SUNY Old Westbury Importance of Conducting Risk Assessments Discussion
Prompt:
Chapter 10 of the course textbook discusses the importance of conducting risk assessments (RAs). Darril Gibson defines an RA as a point-in-time report used to compare current risks against the controls that are already in place. Although it is beneficial to conduct an RA often, there are challenges to conducting quantitative RAs. For this week’s discussion, you will consider the benefits and challenges of risk assessments with your peers.
Assignment:
- Using the internet, find an example of an adverse IT event that was likely a result of failed risk assessment and planning processes.
- As you write your post, consider the following:
  - Would a qualitative or quantitative RA have been more effective in preventing the risk? Why?
  - What controls would have been best to implement? Why?
  - In what ways did senior management’s attitude toward risk influence how the RA was conducted?
  - How should the company change its RA in the future to prevent this risk from occurring again?
After completing the basics of identifying assets, threats, and vulnerabilities, you can begin identifying controls. Controls mitigate risk throughout an organization. One of the ways to evaluate controls is to identify critical business operations and critical business functions. Controls should be in place to protect against risks for these critical areas of your business.
Compliance is an important topic in IT today. If any laws or guidelines govern your organization, you need to ensure you’re compliant. Noncompliance can be quite expensive. The first step is identifying the relevant laws and guidelines to see if they apply to your organization. If they do apply, you need to assess the regulations to identify the impact on your organization.
Where Should Your Organization Start with Risk Mitigation?
Your organization should start by identifying assets. An asset inventory helps you determine the value of your systems, services, and data. The value of the assets can be monetary, or it can be relative. For example, you may decide to assign values such as High, Medium, and Low for assets. These values do not necessarily equate to the cost of equipment. Rather, the value relates to the possible business impact if the assets are damaged or lost.
As an example, your asset inventory could have resulted in the following priorities:
• Database servers—High
• File servers—High
• E-mail servers—High
• Network infrastructure—High
• Web server—Medium
• User desktop systems—Medium
• User laptops—Low
This list isn’t intended to be a complete list of all assets. Instead, it provides a sample of how an organization may prioritize its assets.
Next, you identify and analyze threats and vulnerabilities. You do this with threat assessments, vulnerability assessments, and exploit assessments. You can perform a threat and vulnerability assessment on each asset.
For example, you can begin an assessment on the database servers. You can start several ways. One way is to consider the basics and ask yourself some questions:
• Loss of confidentiality—Is the data sensitive? Are access controls in place? Should at-rest data be encrypted? Should data be encrypted when it’s transferred?
• Loss of integrity—Can the database recover from power loss? Are data versions required? Is configuration of the database documented? Are change management practices followed?
• Loss of availability—Are reliable backups performed regularly? Are copies of backups stored off-site? Are backups checked to ensure they can be restored? What are the required hours for data availability? Are redundant drives used? Are failover clusters required?
The questions you ask will be different for different assets. For example, if you are examining the network infrastructure, you’ll have different concerns than if you are examining another asset. The point here isn’t the specific questions you’re asking. Instead, the point is that you are asking questions to identify areas of concern.
National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 includes extensive documentation on controls. A good way of ensuring you ask yourself the right questions is by using SP 800-53. Go through the control families one by one. If the controls apply, ensure your plan considers them.
You then evaluate the controls to determine what controls to implement. A significant part of this step is the cost-benefit analysis (CBA). CBAs are covered later in this chapter.
What Is the Scope of Risk Management for Your Organization?
The scope of risk management indicates your area of concern. You can also think of it as your area of control. There are some things you can control and some things you can’t control.
For example, you can’t control hurricanes or earthquakes. You can reduce the impact of these events by planning how your organization will respond. However, you can’t stop them from occurring.
FYI
The scope identifies the boundaries of a project. The biggest problem you can face if you don’t identify the scope is scope creep. Scope creep happens when a project’s goals or deliverables grow without control. For example, personnel could spend time and resources on low-value assets at the expense of the high-value assets. If you don’t control project scope, the project can consume more resources, cost more, and take more time. In the case of risk management, the boundaries may grow beyond the resources or time available to manage the risk. The result can be an organization that cannot identify or evaluate new risks, while evaluated risks go without a response.
When considering risk management scope within your organization, consider the following items:
• Critical business operations
• Customer service delivery
• Mission-critical business systems, applications, and data access
• Seven domains of a typical IT infrastructure
• Information systems security gap
The following sections cover these topics.
It’s essential that risk management be driven by business needs. In other words, the risks you manage are those that have the potential to affect your business. Costs to manage risks outside this scope are not justified.
Critical Business Operations
An early step in risk management is identifying what business operations are critical. In other words, you want to identify what business operations must be functional to ensure the organization stays afloat.
A business impact analysis (BIA) is the key tool you’ll use for this step. It helps an organization identify the impact on the business if different risks occur.
One of the key elements of the BIA is the identification of costs. You identify both direct and indirect costs. The direct costs reflect the immediate cost of an outage. For example, if a Web server fails and cannot process sales, the sales lost during this period are direct costs. Indirect costs include the loss of customer goodwill and the cost to restore the goodwill.
These costs help identify the priority of the service or function. If the costs of an outage are high, you are justified to spend more money to prevent the outage.
BIAs identify the maximum acceptable outage (MAO). The MAO is the maximum amount of time a system or service can be down before affecting the mission. The MAO is sometimes referred to as maximum tolerable outage (MTO) or maximum tolerable period of disruption (MTPOD).
The MAO directly affects the required recovery time. As an example, imagine that the MAO is 30 minutes for a system. Recovery plans must be able to restore the failed system within 30 minutes.
A big part of the BIA is data collection. You can collect data by going through available reports. You can also collect data by interviewing personnel.
When completing a BIA of a specific service or function, you’ll try to answer different questions. Some of the key questions you’ll try to answer are:
• How does this service affect the organization’s profitability?
• How does this service affect the organization’s survivability?
• How does this service affect the organization’s image?
• How will an outage affect employees?
• How will an outage affect customers?
• When does this service need to be available?
• What is the MAO of the service?
Customer Service Delivery
Risk management includes an evaluation of services you provide to customers. In this context, a customer is any entity that receives a service.
Obvious customers are those that purchase your services. For example, if your organization provides e-mail services to small businesses, these small businesses are your customers. Instead of managing their own e-mail servers, they outsource the service to you.
These customers have an expectation related to this service. They could expect that e-mail is available 24 hours a day, seven days a week. Alternatively, they may expect access to the e-mail only during their business hours. Either way, it’s important to identify their expectations.
A service level agreement (SLA) is a document that identifies an expected level of performance. It identifies the minimum uptime or the maximum downtime. Organizations use SLAs as a contract between a service provider and a customer. An SLA can identify monetary penalties if the terms aren’t met.
If your organization has SLAs with other organizations, these should be included in the risk management review. You should pay special attention to monetary penalties.
For example, an SLA could specify a maximum downtime of four hours. After four hours, hourly penalties will start to accrue. You can relate this to the MAO.
Of course, SLAs that promise low levels of downtimes cost more. This extra cost is imposed to pay for the extra controls that are used. These extra controls provide a higher level of service.
Entities within the same organization often have agreements similar to an SLA. For example, a remote office may have an agreement with the main office that virtual private network (VPN) services will be provided during business hours. This isn’t as formal as an SLA. Additionally, it wouldn’t have monetary penalties. However, this agreement does specify expectations of service.
A less-obvious customer is the internal customer. Any employee or department that receives a service is a customer. Some common services provided to internal employees include:
• E-mail services
• Access to the Internet
• Network access
• Server applications, such as database servers
• Access to internal servers, such as file servers
• Desktop computer support
Employees won’t have SLAs with an IT department. However, they do have expectations related to the services. If any of these services fails for too long, it will begin to affect the employees’ ability to perform their jobs. This impacts the organization’s mission. By identifying the time frame when the outage affects the mission, you can identify the MAO.
Just because a service doesn’t have an external customer doesn’t mean it should be ignored. Many services are required for internal customers.
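The BIA cost breakdown and the SLA penalty rule described above, worked through as an added example (not material from the chapter). The two services, their hourly figures and SLA terms are constructed, and modelling indirect cost (lost goodwill) as a per-hour estimate is a simplifying assumption of mine.

```python
"""Outage-cost model for a business impact analysis (BIA).

Added example; the service profiles below are constructed, not taken from the chapter.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ServiceProfile:
    name: str
    mao_hours: float               # maximum acceptable outage (MAO) from the BIA
    direct_cost_per_hour: float    # immediate cost, e.g. sales lost while down
    indirect_cost_per_hour: float  # goodwill loss plus cost to restore it (estimate)
    sla_max_downtime_hours: float  # downtime the SLA allows before penalties accrue
    sla_penalty_per_hour: float    # hourly penalty once that allowance is exceeded


def sla_penalty(service: ServiceProfile, outage_hours: float) -> float:
    """Penalties accrue hourly only for downtime beyond the SLA's maximum."""
    billable = max(0.0, outage_hours - service.sla_max_downtime_hours)
    return billable * service.sla_penalty_per_hour


def outage_cost(service: ServiceProfile, outage_hours: float) -> dict:
    """Split an outage into the BIA's direct and indirect costs plus SLA penalties."""
    direct = service.direct_cost_per_hour * outage_hours
    indirect = service.indirect_cost_per_hour * outage_hours
    penalty = sla_penalty(service, outage_hours)
    return {
        "direct": direct,
        "indirect": indirect,
        "sla_penalty": penalty,
        "total": direct + indirect + penalty,
    }


def mao_shortfall(service: ServiceProfile, recovery_time_hours: float) -> float:
    """Hours by which a recovery plan misses the MAO; zero or negative means it is met."""
    return recovery_time_hours - service.mao_hours


def control_benefit(service: ServiceProfile, current_recovery_hours: float,
                    improved_recovery_hours: float) -> float:
    """Outage cost avoided if a control (e.g. a failover cluster) shortens recovery.

    This is the benefit side of the cost-benefit analysis the chapter refers to.
    """
    return (outage_cost(service, current_recovery_hours)["total"]
            - outage_cost(service, improved_recovery_hours)["total"])


def prioritize(services, outage_hours: float):
    """Order services by what an outage of the given length would cost, highest first."""
    ranked = sorted(services, key=lambda s: outage_cost(s, outage_hours)["total"],
                    reverse=True)
    return [s.name for s in ranked]


# Constructed profiles: a public Web sales service with a tight MAO and a four-hour
# SLA allowance, and an internal warehouse application with no external SLA.
WEB_SALES = ServiceProfile("Web sales", mao_hours=0.5, direct_cost_per_hour=5000.0,
                           indirect_cost_per_hour=1000.0, sla_max_downtime_hours=4.0,
                           sla_penalty_per_hour=2000.0)
WAREHOUSE_APP = ServiceProfile("Warehouse application", mao_hours=8.0,
                               direct_cost_per_hour=800.0, indirect_cost_per_hour=100.0,
                               sla_max_downtime_hours=24.0, sla_penalty_per_hour=0.0)

if __name__ == "__main__":
    for svc in (WEB_SALES, WAREHOUSE_APP):
        print(svc.name, outage_cost(svc, 6.0))
    print("priority after a 6h outage:", prioritize([WAREHOUSE_APP, WEB_SALES], 6.0))
    print("Web sales misses MAO by (h):", mao_shortfall(WEB_SALES, 0.75))
    print("benefit of cutting Web recovery 6h -> 0.5h:",
          control_benefit(WEB_SALES, 6.0, 0.5))
```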
Mission-Critical Business Systems, Applications, and Data Access
Many organizations have mission-critical systems, applications, and data. When these are not available, the mission is affected. It’s important to identify and review these when reviewing risk management and risk mitigation plans.
Mission-critical business systems are any systems or processes integral to the organization. You really need to understand the business to identify these. You can help identify these by first identifying critical business functions (CBFs) and critical success factors (CSFs).
A CBF is any function considered vital to an organization. If the CBF fails, the organization will lose the ability to perform essential operations, such as sales to customers. If the organization cannot perform the function, it will lose money. The loss could be due to lost revenue or indirect losses.
A CSF is any element necessary to perform the mission of an organization. An organization will have a few elements that must succeed in order for the organization to succeed. For example, a reliable network infrastructure may be considered a CSF for many companies today. If the network infrastructure fails, communication can stop.
Critical business functions are supported by multiple elements. For example, consider an organization that sells products on the Internet. Figures 10-1 through 10-3 show the different supporting elements in a complete transaction. By analyzing these elements, you can identify the critical business functions.
In Figure 10-1, the customer makes the purchase. In this example, the customer is purchasing the product from an Internet Web server. Additionally, a back-end database server records the transaction.
FIGURE 10-1 Critical business functions—making the purchase.
Critical business functions here are:
• Internet access—The Web server must have reliable Internet access. If Internet access fails, the customer can’t access the Web server.
• Web server availability—The Web server must be operational. This includes the Web server and the Web application. If the Web server fails, the customer can’t complete the purchase.
• Database server availability—A database server records the transaction. This includes details on the customer, the product purchased, and payment information. If the database server fails, the Web application cannot complete the transaction.
Figure 10-2 shows how a payment is received. Although payment processing will often occur as part of the transaction, it’s separated here for clarity. Credit card transactions are common on the Internet. The organization must comply with the Payment Card Industry Data Security Standard (PCI DSS) to process credit card payments. The Web application uses data in the database to identify details for the credit card payment. It then sends a request to the appropriate bank for payment.
This step requires the same critical business functions as the purchase step. However, one additional element is needed. PCI DSS compliance is required. This ensures the organization is meeting minimum security standards for credit card data. If the organization is not compliant with PCI DSS, it can lose the ability to process credit cards. Noncompliance can also result in fines.
PCI DSS is discussed later in this chapter in the “Legal Requirements, Compliance Laws, Regulations, and Mandates” section.
FIGURE 10-2 Critical business functions—receiving funds.
FIGURE 10-3 Critical business functions—shipping the product.
Figure 10-3 shows the last step in the process. In this step, workers use a warehouse application to identify products to ship. This application interacts with a database server. The database server has details on purchased products, customers, and product locations. The warehouse workers then ship the product to the customer.
This step has several additional critical functions:
• Warehouse application server—This application must be available to the workers. It must also be able to interact with the database server. If the application is not available, the workers won’t be able to identify products to ship. Shipping will stop.
• Database server—The database server is needed to identify what products to ship. It also identifies details on where to ship them. If the data from this server is not available, shipping will stop.
• Workers—The workers pack and ship the purchased products. They use the warehouse application to identify the materials. If the workers aren’t available, shipping stops. Even if an organization has been able to automate some of the functions, such as retrieving products, workers still finalize the process. Additionally, human interaction is valuable for quality control.
• Warehouse—The products are stored and shipped from the warehouse. If the warehouse is damaged, two things are affected. First, the inventory may be lost. For example, a fire could destroy some or all of the inventory in the warehouse. Second, shipping may stop or be slowed. If the shipping area is damaged, shipping may stop completely. If products are damaged, shipping will be delayed for these products.
The warehouse database server holds a lot of the same data as the Web database server. However, it will probably be a different server. The servers have different availability needs. The Web application needs to be operational all the time. The warehouse application needs to be available only when workers are shipping goods. Automation techniques would regularly move data from the Web database server to the Warehouse database server.
With the critical business functions identified, you can now focus on risk management. Each of these functions can be reviewed to ensure that adequate steps are taken to protect them.
Notice that some of the functions will require different levels of protection. For example, the Web server and the Web database server need to be operational all the time. The MAO is very short. The servers may require failover clusters to ensure the services continue to run even if a server fails.
However, shipping may only occur six days a week during the daytime. The warehouse servers won’t need the same level of protection. The MAO for these servers is significantly longer.
Seven Domains of a Typical IT Infrastructure
You can also review the seven domains of a typical IT infrastructure to identify risks. By looking at each of these domains, you can identify the scope of risk management needed for your organization. Figure 10-4 shows the seven domains of a typical IT infrastructure.
User Domain
Every organization has users. Computers by themselves do a lot, but they can’t yet do everything. Instead, the computers are here to support the users.
FIGURE 10-4 The seven domains of a typical IT infrastructure.
With this in mind, it’s important to look at risks associated with users. The primary risks associated with the User Domain are related to social engineering. Users can be conned and tricked. A social engineer tries to trick a user into giving up information or performing an unsafe action.
You combat these risks by raising user awareness. An acceptable use policy (AUP) helps ensure users know what they should and shouldn’t be doing. Logon banners remind users of the AUP. Many organizations send out occasional e-mails with security tidbits to keep security awareness on users’ minds. Posters in employee areas also help raise awareness.
Workstation Domain
The Workstation Domain is the computers that users will use. In some organizations, all employees have computers on their desks. In other organizations, desktop computers may be limited. For example, not every user in a warehouse needs a computer.
However, when users do have computers, they face risks. Some of the primary risks associated with workstations are related to malware. Users can bring malware from home on universal serial bus (USB) flash drives. They can accidentally download malware from Web sites. They can also install malware from malicious e-mails.
The primary protection is to ensure that you install antivirus (AV) software. Additionally, you need to update AV signatures regularly. You can’t depend on the users to keep their signatures up to date. Instead, you must take control of the process. Many AV vendors provide tools to automatically install and update AV software on workstations.
You must also be sure to keep operating systems up to date. When security patches become available, they should be evaluated and deployed when needed. Many of these security patches remove vulnerabilities. Without the patch, the systems remain vulnerable.
Just as you can use tools to ensure AV software remains updated, you can also use tools to keep systems patched. The same concepts apply. You can’t depend on users to keep their systems updated. Instead, you must take control of the process.
LAN Domain
The LAN Domain includes the networking components that connect systems on a local area network (LAN). This includes hardware components such as routers and switches. It also includes the wiring and wiring closets used to connect the users.
Computers typically access network resources via servers. For example, in a Microsoft environment, clients are connected in a Microsoft domain. This includes at least one server acting as a domain controller. In a Microsoft domain, every user must have an account to log on to the domain. Additionally, every computer must have an account on the domain.
There are significant risks to consider in the LAN Domain. Routers have access control lists (ACLs) used to control what traffic is allowed through them. Switches can also be programmed for specific functionality.
Routers and switches are commonly located in a wiring closet or server room. This ensures they are protected with physical security. If an attacker has unrestricted access to these devices, the ACLs could be modified. Additionally, an attacker could connect a wireless access point to capture and transmit all the traffic going through any of these devices.
Many organizations also practice port security as an added control. Port security ensures that only specific computers are able to attach to the network device. In other words, if an attacker brings in a computer, he will not be able to connect the computer to the network.
LAN-to-WAN Domain
The LAN-to-WAN Domain marks the boundary where the private network meets the public network. In this context, the public network is the Internet.
Many different types of attacks come from the Internet. The primary protection here is the use of one or more firewalls. Firewalls can examine traffic as it passes through and allow or block traffic based on rules.
Although most organizations have firewalls in place, the major concern here is the management of the firewalls. A common problem is too many firewall rules allowing too much traffic. The firewall should discriminate and allow only certain types of traffic.
Organizations commonly use hardware firewalls that can be very sophisticated. Administrators often need additional training to ensure they know how to manage and maintain them. Trained administrators understand the importance of limiting the number of firewall rules.
WAN Domain
The WAN Domain includes all systems that are accessible over a wide area network (WAN). This primarily refers to servers accessible over the Internet.
Servers available on the Internet have public IP addresses. They can be reached from any system on the Internet. This makes them easy targets.
A primary method of protection for systems in the WAN Domain is the use of a demilitarized zone (DMZ). A DMZ uses two firewalls. One firewall has direct access to the Internet. The other firewall has direct access to the internal network. The area between the two firewalls is the DMZ.
The WAN Domain can also include systems that are accessible over a WAN link that is semiprivate. For example, an organization can lease lines from a telecommunications company. Other customers share these lines. They aren’t as public as the Internet. However, your systems are still susceptible to attacks from other customers leasing the same lines.
Although the DMZ doesn’t stop an attacker from accessing a server, it can limit the attacker’s access. For example, a Web server can be placed in the DMZ to host a Web site. Web servers use the Hypertext Transfer Protocol (HTTP). Secure Web servers also use the Hypertext Transfer Protocol Secure (HTTPS). The well-known ports for HTTP and HTTPS are 80 and 443, respectively. You can configure the DMZ to allow traffic to the Web server using only ports 80 and 443. All other traffic directed at the Web server is blocked.
Additionally, these servers need to be kept up to date. When security patches are released, you should evaluate them as soon as possible. Test the patch to ensure it doesn’t have any negative impacts. You can then deploy it to the servers.
A DMZ typically uses two firewalls. Public-facing servers are configured in the DMZ between the two firewalls.
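The firewall-management concern raised in the LAN-to-WAN Domain (too many rules allowing too much traffic) and the DMZ rule above (only ports 80 and 443 to the Web server) are illustrated together in this added example, which is not code from the chapter. The rule format, the first-match-wins semantics and the addresses (the 192.0.2.0/24 documentation range, Web server at 192.0.2.10) are my own assumptions; real firewall syntax differs by product.

```python
"""Rule evaluation and rule hygiene for a DMZ firewall (added example).

Constructed: addresses, rule format and first-match semantics are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = None  # wildcard for protocol or port


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    proto: Optional[str]     # "tcp", "udp" or ANY
    dst_net: str             # destination host or network in CIDR notation
    dst_port: Optional[int]  # ANY matches every port

    def matches(self, proto: str, dst_ip: str, dst_port: int) -> bool:
        if self.proto is not ANY and self.proto != proto:
            return False
        if ip_address(dst_ip) not in ip_network(self.dst_net):
            return False
        return self.dst_port is ANY or self.dst_port == dst_port


def evaluate(rules, proto: str, dst_ip: str, dst_port: int) -> str:
    """First matching rule wins; traffic no rule mentions is denied (default deny)."""
    for rule in rules:
        if rule.matches(proto, dst_ip, dst_port):
            return rule.action
    return "deny"


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet 'inner' could match is already matched by 'outer'."""
    return ((outer.proto is ANY or outer.proto == inner.proto)
            and ip_network(inner.dst_net).subnet_of(ip_network(outer.dst_net))
            and (outer.dst_port is ANY or outer.dst_port == inner.dst_port))


def shadowed_rules(rules):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [i for i, r in enumerate(rules) if any(covers(e, r) for e in rules[:i])]


def overly_broad_rules(rules):
    """Indexes of allow rules with no port restriction: the 'too much traffic' rules."""
    return [i for i, r in enumerate(rules) if r.action == "allow" and r.dst_port is ANY]


DMZ = "192.0.2.0/24"          # constructed DMZ network
WEB_SERVER = "192.0.2.10/32"  # constructed Web server address

# Weak rule set: a blanket allow to the DMZ sits first, so the two specific rules
# below it never fire and every port on every DMZ host is reachable from the Internet.
PERMISSIVE = [
    Rule("allow", ANY, DMZ, ANY),
    Rule("allow", "tcp", WEB_SERVER, 80),
    Rule("allow", "tcp", WEB_SERVER, 443),
]

# Corrected rule set: only HTTP and HTTPS reach the Web server; everything else
# directed at the DMZ hits the explicit deny, and all other traffic falls through
# to the default deny.
RESTRICTED = [
    Rule("allow", "tcp", WEB_SERVER, 80),
    Rule("allow", "tcp", WEB_SERVER, 443),
    Rule("deny", ANY, DMZ, ANY),
]

if __name__ == "__main__":
    for name, rules in (("permissive", PERMISSIVE), ("restricted", RESTRICTED)):
        print(name, "ssh to web server:", evaluate(rules, "tcp", "192.0.2.10", 22))
        print(name, "shadowed:", shadowed_rules(rules),
              "overly broad:", overly_broad_rules(rules))
```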
Remote Access Domain
The Remote Access Domain allows remote users to access the private network. Users can dial in if the remote access server is a dial-in server. Although dial-in servers aren’t as common, they are still used. A more popular option is a virtual private network (VPN). A VPN allows a user to access the private network over a public network, such as the Internet.
If your organization utilizes remote access servers, you need to consider the risks. If you are using dial-in remote access servers, your systems are available from any phone. The attacker only needs to know the phone number.
If you are using VPN servers, the VPN server has an Internet Protocol (IP) address that is publicly available from anywhere on the Internet. It is susceptible to attacks from anywhere in the world.
You can use several different controls to protect servers in the Remote Access Domain.
An older technique of locating remote access servers is war dialing. The attacker dials numbers randomly until a modem answers. Once the modem answers, the attacker attempts to log on.
Automatic callback is one method used with dial-in remote access servers. Imagine that Sally can work from home. Her account information includes her phone number. When she dials in, she is prompted to log on. As soon as she logs on, the remote server hangs up and calls her home number.
This increases security because even if an attacker learns Sally’s credentials, the attacker can’t use them for remote access. If the attacker dials in and logs on with Sally’s credentials, the server hangs up and calls Sally’s home.
Remote access policies are another control used with remote access. Policies are used to specify several conditions to ensure the connection is secure. For example, a policy could specify that only Layer 2 Tunneling Protocol (L2TP) connections are allowed. Additionally, Internet Protocol Security (IPSec) could be required to encrypt the connection.
System/Application Domain
The System/Application Domain includes any server-based applications. This can include e-mail servers. It can include database servers. It can include any server or system that has a dedicated application.
For example, Oracle Database hosts databases on a server. Microsoft Exchange is a popular e-mail server. Apache hosts Web applications on Web servers. Each of these applications is specialized. They have unique risks. They often require specialized knowledge to manage and configure. What’s more, they require attention to detail to keep them secure.
A primary requirement to keep these systems secure is to ensure administrators have adequate training and knowledge. Additionally, configuration and change management practices are helpful. Configuration management ensures the systems are configured using sound security practices. Change management ensures that the configuration is not modified without adequate review.
System applications often have bugs. Vendors release security patches when they have identified the bugs. Administrators of these systems need to stay in tune with the vendor so that they’re aware when patches are released. Unfortunately, some patches cause other problems such as system crashes. Administrators typically test patches to ensure they do not have any negative effects. They apply the patches after testing. Additionally, they often use software to verify that systems have current patches. When systems are not up to date, the software sends alerts to administrators. In some organizations, network access control (NAC) software isolates unpatched systems. These systems have limited network access until they are up to date.
Information Systems Security Gap
The information systems security gap refers to the difference between the controls you have in place and what you need. In a perfect world, the in-place controls will address all threats and vulnerabilities. However, threats and vulnerabilities are constantly changing.
A risk assessment (RA) provides a point-in-time report. It can be used to compare the existing threats and vulnerabilities against the in-place controls. Even if the last RA was perfect, it wasn’t able to address the threats and vulnerabilities that emerged after the RA.
Gap analysis reports are often used when dealing with legal compliance. For example, you can use a gap analysis report when reviewing compliance with the Health Insurance Portability and Accountability Act (HIPAA) or the Sarbanes-Oxley Act (SOX). The gap analysis report documents the security gap.
You should combine the gap analysis report with a remediation plan. The remediation plan identifies how the security gap is closed. In other words, it provides recommendations on what controls to implement.
Defense in Depth
Even if you have aggressive risk management and risk mitigation plans, there will usually be security gaps. It’s impossible to have systems 100 percent secure 100 percent of the time.
However, defense in depth is a security practice that adds multiple layers of protection. These multiple layers overlap with one another. Even if a gap occurs in one layer, there is a greater chance that the system is still protected by another layer.
As an example, AV protection often uses a three-pronged approach. You install AV software at the firewall to scan incoming data. You also install AV software on the e-mail server to scan for malicious attachments or scripts. As a third measure, you install AV software on all workstations and servers.
You might wonder why you should install AV software on desktop systems if the firewall and e-mail server already scan for malware. The reason is that users could introduce a virus from a CD/DVD or USB flash drive.
In addition, although AV software protects desktop systems, you still need additional AV software to scan e-mail attachments. Malware is most commonly sent through e-mail. If you haven’t installed AV software on the e-mail server, it will forward malware to clients. If a single system isn’t up to date, or has a malfunction with the AV software, it will be infected. This infection could quickly spread.
Defense in depth is more expensive in the short run. However, defense in depth closes more security gaps and in the long run, it saves money.
Understanding and Assessing the Impact of Legal and Compliance Issues on Your Organization
It’s important that an organization knows what laws and regulations apply to it. Once these are identified, it’s important to ensure that the organization is in compliance.
Noncompliance can have serious consequences. Some laws assess hefty fines on an organization. Other laws can result in jail time. Some can negatively affect an organization’s ability to do business.
In this context, compliance is a mitigation control. You implement controls to mitigate risk. Controls reduce or neutralize threats or vulnerabilities to an acceptable level.
For example, HIPAA fines can be as high as $25,000 a year for mistakes. An internal compliance program can ensure these costly mistakes don’t happen.
When assessing the impact of compliance issues in your organization, you should take two distinct steps. First, identify what compliance issues apply to your organization. Second, assess the impact of these issues on your business operations. These two topics are presented in the following sections.
The Growth of Compliance Laws
Greed and corruption can seep in anywhere. This includes large organizations. When problems are discovered, people are outraged. They demand justice. In the United States, Congress enacts laws.
Compliance has become more prominent in the past few decades. In the 1960s, General Electric and Westinghouse were convicted of violating several antitrust regulations. They were part of a widespread bid rigging and price fixing conspiracy. Congress responded with the Foreign Corrupt Practices Act (FCPA) in 1977.
In 1991, the U.S. Federal Sentencing Guidelines for Organizational Ethics legislation was passed. It included provisions to punish organizations for criminal actions and deterrence incentives to detect and prevent crime.
The Enron scandal occurred in 2001. A group of executives used a variety of tactics over several years to hide billions of dollars in debt from failed deals and projects. When they were exposed, Enron’s stock price went from $90 per share to less than $1, resulting in about $11 billion in losses to investors. Several executives were indicted and sentenced to prison.
WorldCom executives also used a variety of tactics over several years to artificially inflate the company's value by around $11 billion. When the CEO was ousted in April 2002, things began to fall apart. The fraud was discovered in June 2002. WorldCom filed for bankruptcy in July 2002, and most of its creditors were never repaid. Several of WorldCom's executives were also indicted and sentenced to prison.
Congress responded to these scandals with laws to improve the reliability of financial reporting for public companies. The Sarbanes-Oxley Act was one such law. It increased penalties for defrauding shareholders. It also imposed more stringent requirements for internal controls.
The U.S. housing bubble burst in 2006, driving down home prices. Unfortunately, many homes were financed with poorly underwritten subprime mortgages, resulting in a high number of foreclosures in 2007. More than 25 subprime lenders went bankrupt in 2007. This reached a critical stage in 2008 when Lehman Brothers, a huge global investment bank, went bankrupt. These events helped trigger a worldwide recession, commonly called the Great Recession.
Many banks had bought credit default swaps, a form of insurance, from insurance giant AIG to cover losses on these mortgage-related investments. However, AIG could not cover the losses and was itself at risk of bankruptcy. The U.S. government rescued AIG with an $85 billion bailout in 2008. Later, the U.S. government gave AIG an additional $37.8 billion. Congress passed the Troubled Asset Relief Program (TARP) in late 2008. TARP rescued many other financial companies. Congress authorized $700 billion in expenditures through TARP, but the government only disbursed $431 billion. As of December 2012, the U.S. government had recouped more than $405 billion of this money.
Congress responded to the subprime mortgage debacle with the Dodd-Frank Wall Street Reform and Consumer Protection Act. Many experts believed that a lack of financial regulation allowed the Great Recession to occur. One of the goals of the Dodd-Frank law is to prevent similar financial crises. While Dodd-Frank doesn’t directly affect IT resources as much as Sarbanes-Oxley does, it does apply to IT resources in financial organizations.
This is certainly not a complete history. There was much more fraud. There were many more scandals. However, it does provide a partial view of how corruption can grow, and how Congress reacts.
Corporate compliance has become so important in some organizations that a new position has been created. Many companies have a chief compliance officer (CCO) to oversee compliance. Some companies use the title of chief ethics compliance officer (CECO) or ethics compliance officer (ECO).
Legal Requirements, Compliance Laws, Regulations, and Mandates
Although many laws and regulations touch on IT, not all of them apply to every organization. One of the important issues to understand first is which laws apply to your organization.
As a reminder, some of the key laws that apply to organizations are:
• Health Insurance Portability and Accountability Act (HIPAA)
• Sarbanes-Oxley Act (SOX)
• Federal Information Security Management Act (FISMA)
• Family Educational Rights and Privacy Act (FERPA)
• Children’s Internet Protection Act (CIPA)
• Payment Card Industry Data Security Standard (PCI DSS)
The following sections identify how you can determine if a law applies to your organization. Some laws are very specific and narrow in scope. However, others, such as HIPAA, apply to a wide range of organizations.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA applies to any organization that handles individually identifiable health information. The obvious examples are hospitals and doctor's offices. However, HIPAA reaches much farther than the medical industry.
Health information includes any data that relates to the health of an individual. This includes a person's past, present, and future health. It includes their condition, physical health, or mental health. It also includes any past, present, or future payments for health care. When this information identifies the individual, the rules call it protected health information (PHI).
HIPAA's Privacy and Security Rules apply directly to covered entities: health plans, health care clearinghouses, and health care providers that transmit health information electronically. Since the HITECH Act of 2009, they also apply to business associates, the vendors and contractors that create, receive, maintain, or transmit PHI on a covered entity's behalf. Public health authorities and health plan sponsors fall under the rules in specific circumstances as well.
If your organization isn't involved in health care but it sponsors a self-insured group health plan, the plan is a covered entity and the health information it handles falls under HIPAA.
Sarbanes-Oxley Act (SOX)
The SOX Act applies to any company that is required to register with, and file reports to, the Securities and Exchange Commission. This is every publicly traded company. In other words, if your company's shares trade on a public exchange, SOX applies.
SOX establishes a set of standards. Even if they don’t apply directly to private businesses, private businesses can use these same standards. If the organization faces legal issues later, they can point to their actions as good faith efforts to avoid the problems.
Federal Information Security Management Act (FISMA)
FISMA applies to all U.S. federal agencies, and to information systems that contractors operate on an agency's behalf. The goal is to ensure that federal agencies take steps to protect their data. If you work in a federal agency, or run systems for one, FISMA applies. The 2002 law was updated by the Federal Information Security Modernization Act of 2014, which kept the same core requirements.
The National Institute of Standards and Technology (NIST) is tasked by FISMA to develop standards, guidelines, and best practices to support FISMA. Special publications created by NIST for FISMA are available at http://csrc.nist.gov/publications/PubsSPs.html.
Family Educational Rights and Privacy Act (FERPA)
FERPA applies to all education institutions and agencies that receive funding under any program administered by the U.S. Department of Education (ED).
The obvious examples are any public schools from grades K through 12. However, many other entities can receive funding from ED. This includes any school or agency offering preschool programs. It includes any institution of higher education, such as colleges and universities.
Funding is often indirect. Although public grade schools receive their funding directly from ED, other institutions receive their funding indirectly. ED provides student aid and grants for college. If a student receives this funding and uses the money to pay for college, the college is receiving ED funding.
ED amended the FERPA regulations effective in 2012. The amendments permit broader disclosure of student information, for example to state and local education authorities for audits and evaluations of education programs. They also clarify when items such as student ID numbers and e-mail addresses may be treated as directory information.
Children’s Internet Protection Act (CIPA)
CIPA applies to any school or library that receives funding from the U.S. E-Rate program. The Federal Communications Commission (FCC) sponsors the E-Rate program. It provides discounts for Internet access.
Schools and libraries are not required to use the E-Rate program. However, if they choose to take advantage of the discounts, they are governed by CIPA. The annual E-Rate application requires schools and libraries to certify they are complying with CIPA.
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is not a law. Instead, it is a standard created jointly by several payment card companies. The Payment Card Industry (PCI) Security Standards Council oversees the standard. Any organization that stores, processes, or transmits cardholder data, which includes any merchant that accepts card payments, must comply. Compliance is enforced through contracts with the card brands and acquiring banks rather than by government.
Many credit card companies support PCI DSS. This includes Visa International, MasterCard Worldwide, American Express, Discover Financial Services, and JCB International. The PCI Security Standards Council includes employees of these companies.
PCI compliance and PCI DSS compliance mean the same thing.
Smaller companies can certify they are compliant by completing a self-assessment questionnaire. A qualified security assessor independently audits large organizations.
The PCI Security Standards Council released PCI DSS v3.0 in November 2013. Newer versions have replaced it since (v4.0 was released in March 2022), so always check the Council's Web site for the version currently in force.
Assessing the Impact of Legal and Compliance Issues on Your Business Operations
Once you’ve determined your organization has compliance requirements, the next step is to determine the impact of these requirements on your organization. The impact is significantly different depending on the law or standard.
The following sections present potential impacts for some of the common laws and standards.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA affects a wide spectrum of a business. The cost of noncompliance is high. Additionally, the steps required to comply can be complex depending on how much health-related information an organization handles.
First, the penalties are severe if the rules aren't being followed. Under HIPAA's original civil penalty structure, organizations could be fined $100 per violation and up to $25,000 per year for identical violations. The HITECH Act of 2009 replaced this with a tiered structure and a far higher annual cap. The criminal penalties are steeper still. If someone knowingly obtains or discloses data he or she shouldn't, the penalties can be as high as $50,000 and one year in prison. If data is obtained or disclosed under false pretenses, penalties can be as high as $100,000 and five years in prison. If data is obtained or disclosed with intent to sell it, or to use it for commercial advantage, personal gain, or malicious harm, penalties can be as high as $250,000 and 10 years in prison.
However, compliance can also be expensive. Organizations that handle health data must take specific steps to protect it. This includes protecting any data that it creates, receives, or sends. It also includes protecting any of the systems that handle health data.
The responsibility to keep the data secure rests with the organization. The data must be protected while at rest. In other words, if it is stored on a hard drive or in a filing cabinet, it must be protected. This can be done through access controls, or physical security depending on the type of data.
Use of health information is restricted. Employees who handle and review health information must be trained so they know the requirements. As an example, outside of treatment, payment, health care operations, and a few other permitted uses, data cannot be released to a third party without the written authorization of the patient.
Data must be protected when transmitted. The Security Rule requires transmission security for electronic PHI, which in practice means encrypting it in transit. Separately, HIPAA's transaction standards require that certain electronic transactions, such as claims and eligibility checks, use standard formats.
The good news is that health plan providers are well versed in HIPAA. A company that outsources a health plan can also outsource handling of the health data.
For example, a health plan provider can be contracted to provide insurance to employees. Employees can then be directed to the health plan provider’s Web site to enroll. When a health plan is managed in this manner, the provider hosts almost all the information. The company has very little data and its risks are limited.
Sarbanes-Oxley Act (SOX)
The business impact of SOX is a higher liability for the accuracy of data. High-level officers such as chief executive officers (CEOs) and chief financial officers (CFOs) must personally verify and attest to the accuracy of financial data. The goal is to avoid megascandals such as the loss of $11 billion by Enron’s investors.
Because of this, organizations are required to take extra steps to ensure the accuracy and integrity of the data. This includes implementing internal controls. It also requires both internal and external audits to verify compliance. A key benefit is that SOX increased executives’ accountability to act in their shareholders’ interest. Additionally, SOX-required monitoring helped provide better control of internal costs.
Some opponents of SOX have argued that the costs of compliance are excessive. However, the costs for most organizations are manageable according to a 2013 survey by Protiviti.
Federal Information Security Management Act (FISMA)
Because FISMA applies only to federal agencies, it does not affect the revenue of any organization. However, it can have a significant effect on operations.
A core requirement of FISMA is to inventory all IT systems in the organization, assess their security controls, and authorize each system to operate. NIST's Risk Management Framework (SP 800-37) calls this assessment and authorization; older documents call it certification and accreditation. This process can be lengthy. One of the primary problems is the slow implementation of new systems.
FISMA encourages the use of baselines. As long as a system follows the same baseline as an already authorized system, it can be assessed and authorized more quickly.
A baseline is any known starting point. For an IT system, a baseline represents the same hardware, software, and configuration as another system. NIST SP 800-53 also defines low, moderate, and high security control baselines that agencies tailor to each system. For example, if one server has been authorized using a baseline, another server can be authorized much more quickly by using the same baseline.
Family Educational Rights and Privacy Act (FERPA)
FERPA requires covered organizations to share student records with students or their parents. If the student or parent makes the request, the school must comply.
Students or parents can request the correction of errors in the student’s record. The school has an obligation to consider the request. However, the school isn’t required to make all the changes a student asks for. For example, if a student requests a poor grade to be removed from a record, but the grade is accurate, the school isn’t required to remove it.
FERPA grants specific rights to parents of students under 18. However, when the student turns 18, or enrolls in a postsecondary institution at any age, these rights transfer to the student, who is then called an eligible student. Apart from limited exceptions, such as disclosures to parents who claim the student as a dependent for tax purposes, the parents no longer have a right to the information without the student's written consent.
Students can grant access to their record to specific third parties. For example, a student may grant access when applying for admission to a college or university. Some specific third parties are automatically granted access to the records. Many school officials, for instance, do not need student permission to view the record.
The biggest impact this has on business operations is ensuring that employees know the rules. This can be done with training.
If a student under 18 who is not enrolled in a postsecondary institution requests access to the record, the employee should know the right belongs to the parent. If a parent of a 20-year-old requests access, the employee should know the right belongs to the student. Similarly, if a third party requests access, the employee should know whether access should be granted.
Children’s Internet Protection Act (CIPA)
CIPA imposes several technical requirements on schools and libraries. They must be able to filter offensive content to ensure that minors aren’t exposed to it. If the school or library cannot comply with CIPA, it risks losing all E-Rate discounts.
E-Rate funding provides discounts to schools and libraries for Internet access. Any school or library that requests discounts under the E-Rate program is required to certify that they comply with CIPA rules.
The first challenge is identifying offensive content. CIPA requires filtering of visual depictions that are obscene, child pornography, or harmful to minors, and it leaves the determination of what meets those standards to the local school or library. In other words, what is blocked in a library in one area of the country may be available in a library in another area of the country.
Schools and libraries filter the content with a technology protection measure (TPM). Figure 10-5 shows an example of a proxy server used as a TPM. A proxy server receives requests from clients for Web pages, retrieves the Web pages, and then serves the pages to the clients. It can also filter the requests to block content requests.
Users are able to access the Internet through the proxy server. All content requests are filtered using the content filter. If the content is acceptable, the page is retrieved and sent to the client. If the content is unacceptable, the content is blocked.
FIGURE 10-5
Proxy server used as a TPM.
A proxy server commonly works with data provided by a third-party service. This third-party service provides a list of content to filter. The list is often in the format of specific Web site URLs or domain names, grouped into categories. The proxy server uses this list to prevent the content from reaching the requesting computer.
CIPA defines a minor as anyone under the age of 17. A minor's access must be restricted by the TPM.
However, an adult (anyone 17 or over) may ask that the filter be disabled for bona fide research or other lawful purposes. An administrator or librarian should be able to disable it for that adult in a timely manner, while the TPM stays in place for minors.
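To make the TPM mechanism concrete, here is a small URL filter of the kind a proxy server applies before fetching a page. This is an added example written for this discussion, not code from the textbook or from any filtering product. It assumes a vendor feed that is simply a list of blocked hostnames (the feed entries below are constructed), that the proxy sees the full request URL, and that the adult override is a per-session flag that only staff can set. It also shows the checks a naive string match misses: mixed-case hosts, credentials before the `@`, explicit ports, trailing dots, and raw IP addresses that never appear in a name-based list.

```python
"""
Added example: a minimal URL filter for a proxy used as a CIPA technology
protection measure (TPM). Not the textbook's code; blocklist entries and
session handling are assumptions made for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlsplit, unquote

# Constructed sample feed: the kind of list a filtering vendor supplies.
# A listed name blocks that host and every host beneath it.
BLOCKED_DOMAINS = frozenset({
    "example-adult-site.test",
    "gambling.example",
})


@dataclass
class Session:
    """Who is behind the request and whether the TPM has been lifted."""
    user_id: str
    is_minor: bool
    filter_disabled: bool = False  # only ever True for an adult session


def normalize_host(url: str) -> str:
    """Return the canonical hostname a policy check should match on.

    Handles tricks that defeat naive string matching: mixed case, userinfo
    before '@', explicit ports, trailing dots, percent-encoding in the
    authority, and bracketed IPv6 literals.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    # .hostname already lowercases and strips userinfo, port and brackets
    host = unquote(parts.hostname or "").rstrip(".")
    if not host:
        raise ValueError("URL has no host")
    return host


def is_blocked_host(host: str, blocklist=BLOCKED_DOMAINS) -> bool:
    """True if host, or any parent domain of it, is on the blocklist."""
    try:
        ip_address(host)
        # A raw IP literal bypasses name-based lists, so it cannot be
        # classified; a fail-closed TPM blocks it for filtered sessions.
        return True
    except ValueError:
        pass
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def decide(url: str, session: Session, blocklist=BLOCKED_DOMAINS) -> str:
    """Return 'ALLOW', 'BLOCK' or 'BLOCK_INVALID' for one proxied request."""
    try:
        host = normalize_host(url)
    except ValueError:
        return "BLOCK_INVALID"  # fail closed on anything we cannot parse
    # Adults may have had the filter lifted; a minor's session never can.
    if not session.is_minor and session.filter_disabled:
        return "ALLOW"
    return "BLOCK" if is_blocked_host(host, blocklist) else "ALLOW"


def lift_filter(session: Session, approved_by_staff: bool) -> bool:
    """Disable the TPM for an adult session, as CIPA permits for adults.

    Returns True if the filter was lifted. Refuses for minors and for
    requests not approved by a librarian or administrator.
    """
    if session.is_minor or not approved_by_staff:
        return False
    session.filter_disabled = True
    return True


if __name__ == "__main__":
    minor = Session("patron-16", is_minor=True)
    for u in ("https://www.example.org/catalog",
              "http://user:pw@WWW.Gambling.example.:8080/",
              "http://203.0.113.7/",
              "ftp://files.example/"):
        print(f"{u:45} -> {decide(u, minor)}")
```

Two design points matter in practice. The filter fails closed: a URL it cannot parse, or a bare IP address it cannot classify, is blocked rather than allowed through. And the override lives in the session, not in the blocklist, so lifting the filter for one adult never changes what minors at the next terminal can reach. A real deployment has a further limit this toy ignores: for HTTPS the proxy normally sees only the hostname (from the CONNECT request or TLS SNI), so filtering is by host unless the library also intercepts TLS, which brings its own privacy and key-management obligations.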
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is built around the following 6 principles and 12 requirements (the wording reflects v3.0; later versions reworded some requirements without changing their intent):
• Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall.
Requirement 2: Do not use defaults, such as default passwords.
• Protect Cardholder Data
Requirement 3: Protect stored data.
Requirement 4: Encrypt transmissions.
• Maintain a Vulnerability Management Program
Requirement 5: Use and update antivirus software.
Requirement 6: Develop and maintain secure systems.
• Implement Strong Access Control Measures
Requirement 7: Restrict access to data.
Requirement 8: Use unique logons for each user. Don’t share usernames and passwords.
Requirement 9: Restrict physical access.
• Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to systems and data.
Requirement 11: Regularly test security.
• Maintain an Information Security Policy
Requirement 12: Maintain a security policy.
Notice that all of the principles and requirements are IT-related. However, they reflect many common best practices. If your organization is already using best practices, PCI DSS won’t have much effect on your business operations.
However, if your organization is not currently using common security practices, PCI DSS compliance may affect your budget and operations.
Translating Legal and Compliance Implications for Your Organization
Compliance implications can have far-reaching effects. Just as with other threats and vulnerabilities, you can have both direct and indirect losses.
For example, if your organization is fined $10,000 for mistakes related to HIPAA, the direct loss is $10,000. However, once this hits the news, your organization will have indirect losses.
The media may report that you mishandle health data. If your customers have health data stored with your organization, they may leave. Even if your customers don’t have health data stored with your organization, they may be suspicious of how you handle other data. Similarly, employees may realize their data is mishandled. Valuable employees may leave.
Public relations (PR) campaigns can sometimes restore your organization’s good name. However, PR isn’t cheap. It takes talent to create effective campaigns. It also takes money to implement the campaigns. However, proactively spending money in PR campaigns can reduce the effects of an incident. This ultimately saves money for the organization.
Assessing the Impact of Legal and Compliance Implications on the Seven Domains of a Typical IT Infrastructure
The seven domains of a typical IT infrastructure were presented earlier in this chapter. When evaluating legal and compliance implications, you can examine the impact of each of these domains:
• User Domain—Most compliance issues affect the User Domain in some way. You need to train users to ensure they comply with the procedures. For example, HIPAA requires users to understand what data they can give out. CIPA requires librarians to know how to turn off the TPM for an adult. PCI DSS requires users to have unique logons.
• Workstation Domain—If employees will access covered data with their workstations, you need to examine the workstations. If HIPAA or SOX data is stored on the systems, you need to protect that data with access controls. Many small companies use desktop PCs as point-of-sale (POS) systems. A POS system is an electronic cashier. These systems need to be compliant with PCI DSS guidelines. Any desktop system needs antivirus software installed.
• LAN Domain—The LAN needs to be secure to prevent attackers from capturing data. This includes HIPAA, SOX, and PCI DSS data. Encryption technologies may be required to ensure transmitted data is secure. This is especially true if your organization uses wireless networks. In the past, attackers captured details of wireless transactions while sitting in the parking lot of the business.
• LAN-to-WAN Domain—A firewall protects a LAN from potential WAN attacks. PCI DSS specifically requires a firewall. A library may use a proxy server as a TPM to comply with CIPA. A proxy server has access to the Internet and the intranet. It would need additional security to protect it from external attacks.
• WAN Domain—Some PCI DSS systems may have direct access to the Internet to transmit transaction data. These systems need additional protection. For example, transmissions need to be encrypted. Additionally, the systems need to be protected from attackers who may try to access stored data.
• Remote Access Domain—Many organizations use VPNs to connect a main office and a remote office. Many laws mandate protection of data transmissions. If users transmit sensitive data over the VPN, it’s important to ensure the VPN is secure. For example, if users transmit HIPAA data over the VPN, the data should be encrypted.
• System/Application Domain—Health and financial data governed by HIPAA and SOX are often hosted on database servers. These servers need to be examined to ensure they comply with these laws. Access controls should ensure that least privilege principles are implemented. Proxy servers used as TPMs to meet CIPA requirements must include a method to disable the TPM when adults use the service.
Assessing How Security Countermeasures and Safeguards Can Assist with Risk Mitigation
The primary purpose of countermeasures, safeguards, or controls is to mitigate risk. Controls are implemented at a point in time to reduce the risks at that time. However, things change. Threats change. Vulnerabilities change. Because of this, the effectiveness of controls can change. It’s important to regularly assess controls to ensure they are effective.
The terms countermeasure, safeguard, and control are used interchangeably. Each is used to mitigate risk.
You can measure the effectiveness of a control by determining how well it meets its goals. A control will attempt to mitigate risk by:
• Reducing the impact of threats to an acceptable level—For example, the threat of a hurricane can't be stopped. However, a business continuity plan that identifies an alternate location for the business can reduce the impact if the hurricane strikes.
• Reducing a vulnerability to an acceptable level—For example, some denial of service (DoS) attacks can take down unpatched servers. By keeping servers up to date with current patches, they are less vulnerable to known DoS attacks.
A risk assessment (RA) is a point-in-time assessment. It will evaluate the threats and vulnerabilities at a specific time. An RA recommends controls based on the known risks when the assessment is performed. RAs should be repeated periodically.
Additionally, an RA should be repeated if a control changes. For example, if you replace a hardware firewall with a different model, the original RA no longer reflects the environment it assessed. Redo the RA with the new firewall in place.
Understanding the Operational Implications of Legal and Compliance Requirements
Compliance requirements will often affect how systems operate. When considering the legal and compliance requirements, you’ll need to consider how compliance may affect operations.
Consider the following examples:
• HIPAA—HIPAA requires the protection of any health-related data. When this data is stored electronically, it becomes easier to control using standard access controls in a network. You may choose to switch from paper-based records to computer-based records. This will affect how employees access data and represents a change in operational procedures.
• SOX—SOX requires the protection of financial data. This data may be stored on a database server. If so, the database server is subject to additional controls that may not be required for other database servers. Administrators may need to take additional steps to protect the data. Users may need to take additional steps to access the data.
• FISMA—FISMA requires different procedures for government agencies to purchase and deploy systems. If you purchase different systems outside of the norm, the process to get them certified and authorized can be lengthy. This may affect the agency’s ability to field new systems in a timely manner.
• FERPA—FERPA mandates access to educational records by students or parents. If the school has a large volume of these requests, it could affect regular operations. The school can set reasonable procedures for when and how access is granted, but it must still provide access within 45 days of a request.
• CIPA—CIPA requires that minors be protected from offensive content, but adults should be able to have unrestricted access. Librarians may not have had to manage systems in the past. However, they may need to be trained on how to turn off the TPM for adult access.
• PCI DSS—If an organization is already conducting standard security practices, PCI DSS has little effect on normal operations. However, if the organization has weak security practices, PCI DSS standards could drastically change operations. Although this is good in the long run, it may be uncomfortable for users to get used to in the short term.
Identifying Risk Mitigation and Risk Reduction Elements for the Entire Organization
Although it’s important to look at individual systems and functions for possible risks, it’s also important to take a broader view. A macro view of the organization identifies how all the pieces fit together.
Most organizations have a security policy created by senior management. It lays out the philosophy of security in the organization and identifies big-picture security goals. You implement security controls based on direction