INFORMATION SECURITY ESSENTIAL GUIDE TO COMPLIANCE

You need to be nimble and proactive about compliance efforts in order to build a comprehensive program. That means learning more about risk assessment frameworks and global regulations while maintaining your established privacy and PCI programs.

INSIDE
DATA and You
Navigating Data Privacy, Security and Management Across Borders
Sizing Up Risk
Culturally Boost Infosec Compliance and Risk Management
PCI DSS 2.0: PCI Assessment Changes Explained
Enterprise Protection for Web Add-Ons

INFOSECURITYMAG.COM

CONTENTS

FEATURES

DATA PROTECTION
DATA and You
The Data Accountability and Trust Act, if passed into law, would create a national standard for privacy and data protection.
BY RICHARD E. MACKEY JR.

INTERNATIONAL REGULATIONS
Navigating Data Privacy, Security and Management Across Borders
Companies should revisit streamlined global data operations with an eye toward revamping compliance.
BY CYNTHIA O’DONOGHUE, KATHARINA A. WEIMER AND AMY MUSHAHWAR

RISK METHODOLOGIES
Sizing Up Risk
There are a lot of risk assessment frameworks out there. Here’s what you need to know in order to pick the right one.
BY RICHARD E. MACKEY JR.

BUSINESS INTEGRATION
Hurdle Cultural Barriers to Compliance
Engage stakeholders frequently about their role in compliance and reducing risk inside your organization.
BY ERIC HOLMQUIST

PCI DSS 2.0
PCI Assessment Changes Explained
The latest update to PCI is relatively minor, but that doesn’t mean security and compliance managers can afford to slack.
BY ED MOYLE

ALSO

EDITOR’S DESK
Has Compliance Stifled Security Innovation?
Enterprises, driven by regulations, continue to shoot for a bare minimum set of security controls. That approach is impacting innovation.
BY MICHAEL S. MIMOSO

SPONSOR RESOURCES

EDITOR’S DESK

Has Compliance Stifled Security Innovation?
Enterprises, driven by regulations, continue to shoot for a bare minimum set of security controls. That approach is impacting innovation.
BY MICHAEL S. MIMOSO

IF YOU PITCH your boss for the latest and greatest security technology, is your boss’ first question whether you’ll incur a fine if you don’t? Does your IT decision maker fear an auditor more than an attacker?
This is the influence compliance, PCI DSS compliance in particular, has inside enterprises and, bigger picture, on innovation. Companies invest more in protecting custodial data than corporate secrets, despite the balance of value between the two leaning toward corporate secrets. Sure it’s costly if you lose PCI data in a breach, but if your trade secrets are in the clear, does your business have long to live? Yet it’s the checkmark that gets the pretty girl at the dance. And some think concurrently that PCI is turning innovation into a wallflower.

Security observers and experts don’t put all the blame on PCI; security is a bloated market with dozens of products addressing dozens of threats in dozens of ways. Complexity and a still unsteady economy force people to look for a crutch to lean on. PCI is a convenient one because it mandates controls more than most other industry and federal regulations.

“It’s tough to spend on innovative solutions that aren’t required,” says 451 Group analyst Joshua Corman.

Blame the vendors too. Blame them for still selling based on fear, uncertainty and doubt—FUD doesn’t hold up when there’s no money to spend on something that might happen. Sure you might get attacked, but you will get fined. So whatever satisfies the auditor gets the resources.

“What we’re left with is instead of doing the best we could, now we’re doing what’s mandatory,” Corman says. “We do that and not a whole lot more.”

Regulations, in theory, are supposed to be the bare minimum set of controls you have to manage. They’re not the end game, yet most companies shoot for just the bare minimum, which isn’t good enough. That’s why firewalls, antivirus, encryption, vulnerability management, log management and IDS remain top-of-mind security technologies. Nothing wrong with that list, but most organizations’ arsenals don’t go much deeper. And if they do, as in the case of Web application firewalls, it’s only because they’re specifically called out by PCI 6.6, for example.

If you look at this issue of innovation vs. compliance from a business point of view, vendors will tell you that compliance, by setting that minimum standard, influences spending and stimulates certain markets. Vendors actually are competitive in those markets, products improve in a relatively short period of time and prices go down.

Paul Judge, chief research officer and VP at Barracuda Networks, founded Purewire and was in on the ground floor at SecureComputing and CipherTrust. He’s a VC too. He says compliance is about enforcing best practices for a class of constituents, be they consumers or health care patients, for example.

“When you enforce best practices, you do influence spending,” Judge says. “When you compete on those fronts, it creates better products for the market and you’re creating innovation on one of those fronts. If a problem is real and [a control is] mandated by legislation, you have a beautiful thing where everyone benefits from the vast improvements in short amount of time versus a market that is stagnant without motivation.”

Judge’s best example is that of the Web application firewalls. WAF appliances can be had for relatively cheap today, compared to five years ago when he says the price was as much as 10 times more. WAFs are built into proxy appliances today, or can even be integrated into a load balancer. Because of the mandates in PCI 6.6, WAF has evolved into a technology that’s within reach of most of the market—more of a commodity.

“This frees budget for more,” Judge says. “You can stop hitting your head against the wall for some problems.”

Compliance is a complex monster that governs the direction of most IT security organizations. You’re still a cost center, yet you understand threats and risks better than anyone else. And you understand the shortcomings of shooting for a bare minimum standard. Keep making your case to management that innovative solutions have merit beyond a checkbox. Prove your business case for these defensive technologies, because if you don’t influence spending, the market won’t innovate and when new threats arrive, your holster is going to be empty.

Michael S. Mimoso is Editorial Director of the Security Media Group at TechTarget. Send comments on this column to [email protected].

DATA PROTECTION

DATA and You
The Data Accountability and Trust Act, if passed into law, would create a national standard for privacy and data protection.
BY RICHARD E. MACKEY, JR.

THERE ARE CURRENTLY more than 40 different state and territorial laws that require organizations entrusted with personally identifiable information to notify individuals when their information has been exposed to unauthorized parties. These laws range from those only requiring notification to those that mandate full security programs designed to prevent breaches in the first place. They define personally identifiable information differently, require different notification processes and force organizations to deal not only with the victims of the breach, but also the attorneys general of all the states where victims reside.
The complexity and cost of notification, let alone the difficulty of ensuring compliance with security program requirements, is daunting. Still, breaches that lead to identity theft happen regularly and people expect organizations to be held accountable for the security of their personal information. Politicians have heard the public outcry and have recognized that there is a need for more uniform protection of personal data and more manageable and predictable notification processes. Consequently, every year there seem to be a handful of new proposed federal laws to address the growing problem of sloppy handling of personal information and breaches.

At the end of 2009, the U.S. House of Representatives passed the Data Accountability and Trust Act of 2009 (DATA). If passed by the Senate and signed into law, DATA would supersede existing state laws and thereby eliminate the complex array of notification procedures and the myriad protection mechanisms required by the states. The proposed law would also provide a universal definition of personally identifiable information, appoint the Federal Trade Commission to specify regulations and enforce compliance, and require organizations to implement formal security programs to prevent unauthorized access to personally identifiable information.

Compared to other data protection legislative efforts, DATA’s passage in the House makes it the only bill to gather the necessary support in either chamber. Its impact is potentially far reaching, and organizations should understand how it might affect them.

