Many organizations are affected by Security and Privacy Laws, Regulations and Directives; these emerging requirements are driving IT Security Governance, Risk Management, Audit and Compliance (GRC).
We are equipped to guide you through the engineering process of addressing or improving your compliance performance for requirements such as:
Healthcare: HIPAA requirements - The Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) required the U.S. Department of Health and Human Services (HHS) to establish national standards for the security of electronic health care information. The final rule adopting HIPAA standards for security was published in the Federal Register on February 20, 2003. This final rule specifies a series of administrative, technical, and physical security procedures that covered entities must use to assure the confidentiality of electronic protected health information. The standards are delineated into either required or addressable implementation specifications.
Healthcare: Medicaid Information Technology Architecture (MITA) - MITA is an IT initiative intended to stimulate an integrated business and IT transformation affecting the Medicaid enterprise in all States. It includes an architecture framework, processes, and planning guidelines that allow State Medicaid enterprises to meet their Medicaid objectives within the MITA Framework while supporting unique local needs.
Federal Government: FISMA requirements - FISMA requires the head of each federal agency to provide information security protections commensurate with the risk and magnitude of the harm that may result from unauthorized access, use, disclosure, disruption, modification or destruction of its information and information systems. The protection should apply not only within the agency, but also within contractor or other organizations working on behalf of the agency. FISMA requires that the agency head delegate to the agency Chief Information Officer (CIO) the authority to ensure compliance with the legislation. Further, the CIO must designate a senior agency information security officer whose primary duty is to carry out the CIO's responsibilities for information security. This information security officer must possess commensurate professional qualifications, training and experience, and head an office with sufficient resources to carry out information security responsibilities.
Financial: PCI requirements - The Payment Card Industry (PCI) Data Security Standard (DSS) is a set of comprehensive requirements for enhancing payment account data security. It was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International, to help facilitate the broad adoption of consistent data security measures on a global basis. The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.
Financial: GLBA requirements - GLBA is designed to protect the private financial information of consumers. The law instructs financial institutions to secure and protect private information from unauthorized use or access, and it updates the practices and policies that let individual consumers control the use of such data. GLBA was signed into law in 1999, with full compliance required by July 1, 2001.
Commercial: Sarbanes-Oxley Act (SOX) Security requirements - SOX is currently law, and even smaller companies are now required to comply with Section 404 for fiscal years beginning on or after Dec. 16, 2006. The combination of the various SOX requirements means that CEOs must attest to having the proper "internal controls" at their companies to protect against data tampering.
Utilities: NERC CIP and Cyber Security requirements - The North American Electric Reliability Council (NERC) has issued eight reliability standards on cyber security. These standards, effective June 1, 2006, provide a cyber security framework for the protection of critical assets to support reliable operations of the bulk electric system. Standard CIP-007, "Systems Security Management," requires responsible entities to define methods, processes, and procedures for securing those systems determined to be critical assets, as well as the non-critical assets within the electronic security perimeter.
Defense: DIACAP requirements - The Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) is the new process by which systems are certified as meeting security requirements and then accredited for operation. DIACAP has recently replaced DITSCAP (DOD Information Technology Security Certification and Accreditation Process) as the standard process under which all DOD systems will achieve and maintain their Authority to Operate (accreditation).