ITS THE LAW - PowerPoint PPT Presentation

Slides: 31
Provided by: itcVir
Transcript and Presenter's Notes

1
ITS THE LAW
  • Shirley Payne
  • Director for Security Coordination and Policy
  • Kevin Savoy
  • Assistant Director of Audits
  • University of Virginia

2
Agenda
  • Horror stories
  • Laws and regulations
  • Elements of strong IT security program
  • Organizational models for compliance
  • Trends and the future

3
University of California San Diego
  • May 7, 2004
  • The University reports that about 380,000
    students, faculty, alumni, applicants, and
    employees had information compromised after
    hackers broke into university servers.

4
West Chester University - Pennsylvania
  • Sensitive student information found in college
    trash in 2004
  • University confirmed that confidential documents
    such as students' Social Security numbers and
    other information were found by a dog walker
    looking in the trash bin by the school's football
    field.
  • The Associated Press

5
APA Audit Findings: 25 laptops/servers ready for
sale to the public
  • Information found on 22 laptops
  • Citizen vaccination records
  • Woman Infant and Children (WIC program) personal
    information
  • Credit card numbers
  • Personnel evaluations
  • Personnel grievances and actions
  • Scholastic evaluations of students

6
APA Audit Findings
  • At two Virginia institutions of higher ed we
    found:
  • Credit card number of a Dean
  • Information of the student counseling center
  • Departmental data
  • Scholastic evaluations of students

7
Katrina
  • The Tulane University data center is on the 14th
    floor.
  • When they went to evacuate backup tapes prior to
    Katrina's landfall, the building was locked!
  • They had to go back days later, in flooded
    conditions with no power and extreme heat.

8
Security Breaches
  • 1994
  • Russian hackers siphon off 10 million dollars
    from Citibank and disperse it to hidden bank
    accounts around the world.

9
Regulations are needed
  • HIPAA (Health Insurance Portability and
    Accountability Act)
  • GLBA (Gramm-Leach-Bliley Act)
  • FERPA (Family Educational Rights and Privacy
    Act)
  • PCI (Payment Card Industry Data Security
    Standard)
  • SOX (Sarbanes-Oxley Act)
  • State regulations (Virginia Information
    Technologies Agency)

10
HIPAA: Health Insurance Portability and
Accountability Act
  • The Privacy Regulation (effective April 2003)
  • A notice to all individuals from whom protected
    health information is collected must state for
    what purpose and to what extent the information
    will be used (i.e. treatment and billing purposes).
  • Any other dissemination must have the written
    consent of the patient.

11
HIPAA: Health Insurance Portability and
Accountability Act
  • Noncompliance with the HIPAA privacy regulations:
  • $100 per violation and up to $25,000 per
    person or entity for all identical violations in
    a calendar year if done unknowingly.
  • Fines of up to $250,000 if information is
    released knowingly for gain.
  • Note: the fines apply to both disclosing and
    receiving.

12
GLBA: Gramm-Leach-Bliley Act
  • The GLBA enacts privacy rules over the financial
    services industry, such as banks, insurance,
    stocks, investment houses, and financial planning.
  • Must provide security and confidentiality over
    customer records and information.
  • Notice to customers about information sharing
    policies.
  • Gives consumers the right to opt out of a limited
    amount of non-public information (NPI) sharing.

13
This means you too
  • The Act applies to the lending of funds to
    students and makes universities and colleges in
    most cases fall under GLBA.
  • Must develop, implement, maintain a written
    comprehensive security program.

14
FERPA: Family Educational Rights and Privacy Act
  • Applicable to any school that receives funds
    under any program of the US Department of Education.
  • Parent or student (if 18 or older) must give
    written permission to disclose ANY information
    from a student's educational records.

15
PCI: Payment Card Industry (VISA/MC)
  • Requires certain security measures based on
    volume of credit card transactions
  • Level 1 merchant: over 6 million transactions/year
  • Level 2 merchant: 150k to 6 million transactions/year
  • Level 3 merchant: 20k to 150k transactions/year
  • Level 4 merchant: up to 20k transactions/year

16
PCI requirements (by level of merchant)
  • Level 1: Annual on-site security evaluation by
    outside firm or internal audit, and quarterly
    network scans by independent firm.
  • Level 2: Annual self-assessment questionnaire and
    quarterly network scans by independent firm.
  • Level 3: Same as level 2.
  • Level 4: Recommended but not required annual
    self-assessment questionnaire and quarterly
    network scans by independent firm.