PERSONAL INFORMATION DEFINED

At the heart of DATA, or any data protection law, is the definition of personally identifiable information. The definition is critical because it not only spells out what types of information need to be protected, but also helps organizations strip out elements of data sets to avoid having to protect them. This practice, known as scrubbing, is commonly used to protect credit card numbers and Social Security numbers by masking all but the last four digits.

DATA defines personal information as an individual’s first name or initial and last name, or address, or phone number, in combination with any one or more of the following data elements for that person:

• Social Security number;
• Driver’s license number, passport number, military identification number, or other similar number issued on a government document used to verify identity;
• Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.

This definition is similar to most state breach laws with some notable differences: It does not consider a financial account number alone (without a PIN or password) sensitive. In addition, unlike another proposed federal law—S. 1490, the Personal Data Privacy and Security Act—DATA makes no mention of mother’s maiden name as sensitive (even though it is often used to authenticate an individual’s identity).

The law would provide room for the FTC to modify the definition of personal information as necessary to accomplish the goals of the act as long as these changes do not unreasonably impede interstate commerce.
APPLICATION AND ENFORCEMENT

As proposed, DATA will be regulated and enforced by the FTC. Consequently, the legislation applies only to those entities over which the FTC has jurisdiction. Even though DATA states that it applies to persons, partnerships, or corporations engaged in interstate commerce, it does not apply to all organizations. One of the most significant repercussions of the appointment of the FTC is the limit of the legislation’s jurisdiction; the FTC does not regulate banks, savings and loans, or common carriers such as airlines and railroads.

However, the FTC is not the only enforcer of the law. DATA also carves out room for state attorneys general to take action against violators. They are empowered to enjoin further violation, compel compliance, or obtain civil penalties. In other words, state attorneys general have about the same power they have under the current state laws. The FTC or U.S. Attorney General, though, could intervene and limit state prosecution while federal actions are pending.

PREVENTATIVE CONTROLS

One of the ways DATA distinguishes itself from state laws that simply deal with breach notification is that it requires organizations to implement a security program designed to prevent compromise of the information.
Organizations need to:

• Appoint a person as a point of contact who is responsible for overseeing the program;
• Document a security policy for the collection, use, sale, dissemination, and maintenance of personal information;
• Establish contracts with third parties with access to the information to establish controls meeting the requirements of the act;
• Establish a process to identify risks and vulnerabilities and implement administrative and technical controls to mitigate the risk of compromise of the information;
• Define and implement a process for securely disposing of both digital and paper records including personal information.

The security controls required by DATA are similar to those required by state regulations such as Massachusetts 201 CMR 17; they include a risk assessment, a vulnerability assessment, testing, remediation, and secure destruction and disposal of personal information. One notable exception is that DATA only requires organizations to establish contracts with third parties to protect personal information; it does not require definition of the policy and procedure for vetting the security practices of these organizations. Some state and federal regulations, most notably 201 CMR 17 and HIPAA, provide more in-depth requirements for dealing with business associates and service providers. This may be an area that the FTC will spell out more clearly if DATA becomes law.

The legislation also does not provide requirements for where encryption is required. State laws and regulations from Massachusetts and Nevada require encryption of personal information when it is transmitted over public networks or stored on removable devices. This may also be an area eventually addressed by FTC regulations or guidance.

SIDEBAR: Information Brokers in the Crosshairs
Companies that collect personal data face extra requirements under DATA.

A MAJOR DIFFERENCE between state laws and DATA is the set of special requirements for information brokers. DATA requires information brokers to implement additional controls and program elements to those required by data owners. This provision is likely an attempt to avoid another breach like the one involving Choice Point in 2005 by making data brokers accountable to the information they collect and sell.

The legislation defines information brokers as a commercial entity whose business is to collect, assemble, or maintain personal information concerning individuals who are not current or former customers. Information brokers collect such data in order to sell it or provide third party access to it for a fee; they may either collect information themselves or contract others to collect and maintain the information. The definition specifically excludes entities that maintain information about employees, customers, or former customers.

Under DATA, information brokers must establish “reasonable procedures” to assure the accuracy of personal information they collect, assemble, or maintain. In addition to striving to maintain accuracy, they must support a program to respond to individuals’ written requests to provide information assembled about them once per year. These responses must be provided at no cost to the individual and the method for submitting requests must be conspicuously advertised on the organization’s website. Individuals must also be able to use this method for expressing a preference as to how their information might be used for marketing purposes.

If someone finds inaccuracies, the information broker must provide a mechanism for the individual to request changes to correct the inaccuracies. If the broker is not the source of the information (e.g., the data was harvested from public records), the brokers must provide the person the source of the information and a method for correcting the inaccuracy at the source organization. The individual may provide proof that the public record has been corrected and require the information broker to correct its version of the information. Someone may also require a broker to mark the information as disputed if it hasn’t been corrected.

As proposed by DATA, when an information broker has a breach, it must follow the same reporting procedures as other businesses. However, these organizations must also submit the policies governing their personal data protection program to the FTC as part of the notification and may be required to undergo an FTC security audit. The FTC has the right to request an information broker’s policy at any time.
—RICHARD E. MACKEY, JR.

BREACH NOTIFICATION RULES

Any organization that has gone through the process of breach notification according to multiple state laws would likely welcome the single set of rules that would come from a federal law. DATA defines “breach of security” as the unauthorized access to or acquisition of data in electronic form containing personal information. However, the legislation allows the data owner to avoid the process of notification if the data owner determines that there is no reasonable risk of identity theft, fraud, or unlawful activity. While this is a rather broad statement, it means, at a minimum, that information that was encrypted and exposed to unauthorized parties would not be considered breached.
In the event of a breach, DATA requires data owners to notify the FTC and directly notify each individual throughout the U.S. whose data has been exposed. This notification must take place within 60 days of discovery of the breach. The data owner may send notice in writing or electronically. However, electronic notification is only acceptable if the individual has consented to receiving official communications in that manner. In cases where the data owner does not have complete contact information for all individuals, the data owner may use email to the full extent possible, publish a notice on its website, and issue notification in print and broadcast media for areas where the victims reside.

The notification must include a description of the information breached and a toll-free number to inquire about the breach. The letter must also include an offer to receive free quarterly credit reports for two years or a credit monitoring service. The individual must also be given toll-free numbers for credit reporting agencies and contact information for the FTC to learn about identity theft.

PENALTIES

DATA sets out steep penalties for violations, which come in two types: failure to comply with security program requirements, and failure to follow the breach notification rules. The two types of penalties are calculated differently. The amount for security program penalties is based on the number of days the organization is found to be non-compliant multiplied by a maximum of $11,000 per day. Notification penalties are calculated by multiplying the number of violations—individuals they failed to notify—by an $11,000 maximum. Each failure to send notification is considered a separate violation.

The Act sets the maximum civil penalty for violations of each type to $5 million, making it possible for a single organization to pay up to $10 million for a combination of security program and notification violations.

LOOKING AHEAD

The biggest difference between existing state laws and the proposed federal laws (both DATA and other similar bills) is the inclusion of special requirements for information brokers (see the sidebar “Information Brokers in the Crosshairs”). This special treatment will not be taken well by the large organizations in the information broker business as it increases cost substantially. It will be interesting to see how information brokers and businesses in general react to these bills as they are debated in the Senate.

