IT Manager's Handbook: Getting Your New Job Done (55 page)

From a technical perspective, phishing relies on spoofing e-mail. From the human perspective, phishing also relies on “social engineering.” Social engineering is the practice of trying to get information from people by lying to them. Social engineering relies on the natural tendency of people to trust, to follow instructions, and to want to help. From this perspective, the adage about users being the weakest link of computer security is certainly true. Typical social engineering tricks include pretending to be an IT administrator and contacting users to verify their account or password. While pretending to be from IT is popular, so is IT as the victim. In the reverse situation, the phisher might call the Help Desk and complain that he's having difficulty logging in. By counting on the Help Desk to provide “help” (including instructions, password resets, etc.), the phisher may be able to gain access to the system.

Some Security Stories

Grand Theft

“(CNN) -- A hacker has obtained the personal information of PlayStation Network account holders and subscribers of the Qriocity streaming service, Sony said in a message to customers … The attack also has crippled Sony's PlayStation Network, which has some 70 million subscribers …” (
www.cnn.com/2011/TECH/gaming.gadgets/04/26/playstation.network.hack/
).

A Tiny Clue Leads to Giant Flaw

“What first appears as a 75-cent accounting error in a computer log is eventually revealed to be a ring of industrial espionage … Clifford Stoll [Lawrence Livermore lab scientist] becomes, almost unwillingly, a one-man security force trying to track down faceless criminals who've invaded the university computer lab he stewards” (
www.amazon.com/gp/product/0671726889/002-0037032-5296037?v=glance&n=283155
).

A Classic (and Unfortunate for the Victim) Story of the Damage Lack of Understanding Can Cause

Kevin Mitnick is a famous hacker, one of the first to hone his social engineering skills to break into and acquire all kinds of technical information (including code from Nokia and Motorola). After he was arrested, he had the guards so spooked at his federal penitentiary that they put him in solitary confinement for eight months because they were convinced he could launch nuclear missiles by whistling into a phone (
www.cnn.com/2005/TECH/internet/10/07/kevin.mitnick.cnna
).

8.5 Compliance and IT

Certainly one of the biggest changes to affect the IT industry over the past few years has been the concern for compliance of a variety of regulations and legislation. Spurred by events such as the financial scandals of Enron, WorldCom, Bernie Madoff, HealthSouth, Adelphia, Tyco, Qwest Communications, and Global Crossing (to name a few), along with the financial sector meltdown of 2008 and 2009, attention has been drawn to the integrity of financial reporting and controls. In these cases, senior management was allegedly aware of events and activities that led to the misstatement of the financials and the deception of investors.

Following this series of scandals, there was renewed interest in ensuring that sufficient controls were in place to make sure that this couldn't happen again. The most well-known legislation is the Sarbanes–Oxley Act of 2002, which was passed by the U.S. Congress and is discussed later in this chapter on
page 227
. Of course, while Sarbanes–Oxley is the best known, it isn't, by far, the only set of regulations that makes sure that data, financials, etc. are being handled properly.

“Compliance” is a broad term that can carry a lot of meanings. Is the entrance to your building ADA (Americans with Disabilities Act)-compliant? Was your television compliant for the digital TV (DTV) conversion of 2009? Is your health care provider HIPAA-compliant?

Overview

The following section,
“The Rules,”
presents some important compliancy regulations. You may have heard of some of these and are wondering if they pertain to your group or company. The goal is to provide you with a brief overview of the rule or regulation; you can then either pursue further information or decide the issue does not pertain to your situation.

For example, the HIPAA
privacy
provision took effect in 2003, but the
security
provision of HIPAA didn't take effect until 2005. You may have been working for a health care provider and heard the term “HIPAA compliant” for years but not understood what that meant. For ITers, the biggest impact of the rules and regulations of compliance generally relates to controlling, securing, and managing data. This is no small issue: Making data flow from one place to another is easy (sometimes too easy), but making it flow only to certain places and
not
to others (and to be certain of that) is much harder. In 2006, the FTC imposed a $10 million fine on ChoicePoint for failing to comply with the data protection obligations of the Fair Credit Report Act when a security breach resulted in the potential exposure of financial records for over 100,000 individuals.

Personally Identifiable Information
(PII)

Many of the compliance regulations presented in the following section
“The Rules”
have specific references to individuals’ personal data. Within the industry, this is referred to as Personally Identifiable Information (PII) and essentially refers to any data that can be used (either alone or with other data and sources) to identify a person. The definitions of PII vary among regulations and countries, but often include fields like:

•
Name

•
Government ID number (e.g., Social Security number)

•
Driver's license and other identification numbers

•
Birth date, place of birth

•
Personal telephone numbers

•
Personal e-mail address

•
Home address

•
Mother's maiden name

•
Financial information, medical information, disability information

•
Credit card and account numbers

It is this PII data that often gets the most attention and protection in laws and regulations, and that IT, businesses, and organizations will take extra steps with (e.g., policies, guidelines, security solutions, etc.) to ensure compliance.

Victims of Non-Compliance

There is a perception that the victims of non-compliance are the employees of the companies themselves. And that is true: Global Crossing's excesses affected 10,000 employees and WorldCom's 12,800. Many people lost their entire 401k savings in addition to their jobs.

