
Week 6
1. Discuss the Sarbanes-OxleyAct and how it impacts you.
2. Discuss FISMA and how it impacts you and/or your work.

ISOL 633
Legal, Regulations, Investigations, and Compliance
UNIVERSITY OF THE CUMBERLANDS
School of Computer and Information Sciences


Housekeeping
Lecture Roadmap:
Chapter Eight: Federal Government Information Security and Privacy Regulations

Homework Assignments
Discussion Post

Chapter Eight: Federal Government Information Security and Privacy Regulations

What are information security challenges facing the federal government?

FISMA

Federal privacy laws

ADA Section 508

Chapter Eight: Federal Government Information Security and Privacy Regulations

Information Security Challenges
The federal government is the largest producer and user of information in the U.S.
Data in government computer systems:
Critical for government operations
Employment, tax, citizenship
Businesses
Threat Protection
Federal IT systems and the data in them are attractive targets for criminals

Chapter Eight: Federal Government Information Security and Privacy Regulations

FISMA
Many functions and objectives
Categorize data and systems
Compliance with security requirements
Identifies, assesses, monitors security controls
Authorization schema
Key FISMA Requirements
Agency Information Security Programs
NIST Created Standards and Guidelines
FedCIRC became US-CERT
NSSs Take Risk-based Approach
FISMA Implementation Project

**not actually certified**

Chapter Eight: Federal Government Information Security and Privacy Regulations

FISMA requires each federal agency to create an agency-wide information security program which must include:
Risk assessments
Annual inventory
Policies and procedures
Subordinate plans
Security awareness training
Testing and evaluation
Remedial actions
Incident Response
Continuity of operations

Chapter Eight: Federal Government Information Security and Privacy Regulations

Privacy Requirements
Create information security programs
Review information security risks
Implement controls to mitigate risks
Limit use of PII
Review IT systems for privacy impacts
Notify public about data collection practices
Examples of PII:
Full Name
National ID #
IP address
Vehicle Registration #
DL #
Face, Fingerprints, Bio Data
Credit Card #
Digital ID
Date of Birth
Country of birth
Genetic data

Chapter Eight Summary
This chapter reviews the laws that protect the security and privacy of data that the federal government uses. FISMA is the main law protecting the security of federal government IT systems. It requires federal agencies to create information security programs. Agencies also must review their information security risks. The law requires them to implement controls to mitigate those risks.

The Privacy Act of 1974 and the E-Government Act of 2002 are the main laws protecting data privacy at the federal level. These laws govern how federal agencies use personally identifiable data. Under the E-Government Act, federal agencies must review their IT systems for any privacy impacts. Both laws require federal agencies to notify the public about their data collection practices.

The rule was published in January 2017 by the U.S. Access Board and concerns Section 508 of the ADA.
Its amendments include requirements for what is called information and communications technology (ICT).
These are civil rights laws.
Section 508 is important because it is a new rule that applies to ICT.

Section 508 of the ADA

Read Chapter 9

Discussion Post

Homework Assignments
ISOL 633

Housekeeping
Lecture Roadmap:
Chapter Seven: Corporate Information Security and Privacy Regulation
Discussion Post

The Enron Scandal
Why Is Accurate Financial Reporting Important?
What is the Sarbanes-Oxley Act (SOX)?
Critical Aspects of SOX
Critical Sections of SOX
Where SOX applies
Public Company Accounting Oversight Board (PCAOB)
Compliance and Security Controls
Privacy
Principle Concepts
Workplace Privacy
Chapter Seven: Corporate Information Security and Privacy Regulation

Chapter Seven: Corporate Information Security and Privacy Regulation
The Enron Scandal
1990s and early 2000s: Growth, Public Company, and Complex Financial Transactions
Officers owned many affiliated companies where losses were hidden
High operating costs, debts
GAAP Nonconformance
Enron filed for then-largest U.S. bankruptcy
Retirement funds dropped $1.3 billion
Demise of accounting firm Arthur Andersen
U.S. prosecuted many of Enron's executives

Investor Confidence: Enron was not alone
Securities and Exchange Commission Fraud Detection
Three Disclosure Statements (http://edgar.sec.gov/edgar/searchedgar/companysearch.html):
Form 10-K
Form 10-Q
Form 8-K
Chapter Seven: Corporate Information Security and Privacy Regulation
Why Is Accurate Financial Reporting Important?

