Section 8.2 Compliance
Both industry and legal standards have been established to ensure that each part of the information security CIA triad (confidentiality, integrity, availability) is protected. Taking measures to meet these standards is known as compliance. This section outlines several of the most important standards and regulations that businesses comply with.
Subsection 8.2.1 Compliance Tools
In order to determine whether systems are in compliance, compliance audits are performed. These may be automated, and may be as simple as endpoint software that periodically scans machines. They may be as complex as having an outside team perform penetration testing against a particular site. In either case, a compliance audit is looking for situations that violate security policy.
Risk assessment is an important part of compliance: it determines just how damaging each violation discovered may be. Risk analysis reports are often generated as the second step of a compliance audit. These reports help the company make an informed decision about which actions should be taken, and in what order.
Lastly, change controls are used to ensure that required changes are actually put in place, and to trace which changes led to a violation of security policy. By tracking how and why a system changes, and requiring approval for each change, systems can move from an insecure state to a secure one and, ideally, stay there. Change control should be found in every facet of cybersecurity work.
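As an added example (not code from the textbook), the two audit steps described above in working form: an automated scan that checks host configuration snapshots against policy rules, followed by a risk report that ranks the violations. The rule identifiers, the severity scale, the exposure weighting and the host snapshots are all constructed for illustration and are not taken from any real standard.

```python
"""Added example: an automated compliance scan followed by a risk report.

Rules, hosts, severities and the risk formula are constructed for
illustration; none of them come from a real standard or product.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Rule:
    rule_id: str                        # hypothetical identifier
    description: str
    severity: int                       # assumed impact scale: 1 (low) .. 5 (critical)
    compliant: Callable[[dict], bool]   # True when the host satisfies the rule


# Hypothetical policy, modelled on the kinds of requirements the text lists
# (network security, vulnerability management, monitoring and logging).
RULES = [
    Rule("NET-01", "host firewall enabled", 4, lambda h: h["firewall_enabled"]),
    Rule("AUTH-01", "vendor default credentials changed", 5, lambda h: not h["default_credentials"]),
    Rule("CRYPTO-01", "TLS 1.2 or newer only", 4, lambda h: h["min_tls_version"] >= 1.2),
    Rule("LOG-01", "audit logs retained at least 90 days", 3, lambda h: h["log_retention_days"] >= 90),
    Rule("VULN-01", "no unpatched critical vulnerabilities", 5, lambda h: h["unpatched_critical"] == 0),
]

# Constructed host snapshots, as an endpoint agent might report them.
HOSTS = {
    "web-01": dict(firewall_enabled=True, default_credentials=False, min_tls_version=1.2,
                   log_retention_days=365, unpatched_critical=0, exposure="internet"),
    "api-02": dict(firewall_enabled=True, default_credentials=False, min_tls_version=1.1,
                   log_retention_days=90, unpatched_critical=0, exposure="internet"),
    "pos-07": dict(firewall_enabled=False, default_credentials=True, min_tls_version=1.0,
                   log_retention_days=30, unpatched_critical=2, exposure="internal"),
}

# Assumed likelihood multiplier: an internet-facing host is easier to reach.
EXPOSURE_WEIGHT = {"internet": 2.0, "internal": 1.0}


def audit(hosts, rules):
    """Step one: list every (host, rule_id) pair that violates policy."""
    findings = []
    for name, snapshot in hosts.items():
        for rule in rules:
            if not rule.compliant(snapshot):
                findings.append((name, rule.rule_id))
    return findings


def risk_report(hosts, rules, findings):
    """Step two: score each host so remediation can be prioritised.

    Risk is taken as impact (rule severity) times likelihood (exposure
    weight), summed over a host's violations. The formula is an assumption
    for this example, not one prescribed by any standard.
    """
    by_id = {r.rule_id: r for r in rules}
    scores = {}
    for host, rule_id in findings:
        weight = EXPOSURE_WEIGHT[hosts[host]["exposure"]]
        scores[host] = scores.get(host, 0.0) + by_id[rule_id].severity * weight
    # Highest risk first, so the report reads as a remediation queue.
    return dict(sorted(scores.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    found = audit(HOSTS, RULES)
    for host, rule_id in found:
        print(f"VIOLATION {host}: {rule_id}")
    for host, score in risk_report(HOSTS, RULES, found).items():
        print(f"RISK {host}: {score}")
```

In a real deployment the snapshots would come from an endpoint agent or a configuration management database and the rule set would be derived from the standard being audited against; the point here is the separation of the scan (which only reports violations) from the risk assessment (which decides what matters most).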
Subsection 8.2.2 PII/PCI
Personally Identifiable Information (PII) and Payment Card Industry (PCI) data are probably the largest sector of compliance. PII includes Social Security numbers (SSNs), first and last names, dates of birth, addresses, mother's maiden names, and so on. PCI data includes the cardholder's name, the account number (the card number itself), the card's expiration date, security codes, magnetic stripe or chip data, and PINs.
Most of the regulations and standards detailed here are designed to protect this data.
Subsection 8.2.3 PCI DSS
PCI DSS stands for Payment Card Industry Data Security Standard. It is mandated by the major card brands and maintained by the Payment Card Industry Security Standards Council (PCI SSC).
Running to over 100 pages, the DSS is a set of baseline rules for protecting cardholder data. It covers network security, vulnerability management, monitoring and testing requirements, and broader information security policy.
Merchants are assigned a level based on how many card transactions they process each year. Stricter validation requirements apply to merchants that process more transactions (the lower-numbered levels). The levels are:
- Level 1 - Over six million transactions annually
- Level 2 - Between one and six million transactions annually
- Level 3 - Between 20,000 and one million transactions annually
- Level 4 - Fewer than 20,000 transactions annually
Subsection 8.2.4 PHI/HIPAA
Protected Health Information (PHI) is another type of protected data covered by various legal and industry standards. PHI may be a medical history, admissions information for medical facilities, prescription information, or health insurance data.
The Health Insurance Portability and Accountability Act (HIPAA) sets standards for how PHI must be handled. Under HIPAA, PHI may only be disclosed to certain parties, patients have the right to see and correct their PHI, and PHI must be securely stored and transmitted.
If you’ve ever wondered why your health care provider always sends you to a secure portal instead of emailing you the details of your visit, it is because they are dealing with PHI and email is not considered secure.
Subsection 8.2.5 SOX/GLBA
The Sarbanes-Oxley Act (SOX) was passed in 2002, in the wake of the Enron and WorldCom accounting scandals, to help combat financial fraud. SOX details some basic CIA measures (as do most regulations):
Confidentiality: encryption, data loss prevention.
Integrity: access control, logging.
Availability: data retention, audits, public disclosure of breaches.
The interesting thing is that these controls also make it harder for a company to lie about its dealings. By requiring that records be retained for years, that changes be tracked, and that problems be publicly disclosed, SOX makes it harder for corporations to commit fraud.
The Gramm-Leach-Bliley Act (GLBA) is another act designed to protect CIA and to give customers more information. GLBA mandates that a financial institution explain what it does with customer information, give customers the right to opt out of having that information shared, and ensure that the vendors it works with are also in compliance.
Subsection 8.2.6 GDPR

(Image credit: www.Convert.com/GDPR, licensed under creativecommons.org/licenses/by/2.0/)
The General Data Protection Regulation (GDPR) is a less targeted but more far-reaching European Union law governing how the personal data of people in the EU may be collected and processed, including a requirement that visitors be told, and in most cases consent, when they are being tracked. For most people, the most visible effect of the GDPR is the consent banner that web sites show before setting cookies. Recall that cookies are used for session management, and the same mechanism that keeps a visitor logged in also lets a site (or a third party embedded in it) track that visitor across pages and visits.
The GDPR lays out rules for risk assessment, encryption, pseudonymisation, documentation, and audits. It also gives individuals the right to see the data a website holds about them and the right to have that data erased (the "right to be forgotten"). Businesses wishing to operate in the European market, which includes most businesses that operate worldwide, must make themselves GDPR compliant.
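As an added example (not code from the textbook), one of the techniques the regulation names, pseudonymisation, alongside the access and erasure rights described above. The code contrasts an unkeyed hash of an email address, which looks opaque but can be reversed by guessing, with a keyed hash (HMAC), and keeps identifying records and pseudonymous event rows in separate stores so that erasing a person removes both. The sample customers, field names, class and the in-memory stores are constructed for illustration; the key would be held in a secrets manager, not in the code.

```python
"""Added example: pseudonymising identifiers and serving access and
erasure requests. Customers, layout and key handling are constructed for
illustration and are not part of any real system.
"""
import hashlib
import hmac
import secrets

# Constructed sample: identifiers an attacker could plausibly guess or buy.
CUSTOMERS = ["alice@example.com", "bob@example.com", "carol@example.com"]


def weak_pseudonym(email):
    """Unkeyed hash. Anyone can rebuild it from a guessed email, so it is
    not an effective pseudonym for low-entropy identifiers like emails."""
    return hashlib.sha256(email.encode()).hexdigest()


def keyed_pseudonym(email, key):
    """Keyed hash (HMAC-SHA256). Without the key, guessing the email does
    not let an attacker reproduce the pseudonym."""
    return hmac.new(key, email.encode(), hashlib.sha256).hexdigest()


def reidentify(pseudonym, candidates, func):
    """Dictionary attack: run each candidate through the same function the
    attacker believes was used, and see whether one matches."""
    for email in candidates:
        if hmac.compare_digest(func(email), pseudonym):
            return email
    return None


class CustomerData:
    """Two stores: identities (names and emails) and events that carry only
    a pseudonym. A leak of the events store alone names nobody as long as the
    key and the identities store stay separate. The key is stored on the
    object here only to keep the example self-contained."""

    def __init__(self, key):
        self._key = key
        self.identities = {}   # pseudonym -> identifying record
        self.events = []       # (pseudonym, event) rows for analytics

    def _p(self, email):
        return keyed_pseudonym(email, self._key)

    def register(self, email, name):
        self.identities[self._p(email)] = {"email": email, "name": name}

    def log_event(self, email, event):
        self.events.append((self._p(email), event))

    def export(self, email):
        """Right of access: everything held about one person."""
        p = self._p(email)
        return self.identities.get(p), [e for q, e in self.events if q == p]

    def forget(self, email):
        """Right to erasure. Pseudonymised rows still count as personal data
        while the controller holds the key, so the event rows go too, not
        just the identifying record."""
        p = self._p(email)
        self.identities.pop(p, None)
        self.events = [(q, e) for q, e in self.events if q != p]


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    print("unkeyed reversed to:", reidentify(weak_pseudonym("bob@example.com"), CUSTOMERS, weak_pseudonym))
    print("keyed reversed to:", reidentify(keyed_pseudonym("bob@example.com", key), CUSTOMERS, weak_pseudonym))
    store = CustomerData(key)
    store.register("bob@example.com", "Bob")
    store.log_event("bob@example.com", "login")
    print("export:", store.export("bob@example.com"))
    store.forget("bob@example.com")
    print("after erasure:", store.export("bob@example.com"))
```

The dictionary attack succeeds against the unkeyed hash with three guesses; against the keyed hash it fails even though the attacker knows the exact algorithm and candidate list, which is the property that makes the keyed form a usable pseudonym. Note that pseudonymisation reduces the impact of a leak of the analytics store; it does not remove the obligation to delete the rows when someone asks to be forgotten.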
Subsection 8.2.7 US Patriot Act/PRISM
Not all regulations that require compliance are concerned with protecting information. Some regulations are designed to specifically weaken confidentiality for spying by government entities.
The USA PATRIOT Act was passed following the 9/11 attacks and, among many other things, required telecom providers to comply with government requests for customer information. These could be logs of phone calls, samples of network traffic, or location information.
Later, in 2007, the Protect America Act (PAA) expanded this surveillance, requiring more companies to comply with requests for information. This act ushered in the PRISM program, uncovered by the Edward Snowden leaks, under which companies were compelled to take part in a worldwide internet surveillance program.