Information Security Legislation
“A Practical Guide to Security Assessments” by Sudhanshu Kairab (Chapter 10)
Sohel Imroz, 4/4/2006
Some “not-so-bad” News
• The U.S. government has set significant penalties for noncompliance with HIPAA
• Penalties for noncompliance with HIPAA Regulations:
– Individual noncompliance: up to $100
Some “very bad” News
• Penalties for noncompliance with HIPAA Regulations (cont’d):
– Multiple occurrences of the same noncompliance: up to $25,000.00 per year
– Wrongful disclosure of health information: up to $50,000.00 and 1 year in prison
Some “scary” News
• Penalties for noncompliance with HIPAA Regulations (cont’d):
– Wrongful disclosure of health information under false pretenses: up to $100,000.00 and 5 years in prison
– Wrongful disclosure of health information with intent to sell, transfer, or use: up to $250,000.00 and 10 years in prison
But, I have good news!
Agenda
• Why such legislative acts?
• Various legislative acts:
– HIPAA
– GLBA
– Sarbanes-Oxley Act
– Safe Harbor
– FISMA
HIPAA
• Health Insurance Portability and Accountability Act
• Formerly known as the Kennedy/Kassebaum Act
• Enacted by Congress in 1996
• Primary purpose:
– Improve health insurance accessibility for people changing employers or leaving the workforce (Source: http://www.emrworld.net/emr-research/articles/hipaa.ppt#257,2,Overview)
– Provide “Administrative Simplification” provisions
HIPAA (cont’d)
• Administrative Simplification provisions:
– National standards
– Unique health identifiers
– Security standards
– Privacy and confidentiality
HIPAA (cont’d)
• Objectives of the Administrative Simplification provisions:
– Improve efficiency of the NHS
– Reduce cost
– Reduce fraud
– Protect patient rights
– Access to consistent clinical data
– Information availability
– Security standards for web-based technology
HIPAA (cont’d)
• Who must comply with HIPAA:
– Health care providers
– Health plans
– Health care clearinghouses
• Key points to note:
– HIPAA does not say how compliance will be achieved
– Requirements are too broad
– A lot of room for interpretation
GLBA
• Gramm-Leach-Bliley Act
• Signed into law in 1999, and in effect as of July 2001
• GLBA repealed the Glass-Steagall Act
• Primary purpose:
– Provide customers with a privacy notice
– The privacy notice must be given to the customer BEFORE any business agreement
– Customers may “opt out”
GLBA (cont’d)
• GLBA security requirements:
– Information security program
– Coordination of the information security program
– Regular risk analysis
– Implementation of controls to mitigate risks
– Overseeing the service providers
– Evaluation and adjustment
GLBA (cont’d)
• Penalties for noncompliance with GLBA:
– Financial institutions: up to $100,000.00 for each violation
– Officers and directors: up to $10,000.00 for each violation
Sarbanes-Oxley Act
• Enacted on July 30, 2002
• An answer to a series of corporate financial scandals, e.g. Enron, Tyco International, WorldCom
• Named after Senator Paul Sarbanes and Representative Michael Oxley
Sarbanes-Oxley Act (cont’d)
• Some key provisions:
– CEO and CFO must certify financial reports (Section 302)
– Ban on personal loans to executive officers (Section 402-A)
– Prohibition on internal trades (Section 306)
– Public reporting of CEO and CFO compensation (Section 304)
– Criminal and civil penalties (Title IX)
– Results of management testing and evaluation (Section 404)
Sarbanes-Oxley Act (cont’d)
• Cost of Sarbanes-Oxley compliance:
“FEI surveyed 224 public companies with average revenues of $2.5 billion to gauge Section 404 compliance cost estimates. Results showed the total cost of compliance is now estimated at $3.14 million, or 62% more than the $1.93 million estimate identified in FEI’s January 2004 survey. The companies surveyed expect to pay their auditors $823,200 in fees for attestation of their internal controls, in addition to the annual audit fees. This compares to the $590,100 companies expected auditors would charge for attestation in January 2004.”
Source: Financial Executives International (http://www.fei.org/news/404_july.cfm)
Safe Harbor
• Result of the European Commission’s Directive on Data Protection
• Enacted in October 1998
• Primary purpose:
– Personal data cannot be transmitted between European companies and non-European companies that do not meet the EC’s privacy standard
Safe Harbor (cont’d)
• EU Safe Harbor Principles:
– Notice to individuals about the specific purposes of the data collection
– Choice to opt out of disclosure to third parties or additional uses (opt-in for sensitive information)
– Require third-party agents who receive personal information to provide the same level of privacy protection
Safe Harbor (cont’d)
• EU Safe Harbor Principles (cont’d):
– Allow means for an individual to access the personal information held
– Take reasonable precautions against loss, misuse or unauthorized access
– Keep data reliable for its intended use
– Provide a readily available recourse mechanism
– Provide procedures verifying implementation of the principles
FISMA
• Federal Information Security Management Act
• Enacted in 2002
• Primary purpose:
– Strengthen information security programs at federal agencies
– Provide an information security framework
– Does not provide any hard standards or guidelines
FISMA (cont’d)
• Key responsibilities:
– Provide information security commensurate with the associated risk
– Perform a risk assessment
– Implement policies and procedures
– Conduct periodic tests
– Have a CISO
– Conduct ongoing evaluation and adjustment
A Final Thought