INFORMATION SECURITY
PROFESSIONAL CERTIFICATIONS
LEARNING OBJECTIVES
Distinguish between the U.S. DoD/military
8570.01 standard and the newer 8140 standard
Describe popular vendor-neutral professional
certifications
Identify popular vendor-specific professional
certifications
DOD DIRECTIVE 8570.01
"Information Assurance Training, Certification and Workforce Management"
Defines many training and certification requirements for DoD personnel and
contractors with respect to information security.
Gov IT Wiki (http://govitwiki.com/wiki/8570.01) - resource for additional
information; provides details about the specific certification requirements for
each job type.
Affects any DoD facility or contractor organization
DEFENSE INFORMATION SYSTEMS AGENCY
(DISA)
Agency arm of the U.S. Department of Defense that provides information
technology and communications support to the White House, Secretary of
Defense, and all military sectors that contribute to the defense of the United
States of America.
DISA is developing a new, operationally focused cybersecurity training
framework that will replace the previous 8570.01 standard.
The vision of this new cybersecurity training framework is to: "establish a
robust workforce training and certification program that will better prepare
DoD cyberwarriors to operate and defend our networks in an increasingly
threat-based environment."
U.S. DOD/MILITARY—8140 STANDARD
A "Training Strategy Roadmap" for role-based and crew certification will be provided.
Commercial certifications, which have long been relied on but are often too broad for military use, will be
adapted and tightened to better meet Defense Department needs.
DISA can produce focused, relevant qualifications and certifications for the cyberwarriors of the
United States.
Crew certification is a grouping of qualified role-based operators who obtain the desired effects
necessary to defend and operate in cyberspace.
A "Cyber Defense Academy" will qualify role-based individuals to work effectively as part of crews and
teams.
Joint Cyberspace Training & Certification Standard (JCT&CS) is the current baseline for work-role
definition.
The National Initiative for Cybersecurity Education (NICE) will be the baseline for federal and DoD
work-role definitions.
DOD INITIATIVES SUPPORTING 8140 STANDARD
DoD 8140 workforce requirements initiative (This will define the
requirements for the cybersecurity roles identified by the JCT&CS.)
Learning Management System selection by Office of the Under
Secretary of Defense for Personnel and Readiness (OSD P&R)
JCT&CS concept of operations (CONOPs) and Implementation Plan
Department of Homeland Security (DHS) and National Security Agency
(NSA) Centers of Academic Excellence
DISA Cyber Workforce Developments
JOINT CYBERSPACE TRAINING AND
CERTIFICATION STANDARDS
U.S. DOD/NSA TRAINING STANDARDS
The DoD and NSA have adopted several training standards to serve as a
pathway to satisfy Directive 8570.01.
These training standards include long lists of learning objectives for topics
related to specific job responsibilities.
They were developed by the Committee on National Security Systems (CNSS)
and the National Security Telecommunications and Information Systems Security
(NSTISS) Committee.
They provide guidance for course and professional certification vendors to
develop curriculum and materials that meet the DoD/NSA requirements.
U.S. DOD/NSA TRAINING STANDARDS
Some of the standards define different levels of expertise, such as entry,
intermediate, and advanced.
Others address general requirements targeted at a single level.
These training standards provide comprehensive descriptions of job
competencies.
They provide guidance for potential and existing InfoSec professionals.
Anyone who currently works in InfoSec or wants to work in the field can use
these standards to ensure they possess the necessary skills.
U.S. DOD/NSA TRAINING STANDARDS
NSTISS-4011: National Training Standard for Information Systems Security (INFOSEC)
CNSS-4012: National Information Assurance Training Standard for Senior System Managers
CNSS-4013: National Information Assurance Training Standard for System Administrators (SA)
CNSS-4014: Information Assurance Officer (IAO) Training
NSTISSC-4015: National Training Standard for System Certifiers
CNSS-4016: National Information Assurance Training Standard for Risk Analysts
VENDOR-NEUTRAL PROFESSIONAL
CERTIFICATIONS
A certification is an official statement that validates the fact that a person has satisfied specific
requirements.
A certification does not guarantee that a person is good at a specific job.
An organization that is empowered to state that an individual has met the certification's requirements
issues the certification.
Obtaining them is a standard way for security professionals to further their security education and
training.
Certifications show that a security professional has invested time, effort, and money into learning
more about security.
Many prospective employers consider security certifications as they screen job applicants.
True security expertise involves more than just holding a certification.
QUESTION
How have government programs and standards for information
security influenced the information security profession? Does
government still have the same influence that it once did?
VENDOR-NEUTRAL PROFESSIONAL
CERTIFICATIONS
Certifications target specific areas of knowledge and expertise.
There is at least one certification for most security-related job
functions and expertise levels.
The first type of certification is the vendor-neutral certification,
which covers concepts and topics that are general in nature
and does not focus on a specific product or product line.
(ISC)2
International Information Systems Security Certification
Consortium, Inc. (ISC)2
One of the most respected global certification
organizations.
Not-for-profit organization that focuses on educating and
certifying security professionals from all experience levels.
(ISC)2 CREDENTIALS
SSCP
Systems Security Certified Practitioner
Enables security practitioners to demonstrate their level of competence.
Covers the seven domains of best practices for information security published in the SSCP Common Body of
Knowledge (CBK).
Ideal for those who are working toward or already hold positions as senior network security engineers, senior security
systems analysts, or senior security administrators.
CISSP
Certified Information Systems Security Professional
Was the first ANSI/ISO-accredited credential in the field of information security.
Provides information security professionals with an objective measure of competence and a globally recognized
standard of achievement.
Demonstrates competence in the 10 domains of the (ISC)2 CISSP CBK.
Targets middle and senior-level managers who are working toward or already hold positions as chief information
security officers (CISOs), chief security officers (CSOs), or senior security engineers.
(ISC)2 CREDENTIALS
CAP
Certified Authorization Professional
Provides a method to measure the knowledge and skills necessary for professionals involved in the process of
authorizing and maintaining information systems.
Targets personnel responsible for developing and implementing processes used to assess risk and for establishing
security requirements.
Professionals seeking the CAP credential could include authorization officials, system owners, information owners,
information security officers, and certifiers.
This credential is appropriate for both private-sector and U.S. government personnel.
CSSLP
Certified Secure Software Lifecycle Professional
One of the few credentials that address developing secure software.
Evaluates professionals for the knowledge and skills necessary to develop and deploy secure applications.
Appropriate for software developers, software architects, and anyone involved in the software development and
deployment process.
(ISC)2 CREDENTIALS
ISSAP®
Requires a candidate to demonstrate two years of professional experience in the area of
architecture and is an appropriate credential for chief security architects and analysts, who may
typically work as independent consultants or in similar capacities.
ISSEP®
Developed in conjunction with the NSA, providing an invaluable tool for any systems security
engineering professional.
Road map for incorporating security into projects, applications, business processes, and all
information systems.
ISSMP®
Requires that a candidate demonstrate two years of professional experience in the area of
enterprise-wide security operations and management.
Contains deeper managerial elements such as project management, risk management, setting up and
delivering a security awareness program, and managing a business continuity planning program.
GIAC/SANS INSTITUTE
Background
Global organization that is ANSI accredited.
Global Information Assurance Certification (GIAC)
Credentials
Over 20 individual credentials spanning several information security job disciplines:
Audit
Forensics
Legal
Management
Security administration
Software security
GIAC/SANS INSTITUTE
SANS Institute
Close relationship with GIAC
Provides specific training that prepares students for each of the GIAC
credentials.
Technical papers
Anyone who holds a GIAC credential can submit a technical paper that
covers an important area of information security.
An accepted technical paper adds the Gold credential to the base GIAC
credential.
GIAC Security Expert (GSE)
Requirements include holding three GIAC credentials (with two of the
credentials being Gold), passing a GSE exam, and completing an intensive
two-day hands-on lab. The GSE represents the highest-level credential
within GIAC.
GIAC CREDENTIALS
CERTIFIED INTERNET WEBMASTER (CIW)
Background
Offers several credentials that focus on both
general and Web-related security.
Advanced credentials require a combination
of passing an exam and holding at least one
recognized credential from another vendor.
Uses this blended approach to encourage a
breadth of security knowledge and skills.
Credentials List
CIW Web Security Associate
CIW Web Security Specialist
CIW Web Security Professional
Credentials from other vendors that satisfy the requirements for
the CIW Web Security Specialist and CIW Web Security
Professional credentials:
(ISC)2 SSCP or CISSP
Various GIAC credentials, such as GSE,
GCFW, GCIH, and so on.
CompTIA Security+
Several vendor-specific credentials
COMPTIA
Administers a testing process to validate knowledge
within specific IT support functions.
The Security+ certification has become the entry-level
information security certification of choice for IT
professionals who want to pursue further work and
knowledge in this area.
INFOTEC SECURITY CERTIFIED PROGRAM (SCP)
Security Certified Network Specialist (SCNS)
A credential for IT professionals entering the network security environment.
Foundational credential that covers important knowledge and skills necessary for solid network security.
Security Certified Network Professional (SCNP)
An intermediate credential for experienced network security professionals.
Covers prevention techniques, risk analysis, and security policy to address a complete network security
environment.
Security Certified Network Architect (SCNA)
A credential primarily targeted for IT managers and advanced IT security professionals.
Focuses on more than just the technical aspects of security.
It tackles management and environmental issues such as legal, forensics, organization security policy, and
security architecture.
INFORMATION SYSTEMS AUDIT AND CONTROL
ASSOCIATION (ISACA)
Certified Information Security Manager (CISM)
The CISM certification program is a credential for experienced information security professionals who are involved in security
management.
It provides a way to measure the knowledge and skills necessary to design, implement, and manage enterprise security programs.
Certified Information Systems Auditor (CISA)
The CISA certification program targets information systems audit, control, and security professionals.
It defines and promotes the skills and practices that are the building blocks of success in the IT audit and control field.
Certified in the Governance of Enterprise IT (CGEIT)
The CGEIT is a new ISACA certification program. It targets security professionals who ensure their organization satisfies IT
governance requirements.
The CGEIT bases its requirements on the ISACA and the IT Governance Institute's (ITGI's) audit and control guidelines, which come
from global subject-matter experts.
Certified in Risk and Information Systems Control (CRISC)
The CRISC certification applies to a wide range of security professionals.
This certification focuses on the knowledge and skills required to design, deploy, monitor, and manage security controls to address
risk. CRISC addresses all risk-management areas, including identification, assessment, response, and monitoring.
OTHER PROFESSIONAL CERTIFICATIONS
International Council of E-Commerce Consultants (EC-Council)
Certified Ethical Hacker (CEH)
Computer Hacking Forensic Investigator (CHFI)
EC-Council Certified Security Analyst (ECSA)/Licensed Penetration Tester (LPT)
Software Engineering Institute (SEI), Carnegie Mellon University
CERT—Certified Computer Security Incident Handler
SEI—Authorized CERT Instructor
High Tech Crime Network
Certified Computer Crime Investigator (Basic, Advanced)
Certified Computer Forensic Technician (Basic, Advanced)
OTHER PROFESSIONAL CERTIFICATIONS
Mile 2
Certified Wireless Network Professional
International Society of Forensic Computer Examiners Certified Computer Examiner (CCE)
CyberSecurity Institute - CyberSecurity Forensic Analyst (CSFA)
VENDOR-SPECIFIC PROFESSIONAL
CERTIFICATIONS
Vendor-specific certifications help identify professionals who
possess in-depth product knowledge.
Holding a certification for a specific vendor does not
guarantee competence, but it does imply it.
If an applicant meets the requirements for a certification, it
means he or she has a certain level of knowledge and skills.
CISCO SYSTEMS
Levels of certification: Entry, Associate, Professional, Expert, Architect
Certification paths: Design, Security, Voice, Wireless, Routing and switching, Service provider operations
CISCO CERTIFICATIONS
Entry
Cisco Certified Entry Networking Technician (CCENT)
Cisco Certified Technician (CCT)
Associate
Cisco Certified Design Associate (CCDA)
Cisco Certified Network Associate (CCNA) Data Center
Cisco Certified Network Associate (CCNA) Routing and Switching
Cisco Certified Network Associate (CCNA) Security
Cisco Certified Network Associate (CCNA) Service Provider
Cisco Certified Network Associate (CCNA) Service Provider Operations
Cisco Certified Network Associate (CCNA) Video
Cisco Certified Network Associate (CCNA) Voice
Cisco Certified Network Associate (CCNA) Wireless
CISCO CERTIFICATIONS
Professional
Cisco Certified Design Professional (CCDP)
Cisco Certified Network Professional (CCNP)
Cisco Certified Network Professional (CCNP) Data Center
Cisco Certified Network Professional (CCNP) Security
Cisco Certified Network Professional (CCNP) Service Provider
Cisco Certified Network Professional (CCNP) Service Provider Operations
Cisco Certified Network Professional (CCNP) Voice
Cisco Certified Network Professional (CCNP) Wireless
CISCO CERTIFICATIONS
Expert
Cisco Certified Design Expert (CCDE)
Cisco Certified Internetwork Expert (CCIE) Data Center
Cisco Certified Internetwork Expert (CCIE) Routing and Switching
Cisco Certified Internetwork Expert (CCIE) Security
Cisco Certified Internetwork Expert (CCIE) Service Provider
Cisco Certified Internetwork Expert (CCIE) Service Provider Operations
Cisco Certified Internetwork Expert (CCIE) Voice
Cisco Certified Internetwork Expert (CCIE) Wireless
Architect
Cisco Certified Architect (CCAr)
JUNIPER NETWORKS CERTIFICATION LEVELS
AND TRACKS
RSA
RSA is a global provider of security, risk, and compliance solutions for enterprise environments.
SYMANTEC
Symantec Certified Specialist (SCS)
Administration of Veritas Storage Foundation 6.0 for UNIX
Administration of Veritas Cluster Server 6.0 for UNIX
Administration of Symantec NetBackup 7.5 for UNIX
Administration of Symantec Enterprise Vault 10.0 for Exchange
Administration of Symantec Endpoint Protection 12.1
Administration of Symantec Backup Exec 2012
Administration of Veritas Storage Foundation and High Availability Solutions 6.0 for Windows
Administration of Symantec NetBackup 7.5 for Windows
Administration of Symantec Client Management Suite 7.1 / 7.x
Administration of Symantec Management Platform 7.1
Administration of Symantec Clearwell eDiscovery Platform 7.x
Administration of Symantec Data Loss Prevention 11.5
Administration of Symantec Network Access Control 12.1
Symantec Certified Professional (SCP)
CHECKPOINT
Associate
Check Point Certified Security Principles Associate (CCSPA)
Administrator
Check Point Certified Security Administrator (CCSA)
Checkpoint Endpoint Administrator (CCEPA)
Expert
Check Point Certified Security Expert (CCSE)
Check Point Certified Managed Security Expert (CCMSE)
Check Point Certified Endpoint Expert (CCEPE)
Master
Check Point Certified Master Architect (CCMA)
ADDITIONAL INFORMATION SYSTEMS SECURITY
CERTIFICATIONS
QUESTION
What do you feel is the value of certifications? Should
everyone pursue a certification? Why or why not?
DISCUSSION
U.S. COMPLIANCE LAWS
GOALS
Explain what compliance is and how it's related to information security.
Describe the main features of the:
Federal Information Security Management Act
Health Insurance Portability and Accountability Act
Gramm-Leach-Bliley Act
Sarbanes-Oxley Act
Family Educational Rights and Privacy Act
Children's Internet Protection Act
COMPLIANCE IS THE LAW
Organizations:
Use and store a lot of data.
Use information as one of their most important assets.
Use information to conduct business.
Use large and complex databases to keep track of customer product preferences.
Use the same information technology (IT) systems to manage the products and services that they offer customers.
Transfer data to other businesses.
Sensitive data:
Data is often collected that can be used to identify a person.
This data is called personally identifiable information (PII).
PERSONALLY IDENTIFIABLE INFORMATION (PII)
First, middle, and last name
Home mailing address
Social Security numbers
Driver's license numbers
Financial account data, such as account numbers or personal identification numbers (PINs)
Health data and biometric data
Authentication credentials, such as logon or usernames and passwords
PERSONALLY IDENTIFIABLE INFORMATION (PII)
Organizations sometimes don't do a very good job of
protecting PII.
They might lose the data in a security breach.
They also could use it in ways their customers and clients
don't approve.
When organizations don't voluntarily protect PII,
governments create laws that force them to.
Once the laws are enacted, these organizations must follow
them.
COMPLIANCE
Compliance is:
An important legal concept.
The act of following laws, rules, and regulations that apply to your organization.
Not only following laws and regulations, but also interpreting them so policies and procedures can be defined.
Organizations must:
Document policies, standards, procedures, or guidelines as part of their compliance activities.
Be able to prove they are compliant in case of a lawsuit or litigation.
COMPLIANCE
Organizations under a compliance law should do the following:
Review the compliance law and its requirements.
Assign a designated compliance officer or individual responsible and
accountable for your organization's compliance.
Create policies, standards, procedures, and guidelines to comply with
legal and regulatory requirements.
Identify your organization's gaps in compliance and prioritize the gap
remediation.
Implement proper security controls and countermeasures throughout
your IT infrastructure in support of the compliance law's requirements.
Create and deliver annual security awareness training that educates
employees about the organization's legal requirements for compliance.
COMPLIANCE
Not only includes the actual state of being compliant, but it also
includes the steps and processes taken to become compliant.
Compliance usually asks the questions: What are the rules? How
must the rules be followed?
If an organization fails to meet its obligations, it can be subject to
penalties.
An organization must be able to prove that it's complying with laws
every day. It does this by implementing policies, standards,
procedures, and guidelines.
COMPLIANCE
A comprehensive data protection law doesn't exist in the U.S.
Many laws focus on different types of data found in different industries.
These laws contain privacy and information security concepts.
They also focus on how that data is used.
A number of federal agencies regulate compliance with these types of laws.
PRIVACY
Information security and privacy are closely related.
Privacy: A person's right to control the use and disclosure of his or her own personal information.
It means that people have the opportunity to assess a situation and determine how their data is used.
Most federal data protection laws contain both privacy and information security requirements.
Information security: The process used to keep data private.
Security is the process; privacy is a result.
PRIVACY
Privacy is a simple term that describes a number of different but related concepts.
Privacy means that a person:
Has control of his or her personal data and can decide how his or her data can be collected, used, and shared.
This is accomplished via an organization's Privacy Policy statement.
Gets to decide how to share his or her personal data with third parties.
Individuals are provided with an "Opt-In" or "Opt-Out" option regarding the organization's use of their privacy data.
PRIVACY
Belief that the government's power to interfere in the
privacy of its citizens is limited.
This means that people and their information must be free
from unreasonable government intrusion.
The government must not investigate people or their
personal information without a good reason.
Courts spend a lot of time defining the reasons to allow
governments to investigate their citizens.
This is a core privacy concept for most Americans.
QUESTION
How do you feel that privacy and security are related? How
are they different?
INFORMATION SYSTEMS SECURITY
Is about ensuring the confidentiality, integrity, and availability of IT
infrastructures and the systems they comprise.
Information security is about maintaining the confidentiality of data.
Data can be business data or customer privacy data.
Data encryption can secure the data. Role-based access controls can
keep the data private.
Systems grant access to data based on the role that employee has.
By implementing security controls, privacy of data can be achieved
within an organization.
LAWS FOR INFORMATION SECURITY
COMPLIANCE
The United States doesn't have one single data protection law; instead, many laws at the federal and state
levels focus on different types of data.
It's not practical to have separate information security programs for each law an organization must
follow. An organization's information security program must be comprehensive and able to accommodate a
general response to many laws.
Systems security professionals must understand what each law has in common
from an information security standpoint.
All of the federal data protection laws have some elements of confidentiality, integrity, and availability (C-I-A).
LAWS THAT INFLUENCE INFORMATION
SECURITY
Law | Information covered | Regulating agency
Children's Internet Protection Act | Internet access in certain schools and libraries | FTC
Family Educational Rights and Privacy Act | Student educational records | U.S. Department of Education
Federal Information Security Management Act | Federal information systems | Office of Management and Budget
Gramm-Leach-Bliley Act | Consumer financial information | FTC
Health Insurance Portability and Accountability Act | Protected health information | Department of Health and Human Services
Sarbanes-Oxley Act | Corporate financial information | Securities and Exchange Commission
COMPLIANCE IS THE LAW
Security professionals must be familiar with the compliance laws.
Your job is not to understand the legal implications of the law but
rather know how that law impacts your organization and what you
must do from an IT security perspective.
As an information systems security professional, you will be
responsible for working with your organization's legal counsel,
executive management, and IT organizations.
Your key responsibility is to help bridge the gap between the
compliance law's requirements and your organization's
implementation of security controls to achieve compliance.
FEDERAL INFORMATION SECURITY
MANAGEMENT ACT
The federal government is the largest creator and user of information in
the United States.
Government IT systems hold data that's critical for government
operations.
They contain data that's important for running the business of the
federal government.
They also hold sensitive military data.
These systems also hold personal information about U.S. citizens.
Federal IT systems and the data in them are attractive criminal targets.
FEDERAL INFORMATION SECURITY
MANAGEMENT ACT
Created by Congress in 2002 - partly in response to the September 11,
2001, terrorist attacks.
The attacks stressed the need for better information security in the
federal government.
After the attacks, the government realized that computer security for
federal IT systems wasn't what it should be.
FISMA changed the government's approach to information security.
It superseded most of the federal government's previous computer
security laws.
It's now the main law that defines how federal agencies must secure
their IT systems.
FEDERAL INFORMATION SECURITY
MANAGEMENT ACT
Applies to federal agencies and their IT systems.
Federal agencies fall under the executive branch of the U.S. government.
The Office of Management and Budget (OMB) is responsible for FISMA
compliance.
FISMA defines information security as protecting federal agency IT systems
to provide confidentiality, integrity, and availability.
Agencies must protect their IT systems (and data in those systems) from
unauthorized use, access, disruption, modification, and destruction.
FEDERAL INFORMATION SECURITY
MANAGEMENT
ACT
FISMA requires each federal agency to create an agency-wide information security program that includes:
Risk assessments
Agencies must perform risk assessments.
They must measure the harm that could result from unauthorized access to or use of their
IT systems.
Agencies must base their information security programs on the results of these risk
assessments.
Annual inventory
Agencies must inventory their IT systems.
They must update it each year.
Policies and procedures
Agencies must create policies and procedures to reduce risk to an acceptable level.
The policies must protect IT systems throughout their life cycles.
Agencies also must create configuration management policies.
FEDERAL INFORMATION SECURITY
MANAGEMENT
ACT
FISMA requires each federal agency to create an agency-wide information security program that includes:
Subordinate plans
Agencies must make sure they have plans for securing networks, facilities, and systems or
groups of IT systems.
These plans are for technologies or system components that are a part of the larger
information security program.
Security awareness training
Agencies must give training to employees and any other users of their IT systems, including
contractors.
This training must make people aware of risks to the agency's IT systems.
It also must make them aware of their duties to protect these systems.
Testing and evaluation
Agencies must test their security controls at least once a year.
They must test management, operational, and technical controls for each IT system.
FEDERAL INFORMATION SECURITY
MANAGEMENT
ACT
FISMA requires each federal agency to create an agency-wide information security program that includes:
Remedial actions
Agencies must have a plan to fix weaknesses in their information security program.
Incident response
Agencies must have an incident response procedure.
They must state how the agency detects and resolves incidents.
Agencies also must report incidents to the Department of Homeland Security (DHS).
Continuity of operations
Agencies must have business continuity plans as part of their information security
programs.
FEDERAL INFORMATION SECURITY
MANAGEMENT
ACT
FISMA requires each federal agency to create an agency-wide information security program that includes:
Agencies must name a senior official in
charge of information security.
In most cases, this is the chief information
security officer (CISO).
These officials must be information security
professionals with security experience.
FEDERAL INFORMATION SECURITY
MANAGEMENT
ACT
FISMA requires each federal agency to create an agency-wide information security program that includes:
An agency's information security program applies to any other
organization that uses the agency's IT systems or data.
An agency must protect the IT systems that support its operations.
It must protect them even if another agency or contractor owns the IT
systems.
This can broaden the scope of FISMA beyond a federal agency.
This is important because IT systems and functions are often
outsourced.
Systems security professionals must know if any of their organization's
IT systems use or process information belonging to federal agencies.
FEDERAL INFORMATION SECURITY
MANAGEMENT
ACT
FISMA requires each federal agency to create an agency-wide information security program that includes:
One of the most important parts of a FISMA information
security program is that agencies test and evaluate it.
FISMA requires agencies to test their IT systems at least
yearly.
They must test IT systems with greater risk more often.
Agencies also must review the information security
controls on these systems.
FEDERAL INFORMATION SECURITY
MANAGEMENT
ACT
FISMA requires each federal agency to create an agency-wide information security program that includes:
Each agency must report yearly to the OMB on its FISMA
compliance work.
The report must review the agency's information security
program.
It also must assess the agency's progress on fixing any
weaknesses in the program or security controls.
An agency must send a copy to certain congressional
committees and other federal agencies.
The FISMA yearly reporting process is time consuming.
NATIONAL INSTITUTE OF STANDARDS AND
TECHNOLOGY (NIST)
FISMA requires the U.S. Department of Commerce to create information
security standards and guidelines; this responsibility has been
delegated to NIST.
NIST creates guidance that all federal agencies use for their
information security programs.
NATIONAL INSTITUTE OF STANDARDS AND
TECHNOLOGY (NIST)
Federal Information Processing Standards (FIPSs) are standards:
Agencies use them to classify their data and IT systems.
They state mandatory actions that an organization must take to protect its IT systems.
Special Publications (SPs) are guidelines:
They define minimum information security controls for IT systems.
They state recommended actions that an organization should follow.
UNITED STATES COMPUTER EMERGENCY
READINESS TEAM (US-CERT)
Under FISMA, the government must have a
federal incident response (IR) center.
In 2003, the Department of Homeland Security
was given the responsibility to run a federal IR
center.
The DHS center is called the United States
Computer Emergency Readiness Team, or US-CERT.
UNITED STATES COMPUTER EMERGENCY
READINESS TEAM (US-CERT)
Under FISMA, all federal agencies must report security incidents to the US-CERT.
This includes incidents involving national security systems.
An incident is a violation of computer security policies or practices.
It also includes an imminent threat of violation of these policies or practices.
The government has six incident response categories.
Agencies must report incidents within certain time periods.
The reporting period depends upon the incident category.
NIST RISK MANAGEMENT FRAMEWORK (RMF)
NIST recommends using a risk management framework (RMF)
approach for FISMA compliance.
Government agencies that organize and prioritize risk can adopt
an information systems security program to mitigate that risk.
NIST's RMF recommends a continuous process of categorization
and assessment.
It also requires continuous monitoring.
RISK MANAGEMENT FRAMEWORK (RMF)
PROCESS
NIST RISK MANAGEMENT FRAMEWORK (RMF)
Categorize information systems
  An agency must sort its IT systems based on risk.
Select the minimum security controls
  An agency must select controls for its IT systems based on their risk category.
Implement security controls in IT systems
  An agency must apply controls in certain areas that are specified by NIST.
  Included in these areas are access control, contingency planning, and incident response.
Assess security controls for effectiveness
  An agency must assess its controls on a continuous basis to make sure that they're effective in reducing risk.
Authorize the IT system for processing
  An agency must test its IT systems and approve their operation.
  An agency specifically must accept the risks of operation prior to allowing a system to operate.
  This process used to be known in FISMA terminology as "certification and accreditation."
Continuously monitor security controls
  An agency must monitor its security controls continuously to make sure they're effective. They also must document
  any changes to their IT systems. They must assess changes for new risks.
NATIONAL SECURITY SYSTEMS
National Security Systems (NSS)
  FISMA requires federal agencies to secure national security
  systems (NSSs) using a risk-based approach.
  These systems must be specially protected due to their
  national security significance.
  NSSs are systems involving:
    Intelligence activities
    National defense
    Foreign policy
    Military activities
Committee on National Security Systems (CNSS)
  The CNSS oversees FISMA activities.
  Federal agencies with national security systems must follow
  CNSS policies, which use a six-step process for protecting
  these systems.
  This process is the same as the NIST RMF. NIST and the
  CNSS worked together to create them.
OFFICE OF MANAGEMENT AND BUDGET (OMB)
The OMB is responsible for making sure that federal agencies meet
their FISMA obligations.
It has broad powers. It can withhold funding from agencies that fail
to follow the law.
The OMB shares some oversight responsibility with other agencies.
The responsibility is shared for NSSs. The DoD has FISMA
responsibility for NSSs that hold military data. The CIA has
responsibility for NSSs with intelligence data
QUESTION
Do you think that the federal government takes as much time
and interest in securing its own data as it does establishing
rules for other industries? What are some of the basic
requirements that federal agencies have to secure their data?
HEALTH INSURANCE PORTABILITY AND
ACCOUNTABILITY ACT
Most people consider their health information to be among the most sensitive types of personal
information - full of private details.
People share this information with health care providers to receive treatment.
Their medical records include details on illness diagnoses, lab results, and treatment options.
These records also contain details about lifestyle, chronic conditions, or mental health counseling.
People fear they will be embarrassed if their health data isn't kept secret.
Some people may even fear for their lives if particularly intimate facts, such as reasons for health
counseling, are disclosed.
Other people may fear that insurance companies or employers could reject them because of
information in their health records.
People often feel that they have little control over how their health information is shared and
protected
HEALTH INSURANCE PORTABILITY AND
ACCOUNTABILITY ACT
Congress passed the Health Insurance Portability and
Accountability Act (HIPAA) in 1996.
It was amended in 2009 by the Health Information Technology
for Economic and Clinical Health (HITECH) Act.
HIPAA is best known for its data protection rules, which address the
security and privacy of personally identifiable health information.
Oversight is by the Department of Health and Human
Services/Office for Civil Rights
PROTECTED HEALTH INFORMATION (PHI)
HIPAA applies to PHI - any individually identifiable information about a
person's health.
It includes mental and physical health data.
PHI includes past, present, or future information
It also includes information about paying for health care.
PHI can be in any form.
It's commonly considered to be all information that is put in a person's medical
record including medical notes, billing information, and insurance data
HIPAA APPLICABILITY
Covered Entity
  Covered entities may only use PHI in certain ways.
  Covered entities are:
    Health plans
    Health care clearinghouses
    Any health care provider that transmits PHI in an electronic form
Business Associates
  HIPAA also applies to the business associates of covered entities.
  A business associate is an organization that performs a health care activity for a
  covered entity.
  Covered entities may outsource some health care functions, such as claims and
  billing, to these organizations.
  They must comply with HIPAA. Under the HITECH Act, HHS may directly require
  business associates to comply with HIPAA.
HITECH ACT
Enacted as part of the American Recovery and Reinvestment Act of
2009
Designed to promote the widespread adoption and standardization
of health information technology.
Providers that adopted electronic health record (EHR) systems can
apply for meaningful use incentives to help pay for transition to EHR
platforms.
Participation in federally funded programs such as meaningful use
requires providers to maintain HIPAA security and privacy rule
compliance.
HIPAA PRIVACY RULE
Determines how covered entities must
protect the privacy of PHI.
Published in December 2000; compliance
required in April 2003
First time the U.S. government has specified
federal privacy protections for PHI
HIPAA PRIVACY RULE
Covered entities may not “use” or
“disclose” a person's PHI without
his or her written consent.
“Use”
  Refers to how a covered entity
  shares or handles PHI within
  its organization.
“Disclosure”
  Refers to how a covered entity
  shares PHI with other
  organizations that may not be
  affiliated with it.
HIPAA PRIVACY RULE EXCEPTIONS
Treatment, Payment, Healthcare Operations
  Main permitted use and disclosure of PHI under the Privacy
  Rule.
  Allow a covered entity to share a person's PHI
  without a person's written consent.
  Common covered entity activities. Requiring a person's
  written consent to complete these functions would be
  inefficient.
  A covered entity doesn't need a person's written consent to
  share PHI for this purpose because it's assumed that most
  people want their health care providers to use their PHI to
  provide medical treatment.
Other exceptions
  There are other times a covered entity may
  disclose PHI without consent, such as reporting
  victims of child abuse and neglect.
  The rules for disclosing PHI without consent are
  complicated.
  Covered entities must analyze the rules carefully
  to make sure that they follow them.
HIPAA PRIVACY RULE – MINIMUM NECESSARY
Even if a covered entity is allowed to use or disclose PHI without
written consent, it must follow the minimum necessary rule
A covered entity may disclose the amount of PHI necessary to
satisfy the reason why the information is being used or disclosed,
but no more.
A covered entity must use its professional judgment and make
reasonable efforts to limit its use or disclosure.
A health care provider shouldn't disclose a person's entire medical
record if only a portion of it is needed to respond to a request
HIPAA PRIVACY RULE – PRIVACY NOTICE
A covered entity must inform people about how it uses and
discloses PHI using a privacy notice.
The covered entity must only use and disclose PHI in the
ways described by this notice.
The Privacy Rule has many requirements for how these
notices must be written.
The most important requirement is that a covered entity
use plain language to draft its notice.
An average person must be able to understand it
HIPAA BREACH NOTIFICATION RULE
Under HIPAA, a breach is any impermissible use or disclosure of unsecured PHI
that harms its security or privacy.
The use or disclosure must cause a significant risk of harm to the affected person.
The harm can be financial or reputational
The Privacy Rule requires covered entities to mitigate an unauthorized use or
disclosure of PHI
Prior to the HITECH Act, a covered entity didn't have to notify people if their PHI
was used or disclosed in an unauthorized manner.
The HITECH Act now requires them to do so. It creates notification requirements
that covered entities must follow in the event of a breach of unsecured PHI
PHI must be encrypted through an HHS-approved process to be considered secure
HIPAA BREACH NOTIFICATION RULE
Both covered entities and business associates must follow the breach notification rules.
If a covered entity has a breach of unsecured PHI, it must notify the victims within 60 days of the discovery.
A breach is "discovered" on the first day that the covered entity knows about it.
Individuals must be notified without "unreasonable delay."
A covered entity may delay notification if a law enforcement official requests it.
HIPAA has many rules for how notice of a breach must be given.
Under the breach notification rules, business associates also are required to notify covered entities
following their discovery of a breach of unsecured PHI.
The business associate must tell the covered entity no later than 60 days after it discovers the breach.
It must help the covered entity notify victims.
HIPAA SECURITY RULE
The Security Rule requires covered entities to:
  Protect the confidentiality, integrity, and availability of electronic PHI that they
  create, receive, maintain or transmit.
  Use security safeguards to protect electronic protected health information (EPHI).
  Protect EPHI from reasonably anticipated threats.
  Guard PHI from uses or disclosures that aren't allowed by the Privacy Rule.
The Security Rule was the first time the federal government addressed security
safeguards for electronic PHI.
HIPAA SECURITY RULE
Information Security Programs
  Requires covered entities to create an
  information security program.
  They have flexibility in creating these programs.
  They don't have to use specific types of security
  technology.
  An information security safeguard is also called
  an information security control.
A covered entity must consider:
  Its size and complexity
  Its technical infrastructure, hardware,
  and software security resources
  The costs of security measures
  The potential risks to EPHI
HIPAA SECURITY RULE
Safeguards and Specifications
  Requires covered entities to use
  information security principles to
  protect EPHI.
  Must use administrative, physical,
  and technical safeguards.
“Required” specifications
  Covered entities must implement them.
“Addressable” specifications
  Covered entities have discretion in
  implementing addressable specifications.
  For addressable specifications, the entity must
  assess whether the control is reasonable and
  appropriate in its environment.
  If it is, then the covered entity must use it. If it
  isn't, the covered entity doesn't have to use it.
HIPAA SECURITY RULE - SAFEGUARDS
Administrative
Actions, policies, and procedures that a covered entity must
implement to follow the Security Rule.
Physical
Controls put in place to protect a covered entity's physical
resources.
They protect information systems, equipment, and buildings
from environmental threats.
Technical
Applied in the hardware and software of an information
system
SECURITY RULE ADMINISTRATIVE SAFEGUARDS
SECURITY RULE PHYSICAL SAFEGUARDS
SECURITY RULE TECHNICAL SAFEGUARDS
HIPAA - OVERSIGHT
HHS/Office for Civil Rights
  Enforces both rules against covered
  entities and against business associates.
  Investigates and responds to complaints
  from people who claim that a covered
  entity has violated HIPAA.
  Can levy fines on a covered entity that is
  in violation of HIPAA security or privacy
  rule compliance.
HIPAA - PENALTIES
Tier A
  For violations in which the offender didn't realize he or she violated the act and
  would have handled the matter differently if he or she had.
  This results in a $100 fine for each violation, and the total imposed for such
  violations cannot exceed $25,000 for the calendar year.
Tier B
  For violations due to reasonable cause, but not "willful neglect."
  The result is a $1,000 fine for each violation, and the fines cannot exceed $100,000
  for the calendar year.
Tier C
  For violations due to willful neglect that the organization ultimately corrected.
  The result is a $10,000 fine for each violation, and the fines cannot exceed $250,000
  for the calendar year.
Tier D
  For violations of willful neglect that the organization did not correct.
  The result is a $50,000 fine for each violation, and the fines cannot exceed
  $1,500,000 for the calendar year.
HIPAA - OMNIBUS
Released in 2013 as an update to HIPAA and HITECH.
Modifications to
  Standards for reporting breaches of unsecured personal health information (PHI)
  Requirements for business associate agreements
Limitations on
  The sale of PHI
  And clarifications concerning the use and disclosure of PHI for marketing
Other
  Relaxation of certain limitations on the use of PHI for fundraising
  Removal of limitations on the liability of covered entities for the acts and omissions of business associates
  Improvement to the regulations concerning authorizations for the use or disclosure of PHI for research
  Extension of HHS enforcement authority over business associates
  Expansion of the definition of the term business associate to include Health Information Organizations, E-prescribing Gateways, entities that provide
  data transmission services for PHI and which require routine access to such PHI, and personal health record vendors
  New obligations for business associates to enter into business associate agreements with their own subcontractors
  Changes to the requirements for notices of privacy practices
GRAMM-LEACH-BLILEY ACT (FINANCIAL
SERVICES MODERNIZATION ACT OF 1999)
Addresses the privacy and security of consumer financial information.
Purpose was to allow banks, securities, and insurance companies to
merge
After GLBA, these new, larger corporations would have access to large
amounts of consumer financial information and people feared that their
privacy would suffer – GLBA included privacy and security protections
The Federal Trade Commission tracks consumer complaints for
identity theft, fraud, and other consumer-related scams like Ponzi
schemes in the "Consumer Sentinel Network Data Book"
GRAMM-LEACH-BLILEY ACT
Consumer financial information (CFI)
  Personally identifiable information.
  Information that a person provides to a vendor to get a good or
  service.
  Customers can provide it to get services from banks or other
  financial institutions, which use this data to provide home or car
  loans, credit cards, or to open checking accounts.
  Consumers demand that their financial institutions protect it.
GLBA
Because of their vulnerability to fraud, financial institutions
must follow GLBA privacy and security rules to help mitigate
data breaches and identity theft.
Any financial transaction, such as borrowing, lending, credit
counseling, debt collection, or similar activities, requires
special attention when maintaining privacy of consumer data.
GLBA applies to consumer financial activities only. They're
transactions made for personal, family, or household services.
GLBA doesn't apply to business transactions.
GLBA
GLBA requires financial institutions to protect consumers'
nonpublic financial information.
Nonpublic personal information (NPI) is personally
identifiable financial information that a consumer gives to a
financial institution.
NPI also includes PII that an institution gets from sources
other than a consumer.
NPI can be in paper or electronic form.
NPI includes:
  Social Security number
  Financial account numbers
  Credit card numbers
  Date of birth
  Name, address, and phone numbers when collected
  with financial data
  Details of any transactions or the fact that an
  individual is a customer of a financial institution
GLBA OVERSIGHT
Different federal agencies have GLBA oversight
responsibilities which makes compliance difficult
Their responsibilities are based on the type of financial
institution under review
The agencies that oversee GLBA compliance may take action
against the financial institution that they regulate.
Institutions that violate GLBA can be subject to
both criminal and civil penalties.
GLBA OVERSIGHT
Securities and Exchange Commission (SEC)
  Oversees securities brokers and dealers
Federal Reserve System (the Fed)
  Oversees state-chartered member banks and bank holding companies
Federal Deposit Insurance Corporation (FDIC)
  Oversees state-chartered banks that aren't members of the Fed
National Credit Union Administration (NCUA)
  Oversees federally insured credit unions
Office of the Comptroller of the Currency (OCC)
  Oversees nationally chartered banks
Office of Thrift Supervision (OTS)
  Oversees all nationally chartered and some state-chartered thrifts
Federal Trade Commission (FTC)
  Oversees GLBA for any financial institution that isn't regulated by one of
  the other agencies
GLBA – PRIVACY RULE
The GLBA Privacy Rule went into effect July 1, 2001.
Under this rule, a financial institution may not share a
consumer's NPI with nonaffiliated third parties
GLBA – PRIVACY RULE – NOTICE OF PRIVACY
PRACTICES
A financial institution can share this information only when it
first provides the consumer with notice of its privacy practices.
This notice must tell consumers about the types of data that the
institution collects.
It also must state how the institution uses the collected
information.
The notice also must describe how the institution protects a
consumer's NPI
GLBA – PRIVACY RULE – NOTICE OF PRIVACY
PRACTICES
The Privacy Rule requires that consumers
have a chance to opt out of certain types of
data sharing with nonaffiliated third parties.
Non-Affiliated Third Party
  An entity that isn't legally related to a
  financial institution.
Affiliated Party
  Has a legal relationship.
  They are members of the same
  corporate family.
  An affiliated party is any entity that
  controls, is controlled by, or is under
  the common control of another entity.
GLBA – PRIVACY RULE – CUSTOMERS AND
CONSUMERS
Consumer
Any person who gets a consumer financial product or
service from a financial institution.
A financial institution doesn't have to give a privacy
notice to a consumer if it doesn't share the consumer's
NPI with nonaffiliated parties.
Financial institutions must give their privacy notice to
consumers if they plan to share the consumer's NPI
with nonaffiliated parties.
The privacy notice must give the consumer a chance to
stop the financial institution from sharing the
consumer's NPI with nonaffiliated third parties
GLBA – PRIVACY RULE – CUSTOMERS AND
CONSUMERS
Consumer
The privacy notice must tell consumers how to opt
out.
If a consumer doesn't opt out, then the financial
institution can share NPI in ways described by its
privacy notice.
GLBA doesn't give consumers the right to opt out of
situations where a financial institution shares NPI with
its affiliates.
In some instances, consumers don't have the ability to
opt out at all. For example, consumers can't opt out of
a disclosure that is required by law
GLBA – PRIVACY RULE – CUSTOMERS AND
CONSUMERS
Customer
A consumer who has a continuing relationship with the institution.
An example of a consumer without a customer relationship is a person who
withdraws cash from an ATM that doesn't belong to his or her personal bank.
Customers must receive the financial institution's privacy notices.
An institution must give a customer notice of its privacy practices as soon as
the customer relationship begins.
Customers also must receive a copy of the privacy notice each year for as
long as the relationship continues.
The notice must be provided in writing and be understandable.
QUESTION
Should there be a single federal law that covers concepts of
information security, privacy, and breach notification? Why or
why not?
SARBANES-OXLEY ACT
Many large corporate scandals rocked the early 2000s.
Companies such as Enron, Adelphia, and WorldCom made news for their inaccurate and misleading financial
reporting practices.
These practices duped investors by making the corporations look more successful than they actually were.
Many of these investors, which included corporate employees, lost large amounts of money.
By the time everyone knew the truth, it was too late to recover investment losses.
When these scandals came to light, they shook investor confidence in the U.S. economy.
Accurate information is the "investor's best tool." People need accurate financial information so they can
invest wisely and make money.
Congress passed the Public Company Accounting Reform and Investor Protection Act in 2002 to help
protect investors
This law is more commonly known as the Sarbanes-Oxley Act of 2002 (also known as “SOX” or “Sarbox”)
SARBANES-OXLEY ACT
The main goal of SOX is to protect investors from financial
fraud.
SOX supplements other federal securities laws.
It applies to publicly traded companies that must register
with the Securities and Exchange Commission.
Investors own a publicly traded company by buying its
stock on a stock exchange.
SOX doesn't apply to privately held companies
SARBANES-OXLEY ACT
When it was first enacted, most companies assumed that it didn't
have any IT components – IT is not mentioned anywhere within the
act.
Many SOX provisions require companies to verify the accuracy of
their financial information.
Since IT systems hold many types of financial information,
companies and auditors quickly realized that these systems were
part of SOX compliance.
That meant that the way those systems are used and the controls
used to safeguard those systems had to be reviewed for SOX
compliance
SARBANES-OXLEY ACT – SECTION 404
Requires an organization's executive officers to establish, maintain,
review, and report on the effectiveness of the company's internal
controls over financial reporting (ICFR).
An organization's executives must understand how its IT systems
work in order to make these certifications
Management makes this certification on reports filed with the SEC
to help ensure that a company's financial reports are accurate.
It helps protect investors from fraudulent financial activities
SARBANES-OXLEY ACT - ICFR
A company must create, document, and test its
ICFR annually
After a company makes its yearly report, outside
auditors must review it and verify that the ICFR
specified in the report actually work.
Under SEC rules, ICFR are processes that
provide reasonable assurance that an
organization's financial reports are reliable
SARBANES-OXLEY ACT - ICFR
ICFR provide management with reasonable assurance that:
Financial reports, records, and data are accurately maintained.
Transactions are prepared according to accounting rules and are
properly recorded.
Unauthorized acquisition or use of data or assets that could affect
financial statements will be prevented or detected in a timely
manner
SARBANES-OXLEY ACT – SECTION 404
Companies trying to comply with Section 404 quickly learned that they needed to
review their IT systems - specifically, they needed to review the ICFR on their IT
systems.
An error in these systems could cause financial statements to contain errors or
mistakes.
To comply with Section 404, companies had to make sure that system data were
accurate.
They had to make sure that they had processes in place to detect inaccurate data.
Section 404 is very general about the types of ICFR that companies must
implement
SARBANES-OXLEY ACT – SECTION 404
In 2007, the SEC issued additional guidance to help companies assess
ICFR during their Section 404 review.
The SEC stated two broad principles in its guidance:
Management should assess how its internal controls prevent or detect
significant deficiencies in financial statements.
Management should perform a risk-based review of the effectiveness of
these controls.
The SEC also said that management must exercise its professional
judgment to limit the scope of a Section 404 review.
The SEC also reminded companies that SOX applies only to internal
controls, including IT controls, that affect financial reporting.
SARBANES-OXLEY ACT – SECTION 404
IT Controls
Management must review general IT controls to make sure that IT systems
operate properly and consistently.
The controls must provide management with reasonable assurance that IT
systems operate properly to protect financial reporting
Outsourcing
SOX requires companies to monitor ICFR for outsourced operations as well.
Many companies do this by asking their outsourcing companies to provide
them with a special audit report about the outsourced operations.
A company must review this report to determine if the outsourcing company's
controls are sufficient.
SARBANES-OXLEY ACT – RECORD RETENTION
Audit papers
  Public companies are required to maintain their
  financial audit papers for seven years, including
  records used to assess ICFR.
  Audit papers are most documents used in an audit that
  support the conclusions made in an audit report.
  This includes work papers, memoranda, and
  correspondence.
  It also includes any other records created,
  sent, or received in connection with the audit.
  Includes electronic records.
Other retention requirements
  Other federal and state laws contain record
  retention requirements.
  Organizations should develop document
  retention policies to help them track their
  different obligations.
  Penalties for failing to retain records for the
  right amount of time can be severe and include
  criminal penalties.
SARBANES-OXLEY ACT - OVERSIGHT
Securities and Exchange Commission (SEC)
  Provides oversight and enforcement.
  Created under the Securities and Exchange Act of 1934.
  Mission is to protect investors and maintain the integrity of the
  securities industry.
  Has the power to investigate and sanction public companies that
  don't comply with SOX.
  Reviews a public company's yearly and quarterly reports at least
  once every three years to try to detect fraud and inaccurate financial
  statements that could harm the investing public.
QUESTION
How are Internal Audit and Information Security similar?
How are they different? Are there skills necessary that are
used in both areas?
FAMILY EDUCATIONAL RIGHTS AND PRIVACY
ACT (FERPA)
Family Educational Rights and Privacy Act (FERPA)
  Main federal law protecting the privacy of student information.
Educational institutions collect and store student data:
  Demographic information
  Address and contact information
  Parental demographic information
  Parental address and contact information
  Grade information
  Disciplinary information
FERPA
Congress created FERPA in 1974.
It applies to any education agency or
institution that receives federal funding.
Most educational institutions receive some
kind of funding from the U.S. Department of
Education - if a school chooses not to comply
with FERPA, it can't receive any federal funds.
Educational institutions include:
  Community colleges
  Colleges and universities
  Primary and secondary schools (kindergarten
  through twelfth grade)
  State and local educational agencies (such as a
  school board)
  Schools or agencies offering a preschool program
  Any other educational institution that receives
  federal funding
FERPA
Student Record
  FERPA protects the privacy of student records.
  A student record is data about a student that a school keeps.
  Written documents, computer media, video, film, and photographs.
  Records maintained by an outside party acting on a school's behalf.
  Can be in paper or electronic form.
Information Security
  FERPA does not specify the information security controls to be
  implemented to protect student records.
  Systems security professionals must be aware of FERPA's
  requirements.
  The organization must then implement security controls in IT
  systems to protect the privacy of electronic student records.
FERPA – STUDENT RIGHTS
Students (or their parents, if the student is under 18) have the right to:
  Know what data is in the student's student
  record
  Inspect and review that record
  Request that a school correct errors in a
  student record
  Consent to have certain kinds of student data
  released
FERPA - PII
Personally identifiable information
  Schools must protect the
  personally identifiable
  information that is located in
  the records.
  Direct identifiers: e.g., name, Social
  Security number, and student number.
  Indirect identifiers: personal characteristics
  that can be used easily to identify a
  student when they're matched with a
  student name.
FERPA – RELEASE OF INFORMATION
A school can't release a
student's records to a third
party without the student's
written consent.
Exceptions
  Some school officials can view student records
  when required by their job duties.
  A school can transfer a student's record from
  the old school to a new school without the
  student's consent.
  Schools can transfer student records for some
  financial aid or accreditation purposes.
  Schools can disclose some student information
  in order to comply with a court order or lawful
  subpoena.
FERPA – DIRECTORY INFORMATION
Special category of personally identifiable information to be disclosed without student consent.
A school can do this so long as it has given notice to the student that it will disclose this
information.
Information that is publicly available about all students.
Includes information such as a student's name, address, or telephone number.
Colleges and universities often provide this type of information in an online directory.
A student can choose to forbid the release of this type of information. The student must tell the
school not to release it; the school must then put measures in place to make sure that this
information is not released.
FERPA – ANNUAL NOTICE
Schools must give annual notice about the
school's FERPA practices
This notice informs students and parents about
their FERPA rights.
It tells students about the school officials who
have access to records without student consent
FERPA - SECURITY
IT and information systems security
professionals who work for higher-education
institutions must also comply with FERPA.
IT departments within higher-education
institutions are responsible and
accountable for maintaining the
confidentiality of student privacy data.
FERPA - OVERSIGHT
Family Policy Compliance Office (FPCO)
  Oversees FERPA compliance.
  Has the authority to review and investigate FERPA
  complaints.
  Only the FPCO is allowed to sanction schools that violate
  FERPA.
Violations
  Schools that violate FERPA can lose their federal funding.
  Students who have had their FERPA rights violated aren't
  allowed to sue a school for that violation.
CHILDREN'S INTERNET PROTECTION ACT (CIPA)
Protects children from exposure to offensive Internet content.
It requires certain schools and libraries to filter offensive Internet
content so that children can't access it
Requires public school systems and public library systems that
participate in E-Rate federal funding to be in compliance with CIPA.
The E-Rate program provides discounts to most primary and
secondary schools and libraries for Internet access.
Provides best practices for parents and providers of free, public Wi-Fi
access to protect our children from offensive content.
Congress passed CIPA in 2000
CHILDREN'S INTERNET PROTECTION ACT (CIPA)
Minor
  Defined as anyone under the age of 17.
  Anyone who is not of legal adult age is considered a minor.
  A minor is a child - different laws may state
  different ages for determining when a person is
  a minor and when he or she is not.
Offensive content
  Includes any visual depictions that are obscene,
  child pornography, or harmful to minors (if the
  computers are accessed by minors).
“Harmful to minors”
  Defined as any visual picture that:
    Appeals to a prurient interest in nudity, sex, or excretion with respect to what is
    suitable for minors
    Depicts, describes, or represents sexual acts, contact, or genitalia in a patently
    offensive way with respect to what is suitable for minors
    Taken as a whole, lacks serious literary, artistic, political, or scientific value with
    respect to what is suitable for minors
CHILDREN'S INTERNET PROTECTION ACT (CIPA)
Obscene and Objectionable Material
Most people agree that children should be protected from obscene material.
Miller v. California
A 1973 U.S. Supreme Court case that helps define what is obscene.
The definition of obscene material is complex.
The Supreme Court said that for material to be identified as obscene, it must meet three conditions based on the average person applying contemporary community standards.
Miller Test
Under the test, material is obscene if it:
Appeals predominantly to prurient interests; prurient indicates a morbid, degrading, and unhealthy interest in sex
Depicts or describes sexual conduct in a patently offensive way
Lacks serious literary, artistic, political, or scientific value
CHILDREN'S INTERNET PROTECTION ACT (CIPA) - E-RATE
Discounts range from 20 percent to 90 percent of actual costs.
Schools and libraries don't have to accept these funds.
They can either pay for the Internet access with private funds, or choose not to use the Internet.
The Federal Communications Commission (FCC) manages the E-Rate program.
CHILDREN'S INTERNET PROTECTION ACT (CIPA)
Challenges
The American Library Association and the American Civil Liberties Union claimed CIPA violated the free speech rights of adults and claimed the law could prevent minors from getting information about topics such as breast cancer.
First Amendment
Sets forth the right to freedom of religion, speech, the press, and assembly.
Implicit right of freedom of thought, which has a privacy component.
Censorship actions can violate the First Amendment.
CHILDREN'S INTERNET PROTECTION ACT (CIPA)
Federal courts
Agreed that CIPA violated free speech rights - temporarily overturned CIPA in 2002.
The government appealed the decision of the federal court to the U.S. Supreme Court (United States et al. v. American Library Association, Inc. et al.).
Supreme Court
In 2003, the Supreme Court overturned the lower court and upheld the law.
The Supreme Court held that only schools and libraries that receive E-Rate funding for Internet access must comply with CIPA.
The case also specifically held that CIPA applies to minors only.
Schools and libraries must have some way to allow adults unfiltered Internet access - if they don't, then they face scrutiny for censorship and violating the First Amendment rights of the adult.
CHILDREN'S INTERNET PROTECTION ACT (CIPA)
Filter
Covered schools and libraries must filter offensive Internet content so that children can't get to it.
Schools and libraries can use technological tools to meet this requirement.
CIPA states what must be filtered but not how to filter it.
Technology protection measure (TPM)
Any technology that can block or filter the objectionable content.
Disabling
The library or school must be able to disable the TPM for any adult who needs to use a computer, as a First Amendment right.
Federal Communications Commission (FCC)
Recognizes that a TPM cannot be 100 percent effective - local authorities should determine which measures are most effective for their community.
Neither CIPA nor the FCC defines what level is acceptable.
The school or library is expected to take steps to resolve failures - if they are not resolved, the patron can file a complaint with the FCC.
CHILDREN'S INTERNET PROTECTION ACT (CIPA) - INTERNET SAFETY POLICY
Basics
The policy must be created to identify a method to address filtering exceptions.
It must be able to monitor the online activity of children.
It must state how the school or library will restrict access to objectionable online materials.
The policy must address:
The safety and security of children when using e-mail, chat rooms, or other electronic communications.
Situations where a child uses the Internet for unlawful activities.
The unauthorized use of a child's personal information.
CHILDREN'S INTERNET PROTECTION ACT (CIPA) - OVERSIGHT
Federal Communications Commission (FCC)
Provides oversight.
Applications by a school or library for E-Rate funding must certify CIPA compliance.
Investigations
If the FCC receives complaints that too many objectionable images are getting through, it may investigate.
Presumes that Congress never intended libraries to be fined if they don't comply with CIPA.
May require a library to refund the E-Rate discount for the period of time it wasn't in compliance.
PAYMENT CARD INDUSTRY DATA SECURITY
STANDARD (PCI DSS): PURPOSE AND SCOPE
Assists merchants and financial institutions in understanding and implementing standards for security policies, technologies, and ongoing processes that protect their payment systems from breaches and theft of cardholder data.
Helps vendors understand and implement PCI standards and requirements for ensuring secure payment solutions are properly implemented.
PCI DSS: PURPOSE AND SCOPE (CONT.)
To validate compliance:
• On-site PCI audit by a qualified security assessor (QSA)
• Quarterly vulnerability assessment scanning performed by
an approved scanning vendor (ASV)
• Complete an annual self-assessment questionnaire (SAQ)
with quarterly vulnerability assessment scanning from an
approved ASV scanning company
• SAQ lists all security control requirements that are
needed for various SAQ levels
PCI DATA SECURITY STANDARD REQUIREMENTS
PCI DSS: MAIN REQUIREMENTS
Requirement 3.3
Updated requirement to clarify that any displays of the primary access number (PAN)
(e.g., a 16-digit credit card number) greater than first six/last four digits of the PAN
requires a legitimate business need
Added guidance on common masking scenarios
Requirement 8.3
Expanded Requirement 8.3 into subrequirements that require multifactor
authentication for personnel with nonconsole administrative access and personnel
with remote access to cardholder data environment (CDE)
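A worked illustration of the Requirement 3.3 masking rule, added here as an example and not code from the PCI SSC or the textbook: mask_pan renders a PAN for display showing the last four digits only, or first six/last four when a documented business need exists, and find_unmasked_pans scans free text such as a log line for a full PAN that should never have been displayed. The log scan goes beyond the slide by applying the Luhn check digit to cut false positives; the card numbers below are constructed test values, and every function and parameter name is this example's own.

```python
"""PAN display masking (first six / last four) and a full-PAN leak scanner.

Added example, not PCI SSC or textbook code. Assumptions: input PANs have
already been validated upstream, and the sample numbers in the tests are
constructed test values, not real cards.
"""
import re
from typing import List

PAN_MIN_DIGITS = 13   # shortest PAN length in common use
PAN_MAX_DIGITS = 19   # longest PAN length in common use
_NON_DIGIT = re.compile(r"\D")


def normalize_pan(pan: str) -> str:
    """Strip separators (spaces, dashes) and check for a plausible PAN length."""
    digits = _NON_DIGIT.sub("", pan)
    if not PAN_MIN_DIGITS <= len(digits) <= PAN_MAX_DIGITS:
        raise ValueError(
            f"PAN must contain {PAN_MIN_DIGITS} to {PAN_MAX_DIGITS} digits")
    return digits


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; every correctly formed PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, *, business_need: bool = False,
             mask_char: str = "*") -> str:
    """Return the display form of a PAN.

    Without a documented business need only the last four digits appear.
    With one, the first six and last four appear, which is the most that
    Requirement 3.3 permits; there is deliberately no mode that shows more.
    """
    digits = normalize_pan(pan)
    keep_front = 6 if business_need else 0
    keep_back = 4
    hidden = len(digits) - keep_front - keep_back
    return digits[:keep_front] + mask_char * hidden + digits[-keep_back:]


# 13..19 digits, optionally separated by single spaces or dashes, not part
# of a longer digit run. Masked PANs ("411111******1111") never match because
# the mask characters break the digit run into pieces that are too short.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_unmasked_pans(text: str) -> List[str]:
    """Return digit runs in text that look like full PANs (length plus Luhn).

    Intended for checking screen text or log lines for a PAN that escaped
    masking; the Luhn test drops order numbers and other long digit runs.
    """
    found = []
    for match in _CANDIDATE.finditer(text):
        digits = _NON_DIGIT.sub("", match.group(0))
        if PAN_MIN_DIGITS <= len(digits) <= PAN_MAX_DIGITS and luhn_ok(digits):
            found.append(digits)
    return found
```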
PCI DSS: MAIN REQUIREMENTS (CONT.)
Requirement 10.8.1 (effective February 1, 2018)
A new requirement for service providers to detect and report on failures of critical
security control systems
Requirement 11.3.4.1 (effective February 1, 2018)
A new requirement for service providers to perform penetration testing on
segmentation controls at least every six months
PCI DSS: MAIN REQUIREMENTS (CONT.)
Requirement 12.4 (effective February 1, 2018)
A new requirement for service providers’ executive management to establish
responsibilities for the protection of cardholder data and a PCI DSS compliance
program
Requirement 12.11.1 (effective February 1, 2018)
A new requirement for service providers to perform reviews at least quarterly, to
confirm that personnel are following security policies and operational procedures
DISCUSSION
INFORMATION SECURITY
STANDARDS
LEARNING OBJECTIVES
Identify prominent information security standards
organizations
Summarize what ISO 17799 contains
Explain how ISO/IEC 27002 pertains to information
security
Describe PCI DSS requirements
INTRODUCTION
Standards
How can so many products from different vendors work together? They work together because of standards.
Standards are necessary to create and maintain a competitive market for hardware and software vendors.
They guarantee compatibility between products from different countries.
They provide guidelines to ensure products in today's computing environments work together.
Adhering to standards is necessary to increase market appeal and for regulatory compliance.
QUESTION
What are some challenges of trying to adhere to a security
standards framework? Do you think that everyone in the
organization will want to use the same standards? Why or why
not?
NATIONAL INSTITUTE OF STANDARDS AND
TECHNOLOGY (NIST)
Federal agency within the U.S. Department of Commerce
Founded in 1901 as the National Bureau of Standards (NBS)
America's first federal physical science research laboratory
Mission is to "promote U.S. innovation and industrial competitiveness by advancing measurement
science, standards, and technology in ways that enhance economic security and improve our quality of
life."
Provides standards for measurement and technology on which nearly all computing devices rely
NIST COOPERATIVE PROGRAMS
NIST Laboratories
Laboratories that conduct research to advance the United States' technology infrastructure.
The nation's industry uses this infrastructure to improve the quality of products and services.
Baldrige National Quality Program
A national program that empowers and encourages excellence among U.S. organizations, including manufacturers, service organizations, educational institutions, health care providers, and nonprofit organizations.
Strives to increase quality and recognize organizations that achieve quality goals.
NIST COOPERATIVE PROGRAMS
Hollings Manufacturing Extension Partnership
A network of centers around the nation that offer technical and business assistance to small and medium-sized manufacturers.
Technology Innovation Program
Another national program that offers awards to organizations and universities to support potentially revolutionary technologies that apply to critical needs of national interest.
NIST PUBLICATIONS
NIST maintains a list of standards and publications of general interest to the
computer-security community.
NIST established this collection of documents, called the Special Publications
800 series, in 1990 to provide a separate identity for information technology
security publications
The publications in this series report on research and guideline efforts related
to computer security in government, industry, and academic organizations.
The NIST Special Publications 800 series contains many standards that provide
guidance for information systems security activities
INTERNATIONAL ORGANIZATION FOR
STANDARDIZATION (ISO)
Formed in 1946, ISO is a nongovernmental international organization.
Its goal is to develop and publish international standards.
ISO, based in Geneva, Switzerland, is a network of 163 national
standards institutes.
ISO serves as a bridge between the public and private sectors.
Some members are governmental entities, while others are in the
private sector
INTERNATIONAL ORGANIZATION FOR
STANDARDIZATION (ISO)
ISO's goals are to develop standards that do not cater to either group exclusively but reach
consensus.
Although the organization's short name, ISO, appears to be an acronym, it is not.
Because ISO is an international organization, its full name is different depending on the
language.
ISO members agreed on the short name ISO derived from the Greek word isos, which means
"equal."
ISO strives for consensus, even in the choice of its name. This focus on consensus is what
makes ISO such a successful authority in developing and promoting standards in many areas.
ISO PUBLICATIONS
ISO publishes many standards for nearly all industries.
For example, the International Standard Book Number (ISBN) is an ISO
standard.
ISO organizes its many standards by both the International Classification for
Standards (ICS) and the Technical Committee (TC) to which it assigns each
standard.
You can find standards spread among 40 different Level 1 ICSs, assigned to one
of over 200 TCs.
OPEN SYSTEMS INTERCONNECTION (OSI)
REFERENCE MODEL
Best-known ISO standard - governs how separate computer systems
communicate using networks.
The reference model contains seven distinct layers that address seven
different issues related to networked communications.
The reference model defines the standards that enable computers and
devices from different vendors to communicate.
Each layer in the model represents a collection of related functions
Each function provides services to the layer immediately above it and
receives services from the layer immediately below it.
THE OSI REFERENCE MODEL
INTERNATIONAL ELECTROTECHNICAL
COMMISSION (IEC)
Standards organization that often works with ISO.
The IEC is the preeminent organization for developing and publishing international standards for technologies related to electrical and electronic devices and processes.
People refer to the collective body of knowledge addressed by the IEC as electrotechnology.
The IEC formed in 1906 to address issues with the expanding technologies related to electrical devices.
The IEC was instrumental in the development of standards for electrical measurements, including the gauss, hertz, and weber.
You will most likely encounter IEC standards relating to physical computer and networking hardware.
IEC's standards
Power generation
Power transmission and distribution
Commercial and consumer electrical appliances
Semiconductors
Electromagnetics
Batteries
Solar energy
Telecommunications
WORLD WIDE WEB CONSORTIUM (W3C)
The creation of the World Wide Web in 1990 marked a turning point in the way users accessed resources on the
Internet.
In the early days of the Internet, competing vendors released their own versions of the primary language of the Web, HTML, which led to incompatible browsers and limited functionality.
Sir Tim Berners-Lee, the computer scientist who wrote the original proposal for what eventually became the World
Wide Web, founded the World Wide Web Consortium (W3C) in 1994 to address the lack of standards.
The W3C immediately became the main international standards organization for the World Wide Web.
The stated purpose of the W3C is to develop protocols and guidelines that unify the World Wide Web and ensure its
long-term growth.
The W3C develops many Web-related standards that govern and coordinate many aspects of Web development and
operation
WORLD WIDE WEB CONSORTIUM (W3C)
W3C Standards
Cascading Style Sheets (CSS)
Common Gateway Interface (CGI)
Hypertext Markup Language (HTML)
Simple Object Access Protocol (SOAP)
Web Services Description Language (WSDL)
Extensible Markup Language (XML)
Each of these standards and
specifications is necessary to ensure
that Web applications interact with
Web components from other
vendors.
INTERNET ENGINEERING TASK FORCE (IETF)
The Internet Engineering Task Force (IETF) develops and promotes
Internet standards.
According to the IETF Web site, the purpose of the IETF is to "make
the Internet work better."
The IETF focuses on the engineering aspects of Internet
communication and attempts to avoid policy and business questions.
The IETF works closely with the W3C and ISO/IEC, focusing
primarily on standards of the TCP/IP or Internet protocol suite
INTERNET ENGINEERING TASK FORCE (IETF)
The IETF is an open organization. There are no membership requirements.
All participants, including contributors and leaders, are volunteers. Their
employers usually fund their work.
The IETF first met in 1986 as a group of 21 researchers wanting to formalize
the main Internet communication protocols.
Today, the IETF is a collection of working groups (WGs), with each group
addressing a specific topic - every WG has a dedicated mailing list to which
anyone can subscribe.
REQUEST FOR COMMENTS (RFC)
The RFC series consists of documents that range from simple memos to standards documents.
Each RFC's introduction indicates its status. The RFC model
allows input from many sources and encourages collaboration
and peer review
REQUEST FOR COMMENTS (RFC) - GUIDELINES
Only some RFCs are standards
Only RFCs that open with phrases like "This document specifies…" or "This memo documents…" should be considered standards or normative documents.
RFCs never change
Any changes to an RFC get a new number and become a new RFC. Always look for the latest RFC, because previous documents may be out of date.
RFCs may originate with other organizations
The IETF creates only some RFCs. Others may come from independent sources, the IAB, or the Internet Research Task Force (IRTF).
REQUEST FOR COMMENTS (RFC) - GUIDELINES
Stages
RFCs that define formal standards have four stages:
Proposed Standard (PS)—The initial official stage of a standard
Draft Standard (DS)—The second stage of a standard, after participants have demonstrated that the standard has been deployed in working environments
Standard (STD)—The final stage of a standard, after it has been shown to be widely adopted and deployed
Best Current Practice (BCP)—The alternative method used to document operational specifications that are not formal standards
As an RFC moves from one stage to the next, it becomes more formal and more organizations accept it.
INTERNET ARCHITECTURE BOARD (IAB)
The Internet Architecture Board (IAB) is a subcommittee of the IETF.
It also serves as an advisory body to the Internet Society (ISOC).
The IAB is composed of independent researchers and professionals who
have a technical interest in the well-being of the Internet.
The IAB provides much of the high-level management and validation of
the processes of conducting IETF business.
The IAB is an important committee that has substantial influence over
many standards that affect the Internet
INTERNET ARCHITECTURE BOARD (IAB) –
OVERSIGHT ACTIVITIES
Architecture for Internet protocols and procedures
Processes used to create standards
Editorial and publication procedures for RFCs
Confirmation of IETF chair and technical area directors
INSTITUTE OF ELECTRICAL AND ELECTRONICS
ENGINEERS (IEEE)
The world's largest professional association for the advancement of technology.
The IEEE is an international nonprofit organization that focuses on developing and distributing
standards that relate to electricity and electronics.
With more than 425,000 members in approximately 160 countries, it has the largest number of
members of any technical professional organization in the world.
The IEEE formed in 1963 through the merger of two older organizations: the Institute of Radio
Engineers, formed in 1912, and the American Institute of Electrical Engineers, formed in 1884.
IEEE supports 38 societies that focus activities on specific technical areas - technical areas
include magnetics, photonics, and computers.
The 802 working group takes its name from the date it first convened, in February (month 2) of
1980.
INSTITUTE OF ELECTRICAL AND ELECTRONICS
ENGINEERS (IEEE)
IEEE is also one of the largest standards-producing organizations.
The IEEE Standards Association (IEEE-SA) manages these standards.
IEEE standards cover many industries, including information technology
IEEE currently publishes or sponsors more than 1,300 standards and projects
The best-known standard that relates to information security is the IEEE 802 LAN/MAN standard
family
This group of standards defines how different types of local area network (LAN) and metropolitan
area network (MAN) protocols work
Students can obtain student memberships to IEEE; they can enjoy all the benefits of full membership
except the right to vote
COMMON IEEE 802 STANDARD WORKING
GROUPS
Working Group: Name
802.1: Higher Layer LAN Protocols
802.3: Ethernet
802.11: Wireless LAN (802.11a, 802.11b, 802.11g, 802.11n, 802.11ad, etc.)
802.15: Wireless Personal Area Network (WPAN)
802.16: Broadband Wireless Access (WiMAX)
802.18: Radio Regulatory TAG
802.19: Wireless Coexistence
802.20: Mobile Broadband Wireless Access
INTERNATIONAL TELECOMMUNICATION
UNION TELECOMMUNICATION SECTOR (ITU-T)
The International Telecommunication Union (ITU) is a United Nations agency.
It is responsible for managing and promoting information and technology issues.
ITU is a global point of focus for both governmental and commercial development of networks and
related services.
ITU was formed in 1865 as the International Telegraph Union to develop international standards for
the emerging telegraph communications industry.
ITU became a United Nations agency in 1947. It was renamed the International Telegraph and
Telephone Consultative Committee (CCITT) in 1956, and eventually adopted its current name in
1993.
INTERNATIONAL TELECOMMUNICATION
UNION TELECOMMUNICATION SECTOR (ITU-T)
The oldest and most recognizable activity of the ITU is its work developing
standards.
The ITU Telecommunication Sector (ITU-T) performs all ITU standards
work.
The ITU-T is responsible for ensuring the efficient and effective production
of standards covering all fields of telecommunications for all nations.
ITU-T also defines tariff and accounting principles for international
telecommunication services
INTERNATIONAL TELECOMMUNICATION
UNION TELECOMMUNICATION SECTOR (ITU-T)
ITU-T calls the international standards it produces
recommendations.
They become mandatory only when adopted as part of a
member state's national law. Because the ITU-T is a United
Nations agency, its standards carry significant international
weight. Even though ITU-T calls its standards
recommendations, they tend to carry substantial authority
INTERNATIONAL TELECOMMUNICATION
UNION TELECOMMUNICATION SECTOR (ITU-T)
ITU-T divides its recommendations into 26 separate series, each bearing a
unique letter of the alphabet.
For example, switching and signaling recommendations are in the Q series. Data
networks, open systems communications, and security recommendations are in
the X series.
ITU-T has developed and published many communication recommendations
that address technical details of all types of communication.
Three recommendations of particular interest in information security are X.25,
X.75, and X.509. Table 12-3 lists a few details of each of these ITU-T
recommendations
ITU-T INFORMATION SECURITY
RECOMMENDATIONS
ITU-T Recommendation: Description
X.800 – X.849: Security: Recommendations in this series address security issues as they relate to different networking layers
X.1000 – X.1099: Information and network security: General network security
X.1100 – X.1199: Secure applications and services: Ensuring that applications and services are developed and deployed in a secure manner
ITU-T INFORMATION SECURITY
RECOMMENDATIONS (CONT.)
ITU-T Recommendation: Description
X.1200 – X.1299: Cyberspace security: Overall cybersecurity, identity management, and countering spam
X.1300 – X.1399: Secure applications and services: Different from X.1100 – X.1199, this series focuses on emergency communications and sensor network security
X.1500 – X.1599: Cybersecurity information exchange: Focused on exchanging information between actors in a secure manner
X.1600 – X.1699: Cloud computing security: Security topics specifically related to cloud environments
AMERICAN NATIONAL STANDARDS INSTITUTE
(ANSI)
One of the leading standards agencies in the United States is
the American National Standards Institute (ANSI).
ANSI's goal is to strengthen the U.S. marketplace within the
global economy.
At the same time, it strives to ensure the safety and health
of consumers and the protection of the environment.
It seeks to accomplish this by promoting voluntary
consensus standards and conformity assessment systems
AMERICAN NATIONAL STANDARDS INSTITUTE
(ANSI)
ANSI was formed in 1918 through the merger of five engineering societies and
three government agencies.
These groups merged to form the American Engineering Standards Committee
(AESC). In 1928, the AESC became the American Standards Association (ASA).
In 1966, the ASA reorganized and became the United States of America
Standards Institute (USASI).
Finally, in 1969, the USASI became ANSI. Today, ANSI is composed of
government agencies, organizations, educational institutions, and individuals.
ANSI represents more than 125,000 companies and 3.5 million professionals
AMERICAN NATIONAL STANDARDS INSTITUTE
(ANSI)
ANSI oversees the creation, publication, and management of many standards
and guidelines that directly affect businesses in nearly every sector.
ANSI standards cover such business sectors as acoustical devices, construction
equipment, dairy and livestock production, and energy distribution.
ANSI produces standards that affect nearly all aspects of IT.
Unlike other organizations that specifically focus on engineering or technical
aspects of computing and communication, ANSI primarily addresses standards
that support software development and computer system operation
ISO 17799
ISO 17799 is an international security standard.
This standard documents a comprehensive set of controls that represent best practices in information systems.
The standard actually consists of two separate parts: the ISO 17799 code of practice and the BS 17799-2 specification for an information security management system.
The main purpose of the standard is to identify security controls needed for
information systems in today's business environments.
The standard originally appeared as the "DTI Code of Practice" in Britain and was
later renamed BS 7799
ISO 17799
Developers submitted the standard to ISO for accreditation and publishing. ISO
published the standard as ISO 17799 in 2000.
Interest in the standard increased quickly. Several companies began providing
tools and services to help implement ISO 17799.
It quickly became the predominant information security standard. ISO 17799
gave many organizations a framework on which to build their security policy.
It also became a differentiator among competitors.
The standard enabled potential customers to evaluate organizations on their
efforts toward securing data.
ISO 17799 - SECTIONS
Security Policy
A statement of management direction
Security Organization
Governance of information security, or how information security should be enforced
Asset Classification and Control
Procedures to classify and manage information assets
Personnel Security
Guidance for security controls that protect and limit personnel
Physical and Environmental Security
Protection of computer facilities
ISO 17799 - SECTIONS
Communications and Operations Management
Managing technical security controls in systems and networks
Access Control
Controls that limit access rights to network resources, applications, functions, and data
System Development and Maintenance
Guidelines for designing and incorporating security into applications
Business Continuity Management
Protecting, maintaining, and recovering business-critical processes and systems
Compliance
Ensuring conformance with information security policies, standards, laws, and regulations
ISO/IEC 27002
A newer standard, ISO/IEC 27002, has superseded ISO 17799.
It provides a generic information security standard accessible by all organizations, regardless of size, industry, or location.
Although ISO/IEC 27002 replaced ISO 17799, you will still see references to ISO 17799 as a leading information security standard.
ISO/IEC 27002
ISO/IEC 27002 appeared in 2005 as an update to the ISO 17799
standard.
Originally named ISO 17799:2005, ISO changed its name to ISO/IEC
27002:2005 in 2007.
This was to conform to the naming convention used by other 27000-series ISO/IEC standards.
The ISO/IEC 27000 series is a growing family of general information
security standards.
ISO/IEC 27002 is "Information Technology Security Techniques Code of
Practice for Information Security Management."
ISO/IEC 27002
Like its predecessor, ISO/IEC 27002 provides organizations with best-practice recommendations on information security management.
ISO/IEC 27002 expands on its predecessor by adding two new sections and reorganizing several others.
The standard directs its recommendations to management and security personnel responsible for information security management systems.
The standard specifies and outlines the recommended security controls within each section.
The standard treats information security in the context of the C-I-A triad.
Most people regard the information security controls as best practices.
ISO/IEC 27002 - SECTIONS
Risk Assessment
Formal methods of identifying and classifying risks
Security Policy
A statement of management direction
Organization of Information Security
Governance of information security, or how information security should be enforced
Asset Management
Procedures to acquire, classify, and manage information assets
Human Resources Security
Security guidelines for personnel joining, leaving, or moving within an organization
Physical and Environmental Security
Protection of computer facilities
ISO/IEC 27002 - SECTIONS
Communications and Operations Management
Managing technical security controls in systems and networks
Access Control
Controls that limit access rights to network resources, applications, functions, and data
Information Systems Acquisition, Development and Maintenance
Guidelines for designing and incorporating security into applications
Information Security Incident Management
Anticipating and responding appropriately to information security breaches
Business Continuity Management
Protecting, maintaining, and recovering business-critical processes and systems
Compliance
Ensuring conformance with information security policies, standards, laws, and regulations
PAYMENT CARD INDUSTRY DATA SECURITY
STANDARD (PCI DSS)
The PCI DSS is an international standard for handling transactions involving payment cards.
The Payment Card Industry Security Standards Council (PCI
SSC) developed, publishes, and maintains the standard.
PCI DSS is different from other standards you have seen so
far
PAYMENT CARD INDUSTRY DATA SECURITY
STANDARD (PCI DSS)
Some of the largest payment card vendors in the world formed PCI DSS: Visa, MasterCard, Discover, American Express, and Japan Credit Bureau.
Each of these organizations had its own standard for protecting payment card information. These organizations combined their efforts and published the first version of the PCI DSS in December 2004.
PAYMENT CARD INDUSTRY DATA SECURITY
STANDARD (PCI DSS)
They created PCI DSS to protect payment card users from
fraud and to preempt legislative requirements on the
industry.
It requires layers of controls to protect all payment card–
related information as it is processed, transmitted, and
stored.
The standard applies to all organizations that participate in
any of the processes surrounding payment card processing
PAYMENT CARD INDUSTRY DATA SECURITY
STANDARD (PCI DSS)
Compliance with PCI DSS standards is a prerequisite for doing business
with any of the member organizations.
If any organization violates PCI DSS standards, it could lose its ability to
process payment cards.
In most cases, noncompliance results in fines and/or audits that are more frequent.
Habitual offenders may find their processing privileges revoked.
The rules with which an organization must comply depend on the
number of payment card transactions the organization processes
PAYMENT CARD INDUSTRY DATA SECURITY
STANDARD (PCI DSS)
Organizations assess compliance at least annually.
Organizations that handle large volumes of transactions must have their
compliance assessed by an independent Qualified Security Assessor (QSA).
Organizations that handle smaller volumes of transactions can choose to
self-certify using a PCI DSS Self-Assessment Questionnaire (SAQ)
PCI DSS version 2.0 defines 12 requirements for compliance, organized into
six groups, called control objectives
QUESTION
What value do you think that security standards provide to an
organization? Is there any negative effect by adhering to
standards?
DISCUSSION