CS Operational Policy

The operational policies should clearly identify the extent of coverage of the policy (people, locations, and business partners), who owns it and is responsible for creating it, and the authoritative sources for the policy (e.g. laws, rules, standards, and industry best practices).

Sample Documents

Program Charter

Example charter to outline the principles and operational components of policy 

Identification & Classification Policy

Determining which data should be restricted, confidential, or public.

Policy Change: Personal Devices

Example communication document to end users on the new personal device policy

Anti-Malware Policy

Steps required by the organization to keep malware off the network

Topic Examples

A discussion on the purpose of operational policy

A short overview of the law and link to the official site

Policy documents to implement in a HIPAA regulated environment.

Links to SANS sites and articles to help formulate policy

Discussion on who gets admin access and when to revoke access

Defense against hackers is about "value, locks, and punishment"

My comments on the increasing amount of laws, regulations, and standards

Intro to Cyber Security Operational Policy

Most organizations introduce their corporate and security policies during an employee's first week. Years ago the policy was treated much like an iTunes End User License Agreement (EULA): we all skimmed it. If we were not planning to go outside the work scope set by management, what was the point of reviewing the policy thoroughly? Today, in the age of regulation, ransomware, and social engineering attacks (phishing, vishing), the IT/security team cannot afford any more ambiguous or unenforceable enterprise policies.

Considerable time should be taken to make sure the policy is comprehensive and fits the architectural operating model. The policy should clearly identify the extent of its coverage (people, locations, and business partners), who owns it and is responsible for creating it, and its authoritative sources (e.g. laws, rules, standards, and industry best practices). Policy development attempts to align the business mission, goals, and security principles with employee behavior. There is no "one policy fits all" in today's operating environments.

Implementation of the policy relies heavily on consensus among the different teams in the enterprise. If there is consensus on policy language, security controls, and intended outcome, approval of the policy and of future changes is much easier. The personnel who review and approve the policy document may include technical staff, the legal department, human resources, internal audit, and those responsible for compliance. Special attention should be given to how the policy is communicated and how employees are trained. For a policy to be effective, employees have to understand that most of the decisions that protect enterprise data are personal choices made day to day. Immersing employees in realistic simulations of actual threat events is therefore key.

The goal is to build enforcement throughout the organization over time; this is important for maintaining a vigilant yet happy employee base. The level of enforcement needs to align with the level of risk. For example, failure to follow some policies in certain industries leads to regulatory noncompliance, which can result in lawsuits, sanctions, and expensive legal fees. Disciplinary action should correlate with the level of security risk the employee's behavior created, with special consideration of the circumstances leading up to it.

The policy should influence managers to use professional and ethical approaches when developing, training on, and enforcing it. Rules and standards should not be used as a draconian measure to keep employees locked into social compliance or to judge their attitude at the organization or in their personal life. Over-disciplining new or outstanding employees for small compliance blunders can set off a chain of events that ends in low employee morale. To keep dignity and professionalism in good standing on both sides, assertive communication is the only approach.

Reference
Johnson, R. (2015). Security Policies and Implementation Issues, Second Edition. Burlington, Massachusetts: Jones & Bartlett Learning

 

California Consumer Privacy Act of 2018

The California Consumer Privacy Act (CCPA) is widely expected to blaze a trail for other state and federal laws intended to mirror Europe's GDPR.

It is another entry in the growing list of data governance laws, and a catch-22 for business ethics: the digital world grew on the wholesale trade of internet data that we knowingly gave up.

 

The act will give compliance staff and internal and external auditors plenty of work in the coming years, if the existing laws were not enough already. Possibly in the future we will have one overarching law covering education, health, personally identifiable information, and all consumer data. That would eliminate the need for businesses to navigate a patchwork of state, federal, and international laws and would reduce overhead on business processes.

Some notable comments about the law:

-"The California Consumer Privacy Act will go into effect Jan. 1, 2020, putting greater restrictions around how companies can collect and use data, like Europe’s General Data Protection Regulation."

...
-"California Attorney General Xavier Becerra, whose office will be responsible for enforcing the law when it goes into effect, said he is worried he does not have enough staff to carry out the job effectively."

...
-"Among the law’s most powerful provisions is one that requires companies to stop selling people’s data upon request at any time."
(Farivar & Ingram, 2019)

"This landmark law secures new privacy rights for California consumers, including:

  • The right to know about the personal information a business collects about them and how it is used and shared;

  • The right to delete personal information collected from them (with some exceptions);

  • The right to opt-out of the sale of their personal information; and

  • The right to non-discrimination for exercising their CCPA rights."
    (OAG, 2022)

Excerpts from the CCPA Website on oag.ca.gov: 

Who does it apply to? 

The CCPA applies to for-profit businesses that do business in California and meet any of the following:

  • Have a gross annual revenue of over $25 million;

  • Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or

  • Derive 50% or more of their annual revenue from selling California residents’ personal information.
     

Request to delete exceptions: 

There are exceptions to the right to delete. Common reasons why businesses may keep your personal information include:

  • The business cannot verify your request

  • To complete your transaction, provide a reasonably anticipated product or service, or for certain warranty and product recall purposes

  • For certain business security practices

  • For certain internal uses that are compatible with reasonable consumer expectations or the context in which the information was provided

  • To comply with legal obligations, exercise legal claims or rights, or defend legal claims

  • If the personal information is certain medical information, consumer credit reporting information, or other types of information exempt from the CCPA
    (OAG, 2022)
     

References
Farivar, C., & Ingram, D. (2019, May 14). California's new data privacy law could change the internet in the US. Retrieved from https://www.cnbc.com/2019/05/14/california-consumer-privacy-act-could-change-the-internet-in-the-us.html

OAG (2022). California Consumer Privacy Act (CCPA). Retrieved from https://oag.ca.gov/privacy/ccpa

 

Policy Documents for HIPAA Regulated Environments

Program Charter for HIPAA Environment

See document here

Excerpt:
 

Scope
The HIC Information Security Program Charter and its accompanying policies, guidelines, and procedures apply to all employees and contractors operating at HIC locations and subsidiaries, including all users granted access to HIC information systems. The HIC Information Security Program ("Security Program") applies directly to users who handle, communicate, store, or administer systems involving protected health information (PHI) regulated by the Health Insurance Portability and Accountability Act (HIPAA), including the standards for personally identifiable information (PII).
 

Mission
“To provide a comprehensive approach for the administration of physical and non-physical components and systems to develop effective methods to support risk management objectives. The HIC Security Program aims to develop a strong security culture by affecting human attitudes and behavior to be in compliance with the Health Insurance Portability and Accountability Act (HIPAA), regulations associated with personally identifiable information (PII), and payment card industry (PCI) standards.”
 

The policy guides employees to identify and follow the rules set forth by HIPAA for health insurance companies in their respective business units and systems. Additionally, the policy establishes a standard set of practices across HIC locations and subsidiaries, giving staff, particularly new employees, knowledge of how processes are carried out. Furthermore, the policy serves as an invaluable resource of documented guidelines for reducing human error (InfoSec, n.d.).
 

The security program will protect information by developing policies to identify assets, categorize by business impact, and establish protection mechanisms for assets using a risk management approach (Palmer et al., 2000). The program will establish acceptable use of assets to be sourced from authoritative resources for health insurance companies.

The policies developed by the security program counter information system threats through identification, prioritization, monitoring, and response. Monitoring activities support risk management objectives by giving administrators a transparent view of the information system so that they can locate, respond to, and recover from threats on the network.

Monitoring activities will include the use of metrics and Cyber Threat Intelligence (CTI) to provide on-going assessment to obtain the state of the network.  Monitoring metrics and CTI referenced in the policies, standards, guidelines, and procedures are intended to strengthen the strategic, operational, and tactical position of HIC and subsidiaries.
 

The policy aims to align with HIC’s security principles of:
 

Least Privilege Principle: Users and processes given the least authority and minimum access to resources required to accomplish a given task.

Accountability Principle: All significant system and process events should be traceable to the initiator.

Minimum Dependence on Secrecy Principle: Controls to still be effective even if an opponent knows of their existence and knows their mode of operation.

Control Automation Principle: Automatic controls should be used rather than controls which depend on human vigilance and human behavior.

Resiliency Principle: Systems managed to minimize damage in the event of breakdown or compromise.

Defense in Depth Principle: Layered controls involving backup or supporting mechanisms for primary controls.

Approved Exception Principle: Policy exceptions to always have management approval.

Secure Emergency Override Principle: Controls only bypassed in predetermined and secure ways.

Auditability Principle: An independent expert must be able to verify that the system conforms to the security policy.
(Sherwood, et al., 2005)
...





Information Identification and Classification Policy Overview


See document here

Excerpt:
This classification policy prescribes a system for classifying, safeguarding, and declassifying Health Insurance Company (HIC) information, especially information subject to the Health Insurance Portability and Accountability Act (HIPAA). The healthcare industry is a sharing environment that allows doctors, practitioners, providers, and insurers to find quality care for their patients. Many entities depend on the free flow of information to provide on-time care and payments. Nevertheless, to protect privacy, specific information about the patient/insured is kept in confidence to guard against economic harm, embarrassment, and discrimination.

The HIC Classification Policy is mandatory, as it outlines protections for customers and patients and demonstrates our commitment to HIPAA. The classification model is based on Mandatory Access Control (MAC), which labels information by its secrecy level. From the MAC model we derive a three-tier system of information labels: PHI regulated by HIPAA, cardholder data regulated by PCI, and regulated PII are placed at the "Restricted" level; other PII and internal organizational information at the "Confidential" level; and all unregulated information at the "Public" level. In the classic MAC model a subject may not read information labeled above its clearance, nor write information into a container labeled below it (no read up, no write down), which is what prevents leakage to public and unauthorized parties.
 

For internal information access, we use the ABAC model to provide smart security, performance, and administrative solutions. Access control technology has evolved from the DAC model to Role Based Access Control (RBAC) and then to Attribute Based Access Control (ABAC), which is the current best practice and is used by platforms such as Microsoft Azure. The ABAC model provides for identification and classification of devices, identities, and roles, and for authorization of those specific devices and roles. Furthermore, departments can be segmented into organizational units (OUs) to restrict access to data classified under the MAC model.
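As an added example (my own illustration, not code from the HIC policy documents or from any vendor), the following Python models the two layers described in the two paragraphs above: the three MAC tiers with the classic no-read-up/no-write-down rules, and an ABAC rule set that narrows access further by department, role, and device state. The subjects, resources, department names, and the three ABAC rules are assumptions made up for the demonstration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# The three MAC tiers from the HIC classification policy, ordered by sensitivity.
LEVELS = {"Public": 0, "Confidential": 1, "Restricted": 2}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str                                               # MAC clearance, one of LEVELS
    attributes: Dict[str, object] = field(default_factory=dict)  # ABAC attributes


@dataclass(frozen=True)
class Resource:
    name: str
    label: str                                                   # MAC label, one of LEVELS
    attributes: Dict[str, object] = field(default_factory=dict)  # ABAC attributes


def mac_allows(subject: Subject, resource: Resource, action: str) -> bool:
    """Classic MAC confidentiality rules (Bell-LaPadula, assumed here as the
    'classic MAC model'): no read up, and no write down, so Restricted data
    cannot be copied into a Confidential or Public container."""
    s, o = LEVELS[subject.clearance], LEVELS[resource.label]
    if action == "read":
        return s >= o
    if action == "write":
        return s <= o
    raise ValueError(f"unknown action {action!r}")


# ABAC rules are predicates over (subject attributes, resource attributes, action).
# The three rules below are hypothetical examples for a health insurer.
Rule = Callable[[Dict[str, object], Dict[str, object], str], bool]


def same_department(s: Dict[str, object], r: Dict[str, object], action: str) -> bool:
    # Organizational-unit segmentation: stay inside your own department's data.
    return s.get("dept") == r.get("dept")


def phi_requires_managed_device(s: Dict[str, object], r: Dict[str, object], action: str) -> bool:
    # Ties in with the personal-device policy: PHI only from managed devices.
    return r.get("data_type") != "PHI" or s.get("device_managed") is True


def only_claims_roles_write(s: Dict[str, object], r: Dict[str, object], action: str) -> bool:
    return action != "write" or s.get("role") in {"claims_adjuster", "claims_manager"}


ABAC_RULES: List[Rule] = [same_department, phi_requires_managed_device, only_claims_roles_write]


def abac_allows(subject: Subject, resource: Resource, action: str) -> bool:
    return all(rule(subject.attributes, resource.attributes, action) for rule in ABAC_RULES)


def decide(subject: Subject, resource: Resource, action: str) -> Tuple[bool, str]:
    """MAC is evaluated first and cannot be overridden; ABAC only narrows access further."""
    if not mac_allows(subject, resource, action):
        return False, f"MAC: {subject.clearance} clearance may not {action} {resource.label} data"
    if not abac_allows(subject, resource, action):
        return False, "ABAC: an attribute rule denied the request"
    return True, "allowed"


# Constructed sample subjects and resources (not from the policy documents).
ALICE = Subject("alice", "Restricted",
                {"dept": "claims", "role": "claims_adjuster", "device_managed": True})
BOB = Subject("bob", "Confidential",
              {"dept": "marketing", "role": "analyst", "device_managed": True})
CAROL = Subject("carol", "Restricted",
                {"dept": "claims", "role": "nurse_reviewer", "device_managed": False})
CLAIM_FILE = Resource("claim-2018-0417", "Restricted", {"dept": "claims", "data_type": "PHI"})
PUBLIC_BULLETIN = Resource("member-newsletter", "Public", {"dept": "marketing", "data_type": "public"})

if __name__ == "__main__":
    for subj, res, act in [(ALICE, CLAIM_FILE, "read"), (ALICE, PUBLIC_BULLETIN, "write"),
                           (BOB, CLAIM_FILE, "read"), (CAROL, CLAIM_FILE, "read")]:
        ok, why = decide(subj, res, act)
        print(f"{subj.name:6} {act:5} {res.name:18} -> {'ALLOW' if ok else 'DENY '} ({why})")
```

The ordering matters: the MAC check runs first and no attribute rule can override it, so a Restricted-cleared user is still refused when trying to write Restricted content into a Public container, which is the leakage the classification policy is meant to prevent. The ABAC layer then handles the finer-grained, context-dependent decisions (department, role, managed device) that labels alone cannot express.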
...

 

 

 

 

 

 

 


 

Personal Owned Device Policy Change


See document here
 

Excerpt:

Why is the policy changing?

The current risks to mobile devices are:

• Lost/Stolen Mobile Device
• Using an unsecured Wi-Fi network
• Inadvertently downloading viruses or other malware
• Exposure to new vulnerabilities in mobile devices (e.g. Bluetooth) (Armis, 2017)
• Unintentional disclosure to unauthorized individuals when sharing devices with family, friends, and/or coworkers
 

What could happen if PHI were sent from or stored on my mobile device without authorization?

The situations listed above create the risk that email containing PHI is copied to unauthorized locations, which can result in large fines and penalties. Fines range from $100 to $50,000 per HIPAA violation, even when the organization knew of and used protective measures (Hold, 2017). For example, Fresenius Medical Care North America (FMCNA) agreed to pay $3.5 million to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) to settle HIPAA violations (HHS.gov, 2018).

...
 

 

 

 

 

 

 

 

 


 

Anti-Malware Policy


See document here
 

Excerpt:

Anti-Malware Policy Overview

The HIC Anti-Malware Policy is intended to protect HIC business operations from disruption and to safeguard information while maintaining access for authorized users. It is the responsibility of the Chief Information Security Officer (CISO) to establish the HIC Anti-Malware Policy, the Information Security Awareness Program (ISAP), and all associated policies, and to ensure that users are knowledgeable of the policies and procedures in the HIC Security Program.

Malware Definition: A program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system or of otherwise annoying or disrupting the victim (NIST, 2013). Malware is an umbrella term that stands for a variety of malicious software, including Trojans, spyware, worms, adware, ransomware, and viruses (Zamora, 2018).
 

Strategy One, Defense in Depth: The aim is 100% coverage of devices: every device capable of running an anti-virus and/or anti-malware agent runs one (or is protected by such a platform), with significant activity logged and centralized on the same or a separate security platform. Defense in depth also includes encryption of data at rest and in transit; protecting internet-facing devices and traffic (e.g. routers) by disabling vulnerable services such as SMB and changing default administrative credentials (Talos, 2018); and, finally, a comprehensive backup plan that transmits data to external sites, kept out of reach of the production network so that ransomware cannot encrypt the backups along with the originals.
 

Strategy Two, Offensive Security: Security based on "best practices" may amount to outdated security, depending on the source. The threat landscape is constantly evolving, with researchers discovering new attack vectors almost weekly across a variety of systems. Therefore a threat intelligence process, supplying strategic, operational, and tactical intelligence, is required to deter cyber attacks effectively. This enables an integrated, threat-driven approach to cyber security.

...


 

 

Links to Help Formulate Policy

BYOD Security Implementation for Small Companies by SANS
Published in 2017, SANS provides a great overview of the threats facing IoT, vulnerabilities, and tool requirements to help manage devices.

Security Policy Roadmap by SANS
Published in 2002, the document provides a foundational level on the need for policy and areas to cover. 

A Preparation Guide to Information Security Policies by SANS

Published in 2002, the document provides a brief overview of threats and information security that need to be covered by policy.

How to Create a Successful Corporate Policy by Malwarebytes Blog
Published in 2016, the easy to read article provides a checklist of items to consider when formulating policy.

10 Reasons Why Employees Don't Follow Organizational Processes by the Huffington Post
From 2017, this article provides a great overview on why employees may not accept policy changes and recommends solutions for all 10 issues.

Promoting Employee Policy Adherence and Rule Following in Work Setting: The Value of Self-Regulatory Process 
A Research Paper from Yale published in 2005, the paper discusses the motivation for employees to follow rules and recommends self-regulation as the best strategy to develop policy adherence.

 

Policy Enforcement of Administrative Access

Administrative (admin) accounts are used by authorized users to configure the OS and install programs. But admin rights are also used by malicious programs and users to compromise the device and the network. In 2017, ComputerWorld.com reported that "94% of Microsoft vulnerabilities can be easily mitigated by removing admin rights". The article continues:

"Privilege management and application control should be the cornerstone of your endpoint security strategy, building up from there to create ever stronger, multiple layers of defense. These measures can have a dramatic impact on your ability to mitigate today's attacks. Times have changed; removing admin rights and controlling applications is no longer difficult to achieve," said Mark Austin, co-founder and CEO of Avecto, in a statement (Patrizio, 2017).

An organization should restrict its employees to a regular user profile without admin rights; otherwise an employee would be able to change, misconfigure, disable, or enable the following:

  • User Account Control (UAC) Settings

  • Network Connections

  • Devices

  • Registry

  • Firewall

  • Other OS settings


Restrictions on administrative privileges should apply to other programs as well (e.g. anti-malware/anti-virus, databases and database connection programs).

Two principles from our reading support limiting administrative access to an individual or a small subset of users:

Least Privilege Principle: "People should be granted only enough privilege to accomplish assigned tasks and no more" (Johnson, 2015). This includes the rule that a "system process should be given the least authority and minimum access to resources required to accomplish a given task" (Sherwood et al., 2005).

Separation of Duties Principle: “Responsibilities and privileges should be divided to prevent a person or a small group of collaborating people from inappropriately controlling multiple key aspects of a process and causing harm or loss. For example, in an accounting department, the person preparing invoices for payment should not be the same person writing the checks for payment” (Johnson, 2015).

Experience in many organizations shows that employees continue to request administrative access to their work computers. Why do you think that is?

From personal experience, it's for the installation or upgrade of existing day-to-day operational programs, or for adjustments to the OS that weren't made by the administrator. A Symantec blog provided a great top-5 list of why users "want" or "need" admin rights:

Want Admin Rights For:
Freedom: Users want administrator privileges so they can install or modify anything and everything on their computer. They may or may not view themselves as computer experts, but believe they know enough about computers to be able to make changes to their system without any negative repercussions. Unfortunately, they are usually wrong, causing the IT department to spend countless hours fixing the issues.

Control: Users also want more privileges on a computer because of the control associated with being able to call your own shots. Control leads to even more headaches for the IT department as they clean up the mess left by users who make changes without understanding implications. Installing a software package without proper licensing can result in costly audit expenses. Changing the security configuration might make life easier, but it can result in expensive breaches.

Time: Most people hate to wait – we want everything done instantaneously. It’s the same for computing. Most users fear that if they don’t have administrator rights, they’ll have to wait for someone in the IT department to install or update a piece of software that could take them minutes to do if they had administrator privileges.

Entitlement: Some users believe that they deserve administrator rights because they started the company, make more money than the IT department employees, or because they are just special for one reason or another. These reasons aren’t good enough though. They might be the reason that the company is making a profit right now, however with administrator rights they could be the reason the company suffers a loss next quarter when their computer is compromised and key data stolen.

Habit: For some companies, users have always had administrator rights. It has become the standard of how users operate their computers in the company. However with increasing cyber threats, this habit simply does not provide enough security to organizations any more.
(Symantec, 2013a)
 
Users actually need admin rights for:
System Utilities: many of the control panel applications require administrator rights including driver installation, disk defragmenter, and backing up the.

System Settings: changing system settings such as the date\time or network configuration settings require administrator privileges.

Software Installation: software that tries to install into the Program Files or Windows directory needs administrator rights to do so.

Software Updates: application updaters require administrator rights in order to make changes to the applications in the Program Files directory. This includes updaters for Adobe, Java, and iTunes.

Legacy or Poorly Coded Software: some applications simply require administrator rights to run normally.
(Symantec, 2013b)
 
What would you say to those employees who insist they need administrative access? 
I would refer them to the Acceptable Use Policy (AUP), which should state the rules regarding administrative access. Additionally, I would let them know how admin rights pose a danger to the organization, using real-world examples (e.g. phishing emails, malicious websites). If there were a privilege management platform, I would consider adjusting the admin settings for users/departments for specific applications to reduce downtime. If the organization has implemented privilege management correctly, there should be no complaints from users regarding admin access.

On what grounds would you grant an exception to the policy?
When no other administrators are available or onsite, one may need to grant elevated privileges temporarily so that a user can fix an issue. This is due to real-world personnel, geographic, and time constraints. For example, in step 3 of the Firecall-ID process the administrator elevates the rights of the user:

[Figure: Firecall-ID process (firecall_orig.png); step 3 shows the administrator elevating the user's rights]

(Johnson, 2015)

Another example may be a change in personnel, where an administrator account is temporarily assigned until the individual for the role is hired. The policy would need to cover change management and an expiration date for the temporary admin account.

Other safeguards that can be put in place, from the CIS Controls (Controlled Use of Administrative Privileges):
1) Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.
2) Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. (cisecurity.org, n.d.)
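As an added example, not taken from the CIS Controls or from the page's sources, the following Python implements the second safeguard as detection logic over constructed Windows Security log records. The event IDs are the standard Windows events for membership changes in security-enabled local, global, and universal groups, and the field names follow that event schema; the list of admin groups, the severity scheme, and the sample records are assumptions.

```python
from __future__ import annotations

from typing import Dict, Iterable, List

# Windows Security log events for membership changes in security-enabled groups.
ADD_EVENTS = {4728: "global", 4732: "local", 4756: "universal"}
REMOVE_EVENTS = {4729: "global", 4733: "local", 4757: "universal"}

# Groups that confer administrative privileges (assumed list; extend per environment).
ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins",
                "Schema Admins", "Account Operators"}


def _member_account(member_name: str) -> str:
    """The member in 4728/4732 events is a distinguished name (CN=jdoe,OU=...).
    Reduce it to the CN so it can be compared with the actor's account name."""
    if member_name.upper().startswith("CN="):
        return member_name[3:].split(",", 1)[0]
    return member_name


def detect_admin_group_changes(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return one alert per add/remove against an admin group; other events are ignored."""
    alerts: List[Dict[str, object]] = []
    for ev in events:
        eid = ev.get("EventID")
        if eid in ADD_EVENTS:
            action, scope = "added", ADD_EVENTS[eid]
        elif eid in REMOVE_EVENTS:
            action, scope = "removed", REMOVE_EVENTS[eid]
        else:
            continue
        group = str(ev.get("TargetUserName", ""))   # for these events TargetUserName is the group
        if group not in ADMIN_GROUPS:
            continue  # membership change in a non-admin group: keep the log entry, no alert
        actor = str(ev.get("SubjectUserName", ""))
        member = _member_account(str(ev.get("MemberName", "")))
        # An actor adding their own account is the pattern a compromised or abusive
        # admin produces, so it is rated higher (assumed severity scheme).
        severity = "high" if action == "added" and member.lower() == actor.lower() else "medium"
        alerts.append({
            "time": ev.get("TimeCreated"),
            "host": ev.get("Computer"),
            "action": action,
            "scope": scope,
            "group": group,
            "member": member,
            "actor": actor,
            "severity": severity,
        })
    return alerts


# Constructed sample records in the shape of a SIEM/winlogbeat JSON export (not real logs).
SAMPLE_EVENTS = [
    {"TimeCreated": "2018-03-01T09:12:04Z", "Computer": "DC01.hic.local", "EventID": 4728,
     "SubjectUserName": "svc_helpdesk", "MemberName": "CN=jdoe,OU=Claims,DC=hic,DC=local",
     "TargetUserName": "Domain Admins"},
    {"TimeCreated": "2018-03-01T09:15:30Z", "Computer": "DC01.hic.local", "EventID": 4728,
     "SubjectUserName": "svc_helpdesk", "MemberName": "CN=jdoe,OU=Claims,DC=hic,DC=local",
     "TargetUserName": "VPN Users"},
    {"TimeCreated": "2018-03-01T17:40:11Z", "Computer": "WS-CLAIMS-07", "EventID": 4732,
     "SubjectUserName": "asmith", "MemberName": "CN=asmith,OU=Claims,DC=hic,DC=local",
     "TargetUserName": "Administrators"},
    {"TimeCreated": "2018-03-02T08:00:00Z", "Computer": "DC01.hic.local", "EventID": 4729,
     "SubjectUserName": "firecall_admin", "MemberName": "CN=jdoe,OU=Claims,DC=hic,DC=local",
     "TargetUserName": "Domain Admins"},
    {"TimeCreated": "2018-03-02T08:05:00Z", "Computer": "DC01.hic.local", "EventID": 4624,
     "SubjectUserName": "jdoe", "TargetUserName": "jdoe"},
]

if __name__ == "__main__":
    for a in detect_admin_group_changes(SAMPLE_EVENTS):
        prep = "to" if a["action"] == "added" else "from"
        print(f"[{a['severity']:6}] {a['time']} {a['host']}: {a['actor']} {a['action']} "
              f"{a['member']} {prep} {a['group']} ({a['scope']} group)")
```

Run against the sample records this produces three alerts: the helpdesk service account adding jdoe to Domain Admins, asmith adding herself to the local Administrators group on her workstation (rated high), and the firecall account removing jdoe again the next morning. The VPN Users change and the logon event are left as ordinary log entries. Pairing the add and the later remove for the same member is how an analyst verifies that a Firecall-ID elevation like the one described above was actually revoked.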
 
 
References
cisecurity.org. (n.d.). Controlled Use of Administrative Privileges. Retrieved from https://www.cisecurity.org/controls/controlled-use-of-administrative-privileges/

Johnson, R. (2015). Security Policies and Implementation Issues, Second Edition. Burlington, Massachusetts: Jones & Bartlett Learning

Patrizio, A. (2017, February 25). 94% of Microsoft vulnerabilities can be easily mitigated. Retrieved from https://www.computerworld.com/article/3173246/security/94-of-microsoft-vulnerabilities-can-be-easily-mitigated.html

Sherwood, J., Clark, A., Lynas, D. (2005). Enterprise Security Architecture, A Business-Driven Approach. Boca Raton, Florida: CRC Press.

 

Policy Implementation in the Real World

Some security practitioners argue that theory is irrelevant to the way that security works in the real world.
What do you think could account for this belief? Do you agree? 


In 2001, Butler Lampson presented a paper, "Computer Security in the Real World", at the Annual Computer Security Applications Conference. The findings from his experience are applicable to this day. He believes there is no perfect security model for any given organization, because of the cost of security and the energy it takes to maintain the security systems. Instead, the organization is faced with trying to cover four main areas: secrecy, integrity, availability, and accountability. Although an organization's policy will appear to cover these areas, "the difference in emphasis remains".

“It’s not about perfect defenses against determined attackers. Instead it’s about:

  • Value

  • Locks, and

  • Punishment


The bad guys balance the value of what they gain against the risk of punishment, which is the cost of punishment times the probability of getting punished.  The main thing that makes real world systems sufficiently secure is that bad guys who do break in are caught and punished often enough to make a life of crime unattractive.  The purpose of locks is not to provide absolute security, but to prevent casual intrusion by raising the threshold for a break-in”  (Lampson, 2001).

For the organization, the punishment aspect comes in the form of regulation and the fines for not complying with those rules and standards.

I agree with Lampson’s view that executives have constraints to place resources to cover the four main security areas resulting in a deficient security area(s). For example, a social media company may emphasize security regarding availability and content filtering for its users rather than accountability of internal processes and integrity of their services.  Another example would be a software company using security resources to fuzz the software code before release, provide bug bounties, and keeping track of licensing and intellectual property with little regard to the availability of its servers.  

Another reason to agree with Lampson is the psychological factors behind executive and security team decisions regarding threats. In an MIT working paper, "Decision Making and Biases in Cybersecurity Capability Development: Evidence from a Simulation Game Experiment", the authors analyze 1,479 simulation runs by experienced and inexperienced individuals, looking at how they allocated resources to prevention, detection, and response capabilities. The goal of the game was to maximize profits under different types of intrusion and impact across two levels, with each intrusion measured in terms of cash flow losses and reputation damage (with associated cash flow loss). The following conclusions were made:

When proactive players start investing in capability development they make noticeably less profit than the reactive players in the early stages of the game; however, once cyber-attacks begin to occur, proactive players perform much better over the rest of the simulation.
...
Among the experienced group, the users who had the highest performance slope in level one performed among the worst in level two, while the users who performed poorly in level one were the better performers in level two. The top players in level one learned the game and were successful in tweaking their investment strategies to increase accumulated profits when confronted with the same fixed cyber-attacks; however, the strategies they had developed did not translate effectively to the random environment of level two, and some even performed more poorly than other players who had not performed as well in level one.
...
Our experiment results present that neither experienced players nor inexperienced players showed performance differences in the game. One possible interpretation for the poor performance of experienced players is that the tightly controlled environment of level one, in which cyber-attacks happened at regular intervals and could be anticipated in repeated simulation runs, was far removed from the reality that the experienced players had experienced over their average 15 years in the field. This interpretation suggests deeply entrenched decision-making heuristics, reinforced over years of experience, and is supported directionally by our analysis of learning curves in the experienced group.


From both of the papers discussed, we can conclude real-world security is motivated by resource constraints, reliance on prevention and simplicity of those security platforms, short-term outlook to preserve profits, pre-existing beliefs, and entrenched mindsets.
 
What would you say to a co-worker who shares this belief? What would you say to a boss? 

First, one needs to know why the "real-world" security deficits in the system really exist. Budget? Compatibility? Complexity? An inherent (government) backdoor? Short staffing? Risk of system downtime to update information systems? Preexisting beliefs? Business contracts in place that conflict with the evolving security architecture? Is the vulnerable system a honeypot that is supposed to be unknown to you?

The next thing to do is express the risks and impact of not securing against evolving threats. Essentially it is a classic risk management approach supplemented by real life examples and statistics.
 
References
Jalali, M.S., Siegel, M., Madnick, S. (2017, December) Decision Making and Biases in Cybersecurity Capability Development: Evidence from a Simulation Game Experiment. Retrieved from https://arxiv.org/ftp/arxiv/papers/1707/1707.01031.pdf

Lampson, B.W. (2001). Computer Security in the Real World. MIT.edu. Retrieved from http://web.mit.edu/6.826/www/notes/HO31.pdf

 

Discussion on the New Compliance Regime

Why do you think there is an increasing number of security and privacy laws, regulations, and standards when there were so few before? 
 

As another CSOL student mentioned, “Never before has there been so much personal information captured and available”. This coincides with the theme of technology moving faster than security. The exponential growth of computing capability over the years (Moore’s Law) enables cost-efficient ways to store mass quantities of data for various business needs. The new business technologies generated by this exponential trend change the threat landscape, which in turn requires new controls.
 

In 2015, Peter Denning, a computer scientist at the Naval Postgraduate School in California, said, “We’ve just seen the beginning of what computers are going to do for us” (Sneed, 2015). If Denning’s statement is true, the increase in compliance requirements on IT systems is an attempt by regulators to catch up with the impact technology has on various industries. For example, it is no surprise that the EU is putting the GDPR into place to protect the data of its citizens while a British company, Cambridge Analytica, is influencing elections using personal data collected from Facebook (Hjelmgaard, 2018).
 
What do you think is responsible for this change? 

A profit motive that ignores the safeguarding of consumer and user information. The introduction of computing and the internet has added hurdles for organizations trying to protect their information systems from outsiders seeking to take advantage of protected information.
 

There is no greater example than the Gramm-Leach-Bliley Act. The law was put into place after “substantial fear that sensitive consumer data would be openly shared among financial organizations and their subsidiaries. This open environment would likely threaten consumer rights and the security of sensitive and personal financial data” (Bosworth et al., 2014).
 

Most of the compliance burden started with Enron and WorldCom in the early 2000s. Many companies were caught using illegal schemes to inflate their growth. For Enron, it was creating brownouts in California to manufacture a false electricity crisis (Borger, 2005). WorldCom was caught “improperly transferring $3.852 billion from line cost expenses to asset accounts during 2001 and the first quarter of 2002” (SEC, 2003). This led to the creation of the Sarbanes-Oxley Act of 2002.
 

Computing and the Internet have given consumers easy access to funds and resources, but they also introduce new exposure of consumer data. Each business area has data to safeguard: healthcare has e-PHI, online retail transactions involve payment card information (PCI), and business information systems are subject to SOX and COSO controls.


What are the benefits of this new “compliance regime”? Are there any drawbacks?
 
Benefits
Assurance for Investors: Investors may have greater confidence in the company that has a competent compliance and risk management program.

Disclosure of Security Breaches for Consumers: “Compliance and regulatory disclosure requirements generally shape corporate attention to the impact of cyberattacks…those requirements largely center on the theft of PII, payment data, and personal health information” (Gelinne et al., 2016).

The Cost of Data Breaches Outweighs the Upfront Cost of Compliance: The costs of a breach extend far beyond the direct, tangible costs of ensuring compliance. The graphic below shows the wide range of costs associated with a breach, particularly the invisible costs:

[Figure: breach cost graphic showing the visible and invisible costs of a breach (Gelinne et al., 2016)]

Drawbacks
Moderating Costs of Senior Resources: “Consistent with prior years, the reasons given for increased resource costs include focus on skills and include up-skilling of existing staff, increased costs to obtain required skills as well as the need to keep pay competitive to retain experienced compliance personnel” (English & Hammond, 2017). This would affect the organization’s competitiveness at an international level against companies in countries with looser compliance standards.

Third-Party Exposure: “Outsourcing continues to be a well-trodden path for firms with 28 percent choosing to outsource some or all of their compliance functionality (25 percent in 2016). Consistent with the prior year, the top two reasons given were the lack of in-house compliance skills and the need for additional assurance on compliance processes” (English & Hammond, 2017).

Increasing Impact of Technology: “A third of all firms overall (33 percent) and almost half of G-SIFIs (48 percent) are expecting more compliance involvement in the assessment of fintech and regtech solutions in the coming year. This is in addition to the 48 percent of all firms which expect to spend more time in 2017 assessing cyber resilience in their firm” (English & Hammond, 2017).

Risk Reduction Through Compliance Is Guesswork: “Security risk is not measurable, because the frequencies and impacts of future incidents are mutually dependent on variables with unknown mutual dependency under control of unknown and often irrational enemies with unknown skills, knowledge, resources, authority, motives, and objectives—operating from unknown locations at unknown future times…” (Pile & Cleare, 2016). Commenting on PCI DSS compliance: “Compliance does not guarantee protection against data breaches, nor does it insulate a company from related expenses” (Pile & Cleare, 2016).
 
 
References
Borger, J. (2005, February 4). Tapes reveal Enron's secret role in California's power blackouts. Retrieved from https://www.theguardian.com/business/2005/feb/05/enron.usnews

Bosworth, S., Kabay, M.E., & Whyne, E. (2014). Computer Security Handbook, Sixth Edition, Volume 2. Hoboken, New Jersey: John Wiley & Sons, Inc.

English, S., & Hammond, S. (2017). Cost of Compliance 2017. ThomsonReuters.com. Retrieved from https://risk.thomsonreuters.com/content/dam/openweb/documents/pdf/risk/report/cost-of-compliance-2017.pdf

Gelinne, J., Fancher, D.J., & Mossburg, E. (2016, July 25). The hidden costs of an IP breach: Cyber theft and the loss of intellectual property. Deloitte.com. Retrieved from https://www2.deloitte.com/insights/us/en/deloitte-review/issue-19/loss-of-intellectual-property-ip-breach.html

Hjelmgaard, K. (2018, March 22). Cambridge Analytica active in elections, big data projects for years. Usatoday.com. Retrieved from https://www.usatoday.com/story/news/world/2018/03/22/cambridge-analytica-profile/437210002/

Pile, R.J., & Cleare, K.W. (2016, March 1). Pros and Cons of the Payment Card Data Security Standard. Law360.com. Retrieved from https://us.eversheds-sutherland.com/portalresource/lookup/poid/Z1tOl9NPluKPtDNIqLMRV56Pab6TfzcRXncKbDtRr9tObDdEo0pDoW3!/fileUpload.name=/Pros%20And%20Cons%20Of%20The%20Payment%20Card%20Data%20Security%20Standard.pdf

SEC. (2003, March 31). Report of Investigation by the Special Investigative Committee of the Board of Directors of WorldCom, Inc. SEC.gov. Retrieved from https://www.sec.gov/Archives/edgar/data/723527/000093176303001862/dex991.htm#ex991902_3

Sneed, A. (2015, May 19). Moore's Law Keeps Going, Defying Expectations. Retrieved from https://www.scientificamerican.com/article/moore-s-law-keeps-going-defying-expectations/