Maplight.org, a nonprofit, nonpartisan research organization that tracks money and influence in the U.S. Congress, shows that the backers of the bill receive campaign contributions from finance companies and credit agencies. This makes sense as both these groups would benefit from stronger identity controls. Maplight.org shows no money associated with opposition to the bill, at least not as yet.

DATA clearly has benefits for the general population and, whether they want to admit it or not, businesses that will need to notify people when breaches occur. The overall approach of ensuring that organizations formally protect information, implement sound technical controls that include risk assessment and treatment, and follow a uniform set of notification and support procedures promises to reduce the incidence of identity compromise and create incentives to improve overall security.

Richard E. Mackey, Jr. is vice president of consulting at SystemExperts, an information security-services firm. Send comments on this article to [email protected].
INTERNATIONAL REGULATIONS

Navigating Data Privacy, Security and Management Across Borders
Companies should revisit streamlined global data operations with an eye toward revamping compliance.
BY CYNTHIA O’DONOGHUE, KATHARINA A. WEIMER AND AMY MUSHAHWAR

WITH THE GLOBAL economic downturn, economies of scale are of increasing importance, and to achieve cost synergies, many companies have shed their geographic silos in favor of a streamlined centralized data infrastructure. Far more multinational companies with offices on all continents and production facilities in multiple countries share centralized databases, processing capabilities and even IT support teams that make integrated production possible on a 24/7 basis.
While we have seen many industries such as life sciences, real estate and entertainment streamline their IT operations, all have one item in common—they store personal employee, customer, supplier and website visitor data. With the myriad data privacy, security and management laws that exist in the U.S. and abroad, data privacy compliance can be a difficult area to navigate.

By now, most companies understand that U.S. federal, state and local governments have weaved an intricate web of laws protecting many aspects of Americans’ privacy (i.e., banking, telecom services, higher education, health care, financial services). Even with all of its privacy laws, the U.S. leaves some areas of personal data-processing largely unregulated.

Unlike the U.S. sectoral approach, the EU views privacy as a fundamental human right and has an omnibus data protection law that regulates the collection and handling of information related to identifiable individuals: “European Union Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data” (the EU Directive). Bear in mind that the legislative tool the EU selected for privacy law—a “directive”—requires each EU member state to enact its own local law adopting (or transposing) the directive into national legislation. Therefore, the text of the EU Data Protection Directive offers only a blueprint or framework for data privacy laws across Europe. National legislation implementing the directive has resulted in variations among EU member states.

Over the years, we have witnessed the compliance issues and various legal conflicts of law that spring from this cross-border culture clash. We will identify a few typical scenarios that require some international data privacy, security and management issue-spotting.

SIDEBAR: U.S. Privacy Framework Lagging

There are efforts underway by the Federal Trade Commission and the Department of Commerce to develop a comprehensive and uniform privacy policy for the U.S. But these uniformity proposals are likely to take years to fully implement and there does not appear to be a consensus as to whether either agency’s efforts alone can assist with closing the sectoral privacy gaps. It is safe to say that the U.S. is several years away from a fully comprehensive privacy framework.

DATA INTEGRATION ISSUES TO WATCH OUT FOR

Before we begin, we would like you to imagine a midsized company, Doggie’s Night Out (DNO, Inc.), a high-end manufacturer of canine retractable leashes with built-in flash lights, treats and waste disposal bags headquartered in the U.S. DNO, Inc. already has several offices across the U.S., a manufacturing site in China, and subsidiaries across South America, and it intends to acquire a German manufacturer of designer cat collars called Feline Fun AG, with nearly 100 local employees. This little gem is for sale at a bargain-basement price and DNO, after some due diligence, proceeds with the acquisition. Following the purchase, DNO’s general counsel would like to know everything about Feline Fun, including all information about the employees.
DNO wishes to maintain ongoing data flows about the general business operations and activities of Feline Fun to fully integrate it and leverage its data capture and analytics tools globally (i.e., such as those for employees, job applicants, customer data, suppliers, third-party partners, purchased data, conferences, and market research). Such data integration would necessitate the transfer of personal data of European citizens to the U.S. headquarters of DNO, Inc. Not surprisingly, the internal data protection officer of Feline Fun has some objections.

Immediately upon hearing the data integration plans, the internal German data protection officer reminds the U.S.-based general counsel that the EU Directive regulates the processing of individuals’ personal data, a much broader concept than what is referred to in the U.S. as personally identifiable information. He explains that the broad definition covers nearly all information that DNO, Inc. would like to integrate. For example, DNO, Inc. knew that certain information fields (or combinations of information fields) were protected under U.S. law: items such as a name and account number could be protected personal financial information under the U.S. Gramm-Leach-Bliley Act. Presently, however, there is little U.S. regulation governing the collection of information. For instance, while the EU Directive regulates the mere independent collection of an individual’s name, email address, or IP address, the U.S. does not unless an individual’s name is collected in conjunction with other information, such as an individual’s social security number. The German data protection officer made DNO, Inc. aware that such limited information fields are only starting to be addressed by U.S. federal regulators as part of the FTC privacy proceeding.

Practically speaking, the broad concept of personal data under the EU Directive requires Feline Fun to examine two items for nearly all individual information it wishes to transfer to DNO, Inc.: (1) the legal basis for transferring the data, and (2) whether the transfer was to a country with data protection laws sufficiently similar to those in the EU, such that those laws provide adequate protection to the data, or a legal transfer method.

Local Compliance with Data Transfer Requirements: According to EU and German law, before any processing of personal data may be undertaken (including transfer), there must be a legal basis to do so. The legal basis for transfer is satisfied if the transfer is necessary for the fulfillment of a contract or a contractual relationship with the data subject, i.e., the person whose data shall be transferred. For instance, personnel data can be transferred if and to the extent such transfer is necessary for the fulfillment of the employment contract. We must emphasize “necessary,” which is more than plain usefulness; that is, the transfer must be required for the employment relationship. Data transfer of customer data can sometimes be based on the contract with the customer; for instance, if the contract will be fulfilled out of another site and the other site requires the customer information for its performance. While these two examples tend to be the most common, other legal bases exist. As a last resort, the data controller can always try and obtain the individual’s consent to the processing, but any such consent must be voluntary (already disputable in an employment relationship), informed and revocable; it should therefore not be the No. 1 choice for establishing a legally secure way of transferring personal data.
Transferring Data to a Country with Adequate Protection or an Appropriate Legal Process Alternative: Any recipient of personal data located outside the European Economic Area (EEA) must generally provide an adequate level of protection to personal data. Countries whose privacy laws have been recognized as adequate, akin to those in the EU/EEA, and to which transfers are therefore permitted, include Switzerland, Canada, Argentina, the Isle of Man, Guernsey, Jersey, Israel and Andorra. Transfer is also permissible to U.S. companies that participate in the Department of Commerce Safe Harbor Program. U.S. companies must self-certify that their data privacy, security and management practices provide adequate protection (and must then re-certify to the Department of Commerce annually thereafter), always provided that the processing step as such, i.e., the transfer, is permissible as described above. To be eligible to submit a U.S.-EU Safe Harbor self-certification, an organization can (1) join a self-regulatory privacy program that adheres to the U.S.-EU Safe Harbor Framework's requirements, or (2) develop its own self-regulatory privacy policy that conforms to the U.S.-EU Safe Harbor Framework.

