Information Security Regulations

Health Insurance Portability and Accountability Act (HIPAA)
The passage of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires that all healthcare organizations adhere to new standards for privacy and security of private health information. These regulations require major changes in how healthcare organizations manage information and will have a far-reaching impact on all healthcare organizations and those who provide services for healthcare organizations. HIPAA compliance requires the thorough application of fundamental principles of information protection as expressed in HIPAA regulations and associated guidelines.

Links:
HIPAA Security Final Rule - Click for PDF
HIPAA Privacy Final Rule - Click for PDF

State Privacy Laws
On September 26, 2002, the Governor of California approved Senate Bill 1386, which requires businesses to report any security breach that may have disclosed personal information to an unauthorized person. In February 2005, ChoicePoint Inc. disclosed that its security measures had been breached and that 35,000 California residents' private information may have been compromised. This figure was later revised to 145,000 and then to 162,000. The initial notice went to California residents only, because other states lacked comparable privacy regulations. Not surprisingly, 21 other states have since (in 2005) adopted similar privacy regulations, and a national privacy policy is being proposed.

California SB 1386 - Click for Article
Arkansas - S.B. 1167
Colorado - S.B. 137
Connecticut - S.B. 650
Delaware - H.B. 116
Florida - H.B. 481
Georgia - S.B. 230
Illinois - H.B. 1633, S.B. 1799 (SSN)
Indiana - S.B. 49, S.B. 503 (State Agencies)
Louisiana - S.B. 205
Maine - L.D. 1671
Minnesota - H.F. 2121 / S.F. 2118, H.F. 225 / S.F. 361 (Government Data)
Montana - H.B. 732
Nevada - S.B. 347, A.B. 1 (22nd Special Session), A.B. 334 (Government Agencies)
New Jersey - Assembly Committee Substitute for A.B. 4001 / S.B. 2665 / Senate Committee Substitute for Senate Bill Nos. 1914, 2154, 2155, 2440, 2441 and 2524/ A.B. 2048
New York - A.B. 4254 / S.B. 3492, A.B. 8937 / S.B. 5827
North Carolina - H.B. 1248 / S.B. 1048
North Dakota - S.B. 2251
Rhode Island - H.B. 6191
Tennessee - H.B. 2170 / S.B. 2220
Texas - S.B. 122
Washington - S.B. 6043


Gramm-Leach-Bliley Act (GLBA)
Intro: Ensuring compliance with GLBA regulations is one of the biggest concerns of financial institutions today. The learning curve can be substantial and the effort daunting for those not accustomed to applying privacy and security controls to organizational practices. To become GLBA compliant, financial institutions must revise or establish policies and procedures covering a multitude of topics and situations, provide training to staff and officers, ensure the proper configuration of computer and network technology, implement monitoring and response procedures, perform a security risk assessment, and perform security testing. The production of the policies and procedures alone can overburden the already stressed resources of most financial institutions, and the training, technology configuration, and performance of information security tasks are typically beyond the abilities of the present staff. En Pointe offers complete GLBA compliance services performed by experienced security engineers to make GLBA compliance quick and easy.
Links:
http://www.ftc.gov/os/2002/05/67fr36585.pdf

Federal Financial Institutions Examination Council (FFIEC)
The FFIEC is a formal interagency body that prescribes uniform principles, standards, and report forms for federal examiners of financial institutions on behalf of the following organizations: Federal Reserve Board (FRB), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS).
The Information Technology Examination Handbooks are part of the FFIEC "InfoBase", which was developed to provide field examiners with a source of training and information regarding regulations and topics of concern to examiners. Each of these booklets briefly summarizes the FFIEC member agencies' expectations of financial institutions in the oversight and management of the following topics.

Information Technology Examination Handbooks
Audit - Click for Article
Business Continuity Planning - Click for Article
Development and Acquisition - Click for Article
E-Banking - Click for Article
FedLine - Click for Article
Information Security - Click for Article
Management - Click for Article
Operations - Click for Article
Outsourcing - Click for Article
Retail Payment Systems - Click for Article
Supervision of Technology Service Providers - Click for Article
Wholesale Payment Systems - Click for Article

National Credit Union Administration (NCUA) 748 - Click for Article

Family Educational Rights and Privacy Act (FERPA)
The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
FERPA gives parents certain rights with respect to their children's education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are "eligible students."

8570.1 Primer
DoD Manual 8570.1 ("8570") was issued on December 19, 2005 and requires that all Information Assurance (IA) workers be trained and certified in information security. In addition, all IA workers must receive at least 80 hours of training every 2 years.

8570.1-M specifies a rollout of the requirements by fiscal year (FY).

Year  FY    Requirement
1     FY06  10% of IA positions filled with certified personnel.
2     FY07  40% of IA positions filled with certified personnel.
3     FY08  70% of IA positions filled with certified personnel.
4     FY09  100% of IA positions filled with certified personnel.


