Chapter 15: Compliance

Cards (58)

  • compliance
    once the laws are enacted, organizations must follow them
  • Federal Information Security Management Act of 2002 (FISMA)
    A U.S. federal law that requires U.S. government agencies to protect citizens’ private data and have proper security controls in place.
  • FISMA requires each federal agency to create an agency-wide information security program that includes the following:
    • risk assessments
    • annual inventory
    • policies and procedures
    • subordinate plans
    • security awareness training
    • testing and evaluation
    • remedial actions
    • incident response
    • continuity of operations
  • protected health information (PHI)
    any individually identifiable information about a person’s health
  • covered entity
    refers to very specific types of entities that must follow HIPAA
  • Covered entities include the following:
    • Health plans
    • Health care clearinghouses
    • Any healthcare provider that transmits PHI in an electronic form
  • HIPAA also applies to the business associates of covered entities. A business associate is
    an organization to which a covered entity has outsourced a health care activity, such as claims and billing
  • HIPAA Privacy Rule
    covered entities may not use or disclose people’s PHI without their written consent
  • In 2002, Congress created the Federal Information Security Management Act of 2002 (FISMA), partly in response to the September 11, 2001, terrorist attacks, after which the government realized that the computer security of its IT systems was not what it should be. Today, FISMA is the primary law that defines how federal agencies must secure their IT systems.
  • The OMB is responsible for FISMA compliance.
  • The Federal Information Security Modernization Act of 2014 formally assigned the DHS the responsibility for developing, implementing, and ensuring federal government-wide compliance with FISMA information security policies, procedures, and security controls. FISMA 2014 does not introduce additional security requirements, but it does clearly define the roles, responsibilities, accountability, requirements, and practices needed to fully implement FISMA security controls and requirements.
  • The following list presents a summary of the changes to the FISMA 2002 legislation introduced in the FISMA 2014 legislation:
    • DHS was anointed as the governing organization that is responsible for ensuring FISMA 2014 compliance, along with the OMB
    • Reporting requirements for U.S. federal government agencies were defined
    • New guidance and reporting requirements for security incidents were announced
    • Policies and guidelines were detailed for data breach notification compliance
  • The National Institute of Standards and Technology (NIST) creates guidance that all federal agencies use for their information security programs. It creates two types of documents:
    • Federal Information Processing Standards (FIPSs)
    • Special Publications (SPs)
  • NIST also recommends using a risk management framework (RMF) approach for FISMA compliance. The NIST RMF outlines six steps to protect federal IT systems. These steps are as follows:
    • Categorize information systems
    • Select the minimum security controls
    • Implement security controls in IT systems
    • Assess security controls for effectiveness
    • Authorize the IT system for processing
    • Continuously monitor security controls
  • There are two regulatory entities that support and oversee FISMA activities: NIST, which creates programs that guide IT security and risk management activities, and DHS, which is responsible for implementing the programs that NIST creates.
  • Even if a covered entity is allowed to use or disclose PHI without written consent, it must follow the minimum necessary rule, which means that...
    the covered entity may disclose only the amount of PHI necessary, and no more, to satisfy the reason for which the information is being used or disclosed
  • After the passage of the ----- Act, covered entities must notify people who have been affected by the breach of their PHI.
    HITECH
  • HIPAA Security Rule
    requires covered entities to use security safeguards to protect electronic protected health information (ePHI), which is PHI that is stored in electronic form
  • The Security Rule also requires covered entities to protect ePHI by using administrative, physical, and technical safeguards that follow information security principles. Some safeguards are required (i.e., covered entities must implement them), and others are ------ (i.e., covered entities have discretion in implementing them).
    addressable
  • The HITECH Act defined a tiered system for assessing the level of each HIPAA privacy violation and, therefore, its penalty as follows:
    • Tier A—Violations for which offenders did not realize that they were violating the act and would have handled the matter differently if they had.
    • Tier B—Violations due to reasonable cause but not “willful neglect.”
    • Tier C—Violations due to willful neglect that the organization ultimately corrected.
    • Tier D—Violations of willful neglect that the organization did not correct.
  • In January 2013, the ---- was released, providing a catchall update to HIPAA and the HITECH Act rulings. The ---- tightens the requirements of covered entities and business associates.