The Feline Fun data protection officer learns that all data will be transferred from Germany to the U.S. and that DNO, Inc. has not self-certified under the Safe Harbor Program. But an adequate level of protection may be achieved by other means: (1) Feline Fun and DNO, Inc. could enter into a set of contractual clauses approved by the European Commission as establishing an adequate level of protection ("Model Clauses"), or (2) DNO, Inc. could establish Binding Corporate Rules ("BCRs") for its entire group that are approved by a lead data protection authority in Europe.

Approximately 50 U.S. companies per month file initial self-certifications to the Safe Harbor program, and approximately 150 companies submit annual re-certifications. More than 50 percent of the companies in Safe Harbor have joined during the past two years. Currently, more than 2,100 companies are on the Safe Harbor list. Placed in context, this means that more companies join Safe Harbor in a single month than the total number of companies that have obtained approval for BCRs to date. This trend is counter-intuitive, given the recent statements of the Düsseldorfer Kreis (a body formed by the German data protection authorities) and other EU member state bodies issuing critical opinions regarding the Safe Harbor program. Practitioners point to the following as potential reasons for Safe Harbor's increased popularity at the moment:

• Greater control for the U.S. company. Safe Harbor primarily requires the U.S. company to undertake the relevant compliance steps, and requires little to no significant local affiliate involvement.
• Enhanced brand reputation for outsourcing providers and satisfaction of EU customer requirements.
• The Swiss Federal Data Protection and Information Commissioner (Swiss DPA) has recently established the U.S.-Swiss Safe Harbor Framework with the United States.
• Streamlining of local filing procedures. In a number of EU member states, cross-border transfers of EU personal data trigger registration requirements with the data protection authorities. In some of these countries, Safe Harbor facilitates the local registration process by avoiding the procedural approvals that apply to the use of Model Contracts and the "substantive" approvals required for BCRs.
• Avoiding the administrative burden of maintaining several versions of Model Contracts.
However, there are as many good reasons to join Safe Harbor, or to use Safe Harbor as a baseline to authorize certain data transfers, as there are good reasons why Safe Harbor may not be sufficient for all data transfers. Some negative aspects of Safe Harbor include:

• FTC enforcement. The promise to comply with Safe Harbor is ultimately subject to the enforcement authority of the FTC.
• Some data transfers are not eligible for coverage by Safe Harbor. U.S. companies are only eligible to join Safe Harbor to protect certain transfers of EU personal data to the United States. Other transfers within a global enterprise, such as transfers from the EU to Asia or Latin America, are not covered by Safe Harbor. Likewise, financial institutions and other organizations that fall outside the scope of FTC and DOT authority are not eligible to join Safe Harbor, even if the organizations are located in the United States.

Even in the context of e-discovery, attorneys must address whether cross-border data transfers are permissible under local EU law. This is typically viewed as a prime area of conflict, and transfers of data for purposes of litigation may expose the EU affiliate to liability.

With this general data transfer background, we also identify a few other issue-spotting items that we have seen recur over the years.

EU EMPLOYEES ENJOY MORE PRIVACY PROTECTIONS

Implementing data integration measures along the lines of those proposed by DNO, Inc. may be common sense to any U.S. company, but integrating the data of European affiliates may trigger a variety of issues, such as whistleblower protections. A person whose behavior is reported through an employer-provided hotline retains his or her data privacy rights.
Yet his or her personal details have been communicated to a third party in a country without adequate protection and without his or her knowledge. Employee monitoring, for example, is a sensitive topic in Europe; every country has different rules and, generally speaking, employees have a rightful expectation of privacy even in the work environment. The employee's (potentially private) use of the telecommunications infrastructure provided by the employer may trigger obligations of secrecy vis-à-vis the employee: the employer may not be able to access the employee's communications or even Internet history.

USING WEBSITE ADVERTISING AND ANALYTICS IN THE EU

If DNO, Inc. were to integrate website advertising and analytics operations, there may also be issues. Recently, German data protection authorities have been in discussions with Google about the legitimacy of its analytics programs under German data protection law and came to the conclusion that the analytics service currently does not provide adequate safeguards to the consumer. The authorities objected to the use of IP addresses, which the data protection authorities consider personal data. Court decisions differ on this point: some consider an IP address to be personal data, others do not. While it is ultimately up to a court to decide, the initial assessment will be carried out by the data protection authorities, and their opinion should be carefully considered. It should also be noted that the U.S. FTC has made recent statements that an IP address may be included in the definition of protected personally identifiable information.
While Google demonstrated goodwill and allowed an anonymization tool to be built into the software, and additionally built a plug-in with which Internet users can set their browser to object to the collection of the IP address, this did not satisfy the data protection authorities' requirements: the anonymization is at the discretion of the website operator, and the plug-in does not work for all browsers. As the issue has yet to be resolved, there is a risk that the authorities may proceed against website operators that use analytics without consumer opt-in.

IT MAY BE RAINING CATS AND DOGS BUT THERE ARE TOOLS TO WEATHER THE STORM

Decisions by multinationals to centralize data should not be taken lightly. The complexity of EU data protection law poses special problems and must be considered fully as part of any data centralization initiative. Recently, the U.S. has made attempts to move closer to EU-style data protection, but these efforts will not come to fruition for some time. The data compliance scramble should not stop U.S. companies from wading out into the storm to access the wide variety of personal data available from EU entities. Rather, the philosophical and jurisprudential gap can be bridged by relying on the number of tools available to organizations that allow them to transfer data, while being mindful that the EU takes its obligation to safeguard its citizens' privacy very seriously.

Cynthia O'Donoghue is a partner and co-practice leader of Reed Smith LLP's Data Privacy, Security and Management group and is based in London. Katharina A. Weimer is an associate in the Munich office of Reed Smith LLP with a focus on media law and data protection. Amy Mushahwar is an associate in the Data Privacy, Security and Management practice in the Washington D.C. law office of Reed Smith LLP. Send comments on this column to [email protected].
RISK METHODOLOGIES

Sizing Up Risk

There are a lot of risk assessment frameworks out there. Here's what you need to know in order to pick the right one.

BY RICHARD E. MACKEY, JR.

MANY REGULATIONS and virtually all security frameworks require some objective assessment of risks. The reason is simple: security controls should be selected based on real risks to an organization's assets and operations. The alternative, selecting controls without a methodical analysis of threats and controls, is likely to result in implementation of security controls in the wrong places, wasting resources while at the same time leaving an organization vulnerable to unanticipated threats.

A risk assessment framework establishes the rules for what is assessed, who needs to be involved, the terminology used in discussing risk, the criteria for quantifying, qualifying and comparing degrees of risk, and the documentation that must be collected and produced as a result of assessments and follow-on activities.
The goal of a framework is to establish an objective measurement of risk that will allow an organization to understand business risk to critical information and assets both qualitatively and quantitatively. In the end, the risk assessment framework provides the tools necessary to make business decisions regarding investments in people, processes and technology to bring risk to an acceptable level.

