LPTv4 Module 47 Standards and Compliance

/ECSA/LPT EC-Council Module XLVII: Standards and Compliance

Upload: shanky-verma-soni

Post on 04-Feb-2016

TRANSCRIPT

Page 1: LPTv4 Module 47 Standards and Compliance

/ECSA/LPT

EC-Council Module XLVII: Standards and Compliance

Page 2: LPTv4 Module 47 Standards and Compliance

Laws

List of statutes, regulations, and other laws that may govern information security consultants and their customers:

• Gramm-Leach-Bliley Act (GLBA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Sarbanes-Oxley Act (SOX)
• Federal Information Security Management Act (FISMA)
• Family Educational Rights and Privacy Act (FERPA)
• Electronic Communications Privacy Act (ECPA)

EC-CouncilCopyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

Page 3: LPTv4 Module 47 Standards and Compliance

GLBA Compliance Checklist

Does the written security program include:

• Program policies?
• Issue-specific policies?
• System-specific policies?

Perform a risk assessment to identify the threats to the customer's data and to the systems that store it.

Create a written incident response plan that specifies the actions to take when unauthorized access is detected.

Document business continuity plans covering the systems that support customer information.

Page 4: LPTv4 Module 47 Standards and Compliance

GLBA Compliance Checklist (cont’d)

The checklist for the Safeguards Rule is as follows:

• Does the organization have appropriate disciplinary policies?
• Does the written document contain the policies and procedures for handling confidential information?
• Are employees made aware of the information security policies and practices?
• Does the organization have record retention policies for files that contain customer information and identity verification?
• Is the storage area secured from unauthorized access and protected against physical hazards such as fire or flood?
• Are the organization's electronic records stored securely?
• How does the organization transmit and receive sensitive customer information?

Page 5: LPTv4 Module 47 Standards and Compliance

GLBA Compliance Checklist (cont’d)

Checklist for administrative safeguards:

• Does the organization have official sanctions against employees who fail to comply with security policies and procedures?
• Does the organization implement policies to review audit logs, access reports, and records of security incidents?
• Does the organization check the references or background of potential employees?
• How does the organization ensure that employees are kept up to date on applicable policies and expectations?
• Does the organization conduct scheduled and unscheduled training for its employees on security policies?
• Does the organization have specific policies, procedures, and tools for defending against, detecting, and reporting malicious software?
• Has the organization established procedures for restoring any loss of customer information stored electronically?
• Has the organization implemented procedures for periodic testing and correction of contingency plans?

Page 6: LPTv4 Module 47 Standards and Compliance

GLBA Compliance Checklist (cont’d)

Checklist for physical safeguards:

• Has the organization implemented policies and procedures for the protection of the facility and equipment from unauthorized access and theft?
• Is there a facility to lock rooms and file cabinets where customer information is kept?
• Has the organization implemented physical safeguards for all workstations that access customer information, so that only authorized users are authenticated to them?
• Does the organization implement policies and procedures to address the final disposition of customer information and of the hardware or storage media on which it is stored?
• Does the organization maintain a record of the movements of hardware and electronic media, and of the entity responsible for each movement?
• Does the organization create a retrievable, exact copy of customer information, when needed, before moving the equipment?

Page 7: LPTv4 Module 47 Standards and Compliance

GLBA Compliance Checklist (cont’d)

Checklist for technical safeguards:

• Does the organization manage all of its security tools and keep employees informed about security risks and breaches?
• Has the organization established a written contingency plan addressing breaches of safeguards?
• Has the organization established procedures for obtaining essential customer information during an emergency?
• Does the organization store electronic customer information on a secure server that is accessible only with a password and is located in a physically secure area?
• Has the organization implemented a mechanism for encrypting and decrypting customer information?
• Does the organization's system administrator regularly scan for, obtain, and install patches that resolve software vulnerabilities?
• Does the organization have procedures and controls for maintaining secure backup media and securely archived data?

Page 8: LPTv4 Module 47 Standards and Compliance

HIPAA Compliance Checklist

Administrative safeguards:

• Has the organization implemented procedures for the authorization or supervision of employees who work with Electronic Protected Health Information (EPHI) or in locations where it might be accessed?
• Does the organization implement policies for granting access to EPHI, for example through access to a workstation, transaction, program, or process?
• Does the organization establish procedures for creating and maintaining retrievable, exact copies of EPHI?
• Has the organization established procedures for restoring any loss of EPHI that is stored electronically?

Page 9: LPTv4 Module 47 Standards and Compliance

HIPAA Compliance Checklist (cont’d)

Physical safeguards:

• Has the organization implemented policies and procedures for the protection of the facility and equipment from unauthorized access and theft?
• Does the organization implement procedures to control and validate a person's access to facilities based on his or her role or function?
• Does the organization implement policies and procedures that specify the proper functions to be performed at workstations that access EPHI?
• Has the organization implemented physical safeguards for all workstations that access EPHI, so that only authorized users are authenticated to them?
• Does the organization implement policies and procedures to address the final disposition of EPHI, and of the hardware or storage media on which it is stored?

Page 10: LPTv4 Module 47 Standards and Compliance

HIPAA Compliance Checklist (cont’d)

Technical safeguards:

• Is there a procedure for assigning a unique name or number to identify and track each user's identity in the organization?
• Does the organization establish procedures for obtaining necessary EPHI during an emergency?
• Has the organization implemented a mechanism for encrypting and decrypting EPHI?
• Does the organization implement audit controls (hardware, software, or procedural mechanisms) that record and examine activity in information systems that contain or use EPHI?
• Has the organization implemented electronic mechanisms to verify that EPHI has not been altered or destroyed in an unauthorized manner?
• Is there a procedure for authenticating a person, to verify that the person is the one who claims to be seeking access to EPHI?
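The checklist above asks whether the organization has an integrity-verification mechanism, audit controls, and a unique user identifier for EPHI; the GLBA administrative checklist earlier asks the equivalent question about reviewing audit logs. The following is an added example, not code from the EC-Council module, showing the shape of such a mechanism with only the Python standard library: a keyed HMAC tag over each record so unauthorized modification is detectable, and an append-only audit log in which each entry is chained to the previous one so deleted or reordered entries are also detectable. The key literal, the record fields, and the log layout are constructed for illustration and are not drawn from HIPAA or GLBA.

```python
"""Added example: integrity tags for records and a chained audit log.
Stdlib only. Key, record layout and log format are illustrative assumptions."""
import hashlib
import hmac
import json
import time

# Assumption: a real deployment would fetch this from a KMS or HSM, never a literal.
INTEGRITY_KEY = b"example-key-do-not-use-in-production"
GENESIS = "0" * 64  # "previous hash" of the first audit entry


def canonical(record: dict) -> bytes:
    """Deterministic serialization so the tag does not depend on key ordering."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Return a copy of the record with an HMAC-SHA256 integrity tag attached."""
    body = {k: v for k, v in record.items() if k != "tag"}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


def verify(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """True only if the record's fields still match its tag (constant-time compare)."""
    tag = sealed.get("tag")
    if not isinstance(tag, str):
        return False
    body = {k: v for k, v in sealed.items() if k != "tag"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


class AuditLog:
    """Append-only log keyed by unique user ID. Each entry carries the hash of
    the previous entry, so removing or reordering entries breaks the chain."""

    def __init__(self, key: bytes = INTEGRITY_KEY):
        self.key = key
        self.entries = []
        self.prev_hash = GENESIS

    def record(self, user_id: str, action: str, record_id: str, ok: bool, ts=None) -> dict:
        entry = {
            "ts": ts if ts is not None else time.time(),
            "user": user_id,      # the unique user identifier the checklist asks for
            "action": action,
            "record": record_id,
            "ok": ok,             # result of the integrity check at access time
            "prev": self.prev_hash,
        }
        entry["hash"] = hmac.new(self.key, canonical(entry), hashlib.sha256).hexdigest()
        self.entries.append(entry)
        self.prev_hash = entry["hash"]
        return entry

    def verify_chain(self) -> bool:
        """Walk the log; fail on any edited, deleted or reordered entry."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body.get("prev") != prev:
                return False
            expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(entry["hash"], expected):
                return False
            prev = entry["hash"]
        return True


def demo():
    """Constructed sample: seal a record, tamper with it, log both reads,
    then delete an audit entry and show the chain check catches it."""
    log = AuditLog()
    rec = seal({"patient_id": "P-0001", "dx": "J45.909", "note": "constructed sample"})
    ok_before = verify(rec)
    log.record("u-1234", "read", rec["patient_id"], ok_before, ts=1)
    tampered = dict(rec, dx="Z00.00")  # unauthorized modification, tag left untouched
    ok_after = verify(tampered)
    log.record("u-1234", "read", rec["patient_id"], ok_after, ts=2)
    chain_ok = log.verify_chain()
    del log.entries[0]  # simulate someone deleting evidence from the audit trail
    chain_after_delete = log.verify_chain()
    return ok_before, ok_after, chain_ok, chain_after_delete


if __name__ == "__main__":
    print(demo())  # prints (True, False, True, False)
```

The HMAC answers the "altered or destroyed" question only for modification; destruction is caught by the audit chain, which notices that an expected entry or record reference is missing. Neither control protects the key itself, which is why the comment points at a KMS or HSM rather than a hard-coded value.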

Page 11: LPTv4 Module 47 Standards and Compliance

Sarbanes-Oxley Compliance Checklist

Has the audit committee established communication procedures that guarantee safe, secure, and anonymous communications with employees?

Has the audit committee established record retention procedures that safeguard the receipt and treatment of employee reports of fraud?

Are all frauds, whether material or not, reported to the audit committee?

Are disclosure controls defined for financial reporting?

Page 12: LPTv4 Module 47 Standards and Compliance

Sarbanes-Oxley Compliance Checklist (cont’d)

Do the financial disclosures reflect all material correcting adjustments and off-balance-sheet transactions?

Is a code of ethics established for the financial function and financial officers?

Has the company adopted a code of ethics for its senior financial officers?

Has management reviewed the effectiveness of the organization's internal controls and procedures for financial reporting?

Page 13: LPTv4 Module 47 Standards and Compliance

FISMA Compliance Checklist

Does the organization regularly review the risks pertaining to its information systems?

Does the organization develop security policies and procedures based on the results of risk assessments?

Does the organization follow the policies that are based on those risk assessments?

Does the organization maintain plans for providing adequate security for its facilities, networks, and information systems?

Does the organization provide security awareness training to all employees?

Page 14: LPTv4 Module 47 Standards and Compliance

FISMA Compliance Checklist (cont’d)

Does the organization evaluate the effectiveness of its information security policies at least annually?

Does the organization plan, implement, evaluate, and document remedial actions for deficiencies in its information security policies and practices?

Does the organization have procedures for detecting, reporting, and responding to security incidents?

Does the organization have plans and procedures to ensure continuity of operations for the information systems that support its operations and assets?

Page 15: LPTv4 Module 47 Standards and Compliance

FERPA Compliance Checklist

Each program must have release-of-confidential-information forms on the program's letterhead.

No confidential information should be shared outside the program.

Faxing and other electronic transfer methods are not permissible for the transfer of confidential information.

Applications and enrollment forms must be free of confidential questions.

No confidential information should be shared with the student without a release.

Each program must keep all confidential information in locked files with monitored access only.

Confidential information files should be maintained for a period of five years.

Confidential files should be maintained properly.

Page 16: LPTv4 Module 47 Standards and Compliance

FERPA Compliance Checklist (cont’d)

Does the university have a written policy about students' academic records?

Does the university annually notify students of their rights and of the institution's policies pertaining to FERPA?

What are the rights of inspection and review of a student's educational records?

What are the procedures for modifying educational records?

Do students have a right to see and change their educational records?

Page 17: LPTv4 Module 47 Standards and Compliance

FERPA Compliance Checklist (cont’d)

Does the annual notification to currently enrolled students concerning their rights under FERPA contain the following information:

• The right of the student to inspect and review education records?
• The right of the student to amend or correct any part of the education record believed to be inaccurate, misleading, or in violation of the student's privacy rights?
• The right of the student to control the disclosure of personally identifiable information contained in the student's educational records, except as otherwise authorized by law?

Page 18: LPTv4 Module 47 Standards and Compliance

FERPA Compliance Checklist (cont’d)

Does the university reserve the right to refuse a student inspection of the following records:

• The financial statements and tax returns of the student's parents?
• Letters and statements of recommendation to which the student has waived his or her right of access?
• Records that are not education records as defined by FERPA?

Page 19: LPTv4 Module 47 Standards and Compliance

ECPA Compliance Checklist

Block all P2P file sharing.

Ensure that employees follow an authorized IM usage policy.

Restrict the transmission of confidential information over such channels.

Ensure that only authorized persons can access confidential and sensitive information.

Only authorized persons should have the authority to transmit and receive the information.

Maintain the confidentiality of the data.

Monitor and audit the activities of users who use IM and other communication channels.

Provide training to employees.

Page 20: LPTv4 Module 47 Standards and Compliance

Summary

GLBA compliance checklist:

• Perform a risk assessment to identify the threats to the customer's data and to the systems that store it
• Create a written incident response plan that specifies the actions to take when unauthorized access is detected

HIPAA compliance checklist:

• Has the organization implemented a mechanism for encrypting and decrypting EPHI?

FISMA compliance checklist:

• Develop security policies and procedures based on the results of risk assessments

FERPA compliance checklist:

• No confidential information should be shared outside the program
