Computer Forensics Role in Compliance
By Robert Shields

There are four laws that clearly indicate the need for digital investigations: Sarbanes Oxley, California SB 1386, Gramm Leach Bliley and HIPAA. These laws/regulations specify investigation and response to security breaches or policy violations. Without utilizing computer forensics to perform these digital investigations, you risk severe penalties and fines in trying to comply with these laws.

These four laws apply broadly to virtually all major commercial organizations. They affect all publicly traded US companies, organizations that store personal financial or medical information and organizations that conduct business with California citizens. This broad criterion affects most US companies and many international businesses as well. This article will examine these four laws and the role of computer forensics in achieving compliance to them.

SARBANES OXLEY
The Sarbanes Oxley Act was enacted to fight corporate fraud. Massive financial fraud at Enron, WorldCom, Global Crossing and Arthur Andersen led to the passing of this legislation in 2002. The SEC is responsible for enforcement of Sarbanes Oxley, and all publicly traded companies must report yearly on the effectiveness of their financial controls. Corporate governance has become a critical operational focus of organizations, to ensure that they have the proper controls and audit processes in place to prevent and detect fraud.

The legislation has serious consequences for non-compliance. This includes civil and criminal penalties. In fact, Section 302 specifies that CEOs and CFOs are directly responsible for the accuracy of their company’s financial reports.

Much of the focus on Sarbanes Oxley has been regarding Section 404. Section 404 requires management to specify their responsibility for financial controls and report on the adequacy and shortcomings of the controls. Many companies offer products and services to help companies achieve Section 404 compliance.

Sarbanes Oxley has other provisions that have not received the same attention from technology and service providers. Section 301 specifies the handling of fraud complaints and investigations; likewise, Sections 806 and 1107 require that companies support and protect whistleblowers.

Section 802 is another important element in Sarbanes Oxley that forbids the intentional destruction, altering or falsification of financial or related operational records.

Many companies recognize the need for computer forensics as part of normal business operations and controls, and in that role it indirectly supports Section 404 compliance. For Section 301, case law has established that computer forensics is required to properly investigate fraud. In addition, computer forensics is widely accepted as the only precise and reliable method for determining whether digital records have been deleted or altered; therefore computer forensics is needed to maintain compliance with Section 802. Computer forensics has proven itself in battling wrongful termination litigation, in HR investigations, in theft of intellectual property and in e-Discovery management; all of these issues bear on the accuracy of financial reporting, thus supporting Section 404.

Compliance with Sections 301 and 802 will require the use of computer forensics, as established by case law and by best practices. Organizations should have computer forensics capability available anywhere and anytime in their organizations to ensure compliance with Sarbanes Oxley.

CALIFORNIA SB 1386
Enacted on July 1, 2003, California SB 1386 requires organizations doing business in California to report security breaches that result in the unauthorized disclosure of a resident's private or financial information. The intent of this legislation was to thwart identity theft and consumer fraud.

Given the size of California and its economy, this law affects most US and international companies. Disclosure is required if an individual's name and either a driver's license number, Social Security number or the combination of a financial account number and password is accessed. Notification is not required if the information disclosed was encrypted.

The law allows for civil actions to be brought against non-complying businesses or they may be enjoined by the court. The key for any business is to conduct a thorough investigation to determine if they “reasonably” believe that information has been compromised or not.

The legislation does not clearly define a ‘reasonable’ investigation of a security breach. However, current incident response processes have been documented by security organizations and government agencies. The National Institute of Standards and Technology (NIST) has provided clear guidance for government and commercial organizations for the investigation of security incidents.

NIST published the “Computer Security Incident Handling Guide”, which specifically outlines incident investigation and the role of computer forensics in properly acquiring and analyzing evidence of the incident. NIST also clearly identifies “unauthorized access” as a type of security breach that their process addresses.

The Information Systems Audit and Control Association (ISACA) is an association of information technology auditors who utilize audit and control standards to improve their organization’s information security, compliance and governance. ISACA has developed a checklist for incident response planning and implementation. These checklists specifically call for computer forensics to determine if data has been compromised, altered or deleted.

In a nutshell, the NIST Guidelines provide practitioners with processes using computer forensics to investigate cyber crime. The ISACA checklist provides the planning and implementation criteria for implementing an enterprise computer forensics infrastructure. With the potential liability of CA SB 1386 non-compliance, organizations must have immediate access to computer forensics capability.

GRAMM-LEACH BLILEY (GLB)
Gramm-Leach Bliley, also known as the Financial Modernization Act of 1999 or simply GLB, has a broad spectrum of qualifications, requirements and regulating parties. Eight agencies and the states are charged with managing and enforcing the regulations.

GLB applies to financial organizations or any organization that collects or transfers private financial information for the purpose of doing business or providing a service to its customers.

The two regulations of GLB are the Financial Privacy Rule and the Safeguards Rule. The Financial Privacy Rule addresses the collection and dissemination of customers’ information, while the Safeguards Rule governs the processes and controls an organization uses to protect customers’ financial information.

The Safeguards Rule is enforced by the Federal Trade Commission. In addition to the public embarrassment of non-compliance, organizations may be fined thousands of dollars a day while they are non-compliant.

GLB calls for financial institutions to:
1. Ensure the security and confidentiality of customer information;
2. Protect against any anticipated threats or hazards to the security or integrity of such information; and
3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

As previously mentioned, computer forensics is an inherent part of investigating and auditing all of the foregoing elements. For response to incidents, GLB guidelines state:

“Response programs that specify actions to be taken when the bank suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies.” Technical guidelines that support GLB call for extensive IDS response utilizing computer forensic investigations.

From the guidelines for security controls and the guidelines for incident response, we can see that GLB compliance requires the utilization of computer forensics both proactively and for incident response, to ensure the privacy of client information and to exhibit due diligence in GLB compliance efforts.

HIPAA
HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996. A primary goal of HIPAA is for healthcare providers to improve the privacy and security of their clients’ medical information. Health care providers, records clearinghouses and health plans must comply with HIPAA. Trading partner organizations that handle medical records electronically would fall under HIPAA rules.

Several HIPAA rules have been finalized, including information security, which encompasses incident response. HIPAA defines a security incident as “… the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.”

HIPAA specifies thorough analysis and reporting of security incidents. The guidelines do not provide specific information on incident response policies, so organizations must consider their incident response policies carefully.

As previously stated, NIST and ISACA specify computer forensic software as part of any reasonable incident response policy, so that the scope of the incident is clearly understood. During an incident response procedure, you will need to determine, with forensic precision, what information has been compromised, when the compromise took place, what systems were affected, and whether any malware or backdoors were left on the system that would allow further compromises. Non-forensic tools will alter vital metadata, making it difficult or impossible to determine when a compromise occurred, and will often miss Trojans and rootkits that cloak themselves within the system.
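The metadata point above is easy to demonstrate. The following is an added example (not from the article or any forensic product it mentions): it records a baseline of the fields an investigator relies on for a file (size, modification and inode-change timestamps, inode number, SHA-256) on a constructed temporary file, then shows that read-only handling leaves every recorded field intact while a normal append, as an ordinary tool would perform, changes the content hash, size and timestamps. Access time is deliberately left out of the baseline because whether a read updates it depends on the mount options, which is exactly why it is the least trustworthy field.

```python
import hashlib
import os
import tempfile
import time


def sha256_of(path: str) -> str:
    """Hash the file in chunks; a read-only operation that never rewrites the file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(path: str) -> dict:
    """Baseline of the metadata an investigator must preserve.
    atime is excluded on purpose: reads may or may not update it (relatime/noatime)."""
    st = os.stat(path)
    return {
        "size": st.st_size,
        "mtime_ns": st.st_mtime_ns,
        "ctime_ns": st.st_ctime_ns,
        "inode": st.st_ino,
        "sha256": sha256_of(path),
    }


def changed_fields(before: dict, after: dict) -> list:
    """Names of baseline fields whose value no longer matches; empty means evidence untouched."""
    return sorted(k for k in before if before[k] != after[k])


def demo() -> tuple:
    """Constructed scenario: one log file handled read-only, then handled by a normal tool."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "access.log")  # constructed sample evidence file
        with open(path, "w") as f:
            f.write("2024-01-01T00:00:00Z login alice ok\n")
        baseline = snapshot(path)
        # Forensic-style handling: hashing only reads the file, recorded fields stay the same.
        sha256_of(path)
        readonly_diff = changed_fields(baseline, snapshot(path))
        # Non-forensic handling: an ordinary tool appends to the file, destroying the baseline.
        time.sleep(0.05)
        with open(path, "a") as f:
            f.write("2024-01-01T00:00:05Z login bob fail\n")
        edited_diff = changed_fields(baseline, snapshot(path))
    return readonly_diff, edited_diff
```

In practice the baseline manifest is written out and hashed itself before analysis begins, so that any later deviation reported by `changed_fields` can be documented as part of the chain of custody.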

In addition to security incidents, computer forensics plays a natural role in supporting overall information security by providing the investigation of any anomalies that could indicate policy or use violations that could jeopardize HIPAA privacy rules.

The foregoing review of the key investigation provisions of Sarbanes Oxley, Gramm Leach Bliley, CA SB 1386 and HIPAA clearly suggests a prominent role for computer forensics in achieving information security compliance. Implementing an enterprise-wide capability for compliance support requires the consideration of several issues, to ensure that the organization is utilizing best practices and effort in achieving compliance; a critical criterion for overall organizational risk and liability.

© IMPIRE Communications, LLC. All Rights Reserved.