WHITE PAPER: IT COMPLIANCE. Compliance Field Guide. Symantec Control Compliance Suite
Contents

- Reducing the Cost of IT Compliance in an Increasingly Regulated World ... 3
- Symantec Control Compliance Suite: the Choice of Market Leaders ... 5
- The Six Best Practices of Highly Successful Companies ... 7
- FISMA
- GLBA
- HIPAA
- JOINT COMMISSION
- PCI DSS
- SOX
- State Data Privacy Laws
- COBIT
- ISO 27002:2005 (formerly ISO 17799)
- ISO 27799:
- ISO 27789:
- ITIL (Information Technology Infrastructure Library)
- NIST SP (National Institute of Standards Special Publication Resource Guide for Implementing HIPAA) ... 30
Reducing the Cost of IT Compliance in an Increasingly Regulated World

In the last few years alone, IT Compliance has become a critical business function that can significantly affect an organization's growth and bottom line. The reason? An ever-expanding regulatory landscape whose complexity is straining already tapped IT Compliance organizations and accelerating external audit fees. In a recent IT Policy Compliance Group survey, 70 percent of the respondents reported being subject to multiple regulatory compliance mandates.

Factors Driving Compliance Costs Higher

Recently, the IT Policy Compliance Group estimated that, on average, 34 percent of IT resources are being spent on meeting multiple regulatory compliance demands. As more organizations struggle to address these mandates, the cost of compliance and audits continues to climb.

- Regulations are commonly revised or added, a trend accelerating under the current administration.
- Regulations often are not prescriptive, costing additional resources to interpret rules or create one-off policies.
- Many organizations continue to address compliance through a collection of manual processes and loosely integrated technologies. This further strains limited security and IT resources, and prevents a proactive security posture.
- Different groups in separate departments often duplicate efforts by meeting the demands of the same controls.
- The heterogeneous nature of the corporate network creates a ripple effect that complicates the process of establishing, maintaining, and auditing controls.
- Mergers and acquisitions result in additional entitlements and controls and a larger regulatory footprint for the surviving entity.

Addressing Risk in IT

Simply put, IT risk is business risk. Audit failures, security threats, data loss incidents, and system outages all represent potential risk scenarios for the business, each with consequences that range from fines and remediation costs to reputation damage and revenue loss. In addition, every large company comprises multiple, heterogeneous environments, making it extremely difficult to centrally view, analyze, and report on compliance risks. To prioritize compliance efforts and get better alignment with the business, companies must take a risk-based approach. They must be able to:

- View and assess risk for policies, technical controls, required procedures, and IT assets across all platforms and business units throughout the enterprise.
- Normalize risk calculations across multiple technical controls.
- Combine risk assessments for both technical controls and manual procedures.
- Prioritize remediation to address top-priority risks.

The Financial Benefits of Risk-Based Performance Budgeting

Risk-based performance budgeting for information security and audit in IT establishes shared goals and objectives for delivering better results. According to the IT Compliance Institute, the financial exposure due to the loss or theft of customer data and business downtime depends almost entirely on the types of compliance and audit practices that IT implements to manage these risks. Further, such practices impact both the magnitude and frequency of financial loss.

- Best-in-class firms experience the lowest and most infrequent financial losses.
- Normative performing organizations experience higher financial losses.
- Firms operating at the worst levels experience the highest and most frequent financial losses.

Organizations that have implemented best practices in information security and audit enjoy, on average, 52% annual reductions in audit expenses, and 38% annual reductions in overall spend (i.e., audit expenses + security). Whereas most other organizations are not spending enough on the correct practices and are not receiving benefits from the money they do spend, the best performers have aligned spending with practices that are delivering results.
Symantec Control Compliance Suite: the Choice of Market Leaders

Symantec Control Compliance Suite (CCS) is proven at some of the world's most demanding companies in a range of industries:

- 9 of the top 10 commercial banks
- 8 of the top 10 health care providers
- 6 of the top 10 energy companies

Symantec Control Compliance Suite - An Integrated, Automated Approach

The Symantec Control Compliance Suite Platform is an integrated solution that offers regulatory content, risk-based reporting, and process automation of all policies, standards, and controls required to manage IT governance, risk, and compliance on a global enterprise scale. These capabilities are delivered via four product modules:

- Policy Manager
- Standards Manager
- Response Assessment Manager
- Vulnerability Manager

The Control Compliance Suite's unique Control Rationalization Framework dramatically reduces the IT operations and security resources required to satisfy internal policies and multiple mandates. The framework contains more than 2,000 control statements that have been interpreted from volumes of regulatory authority documents. This adaptable library of control statements is then linked to processes that automate the task of gathering evidence from technical and procedural controls. Control Compliance Suite also includes over 200 customizable sample policies, policy templates, questionnaires and technical standards covering over 60 regulations, frameworks and best practices. This content is automatically updated on a quarterly basis, as regulations change, ensuring customers have the most relevant and up-to-date regulatory and technical content. By providing these technologies in a single solution, Control Compliance Suite helps companies prioritize IT risk, automate compliance processes, and eliminate redundancies for bottom-line savings.

How Control Compliance Suite Helps Companies Reduce Cost and Risk, and Improve Results

Symantec CCS enables organizations to automate all phases of IT Governance, Risk, and Compliance (IT GRC). With Symantec, companies can prioritize IT risk, automate compliance processes, and eliminate redundancies for bottom-line savings.
Symantec's CCS Control Rationalization Framework, 2,000 control statements mapped to thousands of technical and procedural controls and linked to customizable policies, is key to helping organizations drive down compliance costs and risk. For example, one control statement, "Secure your network from external attacks," may apply to GLBA, HIPAA, PCI DSS, and SOX. CCS links this control statement to relevant procedural and technical activities, from monitoring hand scanner access to a data center, to auditing server patch logs, to gathering attestation that a newly-terminated employee has turned in his security badge. Companies subject to multiple regulations need only report on these associated activities once, but they can apply their findings across each relevant regulation. Further, organizations that run these types of reports more frequently identify and remediate potential compliance violations proactively. This is why companies with the most frequent reporting and assessment experience fewer incidents that require IT intervention to pass audit.

Control Compliance Suite supports efforts to practice more cost-effective compliance. By taking a holistic, automated approach to managing your compliance processes with Symantec CCS, you can effectively address three key challenges:

- To gain visibility and control over your IT risk posture, the Symantec solution allows you to automatically gather information from multiple sources, identify threats to critical assets and information, prioritize deficiencies based on risk and trigger workflows for rapid remediation.
- To support compliance for multiple mandates, Symantec Control Compliance Suite provides up-to-date content on standards and regulations, and then lets you de-duplicate common controls to eliminate redundant efforts and deliver the right information to the right people through Web-based, dynamic dashboards.
- To help you cut the cost of compliance, Control Compliance Suite enables you to automate costly and error-prone manual compliance assessment processes, facilitate more frequent assessments and evaluate all of your operating systems, databases and key applications with one powerful tool that covers the breadth of your environment.
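To make the de-duplication idea concrete, here is an added Python model of one control statement linked to several mandates and to its evidence-gathering activities. It is illustration written for this guide, not Symantec's code and not how CCS is implemented; the control names, regulation mappings and pass/fail evidence are constructed.

```python
"""Control rationalization, modelled: evidence is gathered once per activity,
each control is judged once, and the verdict is reported against every
regulation that shares the control.  All data below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    statement: str
    regulations: frozenset   # mandates this one control statement satisfies
    activities: tuple        # evidence-gathering activities linked to it


# Constructed control library: the control from the text plus two
# hypothetical ones so the de-duplication effect is visible.
CONTROLS = [
    Control("Secure your network from external attacks",
            frozenset({"GLBA", "HIPAA", "PCI DSS", "SOX"}),
            ("monitor hand scanner access to data center",
             "audit server patch logs",
             "attest terminated employee returned badge")),
    Control("Encrypt cardholder data in transit",
            frozenset({"PCI DSS"}),
            ("verify TLS on payment endpoints",)),
    Control("Review privileged account access quarterly",
            frozenset({"SOX", "GLBA", "HIPAA"}),
            ("export privileged group membership",
             "obtain manager sign-off")),
]

# Constructed evidence, keyed by activity: gathered once, reused everywhere.
EVIDENCE = {
    "monitor hand scanner access to data center": True,
    "audit server patch logs": False,   # a patch gap was found on one server
    "attest terminated employee returned badge": True,
    "verify TLS on payment endpoints": True,
    "export privileged group membership": True,
    "obtain manager sign-off": True,
}


def control_status(control, evidence):
    """A control passes only when every linked activity has passing evidence.
    Missing evidence is an error, not a pass: an unassessed control must not
    silently count as compliant."""
    missing = [a for a in control.activities if a not in evidence]
    if missing:
        raise KeyError(f"no evidence gathered for: {missing}")
    return all(evidence[a] for a in control.activities)


def report_by_regulation(controls, evidence):
    """Map each regulation to the statements of its failing controls
    (an empty list means every control mapped to that regulation passed)."""
    report = {}
    for control in controls:
        passed = control_status(control, evidence)
        for reg in control.regulations:
            report.setdefault(reg, [])
            if not passed:
                report[reg].append(control.statement)
    return report


def failing_regulations(controls, evidence):
    """Sorted names of regulations with at least one failing control."""
    report = report_by_regulation(controls, evidence)
    return sorted(reg for reg, fails in report.items() if fails)


def assessments_saved(controls):
    """Assessments avoided by judging each control once rather than once
    per regulation that cites it."""
    per_regulation = sum(len(c.regulations) for c in controls)
    return per_regulation - len(controls)


if __name__ == "__main__":
    for reg, fails in sorted(report_by_regulation(CONTROLS, EVIDENCE).items()):
        verdict = "COMPLIANT" if not fails else "FAIL: " + "; ".join(fails)
        print(f"{reg:8} {verdict}")
    print("assessments saved by rationalization:", assessments_saved(CONTROLS))
```

One failed activity (the patch-log audit) fails the shared control and therefore surfaces under all four regulations at once, which is the single finding the text says can be remediated once and applied everywhere.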
Six Best Practices of Highly Successful Companies

Look at the organizations with the best recent track record of compliance and audit. These companies:

- Have the lowest amount of system downtime due to IT failure.
- Experience the fewest data breaches and data loss.
- Incur the fewest problems with regulatory compliance deficiencies that must be corrected with IT in order to pass audit.

These companies share a similar approach to their regulatory challenges:

1. Form a senior leadership team to drive the compliance initiative.
2. Take key actions to improve results.
3. Assess and report continuously.
4. Focus on specific technical security and user account controls.
5. Report comprehensively.
6. Manage the information security budget to manage business risk.

Automating the compliance process is critical. Without automation, many of these practices would not be possible. Automation enables these organizations to monitor and report their positions frequently and cost-effectively. It also virtually eliminates the ad hoc rush of error-prone manual procedures typically involved in preparing for an audit.

1. Form a Senior Leadership Team to Drive the Compliance Initiative

Identifying needs, selecting a solution, and assessing program effectiveness requires input from technical, executive, and business stakeholders. If they are disconnected, they may waste resources on duplicate or insufficient compliance tools and processes. Successful companies create a senior leadership team, which includes the CISO, IT, CIO, legal counsel, and representatives of relevant business units and physical plant security. They identify the business information that is the object of regulatory requirements, and evaluate the business risk of non-compliance. The team also ascertains the IT procedures and technical controls required to manage such risk, meet regulatory and compliance reporting requirements, and keep core business operations running smoothly.
2. Take Key Actions to Improve Results

Companies that take a reactive approach to compliance (that is, they gather data only to prepare for a scheduled audit) experience more data breaches, greater system downtime due to IT failure, and more compliance deficiencies found on audit. Proactive companies have learned to prioritize risks, improve controls, and automate the procedures and collection of IT audit data, all on their own timeline. Taking these actions can virtually eliminate the fire drill of one-off audit preparation, while also significantly decreasing the number of deficiencies an audit may uncover.

3. Assess and Report Continuously

It is more cost-effective to monitor and measure risk management controls constantly, rather than only in advance of scheduled audits. This enables companies to fix issues before they are uncovered on audit. Successful companies measure the effectiveness of their controls weekly, and assess business and financial risks bi-monthly. This reporting framework has been demonstrated to be most effective at managing the business and financial risk profile.

4. Focus on Specific Technical Security and User Account Controls

Compliance violations often occur around issues involving Active Directory controls; access control lists; storage and backup controls; and IT change management. For example, a single weak password on one server could cause an organization to fall out of compliance. Companies that have failed to automate controls in these areas have historically demonstrated reduced compliance and incurred a greater cost of audit. Successful organizations make it a priority to identify what controls are needed around technical security and user authorization accounts, and monitor and measure these controls automatically and regularly.

5. Report Comprehensively

Compliance stakeholders may come from many different areas of the organization, yet each may receive the same bi-monthly or quarterly report. Stakeholders require customizable reports to understand what's working, identify the factors that could lead to a problem, and take steps to avoid that problem in the future. Organizations that have demonstrated the most successful compliance efforts deliver a wide range of customized reports appropriate to each audience. These may cover:

- Real-time events that relate to information security controls, related IT security tests, and audit controls.
- Operational service levels that help IT understand where gaps in compliance may be occurring in order to prioritize accordingly.
- Financial and business impact statements that go to the CIO and the executive leadership team, office of legal counsel, and business unit owners.
- The effectiveness of change management controls on legal and regulatory compliance, within the context of past audits.
6. Manage the Information Security Budget to Manage Business Risk

An increase in compliance risk or regulatory footprint may not bring with it an increase in the resources required to manage risk. But by targeting their limited IT resources on the areas of greatest impact, companies can expand coverage or improve operating margin. Successful companies leverage their leadership team to prioritize risk, change select business practices, and re-allocate resources in highly targeted fashion to deliver significant ROI. In fact, returns for incremental spending on improvements that reduce the financial and business risks from the use of IT far surpass the 20% hurdle rates that are typical of the alternative cash investment analysis that Finance usually seeks.

Relevant Compliance Regulations

With one exception, the regulations that follow are external mandates that have been passed by the state or federal legislature. They present requirements that affected companies must follow; failure to comply can result in substantial financial and legal penalties. The one exception is PCI DSS, the Payment Card Industry Data Security Standard, which affects virtually any company storing and/or processing credit card information. While PCI is an industry standard, failure to comply carries with it penalties as severe as or even more severe than those described in some state or federal security regulations.
FISMA

Overview and Implications

In 2002 the Federal Information Security Management Act (FISMA) was signed into law. The primary purpose of FISMA is to provide a comprehensive framework to ensure effective information security controls are in place for all U.S. federal agencies and affiliates. FISMA replaced the Government Information Security Reform Act (GISRA) and the Computer Security Act of 1987 with permanent mandates. FISMA imposes a mandatory set of processes that encompass Federal Information Processing Standards (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems, plus the special publications SP-800 series issued by the National Institute of Standards and Technology (NIST) and other legislation (such as HIPAA) that is pertinent to federal information systems. These processes must be followed by federal agencies or by contractors or other organizations on behalf of such agencies. To comply with FISMA, organizations must:

- Complete periodic risk assessments and regularly test the effectiveness of security policies, procedures, and practices.
- Develop security policies and procedures.
- Take specific actions to mitigate or reduce risks.
- Establish a pre-determined process for remediating security deficiencies as they are discovered.
- Participate in yearly audits and provide a process for reporting security incidents.

In December 2006, NIST released Special Publication : Revision 1, Recommended Security Controls for Federal Information Systems. The final draft of this publication was delivered in September 2007, after which federal agencies had 120 days after final publication to comply. NIST issued a draft of Revision 3 of SP in February 2009, its first major update since initial publication. The public comment period on this draft extended until March 27. In June 2010, NIST released Special Publication A, Revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations.

Industries/Types of Companies Affected: All U.S. federal agencies and their affiliates must comply.

Governing Organization: OMB (Office of Management and Budget).

Who this is Important to: Compliance, Privacy, and Security officials. Executive officers of all U.S. federal agencies or organizations that perform contract or other affiliate work for any U.S. federal agency.

Fines and Penalties: There is no fine associated with this framework.
GLBA

Overview and Implications

The Financial Services Modernization Act of 1999, a.k.a. the Gramm-Leach-Bliley Act (GLBA), gives authority to eight federal agencies and the states to administer and enforce the Financial Privacy Rule and the Safeguards Rule. These two regulations apply to financial institutions, which include not only banks, securities firms, and insurance companies, but also companies providing financial products and services to consumers, including lending, brokering or servicing any type of consumer loan, transferring or safeguarding money, preparing individual tax returns, providing financial advice or credit counseling, residential real estate settlement services, collecting consumer debts, and an array of other activities.

GLBA was signed into law in November. The Act required financial institutions to have a comprehensive, written information security program in place by July 1. Financial institutions had until July 1, 2003 to comply with the Safeguards Rule, which required proactive steps to ensure the security of customer information. Specifically, GLBA:

- Mandates privacy and protection of customer records.
- Defines non-public personal information (NPPI).
- Creates a uniform standard of notification to consumers about their rights regarding the use of NPPI by financial institutions.
- Requires that banks and other financial institutions enact a board-approved information security policy that supports the privacy program.
- Enables states to enforce existing or even enact new privacy laws.

Specific Rules Relevant to IT Assets

The types of institutions that are regulated by GLBA vary widely, as do the types of agencies charged with overseeing these institutions. As a result, the list of rules that enforce all or portions of GLBA (below) is significant. In most cases each rule applies only to a specific subset of regulated companies:

- Title V
- CFTC (Commodity Futures Trading Commission): 17 CFR Section
- FDIC (Federal Deposit Insurance Commission): 12 CFR Part 364, appendix B
- FRB (Federal Reserve Board): 12 CFR Part 208, appendix D-2, and 12 CFR Part 225, appendix S
- FTC (Federal Trade Commission): 16 CFR Part 314
- NCUA (National Credit Union Association): 12 CFR Part 748, appendices A, B
- OCC (Office of the Comptroller of Currency): 12 CFR Part 30, appendix B
- OTS (Office of Thrift Supervision): 12 CFR Part 570, appendix D
- SEC (Securities and Exchange Commission): 17 CFR Section

Industries/Types of Companies Affected

Financial institutions: banks and bank holding companies, insurance companies, credit unions, etc., as well as auto leasing companies, check cashing services, travel agencies, and retailers who issue credit cards.

Governing Organizations

- Federal Financial Institutions Examinations Council (FFIEC), which includes the Federal Deposit Insurance Commission (FDIC), the Federal Reserve System, and the Office of the Comptroller of Currency (OCC)
- SEC (Securities and Exchange Commission)
- FTC (Federal Trade Commission)
- OTS (Office of Thrift Supervision)
- CFTC (Commodity Futures Trading Commission)
- NCUA (National Credit Union Administration)
- State insurance authorities

Who this is Important to

- CISO
- CFO / Accounting
- Legal
- Director of IT
- Boards of Directors

Fines and Penalties for Individuals

- Officers and directors of the financial institution are subject to, and personally liable for, a civil penalty of not more than $10,000 for each violation.
- Additional fines in accordance with Title 18 of the United States Code or imprisonment for not more than five years, or both.
- Where a violation occurs while violating another Federal law, or as a part of a pattern of any illegal activity involving more than $100,000 within a twelve-month period, the violator will be subject to a fine of up to twice the amount provided in Title 18 and imprisoned for up to ten years, or both.

Fines and Penalties for Financial Institutions

- A civil penalty of not more than $100,000 for each violation.
- Additional sanctions, including the penalties specified in section 8 of the Federal Deposit Insurance Act.
- Termination of FDIC insurance.
- Implementation of Cease and Desist Orders barring policies or practices deemed in violation of the Act's privacy provisions.
- Removal of the financial institution's management, including directors, officers, etc., and potentially barring them permanently from working in the banking industry.
- Fines of up to $1,000,000 for the individual or the lesser of $1,000,000 or 1% of the total assets of the financial institution.
- Alternative fine based on gain or loss: If any person derives pecuniary gain from the offense, or if the offense results in pecuniary loss to a person other than the defendant, the defendant may be fined not more than the greater of twice the gross gain or twice the gross loss, unless imposition of a fine under this subsection would unduly complicate or prolong the sentencing process.
HIPAA Act: Enforcement Rule

Overview and Implications

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandated that further rules be implemented to create standards for the use and dissemination of health care information. The first of these rules, the Privacy Rule, took effect in 2003, and was later refined in the American Recovery and Reinvestment Act of 2009. The Privacy Rule requires any organization entrusted with Protected Health Information (PHI) to safeguard this data against deliberate or inadvertent misuse or disclosure. HIPAA applies to both electronic and non-electronic information. Successive HIPAA rules include:

- The Security Rule, which governs the security of electronic protected health information (ePHI)
- The Enforcement Rule, which sets forth civil penalties for violating HIPAA rules
- The Unique Identifiers Rule, which mandates the use of unique identifiers for healthcare providers

In February 2009, Congress broadened and strengthened HIPAA by enacting the Health Information Technology for Economic and Clinical Health Act (HITECH). HITECH directly regulates certain organizations not heretofore subject to HIPAA fines and penalties. These organizations, or business associates, include vendors that receive, use, maintain, and disclose PHI on behalf of health care providers and health plans. These vendors must comply with HIPAA Security Rule provisions mandating administrative, physical, and technical safeguards. They must adhere to the terms of their business associate agreements, including any restrictions on the use and disclosure of PHI. They must also notify covered entities, as well as any affected individual, of any security breach. Essentially, HITECH is the first national data breach notification law.

To show compliance with HIPAA rules, health organizations must, among other things:

- Ensure the confidentiality, integrity, and availability of all ePHI the covered entity creates, receives, maintains, or transmits.
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
- Ensure compliance by their workforce.

Any unauthorized leak of information that makes any patient identifiable as an individual is a breach of the Privacy Rule. This could include:

- An employee using a peer-to-peer (P2P) file sharing application to download music to his computer. This employee is inadvertently exposing to every user of that file sharing application all patient health information to which he has access that's located on that computer.
- A nurse casually discussing a patient's medical condition with a friend in an instant message session.
- An employee using her web mail account to send a list of patients with diabetes (and their contact information) to a friend working for a pharmaceutical company looking to market a new brand of insulin.

Specific Rule Relevant to CCS

45 CFR, Part 164. This rule provides security standards for the protection of electronic protected health information, and standards for the use of individually identifiable health information in such a way as to maintain privacy.

Industries/Types of Companies Affected

- Health insurance firms
- Claims processing services
- Health care providers, especially hospitals
- Healthcare clearinghouses
- Companies that self-insure and/or administer their own healthcare plans
- Business Associates, i.e., vendors that receive, use, maintain, and disclose protected health information on behalf of health care providers and health plans, such as technology vendors, practice management companies, transcription services, billing services, attorneys, and accountants

Governing Organizations

- Health & Human Services (HHS) Office of Civil Rights (OCR)
- Department of Justice (DOJ)

Who this is Important to

- Corporate officers, such as the CEO, the CFO, or the CIO
- CISO
- Compliance officers, such as Regulatory Affairs Mgr, Dir., or VP; Compliance Officer; Privacy Officer; Security Officer; or QA Director

Fines and Penalties

The American Recovery and Reinvestment Act of 2009 (ARRA), signed into law on February 17, 2009, established a tiered civil penalty structure for HIPAA violations.

| HIPAA Violation | Minimum Penalty | Maximum Penalty |
|---|---|---|
| Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA | $100 per violation, with an annual maximum of $25,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million |
| HIPAA violation due to reasonable cause and not due to willful neglect | $1,000 per violation, with an annual maximum of $100,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million |
| HIPAA violation due to willful neglect but violation is corrected within the required time period | $10,000 per violation, with an annual maximum of $250,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million |
| HIPAA violation is due to willful neglect and is not corrected | $50,000 per violation, with an annual maximum of $1.5 million | $50,000 per violation, with an annual maximum of $1.5 million |

Criminal Penalties: A person who knowingly obtains or discloses personally identifiable health information in violation of HIPAA faces a fine of $50,000 and up to one year of imprisonment. The criminal penalties increase to $100,000 and up to five years of imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to ten years of imprisonment if the wrongful conduct involves the intent to sell, transfer, or use this information for commercial advantage, personal gain, or malicious harm. Criminal sanctions will be enforced by the Department of Justice.

In September 2008, HIPAA levied its first fine: $100,000 against Providence Health Systems, a non-profit hospital system based in Seattle. In February 2009 the HHS and the FTC fined CVS Caremark (i.e., the CVS pharmacy chain) $2.25 million for failing to safeguard identifying information during disposal. In July 2009, the California Department of Public Health issued an administrative penalty of $187,500 against Kaiser after concluding that the hospital didn't do enough to protect patient health information. These fines suggest the Federal Government as well as local governments will be aggressive about enforcing HIPAA.
JOINT COMMISSION

Overview and Implications

The Joint Commission (formerly JCAHO, the Joint Commission on Accreditation of Healthcare Organizations) is an independent, non-profit organization that establishes standards and accreditation criteria for the healthcare industry. The Joint Commission is the nation's predominant standards-setting and accrediting body in healthcare, evaluating more than 16,000 U.S. healthcare organizations. It is also the accrediting agency for HIPAA, and its accreditation is a requirement for Medicare billing. The Joint Commission was established in 1951 to continuously improve the safety and quality of care provided to the public through the provision of health care accreditation and related services that support performance improvement in health care organizations.

The Joint Commission's process evaluates an organization's compliance with select standards and other accreditation or certification requirements. Among the 18 accreditation standards published by the Joint Commission, one standard is focused on Information Management. This standard applies to all types of information managed by the organization, except where the standard limits itself to a defined set of health care information. The Information Management standard includes five core sections:

1. Planning for the Management of Information
2. Protecting the Privacy of Health Information
3. Capturing, Storing and Retrieving Data
4. Knowledge-Based Information
5. Monitoring Data and Health Information Management Processes

Governing Organizations

- Joint Commission

Who this is Important to

- Privacy Officers and Risk Officers; CISO

Industries/Types of Companies Affected

- General, psychiatric, children's and rehabilitation hospitals
- Critical access hospitals
- Medical equipment services, hospice services, and other home care organizations
- Nursing homes and other long term care facilities
- Behavioral health care organizations, addiction services
- Rehabilitation centers, group practices, office-based surgeries, and other ambulatory care providers
- Independent or freestanding laboratories
PCI DSS

Overview and Implications

The Payment Card Industry (PCI) formed in 2004 to create a common industry security requirement, called the Data Security Standard (DSS), acceptable to all cardholder associations, which until that point had been enforcing their own individual security programs. These common standards define how card and cardholder data should be managed and processed to keep it secure, and establish security best practices for networks, systems, and applications.

The standards were revised in September 2006 as version 1.1, which limited the type of data companies can store and mandated that companies not store data unless absolutely necessary. Version 1.2, published in October 2008, included explanatory and clarifying enhancements. In October 2010, the PCI Security Standards Council released version 2.0 of the Data Security Standard. The effective date of this version is January 1, 2011, although companies are not forced to validate against version 2.0 until December. Version 2.0 does not introduce any additional requirements, but rather adds clarifying language to facilitate the understanding and adoption of the standard.

PCI DSS consists of 12 basic requirements; violating any one of them will trigger overall PCI non-compliance. To remain in compliance, merchants must:

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.

Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.

Maintain an Information Security Policy
12. Maintain a policy that addresses information security.

Any violation of any one requirement causes a merchant to become non-PCI compliant. Examples include:

An employee who is not authorized to see full credit card account numbers is accidentally given a logon to an internal application that displays complete cardholder information.
A quality control manager e-mails a superior a .wav file of a customer conversation that includes the customer's account number and PIN.
A merchant scans hard-copy records, such as credit card imprints, into an unsecured database.

Third-party audit requirements are determined by four levels of merchant transaction volume:

Level 1: Organizations processing over 6,000,000 transactions per year, any merchant that has suffered a hack or an attack that resulted in an account data compromise, or any merchant that any of the card brands determine should meet the Level 1 merchant requirements. Validation requirements include an annual onsite data security assessment and quarterly network scans by PCI-qualified vendors.
Level 2: Organizations processing 1,000,000 to 6,000,000 payment card transactions per year. Validation requirements include an annual self-assessment questionnaire and quarterly network scans.
Level 3: Organizations processing 20,000 to 1,000,000 payment card e-commerce transactions per year. Validation requirements are the same as for Level 2.
Level 4: Organizations processing 20,000 to 1,000,000 payment card e-commerce transactions per year. May be required to conduct quarterly network scans and complete an annual self-assessment questionnaire.

Industries/Types of Companies Affected
Merchants or service providers that accept, capture, store, transmit, or process credit card data.
Governing Organizations
Payment Card Industry Security Standards Council
Federal agencies, including the DOJ (Department of Justice) and the FTC (Federal Trade Commission)
State and local law enforcement agencies

Who this is Important to
Corporate officers, such as the CEO, CFO, CIO, or CISO
Compliance officers, such as Regulatory Affairs Mgr., Dir., or VP; Compliance Officer; Privacy Officer; Security Officer; or QA Director
Legal counsel

Fines and Penalties
Penalties for non-compliance with PCI are discretionary and not made public; estimates range from $100/year to $40M/year depending on industry, company size, and maturity. A rare penalty is restriction or termination of the ability to process credit card transactions. More commonly, organizations are charged an increased transaction fee (the percentage rendered back on every card run).

NOTE: Acquirers can pass on penalties to their merchants and service providers through their contractual relationships.
SOX

Overview and Implications

The Sarbanes-Oxley (SOX) Act imposes far-reaching and specific requirements on financial accounting and applies to all firms traded on U.S. securities markets. Though most of the law focuses on the timeliness and accuracy of financial reporting, creating an audit trail to prove that no data has been compromised is also critical for SOX compliance.

SOX began phasing in when it was signed into law in July. Section 404, regarding financial and documentation controls, took effect in November. The SEC provided new guidance updates in May 2005 and December 2006 to help companies reduce excessive testing of controls and documentation, so that smaller firms can comply with the law without incurring excessive costs.

Information leaks can force the early disclosure of financial results, which can lead to revenue loss, remediation expense, and non-compliance. The acquisition of proprietary IP by a competitor can also lead to legal exposure and revenue loss. Companies affected by SOX are thus strongly motivated to prevent the disclosure of confidential information, and to be able to prove that no such event occurred.

When the law first took effect, implementing programs for SOX compliance was costly, labor-intensive, and inefficient. Now companies can refer to methodologies such as that laid out in the Guide to the Assessment of IT General Controls Scope Based on Risk (GAIT). GAIT was developed by the Institute of Internal Auditors (IIA) and is intended to help corporate managers and external auditors identify and implement the key controls that need to be monitored and reported on. In addition, companies can leverage proven best practices for SOX compliance. Two examples common among organizations with the fewest IT control deficiencies: shifting spending from consultants and contract labor to automated tools, and automating IT measurements, reporting, controls, change management processes, and IT security policies.

Specific Rule Relevant to CCS
Section 404: Executives must design, implement, maintain, and assess an internal control structure; external auditors must attest to management's assertions.

Industries/Types of Companies Affected
Financial accounting firms are most directly affected, but all publicly traded U.S. companies must comply.

Governing Organizations
SEC (Securities and Exchange Commission)

Who this is Important to
CISO, CIO
Corporate officers such as the CEO and CFO (in recognition of their personal accountability)
Compliance Officers (may also have titles such as Corporate Legal Counsel or Internal Audit Director)
State Data Privacy Laws

Overview and Implications

As of January 2010, forty-six states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring that organizations doing business in these states notify consumers of any security breaches involving unauthorized access to unencrypted computerized Personally Identifiable Information (PII). Massachusetts led the way in 2009 with 201 CMR 17, Standards for the Protection of Personal Information of Residents of the Commonwealth. Laws in some of these states go even further, requiring organizations to proactively protect the customer data in their databases. In nearly all cases, the laws cover any transmission of unencrypted personal information, whether malicious or unwitting, as well as any unauthorized access to, modification of, or theft of personal information.

The standards for what prompts a mandatory disclosure notice to consumers also vary from state to state. For instance, some states require notification when a detected breach creates a reasonable likelihood of harm to customers; others require notification when a breach is reasonably believed to have caused harm. In most cases the term "reasonable" is also left to the discretion of the company or organization controlling the data.

California's data breach disclosure law, SB 1386, is strict and has served as the model for many other state laws. SB 1386 requires that companies immediately disclose a data breach to customers, usually in writing. There is also a private right of action, with very few exemptions.

Massachusetts 201 CMR 17 (originally intended to take effect January 31, 2009, but delayed to May 1, 2009) is one of the most wide-ranging. 201 CMR 17 requires all businesses that collect personal data from or about Massachusetts residents to adopt a comprehensive written security program, conduct internal and external security reviews, and complete employee training regarding their programs.

More specifically, businesses will be required to encrypt documents sent over the Internet or saved on laptops or flash drives; encrypt wirelessly transmitted data; and deploy up-to-date firewalls to create an electronic gatekeeper between the data and the outside world that allows only authorized users to access or transmit data. In addition, third-party service providers also have to prove they are capable of protecting personal information and are contractually obligated to do so. Finally, the law sets forth minimum technical requirements and controls for computer systems that electronically store or transmit personal information regarding Massachusetts residents.
To ensure compliance with all applicable state laws, companies must map out where they have customers, find the highest common denominator of the applicable state laws, and work to comply with those laws. This could entail complying only with the standards of the most stringent state, or compiling a list of the most stringent statutes from multiple applicable states and complying with those. Generally, and at a minimum, this will require companies to:

Safeguard customer data at the most granular levels.
Designate one or more employees responsible for security.
Perform a risk assessment and evaluate the effectiveness of current safeguards for controlling those risks.
Design and implement safeguards, regularly monitor and test them, and adjust them according to test findings.
Extend safeguards and data security practices to include any service providers.

Industries/Types of Companies Affected
Companies that compile, trade, or store consumer data in any of the affected states

Governing Organizations
Attorneys General of each individual state

Who This is Important to
Boards of Directors
Owner, CEO
CISO

Relevant Compliance Standards and Frameworks

Guidelines and frameworks are essentially internal mandates. They are generally used to strengthen security practices. Organizations also use them to gain clarity on an external mandate, such as HIPAA or Sarbanes-Oxley. Guidelines and frameworks provide an important roadmap for implementing the infrastructure and tailoring the policies that help companies demonstrate compliance.
COBIT

Overview and Implications

The IT Governance Institute (ITGI) has published version 4.1 of the Control Objectives for Information and related Technology (COBIT) to help IT organizations comply with increasing regulatory demands and manage risk effectively. COBIT 4.1 is an IT governance framework and supporting toolset that provides good practices across a domain and process framework. The COBIT framework links IT initiatives to business requirements, organizes IT activities into a generally accepted process model, identifies the major IT resources to be leveraged, and defines the management control objectives to be considered.

COBIT enables clear policy development and good practice for IT control throughout organizations. It enables managers to bridge the gap between control requirements, technical issues, and business risks. It can make audit work more consistent, facilitate control self-assessments, and generally enhance governance over information technology. The standardized framework includes tools to measure and assess a company's capabilities in 34 IT processes, addressing many elements of security. Among them are a list of critical success factors that provides best practices for each IT process, maturity models to help in benchmarking, and performance-measurement elements.

COBIT 5.0 is scheduled for release in 2011. COBIT 5 will consolidate and integrate the COBIT 4.1 framework with the Val IT 2.0 and Risk IT frameworks. It will also draw significantly from the Business Model for Information Security (BMIS) and ITA.

Industries/Types of Companies Affected
Cross-industry: every organization that wants to improve its IT controls to improve compliance with regulations such as Sarbanes-Oxley. Also, all companies for whom compliance with this standard is a function of marketing and other business agreements.

Governing Organizations
IT Governance Institute (ITGI). ITGI is a research think tank that exists to be the leading reference on IT-enabled business systems governance for the global business community.

Who this is Important to
IT, security, and auditing managers
Senior corporate officers, such as the CEO, CTO, or CIO

Fines and Penalties
There is no fine associated with this framework.
ISO 27002:2005 (formerly ISO 17799)

Overview and Implications

ISO 17799 represented the most widespread information security framework available at the time, and many organizations used it as the basis for their information security programs. In July 2005 the International Organization for Standardization (ISO) released a new version, ISO 17799, and in July 2007 it renumbered the standard ISO/IEC 27002:2005 to bring it in line with the other standards in the ISO/IEC 27000 series.

ISO/IEC 27002:2005 is entitled Information Technology - Security Techniques - Code of Practice for Information Security Management. It establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined provide general guidance on the commonly accepted goals of information security management. The standard contains best practices of control objectives and controls in the following areas:

Security policy
Organization of information security
Asset management
Human resources security
Physical and environmental security
Communications and operations management
Access control
Information systems acquisition, development, and maintenance
Information security incident management
Business continuity management
Compliance

ISO/IEC 27002:2005 specifies some 39 control objectives to protect information assets against threats to their confidentiality, integrity, and availability. These control objectives in effect comprise a generic functional requirements specification for an organization's information security management controls architecture. The control objectives and controls in ISO/IEC 27002:2005 are intended to be implemented to meet the requirements identified by a risk assessment.

ISO/IEC 27002:2005 is a code of practice: a generic, advisory document, not truly a standard or formal specification. Instead, it is intended as a common basis and practical guideline for developing organizational security standards and effective security management practices, and to help build confidence in inter-organizational activities.

Industries/Types of Companies Affected
Cross-industry. Particularly affects organizations that have adopted ISO/IEC 17799:2000, and companies for whom compliance with this standard is a function of marketing and other business agreements.

Who this is Important to
Corporate officers, such as the CEO, CFO, CIO, or CISO
IT and operations managers
Security team
ISO 27799:2008

Overview and Implications

ISO 27799:2008 is an information security standard developed by the International Organization for Standardization (ISO). Its full title is Health informatics -- Information Security Management in Health Using ISO/IEC 27002. The purpose of ISO 27799:2008 is to provide guidance to health organizations and other holders of personal health information (PHI) on how to protect such information by implementing the ISO/IEC 27002 standard. It specifically covers the security management needs of this sector, with respect to the particular nature of the data involved.

ISO 27799:2008 defines guidelines to support the interpretation and implementation of ISO/IEC 27002 in health informatics and is a companion to that standard. It specifies a set of detailed controls for managing health information security and provides health information security best-practice guidelines. Healthcare organizations and other custodians of health information that implement this international standard will be able to ensure a minimum requisite level of security that is appropriate to their organization's circumstances and that will maintain the confidentiality, integrity, and availability of personal health information. Adoption of ISO 27799:2008 is anticipated to assist interoperation and better enable the adoption of new collaborative technologies in healthcare delivery.

Industries/Types of Companies Affected
Healthcare
Any organization that maintains PHI on premises

Who this is Important to
Corporate officers, such as the CEO, CFO, CIO, or CISO
IT and operations managers
Security team
More informationREFERENCE 5. White Paper Health Insurance Portability and Accountability Act: Security Standards; Implications for the Healthcare Industry
REFERENCE 5 White Paper Health Insurance Portability and Accountability Act: Security Standards; Implications for the Healthcare Industry Shannah Koss, Program Manager, IBM Government and Healthcare This
More informationNet Report s PCI DSS Version 1.1 Compliance Suite
Net Report s PCI DSS Version 1.1 Compliance Suite Real Security Log Management! July 2007 1 Executive Summary The strict requirements of the Payment Card Industry (PCI) Data Security Standard (DSS) are
More informationAuditing your institution's cybersecurity incident/breach response plan. Baker Tilly Virchow Krause, LLP
Auditing your institution's cybersecurity incident/breach response plan Objectives > Provide an overview of incident/breach response plans and their intended benefits > Describe regulatory/legal requirements
More informationPCI DSS COMPLIANCE DATA
PCI DSS COMPLIANCE DATA AND PROTECTION EagleHeaps FROM CONTENTS Overview... 2 The Basics of PCI DSS... 2 PCI DSS Compliance... 4 The Solution Provider Role (and Accountability).... 4 Concerns and Opportunities
More informationHeather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com
Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually
More informationKeeping watch over your best business interests.
Keeping watch over your best business interests. 0101010 1010101 0101010 1010101 IT Security Services Regulatory Compliance Services IT Audit Services Forensic Services Risk Management Services Attestation
More informationHealth Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know
Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Note: Information provided to NCRA by Melodi Gates, Associate with Patton Boggs, LLC Privacy and data protection
More informationTNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business
TAKING OUR CUSTOMERS BUSINESS FORWARD The Cost of Payment Card Data Theft and Your Business Aaron Lego Director of Business Development Presentation Agenda Items we will cover: 1. Background on Payment
More informationBusiness Associate Management Methodology
Methodology auxilioinc.com 844.874.0684 Table of Contents Methodology Overview 3 Use Case 1: Upstream of s I manage business associates 4 System 5 Use Case 2: Eco System of s I manage business associates
More informationAN OVERVIEW OF INFORMATION SECURITY STANDARDS
AN OVERVIEW OF INFORMATION SECURITY STANDARDS February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced
More informationHIPAA Audits: How to Be Prepared. Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality
HIPAA Audits: How to Be Prepared Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality An Important Reminder For audio, you must use your phone: Step 1: Call (866) 906-0123.
More informationHITRUST CSF Assurance Program
HITRUST CSF Assurance Program Simplifying the information protection of healthcare data 1 May 2015 2015 HITRUST LLC, Frisco, TX. All Rights Reserved Table of Contents Background CSF Assurance Program Overview
More informationPreemptive security solutions for healthcare
Helping to secure critical healthcare infrastructure from internal and external IT threats, ensuring business continuity and supporting compliance requirements. Preemptive security solutions for healthcare
More informationWhat is required of a compliant Risk Assessment?
What is required of a compliant Risk Assessment? ACR 2 Solutions President Jack Kolk discusses the nine elements that the Office of Civil Rights requires Covered Entities perform when conducting a HIPAA
More informationHIPAA Compliance Review Analysis and Summary of Results
HIPAA Compliance Review Analysis and Summary of Results Centers for Medicare & Medicaid Services (CMS) Office of E-Health Standards and Services (OESS) Reviews 2008 Table of Contents Introduction 1 Risk
More information6/17/2013 PRESENTED BY: Updates on HIPAA, Data, IT and Security Technology. June 25, 2013
Updates on HIPAA, Data, IT and Security Technology June 25, 2013 1 The material appearing in this presentation is for informational purposes only and should not be construed as advice of any kind, including,
More information8 Key Requirements of an IT Governance, Risk and Compliance Solution
8 Key Requirements of an IT Governance, Risk and Compliance Solution White Paper: IT Compliance 8 Key Requirements of an IT Governance, Risk and Compliance Solution Contents Introduction............................................................................................
More informationHIPAA and HITRUST - FAQ
A COALFIRE WHITE PAPER HIPAA and HITRUST - FAQ by Andrew Hicks, MBA, CISA, CCM, CRISC, HITRUST CSF Practitioner Director, Healthcare Practice Lead Coalfire February 2013 Introduction Organizations are
More informationInformation Security Policy and Handbook Overview. ITSS Information Security June 2015
Information Security Policy and Handbook Overview ITSS Information Security June 2015 Information Security Policy Control Hierarchy System and Campus Information Security Policies UNT System Information
More informationPayment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008
Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008 What is the PCI DSS? And what do the acronyms CISP, SDP, DSOP and DISC stand for? The PCI DSS is a set of comprehensive requirements
More informationIT Security & Compliance. On Time. On Budget. On Demand.
IT Security & Compliance On Time. On Budget. On Demand. IT Security & Compliance Delivered as a Service For businesses today, managing IT security risk and meeting compliance requirements is paramount
More informationDartmouth College Merchant Credit Card Policy for Managers and Supervisors
Dartmouth College Merchant Credit Card Policy for Managers and Supervisors Mission Statement Dartmouth College requires all departments that process, store or transmit credit card data remain in compliance
More informationWritten Information Security Programs: Compliance with the Massachusetts Data Security Regulation
View the online version at http://us.practicallaw.com/7-523-1520 Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation Melissa J. Krasnow, Dorsey & Whitney LLP
More informationPayment Card Industry Data Security Standard (PCI DSS)
Payment Card Industry Data Security Standard (PCI DSS) WARNING: Your company may be in noncompliance with the Payment Card Industry Data Security Standard (PCI DSS), placing it at risk of brand damage,
More informationPCI Compliance. Top 10 Questions & Answers
PCI Compliance Top 10 Questions & Answers 1. What is PCI Compliance and PCI DSS? 2. Who needs to follow the PCI Data Security Standard? 3. What happens if I don t comply? 4. What are the basic requirements
More informationAn article on PCI Compliance for the Not-For-Profit Sector
Level 8, 66 King Street Sydney NSW 2000 Australia Telephone +61 2 9290 4444 or 1300 922 923 An article on PCI Compliance for the Not-For-Profit Sector Page No.1 PCI Compliance for the Not-For-Profit Sector
More informationSecurity standards PCI-DSS, HIPAA, FISMA, ISO 27001. End Point Corporation, Jon Jensen, 2014-07-11
Security standards PCI-DSS, HIPAA, FISMA, ISO 27001 End Point Corporation, Jon Jensen, 2014-07-11 PCI DSS Payment Card Industry Data Security Standard There are other PCI standards beside DSS but this
More informationSecurity Controls What Works. Southside Virginia Community College: Security Awareness
Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction
More informationUnderstanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions
Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Table of Contents Understanding HIPAA Privacy and Security... 1 What
More informationFINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information
FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1
More informationHIPAA Compliance and the Protection of Patient Health Information
HIPAA Compliance and the Protection of Patient Health Information WHITE PAPER By Swift Systems Inc. April 2015 Swift Systems Inc. 7340 Executive Way, Ste M Frederick MD 21704 1 Contents HIPAA Compliance
More informationHIPAA 101. March 18, 2015 Webinar
HIPAA 101 March 18, 2015 Webinar Agenda Acronyms to Know HIPAA Basics What is HIPAA and to whom does it apply? What is protected by HIPAA? Privacy Rule Security Rule HITECH Basics Breaches and Responses
More informationAre You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.
Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style March 27, 2013 www.mcguirewoods.com Introductions Holly Carnell McGuireWoods LLP
More informationUniversity of Dayton Credit / Debit Card Acceptance Policy September 1, 2009
University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009 Effective Date of this Policy: August 1, 2008 Last Revision: September 1, 2009 Contact for More Information: UDit Internal Auditor
More informationPCI Compliance: How to ensure customer cardholder data is handled with care
PCI Compliance: How to ensure customer cardholder data is handled with care Choosing a safe payment process for your business Contents Contents 2 Executive Summary 3 PCI compliance and accreditation 4
More informationData Breach, Electronic Health Records and Healthcare Reform
Data Breach, Electronic Health Records and Healthcare Reform (This presentation is for informational purposes only and it is not intended, and should not be relied upon, as legal advice.) Overview of HIPAA
More informationSecurity Information Lifecycle
Security Information Lifecycle By Eric Ogren Security Analyst, April 2006 Copyright 2006. The, Inc. All Rights Reserved. Table of Contents Executive Summary...2 Figure 1... 2 The Compliance Climate...4
More informationIntroduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide
Introduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide by Christopher Wolf Directors, Privacy and Information Management Practice Hogan Lovells US LLP christopher.wolf@hoganlovells.com
More information