Information Systems 365
       Lecture 10
  Industry Regulations
Today’s Chocolate Bar: 3 Musketeers
   When introduced in 1932, 3 Musketeers had three pieces of candy in one package, flavored vanilla, chocolate and strawberry, hence the name. In 1945, the product was changed to a single bar with the aforementioned chocolate filling.
Some Of This Stuff Is Tedious
So, after each section we will have
 “take away slides”, PAY ATTENTION
 TO THOSE!
Industry Regulations
      Why Bother Learning Them?
   Ability to impress interviewers
   It all relies on TECHNOLOGY
   Learn:
   Policies
   Procedures
   Legislation
   Guidance
Today
   Regulation, legislation and guidance
    definitions. Provide a common
    understanding of the different types of
    requirements.
   Commercial Guidance:
   Industry must be concerned with
    compliance, legislation and guidance.
   Federal, State, International and Industry
    Regulations
Information Security Related Laws
   Federal Information Security Management Act of
    2002 (“FISMA”)
   Gramm-Leach-Bliley Act (“GLBA”)
   Health Insurance Portability and Accountability
    Act of 1996 (“HIPAA”)
   Sarbanes-Oxley Act
   USA PATRIOT Act
   Counterfeit Access Devices and Computer Fraud
    and Abuse Act of 1984 (“CFAA”)
   Electronic Communications Privacy Act (“ECPA”)
Take Away
   There are 5 or 6 major information
    security laws
   They all pretty much say the same things
    with about 20% special differences related
    to the specific industries they cover
   The 80% 20% rule
What’s the difference between
Federal laws and regulations?
   Laws generally specify what is required,
    but not how it should be done.
   Laws are frequently vague and can be
    ambiguous.
What Are Regulations?
   Regulations stipulate requirements to be
    compliant with laws
   Regulations may contain specific steps or
    procedures for compliance
   Frequently composed with help from
    industry experts
Take Away
   Laws are general
   Regulations are more specific
Federal Activities Related to
          Information Security
   Major Federal responsibility is securing Federally
    owned/operated systems.
   Federal government does not generally regulate
    security of non-government systems.
   HOWEVER, Federal government does require
    that certain types of information be protected.
   Federal government working with industry
    regarding security of critical infrastructure.
Federal Laws We’re Going
            to Cover Today
   Federal Information Security Management
    Act
   Gramm-Leach-Bliley Act (GLBA)
   Health Insurance Portability and
    Accountability Act (HIPAA)
   Sarbanes-Oxley Act (SOX)
Federal Information Security
             Management Act
   Builds on requirements of:
       Computer Security Act of 1987
       Paperwork Reduction Act of 1995
       Information Technology Management Reform
        Act of 1996
   Provides basic statutory framework for
    securing Federally owned/operated
    computer systems.
FISMA
   Requires each agency to
       Inventory computer systems,
       Identify and provide appropriate security
        protections, and
       Develop, document and implement agency-
        wide information security program
   Authorizes National Institute of Standards
    & Technology (NIST) to develop security
    standards and guidelines for systems used
    by federal government.
Take Away
   FISMA covers Federal Government
    systems
   Encrypted information
   Defense information
   National Security information
       Inventory computer systems,
       Identify and provide appropriate security
        protections, and
       Develop, document and implement agency-
        wide information security program
Gramm-Leach-Bliley Act
   Requires “financial institutions” to protect
    security and confidentiality of customers’
    non-public financial information.
   Authorizes various agencies to coordinate
    development of regulations: Comptroller
    of the Currency, SEC, FDIC, FTC, etc.
   FTC announced final rule implementing
    GLBA in May 2002.
GLBA (cont)
FTC GLBA regulations:
     Published at 16 CFR 314
     Require “financial institutions” to develop,
      implement and maintain comprehensive
      information security program with appropriate
      administrative, technical and physical
      safeguards, including:
         Designating employee to coordinate program
         Performing risk assessments
         Performing regular testing and monitoring
         Process for making changes in light of test results
          or changes in circumstances.
So what is a “financial
       institution” under GLBA?
   Under GLBA rule, “financial
    institutions” generally includes
    anyone who extends credit to consumers,
    but also includes debt collection
    agencies, mortgage lenders, real estate
    settlement services, and entities that
    process consumers' non-public personal
    financial information.
GLBA Continued
   FTC's GLBA rule also regulates non-affiliated third
    parties (parties that are not financial institutions)
    by limiting the transfer of non-public personal
    information they receive from financial
    institutions.
   What’s tricky about GLBA?
       Broad definition of “financial institution” could
        potentially include array of companies that may not
        consider themselves as such (e.g., department
        store that offers lay-away services or
        manufacturers that offer equipment financing).
       Multiple agencies with authority to issue
        regulations. Could conflict.
What do you need to do under GLBA?
If GLBA applies to your company:
   Create, implement and maintain an information security program.
   The information security program should have the regular involvement of the Board of Directors (this may be beyond your scope).
   Regularly assess risks.
GLBA, What You Need To Do
   Create, document, implement and maintain policies and procedures to manage and control risk, including training, testing and managing/monitoring third party service providers.
   Adjust information security program as necessary based on testing or other changes.
Take Away
Requires “financial institutions” to protect
 security and confidentiality of customers’
 non-public financial information.
Health Insurance Portability and Accountability Act
   Authorizes Secretary of Health and Human Services to adopt standards that require “health plans”, “health care providers” and “health care clearinghouses” to take reasonable and appropriate administrative, technical and physical safeguards to:
      Ensure integrity and confidentiality of individually identifiable health information held or transferred by them;
      Protect against any reasonably anticipated threats, unauthorized use or disclosure; and
HIPAA Continued
 HIPAA security regulations are much
  more substantive than GLBA security
  regulations.
 GLBA is vague, HIPAA is more specific!
HIPAA Scope & Key Definitions
Requires health care entities to
 implement new privacy policies,
 comply with technical security
 requirements, provide notice/secure
 authorizations for a range of uses and
 disclosures of health information, and
 enter into written agreements with
 business partners regarding the
 ability to share such information
Definitions You Will Forget
   HIPAA Key Definitions
     Protected health information (“PHI”) includes
      all individually identifiable health information
      (“IIHI”) in the hands of “covered entities.”
     “Covered Entity” includes the following types :
       1) health care plans; 2) health care
      clearinghouses; and 3) health care providers
      who electronically transmit health information
      in connection with certain specified
      transactions.
     “Business Associates” are any people or entities that perform certain activities or functions on behalf of a Covered Entity that involve the use or disclosure of protected health information (e.g., claims processing, benefit management, etc.).
HIPAA Security Rule - General
   Requires CEs to implement unified security
    approach based on “defense in depth.”
   Is technology neutral. CEs select appropriate
    technology to protect information.
   Requires CEs to protect information from both
    internal and external threats.
   Requires CEs to conduct regular, thorough and
    accurate risk assessments. See
    http://www.hipaadvisory.com/alert/vol4/number
    2.htm#four for a detailed discussion of how to
    conduct a risk analysis.
HIPAA Security Regulations
   HIPAA security requirements fall into three categories:
       Administrative Safeguards
       Physical Safeguards
       Technical Safeguards
   Each category includes:
       “standards”: WHAT the organization must do; and
       “implementation specifications”: HOW it must be done. Each specification is either “required” or “addressable”. Addressable does not mean optional: the CE must implement it, or document why it is not reasonable and appropriate for its environment and implement an equivalent alternative measure where one is.
HIPAA Administrative
               Safeguards
   Administrative safeguards require
    documented policies and procedures for
    managing:
       Day-to-day operations;
       Conduct and access of workforce members to
        protected information;
       Selection, development and use of security
        controls.
HIPAA Physical Safeguards
   Physical safeguards are intended to
    protect information systems and protected
    information from unauthorized physical
    access.
   CE must limit physical access while still
    permitting authorized physical access.
HIPAA Technical Safeguards
   Technical Safeguards are requirements for
    using technology to control access to
    protected information
   Access Controls
   Audit Controls
   Information Integrity Controls
   Person or entity authentication
   Transmission security
HIPAA Documentation
             Requirements
   CE must maintain documentation (e.g.,
    policies and procedures) required by
    HIPAA Security Rule until LATER OF
       6 years from date of creation; OR
       6 years from date policy/procedure was last in
        effect.
   CE must regularly review and update
    documentation.
Take Away
   HIPAA covers healthcare related
    institutions, both public and private
   Technical Controls
   Physical Controls
   Administrative Controls
Sarbanes-Oxley
   After Enron, Adelphia Communications,
    MCI/Worldcom (among others) showed
    there were flaws in current financial
    reporting requirements, Congress passed
    SOX.
   Purpose of SOX is “To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes.”
   Two sections of SOX have impact on
    information security: Section 302 and
    Section 404.
Sarbanes-Oxley
          Sections 302 and 404
   Section 302 states that CEO and CFO must
    personally certify that financial reports are
    accurate and complete. Must also assess and
    report on effectiveness of internal controls
    around financial reporting.
   Section 404 states that corporation must assess
    effectiveness of internal controls and report
    assessment to SEC. Assessment must also be
    reviewed by outside auditing firm.
Godzilla Size Take Away
No assessment of internal controls
 is complete without an
 understanding of information
 security. Insecure systems cannot
 be considered a source of reliable
 financial information.
What do you have to do to
          comply with SOX?
   Comply with requirements of ITGI
    Framework Topics:
       Security Policy
       Security Standards
       Access and Authentication
       User Account Management
       Network Security
       Monitoring
       Segregation of Duties
       Physical Security
SOX Audit
   Auditors will look for:
       Whether policies exist for appropriate information security topics
       Whether policies have been approved at appropriate management levels
       Whether policies are communicated effectively to personnel
Take Away
   A core goal of SOX is to protect investors
    by providing assurance that financial data
    is truthful and has maintained its integrity
   Without technical controls, you have no
    way to verify financial data truthfulness
    and integrity
   Hardly begins to explain why we just gave
    700 billion to the banks!
California has been leading the
               way
Requires notification to California-resident
 data owners if a security breach discloses
 (or might have disclosed) certain
 information that could lead to identity
 theft.
Covered Information
   Name (full name or first initial and last name), in combination with one or more of:
   Social security number
   Driver’s license number
   California Identification Card number
   Account number or credit or debit card number along with any required security code, access code, or
SB 1386 (cont)
   Companies are not required to notify
    customers if the information was stored in
    encrypted form.
       Some speculation that even something as
        simple as ROT13 would satisfy this
        requirement, but don’t bank on it.
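To make the notification trigger concrete, here is an added example (not code from the lecture) of a breach-triage check that encodes the slide’s rule: a California resident’s name exposed together with one of the listed identifiers, unless that element was stored in encrypted form. The record layout, the regexes for the identifier formats, the allowlist of ciphers accepted as “encrypted form” and the sample records are all assumptions constructed for the demo; the slide’s covered-information list is cut off after “access code, or”, so the account-number element is modelled here as the number plus the code that unlocks it.

```python
"""Breach-notification triage for the SB 1386 data elements shown on the slide.

Added example for this lecture page, not the lecturer's code. The element set
follows the slide (name plus SSN, driver's license number, California ID card
number, or account/card number together with its required code). The record
layout, identifier regexes, cipher allowlist and sample records are constructed
assumptions for the demo.
"""
import re
from dataclasses import dataclass, field

# Ciphers this policy accepts as "encrypted form" (assumption for the example).
# ROT13 is deliberately absent: it has no key, so anyone holding the data can
# reverse it, which is why the slide says not to bank on it.
REAL_ENCRYPTION = {"aes-256-gcm", "aes-128-gcm", "chacha20-poly1305"}

SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")
CA_DL_RE = re.compile(r"^[A-Z]\d{7}$")  # assumed CA DL/ID card format: letter + 7 digits


@dataclass
class ExposedRecord:
    state: str                      # residency; SB 1386 covers California residents
    fields: dict                    # field name -> value as found in the breached store
    encrypted_with: dict = field(default_factory=dict)  # field name -> cipher label


def _cleartext(rec, name):
    """Return the field's value unless it was stored under an accepted cipher."""
    if name not in rec.fields:
        return None
    if rec.encrypted_with.get(name) in REAL_ENCRYPTION:
        return None
    return rec.fields[name]


def triggering_elements(rec):
    """Covered identifiers exposed in cleartext alongside a cleartext name."""
    if _cleartext(rec, "name") is None:
        return []            # the statute pairs a name with an identifier
    hits = []
    ssn = _cleartext(rec, "ssn")
    if ssn and SSN_RE.match(ssn):
        hits.append("ssn")
    dl = _cleartext(rec, "drivers_license")
    if dl and CA_DL_RE.match(dl):
        hits.append("drivers_license")
    ca_id = _cleartext(rec, "ca_id_card")
    if ca_id and CA_DL_RE.match(ca_id):
        hits.append("ca_id_card")
    # An account or card number counts only together with the code that unlocks it.
    if _cleartext(rec, "account_number") and _cleartext(rec, "access_code"):
        hits.append("account_number+access_code")
    return hits


def notification_required(rec):
    """Notice is owed only to California residents with at least one trigger."""
    return rec.state == "CA" and bool(triggering_elements(rec))


# Constructed sample records with fictional values.
SAMPLE = [
    ExposedRecord("CA", {"name": "A. Resident", "ssn": "123-45-6789"}),
    ExposedRecord("CA", {"name": "B. Resident", "ssn": "123-45-6789"},
                  encrypted_with={"ssn": "aes-256-gcm"}),
    # ROT13 leaves digits untouched, so this "encrypted" SSN is still readable.
    ExposedRecord("CA", {"name": "C. Resident", "ssn": "678-90-1234"},
                  encrypted_with={"ssn": "rot13"}),
    ExposedRecord("CA", {"name": "D. Resident", "account_number": "4111111111111111"}),
    ExposedRecord("NV", {"name": "E. Visitor", "ssn": "234-56-7890"}),
]


def triage(records):
    """Map each record's name to (notice required?, elements that triggered it)."""
    return {r.fields.get("name"): (notification_required(r), triggering_elements(r))
            for r in records}


if __name__ == "__main__":
    for name, (required, why) in triage(SAMPLE).items():
        print(f"{name}: notify={required} elements={why}")
```

Two design points: the decision keys off an explicit allowlist of ciphers rather than a “does it look scrambled” heuristic, because ROT13 rotates only letters and a digits-only SSN comes out of it unchanged; and the account-number element is counted only when its code is also exposed, so a list of bare card numbers does not trigger on its own under this rule.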
AB 1950
   On Sept. 29, California enacted AB 1950, which requires that a business that:
       Stores personal information about a California resident MUST implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect it from unauthorized access, destruction, modification, use or disclosure.
       Discloses personal information about a California resident to a third party as part of a contract MUST require the third party to implement and maintain the same reasonable security procedures and practices appropriate to the nature of the information to protect it from unauthorized access, destruction, modification, use or disclosure.
My organization isn’t in
    California, why should I care?
   Because SB 1386 applies to any person or
    organization that conducts business in
    California and stores personal information
    about California residents on a computer
    system.
   Many states are implementing their own
    regulations, similar to California
FTC has started enforcing security “promises”
FTC Actions Regarding Security:
   Eli Lilly
       Disclosure of email addresses of Prozac prescription holders
   Microsoft
       Overpromising regarding security of MS Passport service
   Guess, Inc.
       Promising security of information while remaining vulnerable to common attacks (its web site was open to SQL injection)
You’ve been cracked…
         And now you’re sued.
   US law requires people to behave
    “reasonably”.
   If you don’t behave reasonably and
    someone is harmed because of it, you
    may be liable for negligence.
   So…If your systems get cracked, and the
    cracker uses your boxes to launch an
    attack on someone else, that victim may
    try to sue you for negligently configuring
    your systems so that the cracker could get
You’ve been sued…
          And you might lose.
   If you cannot show that you were
    “reasonable” - which may be defined as
    having complied with industry regulations,
    a court may decide that you were
    negligent and your company is liable for
    the damages of the downstream victim(s).
   This hasn’t happened, yet, but many
    people think it’s coming.
LECTURE TAKE AWAYS
   Knowing regulations is impressive to
    employers, I’m not sure why…
   GLB, SOX and HIPAA all require similar
    things
   Authentication
   Auditing
   Protection
   Data Integrity Proof
   80% 20% rule!!!

More Related Content

What's hot

An Overview of the Major Compliance Requirements
An Overview of the Major Compliance RequirementsAn Overview of the Major Compliance Requirements
An Overview of the Major Compliance RequirementsDoubleHorn
 
Ict Compliance (Sept 2004)
Ict Compliance (Sept 2004)Ict Compliance (Sept 2004)
Ict Compliance (Sept 2004)Lance Michalson
 
Introduction to Data Security Breach Preparedness with Model Data Security Br...
Introduction to Data Security Breach Preparedness with Model Data Security Br...Introduction to Data Security Breach Preparedness with Model Data Security Br...
Introduction to Data Security Breach Preparedness with Model Data Security Br...- Mark - Fullbright
 
Regulatory Compliance under the Information Technology Act, 2000
Regulatory Compliance under the Information Technology Act, 2000Regulatory Compliance under the Information Technology Act, 2000
Regulatory Compliance under the Information Technology Act, 2000n|u - The Open Security Community
 
Law firm information security overview focus on encryption by dave cunningh...
Law firm information security overview   focus on encryption by dave cunningh...Law firm information security overview   focus on encryption by dave cunningh...
Law firm information security overview focus on encryption by dave cunningh...David Cunningham
 
HIPAA Access Medical Records by Sainsbury-Wong
HIPAA Access Medical Records by Sainsbury-WongHIPAA Access Medical Records by Sainsbury-Wong
HIPAA Access Medical Records by Sainsbury-WongLorianne Sainsbury-Wong
 
Information governance
Information governanceInformation governance
Information governanceGerardo Medina
 
HHS Issues HIPAA Cyber Attack Response Checklist
HHS Issues HIPAA Cyber Attack Response ChecklistHHS Issues HIPAA Cyber Attack Response Checklist
HHS Issues HIPAA Cyber Attack Response ChecklistTodd LaRue
 
Legal obligations and responsibilities of data processors and controllers und...
Legal obligations and responsibilities of data processors and controllers und...Legal obligations and responsibilities of data processors and controllers und...
Legal obligations and responsibilities of data processors and controllers und...IT Governance Ltd
 
Personally Identifiable Information Protection
Personally Identifiable Information ProtectionPersonally Identifiable Information Protection
Personally Identifiable Information ProtectionPECB
 
Personally Identifiable Information – FTC: Identity theft is the most common ...
Personally Identifiable Information – FTC: Identity theft is the most common ...Personally Identifiable Information – FTC: Identity theft is the most common ...
Personally Identifiable Information – FTC: Identity theft is the most common ...Jan Carroza
 
Forecast cybersecurity regulation v3
Forecast cybersecurity regulation v3Forecast cybersecurity regulation v3
Forecast cybersecurity regulation v3Joe Orlando
 
What Is Security Risk Analysis? By: MedSafe
What Is Security Risk Analysis? By: MedSafeWhat Is Security Risk Analysis? By: MedSafe
What Is Security Risk Analysis? By: MedSafeMedSafe
 
Healthcare Compliance: HIPAA and HITRUST
Healthcare Compliance: HIPAA and HITRUSTHealthcare Compliance: HIPAA and HITRUST
Healthcare Compliance: HIPAA and HITRUSTControlCase
 
Compliance audit under the Information Technology Act, 2000
Compliance audit under the Information Technology Act, 2000Compliance audit under the Information Technology Act, 2000
Compliance audit under the Information Technology Act, 2000Sagar Rahurkar
 

What's hot (19)

An Overview of the Major Compliance Requirements
An Overview of the Major Compliance RequirementsAn Overview of the Major Compliance Requirements
An Overview of the Major Compliance Requirements
 
Ict Compliance (Sept 2004)
Ict Compliance (Sept 2004)Ict Compliance (Sept 2004)
Ict Compliance (Sept 2004)
 
Infosec Law (Feb 2006)
Infosec Law (Feb 2006)Infosec Law (Feb 2006)
Infosec Law (Feb 2006)
 
Introduction to Data Security Breach Preparedness with Model Data Security Br...
Introduction to Data Security Breach Preparedness with Model Data Security Br...Introduction to Data Security Breach Preparedness with Model Data Security Br...
Introduction to Data Security Breach Preparedness with Model Data Security Br...
 
Regulatory Compliance under the Information Technology Act, 2000
Regulatory Compliance under the Information Technology Act, 2000Regulatory Compliance under the Information Technology Act, 2000
Regulatory Compliance under the Information Technology Act, 2000
 
Law firm information security overview focus on encryption by dave cunningh...
Law firm information security overview   focus on encryption by dave cunningh...Law firm information security overview   focus on encryption by dave cunningh...
Law firm information security overview focus on encryption by dave cunningh...
 
HIPAA Access Medical Records by Sainsbury-Wong
HIPAA Access Medical Records by Sainsbury-WongHIPAA Access Medical Records by Sainsbury-Wong
HIPAA Access Medical Records by Sainsbury-Wong
 
Information governance
Information governanceInformation governance
Information governance
 
Healthcare Data Security Update
Healthcare Data Security UpdateHealthcare Data Security Update
Healthcare Data Security Update
 
Cissp notes
Cissp notesCissp notes
Cissp notes
 
HHS Issues HIPAA Cyber Attack Response Checklist
HHS Issues HIPAA Cyber Attack Response ChecklistHHS Issues HIPAA Cyber Attack Response Checklist
HHS Issues HIPAA Cyber Attack Response Checklist
 
Hipaa omnibus
Hipaa omnibusHipaa omnibus
Hipaa omnibus
 
Legal obligations and responsibilities of data processors and controllers und...
Legal obligations and responsibilities of data processors and controllers und...Legal obligations and responsibilities of data processors and controllers und...
Legal obligations and responsibilities of data processors and controllers und...
 
Personally Identifiable Information Protection
Personally Identifiable Information ProtectionPersonally Identifiable Information Protection
Personally Identifiable Information Protection
 
Personally Identifiable Information – FTC: Identity theft is the most common ...
Personally Identifiable Information – FTC: Identity theft is the most common ...Personally Identifiable Information – FTC: Identity theft is the most common ...
Personally Identifiable Information – FTC: Identity theft is the most common ...
 
Forecast cybersecurity regulation v3
Forecast cybersecurity regulation v3Forecast cybersecurity regulation v3
Forecast cybersecurity regulation v3
 
What Is Security Risk Analysis? By: MedSafe
What Is Security Risk Analysis? By: MedSafeWhat Is Security Risk Analysis? By: MedSafe
What Is Security Risk Analysis? By: MedSafe
 
Healthcare Compliance: HIPAA and HITRUST
Healthcare Compliance: HIPAA and HITRUSTHealthcare Compliance: HIPAA and HITRUST
Healthcare Compliance: HIPAA and HITRUST
 
Compliance audit under the Information Technology Act, 2000
Compliance audit under the Information Technology Act, 2000Compliance audit under the Information Technology Act, 2000
Compliance audit under the Information Technology Act, 2000
 

Similar to It industry regulations

Explaining the HIPAA Privacy[.docx
Explaining the HIPAA Privacy[.docxExplaining the HIPAA Privacy[.docx
Explaining the HIPAA Privacy[.docxVistaInfosec
 
ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...
ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...
ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...PECB
 
CHAPTER3 Maintaining ComplianceMANY LAWS AND REGULATIONS.docx
CHAPTER3 Maintaining ComplianceMANY LAWS AND REGULATIONS.docxCHAPTER3 Maintaining ComplianceMANY LAWS AND REGULATIONS.docx
CHAPTER3 Maintaining ComplianceMANY LAWS AND REGULATIONS.docxchristinemaritza
 
Data Security and Regulatory Compliance
Data Security and Regulatory ComplianceData Security and Regulatory Compliance
Data Security and Regulatory ComplianceLifeline Data Centers
 
Describe one safeguard that should be in place to protect the confid.pdf
Describe one safeguard that should be in place to protect the confid.pdfDescribe one safeguard that should be in place to protect the confid.pdf
Describe one safeguard that should be in place to protect the confid.pdfmohammedfootwear
 
how to really implement hipaa presentation
how to really implement hipaa presentationhow to really implement hipaa presentation
how to really implement hipaa presentationProvider Resources Group
 
Security Compliance Models- Checklist v. Framework
Security Compliance Models- Checklist v. FrameworkSecurity Compliance Models- Checklist v. Framework
Security Compliance Models- Checklist v. FrameworkDivya Kothari
 
Explain the security implications of HIPPA requirements for hospital.pdf
Explain the security implications of HIPPA requirements for hospital.pdfExplain the security implications of HIPPA requirements for hospital.pdf
Explain the security implications of HIPPA requirements for hospital.pdfarjunenterprises1978
 
Data Risks In A Digital Age
Data Risks In A Digital Age Data Risks In A Digital Age
Data Risks In A Digital Age padler01
 
The importance of hipaa compliance and training
The importance of hipaa compliance and trainingThe importance of hipaa compliance and training
The importance of hipaa compliance and trainingLaDavia Day, MHA, BS
 
What is HIPAA Compliance?
What is HIPAA Compliance?What is HIPAA Compliance?
What is HIPAA Compliance?Power Admin LLC
 
Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...Financial Poise
 
HIPAA, Privacy, Security, and Good Business
HIPAA, Privacy, Security, and Good BusinessHIPAA, Privacy, Security, and Good Business
HIPAA, Privacy, Security, and Good BusinessStephen Cobb
 
Hipaa checklist for healthcare software
Hipaa checklist for healthcare softwareHipaa checklist for healthcare software
Hipaa checklist for healthcare softwareConcetto Labs
 
Assuring regulatory compliance, ePHI protection, and secure healthcare delivery
Assuring regulatory compliance, ePHI protection, and secure healthcare deliveryAssuring regulatory compliance, ePHI protection, and secure healthcare delivery
Assuring regulatory compliance, ePHI protection, and secure healthcare deliveryTrend Micro
 
Welcome to HIPAA Training
Welcome to HIPAA TrainingWelcome to HIPAA Training
Welcome to HIPAA TrainingJonathan Montes
 
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...Envision Technology Advisors
 
Dental Compliance for Dentists and Business Associates
Dental Compliance for Dentists and Business AssociatesDental Compliance for Dentists and Business Associates
Dental Compliance for Dentists and Business Associatesgppcpa
 

Similar to It industry regulations (20)

Explaining the HIPAA Privacy[.docx
Explaining the HIPAA Privacy[.docxExplaining the HIPAA Privacy[.docx
Explaining the HIPAA Privacy[.docx
 
ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...
ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...
ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...
 
CHAPTER3 Maintaining ComplianceMANY LAWS AND REGULATIONS.docx
CHAPTER3 Maintaining ComplianceMANY LAWS AND REGULATIONS.docxCHAPTER3 Maintaining ComplianceMANY LAWS AND REGULATIONS.docx
CHAPTER3 Maintaining ComplianceMANY LAWS AND REGULATIONS.docx
 
Data Security and Regulatory Compliance
Data Security and Regulatory ComplianceData Security and Regulatory Compliance
Data Security and Regulatory Compliance
 
Describe one safeguard that should be in place to protect the confid.pdf
Describe one safeguard that should be in place to protect the confid.pdfDescribe one safeguard that should be in place to protect the confid.pdf
Describe one safeguard that should be in place to protect the confid.pdf
 
Lecture 8.pdf
Lecture 8.pdfLecture 8.pdf
Lecture 8.pdf
 
how to really implement hipaa presentation
how to really implement hipaa presentationhow to really implement hipaa presentation
how to really implement hipaa presentation
 
Security Compliance Models- Checklist v. Framework
Security Compliance Models- Checklist v. FrameworkSecurity Compliance Models- Checklist v. Framework
Security Compliance Models- Checklist v. Framework
 
Explain the security implications of HIPPA requirements for hospital.pdf
Explain the security implications of HIPPA requirements for hospital.pdfExplain the security implications of HIPPA requirements for hospital.pdf
Explain the security implications of HIPPA requirements for hospital.pdf
 
Data Risks In A Digital Age
Data Risks In A Digital Age Data Risks In A Digital Age
Data Risks In A Digital Age
 
The importance of hipaa compliance and training
The importance of hipaa compliance and trainingThe importance of hipaa compliance and training
The importance of hipaa compliance and training
 
What is HIPAA Compliance?
What is HIPAA Compliance?What is HIPAA Compliance?
What is HIPAA Compliance?
 
Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...
 
HIPAA, Privacy, Security, and Good Business
HIPAA, Privacy, Security, and Good BusinessHIPAA, Privacy, Security, and Good Business
HIPAA, Privacy, Security, and Good Business
 
Hipaa checklist for healthcare software
Hipaa checklist for healthcare softwareHipaa checklist for healthcare software
Hipaa checklist for healthcare software
 
Assuring regulatory compliance, ePHI protection, and secure healthcare delivery
Assuring regulatory compliance, ePHI protection, and secure healthcare deliveryAssuring regulatory compliance, ePHI protection, and secure healthcare delivery
Assuring regulatory compliance, ePHI protection, and secure healthcare delivery
 
HIPAA AND IT AUDITS.pdf
HIPAA AND IT AUDITS.pdfHIPAA AND IT AUDITS.pdf
HIPAA AND IT AUDITS.pdf
 
Welcome to HIPAA Training
Welcome to HIPAA TrainingWelcome to HIPAA Training
Welcome to HIPAA Training
 
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
 
Dental Compliance for Dentists and Business Associates
Dental Compliance for Dentists and Business AssociatesDental Compliance for Dentists and Business Associates
Dental Compliance for Dentists and Business Associates
 

More from Nicholas Davis

It industry regulations

  • 1. Information Systems 365 Lecture 10: Industry Regulations
  • 2. Today’s Chocolate Bar: 3 Musketeers
      - When introduced in 1932, 3 Musketeers had three pieces of candy in one package, flavored vanilla, chocolate and strawberry, hence the name. In 1945, the product was changed to a single bar with the aforementioned chocolate filling.
  • 3. Some Of This Stuff Is Tedious
      - So, after each section we will have “take away slides”, PAY ATTENTION TO THOSE!
  • 4. Industry Regulations: Why Bother Learning Them?
      - Ability to impress interviewers
      - It all relies on TECHNOLOGY
      - Learn: Policies, Procedures, Legislation, Guidance
  • 5. Today
      - Regulation, legislation and guidance definitions. Provide a common understanding of the different types of requirements.
      - Commercial Guidance: Industry must be concerned with compliance, legislation and guidance.
      - Federal, State, International and Industry Regulations
  • 6. Information Security Related Laws
      - Federal Information Security Management Act of 2002 (“FISMA”)
      - Gramm-Leach-Bliley Act (“GLBA”)
      - Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
      - Sarbanes-Oxley Act
      - USA PATRIOT Act
      - Counterfeit Access Devices and Computer Fraud and Abuse Act of 1984 (“CFAA”)
      - Electronic Communications Privacy Act (“ECPA”)
  • 7. Take Away
      - There are 5 or 6 major information security laws
      - They all pretty much say the same things, with about 20% special differences related to the specific industries they cover
      - The 80% / 20% rule
  • 8. What’s the difference between Federal laws and regulations?
      - Laws generally specify what is required, but not how it should be done.
      - Laws are frequently vague and can be ambiguous.
  • 9. What Are Regulations?
      - Regulations stipulate requirements to be compliant with laws
      - Regulations may contain specific steps or procedures for compliance
      - Frequently composed with help from industry experts
  • 10. Take Away
      - Laws are general
      - Regulations are more specific
  • 11. Federal Activities Related to Information Security
      - Major Federal responsibility is securing Federally owned/operated systems.
      - Federal government does not generally regulate security of non-government systems.
      - HOWEVER, Federal government does require that certain types of information be protected.
      - Federal government working with industry regarding security of critical infrastructure.
  • 12. Federal Laws We’re Going to Cover Today
      - Federal Information Security Management Act (FISMA)
      - Gramm-Leach-Bliley Act (GLBA)
      - Health Insurance Portability and Accountability Act (HIPAA)
      - Sarbanes-Oxley Act (SOX)
  • 13. Federal Information Security Management Act
      - Builds on requirements of: Computer Security Act of 1987; Paperwork Reduction Act of 1995; Information Technology Management Reform Act of 1996
      - Provides basic statutory framework for securing Federally owned/operated computer systems.
  • 14. FISMA
      - Requires each agency to: inventory computer systems; identify and provide appropriate security protections; and develop, document and implement an agency-wide information security program
      - Authorizes National Institute of Standards & Technology (NIST) to develop security standards and guidelines for systems used by the federal government.
  • 15. Take Away
      - FISMA covers Federal Government systems: encrypted information; defense information; National Security information
      - Inventory computer systems; identify and provide appropriate security protections; and develop, document and implement an agency-wide information security program
  • 16. Gramm-Leach-Bliley Act
      - Requires “financial institutions” to protect security and confidentiality of customers’ non-public financial information.
      - Authorizes various agencies to coordinate development of regulations: Comptroller of the Currency, SEC, FDIC, FTC, etc.
      - FTC announced final rule implementing GLBA in May 2002.
  • 17. GLBA (cont): FTC GLBA regulations
      - Published at 16 CFR 314
      - Require “financial institutions” to develop, implement and maintain a comprehensive information security program with appropriate administrative, technical and physical safeguards, including: designating an employee to coordinate the program; performing risk assessments; performing regular testing and monitoring; a process for making changes in light of test results or changes in circumstances.
  • 18. So what is a “financial institution” under GLBA?
      - Under the GLBA rule, “financial institutions” generally includes anyone who extends credit to consumers, but also includes debt collection agencies, mortgage lenders, real estate settlement services, and entities that process consumers' non-public personal financial information.
  • 19. GLBA Continued
      - FTC's GLBA rule also regulates non-affiliated third parties (parties that are not financial institutions) by limiting the transfer of non-public personal information they receive from financial institutions.
      - What’s tricky about GLBA?
      - Broad definition of “financial institution” could potentially include an array of companies that may not consider themselves as such (e.g., a department store that offers lay-away services or manufacturers that offer equipment financing).
      - Multiple agencies with authority to issue regulations. Could conflict.
  • 20. What do you need to do under GLBA? If GLBA applies to your company:
      - Create, implement and maintain an information security program.
      - The information security program should have the regular involvement of the Board of Directors (this may be beyond your scope).
      - Regularly assess risks.
  • 21. GLBA, What You Need To Do
      - Create, document, implement and maintain policies and procedures to manage and control risk, including training, testing and managing/monitoring third party service providers.
      - Adjust the information security program as necessary based on testing or other changes.
  • 22. Take Away
      - Requires “financial institutions” to protect security and confidentiality of customers’ non-public financial information.
  • 23. Health Insurance Portability and Accountability Act
      - Authorizes the Secretary of Health and Human Services to adopt standards that require “health plans”, “health care providers” and “health care clearinghouses” to take reasonable and appropriate administrative, technical and physical safeguards to:
      - Ensure integrity and confidentiality of individually identifiable health information held or transferred by them;
      - Protect against any reasonably anticipated threats, unauthorized use or disclosure; and
  • 24. HIPAA Continued
      - HIPAA security regulations are much more substantive than GLBA security regulations.
      - GLBA is vague, HIPAA is more specific!
  • 25. HIPAA Scope & Key Definitions
      - Requires health care entities to implement new privacy policies, comply with technical security requirements, provide notice/secure authorizations for a range of uses and disclosures of health information, and enter into written agreements with business partners regarding the ability to share such information.
  • 26. Definitions You Will Forget: HIPAA Key Definitions
      - Protected health information (“PHI”) includes all individually identifiable health information (“IIHI”) in the hands of “covered entities.”
      - “Covered Entity” includes the following types: 1) health care plans; 2) health care clearinghouses; and 3) health care providers who electronically transmit health information in connection with certain specified transactions.
      - “Business Associates” are any people or entities that perform certain activities or functions on behalf of a Covered Entity that involve the use or disclosure of protected health information (i.e., claims processing, benefit management, etc.).
  • 27. HIPAA Security Rule - General
      - Requires CEs to implement a unified security approach based on “defense in depth.”
      - Is technology neutral. CEs select appropriate technology to protect information.
      - Requires CEs to protect information from both internal and external threats.
      - Requires CEs to conduct regular, thorough and accurate risk assessments. See http://www.hipaadvisory.com/alert/vol4/number2.htm#four for a detailed discussion of how to conduct a risk analysis.
  • 28. HIPAA Security Regulations
      - HIPAA security requirements fall into three categories: Administrative Safeguards; Physical Safeguards; Technical Safeguards
      - Each category includes: “standards”: WHAT the organization must do; and “implementation specifications”: HOW it must be done.
  • 29. HIPAA Administrative Safeguards
      - Administrative safeguards require documented policies and procedures for managing: day-to-day operations; conduct and access of workforce members to protected information; selection, development and use of security controls.
  • 30. HIPAA Physical Safeguards
      - Physical safeguards are intended to protect information systems and protected information from unauthorized physical access.
      - CE must limit physical access while still permitting authorized physical access.
  • 31. HIPAA Technical Safeguards
      - Technical Safeguards are requirements for using technology to control access to protected information
      - Access Controls
      - Audit Controls
      - Information Integrity Controls
      - Person or entity authentication
      - Transmission security
  • 32. HIPAA Documentation Requirements
      - CE must maintain documentation (e.g., policies and procedures) required by the HIPAA Security Rule until the LATER OF: 6 years from date of creation; OR 6 years from date the policy/procedure was last in effect.
      - CE must regularly review and update documentation.
  • 33. Take Away
      - HIPAA covers healthcare related institutions, both public and private
      - Technical Controls
      - Physical Controls
      - Administrative Controls
  • 34. Sarbanes-Oxley
      - After Enron, Adelphia Communications, MCI/Worldcom (among others) showed there were flaws in current financial reporting requirements, Congress passed SOX.
      - Purpose of SOX is “To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the security laws, and for other purposes.”
      - Two sections of SOX have impact on information security: Section 302 and Section 404.
  • 35. Sarbanes-Oxley Sections 302 and 404
      - Section 302 states that the CEO and CFO must personally certify that financial reports are accurate and complete. They must also assess and report on the effectiveness of internal controls around financial reporting.
      - Section 404 states that the corporation must assess the effectiveness of internal controls and report the assessment to the SEC. The assessment must also be reviewed by an outside auditing firm.
  • 36. Godzilla Size Take Away
      - No assessment of internal controls is complete without an understanding of information security. Insecure systems cannot be considered a source of reliable financial information.
  • 37. What do you have to do to comply with SOX?
      - Comply with requirements of the ITGI Framework. Topics: Security Policy; Security Standards; Access and Authentication; User Account Management; Network Security; Monitoring; Segregation of Duties; Physical Security
  • 38. SOX Audit
      - Auditors will look for: whether policies exist for appropriate information security topics; whether policies have been approved at appropriate management levels; whether policies are communicated effectively to personnel
  • 39. Take Away
      - A core goal of SOX is to protect investors by providing assurance that financial data is truthful and has maintained its integrity
      - Without technical controls, you have no way to verify financial data truthfulness and integrity
      - Hardly begins to explain why we just gave 700 billion to the banks!
  • 40. California has been leading the way
      - Requires notification to California-resident data owners if a security breach discloses (or might have disclosed) certain information that could lead to identity theft.
  • 41. Covered Information
      - Name (full name or first initial and last name)
      - Social security number
      - Driver’s license number
      - California Identification Card number
      - Account number or credit or debit card number along with any required security code, access code, or
  • 42. SB 1386 (cont)
      - Companies are not required to notify customers if the information was stored in encrypted form.
      - Some speculation that even something as simple as ROT13 would satisfy this requirement, but don’t bank on it.
  • 43. AB 1950
      - On Sept. 29, California enacted AB 1950, which requires a business that:
      - Stores personal information about a California resident MUST implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect it from unauthorized access, destruction, modification, use or disclosure.
      - Discloses personal information about a California resident to a third party as part of a contract will require the third party to implement and maintain the same reasonable security procedures and practices appropriate to the nature of the information to protect it from unauthorized access, destruction, modification, use or disclosure.
  • 44. My organization isn’t in California, why should I care?
      - Because SB 1386 applies to any person or organization that conducts business in California and stores personal information about California residents on a computer system.
      - Many states are implementing their own regulations, similar to California.
  • 45. FTC has started enforcing security “promises”: FTC Actions Regarding Security
      - Eli Lilly: disclosure of email addresses of Prozac prescription holders
      - Microsoft: overpromising regarding security of the MS Passport service
      - Guess, Inc.: promising security of information while remaining vulnerable to common attacks
  • 46. You’ve been cracked… And now you’re sued.
      - US law requires people to behave “reasonably”.
      - If you don’t behave reasonably and someone is harmed because of it, you may be liable for negligence.
      - So… If your systems get cracked, and the cracker uses your boxes to launch an attack on someone else, that victim may try to sue you for negligently configuring your systems so that the cracker could get
  • 47. You’ve been sued… And you might lose.
      - If you cannot show that you were “reasonable” (which may be defined as having complied with industry regulations), a court may decide that you were negligent and your company is liable for the damages of the downstream victim(s).
      - This hasn’t happened, yet, but many people think it’s coming.
  • 48. LECTURE TAKE AWAYS
      - Knowing regulations is impressive to employers, I’m not sure why…
      - GLB, SOX and HIPAA all require similar things: Authentication; Auditing; Protection; Data Integrity Proof
      - 80% / 20% rule!!!
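The Technical Safeguards listed on slide 31 (access controls, audit controls, integrity controls, person or entity authentication, transmission security) stay abstract on the slides. What follows is an added example, not code from the lecture or from any real covered entity, that maps four of those standards to concrete controls in a toy in-memory PHI store: role-based authorization, an audit entry for every attempt including denials, PBKDF2-hashed credentials with session tokens, and an HMAC tag verified on every read so that modification outside the application is detected. Transmission security is the one safeguard not shown, because it belongs to the transport (TLS), not to application code. The role names, users, passwords and the sample record are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone

# Constructed role matrix (Access Controls); a real covered entity derives this
# from its own documented policies.
ROLE_PERMISSIONS = {"physician": {"read", "write"}, "billing": {"read"}}


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class PhiStore:
    def __init__(self, integrity_key: bytes):
        self._key = integrity_key   # HMAC key used for Integrity Controls
        self._records = {}          # patient_id -> (json bytes, HMAC tag)
        self._users = {}            # user -> (salt, password hash, role)
        self._sessions = {}         # token -> (user, role)
        self.audit_log = []         # Audit Controls: every attempt, allowed or not

    def _audit(self, user, action, patient_id, allowed):
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(),
                               "user": user, "action": action,
                               "patient": patient_id, "allowed": allowed})

    def register_user(self, user, password, role):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, hash_password(password, salt), role)

    def login(self, user, password):
        # Person or Entity Authentication: verify the credential, then issue a session.
        entry = self._users.get(user)
        ok = entry is not None and hmac.compare_digest(
            entry[1], hash_password(password, entry[0]))
        self._audit(user, "login", None, ok)
        if not ok:
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = (user, entry[2])
        return token

    def _authorize(self, token, permission, patient_id):
        user, role = self._sessions.get(token, ("<unauthenticated>", None))
        allowed = permission in ROLE_PERMISSIONS.get(role, set())
        self._audit(user, permission, patient_id, allowed)   # denials are logged too
        if not allowed:
            raise PermissionError(f"{user} ({role}) may not {permission}")

    def _tag(self, data: bytes) -> bytes:
        return hmac.new(self._key, data, hashlib.sha256).digest()

    def write(self, token, patient_id, record):
        self._authorize(token, "write", patient_id)
        data = json.dumps(record, sort_keys=True).encode()
        self._records[patient_id] = (data, self._tag(data))

    def read(self, token, patient_id):
        self._authorize(token, "read", patient_id)
        data, tag = self._records[patient_id]
        # Integrity Controls: never return a record whose tag no longer matches.
        if not hmac.compare_digest(tag, self._tag(data)):
            raise ValueError("integrity check failed for " + patient_id)
        return json.loads(data)


def demo():
    # Exercise each control on constructed users and records; return the outcomes.
    store = PhiStore(integrity_key=secrets.token_bytes(32))
    store.register_user("dr_lee", "correct horse", "physician")
    store.register_user("b_jones", "staple battery", "billing")
    dr = store.login("dr_lee", "correct horse")
    store.write(dr, "P-001", {"dx": "constructed sample diagnosis"})
    bill = store.login("b_jones", "staple battery")
    out = {"billing_can_read": store.read(bill, "P-001")["dx"] == "constructed sample diagnosis"}
    try:
        store.write(bill, "P-001", {"dx": "changed"})
        out["billing_write_blocked"] = False
    except PermissionError:
        out["billing_write_blocked"] = True
    out["bad_login_rejected"] = store.login("dr_lee", "wrong") is None
    # Simulate an edit made outside the application (e.g. directly in the database).
    data, tag = store._records["P-001"]
    store._records["P-001"] = (data.replace(b"constructed", b"altered"), tag)
    try:
        store.read(dr, "P-001")
        out["tamper_detected"] = False
    except ValueError:
        out["tamper_detected"] = True
    out["denied_events"] = sum(1 for e in store.audit_log if not e["allowed"])
    return out
```

Two design points match what the slides ask for: denials are written to the audit log as well as successes, because an auditor reviewing access to PHI needs the failed attempts, and the integrity tag is keyed (HMAC) rather than a bare hash, so whoever alters the stored bytes cannot simply recompute the tag.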
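Slide 37's ITGI topic list names Segregation of Duties and User Account Management, and slide 38 says auditors will check whether the corresponding controls exist. The following is an added example, not from the lecture, of the kind of segregation-of-duties check a Section 404 internal-controls assessment relies on: it flags any user whose effective roles contain both sides of a conflicting pair, and it expands group memberships first, since a user who looks clean on direct grants may inherit the conflicting role through a group. The conflict pairs, users and groups are constructed for illustration.

```python
# Constructed conflict pairs: one person holding both sides of a pair can both
# initiate and approve a financial action, which defeats the control.
SOD_CONFLICTS = {
    frozenset({"vendor_create", "payment_approve"}),
    frozenset({"journal_post", "journal_approve"}),
    frozenset({"user_admin", "payment_approve"}),
}


def expand_roles(roles, group_roles, _seen=None):
    """Resolve group names (recursively, with a cycle guard) to the set of
    individual roles a user effectively holds."""
    seen = set() if _seen is None else _seen
    effective = set()
    for r in roles:
        if r in group_roles:
            if r in seen:
                continue
            seen.add(r)
            effective |= expand_roles(group_roles[r], group_roles, seen)
        else:
            effective.add(r)
    return effective


def find_sod_violations(assignments, group_roles=None):
    """Return {user: [(role_a, role_b), ...]} for every user whose effective
    roles contain a conflicting pair; users with no conflict are omitted."""
    group_roles = group_roles or {}
    violations = {}
    for user, roles in assignments.items():
        effective = expand_roles(roles, group_roles)
        hits = sorted(tuple(sorted(p)) for p in SOD_CONFLICTS if p <= effective)
        if hits:
            violations[user] = hits
    return violations


# Constructed sample data: direct role grants plus one group that hides a conflict.
CONSTRUCTED_ASSIGNMENTS = {
    "alice": {"vendor_create"},
    "bob": {"vendor_create", "payment_approve"},
    "carol": {"journal_post", "finance_leads"},
    "dave": {"user_admin", "report_view"},
}
CONSTRUCTED_GROUPS = {
    "finance_leads": {"journal_approve", "report_view"},
}


def audit_report():
    """Compare the naive view (direct grants only) with the group-expanded view,
    which is the one an auditor wants to see."""
    direct = find_sod_violations(CONSTRUCTED_ASSIGNMENTS)
    effective = find_sod_violations(CONSTRUCTED_ASSIGNMENTS, CONSTRUCTED_GROUPS)
    return {"direct": direct, "effective": effective,
            "missed_by_direct_check": sorted(set(effective) - set(direct))}
```

In the constructed data, bob is caught either way, but carol only shows up once the finance_leads group is expanded; that gap between the direct and effective views is exactly the sort of finding an auditor records against the User Account Management control.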