1

LECTURE 4: INTRODUCTION TO
REGULATORY STANDARDS IN
NETWORKING AND OCTAVE ALLEGRO

Networks standards and compliance- Dhanesh More

 Agenda
2

 OCTAVE ALLEGREO
 HIPAA
 PCI-DSS
 SOX
 FEPRA
 OCTAVE– a brief history
3

1999 OCTAVE developed by Software Engineering Institute

2003 OCTAVE-S a streamlined version

2007 OCTAVE Allegro

 Octave- Process overview
4

SEI Octave Process:

Phase 1 – Build Asset-based Threat Profiles
Identify assets, threats, organizational risks
Phase 2 – Identify Infrastructure Vulnerabilities
Analyze infrastructure resources for vulnerabilities
Phase 3 – Develop Security Strategy and Plans
Recommend and implement controls

OCTAVE Allegro
1. Establish risk measurement criteria
2. Develop information asset profile
3. Identify information asset containers
4. Identify areas of concern
5. Identify threat scenarios
6. Identify risks
7. Analyze risks
8. Select mitigation approach
 OCTAVE Allegro Roadmap
5
 Step 1:Establish Risk Measurement Criteria
6

 Establish the organizational drivers that will be used to evaluate the effect of a risk to organization’s mission and
business objectives. These drivers are reflected in a set of risk measurement criteria that client’s team will develop.
 Risk measurement criteria form the foundation for information asset risk assessment
 The criteria should be focused at an organizational level and should reflect senior management’s awareness of the risk
environment in which the organization operates.

Activity 1: Define a qualitative set of measures (risk measurement criteria)

 At a minimum, consider the following impact areas:
 Reputation/customer confidence
 Financial
 Productivity
 Safety and health
 Fines/legal penalties
 User-defined impact area

Activity 2: Prioritize the impact areas from most important to least important
This prioritization is used later in the risk assessment to develop a relative risk score that can help organization determine how
to address risks that have been identified in the assessment.
 Step 2 – Develop an Information Asset Profile
7

 Critical information asset – Critical information assets are the most important assets to an organization. The organization will suffer an
adverse impact if
 a critical asset is disclosed to unauthorized people
 a critical asset is modified without authorization
 a critical asset is lost or destroyed
 access to a critical asset is interrupted
 Information asset – An information asset can be described as information or data that is of value to the organization, including such
information as patient records, intellectual property, or customer information. These assets can exist in physical form (on paper, CDs, or
other media) or electronically (stored on databases, in files, on personal computers).
 Information asset profile – A representation of an information asset describing its unique features, qualities, characteristics, and value.
 How to prepare Information Asset profile:
 Activity 1: Identify information assets
 Activity 2: Focusing on the critical few
 Activity 3: Gather information about your information asset
 Activity 4: Document your rationale for selecting the critical information asset
 Activity 5: Record a description for the critical information asset
 Activity 6: Identify and document the owners of the critical information asset
 Activity 7: Record the security requirements for confidentiality, integrity, and availability
 Activity 8: Identify the most important security requirement for the information asset
 Step 3 – Identify Information Asset Containers
8

 Information asset container – An information asset container is where information assets are stored,
transported, or processed.
 The identification of containers is essential to identifying risks to the information asset itself.
 The places where an information asset is stored, transported, or processed can become points of
vulnerability and threats that put the information asset at risk.
 Conversely, they can also become places where controls can be implemented to ensure that information
assets are protected from harm so that they can be used as intended.
 Containers are most typically identified as some type of technical asset—hardware, software, or system—
but a container can also be a physical object such as piece of paper or a person that is important to the
organization.
 There are three very important points with respect to security and the concept of an information asset
container:
 The way in which an information asset is protected or secured is through controls implemented at the container level.
 How well the controls implemented at the container level
 Any vulnerabilities or threats to the containers in which the information asset lives are inherited by the information asset.

