Auditing IT Infrastructures for Compliance

Lesson 2
Overview of U.S. Compliance Laws

© 2016 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Learning Objective
▪ Explain specific U.S. compliance laws and
standards, and their role in organizations.

Key Concepts
▪ The difference between public and private sector
regulatory requirements
▪ The essentials of significant compliance laws, such as
CIPA (Children's Internet Protection Act), FERPA (Family
Educational Rights and Privacy Act), GLBA (Gramm-
Leach-Bliley Act), and SOX (Sarbanes-Oxley Act)
▪ Department of Defense (DoD) requirements
▪ The importance of certification and accreditation (C&A) and
Risk Management Framework (RMF)
▪ The purpose of PCI DSS (Payment Card Industry Data
Security Standard) and the consequences to merchants
when they fail to adhere to the standard

Public and Private Sector
Requirements
▪ Trouble comes from two directions:
• IT personnel usually have no legal background
• Regulations usually have little technical depth
▪ Regulatory requirements are often vague about which
technical controls actually satisfy them
▪ Requirements come from several sources: state, federal,
industry, and international
▪ Know which regulations apply to your organization
▪ Internal policies should implement the regulatory
requirements with which you need to comply, so that an
auditor can trace each control back to the requirement it
satisfies

Federal Information Security
Management Act (FISMA)
▪ Enacted in 2002 as Title III of the E-Government Act;
applies to federal agencies and to contractors that
operate information systems on their behalf
▪ Recognizes the importance of sound information
security practices
▪ Protects federal information and systems in the interest
of national security and the economic well-being of the
United States

Purpose of FISMA
▪ Provide a framework for effective information
security resources that support federal
operations, data, and infrastructure.
▪ Recognize that federal IT systems are highly
interconnected, and ensure effective risk management
is in place.
▪ Ensure coordination of information security efforts
between civilian, national security, and law
enforcement communities.

Purpose of FISMA (Cont.)
▪ Facilitate the development and ongoing
monitoring of required minimum controls to
protect federal information systems and data.
▪ Provide for increased oversight of federal agency
information security programs.
▪ Recognize that information technology
solutions may be acquired from commercial
organizations. Leave the acquisition decisions to
the individual agencies.

U.S. Department of Defense
Requirements
▪ United States Department of Defense (DoD):
• Oversees the military departments and the defense
agencies responsible for national security
• Imposes many requirements on the management
of its information systems
• Extends those requirements to organizations that
work with, contract with, and provide services for
the DoD

Key Laws That Apply to the DoD
▪ Paperwork Reduction Act of 1995: designed to have
federal agencies take more responsibility and be held
publicly accountable for reducing paperwork
▪ Clinger-Cohen Act of 1996: improves the acquisition, use
and disposal of federal IT resources
▪ E-Government Act of 2002: improves the management of
electronic government services

Certification and Accreditation
▪ Required under FISMA: the process of auditing a system
before putting it into production
▪ Ensures efforts are made to mitigate risks
▪ Security controls must be properly implemented and
maintained
▪ Supports risk management activities
▪ Current NIST and DoD guidance folds C&A into the Risk
Management Framework as assessment and authorization
(A&A); the goal is unchanged: a documented, authorized
risk decision before a system is allowed to operate

Six Steps of the Risk
Management Framework

Risk Management Framework
Steps
1. Categorizing the information system, giving
consideration to the related data and the impact
as a result of an incident
2. Selecting a baseline set of controls based on
the previous categorization and supplementing
the baseline as appropriate
3. Implementing and documenting the security
controls

Risk Management Framework
Steps (Cont.)
4. Assessing the security controls to determine whether
they are implemented correctly, operating as intended,
and producing the desired results
5. Authorizing the operation of the information
system based on an acceptable level of risk
6. Monitoring the security controls continuously
Note that NIST SP 800-37 Revision 2 (2018) added a
preparatory step, Prepare, ahead of Categorize, so current
guidance describes seven steps; the six-step cycle above
remains the core of the process.

Foundation of Cybersecurity
▪ The C-I-A triad: Confidentiality, Integrity, and
Availability are the three properties that security
controls protect, and the properties against which the
compliance requirements in this lesson are written

Sarbanes-Oxley (SOX) Act
▪ Enacted in 2002 to protect investors by requiring
accuracy and reliability in corporate disclosures
▪ Created new standards for corporate
accountability
▪ Created new penalties for acts of wrongdoing,
both civil and criminal
▪ Changes how corporate boards and executives
must exchange information and work with
corporate auditors
▪ Section 404 requires management and the external
auditor to assess internal controls over financial
reporting; because financial data lives in IT systems,
the general IT controls around those systems (access
control, change management, backups) fall within the
scope of a SOX audit