Two of the most popular risk frameworks in use today are OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), developed at Carnegie Mellon University, and the NIST risk assessment framework documented in NIST Special Publication 800-30. Other risk frameworks that have a substantial following are ISACA's RISK IT (a companion to COBIT) and ISO 27005:2008 (part of the ISO 27000 series that includes ISO 27001 and 27002). All the frameworks have similar approaches but differ in their high-level goals. OCTAVE, NIST and ISO 27005 focus on security risk assessments, whereas RISK IT applies to the broader IT risk management space.

How does a company know which framework is the best fit for its needs? We'll provide an overview of the general structure and approach to risk assessment, draw a comparison of the frameworks, and offer some guidance for experimentation and selection of an appropriate framework.

ASSET-BASED ASSESSMENTS

All risk assessment methods require organizations to select an asset as the object of the assessment. Generally speaking, assets can be people, information, processes, systems or applications.
However, frameworks differ in how strict they are in requiring organizations to follow a particular discipline in identifying what constitutes an asset. For example, CMU's original OCTAVE framework allowed an organization to select any item previously described as the asset to be assessed, whereas the most recent methodology in the OCTAVE series, Allegro, requires assets to be information. There are advantages and disadvantages associated with any definition of asset. For example, if an asset is a system or application, the assessment team will need to include all information owners affected by the system. On the other hand, if the asset is information, the scope of the assessment would need to include all systems and applications that affect the information. Practically speaking, it is important to define the asset precisely so the scope of the assessment is clear. It is also useful to be consistent in how assets are defined from assessment to assessment to facilitate comparisons of results.

A critical component of a risk assessment framework is that it establishes a common set of terminology so organizations can discuss risk effectively. See the Framework Terminology glossary below for a list of terms used in most frameworks.

Framework Terminology

Risk assessment frameworks establish the meaning of terms to get everyone on the same page. Here are terms used in most frameworks.

Actors, motives, access: These describe who is responsible for the threat, what might motivate the actor or attacker to carry out an attack, and the access that is necessary to perpetrate an attack or carry out the threat. Actors may be a disgruntled employee, a hacker from the Internet, or simply a well-meaning administrator who accidentally damages an asset. The access required to carry out an attack is important in determining how large a group may be able to realize a threat.
The larger the attacking community (e.g., all users on the Internet versus a few trusted administrators), the more likely an attack can be attempted.

Asset owners: Owners have the authority to accept risk. Owners must participate in risk assessment and management as they are ultimately responsible for allocating funding for controls or accepting the risk resulting from a decision not to implement controls.

Asset custodians: A person or group responsible for implementing and maintaining the systems and security controls that protect an asset. This is typically an IT entity.

Impact: The business ramifications of an asset being compromised. The risk assessment team needs to understand and document the degree of damage that would result if the confidentiality, integrity or availability of an asset is lost. The terms impact, business impact and inherent risk are usually used to describe, in either relative or monetary terms, how the business would be affected by the loss. It's important to note that impact assumes the threat has been realized; impact is irrespective of the likelihood of compromise.

Information asset: An abstract logical grouping of information that is, as a unit, valuable to an organization. Assets have owners that are responsible for protecting the value of the asset.

Risk magnitude or risk measurement criteria: The product of likelihood and the impact described above. If we consider likelihood a probability value (less than 1) and impact a value of high, medium or low, the risk magnitude can be "calculated" and compared to the risks of various threats on particular assets.

Security requirements: The qualities of an asset that must be protected to retain its value. Depending on the asset, different degrees of confidentiality, integrity and availability must be protected.
For example, confidentiality and integrity of personal identifying information may be critical for a given environment while availability may be less of a concern.

Threats, threat scenarios or vectors: According to OCTAVE, threats are conditions or situations that may adversely affect an asset. Threats and threat scenarios involve particular classes of actors (attackers or users) and methods or vectors by which an attack or threat may be carried out.

RISK ASSESSMENT METHODOLOGY

The heart of a risk assessment framework is an objective, repeatable methodology that gathers input regarding business risks, threats, vulnerabilities and controls and produces a risk magnitude that can be discussed, reasoned about and treated. The various risk frameworks follow similar structures, but differ in the description and details of the steps. However, they all follow the general pattern of identifying assets and stakeholders, understanding security requirements, enumerating threats, identifying and assessing the effectiveness of controls, and calculating the risk based on the inherent risk of compromise and the likelihood that the threat will be realized. The following is a basic methodology, largely derived from the OCTAVE and NIST frameworks.

1. Identify assets and stakeholders

All risk assessment methods require a risk assessment team to clearly define the scope of the asset, the business owner of the asset, and those people responsible for the technology and particularly the security controls for the asset. The asset defines the scope of the assessment, and the owners and custodians define the members of the risk assessment team.
NIST's approach allows the asset to be a system, application or information, while OCTAVE is more biased toward information and OCTAVE Allegro requires the asset to be information. Regardless of which method you choose, this step must define the boundaries and contents of the asset to be assessed.

2. Analyze impact

The exercise of analyzing the value or impact of asset loss can help determine which assets should undergo risk assessment. The next step is to understand both the dimensions and magnitude of the business impact to the organization, assuming the asset was compromised. The dimensions of compromise are confidentiality, integrity and availability, while the magnitude is typically described as low, medium or high, corresponding to the financial impact of the compromise. It's important to consider the business impact of a compromise in the absence of controls, to avoid the common mistake of assuming that a compromise could not take place because the controls are assumed to be effective. This step is mostly the responsibility of the business team, but technical representatives can profit by hearing the value judgments of the business. The output of this step is a document (typically a form) that describes the business impact in monetary terms or, more often, on a graded scale for compromise of the confidentiality, integrity and availability of the asset.

3. Identify threats

Identify the various ways an asset could be compromised that would have an impact on the business. Threats involve people exploiting weaknesses or vulnerabilities, intentionally or unintentionally, in ways that result in a compromise.
This process typically starts at a high level, looking at general areas of concern (e.g., a competitor gaining access to proprietary plans stored in a database) and progresses to more detailed analysis (e.g., gaining unauthorized access through a remote access method). The idea is to list the most common combinations of actors or perpetrators and paths that might lead to the compromise of an asset (e.g., application interfaces, storage systems, remote access, etc.). These combinations are called threat scenarios. The assessment team uses this list later in the process to determine whether these threats are effectively defended against by technical and process controls. The output of this step is the list of threats described in terms of actors, access path or vector, and the associated impact of the compromise.

4. Investigate vulnerabilities

Use the list of threats and analyze the technical components and business processes for flaws that might facilitate the success of a threat. The vulnerabilities may have been discovered in separate design and architecture reviews, penetration testing or control process reviews. Use these vulnerabilities to assemble or inform the threat scenarios described above. For example, a general threat scenario may be defined as a skilled attacker from the Internet, motivated by financial reward, gaining access to an account withdrawal function; a known vulnerability in a Web application may make that threat more likely. This information is used in the later stage of likelihood determination. This step is designed to allow the assessment team to determine the likelihood that a vulnerability can be exploited by the actor identified in the threat scenario.
The team considers factors such as the technical skills and access necessary to exploit the vulnerability in rating the vulnerability exploit likelihood from low to high. This will be used in the likelihood calculation later to determine the magnitude of risk.

