LPTv4 Module 47: Standards and Compliance
ECSA/LPT transcript
EC-Council Module XLVII: Standards and Compliance
Laws
List of statutes, regulations, and other laws that may govern information security consultants and their customers:
• Gramm-Leach-Bliley Act (GLBA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Sarbanes-Oxley Act (SOX)
• Federal Information Security Management Act (FISMA)
• Family Educational Rights and Privacy Act (FERPA)
• Electronic Communications Privacy Act (ECPA)
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
GLBA Compliance Checklist
Does the written security program include:
• Program policies?
• Issue-specific policies?
• System-specific policies?
Perform a risk assessment to identify the threats to the customer's data and to the systems that store it.
Create a written incident response plan that is acted on when any unauthorized access is detected.
Document business continuity plans covering those systems that support customer information.
GLBA Compliance Checklist (cont'd)
The checklist for the Safeguards Rule is as follows:
• Does the organization have appropriate disciplinary policies?
• Does the written document contain the policies and procedures for handling confidential information?
• Are employees made aware of the information security policies and practices?
• Does the organization have record retention policies for those files that contain customer information and identity verification?
• Is the storage area secured from unauthorized access and protected against physical hazards like fire or floods?
• Are the organization's electronic records stored securely?
• How does the organization transmit and receive sensitive customer information?
GLBA Compliance Checklist (cont'd)
Checklist for administrative safeguards:
• Does the organization have official sanctions against employees who fail to comply with security policies and procedures?
• Does the organization implement policies to review audit logs, access reports, and security incident tracking records?
• Does the organization check the references or background of potential employees?
• How does the organization ensure that employees are kept up to date on applicable policies and expectations?
• Does the organization conduct scheduled and unscheduled training for employees on security policies?
• Does the organization have specific policies, procedures, and tools for defending against, detecting, and reporting malicious software?
• Has the organization established procedures for restoring any loss of customer information stored electronically?
• Has the organization implemented procedures for periodic testing and correction of contingency plans?
GLBA Compliance Checklist (cont'd)
Checklist for physical safeguards:
• Has the organization implemented policies and procedures for the protection of the facility and equipment from unauthorized access and theft?
• Are there facilities to lock rooms and file cabinets where customer information is kept?
• Has the organization implemented physical safeguards for all workstations that access customer information, so that access is authenticated to authorized users?
• Does the organization implement policies and procedures to address final disposition of customer information and of the hardware or storage media on which it is stored?
• Does the organization maintain records of the movement of hardware and electronic media, and of the entity responsible for each movement?
• Does the organization create a retrievable, exact copy of customer information, when needed, before moving equipment?
GLBA Compliance Checklist (cont'd)
Checklist for technical safeguards:
• Does the organization manage all of its security tools and keep employees informed about security risks and breaches?
• Has the organization established a written contingency plan addressing breaches of safeguards?
• Has the organization established procedures for obtaining essential customer information during an emergency?
• Does the organization store electronic customer information on a secure server that is accessible only through password authentication and that is located in a physically secure area?
• Has the organization implemented mechanisms for encrypting and decrypting customer information?
• Does the system administrator regularly scan for, obtain, and install patches that resolve software vulnerabilities?
• Does the organization have procedures and controls for maintaining secure backup media and secure archived data?
HIPAA Compliance Checklist
Administrative safeguards:
• Has the organization implemented procedures for the approval or supervision of employees who work with Electronic Protected Health Information (EPHI) or in locations where it might be accessed?
• Does the organization implement policies for granting access to EPHI, such as through access to a workplace, transaction, program, or process?
• Does the organization establish procedures for creating and maintaining retrievable, exact copies of EPHI?
• Has the organization established procedures for restoring any loss of EPHI stored electronically?
HIPAA Compliance Checklist (cont'd)
Physical safeguards:
• Has the organization implemented policies and procedures for the protection of the facility and equipment from unauthorized access and theft?
• Does the organization implement procedures to control and authenticate a person's access to facilities based on his or her role or function?
• Does the organization implement policies and procedures that specify the proper functions to be performed at workstations that access EPHI?
• Has the organization implemented physical safeguards for all workstations that access EPHI, so that access is authenticated to authorized users?
• Does the organization implement policies and procedures to address final disposition of EPHI and of the hardware or storage media on which it is stored?
HIPAA Compliance Checklist (cont'd)
Technical safeguards:
• Is there a procedure for assigning a unique name or number to identify and track each user's identity in the organization?
• Does the organization establish procedures for obtaining necessary EPHI during an emergency?
• Has the organization implemented mechanisms for encrypting and decrypting EPHI?
• Does the organization implement audit controls (hardware, software, or procedural mechanisms) that record and examine activity in information systems that contain or use EPHI?
• Has the organization implemented electronic mechanisms to verify that EPHI has not been altered or destroyed in an unauthorized manner?
• Is there a procedure for authenticating a person, to verify that he or she is the one claimed, before granting access to EPHI?
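The checklist asks whether three technical safeguards exist but does not show what they look like in code. The following is an added example, not part of the EC-Council module, that implements the minimum of three items above with only the Python standard library: unique user identification (every audit entry names a distinct user ID), an integrity mechanism (a keyed HMAC-SHA-256 tag over each EPHI record, bound to the record ID so a valid record cannot be swapped into another patient's slot), and audit controls (an append-only log whose entries are HMAC-chained so that editing or deleting one breaks verification of every later one). The key constant, the record layout, the patient data and the user IDs are constructed for illustration; a real deployment would fetch the key from a KMS or HSM and persist the log outside the application's write path.

```python
import hashlib
import hmac
import json

# Assumption: in a real deployment the integrity key comes from a KMS/HSM.
# It is a hard-coded constant here only so that the example runs offline.
INTEGRITY_KEY = b"example-32-byte-key-for-demo-only!!"


def canonical(payload: dict) -> bytes:
    """Deterministic JSON encoding so the same record always MACs the same."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def seal_record(key: bytes, record_id: str, payload: dict) -> dict:
    """Attach a keyed HMAC-SHA-256 tag over (record_id || 0x00 || payload).

    Binding record_id into the MAC stops an attacker from moving a valid
    record under a different patient's identifier."""
    msg = record_id.encode() + b"\x00" + canonical(payload)
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"id": record_id, "payload": payload, "tag": tag}


def verify_record(key: bytes, sealed: dict) -> bool:
    """Integrity check: recompute the tag and compare in constant time."""
    msg = sealed["id"].encode() + b"\x00" + canonical(sealed["payload"])
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


class AuditLog:
    """Append-only audit trail. Each entry names the unique user ID, the
    action, the record touched and the outcome, and carries an HMAC over
    itself plus the previous entry's MAC, so removing or rewriting an entry
    invalidates the chain from that point on."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def _mac(self, prev_mac: str, body: dict) -> str:
        return hmac.new(self._key, prev_mac.encode() + canonical(body),
                        hashlib.sha256).hexdigest()

    def append(self, user_id: str, action: str, record_id: str, outcome: str) -> None:
        body = {"seq": len(self.entries), "user": user_id, "action": action,
                "record": record_id, "outcome": outcome}
        prev_mac = self.entries[-1]["mac"] if self.entries else ""
        self.entries.append(dict(body, mac=self._mac(prev_mac, body)))

    def verify_chain(self) -> bool:
        prev_mac = ""
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "mac"}
            if not hmac.compare_digest(self._mac(prev_mac, body), entry["mac"]):
                return False
            prev_mac = entry["mac"]
        return True


def demo() -> dict:
    """Exercise the controls over a constructed (fake) EPHI record."""
    log = AuditLog(INTEGRITY_KEY)
    # Constructed sample data; not real patient information.
    sealed = seal_record(INTEGRITY_KEY, "pt-0001",
                         {"patient": "J. Doe", "dx": "E11.9", "rx": "metformin 500mg"})
    intact = verify_record(INTEGRITY_KEY, sealed)
    log.append("u-4821", "read", sealed["id"], "ok" if intact else "integrity-fail")

    # Unauthorized modification: a dosage edited outside the application.
    tampered = json.loads(json.dumps(sealed))  # deep copy
    tampered["payload"]["rx"] = "metformin 5000mg"
    tampered_ok = verify_record(INTEGRITY_KEY, tampered)
    log.append("u-4821", "read", tampered["id"], "ok" if tampered_ok else "integrity-fail")

    # Record swap: an untouched, validly tagged record filed under another ID.
    swapped_ok = verify_record(INTEGRITY_KEY, dict(sealed, id="pt-0002"))

    chain_before = log.verify_chain()
    # Cover-up attempt: rewrite the entry that recorded the failed check.
    log.entries[1]["outcome"] = "ok"
    chain_after = log.verify_chain()

    return {"intact": intact, "tampered": tampered_ok, "swapped": swapped_ok,
            "chain_before_edit": chain_before, "chain_after_edit": chain_after,
            "entries": len(log.entries)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the file prints the outcome of each check: the untouched record verifies, the altered dosage and the swapped record ID both fail, the audit chain verifies until an entry is rewritten, after which it fails. Note that the HMAC covers integrity only; the checklist's separate encryption item still needs an authenticated cipher over the payload, and the log must be written somewhere the application's own credentials cannot modify.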
Sarbanes-Oxley Compliance Checklist
Has the audit committee established communication procedures that guarantee safe, secure, and anonymous communications with employees?
Has the audit committee established record retention procedures that safeguard the receipt and treatment of employee reports of fraud?
Are all frauds, whether material or not, reported to the audit committee?
Are disclosure controls defined for financial reporting?
Sarbanes-Oxley Compliance Checklist (cont'd)
Do the financial disclosures reflect all material correcting adjustments and off-balance-sheet transactions?
Is a code of ethics established for the financial function and financial officers?
Has the company adopted a code of ethics for its senior financial officers?
Has management reviewed the effectiveness of the organization's internal controls and procedures for financial reporting?
FISMA Compliance Checklist
Does the organization regularly review the risks pertaining to the information system?
Does the organization develop security policies and procedures based on the results of risk assessments?
Does the organization follow the policies that are based on risk assessments?
Does the organization plan to acquire proper information about its facilities, networks, and information systems?
Does the organization provide security awareness training to all employees?
FISMA Compliance Checklist (cont'd)
Does the organization evaluate the effectiveness of information security policies annually?
Does the organization plan, implement, evaluate, and document remedial action for deficiencies in the information security policy?
Does the organization plan procedures for detecting, reporting, and responding to security incidents?
Does the organization plan procedures for the continuity of operations of information systems that support the operations and assets of the organization?
FERPA Compliance Checklist
Each program must have release-of-confidential-information forms on the program's letterhead.
No confidential information should be shared outside.
Faxing and other electronic transfer methods are not permissible for the transfer of confidential information.
Applications and enrollment forms must be free of confidential questions.
No confidential information should be shared with the student without a release.
Each program must keep all confidential information in locked files with monitored access only.
Confidential information files should be maintained for a period of five years.
Confidential files should be maintained properly.
FERPA Compliance Checklist (cont'd)
Does the university have a written policy about students' academic records?
Does the university annually notify students of their rights and of the institution's policies pertaining to FERPA?
What are the rights of inspection and review of a student's educational records?
What are the procedures for modifying educational records?
Do students have a right to see and change their educational records?
FERPA Compliance Checklist (cont'd)
Does the annual notification to currently enrolled students concerning their rights under FERPA contain the following information:
• The right of the student to inspect and review education records?
• The right of the student to amend or correct any part of the education record believed to be inaccurate, misleading, or in violation of the privacy rights of the student?
• The right of the student to control the disclosure of personally identifiable information contained in the student's educational records, except as otherwise authorized by law?
FERPA Compliance Checklist (cont'd)
Does the university reserve the right to refuse a student permission to inspect the following records:
• The financial statements and tax returns of the student's parents?
• Letters and statements of recommendation for which the student has waived his or her right of access?
• Those records that are not education records as defined by FERPA?
ECPA Compliance Checklist
Block all P2P file sharing
Ensure that employees follow the authorized IM usage policy
Restrict the transmission of confidential information over such channels
Ensure that only authorized persons can access confidential and sensitive information
Only authorized persons should have the authority to transmit and receive the information
Maintain the confidentiality of the data
Monitor and audit the activities of users who use IM and other communication channels
Provide training to employees
Summary
GLBA compliance checklist:
• Perform a risk assessment to identify the threats to the customer's data and to the systems that store it
• Create a written incident response plan that is acted on when any unauthorized access is detected
HIPAA compliance checklist:
• Has the organization implemented mechanisms for encrypting and decrypting EPHI?
FISMA compliance checklist:
• Develop security policies and procedures based on the results of risk assessments
FERPA compliance checklist:
• No confidential information should be shared outside