Chapter Seven: Corporate Information Security and Privacy Regulation
What is the Sarbanes-Oxley Act (SOX)?
Critical Aspects
Protect Investors
New Corporate Accountability
Civil & Criminal Penalties
Officers <> Board <> Auditors
Reporting Requirements
Internal Control Report
Auditors Attestation
Critical Sections
Section 201: Services outside the scope of auditor practice
Section 302: Corporate responsibility for financial reports
Section 404: Assessment of internal controls
Section 409: Real-time issuer disclosures
Section 802: Criminal penalties for altering documents
Section 806: Protection of employees exposing fraud
Section 807: Criminal penalties for defrauding shareholders
Section 906: Imposes criminal liability for fraudulent financial certifications.

Chapter Seven: Corporate Information Security and Privacy Regulation
Public Company Accounting Oversight Board (PCAOB)
Registers Acct. Firms
Establishing Standards
Inspects Acct. Firms
Investigations & Discipline
Enforce SOX Compliance

Chapter Seven: Corporate Information Security and Privacy Regulation
Compliance and Security Controls
Assessing ICFR
COBIT
GAIT
ISO/IEC Standards
NIST Computer Security Guidance

ICFR Assurances
Accurate maintenance of reports, records, data
GAAP
Prevent & detect unauthorized data

Chapter Seven: Corporate Information Security and Privacy Regulation
Workplace Privacy
Principle Concepts
Privacy of Employee Data

Privacy of Customer Data

Privacy of Corporate Data

Congress created the Sarbanes-Oxley Act in response to scandal. It passed SOX to help improve investor confidence in publicly traded companies. SOX places rules on public companies and other organizations. These rules promote trustworthy financial reports. The scope of SOX extends to any public company functions or processes that impact financial reporting. The scope of SOX within a company is very broad. SOX requires that companies review many information technology processes to make sure that they're trustworthy.

The scope of SOX is broad. Its influence extends even to organizations that aren't required to follow it. For example, private companies and nonprofit organizations may choose to follow SOX to show their commitment to good governance.
Chapter Seven Summary

Discussion Post

Read Chapter 8

Homework Assignments

About the U.S. Access Board's Update of the Section 508 Standards and

Section 255 Guidelines for Information and Communication Technology

On January 18, 2017, the U.S. Access Board published a final rule updating
accessibility requirements for information and communication technology (ICT)
covered by Section 508 of the Rehabilitation Act and Section 255 of the
Communications Act. This document provides an overview of the rule and
highlights substantive changes to the ICT requirements. The preamble to the
final rule discusses the requirements in greater detail.

Updated Section 508 Standards for Federal ICT

The Access Board's final rule revises and refreshes its standards for
information and communication technology in the federal sector covered
by Section 508 of the Rehabilitation Act of 1973. The Board's Section 508
Standards, which were first issued in 2000, apply to ICT developed,
procured, maintained, or used by federal agencies. Examples include
computers, telecommunications equipment, multifunction office
machines such as copiers that also function as printers, software,
websites, information kiosks and transaction machines, and electronic
documents.

Updated Section 255 Guidelines for Telecommunications Equipment

The Board's final rule also updates guidelines for telecommunications equipment covered by
Section 255 of the Communications Act of 1934, as amended. The Section 255 Guidelines,
which the Board initially published in 1998, cover telecommunications equipment and
customer premises equipment, including telephones, cell phones, routers, set-top boxes, and
computers with modems, interconnected Voice over Internet Protocol products, as well as
software integral to the operation of telecommunications function of such equipment.

Goals of the Refresh

The Board updated the 508 Standards and 255 Guidelines jointly to ensure consistency in
accessibility across the spectrum of information and communication technologies (ICT) covered.
Other goals of this refresh include:

enhancing accessibility to ICT for people with disabilities;

making the requirements easier to understand and follow;

updating the requirements so that they stay abreast of the ever-changing nature of the
technologies covered; and

harmonizing the requirements with other standards in the U.S. and abroad.


How the Final Rule was Developed

The Access Board initiated this update by organizing
an advisory committee to review the original 508
Standards and 255 Guidelines and to recommend
changes. The 41 members of the Telecommunications
and Electronic and Information Technology Advisory
Committee (TEITAC) comprised a broad cross-section
of stakeholders representing industry, disability
groups, and government agencies. Its membership
also included representatives from the European
Commission, Canada, Australia, and Japan. The committee addressed a range of issues,
including new or convergent technologies, market forces, and international harmonization and
submitted its report to the Board in April 2008. Recognizing the importance of standardization
across markets worldwide, the committee coordinated its work with standard-setting bodies in
the U.S. and abroad, including the World Wide Web Consortium (W3C) and the European
Commission.

