Forum for Information Security

Assurance & Compliance - August 25, 2005 4:20 am

California was the first state to come out with comprehensive legislation that required companies to implement adequate safeguards to protect the privacy and security of information collected for business purposes. Termed SB1386, it heralded a new era in compliance and assurance legislation - and today, 18 US states have passed privacy and security laws in some form or other.

The Personal Data Privacy and Security (PDPSA) bill applies to any business “engaging in interstate commerce that involves collecting, accessing, transmitting, using, storing, or disposing of personally identifiable information in electronic or digital form on 10,000 or more U.S. persons.”

It is really aimed at codifying a federal bill in response to over 18 state data protection laws incorporating breach notification, many of which are modeled after California’s SB 1386.

A 91-page bi-partisan bill, “The Personal Data Privacy and Security Act of 2005” (PDPSA), cosponsored by Senators Patrick Leahy and Arlen Specter, is currently in front of Congress, designed “to prevent and mitigate identity theft; to ensure privacy; and to enhance criminal penalties, law enforcement assistance, and other protections.”

Watch this space for further details.

Certainly seems like things are tightening up as awareness of privacy and security grows at the consumer level.

Expect companies to face stiff penalties for non-compliance and executive officers to be held individually and severally liable - this will force most medium to large companies in the B2C space to take proactive measures to secure their databases, internet-facing applications and consumer interfaces.

Do send us your comments,

RiOn

Information Security - August 6, 2005 10:21 am

There is some talk in companies about creating a new position to ensure regulatory compliance across the enterprise.

The term being used for the moment is Chief Compliance Officer.

According to Tech Target, this is a basic job description:

• Staying current with new and updated regulations. These may include state and federal laws, as well as industry-based accreditation requirements.
• Developing and maintaining a repository of regulations and the organization’s compliance status. This provides a quick snapshot and a valuable reference document. When new regulations emerge, this tool can identify any overlap with pre-existing regulations.
• Understanding how each regulation affects the organization and explaining the impact of non-compliance to leadership.
• Developing cooperative relationships with those charged with implementation, such as the ISO and the Privacy Officer.
• Developing documented and repeatable evaluation processes to verify that underlying controls are adequate to meet requirements.
• Periodically performing evaluations and reporting outcomes to senior management.
• Developing processes for the workforce to report non-compliance issues to the CCO and how the CCO will respond to those issues.
• Reporting compliance deficits and lapses to senior management and ensuring they are remedied.

Tech Target goes on to say:

‘An effective CCO is a great asset to the CISO and the information security program. The CISO can make a case for this position as an added layer of protection for the organization. The CCO brings a fresh perspective to security and other regulatory controls and may spot program opportunities or weaknesses that the CISO is too close to see. …’

See the entire article on:
http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1111697,00.html

In my view, while it is okay to appoint someone as CCO, the position should be defined and structured in such a way as to avoid duplication with other job functions - especially those in the legal, risk management, operations and, of course, security departments.

How do companies ensure internal ‘buy-in’ so that a candidate is able to discharge his responsibilities? How is the position structured so that he can get the necessary cooperation from the various other sections of the enterprise? As we all know, large corporations have power centres which may not necessarily reflect the organizational structure.

So I think that before businesses rush to employ a CCO, a lot of consideration should be given to what value someone will bring to the organization and how the individual can deliver clear, measurable results on an ongoing basis.

Broadly, the way that companies work these days is that they engage an external consultant to scope the work required to achieve compliance and also to conduct ongoing compliance audits to verify that they aren’t breaking any rules which may land them in trouble with the regulator or law making bodies.

This effort is largely coordinated by a few top level internal executives - since compliance is a complicated field which requires in depth domain and technical knowledge, legal expertise and also practical hands on industry experience.

Is it possible to find these skillsets? Will the results be better than hiring outside consultants, who bring specialization and experience with their services? And, if the CCO fails in his / her duty, what is the backup procedure or verification process to ensure compliance? Another guard to watch the guard.

Time will tell. In my experience, a lot of Information Security Officers or Privacy Officers are stunted by internal obstacles, lack of planning and budgetary support, lack of clear direction given from the board, etc. Additionally, they are simply bestowed with the title in addition to their existing job responsibilities - like a Company Secretary may be the Privacy Officer, etc.

Comments? Let me know.

RiOn

Information Security Training - August 3, 2005 9:48 am

Dear Folks -

We would like to extend a warm welcome to all the infosec professionals who use this forum on behalf of MIEL’s Information Security Training Institute.

From hereon, we will be posting topics relevant to infosec training here.

Feel free to post your comments and feedback.

Happy blogging!

Abigail and RiOn

Assurance & Compliance 8:21 am

In an earlier post, I outlined a basic 3-step approach to implementing HIPAA within your organization.

http://mielesecurity.blogsome.com/2005/07/02/hipaa-compliance-a-basic-3-step-approach/

This information is provided for an audience seeking an overview of the Information Security requirements, as outlined in HIPAA. I hope this will be useful as a starting point towards compliance, particularly if you are in the healthcare outsourcing business (claims processing, clinical records management and analysis, customer service, helpdesk, etc).

The Act:

The Health Insurance Portability and Accountability Act (HIPAA), signed into law by President Clinton on August 21, 1996, was established to improve the overall efficiency and effectiveness of the healthcare system by ensuring continued healthcare coverage for individual workers and their families in the event that they change employment. The law includes additional provisions for healthcare systems which address the management of health information, the simplification of administrative aspects of healthcare, as well as rulings which address the privacy and the security of health information.

Key Sections That Pertain to System Security

HIPAA security regulations are intentionally vendor and technology neutral, and consequently are both broad and open to interpretation based on the individual circumstances of the healthcare entity. The Security Rule contains three measures that must be addressed in order to protect and assure the confidentiality of electronic protected health information:

• Administrative Safeguards: Implement and maintain policies and procedures to prevent, detect, contain and correct security violations.
• Physical Safeguards: Implement and maintain policies and procedures to limit physical access to computer systems and their facilities, while ensuring that properly authorized access is allowed.
• Technical Safeguards: Implement and maintain policies and procedures that protect and monitor information access and prevent unauthorized access to data transmitted over a network.

Technical Safeguards: These standards describe the technical processes of the systems which will be used to enforce the administrative standards. Stated differently, how will you execute your security plan, including the electronic creation, updating, managing and transmittal of the data? At a minimum, each of the following must be addressed:

• Access Controls: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights.
• Privacy Controls: Ensure that confidential data is secured in transit.
• Audit Controls: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
• Integrity: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
• Person or Entity Authentication: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

Best Practices Approach

The following is a “best practices” approach to securing the “inner” network from internal threats, thereby achieving regulatory compliance. These steps, coupled with an adequate external perimeter defense, will establish and maintain a secure “trusted” internal network environment.

• Define which security relationships are needed.
• Segregate the network into security zones to facilitate easier management.
• Enforce the established security relationships within and across the security zones.
• Perform regular network audits to ensure security relationships are enforced.
• Update security relationships as business needs or compliance issues dictate.
• Provide an audit trail and reporting to satisfy regulatory compliance audits.

If anyone has questions / comments, do post them here.

RiOn

Assurance & Compliance - August 2, 2005 7:41 am

For folks in the pharmaceutical business, and operating in North American markets, there are regulatory standards that need to be complied with. These are summarized in the FDA 21 Code of Federal Regulations Part 11 (FDA 21 CFR) - this is particularly relevant to Indian companies who have acquired US pharma companies or are present in generics or bulk drug formulations, and even extends to biotech companies and other companies who undertake contract manufacturing for US pharmaceutical companies.

FDA 21 CFR Part 11 became effective in August 1997, and affects companies in all FDA-regulated industries, including, but not limited to, Bio-Pharmaceutical (Human and Veterinary), Personal Care Products, Medical Devices and Food and Beverage. The regulation specifies the FDA requirements for accepting electronic records in lieu of paper records. So far, FDA auditing efforts have mostly focused on manufacturing, clinical trials and drug development.

FDA 21 CFR PART 11 key requirements:

FDA 21 CFR Part 11 outlines procedures and controls for ensuring the authenticity, integrity, non-repudiation and confidentiality of electronic records and signatures. The controls themselves differentiate between “closed systems” and “open systems”. An example of a closed system would be an information system that is contained within an organization’s local area network or Intranet, while an open system would be one that uses the Internet.

The controls essentially state that “Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and confidentiality of electronic records from the point of their creation to the point of receipt, and as appropriate, additional measures such as encryption and digital signature standards”.

Key IT Security Requirements of FDA 21 CFR Part 11

1. Manage access rights in distributed and networked environments.
2. Confirm only authorized users have access to sensitive information and systems.
3. Prevent unauthorized access to computer system resources.
4. Prevent unauthorized access to information held in application systems.
5. If digital signatures are utilized within the organization then the controls require that the system be effectively managed, secured and kept up to date.
6. Put procedures, processes and systems in place to ensure system integrity.
7. Enforce data integrity and privacy while in transit.

Best Practices Approach

The following is a “best practices” approach to securing the “inner” network from internal threats, thereby achieving regulatory compliance. These steps, coupled with an adequate external perimeter defense, will establish and maintain a secure “trusted” internal network environment.

1. Define which security relationships are needed.
2. Segregate the network into security zones to facilitate easier management.
3. Enforce the established security relationships within and across the security zones.
4. Perform regular network audits to ensure security relationships are enforced.
5. Update security relationships as business needs or compliance issues dictate.
6. Provide an audit trail and reporting to satisfy regulatory compliance audits.

For more information, visit the FDA’s CFR database section’s Part 11, which deals with electronic records and electronic signatures.

http://www.fda.gov/ora/compliance_ref/part11/

Hope this information is useful,

oRiOn
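As an added example (not part of the posts above, nor any FDA or HIPAA material), here is one way to make steps 3, 4 and 6 of the “best practices” approach concrete, for both the 21 CFR Part 11 post and the identical list in the HIPAA post: a zone map and a table of permitted zone-to-zone security relationships are defined, observed flow records are audited against them, and violations are summarised for the compliance report. The zones, ports and flow records are constructed for illustration only.

```python
import ipaddress
from collections import Counter

# Constructed zone map: each internal subnet belongs to one security zone.
ZONES = {
    ipaddress.ip_network("10.1.0.0/16"): "workstation",
    ipaddress.ip_network("10.2.0.0/16"): "app",
    ipaddress.ip_network("10.3.0.0/16"): "db",
    ipaddress.ip_network("10.4.0.0/24"): "mgmt",
}
# Constructed relationships: (source zone, destination zone) -> permitted ports.
# A flow that matches no entry violates the defined security relationships.
ALLOWED = {
    ("workstation", "app"): {443},
    ("app", "db"): {1433},
    ("mgmt", "workstation"): {22, 3389},
    ("mgmt", "app"): {22},
    ("mgmt", "db"): {22},
}
def zone_of(ip):
    """Map an address to its zone; anything outside every zone is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    return next((z for net, z in ZONES.items() if addr in net), "unknown")
def parse_flow(line):
    """Parse a 'timestamp key=value ...' record into (time, src, dst, dport)."""
    ts, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    return ts, kv["src"], kv["dst"], int(kv["dport"])
def audit(flow_lines):
    """Return one finding per flow not permitted by a defined relationship."""
    findings = []
    for line in flow_lines:
        ts, src, dst, dport = parse_flow(line)
        rel = (zone_of(src), zone_of(dst))
        if dport not in ALLOWED.get(rel, set()):
            findings.append({"time": ts, "src": src, "dst": dst,
                             "dport": dport, "relationship": "->".join(rel)})
    return findings
def report(findings):
    """Count violations per zone relationship for the compliance report."""
    return dict(Counter(f["relationship"] for f in findings))
# Constructed flow records (not from any real network); three violate the policy.
SAMPLE_FLOWS = [
    "2005-08-02T07:41:00 src=10.1.5.20 dst=10.2.0.10 dport=443 proto=tcp",
    "2005-08-02T07:41:03 src=10.2.0.10 dst=10.3.0.7 dport=1433 proto=tcp",
    "2005-08-02T07:41:09 src=10.1.5.20 dst=10.3.0.7 dport=1433 proto=tcp",  # skips app tier
    "2005-08-02T07:41:15 src=10.4.0.2 dst=10.3.0.7 dport=22 proto=tcp",
    "2005-08-02T07:41:20 src=10.2.0.10 dst=10.1.5.20 dport=3389 proto=tcp",  # reversed
    "2005-08-02T07:41:31 src=192.168.9.9 dst=10.3.0.7 dport=1433 proto=tcp",  # no zone
]
```

Each finding carries the timestamp and addresses, so the list itself serves as the audit trail, while `report(audit(SAMPLE_FLOWS))` gives the per-relationship counts for the compliance report.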