As stewards of sensitive data, companies have a duty to oversee its usage with diligence and good faith. When a chief information security officer (CISO) fails to uphold that trust, they tarnish both their own reputation and that of the entire enterprise. Every year, more companies recognize identity and access management (IAM) as a central component of digital business. As a result, the CISO's role in fulfilling IAM compliance requirements is becoming both more valuable and more exposed: a misstep can now carry personal as well as corporate consequences.
As a CISO, what Legal Issues Should You be Considering?
In 2022, a federal jury found former Uber CISO Joseph Sullivan guilty of obstruction of an FTC proceeding and misprision of a felony in connection with his attempt to cover up a 2016 hack of Uber. Note what the conviction was for: not the breach itself, but the concealment of it from regulators. This was a warning shot across the bow of every CISO in America. Prosecutors asked for a 15-month prison sentence for Sullivan, but the judge imposed a relatively lenient three years of probation, coupled with 200 hours of community service and a $50,000 fine.
Yes, there can be legal ramifications for improper identity and access management (IAM) policies. IAM policies are designed to ensure that only authorized users have access to sensitive information and systems, so that access is granted strictly on a "need-to-know" basis. Too often, IAM policies are not properly implemented or enforced, creating security gaps that malicious actors can exploit.
What happens when an organization fails to adequately protect sensitive information or systems because of inadequate IAM policies? The organization could be held liable for any resulting damage or losses. For example, if an employee who should never have been granted access to sensitive information steals that information and sells it to a third party, the organization could be held responsible for the theft because it failed to restrict the access in the first place.
In some cases, inadequate IAM policies can also violate laws or regulations. For example, the General Data Protection Regulation (GDPR) in the European Union requires organizations to implement appropriate technical and organizational measures to protect personal data, and failure to do so can result in fines and other penalties.
Overall, it’s important for organizations to implement and enforce strong IAM policies in order to protect sensitive information and systems and to avoid legal liabilities.
What IAM policies offer the best legal protections for CISOs?
IAM policies are designed to protect an organization’s sensitive information and systems by ensuring that only authorized users have access to these assets. The specific IAM policies that offer the best legal protections will depend on the specific legal requirements and risks that organizations face.
In general, IAM policies should be designed to meet the specific needs of an organization. These should be based on a thorough assessment of the organization’s legal obligations and risks. Some key elements of effective IAM policies that can provide legal protections include:
- Access control: Access control policies should specify who is allowed to access specific information or systems, and under what circumstances. This includes defining different access levels or roles and requiring authentication before accessing sensitive assets. It also requires strong deprovisioning processes. Deprovisioning ensures that unneeded user access is removed quickly and efficiently when those users no longer need, or should not have, access to particular applications or entitlements.
- Data protection: Data protection policies should outline how sensitive information is to be handled and protected. This can include specifying encryption requirements, defining how data is to be stored and accessed, and outlining policies for the disposal of sensitive data.
- Incident response: Incident response policies outline the procedures to be followed in the event of a security breach or other incident. This includes defining roles and responsibilities, outlining communication protocols, and specifying the steps that should be taken to contain and mitigate the impact of the incident.
- Training and awareness: Training and awareness policies need to provide employees with the knowledge and skills they need to protect the organization's sensitive information and systems. This includes regular training on security best practices, as well as ongoing communication about current threats and how to avoid them.
Overall, effective IAM policies can provide legal protections by helping organizations to comply with relevant laws and regulations, and by mitigating the risks associated with security breaches and other incidents.
CISOs are responsible for overseeing an organization's information security program, including the implementation and enforcement of IAM policies. If an organization has inadequate IAM policies, the CISO may be held accountable for the resulting security vulnerabilities and any resulting damage or losses. However, the specific legal liabilities of a CISO depend on the laws and regulations that apply to the organization, as well as on the specific circumstances of the case. In some cases, a CISO may be held personally liable for failing to implement appropriate IAM policies, particularly if the CISO was aware of the risks and failed to take appropriate action. The Sullivan case shows that personal liability is no longer theoretical, and that concealing a failure is treated more harshly than the failure itself.
It’s important for CISOs to understand the legal obligations and risks associated with their role. Additionally, they must work with the organization’s legal team to ensure that IAM policies are adequate and in compliance with relevant laws and regulations. This can help to minimize the legal risks for both the organization and the CISO.
What are the IAM Compliance Requirements for the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR), adopted in 2016 and enforced since May 2018, is an EU privacy regulation that protects the identity information and personal data of individuals in the European Union. It impacts any company doing business with customers in Europe, regardless of where the company is established. GDPR mandates that foreign and domestic companies alike ensure customer awareness of, and a lawful basis for, the collection, access and use of personal data.
Organizations are responsible for the security of data during the collection process as well as storage. A robust IAM solution that satisfies the GDPR compliance requirements for data privacy and security must include:
- Access management
- Access governance
- Authorization
- Authentication (including multi-factor authentication)
- Identity management (IDM)
- Identity governance
Data protection is the key to satisfying GDPR compliance requirements. An IAM solution that merely monitors access to a customer's personal data is not enough. Under GDPR, individuals have the right to erasure (the right to "be forgotten") and the right to withdraw consent to the collection and processing of their data.
An effective IAM solution must track all access to personal data collected and update access rights based on both organizational changes and relevant customer preferences.
What are the IAM Compliance Requirements for the Sarbanes-Oxley Act (SOX)?
Created in response to numerous cases of high-profile corporate fraud, the Sarbanes-Oxley Act of 2002 (SOX) applies to all publicly traded organizations in the United States, whatever their industry, along with their auditors. IAM solutions that meet SOX security standards must address both identity management and data security. Sarbanes-Oxley requires tested, documented internal controls (Section 404) to ensure the integrity and security of financial reporting, which in practice means controlling who can create, change and approve the accounting data that feeds those reports. SOX compliance mandates adequate internal controls for both digital and physical assets. This includes:
- Centralized administration of access management and identity governance
- Enforcement of Separation of Duties (SoD) policies.
- Regular auditing to verify user rights and permissions across the infrastructure.
- Automatic logging and tracking tools that generate clear reports for compliance audits.
Companies can reduce the risk of data breaches by providing granular, conditional access controls — and by automating IAM activities such as user provisioning and de-provisioning, predictive SoD analysis, and access logging and usage tracking. The ability to produce on-demand evidence for an audit is key to aligning with SOX requirements.
As a CISO How Do You Comply with the Health Insurance Portability and Accountability Act (HIPAA)?
Enacted in 1996, the Health Insurance Portability and Accountability Act (HIPAA) is a federal law that governs the privacy and security of protected health information (PHI) that health plans, healthcare providers and their business associates collect and store. Its Privacy and Security Rules were designed to raise the bar for healthcare organizations with lax security practices around identifiable health information.
HIPAA requires covered entities to keep patient data confidential and to limit access to PHI to the minimum necessary for the purpose at hand, typically treatment, payment and healthcare operations. Much like GDPR and SOX, HIPAA compliance procedures limit access to PHI based on identity and purpose. HIPAA also shares a close relationship with the HITECH Act of 2009, which strengthens data security and breach notification requirements for electronic health records (EHR).
As healthcare data proliferates, IAM solutions paired with HIPAA compliance policies create a wide umbrella of protection against privacy violations. An effective IAM solution must include:
- Credential protection using single sign-on (SSO).
- Multiple ways to onboard and simplify the integration of healthcare business partners.
- Centralized access governance to curate HIPAA-compliant access management across organizational infrastructure. This includes human and non-human users like the Internet of Things (IoT) devices.
- Automatic access logging, such as tracking access to patient data, and automated reporting to facilitate auditing.
With effectively managed rights and proper account termination, administrative transactions become less complicated. In addition, automated logging helps HIPAA auditors to verify electronic media policy compliance more easily.
What are the IAM Compliance Requirements for the Gramm-Leach-Bliley Act (GLBA)?
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, mandates that financial institutions create and maintain information security programs that protect customer information. GLBA applies explicitly to sensitive data such as Social Security numbers, credit history, and account numbers. GLBA also includes safeguards for consumer financial information and provides privacy for more benign information such as addresses and phone numbers.
Financial institutions reduce risk when they implement organization-wide “least privilege” policies and safeguard identifiable information according to GLBA privacy rules.
All financial services employees, not just the security team, should be aware of the Safeguards Rule and comply with federal privacy policies and consumer protection rules.
An IAM solution can proactively improve GLBA compliance through:
- Role-based management to ensure access through user roles rather than direct user assignment.
- SoD controls to prevent risky access situations.
- Automated provisioning and de-provisioning of users as personnel change roles.
- Entitlement management which permits only enough access for a user to complete their job.
- Multi-factor authentication to protect data in the event of compromised passwords.
Organizations and executives that violate GLBA face significant financial penalties and, for willful violations such as pretexting, potential jail time. This is particularly true for those who ignore or deliberately circumvent security safeguards. The Federal Trade Commission (FTC) enforces GLBA for non-bank financial institutions; banks and credit unions are overseen by their federal financial regulators.
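The SOX and GLBA controls listed above (Separation of Duties enforcement, predictive SoD analysis, automated deprovisioning and on-demand audit evidence) can be reduced to a small set of checks over two inputs: an entitlement export from the access-governance tool and the HR feed that is the authoritative record of who still works for the company. The following Python script is an added example, not code from the article or from Simeio, and every identity, entitlement, date and SoD rule in it is constructed for illustration.

```python
"""Added example: SoD conflict detection, predictive SoD checks and
orphaned-access (deprovisioning) checks over constructed IAM data.
All identities, entitlements, dates and rules are assumptions."""
from datetime import date

# Constructed entitlement export: identity -> set of entitlements held.
ENTITLEMENTS = {
    "alice": {"ap_create_vendor", "ap_approve_payment"},
    "bob":   {"ap_create_vendor"},
    "carol": {"gl_post_journal", "gl_approve_journal"},
    "dave":  {"ap_approve_payment"},
    "eve":   {"gl_post_journal"},
}

# Constructed HR feed: the authoritative source for employment status.
HR_FEED = {
    "alice": {"status": "active", "terminated": None},
    "bob":   {"status": "terminated", "terminated": date(2024, 3, 1)},
    "carol": {"status": "active", "terminated": None},
    "dave":  {"status": "terminated", "terminated": date(2024, 5, 20)},
    # "eve" has no HR record at all: an orphaned or unmanaged account.
}

# Constructed SoD rules: pairs of entitlements one identity may not hold together.
SOD_RULES = [
    ("ap_create_vendor", "ap_approve_payment", "create vendor + approve payment"),
    ("gl_post_journal", "gl_approve_journal", "post journal + approve journal"),
]

# Review date used by the stand-alone run (constructed).
AS_OF = date(2024, 6, 1)


def find_sod_violations(entitlements, rules):
    """Detective control: every identity currently holding both halves of a rule."""
    violations = []
    for user, ents in sorted(entitlements.items()):
        for left, right, label in rules:
            if left in ents and right in ents:
                violations.append({"user": user, "rule": label})
    return violations


def would_violate_sod(entitlements, rules, user, new_entitlement):
    """Preventive (predictive) control: evaluate a proposed grant before it is
    provisioned. Returns the rule label it would break, or None."""
    held = entitlements.get(user, set())
    for left, right, label in rules:
        pair = {left, right}
        if new_entitlement in pair and (pair - {new_entitlement}) <= held:
            return label
    return None


def find_orphaned_access(entitlements, hr_feed, as_of, grace_days=1):
    """Deprovisioning check: identities still holding entitlements although HR
    says they are terminated (beyond a short grace period) or unknown to HR."""
    findings = []
    for user, ents in sorted(entitlements.items()):
        if not ents:
            continue
        record = hr_feed.get(user)
        if record is None:
            findings.append({"user": user, "reason": "no HR record", "days_overdue": None})
        elif record["status"] == "terminated":
            overdue = (as_of - record["terminated"]).days - grace_days
            if overdue > 0:
                findings.append({"user": user, "reason": "terminated", "days_overdue": overdue})
    return findings


def audit_evidence(as_of):
    """The on-demand evidence an auditor asks for: one line per finding."""
    lines = [f"IAM control review as of {as_of.isoformat()}"]
    for v in find_sod_violations(ENTITLEMENTS, SOD_RULES):
        lines.append(f"SOD     {v['user']}: {v['rule']}")
    for o in find_orphaned_access(ENTITLEMENTS, HR_FEED, as_of):
        days = "" if o["days_overdue"] is None else f" ({o['days_overdue']} days overdue)"
        lines.append(f"ORPHAN  {o['user']}: {o['reason']}{days}")
    return lines


if __name__ == "__main__":
    print("\n".join(audit_evidence(AS_OF)))
```

The two SoD functions are the detective and preventive halves of the same control: the first is what a periodic access certification reports, the second is what a provisioning workflow should call before approving a request, so that a conflict is refused rather than discovered at the next audit. The orphan check deliberately treats an identity with no HR record as a finding in its own right, since service and contractor accounts that bypass the joiner-mover-leaver process are exactly the ones deprovisioning never reaches.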
How Do You As the CISO Fulfill the Requirements for the Family Educational Rights and Privacy Act (FERPA)?
The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records at any school or post-secondary institution that receives federal education funding. Rights under FERPA belong to parents until the student turns 18 or enters a post-secondary institution, at which point they transfer to the student.
FERPA specifically protects the rights of students to restrict access to their data, educational records, and even public-facing directory information. Eligible students may also prevent or grant record access to their parents.
Other FERPA compliance requirements an IAM solution should address:
- Federated infrastructure allowing eligible non-university affiliates access to relevant education records.
- Means by which students can delegate education data access to third parties.
- Accurate, complete, and time-stamped logging of users with access to student data.
- Automated reporting with audit-worthy access management evidence.
For effective FERPA compliance, IAM solutions should centrally manage and cross-reference the accounts of eligible students and their parents. They should do the same for school staff and faculty, and ensure that controls limit access to student records.
What are the IAM Compliance Requirements for the California Consumer Privacy Act (CCPA)?
Following in the footsteps of GDPR, the California Consumer Privacy Act (CCPA), enacted in 2018 and effective from 2020, brought significant privacy implications for U.S. businesses that serve California consumers. CCPA is like GDPR in that it gives California residents a level of control over their personal information comparable to what EU residents exercise. CCPA applies to for-profit businesses that collect personal information from California consumers and meet one of several thresholds, the best known being $25 million or more in annual gross revenue.
IAM solutions that assist in the satisfaction of CCPA compliance requirements for privacy and data security include:
- Identity management capabilities that tie individual consumers to their data and privacy requests.
- Access Governance to ensure that a company knows where the data is housed and who can access it.
- Strong authentication (including multi-factor) to protect disclosure to unauthorized users.
- Centralized administration of access management and identity governance.
With CCPA, consumers are in control of their privacy and personal information, with rights to know what data is collected about them, to request its deletion, and to opt out of the sale of their data.
What are the IAM Compliance Requirements for the New York SHIELD Act?
The SHIELD Act is the common name for New York's "Stop Hacks and Improve Electronic Data Security Act," signed in 2019. Like GDPR and CCPA, SHIELD dramatically expands security and privacy requirements on companies storing the private information of New York residents, wherever those companies are located. The goal is to enforce better protection of personal data, prevent breaches, and strengthen consumer breach-notification requirements.
Any organization already in compliance with either HIPAA or GLBA will find similar safeguards in the SHIELD Act. However, SHIELD considers the burden of cybersecurity requirements for small businesses collecting and storing personal information. It adjusts its directives to be appropriate for the size and complexity of the organization.
IAM solutions that address NY SHIELD Act data security standards should include:
- Automated provisioning and de-provisioning of users as personnel change roles and jobs.
- Entitlement management to limit permissions to least privileges.
- Federated identity management to simplify integration and tracking of business partners.
- Multi-factor authentication to increase the difficulty of stealing credentials to illicitly access data.
Are you interested in how managed identity services can positively impact your compliance abilities? Reach out to a Simeio identity expert today and learn how IAM compliance fulfillment can be made easy.
Article contributed by Dr. James Quick.