The Board released drafts of the rule based on the committee's report in 2010 and 2011 and
followed up with an official notice of proposed rulemaking in February 2015. With each
release, the Board held public hearings and solicited public comment. Over the course of this
rulemaking, the Board held seven public hearings and received over 630 comments.

Major Changes

The final rule revises both the structure and substance of the ICT requirements to further
accessibility, facilitate compliance, and make the document easier to use. Major changes
include:

restructuring provisions by functionality instead of product type due to the increasingly
multi-functional capabilities of ICT;

incorporating the Web Content Accessibility Guidelines (WCAG) 2.0 by reference and
applying Level A and Level AA Success Criteria and Conformance Requirements to
websites, as well as to non-web electronic documents and software;

specifying the types of non-public facing electronic content that must comply;

requiring that operating systems provide certain accessibility features;

clarifying that software and operating systems must interoperate with assistive
technology (such as screen magnification software and refreshable braille displays);

addressing access for people with cognitive, language, and learning disabilities; and

harmonizing the requirements with international standards.


Incorporation of the Web Content Accessibility Guidelines (WCAG)

The final rule incorporates by reference a number of voluntary
consensus standards, including WCAG 2.0. Issued by the W3C's Web
Accessibility Initiative, WCAG 2.0 is a globally recognized, technology-
neutral standard for web content. The final rule applies WCAG 2.0 not
only to web-based content, but to all electronic content. The benefits of
incorporating the WCAG 2.0 into the Section 508 Standards and the 255 Guidelines and
applying it in this manner are significant. WCAG 2.0 addresses new technologies and recognizes
that the characteristics of products, such as native browser behavior and plug-ins and applets,
have converged over time. A substantial amount of WCAG 2.0 support material is available,
and WCAG 2.0-compliant accessibility features are already built into many products. Further,
use of WCAG 2.0 promotes international harmonization as it is referenced by, or the basis for,
standards issued by the European Commission, Canada, Australia, New Zealand, Japan,
Germany, and France.

Harmonization with European Commission ICT Standards

Harmonization with international standards and guidelines promotes
greater accessibility worldwide, enhances uniformity, and heightens
market incentives for integrating accessibility into information and
communication technology. Throughout the rulemaking process, the
Board coordinated its refresh with the European Commission's
development of counterpart ICT accessibility standards. In 2014, the European Commission
adopted the Accessibility requirements for public procurement of ICT products and services in
Europe (EN 301 549) which is available for use by European government officials as technical
specifications or award criteria in public procurements of ICT products and services. The Board
has worked to ensure broad harmonization between its ICT requirements and the European
Commission's standards (as revised in 2015).

Structure of the Rule

The final rule provides parallel chapters that separately address general application and scoping
of the Section 508 Standards and the Section 255 Guidelines (Chapters 1 and 2). The remaining
chapters apply to both 508-covered and 255-covered ICT: functional performance criteria (Chapter 3),
technical requirements for hardware and software (Chapters 4 and 5), criteria for support
documentation and services (Chapter 6), and referenced standards (Chapter 7).

Coverage of Electronic Content (508 Standards)

Like the original 508 Standards, the updated 508 Standards apply to a federal
agency's full range of public-facing content, including websites, documents and
media, blog posts, and social media sites. The final rule also specifically lists the
types of non-public-facing content that must comply. This includes electronic
content used by a federal agency for official business to communicate:


emergency notifications, initial or final decisions adjudicating administrative claims or
proceedings, internal or external program or policy announcements, notices of benefits,
program eligibility, employment opportunities or personnel actions, formal acknowledgements
or receipts, questionnaires or surveys, templates or forms, educational or training materials,
and web-based intranets.

Safe Harbor for Legacy ICT

Existing ICT, including content, that meets the original 508 Standards does not have to be
upgraded to meet the refreshed standards unless it is altered. This safe harbor clause
(E202.2) applies to any component or portion of ICT that complies with the existing 508
Standards and is not altered. Any component or portion of existing, compliant ICT that is
altered after the compliance date (January 18, 2018) must conform to the updated 508
Standards.

Functional Performance Criteria (Chapter 3)

The functional performance criteria are outcome-based provisions that address accessibility
relevant to disabilities impacting vision, hearing, color perception, speech, cognition, manual
dexterity, reach, and strength. These criteria apply only where a technical requirement is silent
regarding one or more functions or when evaluation of an alternative design or technology is
needed under equivalent facilitation. If a technical provision covers a particular function of
hardware or software, meeting the relevant functional performance criterion is not required.

