Information security is often treated as an amorphous problem that only the IT department has to deal with. In reality, a company needs to address information security, and the regulations that govern it, from the board down to the front line. Those regulations can help a company improve its security posture, while non-compliance can result in severe fines. It can be hard for a company to work out which laws apply to it and which do not, because different sets of laws apply to different companies depending on their industry, their ownership, and the data they handle.
Many major companies within the United States are subject to at least one security regulation. Regulations that contain information security requirements are intended to raise the level of information security across an industry, and many organizations would welcome that guidance. The difficulty lies in determining which regulations apply and in interpreting their requirements. The regulations are not written in a way that is easily understood by the average business person, so a security professional is often needed to interpret the requirements and plan how to implement them. Such professionals have experience implementing the systems, policies, and procedures that satisfy a regulation's requirements and improve the security of the organization, and some hold credentials such as the HISP (Holistic Information Security Practitioner) that signify their understanding of the regulations. The requirements are frequently stated in general terms, leaving the company to decide how best to satisfy them.
First, a company needs to assess which laws and acts apply to it. Then it needs to organize its information security program around the requirements those acts impose. That calls for a documented plan that lays out a consistent and effective way of detecting threats, alerting the right people, and responding to incidents.
But how do we assess which laws apply to which company?
Discussing the individual bills and which companies they apply to in the abstract is vague, so take your local hospital as an example. Suppose it is a publicly traded company and not a federal agency. It is therefore not subject to FISMA. It is, however, a health care provider, so it is subject to HIPAA (and, because it is publicly traded, to Sarbanes-Oxley as well, as the table below shows). It must now look carefully at what protections it owes patients and put safeguards in place to prevent a breach. At the ground level, it may disclose protected health information only as HIPAA permits, for example for treatment, payment, and health care operations; other disclosures generally require the patient's written authorization. From a more technical perspective, the hospital must protect the confidentiality, integrity, and availability of every system that handles patient information. That means controls need to be in place for those systems and for the equipment that provides access to them. Policies and procedures need to govern the activities of the people who interact with the systems, and training needs to take place so that users perform their duties properly and do not intentionally or unintentionally misuse the systems.
Some companies have to comply with multiple regulations. In those cases it is best to first list every regulation that affects the company, and only then decide which security controls to implement, choosing controls that satisfy the overlapping requirements of all of them at once. Access control, audit logging, and encryption requirements, for example, appear in several of the regulations listed below, and one well-designed control can usually satisfy all of them. This approach reduces the money spent on compliance because it avoids duplicated effort and the risk of deploying competing systems to satisfy the same regulatory requirement.
The table below lists the major regulations, what each one regulates, and which organizations fall within its scope.

| Regulation | What it regulates | Who is subject to it |
|---|---|---|
| HIPAA (Health Insurance Portability and Accountability Act) | A two-part act. Title I protects health insurance coverage for workers who change or lose their jobs. Title II (Administrative Simplification) moves health care transactions to standardized electronic data and, through its Privacy Rule and Security Rule, protects the privacy and security of individual patients' health information. | Covered entities: health plans (including insurers), health care clearinghouses, and health care providers such as hospitals and doctors' offices that transmit health information electronically, together with the business associates that handle protected health information on their behalf. |
| Sarbanes-Oxley Act (SOX) | Requires public companies to establish, assess, and report on internal controls over financial reporting (Section 404), which in practice pulls in the IT systems that produce the financial figures, and imposes retention requirements on audit records (seven years under the SEC's implementing rule). Passed in 2002 in response to the Enron and WorldCom accounting scandals. | U.S. public company boards and management, and the public accounting firms that audit them. |
| Federal Information Security Management Act of 2002 (FISMA) | Recognizes information security as a matter of national security and requires every federal agency to develop, document, and implement an agency-wide program to protect its information and information systems. Updated by the Federal Information Security Modernization Act of 2014. | All federal agencies, and the contractors or other organizations that operate systems on an agency's behalf. |
| Gramm-Leach-Bliley Act (GLBA) | Allowed insurance companies, commercial banks, and investment banks to affiliate under one holding company. On the security side, its Privacy Rule and Safeguards Rule require financial institutions to protect the non-public personal information of their customers. | "Financial institutions", which the Federal Trade Commission describes as "companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance." |
| Family Educational Rights and Privacy Act (FERPA) | Protects the privacy of student education records: it gives parents, and students once they turn 18 or enter a postsecondary institution, the right to inspect their records and to control their disclosure. Codified at 20 U.S.C. § 1232g, with implementing regulations at 34 CFR Part 99. | Any educational agency or institution that receives funds under a program administered by the U.S. Department of Education, from elementary and secondary schools to universities, colleges, seminaries, technical schools, and vocational schools. |
| Payment Card Industry Data Security Standard (PCI DSS) | Not a law but a contractual industry standard maintained by the PCI Security Standards Council. Its 12 requirements are designed to reduce fraud and protect cardholder data. | Any organization that stores, processes, or transmits cardholder data, including merchants and the service providers that handle card data for them. |
There is an abundance of laws and standards on the books designed to protect information, but it is not always clear to the average business decision maker which of them apply to their company. That is where a security professional can help a business make sense of an area that grows more complex with each new regulation. Compliance is critical, and it begins with understanding which regulations affect your company and then laying out the steps that bring you into compliance.