US Security Standards

14 November 2013
By Roman Denisenko, Senior QA

This is the first in the series of articles about security standards.

Security standards describe the measures an organization has to take to keep confidential data secure and to reduce the risk of intrusion. Organizations that hold sensitive data have to comply with these standards in order to operate. Security standards can be classified as national or international. In this first article we will review the major standards adopted in the USA.

There are many mandatory and optional compliance standards which help to defend sensitive data from malicious persons. Unfortunately, during my research I did not find any documentation which summarizes information about commonly used standards in a single place. I had to dig through official documents, study a lot of additional articles and gather information bit by bit. Because of this I had the idea to create a document which will be useful for everyone who wants to know the basic information about a standard but doesn’t have enough time for large-scale research.

I divided all standards into three large categories: international and two national, namely US and UK. Some of those are mandatory, others are optional. In this article we’ll talk about standards which are adopted in the USA.

The United States is a country with a wide range of standards that cover almost all aspects of life. Not only must government organizations comply with a huge number of mandatory certifications and standards, but financial organizations, organizations in the energy sector, healthcare and many others have their own specific standards which mitigate security risks and are often mandatory.

HIPAA

What is it?

HIPAA is the Health Insurance Portability and Accountability Act that was passed by Congress in 1996. HIPAA does the following:

  1. Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs;
  2. Reduces health care fraud and abuse;
  3. Mandates industry-wide standards for health care information on electronic billing and other processes;
  4. Requires the protection and confidential handling of protected health information.

Who has to comply

Any organization which handles ePHI (electronic protected health information).

Who confirms compliance

Specialized certified vendors which are listed in this link.

Consequences of non-compliance

  1. Fines of around $50,000 per violation, up to an aggregate of $1,500,000 per year.
  2. Criminal penalties that include up to one year of imprisonment, even for violations committed unknowingly or with reasonable cause.

How often to confirm compliance

Software products should be certified once, but after each significant change the product has to be certified again. The organization must prove its compliance on a yearly basis.

Useful links

FISMA

What is it?

FISMA (Federal Information Security Management Act) requires federal agencies to develop, document, and implement an information security program to safeguard their information systems including those provided or managed by another agency, contractor or another third party.

Who has to comply

All government agencies, government contractors, and organizations that exchange data directly with government systems.

Who confirms compliance

CIOs, program officials and inspectors general at the agencies are required to conduct a yearly review of the program and submit the results to the Office of Management and Budget (OMB). OMB uses this data to assist in its oversight responsibilities and to prepare its annual report to Congress on agency compliance with the act.

Consequences of non-compliance

  1. Significant administrative sanctions.
  2. Unfavorable publicity.
  3. Reduction of IT budget.

How often to confirm compliance

The whole certification process should be performed annually. In addition, everyone who falls under the certification program has to perform vulnerability scanning of their infrastructure and send reports to the CyberScope system on a monthly basis. CyberScope is a web-based application launched by the OMB to provide secure and efficient FISMA-focused reporting by federal agencies.

Useful links

CAG

What is it?

The Twenty Critical Security Controls for Effective Cyber Defense (commonly called the Consensus Audit Guidelines or CAG) is a publication of best-practice guidelines for computer security. The main idea is that almost all of the controls (except the last four) can be automated.

Who has to comply

Critical infrastructure entities outside the federal government include organizations in healthcare services, energy, financial services, telecommunications and transportation. The CAG guidelines supplement and enhance the security requirements these industries already need to meet under regulations such as FISMA, NERC, PCI, GLBA and HIPAA.

Who confirms compliance

No one. CAG is a non-mandatory standard.

Consequences of non-compliance

Only your peace of mind.

Useful links

NERC

What is it?

The North American Electric Reliability Corporation (NERC) is a not-for-profit corporation whose mission is to improve the reliability of the critical systems that generate and transport electricity across the North American continent. NERC publishes the reliability standards these systems must meet.

