Enterprise Risk Management Summary
1. Aligning risk appetite and strategy. Management considers the entity's risk appetite in evaluating strategic alternatives, setting related objectives, and developing mechanisms to manage related risks.
2. Enhancing risk response decisions. Enterprise risk management provides the rigor to identify and select among alternative risk responses: risk avoidance, reduction, sharing, and acceptance.
3. Reducing operational surprises and losses. Entities gain enhanced capability to identify potential events and establish responses, reducing surprises and associated costs or losses.
The Family Educational Right to Privacy Act and TEACH Act
The Family Educational Right to Privacy Act (FERPA) prohibits educational agencies and programs, at risk of losing federal funds, from having a policy or practice of “permitting the release of ” specified educational records. FERPA does not state whether or not the prohibition places affirmative requirements on educational institutions to protect against unauthorized access to these records through the use of information security measures. It is certainly possible that a court could conclude in the future that an educational institution which fails to take reasonable information security measures to prevent unauthorized access to protected information is liable under FERPA for “permitting the release” of such information.
The recent case of a Vermont college system employee having such data on a laptop that was later stolen (see Chapter 1 sidebar “The Real Cost of Remediation”) might test this very statute. The 2002 Technology, Education, and Copyright Harmonization Act (the “TEACH Act”) explicitly requires educational institutions to take “technologically feasible” measures to prevent unauthorized sharing of copyrighted information beyond the students specifically requiring the information for their studies, and, thus, may create newly
Federal Information Security and Management Act from Security perspective
The Federal Information Security and Management Act of 2002, as amended, (FISMA) does not directly create liability for private sector IT security professionals or their companies. However, IT security professionals should be aware of this law, because it:
- Legally mandates the process by which information security requirements for federal government departments and agencies must be developed and implemented
- Directs the federal government to look to the private sector for applicable “best practices” and to provide assistance to the private sector (if requested) with regard to information security
- Contributes to the developing “standard of care” for information security by mandating a number of specific procedures and policies
Electronic Communications Privacy Act and Computer Fraud and Abuse Act in Security Project Perspective
These two federal statutes, while not mandating information security procedures, create serious criminal penalties for any persons who gain unauthorized access to electronic records. Unlike laws such as HIPAA and GLBA, these two statutes apply broadly, regardless of the type of electronic records that are involved. The Electronic Communications Privacy Act (ECPA) makes it a federal felony to use or intercept the contents of electronic communications without authorization. In addition, the Computer Fraud and Abuse Act of 1984 (CFAA) makes it a felony to gain unauthorized access to a very wide range of computer systems (including financial institutions, the federal government, and any protected computer system used in interstate commerce).
Who Should Pay for HIPAA?
Perhaps the most complex aspect of the healthcare vertical is the payment systems. Generally, a subscriber to a managed care plan pays some deductible, with an employer of that patient paying the rest to the managed care plan. The doctors who are part of those plans bill the plan directly for services rendered.
There may be intermediary services to which doctors subscribe to determine the eligibility of the patient. Hospitals also may bill patients and/or managed plans and have doctors, who may also be part of those plans, whom they need to pay. As you can see, the payment aspect can be quite complicated. In the end, the question of who pays is perhaps best answered by asking who benefits from these security solutions. Beneficiaries can be examined in two categories: those parties who would benefit from more cost-efficient solutions enabled by security technology, and those parties who are required to adhere to specific compliance regulations.
PCI at a Retail Chain
This case study covers how PCI Requirement 11 was dealt with at a large retail chain in the US Midwest. The Unnamed Retailer, Inc. did not perform any periodic network vulnerability scanning and did not employ the services of a penetration-testing firm. Their IT security staff sometimes used freeware tools to scan a specific system for open ports or, occasionally, for vulnerabilities, but all such efforts were ad hoc and not tied to any program. As the PCI compliance deadline approached, the company had to start quarterly scanning using a PCI-approved scanning vendor.
They chose to deploy a service-based vulnerability scanning offering from a major vendor. The choice of vendor was made after a brief proof-of-concept study. Initially, they went from having no knowledge of their vulnerability posture to having too much information, since they decided to scan all Internet-facing systems. Later, however, they reduced the scope to what they considered to be “in-scope” systems, such as those processing payments (few of those systems are ever visible from the Internet, however) and those connected to such systems.
PCI at an E-commerce Site
This case study is based on a major e-commerce implementation of a commercial scanning service, penetration testing by a security consultancy, and host IPS and file integrity monitoring on critical servers. Upon encountering PCI compliance requirements, Buy.Web, Inc. assessed their current security efforts, which included the use of host IPS on their demilitarized zone (DMZ) servers as well as periodic vulnerability scanning. They realized that, to be truly compliant, they additionally needed to satisfy the penetration testing requirements as well as the file integrity checking requirements. Their IT staff performed extensive research on file integrity monitoring vendors and chose the one with the most advanced centralized management system (to ease the management of all the integrity checking results). They also contracted a small IT security consultancy to perform the penetration testing for them.
The team also used their previously acquired log management solution to aggregate the host IPS and file integrity checking output, creating a single data presentation and reporting interface for their PCI auditors.
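To make the file integrity checking and log aggregation described in the Buy.Web case study concrete, here is an added example (not code from the original page or from any vendor named in it) of the core of a file integrity monitor: it builds a hash baseline of a directory tree, compares a later snapshot against it, and emits each change as a JSON line of the kind a log management system can ingest. The directory contents and file names are constructed for the demonstration.

```python
"""Minimal file integrity monitor: baseline, compare, emit JSON change events."""
import hashlib
import json
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> {sha256, mode, size} for every regular file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": file_digest(full), "mode": st.st_mode & 0o777, "size": st.st_size}
    return baseline


def compare(baseline, current):
    """Return added/removed/modified events, sorted by path, with old and new attributes."""
    events = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            events.append({"event": "removed", "path": rel, "old": baseline[rel]})
        elif rel not in baseline:
            events.append({"event": "added", "path": rel, "new": current[rel]})
        elif baseline[rel] != current[rel]:
            events.append({"event": "modified", "path": rel, "old": baseline[rel], "new": current[rel]})
    return events


def to_log_lines(events):
    """One JSON object per line, keys sorted, ready for a log collector to forward."""
    return [json.dumps(e, sort_keys=True) for e in events]


def demo():
    """Constructed scenario: baseline a tree, then edit a config, add a file, delete a file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "app.conf"), "w") as f:
            f.write("db=prod\n")
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<html></html>\n")
        base = build_baseline(root)  # taken when the server is in a known-good state
        with open(os.path.join(root, "etc", "app.conf"), "w") as f:
            f.write("db=prod\ndebug=1\n")  # unapproved config change
        with open(os.path.join(root, "new.txt"), "w") as f:
            f.write("unexpected\n")
        os.remove(os.path.join(root, "index.html"))
        return compare(base, build_baseline(root))
```

In practice the baseline would be stored off-host and signed, and the emitted lines shipped to the central log management system rather than printed locally.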