 Identify and document the containers from these 3 dimensions :Technical, Physical, People
 Step 4 – Identify Areas of Concern
9

 Area of Concern – A descriptive statement that details a real-world condition or situation that could affect an information
asset in your organization.
 Step 4, Describes the process of developing information asset risk profiles
 Areas of concern may characterize a threat that is unique to your organization and its unique operating conditions.
 The purpose of this step is not to capture a complete list of all possible threat scenarios for an information asset; instead, the
idea is to quickly capture those
: situations or conditions that come immediately to mind that could affect your asset and record
them.
 Must consider the various actors, motives, and outcomes inherent in the area of concern
 The following are examples of areas of concern

Areas of concern
On the primary file server, incorrect file permissions might enable a staff member to accidentally access another employee’s
medical records.
On the payroll database server, a failure of the authentication controls could allow a user to accidentally view another
employee’s salary on the payroll system.
John Smith is the only employee who knows the production specs for producing widgets. The specs have never been written
down. John Smith has been talking about leaving the company; if he does so, and the widget specs aren’t obtained, we can’t
make widgets.

A patient’s medical records, which are contained in folders often left on the nursing station desks, are altered by an
unauthorized employee because there is no access control.
 Step 5 – Identify Threat Scenarios
10

 Threat scenario – A threat scenario is a situation in which an information asset can be compromised. It
generally consists of an actor, a motive, a means (access), and an undesired outcome. Threat scenarios are
simplified ways to determine if a risk exists that could affect your information asset.
 Threat trees – A tree structure used to visually represent a range of threat scenarios. Threat trees help you
to ensure that you consider a broad range of potential threats to your information asset as the basis for
determining risk. :
 Step 6 – Identify Risks
11

 Impact statement – A descriptive statement that details how the organization is impacted when a threat scenario is realized.
The impact statement is the consequence of the realization of a threat scenario
 By identifying how the organization is impacted, you are completing the risk equation. This can be illustrated as follows:
Threat (condition) + Impact (consequence) = Risk
[Steps 4 and 5] + [Step 6] = Risk
 For each threat scenario that is documented, determine how organization would be impacted if this threat scenario was
realized. This is the consequence of the threat and completes the risk equation.
 Document a minimum of one consequence. Additional consequences can be documented as necessary.

Threat Scenario Consequence

Incorrect file permissions enable a staff member to accidentally The medical records of an employee are disclosed, resulting in a
access another employee’s medical records. lawsuit filed against the organization and a resulting fine of
$50,000.

John Smith is the only employee who knows the production specs for Widgets are not produced, resulting in loss of production revenue of
producing widgets. The specs have never been written down. John $250,000 per day and potential that the company would shut
Smith has been talking about leaving the company; if he does so, down.
and the widget specs aren’t obtained, we can’t make widgets.

A patient’s medical records are altered by an unauthorized An incorrect dose of medication (or an incorrect medication) is given
employee due to poor authentication controls. to a patient resulting in their death and resulting lawsuits, reputation
damage, and possible fines.
 Step 7 – Analyze Risks
12

 Impact value – A qualitative value assigned to describe the extent of impact to an organization when a threat scenario and
resulting impact is realized. The impact value is derived from the risk measurement criteria
 Qualitatively measure the extent to which the organization is impacted by a threat by computing a risk score for each risk to
each information asset.
 This scoring information is used for determining which risks you need to mitigate immediately and for prioritizing mitigation
actions for the remainder of risks in Step 8
 In this activity, a relative risk score is generated
 The relative risk score is derived by considering the extent to which the consequence of a risk affects the organization as
compared to the relative importance of the various impact areas
 Following activities must be performed for each Information Asset
 Review the Risk Measurement Criteria
 A relative risk score will be computed that can be used to analyze risks and help the organization to determine an
appropriate risk strategy. Compute the score for each impact area by multiplying the impact area rank by the impact value

