INFORMATION SECURITY REGULATIONS AND COMPLIANCE
Organizations and companies formulate information security protocols that are to be observed by their employees. The intention is to ensure smooth operation of their tasks. Quite often, persons mandated with these tasks are blinded by the sole well-being of their respective organisations and neglect consultation of the relevant government agencies dealing with the issue. As a result, they later find themselves in legal battles that sometimes cost them huge expenses and fines. Properly designed information security measures are ones that take into account the already existing federal and state laws and regulations governing the matter. A number of agencies and bodies that provide information security laws and guidelines are discussed here. These include the Federal Information Security Management Act (FISMA), the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), intellectual property law, the Department of Health and Human Services (HHS) and the National Institute of Standards and Technology (NIST), among many more. An overview of matters pertaining to information security under the aforementioned agencies, laws and regulations is given here. Also discussed are security methods and control measures that an organisation needs to consider in order to be compliant.
FISMA was enacted in 2002 and defines information security as “protecting information and information systems from unauthorised access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability (ICA)” (FISMA 2002). The purpose of the act is to assign specific roles and responsibilities to federal agencies such as the Department of Defence, the Central Intelligence Agency, the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) so as to ensure that both private information and national security systems are strongly protected. It requires that the respective agencies design and implement policies and measures that are not only cost-effective but also reduce the risks associated with information security.
The Sarbanes-Oxley Act (SOA), also enacted in 2002, is often also referred to as the Public Company Accounting Reform and Investor Protection Act or the Corporate and Auditing Accountability and Responsibility Act. The act is a result of corporate misconduct and financial crimes witnessed in the period before 2002. Its main aim was stated as “To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes” (SOA 2002). The act provides a set of requirements for federal and state public oversight boards, management, auditing firms and even private companies. Responsibilities of boards of directors are listed in the act alongside stiff penalties, set out in section eight, in the event of misconduct such as document alteration to impede investigations and proceedings. The act also gives guidance on the disclosure of financial records.
The Gramm-Leach-Bliley Act of 1999 is sometimes referred to as the Financial Services Modernization Act, and its goal was “To enhance competition in the financial services industry by providing a prudential framework for the affiliation of banks, securities firms, insurance companies and other financial service providers, and for other purposes” (GLBA 1999). Essentially, the law provides for affiliations, mergers or consolidation of commercial banks, insurance firms and all other financial service providers, an action which was previously prohibited and had acted as a barrier to the market. More importantly, with regard to information, it controls the ways in which financial institutions deal with individuals’ private information. It is made up of three sections, namely the Financial Privacy Rule, the Safeguards Rule and the pretexting provisions. Basically, the privacy rule regulates the collection and disclosure of private financial information. The safeguards rule, on the other hand, requires that financial service providers implement proper security measures to protect the information, while the pretexting provisions prohibit the use of tricks, unsubstantiated or false reasons or other ill practices to access a person’s financial records. The act goes further to require that financial institutions provide written policy notices explaining how they manage people’s information.
PCI DSS comprises technical and operational requirements set by the PCI Security Standards Council (PCI SSC) with the objective of protecting cardholder data. These standards apply to all merchants and organizations whose business includes the storage, processing and transmission of cardholder data. The technical guidelines are specifically targeted at manufacturers of both the software and the hardware components that make up payment devices. The PCI SSC was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. The council is charged with managing the security standards, while enforcing compliance with the set standards is the mandate of the founding members. PCI DSS is a global data security standard adopted by all organisations that process, store and transmit cardholder data and is made up of a set of common-sense steps that ensure best security practices. “The main goals of PCI DSS include building and maintaining secure networks, protecting cardholder data, maintaining vulnerability management programs, implementing strong access control measures, regular monitoring and testing of networks and maintenance of information security policies” (PCI 2008). Tools for assessing compliance with PCI DSS are found online on the websites of the aforementioned founders.
