
Journal of Comprehensive Research, Volume 5, Page 1

Information Technology Regulatory Compliance and Information Security Management

Katia Deriabina, Amy Ernest, Beth McAbee
Jacksonville University

Information Technology Regulatory Compliance

Journal of Comprehensive Research, Volume 5, Page 2

Regulatory compliance is an ever-increasing factor impacting how all organizations do business. IT organizations face the challenge of developing policy based on new requirements while struggling to identify concrete controls that can be deployed successfully into the organization. Many companies are developing solutions to provide a “universal set of controls mapped through industry-standard frameworks and then into the regulations” (Kolodgy, 2005). Solutions such as these decrease the amount of time IT organizations spend determining which controls to codify into policy for deployment. This paper examines the standards and regulations affecting a majority of corporate entities as well as the technological solutions available to comply with industry standards and federal regulations.

Legislation and the Issues

New regulations and legislation are imposed daily on businesses within the United States as well as around the world. These regulatory instruments impact various industries, mandating that businesses enact certain protections and processes to ensure consumer privacy and data security (see Appendix 1). IT organizations play an important role in supporting enterprise business operations. Information security is a function within the IT organization that is primarily concerned with preserving the confidentiality, integrity and availability of an organization’s information systems and resources.


Managing enterprise risk, demonstrating regulatory and legal compliance due diligence and conducting internal audits must be coordinated between the business and IT areas of an enterprise in order to demonstrate that adequate controls are in place. There is no one law that defines due care in security, so how does an organization know when it has achieved an adequate amount of data protection? Laws do not define the standard of “due care in security” because they are guidelines; it is the implementer’s responsibility to discern the reasonable approach specific to the organization. Gartner Research (2005, June) recommends an enterprise-wide security framework instead of security point solutions for a more robust security infrastructure. The more robust the organization’s infrastructure, the less likely a security failure will occur, reducing the potential for loss of consumer data and damage to the reputation of the business. However, infrastructure design should not begin until self-assessment and risk analysis have been completed. By completing the self-assessment and risk analysis, the organization will be better positioned for infrastructure deployment because it understands: what assets the security measures are to protect; what weaknesses exist in the systems that allow threats; the impact of threats in terms of losses, should they occur; and what controls and measures should be implemented to eliminate the threat of loss (Wheatman & Proctor, 2005).


Industry Standards

In an effort to regulate information created and stored, as well as to prevent fraudulent reporting, several industry standards have been developed and are required for implementation by all corporations. Organizations such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the IT Governance Institute (ITGI) and VISA, MasterCard, JCB and American Express are responsible for some of these standards and controls. These organizations work to ensure the protection of consumers and shareholders from unintentional and intentional harm. COSO was formed to redefine internal control and the criteria for determining the effectiveness of an internal control system. It developed a document in 1992, Internal Control – Integrated Framework, that changed the view of internal controls. COSO was created to address the need for internal controls in areas such as: a framework for establishing management ownership of risk and controls; a methodology for the implementation of controls; and helping internal audits to be value added (“Applying COSO’s”, n.d.). According to COSO, there are three primary objectives of an internal control system: efficient and effective operations, accurate financial reporting and compliance with laws and regulations. In conjunction with the primary objectives, elements such as the Control Environment, Risk
Assessment, Control Activities, Information and Communication and Monitoring are used in combination to form an integrated system of controls (“Applying COSO’s”, n.d.). The second structure developed by COSO is the Enterprise Risk Management – Integrated Framework (ERM) in which all types of risk are addressed in relation to all industries. This framework details the principles and components of an effective enterprise risk management process while defining how risks should be identified, assessed, responded to and controlled within the context of strategy setting. ERM encompasses the framework of Internal Controls and both frameworks are compatible and based on the same conceptual foundation (“Applying COSO’s”, n.d.). ERM supports the creation of value by allowing management to deal effectively with potential future events that create uncertainty while responding in a manner that reduces the chances of negative outcomes. There are four categories of objectives that include: strategic, operations, reporting and compliance.

Within these four categories, there are eight components that are interrelated: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring (Crawford, n.d.). Both of these frameworks focus on the importance of maximizing value for all stakeholders. They help to ensure effective reporting and compliance with laws and regulations and help to avoid damage to an organization’s
reputation. The capabilities achieved by both frameworks help management achieve the organization’s performance and profitability targets and prevent loss of resources. The second set of industry standards adhered to within the IT community is COBIT. COBIT is published and maintained by ITGI and is an international framework for the implementation of IT governance, security and control. The most recent release of COBIT, 4.0, builds upon previous versions and does not invalidate previous directives. The primary goal of these guidelines is to provide a verifiable audit trail for both internal and external policies in order to meet all regulatory obligations. The three major benefits of implementing this framework in an organization are savings in time, savings in money and compliance with the Sarbanes-Oxley Act (SOX) and defined international standards (Amis, 2006). COBIT is organized into four sections, the most important being the Core Content. This section addresses the 34 IT processes, providing a complete overview of how to control, manage and measure each process. For each process a high-level objective, detailed control objectives, management guidelines and a maturity model are provided. A third set of standards is defined within the credit card industry. Consumer bankcard safety is essential to the Payment Card Industry (PCI), since fraud and identity theft can dramatically affect the industry’s reputation and profits. Without adequate security programs, cardholder
account information is at risk from security threats and identity theft, which have increased dramatically since 1998. In 2004, the credit card companies Visa and MasterCard came together to develop industry security requirements that would be applicable to the entire industry, called the Payment Card Industry (PCI) Data Security Standard (see Appendix 2). Along with Visa and MasterCard, other companies within the United States have implemented the PCI Data Security Standard into their cardholder security programs. The PCI standard has the following five objectives: build and maintain a secure network; protect cardholder data; maintain a Vulnerability Management Program; implement strong access control measures; regularly monitor and test networks and maintain an information security policy (Visa, 2005).

Security Requirements and Challenges

Information is the most important asset of an organization, and the responsibility to protect that information rests on the shoulders of the entire organization. Information security is one of the most crucial tasks facing corporations today. Organizations operate in an environment where informational assets are threatened by a variety of external and internal sources that did not always exist. The implementation of comprehensive guidelines and governance for information technology is essential to maintaining the highest and most efficient levels of business risk management.
Security measures such as those provided by PCI are not new to the industry. Business within the United States has moved toward more stringent legal mandates and industry standards with the newly implemented privacy regulations and pending security legislation (Mark, 2006). To comply with regulations like the Sarbanes-Oxley Act (SOX) and the Gramm-Leach-Bliley Act (GLBA), organizations must be able to protect data from unauthorized access, ensure documents are authentic and offer the flexibility of selective access and portability (GeoTrust, 2006). Information technology plays a key role in supporting a company’s internal control framework and compliance with such regulatory requirements. SOX has fundamentally changed the business and regulatory environment in an effort to improve corporate responsibility and restore investor confidence in public markets damaged by business scandals and lapses in corporate governance. This act aims to enhance corporate governance through measures that strengthen internal checks and balances and corporate accountability. In the wake of SOX, those responsible for corporate IT systems in public organizations face challenges such as: assessing the current state of the IT control environment; designing the controls necessary to meet the directives of SOX Section 404; and closing any gaps between the two. Most of the financial data used to produce financial reports is generated by applications managed by IT and its related processes (see Appendix 4). It is critical that
these processes can be verified and that executives can certify the reports come from managed software applications (GeoTrust, 2006). According to the PwC Advisory (2005, p.6), “IT and information security are a crucial part of the internal control environment,” which is why meeting SOX control objectives through leveraged technology is essential. In addition to adhering to mandated legislation, Visa implemented its Cardholder Information Security Program (CISP) in June of 2001 in order to protect its cardholders’ data from fraud and identity theft. The main objective of CISP is to decrease cardholder risk and to ensure protection of account information (see Appendix 3). Visa USA requires all its members, merchants and service providers to be CISP-compliant and holds them accountable for the compliance of their service providers and merchants with CISP. Visa’s CISP program is meant to work for all payment options such as business-to-consumer retail, e-commerce and email/telephone order systems. CISP compliance is supported by recognizing and correcting weaknesses so that the level of cardholder account information security is kept up to par with CISP standards. Visa views its CISP program as a way for its members, merchants and service providers to establish strong credibility with their customers by creating a safer payment culture (Visa, 2005).
Security Infrastructure Technology

As a result of enacted legislation, many vendor solutions have emerged to assist organizations with their compliance efforts. Organizations can reduce compliance costs by leveraging technology to meet the increasingly complex and confusing environment of standards and regulations. Serena Software has developed an “automated, process-oriented Application Life Cycle Management Solution” which provides for automated change management throughout the enterprise while minimizing the risk of noncompliance (Serena, 2004, p.4). Process control for meeting compliance objectives, in addition to change management, can be accomplished through Integrated Identity and Access Management (IAM) technology enabling the secure operation of critical business applications. The discipline of identity management is still rather new within the IT industry. Essentially, it attempts to reduce the costs and streamline the tasks of user authentication and access authorization. As with any new IT discipline, the early adopters and implementers wrestled with implementing tools, interfacing applications, streamlining sign-on utilization and rearchitecting applications. It has been the single most expensive security process for IT organizations during the last decade. Computer Associates is the industry leader with an “end-to-end solution with best-in-class functionality” for integrated components (Netegrity, 2003). IAM solutions comprise a suite of related technologies developed to provide password
management, user provisioning, access and authentication management and audit capabilities (PwC Advisory, 2005; see Appendix 5). Most organizations’ technical foundations are a heterogeneous environment with multiple platforms, operating systems, applications and tools. Many of these technical components have unique authentication mechanisms for identifying users, resulting in multiple user IDs and passwords and multiple security repositories. When engaging in an IAM project, an organization must first identify the duplicate security environments, establish a security infrastructure framework to support the environments and ensure that user authentication for new application development adheres to the security infrastructure. The industry trend for improving security infrastructure is to improve service and integrity by reducing the use of multiple security repositories through common protocols and interfaces. Lightweight Directory Access Protocol (LDAP) is the industry standard for establishing a common service and authentication repository that can be used by varied applications. The next step in establishing an IAM is ensuring the security infrastructure remediation takes place prior to any workflow and provisioning of user accounts. Finally, priority business applications are selected and slowly brought online to reduce the burden on system administrators while reducing IT overhead (Computer Associates, 2004).
Acknowledging that data security is essential for any organization, requirement four of the PCI guidelines requires corporations that store and utilize consumer data to “encrypt the transmission of cardholder data and sensitive information across public networks”. Encryption is the algorithmic scheme that encodes plain text into non-readable form, or cipher text. A key is used to decrypt the message back into readable text, resulting in the protection of private information. The most popular version of encryption is provided by the PGP (Pretty Good Privacy) Corporation. PGP has developed the PGP Universal encryption platform to protect organizations from data breaches, regulatory notification requirements and the costs associated with both. By use of this functionality, data security can be achieved by all internal entities and external business partners that handle data (“What is Encryption”, n.d.). PGP is a hybrid cryptosystem that combines both conventional and public key cryptography. The first step during PGP encryption is for the data to be compressed. This step saves disk space and transmission time. Another benefit of the compression is that compressed data is harder to decipher because the reduced amount of plain text eliminates potential patterns in the data. A session key is then created that can be used only one time. The key is a random number generated from the random movements of the mouse and keystrokes. Once the data has been encrypted with the session key, the session key is itself encrypted with the recipient’s public key,
and both are transmitted to the recipient. In order to decrypt the data, the recipient’s copy of PGP uses the private key to recover the temporary session key, which is then used to decrypt the cipher text. The use of both encryption methods combines convenience and speed without forfeiting security (“What is Encryption”, n.d.).

Conclusion

Information security is a business risk management issue. When determining the appropriate level of controls to safeguard information, an organization must determine risk levels and the highest level of potential threats against the information, and ensure that protection mechanisms are in place to avert and detect attacks resulting from these threats. The appropriate level of control depends not only on the risk to the organization, but also on the environment in which information is stored, processed or transmitted. This task is enormous, and the ramifications of not adhering to regulations and security management are profound. If regulations and industry standards are not followed stringently, a firm’s reputation and financial future can be irreparably damaged.
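The hybrid flow attributed to PGP in the preceding section (compress, one-time session key, symmetric encryption of the data, session key encrypted with the recipient’s public key, recovered with the private key), as an added Python example that is not code from the paper or from PGP Corporation. The symmetric cipher (an HMAC-SHA256 counter-mode keystream with an integrity tag) and the toy unpadded RSA over two fixed Mersenne primes are assumptions chosen so the model runs on the standard library alone; they stand in for PGP’s real algorithms and are not fit for production use.

```python
"""Teaching model of the PGP-style hybrid flow: compress, one-time session key,
symmetric encryption of the data, public-key wrapping of the session key.
Standard library only (assumed substitutes, not PGP's algorithms):
  - symmetric cipher: HMAC-SHA256 counter-mode keystream + HMAC integrity tag
  - public-key step: textbook (unpadded) RSA on two fixed Mersenne primes
"""
import hashlib
import hmac
import os
import zlib

# Toy RSA key from known Mersenne primes so the example runs offline and fast.
# Real keys are generated randomly and the session key is padded before the
# RSA operation; neither is done here.
P = (1 << 127) - 1
Q = (1 << 521) - 1
E = 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)

KEY_LEN = 32    # 256-bit one-time session key
NONCE_LEN = 16
TAG_LEN = 32    # HMAC-SHA256 tag over nonce || ciphertext


def _keystream_xor(key, nonce, data):
    """Counter mode: keystream block i = HMAC(key, nonce || i); XOR into data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt(plaintext, public_key):
    """Return (wrapped_session_key, nonce || ciphertext || tag)."""
    n, e = public_key
    compressed = zlib.compress(plaintext)                    # step 1: compress
    session_key = os.urandom(KEY_LEN)                        # step 2: one-time key
    nonce = os.urandom(NONCE_LEN)
    body = _keystream_xor(session_key, nonce, compressed)    # step 3: encrypt data
    tag = hmac.new(session_key, nonce + body, hashlib.sha256).digest()
    # step 4: encrypt the session key with the recipient's public key
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    return wrapped.to_bytes((n.bit_length() + 7) // 8, "big"), nonce + body + tag


def decrypt(wrapped_key, message, private_key):
    """Recover the session key with the private key, check the tag, then decrypt."""
    n, d = private_key
    k = pow(int.from_bytes(wrapped_key, "big"), d, n)
    if k.bit_length() > KEY_LEN * 8:
        raise ValueError("wrapped key did not unwrap to a session key (wrong key?)")
    session_key = k.to_bytes(KEY_LEN, "big")
    nonce, body, tag = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(session_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message altered in transit")
    return zlib.decompress(_keystream_xor(session_key, nonce, body))


def roundtrip(plaintext):
    """Sender-to-recipient round trip with the toy key pair above."""
    wrapped, message = encrypt(plaintext, PUBLIC_KEY)
    return decrypt(wrapped, message, PRIVATE_KEY)


if __name__ == "__main__":
    sample = b"constructed sample: cardholder record 0000-0000-0000-0000"
    wrapped, message = encrypt(sample, PUBLIC_KEY)
    print(len(wrapped), "byte wrapped key,", len(message), "byte message")
    print(decrypt(wrapped, message, PRIVATE_KEY) == sample)
```

The tag check is the part a reviewer should look for in any deployment of this pattern: without it, an altered ciphertext still decrypts to something, and the compression step alone provides no integrity.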
References

Amis, R. (2006, March 16). Introducing COBIT. Retrieved March 21, 2006, from http://management.itmanagerjournal.com/management/06/03/13/1845239.shtml?tid=88

Apani Networks White Paper Compliance Series. Regulatory Compliance Series 4 of 6 (2005, May 12). The Federal Information Security Management Act (FISMA) and Its Impact on IT Security. Retrieved February 18, 2006, from http://www.knowledgestorm.com

Applegate, D. & Wills, T. (1999, December). Struggling to incorporate the COSO recommendations into your audit process? Retrieved March 2, 2006, from http://www.coso.org/audit_shop.htm

Applying COSO’s Enterprise Risk Management – Integrated Framework (n.d.). Retrieved March 21, 2006, from http://www.coso.org

Bowser, D. (2005, December). How to Learn to Love Sarbanes-Oxley. CSO Online.com. Retrieved March 30, 2006, from http://www.csoonline.com

Computer Associates PowerPoint Presentation (2004). Considerations for Managing Business and Compliance Issues with IAM Solutions.

Crawford, D. (n.d.). COSO & Self Assessment. Retrieved March 15, 2006, from http://www.coso.org/publications.htm

GeoTrust White Paper (2006). Meeting SOX and GLBA Compliance. Retrieved March 1, 2006, from http://www.knowledgestorm.com

Introduction to Data Encryption (n.d.). Retrieved March 21, 2006, from http://library.thinkquest.org/27158/history.html

IT Governance Institute (2004). IT Control Objectives for Sarbanes-Oxley. Hard copy publication received from Computer Associates. ISBN: 1-893209-67-9.

Kapuria, S. (2005, November 10). Steps for managing risk. Computerworld. Retrieved March 30, 2006, from http://www.computerworld.com

Kolodgy, C. (2005, December). IDC Analyze the Future. Optimizing Your IT Controls Environment for Compliance with Multiple Regulations. Retrieved March 28, 2006, from http://www.knowledgestorm.com

Lost Customer Information: Surveys Reveal Consumer Revolt and $14 Million Average Corporate Costs to Contain Brand Damage. (2005, November). Retrieved March 21, 2006, from http://www.pgp.com/news/2005/ponemon_report.html

Mark, H. The Achilles Heel of Information Security. Retrieved February 23, 2006, from http://www.transactionworld.com/articles/2005/December/securit1.asp

Morency, J. (2005, January 10). Best practice, practice, practice. NetworkWorld. Retrieved March 30, 2006, from http://www.networkworld.com/research/2005/011005cobit.html

Netegrity White Paper (2003, May 15). Securely Let Business In – Keep Risk Out. Retrieved April 4, 2006, from http://www.knowledgestrom.com

Sandia Report: A COBIT Primer (2005, June). Retrieved March 21, 2006, from http://www.isaca.org/.../ContentManagement/ContentDisplay.cfm

Simmons, M. (1997, December). COSO Based Auditing. Retrieved March 1, 2006, from http://www.cwu.edu/~atkinsom/coso.htm

Sullivan, D. (2005, April 18). Continuing Threats to Assets and Recourses. Retrieved March 21, 2006, from http://www.Securitydocs.com/library/3211/2

Serena White Paper (2004). Managing Regulatory Risk Through Improved IT Processes. Retrieved from http://www.knowledgestorm.com

Ponemon, L. (2005, December 22). Encryption: A nice idea that few want to implement? Computerworld. Retrieved March 30, 2006, from http://www.computerworld.com

PwC Advisory White Paper (2005). Performance Improvement. How to use identity management to reduce the cost and complexity of Sarbanes-Oxley compliance. Retrieved March 4, 2006, from http://www.knowledgestorm.com

Visa USA Cardholder Information Security Program (CISP). Retrieved March 18, 2006, from http://www.visa.com/CISP

Vormetric White Paper (2005, December 1). Ensuring Compliance with Payment Card Industry Data Security Standards (PCI DSS). Forbes. Retrieved March 28, 2006, from http://itresearch.forbes.com/detail/RES/1138980033_603.html

What is Encryption? (n.d.). Retrieved March 21, 2006, from http://wisegeek.com/what-isencryption.htm

Wheatman, V. & Proctor, P. (2005, June). Gartner Research. Management Update: Eight Steps Needed to Define Reasonable Security. Retrieved February 21, 2006, from http://mediaproducts.gartner.com/reprints/knowledgestorm/129076.html

Zweig, P., Holland, K., Spiro & Burrows (1994, October 31). Managing Risk. Business Week Online. Retrieved March 30, 2006, from http://www.Business.com/archives.com
Appendixes

1. Brief Descriptions of Selected Regulations and Standards
2. PCI Cardholder Information Security Program Data Standards
3. PCI Cardholder Information Security Program Best Practices
4. Top 10 SOX Control Deficiencies
5. Key Features of an IAM Solution