Chapter 108 · Flashcards

Security Considerations — Flashcards

Twelve cards covering SOX scope and requirements, HIPAA safeguards and breach notification, legal hold triggers and scope, GDPR 72-hour rule, cloud jurisdictional conflict, OT air-gapping, utility availability priority, medical access logging, geographical scope levels, data retention mandates, business associate agreements, and breach notification comparison. Click any card to flip it.

What is SOX, who does it apply to, and what are its key security requirements?

SOX (Sarbanes-Oxley Act of 2002): enacted after Enron/WorldCom scandals. Applies to: publicly traded companies and their auditors (private companies are exempt). Key security requirements: (1) Financial data integrity: IT systems supporting financial reporting must maintain accurate, tamper-evident records. (2) Access controls: only authorized personnel may access financial systems. (3) Audit logging: access and changes to financial systems must be logged. (4) Data retention: financial records retained for 7 years; audit logs preserved. (5) Section 404: management and external auditors must assess internal controls over financial reporting. SOX violations can result in criminal penalties for executives who certify fraudulent reports.

What three states of PHI does HIPAA require security safeguards for, and what is the encryption safe harbor?

HIPAA requires safeguards for PHI (Protected Health Information) in three states: (1) Storage (at rest): ePHI on servers, laptops, backups must be protected. (2) Transmission (in transit): ePHI sent over networks must be encrypted. (3) Disclosure: access controls limit who can view or retrieve PHI. Encryption safe harbor: if PHI is properly encrypted at the time of a breach, the incident may not qualify as a reportable breach because the data is rendered unusable, unreadable, or indecipherable to unauthorized parties. This safe harbor incentivizes encryption as a primary PHI protection control. A stolen laptop with encrypted PHI: likely not a reportable breach. A stolen laptop with unencrypted PHI: reportable breach requiring notification.

What is a legal hold, what triggers it, and what must IT do when one is issued?

Legal hold (litigation hold): a directive from legal counsel requiring preservation of data potentially relevant to anticipated or active litigation. Trigger: litigation is filed, threatened, or reasonably anticipated. Once anticipation begins, destroying relevant data can constitute spoliation (evidence destruction), which may result in sanctions or adverse inference instructions. IT obligations: (1) Suspend automated deletion for covered data (email purges, log rotation, backup expiration). (2) Notify data custodians not to delete covered records. (3) Document what was preserved and when. (4) Maintain the hold until legal counsel releases it. Legal hold overrides all normal retention schedules. The hold is released only at the conclusion of litigation or when the data is no longer relevant.

What are the breach notification timelines for GDPR, HIPAA, and U.S. states?

GDPR (EU): notify supervisory authority within 72 hours of becoming aware of the breach. Notify affected individuals without undue delay if high risk to their rights. Clock starts at awareness, not breach occurrence. HIPAA (US healthcare): notify affected individuals and HHS within 60 days of discovering the breach. For breaches affecting 500+ residents of a state: notify media simultaneously. U.S. state laws: all 50 states have breach notification laws; timelines and covered data categories vary by state. An organization breaching data of residents from multiple states must comply with each affected state's law simultaneously. Key distinction: GDPR = 72 hours (much faster); HIPAA = 60 days (more time to investigate).

Why are OT/SCADA systems air-gapped, and why does this matter for patching?

Air-gapping: physical isolation of OT (Operational Technology) networks from corporate IT networks and the internet. Why air-gap: OT systems control physical equipment (turbines, valves, switches). A cyberattack that compromises them could cause physical damage, safety incidents, or widespread outages. Isolation removes the attack vector from internet-connected systems. Patching challenge: OT systems prioritize availability above all else. Unplanned reboots during patching can have immediate physical consequences. Result: (1) Patches must be tested extensively in isolated test environments. (2) Patch cycles are slower (quarterly or annual vs. monthly for IT). (3) Some OT systems run operating systems that no longer receive patches (end-of-life but operationally critical). (4) Vendor certification may be required before patches can be applied. NERC CIP governs bulk electric system cybersecurity requirements.

What specific security controls does HIPAA require for medical/healthcare environments?

HIPAA Security Rule specifies three categories of safeguards for ePHI: Administrative safeguards: risk analysis, workforce training, access management policies, incident response procedures. Physical safeguards: facility access controls, workstation security, device controls. Technical safeguards: Access controls (unique user IDs, role-based access, automatic logoff). Audit controls: logging of access to ePHI (who accessed what record and when). Integrity controls: protections against improper ePHI alteration or destruction. Transmission security: encryption for ePHI transmitted over networks. Key exam points: access logs are required (HIPAA mandates audit controls), encryption is strongly recommended and provides the breach safe harbor, and business associate agreements (BAAs) must be in place with any vendor who handles ePHI.

What is a Business Associate Agreement (BAA) and when is it required?