Impact Area Ranking Impact Value Score

Reputation 4 Moderate (2) 8

Financial 5 Low (1) 5

Productivity 3 Low (1) 3

Safety and Health 1 Low (1) 1

Fines/Legal 2 High (3) 6

Total Score 23
 Step 8 – Select Mitigation Approach
13

 Mitigation approach – The way that an organization intends to address a risk. An organization has the following options:
accept, mitigate, or defer.
 Residual risk – Residual risk is the risk that remains when a mitigation approach has been developed and implemented for the
range of risks that affect an information asset. Residual risk that remains must be acceptable to the organization
 In Step 8, consider which risks you need to mitigate and how
 This is done by prioritizing risks, deciding on an approach to mitigate important risk based on a number of organizational
factors, and developing a mitigation strategy that considers the value of the asset and the places where it lives.
 Impact value is a primary driver, but so is probability
 If a risk could seriously or significantly impact the organization but is highly unlikely to occur, you may not want to mitigate it
 Often, this is a decision that is driven by the individuals involved in the risk assessment and their knowledge of the
organization.
 Once the decision is made to mitigate a risk, you must develop an effective and efficient mitigation strategy.
 The need for collaboration between business experts and information technology personnel highlights the scenario in which the
owner of an information asset is different from the custodian
 the information asset with the most extensive security requirements influences the overall controls applied to the container.
 Step 8 – Select Mitigation Approach (Continued..)
14

RELATIVE RISK MATRIX Consider the following questions when developing a

risk mitigation strategy:
RISK SCORE • How could the actor be prevented from exploiting a weakness?
PROBABILITY • How could the means that the actor would use be prevented?
30 TO 45 16 TO 29 0 TO 15
• How could the motive be prevented?
• How could the resulting outcome be prevented?
HIGH POOL 1 POOL 2 POOL 2
• Could the probability of the threat be reduced?
MEDIUM POOL 2 POOL 2 POOL 3 • If no proactive activity can be performed, can the impact of
the threat be reduced?
LOW POOL 3 POOL 3 POOL 4 • Can the organization minimize the effect or impact of a
realized risk?
• How will the security requirements for this information asset be
satisfied by the mitigation strategy?

Pool Mitigation Approach

Pool 1 Mitigate
Pool 2 Mitigate or Defer
Pool 3 Defer or Accept
Pool 4 Accept
15
 HIPAA- Overview
16

 Health Insurance Portability and Accountability Act

 Initially effective April 14, 2001
 Modified August 14, 2002
 Final Implementation April 14, 2003
 HIPAA is a Federal Law that has special privacy and security rules that health agencies must follow.
-Privacy rules make sure that a patient’s personal info is not given to others without permission.
-Security rules make sure a patient’s personal info is stored safely.
 Gives more control to the patients over their health information
-How the info may be used.
-Limits the amount of info released.
-Gives patients the right to examine and obtain a copy of their health records and request corrections.
 Sets boundaries on the use and release of health records
 Establish safeguards to protect the privacy of health info
 Holds violators accountable
 HIPAA and Privacy Rule Overview:
17
The Privacy Rule applies to protected health
information (PHI)

Protected health information (PHI) is “identifiable” health information acquired in

the course of serving patients. Any of the following data make health information
“identifiable”:
 Name
 Social security number
 Street and email addresses
 Employer
 Telephone and fax numbers
 Member or account numbers
 (e.g. medical record number, health plan identification number)
 Relatives’ names
 Date of service, birth or death
 Fingerprints, photographs, voice recordings
 Certificate or license numbers
 Any other linked number, code, characteristic (e.g. device identifiers, serial numbers)

18
 Permitted Uses and Disclosures of PHI
19

An agency may use or disclose PHI for the following purposes:

 In order to treat a patient.
 Justifying payment for treating a patient.
 Certain administrative, financial, legal, and quality-improvement activities that are necessary to “run the business” (such activities
are called “health care operations”).