17
SOX: Sarbanes-Oxley Act
  • Section 404 of the Act requires each annual
    report of a public company to include a report by
    management on the company's internal control over
    financial reporting.
  • Thus companies are documenting and assessing
    these controls.

18
Government Data Collection and Dissemination
Act (for Virginia state government entities)
  • There shall be a clearly prescribed procedure to
    prevent personal information collected for one
    purpose from being used for another purpose.
  • Give notice to a data subject of the possible
    dissemination of part or all of this information
    to another agency, nongovernmental organization
    or system not having regular access authority,
    and indicate the use for which it is intended,
    and the specific consequences for the individual,
    which are known to the agency, of providing or
    not providing the information.
  • In other words, you can't give it out without the
    knowledge of the data subject.

19
What do the laws require?

            Privacy Rules   Security Plan   3rd Party Assessment
  HIPAA          X               X
  GLBA           X               X
  FERPA          X
  PCI            X               X                 X
  SOX                            X                 X

  • Note: FERPA trumps HIPAA for privacy for student
    clinics but not employees. GLBA defers to the
    FERPA privacy rule if compliant but still needs a
    written security plan.

20
Common Elements: A Strong Security Framework
  • Assigned Security Responsibility
  • Workforce Training
  • Risk Assessment Program
  • Access Management
  • Technical Safeguards for Network, Hardware,
    Software, and Data
  • Physical Security
  • Threat/Incident Detection and Response
  • Disaster Recovery and Continuity Planning
  • Business Associate Contracts
  • Policies and Documentation

21
Top of the pyramid.
  • Senior management must buy into the process of
    implementing a security program or it will be
    lost on the lower echelon.
  • Everyone has a role and must take it seriously.
  • A team effort works best.

22
These are the players needed to comply with and
enforce these laws and regulations
  • CEO, CFO, COO
  • Compliance Officers
  • Security Directors
  • IT CIO
  • IT Administrators
  • IT Auditors
  • Legal Counsel
  • Department Heads
  • Every Employee to some extent

23
Convergence of expertise and perspective is
essential

24
Current U.Va. model
  • Selected departments assume primary
    responsibility for regulation compliance, for
    example:
  • FERPA: Registrar
  • GLBA and PCI: Finance
  • HIPAA: Medical Center and certain academic-side
    departments
  • Security Director has coordination role for IT
    security aspects of key laws and regulations
  • Compliance requirements built into
    university-wide IT security risk management
    program
  • Compliance reporting to VP for Finance
  • Audit Department verifies compliance

25
How does your entity enforce compliance?
  • Who reports to whom?
  • What authority are the players given?
  • What do you see as strengths and weaknesses in
    any particular approach?

26
The future
  • Compliance in the IT arena is requiring much more
    effort than in the past and will likely continue
    to escalate.
  • Today, compliance mostly entails having
    documentation on file of compliance efforts, but
    we may see more periodic reviews by independent
    parties. (PCI requires remote network scanning
    for some larger credit card players)
  • The compliance officer role may evolve to an even
    more critical function in the future.

27
The future is now for some.
  • Many universities are beginning to warm up to
    voluntary compliance with sections 302 and 404 of
    Sarbanes-Oxley that require documenting and
    testing internal controls.
  • Some of it is fear driven, as many state
    legislators and federal legislators are
    attempting to write similar SOX laws for
    not-for-profit organizations.

28
One final thought
  • Many have said these new laws are costing money
    for no appreciable gain.
  • Others, though, believe it is just plain old
    common sense to know what you are doing and why.

29
References
  • EDUCAUSE GLBA Resources:
    http://www.educause.edu/Browse/645?PARENT_ID=673
  • EDUCAUSE FERPA Resources:
    http://www.educause.edu/Browse/645?PARENT_ID=250
  • EDUCAUSE HIPAA Resources:
    http://www.educause.edu/Browse/645?PARENT_ID=547
  • EDUCAUSE Sarbanes-Oxley Resources:
    http://www.educause.edu/LibraryDetailPage/666?ID=CSD3867
  • Cardholder Information Security Program:
    http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp_merchants.html
  • IT Security for Higher Education: A Legal
    Perspective:
    http://www.educause.edu/LibraryDetailPage/666?ID=CSD2746

30
Questions?
  • Shirley Payne: payne@virginia.edu
  • Kevin Savoy: savoy@virginia.edu