5. Analyze controls

Look at the technical and process controls surrounding an asset and consider their effectiveness in defending against the threats defined earlier. Technical controls like authentication and authorization, intrusion detection, network filtering and routing, and encryption are considered in this phase of the assessment. It's important, however, not to stop there. Business controls like reconciliation of multiple paths of transactions, manual review and approval of activities, and audits can often be more effective in preventing or detecting attacks or errors than technical controls. The multi-disciplinary risk assessment team is designed to bring both types of controls into consideration when determining the effectiveness of controls. At the conclusion of this step, the assessment team documents the controls associated with the asset and their effectiveness in defending against the particular threats.

The Value of Formal Assessments

A thorough analysis of risk helps justify security spending.

Formal, methodical risk analysis allows organizations to reason about the magnitude of business risk given the value of the system or information at risk, a set of threats, and a set of security controls like authentication, firewalls and monitoring. The magnitude of the risk is a function of the degree of damage or loss that would occur if the threat is realized and the likelihood of the realization of the threat.
This kind of thoughtful and objective approach not only helps to meet regulatory requirements, but also provides a practical way to manage security expenditures. The value of assessing risk in this manner is that it transforms the risk discussion from a conversation among technical people into one relating technical vulnerabilities and controls to business impact. The process requires technical and business representatives to come to an understanding of what the business risk is and how it relates to technical risk. It also facilitates the economic discussion of whether investments in technology and processes are justified by the damage that may result from an attack or incident and the likelihood of the event. In short, it steers organizations away from being held hostage by the fear mongers or being starved for security investment by business people who do not appreciate the dangers posed by insufficient security controls. —RICHARD E. MACKEY, JR.

6. Calculate threat likelihood

After identifying a particular threat, developing scenarios describing how the threat may be realized, and judging the effectiveness of controls in preventing exploitation of a vulnerability, use a "formula" to determine the likelihood of an actor successfully exploiting a vulnerability and circumventing known business and technical controls to compromise an asset. The team needs to consider the motivation of the actor, the likelihood of being caught (captured in control effectiveness), and the ease with which the asset may be compromised, then come up with a measure of overall likelihood, from low to high.

7. Calculate risk magnitude

The calculation of risk magnitude, or residual risk, combines the business impact of compromise of the asset (considered at the start of the assessment), adjusted for the diminishing effect of the particular threat scenario under consideration (e.g., the particular attack may only affect confidentiality and not integrity), with the likelihood of the threat succeeding. The result is a measure of the risk to the business of a particular threat. This is typically expressed as one of three or four values (low, medium, high and sometimes severe). This measure of risk is the whole point of the risk assessment. It serves as a guide to the business as to the importance of addressing the vulnerabilities or control weaknesses that allow the threat to be realized. Ultimately, the risk assessment forces a business decision to treat or accept risk.

Anyone reading a risk assessment method for the first time will probably get the impression that it describes a clean and orderly process that can be executed sequentially. However, you'll find that you need to repeatedly return to earlier steps when information in later steps helps to clarify the real definition of the asset, which actors may realistically be considered in a threat scenario, or what the sensitivity of a particular asset is. It often takes an organization several attempts to get used to the idea that circling back to earlier steps is a necessary and important part of the process.

WHICH FRAMEWORK IS BEST?

Over the years, many risk frameworks have been developed, and each has its own advantages and disadvantages.
In general, they all require organizational discipline to convene a multidisciplinary team, define assets, list threats, evaluate controls, and conclude with an estimate of the risk magnitude.

OCTAVE, probably the most well-known of the risk frameworks, comes in three sizes. The original, full-featured version is a heavyweight process with substantial documentation meant for large organizations. OCTAVE-S is designed for smaller organizations where the multi-disciplinary group may be represented by fewer people, sometimes exclusively technical folks with knowledge of the business. The documentation burden is lower and the process is lighter weight. The latest product in the OCTAVE series is Allegro, which has more of a lightweight feel and takes a more focused approach than its predecessors. Allegro requires the assets to be information, requiring additional discipline at the start of the process, and views systems, applications and environments as containers. The scope of the assessment needs to be based on the information abstraction (e.g., protected health information) and identify and assess risk across the containers in which the information is stored, processed or transmitted. One of the benefits of the OCTAVE series is that each of the frameworks provides templates for worksheets to document each step in the process. These can either be used directly or customized for a particular organization.

The NIST framework, described in NIST Special Publication 800-30, is a general one that can be applied to any asset. It uses slightly different terminology than OCTAVE, but follows a similar structure. It doesn't provide the wealth of forms that OCTAVE does, but is relatively straightforward to follow. Its brevity and focus on more concrete components (e.g., systems) make it a good candidate for organizations new to risk assessment. Furthermore, because it's defined by NIST, it's approved for use by government agencies and organizations that work with them.
ISACA's COBIT and ISO 27001 and 27002 are IT management and security frameworks that require organizations to have a risk management program. Both offer, but don't require, their own versions of risk assessment frameworks: COBIT has RISK IT and ISO has ISO 27005:2008. They recommend repeatable methodologies and specify when risk assessments should take place. The ISO 27000 series is designed to deal with security, while COBIT encompasses all of IT; consequently, the risk assessments required by each correspond to those scopes. In other words, risk assessment in COBIT, described in RISK IT, goes beyond security risks and includes development, business continuity and other types of operational risk in IT, whereas ISO 27005 concentrates on security exclusively.

ISO 27005 follows a similar structure to NIST but defines terms differently. The framework includes steps called context establishment, risk identification and risk estimation, in which threats, vulnerabilities and controls are considered, and a risk analysis step that discusses and documents threat likelihood and business impact. ISO 27005 includes annexes with forms and examples, but as with other risk frameworks, it's up to the organization implementing it to evaluate or quantify risk in ways that are relevant to its particular business.

Organizations that do not have a formal risk assessment methodology would do well to review the risk assessment requirements in ISO 27001 and 27002 and consider the 27005 or NIST approach.
The ISO standards provide a good justification for formal risk assessments and outline requirements, while the NIST document provides a good introduction to a risk assessment framework. With practice, an organization can establish a methodology based on this approach. However, it is worthwhile to review the OCTAVE family and, in particular, the Allegro framework. Its focus on information, its forms and its relatively lightweight approach (compared with other OCTAVE methods) provide a good alternative to NIST and will allow an organization to build a customized method that meets its own requirements.

CONSISTENCY IS KEY

In the end, the most important aspect of choosing a framework is ensuring that the organization will use it. Auditors will seldom inspect the details of your risk assessment method, but will look at whether you have a systematic method and apply it regularly. It's an organization's prerogative to accept risks that are too difficult or expensive to mitigate. However, one can only accept risks that one understands. Consistent and repeatable risk assessments provide the mechanism not only to understand risk, but also to demonstrate to auditors and regulators that the organization understands risk. Whether your goal is simply to achieve good security or also to meet regulatory requirements, creating a risk assessment method based on a well-known framework is a good place to start.