Who has to comply

All bulk power system owners, operators, and users must comply with approved NERC reliability standards. These entities are required to register with NERC through the appropriate regional entity.

Who confirms compliance

NERC relies on eight regional entities to monitor compliance with the NERC standards of bulk power system owners, operators and users within their regional boundaries.

Consequences of non-compliance

  1. A formal “Notice of Penalty” (NOP) for alleged violations that constitute a High or Medium risk.
  2. A formal notice of “Find, Fix, Track and Report” (FFT) in case of alleged violations that constitute minimal risk.
  3. Dismissal.

How often to confirm compliance

Regularly scheduled compliance audits, random spot checks and specific investigations.

Useful links

Mass 201 CMR 17

What is it?

The Massachusetts privacy law, Mass 201 CMR 17, establishes a minimum standard for the protection of Massachusetts residents’ personal information (PI), in both paper and electronic records. The state defines PI as a resident’s first name and last name (or first initial and last name) in combination with at least one of the following: a driver’s license number, a state-issued identification card number, a credit card number, a financial account number or a Social Security number.

Who has to comply

Every person and company that owns, licenses, stores or maintains personal information about a resident of Massachusetts.

Who confirms compliance

The Massachusetts government.

Consequences of non-compliance

According to MA General Law 93I, there’s a $100 fine per record lost, with a maximum of $50K per “incident”. MA General Law 93H states that there is a $5,000 fine per “violation”. It’s unclear what the correlation is between an individual record lost and an “incident or violation”.

How often to confirm compliance

Security policies should be updated at least annually.

Useful links

USGCB (FDCC)

What is it?

The United States Government Configuration Baseline (USGCB) is a United States government-wide initiative that guides federal agencies on how to establish and maintain effective configuration settings, focusing primarily on security. The initiative aims to create security configuration baselines for IT and security products, specifically desktops and laptops, deployed across federal agencies. Its predecessor was the Federal Desktop Core Configuration (FDCC), which was superseded by the USGCB benchmarks in 2010 and 2011.

Who has to comply

All federal agencies using Microsoft Windows XP, Vista and 7 or Red Hat Linux machines are required to meet and prove compliance with USGCB in order to improve security, reduce costs, and decrease application-compatibility issues. Compliance with USGCB requires rigorous assessment and maintenance of IT configuration, and compliant settings must be proved through thorough reporting.

Who confirms compliance

The OMB (Office of Management and Budget) may require compliance reporting on USGCB implementation as part of its standard operating procedures.

Useful links

SOX

What is it?

The Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation enacted to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. Sarbanes-Oxley is not a set of business practices and does not specify how a business should store records; rather, it defines which records are to be stored and for how long. The legislation not only affects the financial side of corporations, it also affects the IT departments whose job it is to store a corporation’s electronic records. The Sarbanes-Oxley Act states that all business records, including electronic records and electronic messages, must be saved for “not less than five years.”

Who has to comply

Publicly traded companies in the United States, including all wholly owned subsidiaries, and all publicly traded non-US companies doing business in the US are affected. Private companies that are preparing their initial public offering (IPO) also need to comply with certain provisions of Sarbanes-Oxley.

Who confirms compliance

Compliance with SOX is administered by the Securities and Exchange Commission (SEC), which publishes requirements and sets deadlines for organizations to comply with them. The SEC provides up-to-date information about the Sarbanes-Oxley Act on its website.

Consequences of non-compliance

In addition to lawsuits and negative publicity, a company officer who does not comply or submits an inaccurate certification is subject to a fine of up to $1 million and ten years in prison, even if it was simply a mistake. If it is proved that a wrong certification was submitted on purpose, the fine can be up to $5 million and twenty years in prison.

In situations where penalties are assessed, the leaders of the organization are typically held to account, not the IT managers who prepare the report.

How often to confirm compliance

Quarterly and annual reports.

Useful links