What is DoD 8570?
DoD 8570.1 Manual ("8570") requires training, certification, and management of the workforce involved in Information Assurance (IA).

What Agencies are affected by 8570?
All branches of the military, all military departments, the Joint Chiefs of Staff, the DoD Inspector General, the Intelligence Community, the Defense Agencies, and anyone else within the DoD.

Who is affected by 8570?
All full- or part-time military service members, contractors, or federal employees with access to a DoD information system who work in an IA function.

This equates to about 110,000 IA professionals to be certified by 2011. The manual divides the IA workforce into six categories and specifies which security certifications are appropriate for each of those categories.

Category         Approved certifications
IAT Level I      A+, Network+, SSCP
IAT Level II     GSEC, Security+, SCNP, SSCP
IAT Level III    CISA, CISSP®, GSE, SCNA
IAM Level I      GISF, GSLC, Security+
IAM Level II     GSLC, CISM, CISSP®
IAM Level III    GSLC, CISM, CISSP®


DITSCAP
DoD Information Technology Security Certification and Accreditation Process (DITSCAP) is the standard process for certifying (assessing the adequacy of security controls) and accrediting (obtaining approval to operate) IT systems within the Department of Defense (DoD).

Federal Information Security Management Act (FISMA)
FISMA requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency.

http://csrc.nist.gov/policies/FISMA-final.pdf

Sarbanes-Oxley
The Sarbanes Oxley Act of 2002 … and includes specific provisions that impact information security, specifically:
Section 201: Services Outside The Scope of Practice of Auditors; Prohibited Activities. This provision makes it illegal for accounting firms to provide non-audit services, including system design and internal audit, while they are also performing financial audit services for the same company. [This clearly means that your Sarbanes-Oxley auditor cannot prepare you for the Sarbanes-Oxley audit – call En Pointe]
Section 404: Management Assessment Of Internal Controls. This provision requires a statement of management's responsibility for establishing and maintaining adequate controls over financial reporting and an assessment of the effectiveness of those controls. Although Sarbanes-Oxley does not require any specific method or definition of adequacy or effectiveness of controls, CobiT and COSO are widely used as roadmaps for these claims and assessment methods.

  • Sarbanes-Oxley - Click for Article
  • Control Objectives for Information and related Technology (CobiT) - Click for Article [must be obtained directly from ISACA]
  • Committee of Sponsoring Organizations (COSO) Enterprise Risk Management - Integrated Framework and Application Techniques - Click for Article [must be obtained directly from COSO]

Credit Card Data Security Standards (PCI Compliance)
Merchants and service providers that store, process, or transmit credit card information must take precautions to secure cardholder information. The major credit card companies require the implementation of specific security measures and practices. Fines for non-compliance can reach as high as $500,000.
  • PCI Data Security - Click for Article
  • MasterCard Site Data Protection (SDP) [same as PCI]
  • Visa Cardholder Information Security Program (CISP) [same as PCI]
  • American Express - Click for Article
  • Discover Information Security and Compliance - Click for Article

National Energy Regulatory Commission Security Standards
The NERC cyber security standards aim to reduce the risk to the reliability of the bulk electric systems from any compromise of the critical cyber assets that support those systems.

NERC Cyber Security Standards [Draft 3] - Click for Article

Common Criteria
The National Institute of Standards and Technology (NIST) and The National Security Agency (NSA) have developed the Common Criteria Evaluation Validation Scheme (CCEVS) to provide the government and industry with cost-effective evaluation of IT assurance products. All procurements of Information Assurance (IA) products within the Federal Government are restricted to those products that vendors submit for Common Criteria evaluation and validation.

NIST Special Publications
  • 800-12 – An Introduction to Computer Security: The NIST Handbook Click for Article
  • 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems Click for Article
  • 800-18 – Guide for Developing Security Plans for Information Technology Systems Last Final Version Click for Article Revision [DRAFT] Click for Article
  • 800-26 Security Self-Assessment Guide for Information Technology Systems Last Final Version Click for Article Revision [DRAFT] Click for Article
  • 800-30 Risk Management Guide for Information Technology Systems Click for Article
  • 800-37 Guide for the Security Certification and Accreditation of Federal Information Systems Click for Article
  • 800-53 Recommended Security Controls for Federal Information Systems Click for Article
  • 800-53A Guide for Assessing the Security Controls in Federal Information Systems [DRAFT] Click for Article
  • 800-60 Guide for Mapping Types of Information and Information Systems to Security Categories Volume I: Click for Article
    Volume II: Click for Article
  • 800-61 Incident Handling Guide Click for Article
  • 800-70 The NIST Security Configuration Checklist Program Click for Article
FIPS