Richard E. Mackey, Jr. is vice president of consulting at SystemExperts, an information security-services firm. Send comments on this article to [email protected].
BUSINESS INTEGRATION
Hurdle Cultural Barriers to Compliance

Engage stakeholders frequently about their role in compliance and reducing risk inside your organization.
BY ERIC HOLMQUIST

WHEN LOOKING TO create or expand information security reporting to senior management, the biggest challenge is often not technical but cultural. Business managers can be hesitant to have areas of risk highlighted for fear that they will be perceived as not doing their jobs. Lawyers are often nervous that putting vulnerabilities in writing could ultimately be used against the organization. And managers are sometimes hesitant to tell senior management too much, fearing that senior managers won't understand the information they are given but, recognizing that it represents a significant risk, will feel obligated to issue arbitrary directives in a misguided attempt to solve problems they don't fully understand.

While these are all realities that we as security and compliance managers live with, they are ones that mature organizations must push past if they are to holistically manage information security risk and compliance. Contrary to what many believe, when seeking to address security and compliance weaknesses, knowledge is power and transparency is good. However, to successfully evolve beyond cultural barriers to effective information security reporting, a strategy is required. The following are some time-tested solutions to the cultural barriers that often stifle effective information security risk and compliance management.

Tips for fostering a compliance culture

English only please – Unquestionably, the most critical make-or-break factor in information security reporting is language. Simply put, any report, whether a scorecard or a narrative, must be limited to basic business terminology. No IT terms, no obscure acronyms, no exceptions, ever. An IDS or other gateway device may produce a wonderfully detailed 20-page technical report, and while that may be helpful to technical staff, such reports should never see the light of day in an executive report.
Instead, require these data owners to summarize their reports as succinctly as possible, using language that someone with no familiarity with technology would understand.

Make disclosure safe – The second most critical factor is to create an environment where disclosure is safe. People must be allowed to report both their observations of potential risk and operational failures without being punished, and managers must foster an environment where such disclosures are encouraged. For observed risks, the focus must be on an assessment of the risk and an analysis of response options. For failures, the reporting needs to focus on 1) what happened, 2) what is being done about it, and 3) what could be done so that it doesn't happen again. Blame is the mortal enemy of collaboration, so any disciplinary action must be handled privately. Once people begin to realize that risk and failure can be brought up for healthy discussion, more and more risks will come out of the woodwork, and that is a healthy thing.

Focus on solutions – Simply put, make sure any material risk that is reported to management includes a management-level assessment of that risk and a plan of action (or, at minimum, a set of options). Highlighting a risk in isolation can be paralyzing and is often interpreted as a sign that people aren't doing their jobs. Presenting risks together with a range of solutions is empowering and reinforces the fact that people are on the job.

Let them make decisions – When presenting information on the state of the information security program and compliance, give management the opportunity not only to provide input, but also to make decisions.
Even if this means simply submitting a menu of choices for a given area of concern, it engages them in the process and builds ownership. This may seem risky (who wants "pointy-haired bosses" actually making decisions?), but it really does build engagement if risks are explained clearly and options are spelled out. Trust me, engagement is very good.

Start small – The fact is that most organizations can't go from nothing to a detailed scorecard in one pass; it just doesn't happen. Start small by focusing on more innocuous data points that allow management to take action (training completion, third-party governance, etc.). As management becomes more comfortable with the reporting cycle, move to more sensitive areas, such as open audit issues, control failures, operational incidents and risk heat maps (the latter having a more direct association with specific business areas).

In the end, the goal is to create a compliance culture through dialog and engagement. Start small, be exceedingly clear and keep pressing. Eventually people will realize these topics are more approachable than they thought, and that creating forums for discussion with a range of constituencies is healthy for the organization, ultimately creating a compliance culture that will serve it well.

Eric Holmquist is a principal with consulting firm Holmquist Advisory. He has more than 25 years' experience in the financial services industry and is a frequent industry author and speaker. As the former vice president and director of operations risk management for Advanta Bank Corp., he was responsible for the development and oversight of the bank's operational risk management program and its information security strategy. In addition, Holmquist chaired the bank's MIS council, an oversight group that provided governance over standards, methods and production of financial and operational reports and the management of enterprise data.
PCI DSS 2.0
PCI Assessment Changes Explained

The latest update to PCI is relatively minor, but that doesn't mean security and compliance managers can afford to slack.

BY ED MOYLE

VERSIONS 2.0 OF the Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) made their debuts last fall. Since then, organizations have been trying to make sense of the updates, the new timetable for compliance and how this affects established security and compliance programs. From a PCI assessment standpoint, there are two things to call out about the changes at a macro level before going into the details of the changes themselves.

First, the changes are relatively minor. This wasn't entirely expected; a number of industry experts speculated that the standard would follow a "major release/minor release" paradigm (similar to what you'd see in a software product).
Following a "point" release of PCI DSS 1.2 in October 2008, many thought the PCI DSS 2.0 "major revision" last year could mean sweeping change, but this wasn't the way it turned out. The council cites maturity in the standard as the reason for the relatively small number of changes, which means companies can also expect a lesser volume of change in future revisions. For those that were hit hard by the (fairly significant) changes in the 1.x iterations during the past five years, this should be welcome news.

Second, the enforcement timing of the changes is beneficial: there is time to respond before organizations are called to task on how they've implemented the changes. Merchants have a year to comply from the January launch date, meaning there is plenty of time to get environments in shape before enterprises actually have to go through an assessment based on the updates.

But these positive developments shouldn't encourage security and compliance managers to slack. Although most of the changes represent a reduction of the scope of controls, a few might have broader impact depending on your current processes, the scope of your compliance efforts, and how your company has interpreted the controls in the past. So starting now, look at the changes and update your compliance plan accordingly. It will be time well spent.

PCI 2.0: If anything, mostly a slight reduction of assessment impact

As outlined, most of the changes reflect a decrease in the effort associated with the PCI assessment process: changes that give the assessor, or you, additional flexibility to decrease the scope of assessment effort because they allow interpretive latitude, both for you and your QSA.
That interpretive latitude means less time spent trying to force-fit what you've deployed into narrow parameters; in combination with clarifications about control scope, it means less time-consuming back-and-forth discussion between merchants/service providers and QSAs about intent and meaning. The chart below outlines areas where the changes have either no impact on PCI assessment effort or decrease the effort associated with the assessment process. As you can see, with the exception of the two areas called out, the items in this list connote relatively little impact on an assessment. It's those two areas that merchants and service providers may want to keep an eye on.

Two areas to watch

One of the most significant changes is the clarification of PCI assessment scope (item No. 2 in the chart). It's still unclear specifically how the scope change will be reflected in the final document, but what is there should be enough for anybody who's been through an assessment to take notice. Specifically, the cardholder data flow diagrams are to cover all locations and all areas. That's an "uh-oh" for many firms; as it turns out, many organizations just aren't where they need to be on this point. Producing up-to-date diagrams of cardholder data everywhere in the enterprise may seem a minor task at first glance, but in a large retail environment with multiple business units, existing diagrams might cover only one business unit of many, or a subset of the payment flows throughout the whole organization. So this change could very well mean a significant effort to share flow information between business units (since one process might intersect multiple business units) and to ensure all payment flows are accounted for in the documentation.
Lack of appropriate documentation has always been one of the primary issues within an assessment context, so the scope clarification amps up what was already a known issue.