If the disclosure complies with and is limited to what the law requires, agencies are permitted to disclose PHI:
 To public health authorities and health oversight agencies
 To coroners, medical examiners, and funeral directors
 For organ procurement
 To respond to court orders and subpoenas

There are certain disclosures that agencies may make if the patient is given the opportunity to agree or object:
 A patient’s location and condition (in general terms) if the patient is asked for by name or for disaster relief purposes.
 PHI relevant to care, or to family/close friends who are designated by the patient

Written permission or authorization from the patient is required to use or disclose PHI for purposes other than treatment, payment, health
care operations, or as required by law or for public health reasons.
 Permitted Uses and Disclosures to Carry Out Treatment,
Payment, and Health Care Operations
20

An entity may use or disclose PHI for its own “Treatment,” “Payment,” or “Health Care
Operations”:

 “Treatment” generally means the providing, coordinating, or managing health care and
related services among health care providers or by a health care provider with a third party;
consultation between health care providers regarding a patient; or the referral of a patient
for health care from one health care provider to another.

 “Payment” encompasses the various activities of health care providers to obtain payment or
be reimbursed for their services and of a health plan to obtain premiums, to fulfill coverage
responsibilities, and to provide benefits under the plan.

 “Health Care Operations” are certain administrative, financial, legal, training, and quality
improvement activities of a covered entity that are necessary to run its business and to support
the core functions of treatment and payment.
 Fines and Legal Penalties
21

 Federal fines of $100 per accidental violation ($25,000 annually).

 Maximum fine of $250,000 for malicious violation
 Federal prison sentence up to 10 years for selling PHI or maliciously using the info
to harm someone

 Sanction Levels
 Level 1- Violation is accidental. Ex: Disclosing PHI by leaving a computer terminal
unattended without logging off.
 Level 2- Violation is purposeful disregard of policies. Ex: Using another employee’s
password to look at patient records without a need to know.
 Level 3- Violation is intentional and malicious with complete disregard to HIPAA standards.
Ex: Selling PHI to a local newspaper.
 De-identified Data Sets (DDS)
 HIPAA allows the CE to create,
use or disclose a De-identified
Data Set
 No Patient Authorization required
 No tracking of disclosures
 Researchers may act as members of the
workforce to create a de-identified
Data Set if they have received HIPAA
training.
 CE must De-identify the Data Set by 1
of 2 methods:
 Application of a statistical method that
renders information not individually
identifiable; or
 Stripping of 18 listed identifiers for
patients, relatives, employers, or household
members, such as:
 Names; geographic subdivision (city, state,
zip Code);
 All elements of dates (date of birth, death,
service)
 Social Security numbers, medical record
numbers, patient account numbers, etc.
22
 Limited Data Sets (LDS)
23

 HIPAA allows the CE to create, use or disclose a LDS for research, public health
disclosures and health care operations
 No Patient Authorization required
 No accounting of Uses and Disclosures with LDS
 Recipient of the LDS must sign a Data Use Agreement (see UC Boilerplate)
 UC should retain Data Use Agreements
 Researchers may act as members of the workforce to create a LDS, if they have received HIPAA training
and have signed a Confidentiality Agreement

 LDS removes direct identifiers of the individual, relatives, employers or household

members, but allows … age, dates, ethnicity and zip code
 Dates of admission, discharge and service, date of birth / death
24
 PCI-DSS
25
Payment Card Industry Data Security Standard

 PCI DSS is a worldwide security standard established through the Security Standards Council (SSC)
in 2006 by:
 American Express
 Discover Financial Services
 JCB International
 MasterCard Worldwide
 Visa

 The PCI security standards are technical and operational requirements placed on organizational
entities that process card payments to prevent credit card fraud, and hacking and mitigate other
security vulnerabilities/threats.

 The standards apply to all organizations that store, process or transmit cardholder data, which
obviously includes an increasingly larger number of state agencies transacting with businesses, with
citizens, and with other government entities.
 PCI-DSS
26

 The following are the six primary control areas comprising the Payment
Card Industry security standard:

 Build and Maintain a Secure Network

 Protect Cardholder Data
 Maintain a Vulnerability Management Program
 Implement Strong Access Control Measures
 Regularly Monitor and Test Networks
 Maintain an Information Security Policy
 Long list of requirements
27

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security
 Example for illustration
28

 Example: Step 1 – Install and Maintain Firewall

 Actually 28 steps total...
29
30
31
 Steps to become Compliant
32

 Report on Compliance (ROC)

