internal auditor(s) to assist companies with evaluation of IT systems and services
● As well, must have external auditors perform audits to confirm internal auditor findings (at arm’s length – objective)
● The many stories of corporate financial malfeasance have led to multiple laws which are enforced → need to confirm electronic systems and services comply with regulations and laws

Slide 7 – Kahn & Blair Chapter 16
● Key #5: Ensuring Compliance Through Auditing and Monitoring
● Auditing differs from monitoring in that monitoring is ongoing and proactive, while auditing is retrospective and often uses sampling
● Both auditing and monitoring help:
  ○ Catch issues before they become known to regulators, shareholders or others
  ○ Catch issues before they become so severe as to impact business
  ○ Increase trust in IT systems and services (measures compliance to policies and procedures)
  ○ Find security issues (including breaches) earlier, or even stop them (see the latest Verizon Data Breach Investigations Report)
● Auditing and monitoring may be required by law (such as HIPAA, NASD Conduct Rule 3010, and IRS Revenue Procedure 97-22)

Slide 8 – Kahn & Blair Chapter 16
● Audits can be expected to include:
  ○ Interviews of personnel (to confirm compliance with policies and procedures)
  ○ Review of written documentation, from policies and procedures to records of system and services status
  ○ Review of equipment configuration
  ○ May include review of physical equipment in place for security and how it is running
● Audit guidance is available from multiple sources
● Companies are expected to perform audits using internal resources AND on a regular basis have an external source perform an audit (for confirmation)
● Some laws and/or regulations require regular external audits of IMC systems and services (such as GDPR for the EU, and Sarbanes-Oxley)

Slide 9 – Kahn & Blair Chapter 16
● Software Licensing
  ○ Do not use any software without it being licensed – companies are increasingly pursuing those that do – perform license audits regularly
  ○ Need a software licensing policy from executive management
  ○ Monitor software to ensure it is not pirated or installed too many times
● Do monitor employee activity
  ○ We can monitor when, where, what employees do
  ○ There are HR considerations; however, if the policy is clear and well communicated there are very few issues
  ○ Monitoring employee activity often discovers intruders

Slide 10
● IT auditors are professionals focusing on IT system and services compliance
● Can be employed within a company or may be hired from another IT-experienced company
● Both IT system auditing and computer forensics are part of IT auditing
● Take Aways for Week 5
  ○ Multiple episodes of corporations ‘cooking the books’ have led to multiple laws governing corporate financial reporting, which involves corporate electronic systems
  ○ Monitoring and auditing are necessary and can be automated
  ○ Require ‘at arm’s length’ or external auditing on a regular basis for more sensitive systems and services, or due to legal requirements
  ○ Be sure to audit software licenses
  ○ Some employee monitoring is advisable

Explanation & Answer

Hello, your work is complete. Please have a look at it and let me know if you need any correction before you submit it.

Running head: DISCUSSION


Part 1: Risks posed by Configuration of NAT and VPN

Network Address Traversal's nature of operation comes with its own risks, especially with regard to configuration. Firstly, the NAT translations tend to configure various addresses of the source computer in order to protect them from external intrusion. Ideally, this should be a good security measure. However, this is not the case, because by changing the source computer addresses it breaks the authenticity and consequently raises data integrity questions. Therefore, the Network Address Traversal configuration causes serious data authenticity and integrity risks. Another huge configuration risk associated with Network Address Traversal configuration is its incompatibility with Internet Protocol Security (IPSec).

This is because NAT changes the source addresses while IPSec embeds the user's primary address. This consequently poses serious security problems with regard to data security and authenticity. Virtual Private Networks, on the other hand, come with huge security issues of their own. A virtual private network comes with proxies that basically forward private information without encrypting it, hence can be costly in t...
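The NAT-versus-IPsec conflict raised in the answer above, as an added example that is not part of the original post: a simplified AH-style integrity check that covers the source address no longer verifies once NAT rewrites that address, while an ESP-style check over the payload alone still does, which is why NAT-compatible VPN deployments rely on ESP (typically with UDP encapsulation). The key, addresses and packet layout are constructed and simplified; real AH covers more header fields than shown here.

```python
import hashlib
import hmac
import ipaddress

KEY = b"constructed-demo-key"  # constructed shared key between the two IPsec peers


def ah_icv(src: str, dst: str, payload: bytes) -> bytes:
    """AH-style ICV (simplified): the HMAC covers the immutable IP header
    fields (here the source and destination addresses) plus the payload."""
    header = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    return hmac.new(KEY, header + payload, hashlib.sha256).digest()


def esp_icv(payload: bytes) -> bytes:
    """ESP-style ICV (simplified): the HMAC covers only the protected payload,
    never the outer IP header, so header rewrites do not affect it."""
    return hmac.new(KEY, payload, hashlib.sha256).digest()


def nat_rewrite(pkt: dict, public_ip: str) -> dict:
    """Source NAT: the private source address is swapped for the gateway's
    single public address; nothing else in the packet changes."""
    return {**pkt, "src": public_ip}


def verify_ah(pkt: dict) -> bool:
    return hmac.compare_digest(pkt["icv"], ah_icv(pkt["src"], pkt["dst"], pkt["payload"]))


def verify_esp(pkt: dict) -> bool:
    return hmac.compare_digest(pkt["icv"], esp_icv(pkt["payload"]))


def nat_ipsec_demo() -> dict:
    """Protect one packet with AH and one with ESP, send both through NAT,
    and report which still verifies at the far end."""
    payload = b"constructed application data"
    # Constructed addresses: RFC 1918 private host, RFC 5737 test ranges for the public side.
    src, dst, public_ip = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    ah = {"src": src, "dst": dst, "payload": payload, "icv": ah_icv(src, dst, payload)}
    esp = {"src": src, "dst": dst, "payload": payload, "icv": esp_icv(payload)}
    return {
        "ah_before_nat": verify_ah(ah),                            # True
        "ah_after_nat": verify_ah(nat_rewrite(ah, public_ip)),     # False: NAT changed a covered field
        "esp_before_nat": verify_esp(esp),                         # True
        "esp_after_nat": verify_esp(nat_rewrite(esp, public_ip)),  # True: outer header is not covered
    }


if __name__ == "__main__":
    print(nat_ipsec_demo())
```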

