Page 1

Securing Your Computing Environment to Conform to Privacy Regulations

July 31, 2002

Page 2

Agenda

• Introductions

• Why Privacy Matters

• Gramm-Leach-Bliley 101

• Interagency Guidelines

• Scenarios

• Summary of Key Points

Page 3

Why Privacy Matters

Privacy is one of the most visible business and public policy issues facing institutions in the information economy

The Internet has seen consumers’ awareness increase … customers are demanding a greater sense of trust and confidence

Privacy is increasingly a matter of regulatory compliance:

• U.S. financial services and health information privacy legislation

• Emerging state legislative activity

• Global data protection legislation and regulation

Consequences of a privacy failure can include:

• Damage to brand, reputation, and ability to retain customers

• Loss of revenue and new business opportunities

• Potential federal and state enforcement actions

• Class action litigation

• For global operations, interruption of transborder dataflows

Page 4

Introduction to Gramm-Leach-Bliley

GLBA Title V Privacy Requirements Apply to:

• All Financial Institutions (banks, broker dealers, mutual funds, insurance companies) – both regulated and non-regulated

• Activities that are financial in nature or incidental to financial activities

Title V Protects:

• Any nonpublic personal data collected in the purchase or administration of financial products for individual, family or household use

– regardless of source

– regardless of whether the purchase goes through

GLBA does not preempt stronger state law protecting privacy of consumer information

Page 5

Privacy Protections

Overview of Title V Privacy Requirements

• Require financial institutions to develop privacy policies and procedures to protect nonpublic personal information

• Require disclosure of these policies in a clear and conspicuous notice

• Restrict sharing of nonpublic personal information and account identifiers

• Provides opt-out consumer choice for sharing with non-affiliates; no choice when sharing occurs between affiliates

• Security rules have now been developed, requiring financial institutions to have extensive security policies and procedures

• Public information can be shared without restriction, but the agencies have established a due diligence standard for classifying information as nonpublic

Page 6

GLBA Security Requirements

GLBA Section 501(b) requires agencies/authority to establish appropriate standards for financial institutions in their jurisdiction relating to the administrative, technical and physical safeguards of non-public customer data to:

• Insure the security and confidentiality of customer records and information

• Protect against anticipated threats and hazards to the security or integrity of these records

• Protect against unauthorized access or use which could result in substantial harm or inconvenience to a customer

Page 7

Gramm-Leach-Bliley Title V

GLBA titles (overview):

• Title I – Facilitates affiliation among banks, securities firms and insurance companies

• Title III – Insurance

• Title IV – Unitary savings and loan holding companies

• Title V – Consumer Privacy

• Title VI – Federal Home Loan Bank System modernization

• Title VII – Other provisions: ATM fee reform, community reinvestment, other regulatory improvements

Title V implementing regulators:

• Banking Agencies (FDIC, OCC, OTS, Federal Reserve) – Issued final privacy regulations; issued final security guidelines, the “Interagency Guidelines Establishing Standards for Safeguarding Customer Information and Rescission of Year 2000 Standards for Safety and Soundness”

• FTC – Issued final privacy regulations; issued final security regulations

• SEC – Issued final privacy regulations known as “Regulation S-P”

• National Credit Union Association (NCUA) – Issued final privacy regulations; issued final security regulations

• State insurance regulators – NAIC model law 672; NCOIL draft model legislation; NYS Regulation 169/173; potential for 50 different state laws

Page 8

GLBA Key Terms

Nonpublic personal information means:

Individually identifying information provided by consumers, or obtained through transactions or third parties in the process of obtaining or administering financial products, including lists compiled from public information. Nonpublic information can include:

• Salary

• Social Security Number

• Account numbers

• Account balances

• Financial products purchased

• Identifying information collected via cookies

• Any information not collected from a public source, etc.

Public information means:

Identifying information lawfully available to the general public from public records or other public databases such as:

• Public records (e.g., real estate disclosures, bankruptcy filings, tax liens)

• Information from telephone white pages

• Information from websites with nonrestricted access

Page 9

Public Information Due Diligence

“Reasonable Basis” under banking, FTC and insurance models:

• The institution has taken steps to determine that the information is available to the general public and the individual has not prevented disclosure of the information if that option is available

“Reasonable Belief” under the SEC rule:

• The institution has confirmed or the consumer has represented that the information is available through a public source and the consumer has not restricted disclosure of the information where that option is available; or

• The institution has taken steps to submit the information, in accordance with policies/procedures and applicable law, to a keeper of records that is required to make information public

Page 10

Interagency Guidelines

The Agencies require regulated entities to implement a comprehensive written information security program addressing administrative, technical and physical safeguards to protect sensitive customer information.

The objectives of the entity’s IS program are to:

(a) Ensure the security and confidentiality of customer information;

(b) Protect against any anticipated threats or hazards to the security or integrity of such information; and

(c) Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

Compliance Date: July 1, 2001

Grandfathering clause extends the compliance date for contracts entered into on or before March 5, 2001 to July 1, 2003

Page 11

Interagency Guidelines – Key Components

Assess Risk

• Identify external and internal threats to customer information

• Assess the likelihood of potential damages

• Determine the adequacy of mitigating controls

• Board of Directors must approve the IS program

• Board must oversee and remain accountable for the IS program

Manage and Control Risk

• Design IS program that is appropriate for “size and scope of operations”

• Conduct IS training for employees

• Regularly test key controls

• Logical Access Controls

• Physical Access Controls

• Encryption of customer data while in transit or storage

Page 12

Interagency Guidelines – Key Components

Manage and Control Risk

• Change control procedures

• Segregation of duties

• Security monitoring / Audit logging

• Incident reporting and escalation procedures

• BCP/DR plans

Oversee Service Provider Arrangements

• Due diligence in selecting providers

• Gain comfort that service provider has implemented controls to protect customer data

• Includes contractual obligations to protect customer data

Page 13

Interagency Guidelines – Key Components

Adjust the IS Program as appropriate

• Review threats, scope of operations, technologies and controls

Report to the Board

• At least annually on the status of the IS program to include:

– Risk Assessment

– Risk Management and Control Decisions

– Service Provider Arrangements

– Results of Testing

– Security Breaches/Violations and Management’s Response

– Recommended Changes to the IS program

Page 14

OCC

The OCC is already conducting privacy examinations. The focus at the current time is on helping companies come into compliance.

• Use Examination Guidelines as a benchmark.

• An assessment against these guidelines, gap analysis and plan to close gaps demonstrates good faith effort.

• Completing an information inventory is also a good first step.

• Safeguarding of Customer Information and security has been a focus.

• Reviewing issues such as notice content, notice delivery, opt-out systems, and complaint tracking/monitoring.

• Companies need to have some support for the accuracy of their privacy notice.

Page 15

SEC

The SEC is already engaging in privacy examinations in accordance with Regulation S-P. The exams are typically conducted by teams of four (4) and take approximately one (1) week. Recent comments made by the SEC’s John Walsh, Office of Compliance, are as follows:

• Focus at the current time is on helping companies into compliance, not fining them. Intentional misuse of consumer information may still draw a fine.

• SEC is expecting to see some form of information inventory. Companies need to have some support for the accuracy of their privacy notice.

• Safeguarding of Customer Information is a focus area of the SEC. Even though they provided very little guidance, the SEC is looking at issues such as senior management involvement and training of personnel.

• SEC is also reviewing issues such as notice content, notice delivery, opt-out systems, and complaint tracking/monitoring.

Page 16

The Basics of Data

Nonpublic personal information

Individually identifying information provided by consumers, or obtained through transactions or third parties in the process of obtaining or administering financial products, including lists compiled from public information

Who – Can access it?

What – Is it? / Why – Is it critical?

When – Is the regulation effective?

Where – Is it stored?

How – Does it move?

Page 17

The Audit Model

Old Model –

• Identify the critical data (HR Data, Legal documentation, Trade secrets, etc.) and restrict access to the machines where it is stored.

New Model –

• Identify the type of critical data (Nonpublic Customer Information), its location, and determine the flow of this data through and outside of the corporate network.

• Secure all the network components that support that flow.

Page 18

Life Cycle Model

Assess

• What is our sensitive customer information?

• Where does this information reside?

• How does the information flow (creation, storage, transmission, destruction)?

Design

• Where should our data be stored?

• Who should be able to access sensitive customer data?

• What type of access should they have?

Implement

• Assign Hardware, O/S, and Application access controls to meet these needs

Page 19

Scenario 1: Outsourced Web

Our website is outsourced to a 3rd party that controls and manages the web servers

The website allows individuals to view and update policy information (transactional)

The 3rd party has a connection back to our network to access our databases

Page 20

Concerns

How is the website built?

• Is our site a virtual instance of the web server or its own physical server?

• Is our site segregated from other customers by VLANs or by a separate physical network?

• Which 3rd party employees have access to our site and what type of access do they have?

Page 21

Concerns Cont.

Where are our technical security concerns?

• Web Application

– Parameter Tampering, Cookie Poisoning, etc.

• Web Server Software

– IIS Buffer Overflows, php/cgi vulnerabilities

• Operating System

– Windows issues, Unix configurations

• Network Architecture/Design

– Router/Firewall rules

Page 22

Scenario 2: Internal Data Flow

Customer Data is stored in many disparate systems across the network

This data is flowing around the internal network from mainframes through client/server apps to individual workstations

Data is often printed to hardcopy for review, analysis and storage

Page 23

Concerns

Authorization and Access Control

• Strong Authentication (Biometrics)

• Cross Platform credentials (Single-Sign On)

• Inter-O/S Communication (scripts, batches, etc)

Communication Paths

• How do we really know where data is / is going?

– By watching the flow of packets:

> Netstat

> Sniffers

> Port bindings

> Services
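As an added illustration of the “watch the flow of packets” approach above (this script is not part of the original slides), the following Python turns a constructed `netstat -an` listing for a hypothetical internal server into a data-flow inventory: which ports are bound (where customer data is served from), which internal and external peers the host is actually talking to, and which live connections use cleartext protocols. The 10.0.0.0/8 perimeter, the sample addresses and the cleartext port list are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of `netstat -an` output for a hypothetical internal server
# (10.1.5.20); every address and port here is invented for this example.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:1433            0.0.0.0:*               LISTEN
tcp        0      0 10.1.5.20:1433          10.1.7.44:51022         ESTABLISHED
tcp        0      0 10.1.5.20:3389          0.0.0.0:*               LISTEN
tcp        0      0 10.1.5.20:49211         203.0.113.9:443         ESTABLISHED
tcp        0      0 10.1.5.20:49212         10.1.9.3:21             ESTABLISHED
"""
# Assumptions: corporate network is 10.0.0.0/8; these destination ports are cleartext.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
CLEARTEXT_PORTS = {21, 23, 25, 80}

def split_addr(addr):
    """Split 'host:port' into (host, port); a '*' port becomes None."""
    host, _, port = addr.rpartition(":")
    return host, (None if port == "*" else int(port))

def parse_netstat(text):
    """Yield (proto, lhost, lport, rhost, rport, state) for each socket line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue                       # header, UDP (no state) or malformed line
        lhost, lport = split_addr(parts[3])
        rhost, rport = split_addr(parts[4])
        yield parts[0], lhost, lport, rhost, rport, parts[5]

def is_internal(host):
    try:                                   # '*' or a hostname is treated as not internal
        return any(ipaddress.ip_address(host) in net for net in INTERNAL_NETS)
    except ValueError:
        return False

def data_flow_inventory(text):
    """Port bindings (where data is served), peers by scope, and cleartext flows."""
    inv = {"listening_ports": set(), "flows": defaultdict(list), "cleartext": []}
    for proto, lhost, lport, rhost, rport, state in parse_netstat(text):
        if state == "LISTEN":
            inv["listening_ports"].add(lport)
        elif state == "ESTABLISHED":
            scope = "internal" if is_internal(rhost) else "external"
            inv["flows"][scope].append((rhost, rport))
            if rport in CLEARTEXT_PORTS:
                inv["cleartext"].append((rhost, rport))
    inv["listening_ports"] = sorted(inv["listening_ports"])
    inv["flows"] = dict(inv["flows"])
    return inv

if __name__ == "__main__":
    print(data_flow_inventory(SAMPLE_NETSTAT))
```

Run against real `netstat -an` output from each system in the data inventory, the external and cleartext lists are the connections to reconcile against the documented data flows and the encryption-in-transit control.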

Page 24

Concerns Cont.

What about physical security?

• Printers

• File Cabinets

• Paper on desks

• Interoffice envelopes

• Etc.

Page 25

Scenario 3: Data Leaving Perimeter

Our data is available to our remote users via VPN / independent field reps (non-employees)

Data is sent to 3rd parties for printing, etc.

Data is sent electronically to 3rd party network for backup

What about data on servers, workstations, laptops when their lease expires?

Page 26

Concerns

Authentication

• VPN configuration, dial-up lines, tokens

Access Control

• What can 3rd parties do with their network connection?

• How are routers/firewalls configured?

How is data handled once it leaves our network?

• SAS 70

• Their 3rd party connections

Page 27

Summary of Key Points

Components of an Effective IS Program – Interagency Guidelines

• Appropriate Board level involvement and accountability

• Management level responsibility and accountability for program development, implementation, training, testing, monitoring and reporting

• A formal risk assessment process

• A comprehensive written Information Security Program

• A proper incident response strategy/plan

• Exercising appropriate due diligence in the selecting, contracting with, and monitoring of service providers (compliance with Guidelines for service provider contracts entered into on or before March 5, 2001 is grandfathered until July 1, 2003)

• Reporting to the Board or appropriate committee at least annually

• Ongoing adjustment of Information Security Program

Page 28

Summary of Key Points

Board Responsibilities – Interagency Guidelines

• Approve the Bank’s written Information Security Program and policies

• Oversee development, implementation and maintenance of the Bank’s Information Security Program

• Assign specific responsibilities for the implementation of the Information Security Program

• Review reports indicating the status of the Information Security Program and the bank’s compliance with the Interagency Guidelines (at least annually)

Note: A committee of the board may approve the institution’s written security program. In addition, the Guidelines permit the Board to assign the specific implementation responsibilities and review of management reports to a committee or an individual.

Page 29

Summary of Key Points

Management Responsibilities – Interagency Guidelines

• Develop, implement and maintain a comprehensive Information Security Program that is appropriate to the Bank’s size and complexity, the nature and scope of its activities, and the sensitivity of any customer information at issue

• Develop a comprehensive Risk Assessment Process

• Monitor, evaluate and adjust Risk Assessment strategy/plans

• Develop a training program that is designed to implement the institution’s information security policies and procedures

• Conduct regular testing of key controls, systems and procedures (or review results of testing) by independent third parties or by staff independent of those that develop or maintain the security program

• Oversee service provider arrangements

• Adjust the Information Security Program

• Report to the Board or an appropriate committee (at least annually)