 Pass vulnerability scans by Approved Scanning Vendor
 Complete Attestation of Compliance (AOC)
 Submit all paperwork to the acquirer
 Network components involved
33

 Firewall
 IDS
 Proxy server
 Encryption
 DR / BCP
 Threat modeling
 Trust boundaries / zones
 3-Zone Security Architecture
34
 Non-Compliance
35

 Too many requirements: 220+ total  Huge Fines

 Terrifying for Merchants  Cisero Ristorante and Nightclub
 Not always computer-savvy  Network “might have been compromised”

 Don't always understand motivation  Forensics showed no sign of breaches

behind steps  Found POS stored data in unencrypted form
Visa estimated liability $1.33 million
 Problems with Scope 

 Visa fined them $55,000; MasterCard $15,000

 Confusing Requirements  $15,000 for fraudulent charges
 Ambiguous Requirements
 Heartland Payment Systems
 Agreed to pay:
 $60 million – Visa
 $3.6 million – American Express
 Forensic Investigation
 Reputation Damage
36
 SOX Overview
37

 The Sarbanes-Oxley Act (SOX) was enacted by the Federal government in 2002 in response
to a number of major corporate and accounting scandals, most prominently that of the Enron
Corporation.

 SOX establishes new, enhanced standards for all U.S. public companies, and though as such
it is not directed at government, it has nonetheless had a significant impact on internal
accounting controls in public agencies through its focus on management oversight of how
fiscal information within agencies is created, accessed, stored, processed, and transmitted
within automated as well as manual record systems.
 Sponsors: US Senator Paul Sarbanes and US Representative Michael Oxley.
 Applies to: publicly-traded companies.
 Overseen by the SEC and the new Public Company Accounting Oversight Board (PCAOB)
 Sarbanes-Oxley Act of 2002
38

 Intended to restore investor trust in US corporations

 Changes how companies manage:
 Auditors
 Financial Reporting
 Executive Responsibility
 Internal Controls
 SOX Section 302, 404
Corporations required to:
 assess internal controls around financial reporting system
 Report effectiveness of controls to SEC
 Assessment must be reviewed and judged by an outside auditing firm
 Section 404: Management Assessment of Internal Controls

39

Requires each annual report of an issuer to contain an "internal control report," which
shall:

(1) state the responsibility of management for establishing and maintaining an adequate internal
control structure and procedures for financial reporting; and

(2) contain an assessment, as of the end of the issuer's fiscal year, of the effectiveness of the internal
control structure and procedures of the issuer for financial reporting.

 Each issuer's auditor shall attest to, and report on, the assessment made by the management of
the issuer. An attestation made under this section shall be in accordance with standards for
attestation engagements issued or adopted by the Board. An attestation engagement shall not
be the subject of a separate engagement.

 The language in the report of the Committee which accompanies the bill to explain the
legislative intent states, "--- the Committee does not intend that the auditor's evaluation be the
subject of a separate engagement or the basis for increased charges or fees."
 Information Security and SOX
40

 Financial reporting systems heavily dependent on well controlled IT environment

(ITGI, 2004).

 Internal controls include information security controls

 ITGI identified security controls required by SOX in the following areas:

 Security Policy
 Security Standards
 Access and Authentication
 Network Security
 Monitoring
 Segregation of Duties
 Physical Security

 Companies required to assess and report the effectiveness of these controls to be

compliant
41
 FERPA
42

 The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR
Part 99) is a Federal law that protects the privacy of student education records. The
law applies to all schools that receive funds under an applicable program of the U.S.
Department of Education.

 Schools or public agencies that receive student data may disclose, without consent,
“directory” information such as a student’s name, address, telephone number, date and
place of birth, honors and awards, and dates of attendance.

 However, schools or agencies must tell parents and eligible students about directory
information and allow parents and eligible students a reasonable amount of time to
request that the school not disclose directory information about them. Schools must
notify parents and eligible students annually of their rights under FERPA.

 Education records must not be disclosed and must be protected.

43

Thank you!!