Information Security Legislation
“A Practical Guide to Security Assessments” by Sudhanshu Kairab (Chapter 10)
Sohel Imroz, 4/4/2006
Some “not-so-bad” News
• U.S. government has set significant penalties for noncompliance with HIPAA
• Penalties for noncompliance with HIPAA Regulations:
  – Individual noncompliance
    • Up to $100
Some “very bad” News
• Penalties for noncompliance with HIPAA Regulations (cont’d):
  – Multiple occurrences of same noncompliance
    • Up to $25,000.00 per year
  – Wrongful disclosure of health information
    • Up to $50,000.00
    • 1 year in prison
Some “scary” News
• Penalties for noncompliance with HIPAA Regulations (cont’d):
  – Wrongful disclosure of health information under false pretense
    • Up to $100,000.00
    • 5 years in prison
  – Wrongful disclosure of health information with intent to sell, transfer, or use
    • Up to $250,000.00
    • 10 years in prison
But, I have good news!
Agenda
• Why such legislation acts?
• Various legislation acts:
  – HIPAA
  – GLBA
  – Sarbanes-Oxley Act
  – Safe Harbor
  – FISMA
HIPAA
• Health Insurance Portability and Accountability Act
• Formerly known as the Kennedy/ Kassebaum Act
• Was enacted by the Congress in 1996
• Primary purpose:
  – Improve health insurance accessibility for people changing employers or leaving the workforce (Source: http://www.emrworld.net/emr-research/articles/hipaa.ppt#257,2,Overview)
  – Provide “Administrative Simplification” provisions
HIPAA (cont’d)
• Administrative Simplification provisions:
  – National standards
  – Unique health identifiers
  – Security standards
  – Privacy and confidentiality
HIPAA (cont’d)
• Objectives of Administrative Simplification provisions:
  – Improve efficiency of NHS
  – Reduce cost
  – Reduce fraud
  – Protect patient rights
  – Access to consistent clinical data
  – Information availability
  – Security standards for web-based technology
HIPAA (cont’d)
• Who must comply with HIPAA:
  – Health care providers
  – Health plans
  – Health care clearinghouses
• Key points to note:
  – HIPAA does not say how compliance will be achieved
  – Requirements are too broad
  – A lot of room for interpretation
GLBA
• Gramm-Leach-Bliley Act
• Was signed into law in 1999, and was in effect as of July 2001
• GLBA repealed the Glass-Steagall Act
• Primary purpose:
  – Provide customers with privacy notice
  – Privacy notice must be given to customer BEFORE any business agreement
  – Customers may “opt-out”
GLBA (cont’d)
• GLBA security requirements:
  – Information security program
  – Coordination of Information Security program
  – Regular risk analysis
  – Implementation of controls to mitigate risks
  – Overseeing the service providers
  – Evaluation and adjustment
GLBA (cont’d)
• Penalties for noncompliance with GLBA:
  – Financial institutions:
    • Up to $100,000.00 for each violation
  – Officers and directors:
    • Up to $10,000.00 for each violation
Sarbanes-Oxley Act
• Was enacted on July 30, 2002
• Answer to a series of corporate financial scandals, e.g. Enron, Tyco International, WorldCom
• Named after Senator Paul Sarbanes and Representative Michael Oxley
Sarbanes-Oxley Act (cont’d)
• Some key provisions:
  – CEO and CFO must certify financial reports (Section 302)
  – Ban on personal loans to executive officers (Section 402-A)
  – Prohibition on internal trades (Section 306)
  – Public reporting of CEO and CFO compensation (Section 304)
  – Criminal and civil penalties (Title IX)
  – Results of management testing and evaluation (Section 404)
Sarbanes-Oxley Act (cont’d)
• Cost of Sarbanes-Oxley compliance:
“FEI surveyed 224 public companies with average revenues of $2.5 billion to gauge Section 404 compliance cost estimates. Results showed the total cost of compliance is now estimated at $3.14 million, or 62% more than the $1.93 million estimate identified in FEI’s January 2004 survey. The companies surveyed expect to pay their auditors $823,200 in fees for attestation of their internal controls, in addition to the annual audit fees. This compares to the $590,100 companies expected auditors would charge for attestation in January 2004.”
Source: Financial Executives International (http://www.fei.org/news/404_july.cfm)
Safe Harbor
• Result of European Commission’s Directive of Data Protection
• Was enacted in October 1998
• Primary purpose:
  – Personal data cannot be transmitted between European companies and non-European companies that do not meet the EC’s privacy standard
Safe Harbor (cont’d)
• EU Safe Harbor Principles:
  – Notice to individuals about the specific purposes of the data collection
  – Choice to opt-out of disclosure to third parties or additional uses (opt-in for sensitive information)
  – Require third-party agents who receive personal information to provide the same level of privacy protection
Safe Harbor (cont’d)
• EU Safe Harbor Principles (cont’d):
  – Allow means for an individual to access personal information held
  – Take reasonable precautions against loss, misuse or unauthorized access
  – Keep data reliable for its intended use
  – Provide a readily available recourse mechanism
  – Provide procedures verifying implementation of principles
FISMA
• Federal Information Security Management Act
• Was enacted in 2002
• Primary purpose:
  – To strengthen information security programs at federal agencies
  – Provide an information security framework
  – Does not provide any hard standards or guidelines
FISMA (cont’d)
• Key responsibilities:
  – Provide information security commensurate with the associated risk
  – Perform a risk assessment
  – Implement policies and procedures
  – Conduct periodic tests
  – Have a CISO
  – Conduct ongoing evaluation and adjustment
A Final Thought