Gramm-Leach-Bliley Act (GLBA)
▪ Also known as the Financial Modernization Act of 1999
▪ Protects personal financial information
held by financial institutions
▪ To protect personally identifiable
information (PII), GLBA divides privacy
requirements into three principal parts:
• Financial Privacy Rule, which governs the collection
and disclosure of customers' personal financial
information
• Safeguards Rule, which requires a written information
security program with administrative, technical, and
physical safeguards
• Pretexting provisions, which prohibit obtaining
customer information under false pretenses
Health Insurance Portability and
Accountability Act of 1996 (HIPAA)
▪ Helps citizens maintain health
insurance coverage
▪ Improves the efficiency and effectiveness of
the American health care system
▪ Protects the privacy and security of
protected health information (PHI)
▪ Financial penalties for non-compliance

HIPAA Privacy and Security
Rules
▪ Privacy Rule: dictates how covered entities must
protect the privacy of PHI in any form
▪ Security Rule: dictates that covered entities must
protect the confidentiality, integrity, and availability
(C-I-A) of electronic PHI through administrative,
physical, and technical safeguards

Children’s Internet Protection Act
(CIPA)
▪ Attempts to prevent children from being
exposed to explicit content at schools and
libraries
▪ Applies to schools and libraries that receive federal
E-rate discounts for Internet access
▪ Schools and libraries must:
• Use technology protection measures (Internet
filtering) to block access to obscene content, child
pornography, and material harmful to minors
• Adopt and enforce an Internet safety policy that
addresses monitoring the online activities of minors
Children’s Online Privacy
Protection Act (COPPA)
▪ Requires Web sites and other online services
aimed at children under 13 years of age
to comply:
• Post a privacy policy
• Notify parents directly before collecting
personal information from children
• Get parents' verifiable consent before
collecting information from children

Family Educational Rights and
Privacy Act (FERPA)
▪ Protects the privacy of student education records at
schools that receive federal funding
▪ Right to inspect and review education records
▪ Right to request correction of records
▪ Parental written permission required before a school
releases information from a student's record
▪ These rights transfer to the student at age 18 or on
entering a postsecondary institution

Payment Card Industry Data
Security Standard (PCI DSS)
▪ Not a law or regulation: a contractual standard
maintained by the PCI Security Standards Council and
enforced by the card brands through acquiring banks
▪ A set of requirements that prescribe
operational and technical controls to
protect cardholder data
▪ Requirements follow security best practices
and use 12 high-level requirements,
aligned across six goals
▪ Merchants that fail to comply can face fines from the
card brands, higher transaction fees, and loss of the
ability to accept cards

Steps Required to Comply with
PCI DSS
1. Assess: identify where cardholder data is stored,
processed, or transmitted, inventory those systems,
and find vulnerabilities
2. Remediate: fix the vulnerabilities and stop storing
cardholder data that is not needed
3. Report: submit the required validation records (a
Self-Assessment Questionnaire or a Report on
Compliance, plus scan results) to the acquiring bank
and card brands

PCI DSS Principles
▪ Build and Maintain a Secure Network
• Requirement 1: Install and maintain a firewall
configuration to protect cardholder data
• Requirement 2: Do not use vendor-supplied
defaults for system passwords and other
security parameters
▪ Protect Cardholder Data
• Requirement 3: Protect stored cardholder data
• Requirement 4: Encrypt transmission of
cardholder data across open, public networks

PCI DSS Principles (Cont.)
▪ Maintain a Vulnerability Management Program
• Requirement 5: Use and regularly update
antivirus software or programs
• Requirement 6: Develop and maintain secure
systems and applications
▪ Implement Strong Access Control Measures
• Requirement 7: Restrict access to cardholder
data by business need-to-know
• Requirement 8: Assign a unique ID to each
person with computer access
• Requirement 9: Restrict physical access to
the cardholder data environment

PCI DSS Principles (Cont.)
▪ Regularly Monitor and Test Networks
• Requirement 10: Track and monitor all
access to network resources and
cardholder data
• Requirement 11: Regularly test
security systems and processes
▪ Maintain an Information Security Policy
• Requirement 12: Maintain a policy that
addresses information security for
employees and contractors

Red Flags Rule
▪ Based upon the Fair and Accurate Credit
Transactions Act (FACTA) of 2003, which improves
the accuracy of consumers' credit-related records
▪ Requires financial institutions and creditors that hold
covered accounts to establish a written identity theft
prevention program
▪ Establishes procedures for the identification of
possible instances of identity theft
▪ To comply:
• Identify red flags for covered accounts.
• Detect red flags.
• Respond to those red flags.
• Update the program periodically.
Summary
▪ The difference between public and private
sector regulatory requirements
▪ The essentials of significant compliance laws,
such as CIPA, FERPA, GLBA, and SOX
▪ Department of Defense (DoD) requirements
▪ The importance of certification and accreditation
(C&A) and Risk Management Framework (RMF)
▪ The purpose of PCI DSS and the consequences
to merchants when they fail to adhere to the
standard

Lab
▪ Assessing the Impact of Sarbanes-Oxley
(SOX) Compliance Law on Enron