The functional performance criteria require that technologies with:

visual modes also be usable with limited vision and without vision
or color perception;

audible modes also be usable with limited hearing and without
hearing;

speech-based modes for input, control, or operation also be usable
without speech;

manual operation modes also be usable with limited reach and
strength and without fine motor control or simultaneous manual
operations; and

have features making its use simpler and easier for people with
limited cognitive, language, and learning abilities.


Technical Requirements for Hardware and Software (Chapters 4 and 5)

Requirements in Chapter 4 apply to hardware that transmits information or has a user
interface. Examples include computers, information kiosks, and multi-function copy
machines. These provisions address closed functionality, biometrics, privacy, operable
parts, data connections, display screens, status indicators, color coding, audible
signals, two-way voice communication, closed captioning, and audio description.

Software requirements in Chapter 5 apply to computerized code that directs
the use and operation of ICT and instructs ICT to perform a given task or
function, including applications and mobile apps, operating systems, and
processes that transform or operate on information and data. These provisions
cover the interoperability with assistive technology, applications, and authoring
tools.

Support Documentation and Services (Chapter 6)

Access to support documentation and services for the use of ICT is also
addressed. Product documentation must cover how to use the access and
compatibility features required for hardware and software. Electronic
documentation must comply with the requirements for electronic content.
Alternate formats must be made available upon request for documentation provided in a non-
electronic format. Support services, including help desks, call centers, training services, and
automated technical support must accommodate the communication needs of customers with
disabilities and include information on access and compatibility features.

Referenced Standards (Chapter 7)

In addition to WCAG 2.0, the final rule also references other voluntary consensus standards to
address:

ergonomics for the design of accessible software
(ANSI/HFES 200.2, Human Factors Engineering of Software User Interfaces Part 2:
Accessibility)

interference to hearing aids by wireless telephones
(ANSI/IEEE C63.19-2011, American National Standard for Methods of Measurement of
Compatibility between Wireless Communications Devices and Hearing Aids)

handset generated audio band magnetic noise of wire line telephones
(TIA-1083-B, Telecommunications - Communications Products - Handset Magnetic
Measurement Procedures and Performance Requirements)

speech quality in digital transmissions
(ITU-T Recommendation G.722.2, Series G. Transmission Systems and Media, Digital
Systems and Networks or IETF RFC 6716, Definition of the Opus Codec)

audio description by digital television tuners
(A/53 Digital Television Standard, Part 5: AC-3 Audio System Characteristics)


accessible PDF files
(ANSI/AIIM/ISO 14289-1-2016, Document Management Applications - Electronic
Document File Format Enhancement for Accessibility - Part 1: Use of ISO 32000-1
(PDF/UA-1))

keypad arrangement
(ITU-T Recommendation E.161, Series E. Overall Network Operation, Telephone
Service, Service Operation and Human Factors)

Effective Date and Next Steps

Federal agencies and contractors covered by Section 508 are not
required to comply with the updated 508 Standards immediately.
The Rehabilitation Act gives the Federal Acquisition Regulatory
Council (FAR Council) and federal agencies up to six months to
incorporate the updated 508 Standards into their respective
acquisition regulations and procurement policies and directives. It will be up to the FAR Council
to establish the date by which new and existing procurements for 508-covered ICT must meet
the updated 508 Standards. For all other non-procured ICT, federal agencies and contractors
must comply with the updated 508 Standards beginning on January 18, 2018 (i.e., one year
after publication of the final rule in the Federal Register). During the interim period before the
updated 508 Standards take effect, the original 508 Standards continue to serve as the
accessibility standard for all 508-covered ICT.

With respect to the updated Section 255 Guidelines, compliance is not
required until the guidelines are adopted by the Federal Communications
Commission (FCC), which is the federal agency tasked with implementation
and enforcement of Section 255. The FCC's existing regulations under
Section 255 specify accessibility requirements that largely track the Board's original Section 255
Guidelines. When the FCC initiates a rulemaking to revise its existing regulations, it has the
discretion to adopt the Board's 255 Guidelines in whole or in part. Any FCC rulemaking, when
completed, will specify the effective date for its updated accessibility requirements under
Section 255.

Further Information

For further information on this rulemaking, visit the Board's website at www.access-board.gov,
send a message to [emailprotected], or contact Bruce Bailey at (202) 272-0024 (v), (202)
272-0070 (TTY) or Timothy Creagan at (202) 272-0016 (v), (202) 272-0074 (TTY).

UNITED STATES ACCESS BOARD
Advancing Full Access and Inclusion for All
1331 F Street, NW Suite 1000 Washington, DC 20004-1111

(202) 272-0080 (v) (202) 272-0082 (TTY) www.access-board.gov
January 2017
