1 / 15

Compliance Concerns for Security Architectures

Compliance Concerns for Security Architectures. Ken Rowe ISSAP, CISSP, IAM. Industry Pressure on Compliance. Three major regulations: Sarbanes-Oxley Act (SOA or SOX) Gramm-Leach-Bliley Act (GLBA) Health Insurance Portability and Accountability Act (HIPAA)

tacita
Télécharger la présentation

Compliance Concerns for Security Architectures

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Compliance Concerns for Security Architectures Ken Rowe ISSAP, CISSP, IAM Rowe Systems Security

  2. Industry Pressure on Compliance • Three major regulations: • Sarbanes-Oxley Act (SOA or SOX) • Gramm-Leach-Bliley Act (GLBA) • Health Insurance Portability and Accountability Act (HIPAA) • Compliance – providing assurance that controls are in place and effective. • Not Sufficient to just implement security services – must demonstrate continual control and management involvement. Rowe Systems Security

  3. SOX Overview(Tracking Information Flows) What can happen to the data on the way to statements? Internal Corporate IT Systems External Systems End User Computing Business Event Financial Statement Data Applications Systems Networks Facilities Data Slide from Jan Hertzberg, Grant Thornton, Inc. Rowe Systems Security

  4. SOX Overview - 2 See itgi.org website Rowe Systems Security

  5. SOX Overview - 3 COBIT is a framework for managing risk and control of Information Technology COSO is a framework for an internal control environment See itgi.org website Rowe Systems Security

  6. SOX Overview – 4a • General IT Controls • Implementation Lifecycle • Acquire or Develop • Authorized Requirements • Include Security Considerations • Application Specific Controls • Operating Environment Controls • User Acceptance Testing Rowe Systems Security

  7. SOX Overview – 4b • General IT Controls (continued) • Formal Change Management Process for: • Application Programs • Operating Environment • Infrastructure Components • Regular and Emergency Changes • Incident Reporting • Monitoring, Logging, Tracking to Closure • Defined Process for Management Reporting Rowe Systems Security

  8. SOX Overview – 4c • General IT Controls (continued) • System Infrastructure Audit • Includes FW, Routers, Switches, etc. • Examine settings on devices • Perform periodic vulnerability testing • e.g., Nessus • Corporate Security Policy • High Level Policy Statement (example) • Non-Repudiation Services Rowe Systems Security

  9. SOX Overview - 5 • Outsourced Processing • SAS 70 Type II • Documented Controls relevant to outsourced processes. • Independent Audit • Review of flow to/from outsourced process. Rowe Systems Security

  10. GLBA Overview • Addresses: • Protection of Non-Public Information • Security and Confidentiality • Anticipate Threats • Unauthorized Use or Access Rowe Systems Security

  11. GLBA Overview - 2 • Examples of Non-Public Information: • “Customer Records” • Social Security, Drivers License, Birthdate • Credit Card Numbers • Loan and Account numbers Rowe Systems Security

  12. HIPAA Overview • Covered by HIPAA: • Claims or equivalent encounter information • Payment and Remittance Advice • Claim Status Inquiry/Response • Eligibility Inquiry/Response • Referral Authorization Inquiry/Response • Self-insured Health Care Programs and Health Savings Accounts Rowe Systems Security

  13. HIPAA Overview - 2 • The Administrative Simplification Requirements of HIPAA consist of four parts: • 1) Electronic transactions and code sets; • 2) Security; • 3) Unique identifiers; and • 4) Privacy. Rowe Systems Security

  14. Discussion – Outsourced Service • Payroll Processing is Outsourced to Acme Business Services (ABS) • What information is sent? • What controls would you expect ABS to have in place? • What controls would you expect Company A to have in place? Rowe Systems Security

  15. Discussion – Merchant / Check Scenario • Customer writes check at Merchant for over $250.00 • Merchant requires Thumbprint on Check. • Where does the check go? • Regular vs Electronic Clearing • Under GLBA, how do you safeguard the Thumbprint? • What if you are using a Thumbprint for Electronic User ID? Rowe Systems Security

More Related