    Omnibus Rule
  • The Gramm-Leach-Bliley Act (GLBA) addresses the privacy and security of consumer financial information. GLBA, also known as the Financial Services Modernization Act of 1999, made great changes in the banking industry.
  • Acting in concert with the GLBA is the Federal Financial Institutions Examination Council’s (FFIEC’s) regulatory committee, which serves the U.S. banking community. The FFIEC is a formal interagency body responsible for defining and prescribing uniform principles, standards, and report forms for the federal examination of financial institutions.
  • The FFIEC developed a Cybersecurity Assessment Tool that banks and financial institutions could use to determine their cybersecurity maturity. The assessment tool consists of two parts:
    • Inherent Risk Profile
    • Cybersecurity Maturity
  • The GLBA applies to consumer financial activities only, which are transactions made for personal, family, or household services, such as borrowing, lending, credit counseling, debt collection, or similar activities; it does not apply to business transactions.
  • The GLBA requires financial institutions to protect consumers’ ----, which is PII in either paper or electronic form that a consumer shares with a financial institution during a financial transaction.
    nonpublic personal information (NPI)
  • Under the GLBA, NPI includes the following:
    • Social Security number
    • Financial account numbers
    • Credit card numbers
    • Date of birth
    • Name, address, and phone numbers when collected with financial data
    • Details of any transactions or the fact that an individual is a customer of a financial institution
  • GLBA Privacy Rule
    Under this rule, a financial institution may not share a consumer’s NPI with nonaffiliated third parties. A financial institution can share this information only when it first provides the consumer with notice of its privacy practices.
  • Financial institutions must give their privacy notice to consumers if they plan to share the consumers’ NPI with nonaffiliated parties and must give the consumers a chance to stop them from sharing that information. This is called an...
    opt-out provision
  • Nonaffiliated parties are entities that are not legally related to a financial institution, whereas affiliated parties do have a legal relationship in that they are members of the same corporate family.
  • The GLBA distinguishes between customers and consumers for its notice requirements. A consumer is any person who gets a consumer financial product or service from a financial institution, whereas a customer is a consumer who has a continuing relationship with the institution.
  • GLBA Safeguards Rule
    Requires the agencies that regulate financial institutions to issue security standards for those institutions to follow. The law requires each agency to create security standards that protect the security and confidentiality of customer data, protect against threats to the security or integrity of customer data, and protect against unauthorized access to or use of customer data that could result in harm to a customer.
  • The FTC Safeguards Rule requires a financial institution to create a written information security program, which must state how the institution collects and uses customer data and must describe the controls used to protect that data.
  • Sarbanes-Oxley Act of 2002
    SOX, or Sarbox for short, is a U.S. federal law requiring officers of publicly traded companies to have accurate and audited financial statements. SOX also requires proper security controls to protect financial records and insider information.
  • The main goal of SOX is to protect investors from financial fraud by supplementing other federal securities laws that apply only to publicly traded companies that must register with the SEC, not to privately held companies.
  • SOX Section 404 requires an organization’s executive officers to establish, maintain, review, and report on the effectiveness of the company’s internal controls over financial reporting (ICFR) by making a certification on documents that the company files with the SEC. The certification helps to ensure that the company’s financial reports are accurate, which in turn helps protect investors from fraudulent financial activities.
  • SOX contains provisions for records retention:
    • SOX requires public companies to maintain their financial audit papers (i.e., the materials that support the conclusions made in an audit report) for seven years
    • Furthermore, SOX requires that a public company permanently retain the records and documentation that it uses to assess its ICFR
  • Most SOX provisions are overseen and enforced by the SEC, which was created under the Securities and Exchange Act of 1934.
  • The Family Educational Rights and Privacy Act (FERPA) is the main federal law protecting the privacy of student information.
  • Congress created FERPA in 1974. It applies to any education agency or institution that receives federal funding. Educational institutions include the following:
    • Community colleges
    • Colleges and universities
    • Primary and secondary schools (kindergarten through 12th grade)
    • State and local educational agencies (such as a school board)
    • Schools or agencies offering a preschool program
    • Any other educational institution that receives federal funding