However, many more people are affected by corporate perfidy than is generally understood. In HealthSouth's case, not only did the company's employees suffer, it radically affected the financial well-being of its hometown, Birmingham, Alabama. When corporate scandals took their toll on companies based in New York, the state suffered a $1 billion reduction in tax revenues (
www.osc.state.ny.us/press/releases/aug03/082003.htm
). The questionable practices that led to the economic crisis of 2008/2009 was felt across the country and across the globe in soaring statistics related to record unemployment, a huge number of foreclosures, and wiped-out retirement nest eggs.

The situation can easily snowball well beyond a single company or state. Depending on the type and scope of the circumstances, incidents of non-compliance (such as data breaches or lack of financial reporting integrity) can impact a company's employees, customers, suppliers, and partners; in some cases it may have an impact on the financial markets as a whole. Non-compliance can lead to media attention; lack of trust by employees, customers, suppliers, and partners; individual and organizational financial loss; and, in some cases, bankruptcy. Eroding consumer confidence leads to reduced spending, which further impacts other individuals and businesses, and causes the economy to shrink.

8.6 The Rules

The sections that follow aren't meant to be comprehensive, but they do represent some of the more impactful guidelines under which many organizations and IT departments have to operate. This section isn't intended to be a how-to guide for ensuring compliance, but to make the new IT manager aware of the various issues and their importance.

Sarbanes–Oxley

Named for its two sponsors, Senator Paul S. Sarbanes (D-Maryland) and Representative Michael G. Oxley (R-Ohio), and frequently called by a variety of nicknames (Sarbanes, SOX, Sarb-Ox), it's formally called the Public Company Accounting Reform and Investor Protection Act of 2002 and is considered to be the most significant change to U.S. Securities Law since the 1930s.

The primary objective of SOX is to ensure the integrity of financial statements. It's interesting to note that SOX doesn't regulate information technology directly, but because IT systems are usually at the core of how a company manages and reports its finances, it is no surprise that IT is significantly impacted by it.

Although less than 200 words long, Section 404 of Sarbanes–Oxley has the most impact on IT. Of particular note is the requirement for companies to annually (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting and (2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

In addition, Section 404 requires the auditors to “attest to, and report on, the assessment made by the management.”

Those few lines of requirements have had an enormous trickle-down effect throughout companies, with a great deal of it being felt in IT. In fact, SOX has placed such an enormous burden that a study and survey by the Security and Exchange Commission (
www.sec.gov/news/studies/2009/sox-404_study.pdf
) released in 2009 showed that:

•
The SEC's survey shows the long-term burden on small companies is more than seven times that imposed on large firms relative to their assets.

•
Section 404 compliance exceeds $2.3 million each year in direct costs at the average company.

•
Among companies of all sizes, only 19 percent say that the benefits of Section 404 outweigh the costs.

•
More respondents say that it has reduced the efficiency of their operations than say it has improved them.

•
More say that Section 404 has negatively affected the timeliness of their financial reporting than say it has enhanced it.

In the years since its passage, the regulations have received quite a bit of criticism with reference to increased costs but not delivering the intended results. While some notable names have called for its repeal, the rules still stand and should be taken seriously. Misstatement of financials under Sarbanes–Oxley can lead to jail time, fines, or both for executives.

Many other countries have their own legislation that is comparable to Sarbanes–Oxley. These include Ontario Canada's Bill 198, Japan's Financial Instruments and Exchange Law, Germany's Corporate Governance Code, Australia's CLERP9, Financial Security Law of France, L262/2005 of Italy and India's Clause 49.

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA has regulations promoting the privacy and security of medical records. These regulations are related primarily to the health care industry. HIPAA's regulations directly cover three basic groups of individual or corporate entities:

•
Health plans (e.g., public and private insurance carriers, employee medical plans)

•
Health care providers (e.g., doctors, hospitals, or any provider of health or medical services)

•
Health care clearinghouses (e.g., processors of health information, such as billing services)

While HIPAA primarily impacts those in the medical industry, it can indirectly impact organizations outside of the field. For example, nonmedical companies would need to make sure that the process of dealing with and administering employee medical benefits complies with the act.

The Security Rule of HIPAA is designed to assure the confidentiality and integrity of Protected Health Information (PHI). Protected Health Information under HIPAA includes any individually-identifiable health information (IIHI). This refers not only to data explicitly linked to a particular individual, but also includes health information with data items that reasonably could be expected to allow individual identification.

The Privacy Rule of HIPAA is intended to protect the privacy of all IIHI in the custody of covered entities, regardless of whether the information is or has been in electronic form.

Associated with HIPAA is the Health Information Technology for Economic and Clinical Health (HITECH) Act, which promotes the use of information technology in the health industry. Provisions of the HITECH act address the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.

Basel II

Basel II is an updated version of the Basel Accord that was adopted in 1988 in Basel, Switzerland. Basel II, formally known as the International Convergence of Capital Measurement and Capital Standards, was endorsed in 2004 by the central bank governors and the heads of bank supervisory authorities in the Group of Ten (G10). G10 refers to the 10-member countries of the International Monetary Fund (United States, United Kingdom, Germany, France, Belgium, The Netherlands, Italy, Sweden, Canada, and Japan) plus Switzerland.