HIPAA has a privacy rule that establishes national standards to protect individuals’ medical records and other personal health information; it applies to health plans, health care clearinghouses and those health care providers that conduct health care transactions electronically. In addition to the privacy rule, the act establishes a security rule and requires the government to develop regulations protecting the privacy and security of certain health information. Before this act, there were no requirements, regulations or standards whatsoever set to protect the health records of individuals in the health care industry.
Intellectual property law is governed by the World Intellectual Property Organization (WIPO). WIPO defines intellectual property as “the legal rights which result from intellectual activity in the industrial, scientific, literary and artistic fields” (WIPO 2008). It further states that the aim of intellectual property law is to safeguard creators and other producers of intellectual goods and services by granting them certain time-limited rights to control the use made of those productions. The rights do not apply to the physical object in which the creation is embodied but to the intellectual creation itself. IP is divided into industrial property and copyright.
In order to comply with the standards and regulatory requirements stated above, several methods and controls need to be implemented by companies, organizations or institutions that deal with information, to ensure that the three main principles of information security, confidentiality, integrity and availability, are observed to the letter.
Organizations and authorities dealing with information must build proper security infrastructure to guard against unauthorised access. This includes building firewalls that prevent attacks from individuals with malicious intentions. There must also be a section of the governing body that is charged with information security mandates. This ensures that the NIST requirement for information security governance is observed and is a fundamental step towards accountability and efficiency in operations.
Regarding access to private information such as the health and financial records of individuals, organisations should ensure that such information is only accessed and retrieved with the full consent of the person. They are to provide viable reasons as to why they need to access the information, stating explicitly how they would use it. In addition, they should serve the subject person with notices and legal documents to be signed.
Organizations, companies and agencies that collect users’ private information must ensure that a written security policy is provided to the users, to which they agree prior to the start of the information collection process. The policy design process must be informed by legal experts to make sure that the policies do not contradict regulatory guidelines. Care should also be taken to properly cite and acknowledge patented work to avoid getting embroiled in intellectual property (IP) lawsuits. Any such work should only be used with the full consent of the IP owner.
Organizations dealing with the gathering and processing of sensitive information must anticipate security breaches and should therefore put in place procedures and steps to be undertaken should a breach happen. Such preparations could include installation of tracking equipment to help speed up diagnosis, troubleshooting and recovery efforts.
Information security can further be enhanced with the latest data encryption and password protection systems. In the likely event that an attacker gains access to the information system and reaches the information, data encryption will render it unreadable and prevent prying eyes from using it to their benefit. Password protection of information plays a crucial role in the prevention of unauthorized access. Where electronic cards are used for access or for granting permissions, the organization should ensure that the design and usage of such devices conforms to the PCI DSS stipulated by the governing body.
NIST, as already mentioned, is mandated by FISMA to develop standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets, with the exception of national security systems. NIST provides guidelines for the formation of information security governance, whose major purpose is to ensure that agencies are proactively implementing appropriate information security controls to support their mission in a cost-effective manner while managing evolving information security risks (Bowen, Hash & Wilson 2006). NIST also defines the Chief Information Officer (CIO), Information System Security Officer (ISSO), Senior Agency Information Security Officer (SAISO), Information System Owner and Information Owner, with their respective roles. For instance, the Information Owner is the agency official with statutory or operational authority for specified information and is responsible for establishing the controls for information generation, collection, processing, dissemination and disposal. He is also required to establish rules for appropriate use and protection of the subject data or
REFERENCES
Bowen, P., Hash, J. & Wilson, M. (2006). Information Security Handbook: A Guide for Managers. Recommendations of the National Institute of Standards and Technology. NIST Special Publication 800-100.
World Intellectual Property Organization (2008). WIPO Intellectual Property Handbook. WIPO Publications.
Federal Information Security Management Act (FISMA) of 2002.
Sarbanes-Oxley Act of 2002.
Gramm-Leach-Bliley Act of 1999.
PCI Security Standards Council (2008). PCI Quick Reference Guide: Understanding the Payment Card Industry Data Security Standard Version 1.2. PCI Security Standards Council, LLC.
Secretary, H. O. (n.d.). Summary of the HIPAA Security Rule. Retrieved June 07, 2016, from http://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/