Second, the virtualization update on the surface seems relatively innocuous; after all, many of us have been asking for a long time how virtualization ties into requirements like "one function per server" (Requirement 2.2.1). However, under the surface, expansion of the definition of "system components" to include virtual components might have ramifications beyond 2.2.1; it could affect other requirements as well. For example, some requirements and test procedures specifically refer to "all system components" (Requirement 10.6, "Review logs for all system components at least daily...", and Requirement 2.2, "Develop configuration standards for all system components...", among others). Requirements that address "all system components" now implicitly include the virtual environment as well, as do the test procedures. So a test procedure like 2.2.a ("Examine the organization's system configuration standards for all types of system components and verify the system configuration standards are consistent with industry-accepted hardening standards") means that not only will an organization need to have a hardening standard for its virtual environment, but its assessor will also need to obtain and review that standard. This might not have been the case in prior assessments.

PCI 2.0 EXPLAINED

1. PCI DSS Intro
Proposed change: Clarify that PCI DSS Requirements 3.3 and 3.4 apply only to PAN. Align language with the PTS Secure Reading and Exchange of Data (SRED) module.
Assessment impact: In most cases, minimal impact on assessment effort. Potential reduction in assessment scope of effort if you or your QSA interpreted 3.3 or 3.4 as applying to other cardholder data in past assessments.

2. Scope of Assessment
Proposed change: Clarify that all locations and flows of cardholder data should be identified and documented to ensure accurate scoping of the cardholder data environment.
Assessment impact: Potential area of impact (described above).

3. PCI DSS Intro and various requirements
Proposed change: Expanded definition of system components to include virtual components. Updated Requirement 2.2.1 to clarify intent of "one primary function per server" and use of virtualization.
Assessment impact: Potential area of impact (described above).

4. PCI DSS Requirement 1
Proposed change: Provide clarification on secure boundaries between the Internet and the cardholder data environment.
Assessment impact: It isn't clear from the description what this clarification will be. However, since the controls around separation of the CDE from the Internet are relatively unambiguous currently, this is likely to be a minimal-impact issue.

5. PCI DSS Requirement 3.2
Proposed change: Recognize that issuers have a legitimate business need to store Sensitive Authentication Data.
Assessment impact: The scope of an issuer's business requirements has little bearing on an assessment at a merchant or service provider. Minimal impact on assessment effort.

6. PCI DSS Requirement 3.6
Proposed change: Clarify processes and increase flexibility for cryptographic key changes, retired or replaced keys, and use of split control and dual knowledge.
Assessment impact: We don't have enough information from the change description to know how this will change. The intent of the change is to increase flexibility, which suggests a reduction in assessment effort.

7. PCI DSS Requirement 6.2
Proposed change: Update requirement to allow vulnerabilities to be ranked and prioritized according to risk.
Assessment impact: This moves the requirement more in line with what firms actually do; the change allows latitude to reflect that practice during an assessment.

8. PCI DSS Requirement 6.5
Proposed change: Merge Requirement 6.3.1 into 6.5 to eliminate redundancy for secure coding for internal and Web-facing applications. Include examples of additional secure coding standards, such as CWE and CERT.
Assessment impact: Consolidation in this area means reduced assessment effort, as merchants and QSAs are no longer writing up results twice for the same controls.

9. PCI DSS Requirement 12.3.10
Proposed change: Update requirement to allow business justification for copy, move and storage of CHD during remote access.
Assessment impact: This change recognizes that a business may need to manipulate cardholder data during a remote access scenario. Businesses that require this will no longer have to write up compensating controls to do so.

So overall for merchants and service providers, this version of the standard represents a streamlining of the assessment process, which should help ease the PCI DSS compliance burden somewhat. But the expansion of system components to include virtualization and the updates to required documentation could make those elements of the assessment process more complex, so be sure to address each with your assessor when the time comes for your company's first assessment under PCI DSS 2.0; also, start planning now for areas where your current control deployment may not address the entirety of the scope.

Ed Moyle is currently a manager with CTG's Information Security Solutions practice, providing strategy, consulting, and solutions to clients worldwide, as well as a founding partner of SecurityCurve.

TECHTARGET SECURITY MEDIA GROUP
INFORMATION SECURITY

EDITORIAL DIRECTOR Michael S. Mimoso
SENIOR SITE EDITOR Eric Parizo
EDITOR Marcia Savage
MANAGING EDITOR Kara Gattine
NEWS DIRECTOR Robert Westervelt
SITE EDITOR Jane Wright
ASSOCIATE EDITOR Carolyn Gibney
ASSISTANT EDITORS Maggie Sullivan, Greg Smith
UK BUREAU CHIEF Ron Condon
ART & DESIGN CREATIVE DIRECTOR Maureen Joyce
COLUMNISTS Marcus Ranum, Lee Kushner, Mike Murray
CONTRIBUTING EDITORS Michael Cobb, Phillip Cox, Scott Crawford, Peter Giannoulis, Ernest N. "Ernie" Hayden, Robbie Higgins, Jennifer Jabbusch, David Jacobs, Diana Kelley, Nick Lewis, Richard E. Mackey Jr., Kevin McDonald, Sandra Kay Miller, Ed Moyle, Lisa Phifer, Ashley Podhradsky, Ben Rothke, Anand Sastry, Dave Shackleford, Joel Snyder, Lenny Zeltser
USER ADVISORY BOARD Phil Agcaoili, Cox Communications; Richard Bejtlich, GE; Seth Bromberger, Energy Sector Consortium; Chris Ipsen, State of Nevada; Diana Kelley, Security Curve; Nick Lewis, ACM; Rich Mogull, Securosis; Craig Shumard, CIGNA CISO Retired; Marc Sokol, Guardian Life; Gene Spafford, Purdue University; Tony Spinelli, Equifax

VICE PRESIDENT/GROUP PUBLISHER Doug Olender
PUBLISHER Josh Garland
DIRECTOR OF PRODUCT MANAGEMENT Susan Shaver
DIRECTOR OF MARKETING Nick Dowd
SALES DIRECTOR Tom Click
CIRCULATION MANAGER Kate Sullivan
PROJECT MANAGER Elizabeth Lareau
PRODUCT MANAGEMENT & MARKETING Kim Dugdale, Andrew McHugh, Karina Rousseau
SALES REPRESENTATIVES Eric Belcher, Patrick Eichmann, Sean Flynn, Jennifer Gebbie, Jaime Glynn, Leah Paikin, Jeff Tonello, Vanessa Tonello, George Whetstone, Nikki Wise
INFORMATION SECURITY DECISIONS GENERAL MANAGER OF EVENTS Amy Cleary

TECHTARGET INC.
CHIEF EXECUTIVE OFFICER Greg Strakosch
PRESIDENT Don Hawk
EXECUTIVE VICE PRESIDENT Kevin Beam
CHIEF FINANCIAL OFFICER Jeff Wakely
EUROPEAN DISTRIBUTION Parkway Gordon, Phone 44-1491-875-386, www.parkway.co.uk
LIST RENTAL SERVICES Julie Brown, Phone 781-657-1336, Fax 781-657-1100

Information Security's Essential Guide to Compliance is published by TechTarget, 275 Grove Street, Newton, MA 02466 U.S.A.; Toll-Free 888-274-4111; Phone 617-431-9200; Fax 617-431-9201. All rights reserved. Entire contents, Copyright © 2011 TechTarget. No part of this publication may be transmitted or reproduced in any form, or by any means without permission in writing from the publisher, TechTarget or INFORMATION SECURITY.