regulations

RBI seeks data from banks on frauds

March 28, 2007 by binoy Leave a Comment

The Reserve Bank of India (RBI) has instructed banks to furnish data on frauds, thefts and burglaries on a quarterly basis to the regional offices of the Urban Banks Department.

Cases of online fraud and identity theft (also known broadly as phishing) come under the purview of this notification. The premier bank.s recent directive is a follow-up to its master circular on .Frauds – Classification and Reporting. for Primary (Urban) Co-operative Banks, issued in 2003.

There are more than seven million phishing attempts every day, according to security company Symantec, of which 84 per cent are targeted at banks and financial institutions.

In recent years, HDFC Bank, ICICI, SBI and more recently UTI Bank have been the target of phishing attacks. Phishing is a form of online identity theft where consumers. personal identity data and financial account credentials are stolen by third parties.

Phishing involves sending .spoofed. e-mails that direct consumers to websites designed to trick them into entering sensitive information such as usernames and passwords.

According to cyber law expert Pavan Duggal, many of these cases are not reported as financial institutions fear loss of credibility among customers.

The low rate of cyber crime convictions in India has been a further deterrent to reporting of cases. According to Duggal, there have been only two convictions in India so far . one of identity theft (credit card details) by a BPO employee and the other pertaining to an obscenity case in Tamil Nadu.

Following the RBI notification, banks are now scrambling to beef up existing security measures. Sources at HDFC Bank confirmed that several measures were being taken to tighten security and adopt internationally accepted best practices.

HIPAA Security Compliance

February 3, 2007 by binoy Leave a Comment

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996

Title II of HIPAA, the Administrative Simplification provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers

Let have a look at the Security rule. The HIPAA Security rule has 3 focus areas, just like we discussed in the BS7799 article, they are:

Administrative Safeguards
Physical Safeguards
Technical Safeguards

The act contains 42 rules which are classified in to .Required. and .Addressable.. 20 rules are marked as .Required.; and 22 are marked .Addressable.

The rules marked as .Required. calls for mandatory implementation, while the others are recommended for implementation. So if you are looking at getting the HIPAA Security audit through, just implement the .Required. rules. But if you are looking at having a good Information Security Management System, it is suggested that you implement all possible rules defined the act.

UK-EU Regulations

October 14, 2006 by binoy Leave a Comment

In the last post many of the US regulations were discussed. This post focus on the UK regulations which has a Information Security Impact

The Turnbull Guidance 1999

Known as .Internal Control: Guidance for Directors on the Combined Code., this regulation.s principal aim is to encourage companies to identify and manage internal and external risk within their organizations.

IT security represents a major risk to business continuity. Security information management tools can help IT departments draw up reports demonstrating management of information security and business continuity risk.

Applicable for all companies listed on the UK Stock Exchange must implement the findings

The Companies Act 1985 Regulations 2005

These sets of regulations amend the Companies Act of 1985 and introduce the need for an Operating and Financial Review. This must contain a fair review of the business of the company and a description of the principal risks and uncertainties facing the company. This review must also include business analysis via key performance indicators.

This set of regulations includes similar information security requirements as with the Turnbull Guidance; Information security measures are needed to manage risk by ensuring business continuity and protect IP rights. Requirements state that processes should also protect the data information used to create the reports provided to auditors and directors.

The Companies Act 2004

Known as the UK Companies (Audit, Investigations and Community Enterprise) Act 2004 it aims to improve the reliability of financial reporting and the independence of auditors while strengthening the role of the Financial Reporting Review Panel (FRRP) in enforcing good accounting and reporting, by giving it new powers to require necessary documents.

Information security solutions can help maintain the integrity and availability of these pieces of information.

The Act affects all companies audited in the UK and their directors.

Money Laundering Regulations 2003 (MLR)

Businesses must appoint a money laundering reporting officer (MLRO) to train employees on the relevant principals and requirements of the legislation, verify the identity of new clients, and maintain records of client identification and transactions for five years. Information security technologies and procedures are needed to ensure that records are not lost, corrupted or defaced in any way.

Applicable for financial services institutions as well as relevant professionals and other .relevant. industries including estate agencies, insolvency practitioners, tax consultants, accountants, finance and real estate legal services professionals and organizations dealing in goods involving transactions of more than .15,000.

EU Data Protection Directive

The directive covers the processing of personal data, including automatically-processed data and manual data in a filing system. Conditions include the confidentiality and security of processing as well as provisions for transfer to a third country. Organizations must implement appropriate measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, or access.

The US Safe Harbor Arrangement is a streamlined process for US companies to comply with the Directive, developed by the US Department of Commerce in consultation with EU.

The 95/46/EU Data Protection Directive applies to member countries within the EU and other countries that conduct business with member countries.

EC Privacy and Electronic Communication Regulations (EC Directive) . 2003

The legislation protects the public from electronic marketing practices that cause nuisance, offence and invasion of privacy.

IT security solutions and processes should be put in place to ensure that electronic marketing records are both available and correct.

Electronic service providers need both business continuity measures to maintain system and network uptime as well as measures put in place for more general data protection issues relating to customer data sets.

Organizations that use email marketing must comply with the regulations; additionally telecom companies and ISPs must implement security technologies and practices to safeguard their services.

UK Data Protection Act

The Act makes it a legal obligation for anyone processing personal data to establish good practice in managing and using the data. Anyone processing personal information must comply with eight enforceable principles of good information handling practice. Good information security practice is implied in all eight, but explicitly in Principle 7, which relates to the prevention of unauthorized or unlawful processing, and of accidental loss or damage to data.

Companies must ensure that both organizational as well as technical means must be used to protect personal information.

