Security standards and legislative mandates across industries

Last reviewed: July 25, 2012

Security Standards & Least Privilege

Security Standards and Legislative Mandates

Industries are required by law to follow regulations that protect the privacy of information, perform risk assessments, and set policies for internal control measures. Among these policies are SOX, HIPAA, PCI DSS, and GLBA. Each of these regulations implements internal control of personal information for a different industry. GLBA focuses on the way information is shared, but all of them serve to safeguard sensitive personal information.

The Sarbanes-Oxley Act of 2002 (SOX) created new standards for corporate accountability in reporting responsibilities, accuracy of financial statements, interaction with auditors, and internal controls and procedures (Sarbanes-Oxley Essential Information). When audits are done to verify the validity of the financial statements, auditors must also verify the adequacy of the internal controls and procedures. The Health Insurance Portability and Accountability Act (HIPAA) is designed to protect personal health information held by covered entities and gives patients rights with respect to that information (Understanding Health Information Privacy). The Privacy Rule is balanced, permitting disclosure of personal information needed for patient care and other important purposes. The Gramm-Leach-Bliley Act requires financial institutions to explain how information is shared and requires the safeguarding of sensitive information (Gramm Leach Bliley Act). The Payment Card Industry's Data Security Standard (PCI DSS) protects privacy rights and requires encryption of credit and debit card data used for purchases (Brenner, 2007).

Regardless of the industry, sensitive information about employees and customers, as well as financial data, is required to be safeguarded by at least one regulation. That means information systems must undergo risk assessments on an ongoing basis, and risk management is responsible for internal controls and procedures.

Principles of Least Privilege

The principle of least privilege is the practice of limiting access to the minimal level that will allow normal functioning (principle of least privilege (POLP)). This means that the lowest levels of user rights are given based on what is needed to perform the job. Some operating systems have least privilege built in. Even if they do not, there are models of access control policies that can be implemented.

In the Lattice Model, every resource and every user of a resource is associated with one of an ordered set of classes (Tipton). This model takes no account of threats. The Bell-LaPadula Model prevents users and processes from reading above their security level and prevents processes with a given classification from writing data associated with a lower classification. The Biba Model operates on maintenance of integrity, requiring that data not flow from a receptacle of a given integrity to a receptacle of a higher integrity. The Take-Grant Model is a mathematical framework for studying the results of revoking and granting authorization; it is useful for auditors. The Clark-Wilson Model consists of subject/program/object triples and rules about data, application programs, and triples, or sets that have a fixed relationship.
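As an added illustration that is not part of the original essay, the lattice, Bell-LaPadula and Biba rules described above can be expressed as access checks over labels. A label is a level from an ordered set plus a set of compartments; the level names and compartments used here are constructed for the example.

```python
from dataclasses import dataclass

# Constructed ordering of classes for the example (higher number = more sensitive
# for confidentiality labels, more trusted for integrity labels)
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A lattice label: an ordered level plus a set of compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Partial order of the lattice: level is at least as high AND the
        # compartment set is a superset. Two labels may be incomparable.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if op == "read":
        return subject.dominates(obj)   # simple security property
    if op == "write":
        return obj.dominates(subject)   # *-property: data may only flow upward
    raise ValueError(f"unknown operation: {op}")


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba (integrity): no read down, no write up. Labels are integrity labels."""
    if op == "read":
        return obj.dominates(subject)   # simple integrity property
    if op == "write":
        return subject.dominates(obj)   # integrity *-property: no flow to higher integrity
    raise ValueError(f"unknown operation: {op}")


def check_requests(model, requests):
    """Evaluate (subject, object, op) requests under one model; returns the decisions."""
    return [(s.level, o.level, op, model(s, o, op)) for s, o, op in requests]


if __name__ == "__main__":
    analyst = Label("CONFIDENTIAL", frozenset({"FINANCE"}))
    ledger = Label("CONFIDENTIAL", frozenset({"FINANCE"}))
    payroll = Label("CONFIDENTIAL", frozenset({"HR"}))
    for row in check_requests(blp_allows, [(analyst, ledger, "read"),
                                           (analyst, payroll, "read")]):
        print(row)
```

The compartment check is what makes this a lattice rather than a simple ordering: two CONFIDENTIAL labels with different compartments are incomparable, so neither may read the other's data.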

PaperDue. (2012). Security standards and legislative mandates across industries. PaperDue. https://www.paperdue.com/essay/security-standards-amp-least-privilege-81328