Business Associate Agreement (BAA): a legally required contract between a HIPAA covered entity (hospital, health plan, healthcare provider) and any vendor or service provider (business associate) that creates, receives, maintains, or transmits ePHI on behalf of the covered entity. When required: whenever a third party handles ePHI as part of providing services. Examples: cloud storage for medical records, billing services, IT support companies with access to patient systems, data analytics vendors. BAA content: requires the business associate to: (1) implement appropriate safeguards for ePHI. (2) Report breaches to the covered entity. (3) Comply with HIPAA Security Rule requirements. (4) Return or destroy ePHI when the relationship ends. Without a BAA, a covered entity sharing ePHI with a vendor is in violation of HIPAA regardless of the vendor's actual security practices.

What cross-border challenges does cloud computing create for data security and compliance?

Data sovereignty: some countries require certain data categories to remain physically within national borders (government data, citizen personal data). Storing in foreign cloud regions violates this requirement. Cross-border transfer restrictions: GDPR prohibits transfer of EU personal data to countries without adequate protection. Requires legal mechanisms: Standard Contractual Clauses (SCCs), adequacy decisions, or Binding Corporate Rules. Jurisdictional conflict: data stored in multiple countries may be subject to incompatible legal requirements simultaneously. U.S. law enforcement subpoena for EU-stored data conflicts with GDPR data transfer prohibitions. Multi-tenancy risk: shared cloud infrastructure creates isolation challenges. Legal process conflicts: complying with one country's legal process may require violating another country's privacy law. Organizations must understand where their cloud data actually resides to assess applicable legal obligations.

How do local, national, and global geographical scopes affect security requirements?

Local/Regional: city, county, state government systems; local utilities; regional healthcare. Concerns: state breach notification laws; local records retention; availability of essential public services. Local governments prioritize availability (records access for constituents). National: federal systems (FISMA, NIST 800-53, FedRAMP); defense contractors (CMMC, ITAR/EAR for export-controlled technology); national financial institutions (multi-state breach notification obligations). Classified data handling follows NIST standards and security clearance requirements. Global: multinational corporations; global cloud providers. Concerns: GDPR (EU); data localization laws (Russia, China, India have requirements); conflicting legal process; transfer restrictions; varying definitions of personal data. A global breach may simultaneously trigger notification obligations in 50+ jurisdictions, each with different requirements and timelines.

What is spoliation, and how does it relate to legal hold obligations?

Spoliation: the destruction, alteration, or failure to preserve evidence that is relevant to anticipated or pending litigation. Courts treat spoliation seriously. Consequences of spoliation: (1) Sanctions against the offending party. (2) Adverse inference instruction: the jury is told to assume the destroyed evidence would have been unfavorable to the party that destroyed it. (3) Case dismissal or default judgment in severe cases. (4) Criminal liability in some jurisdictions for intentional destruction. Relationship to legal hold: once litigation is reasonably anticipated, any destruction of relevant data — even routine automated deletion following normal policy — can be characterized as spoliation. This is why legal hold directives must be issued and executed promptly, and why normal retention schedules must be immediately suspended. "We did not know it was relevant" is not always an effective defense if litigation was foreseeable.

What security considerations are unique to reporting illegal activity discovered during a security investigation?

When a security investigation reveals evidence of criminal activity (fraud, CSAM, terrorism-related communications), specific obligations arise: (1) Mandatory reporting: certain crimes trigger mandatory reporting to law enforcement (e.g., CSAM under federal law in the US requires immediate reporting to NCMEC and law enforcement). (2) Evidence preservation: discovered evidence must be preserved with chain of custody intact; it must not be altered or deleted before law enforcement is notified. (3) Legal counsel involvement: the security team should not independently decide whether or how to report; legal counsel must be involved in that decision. (4) Confidentiality: the investigation should be kept confidential to avoid alerting the suspect. (5) Avoid further investigation: security teams should generally stop their own investigation and hand off to law enforcement rather than accessing more evidence than necessary, which could compromise the prosecution.

What data retention mandates apply to different regulated industries?

Different industries have different minimum retention requirements: SOX (financial reporting): audit records and financial documents: 7 years for certain records. HIPAA (healthcare): medical records: 6 years from creation or last effective date (state laws may require longer). HIPAA policies and procedures: 6 years. PCI DSS (payment cards): cardholder data: minimize retention; audit logs: 12 months (3 months immediately accessible). GDPR (EU personal data): data minimization principle: retain only as long as necessary for the original purpose. No specific minimum — organizations must justify retention duration. FINRA (financial services): broker-dealer records: 3-6 years depending on record type. NERC CIP (electric utilities): security event logs: 90 days. Retention compliance requires automated policies, legal holds capability, and defensible deletion (proof data was deleted per policy, not arbitrarily).