Any organization collecting personal data is covered by the Act

The Freedom of Information Act 2000 . UK

The Act states that public authority information cannot be altered, defaced or destroyed. Public authorities need to implement effective records and document management systems and IT security solutions are required to ensure the uptime of these systems and that both the information and the records kept on them are not altered or corrupted in any way.

The Act gives the general public access to information held by public authorities.

EU Annex 11, Computerized Systems

The central consideration of this regulation is that .records are accurately made and protected against loss or damage or unauthorized alteration so that there is a clear and accurate audit trail throughout the manufacturing process..

Annex 11 applies to all pharmaceutical manufacturers in the EU using computerized systems in manufacturing, storage, distribution, and quality control of medicinal products

Information Security regulations

June 11, 2006 by binoy Leave a Comment

Information Security is paramount in todays world. The world of information security is driven by the business needs and regulations. To achieve compliance, organizations often choose well known standards as benchmarks.Many countries have enforced regulations to protect the interests of the common public. Protection of everyone.s privacy is one among the top priorities of every government. Other than privacy, regulations protect investor interests, security of personal, financial information etc..

Here is a list of Security and Privacy regulations in various countries

United States of America

HIPAA – Health Insurance Portability and Accountability Act

To improve the efficiency and effectiveness of the health care system, the Health Insurance Portability and Accountability Act (HIPAA) of 1996, Public Law 104-191, included .Administrative Simplification. provisions that required Health and Human Services (HHS) to adopt national standards for electronic health care transactions.

The information security references in HIPAA are the following rules

HIPAA Security – The HIPAA Security rule describes the requirements to secure the electronic protected health information(ePHI)

HIPAA Privacy – The HIPAA privacy rule make the law of the need of keeping the health information private.

More details about HIPAA can be found at http://www.hhs.gov/ocr/hipaa/

HIPAA applies to all healthcare providers, payers, and clearinghouses in the US.

SOX – Sarbanes-Oxley Act

The Sarbanes-Oxley Act is designed to review dated legislative audit requirements to protect investors by improving the accuracy and reliability of corporate disclosures, covering issues such as establishing a public company accounting oversight board, corporate responsibility, auditor independence, and enhanced financial disclosure.

All companies publicly traded in the United States and regulated by the Securities and Exchange Commission (SEC), including US-based companies as well as all international companies that have shares traded on a US exchange.

GLBA- Gramm-Leach-Bliley Act

GLBA includes provisions to establishing administrative, physical, and technical safeguards to protect the security, confidentiality, and integrity of consumer financial information. GLBA applies to financial institutions in the US, such as banks, securities firms, insurance companies, and other companies selling financial products.

California Assembly Bill 1950

California.s Assembly Bill 1950 expands on the privacy requirements of Senate Bill 1386 and requires that organizations take .reasonable precautions. to protect California residents. personal data from modification, deletion, disclosure, and misuse rather than just report on its disclosure.

This bill is applicable to state Agencies, persons, or businesses conducting business in California, that own or license computerized data containing personal information.

Authentication in an Internet Banking Environment(FFIEC November 2005 Guidance)

This guidance recommends that financial institutions and their application service providers (ASPs) deploy security measures to reliably authenticate their online banking customers. It considers single-factor authentication, as the only control mechanism, to be inadequate for online banking. Banks should use authentication methods that are both effective and appropriate to the risks associated with online banking. These methods include multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks.

This is applicable for all financial institutions in the U.S., including banks, brokerages, credit unions and the like, and ASPs that offer Internet banking applications.

21 CFR Part 11

21 CFR Part 11 outlines the US Food and Drug Administration.s requirements for electronic records and electronic signatures. It is designed to prevent fraud while permitting the widest possible use of electronic technology within the pharmaceutical industry.

Organizations must implement controls to ensure authenticity, integrity, confidentiality, and non-repudiation of electronic records. In some cases, organizations must also implement measures such as encryption and digital signatures.

All organizations regulated by the FDA, which includes pharmaceutical, biotech, medical device, food, and cosmetic companies.

California Information Practice Act ( SB 1386)

This regulation requires organizations conducting business in California to disclose any security breach that occurs to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Since the law requires notification of security breaches involving .unencrypted. sensitive data, there is a safe harbor for those organizations which have encrypted the data.

This is applicable for all State Agencies, persons, or businesses conducting business in California, that own or license computerized data containing personal information.

North American Electric Reliability Council

The stated purpose is .to protect the critical cyber assets essential to the reliability of the bulk electric system..

The standard includes:

additional detail to clarify technical requirements and compliance measures
authorization requirements to place these measures into production
access authorization process requirements
generic account management requirements
change control and configuration management requirements
operating status monitoring tools
backup and recovery requirements
Applicable for all entities responsible for planning, operating, and using the bulk electric system must comply with NERC reliability standards.

Federal Information Security Management Act (FISMA)

FISMA requires federal agencies to develop, document, and implement agency-wide programs to secure data and information systems supporting agency operations and assets, including those managed by other agencies or contractors.

Applicable for all Federal agencies, state, local, and tribal governments, as well as private sector organizations composing the critical infrastructure of the United States.

USA PATRIOT Act

The Act gives federal officials greater authority to track and intercept communications, both for law enforcement and foreign intelligence gathering purposes.

All US companies and companies conducting business in the US are affected by this regulation

Federal Information Processing Standards (FIPS)

For applications or devices that include cryptography, U.S. federal government agencies are required to use a cryptographic product that has been Federal Information Processing Standard (FIPS) 140 validated or Common Criteria (CC) validated, and most CC Protection Profiles rely on FIPS validation for cryptographic security.

The FIPS 140 requirement .. . . is applicable to all U.S. government departments and agencies which use cryptographic-based security systems to protect unclassified information including any organization selling products to U.S. and Canadian government agencies