Information security legislation
Transcript

  • 1. Information Security Legislation. “A Practical Guide to Security Assessments” by Sudhanshu Kairab (Chapter 10). Sohel Imroz, 4/4/2006
  • 2. Some “not-so-bad” News
    • The U.S. government has set significant penalties for noncompliance with HIPAA
    • Penalties for noncompliance with HIPAA Regulations:
      • Individual noncompliance
        • Up to $100
  • 3. Some “very bad” News
    • Penalties for noncompliance with HIPAA Regulations (cont’d):
      • Multiple occurrences of same noncompliance
        • Up to $25,000.00 per year
      • Wrongful disclosure of health information
        • Up to $50,000.00
        • 1 year in prison
  • 4. Some “scary” News
    • Penalties for noncompliance with HIPAA Regulations (cont’d):
      • Wrongful disclosure of health information under false pretense
        • Up to $100,000.00
        • 5 years in prison
      • Wrongful disclosure of health information with intent to sell, transfer, or use
        • Up to $250,000.00
        • 10 years in prison
  • 5.
    • But, I have good news!
  • 6. Agenda
    • Why such legislative acts?
    • Various legislation acts:
      • HIPAA
      • GLBA
      • Sarbanes-Oxley Act
      • Safe Harbor
      • FISMA
  • 7. HIPAA
    • Health Insurance Portability and Accountability Act
    • Formerly known as the Kennedy/Kassebaum Act
    • Was enacted by Congress in 1996
    • Primary purpose:
      • Improve health insurance accessibility for people changing employers or leaving the workforce
      • (Source: http://www.emrworld.net/emr-research/articles/hipaa.ppt#257,2,Overview )
      • Provide “Administrative Simplification” provisions
  • 8. HIPAA (cont’d)
    • Administrative Simplification provisions:
      • National standards
      • Unique health identifiers
      • Security standards
      • Privacy and confidentiality
  • 9. HIPAA (cont’d)
    • Objectives of Administrative Simplification provisions:
      • Improve efficiency of NHS
      • Reduce cost
      • Reduce fraud
      • Protect patient rights
      • Access to consistent clinical data
      • Information availability
      • Security standards for web-based technology
  • 10. HIPAA (cont’d)
    • Who must comply with HIPAA:
      • Health care providers
      • Health plans
      • Health care clearinghouses
    • Key points to note:
      • HIPAA does not say how compliance will be achieved
      • Requirements are too broad
      • A lot of room for interpretation
  • 11. GLBA
    • Gramm-Leach-Bliley Act
    • Was signed into law in 1999, and was in effect as of July 2001
    • GLBA repealed the Glass-Steagall Act
    • Primary purpose:
      • Provide customers with privacy notice
      • Privacy notice must be given to customer BEFORE any business agreement
      • Customers may “opt-out”
  • 12. GLBA (cont’d)
    • GLBA security requirements:
      • Information security program
      • Coordination of Information Security program
      • Regular risk analysis
      • Implementation of controls to mitigate risks
      • Overseeing the service providers
      • Evaluation and adjustment
  • 13. GLBA (cont’d)
    • Penalties for noncompliance with GLBA:
      • Financial institutions:
        • Up to $100,000.00 for each violation
      • Officers and directors:
        • Up to $10,000.00 for each violation
  • 14. Sarbanes-Oxley Act
    • Was enacted on July 30, 2002
    • A response to a series of corporate financial scandals, e.g. Enron, Tyco International and WorldCom
    • Named after Senator Paul Sarbanes, and Representative Michael Oxley
  • 15. Sarbanes-Oxley Act (cont’d)
    • Some key provisions
      • CEO and CFO must certify financial reports (Section 302)
      • Ban on personal loans to executive officers (Section 402-A)
      • Prohibition on internal trades (Section 306)
      • Public reporting of CEO and CFO compensation (Section 304)
      • Criminal and civil penalties (Title IX)
      • Results of management testing and evaluation (Section 404)
  • 16. Sarbanes-Oxley Act (cont’d)
    • Cost of Sarbanes-Oxley compliance:
    • “FEI surveyed 224 public companies with average revenues of $2.5 billion to gauge Section 404 compliance cost estimates. Results showed the total cost of compliance is now estimated at $3.14 million, or 62% more than the $1.93 million estimate identified in FEI’s January 2004 survey. The companies surveyed expect to pay their auditors $823,200 in fees for attestation of their internal controls, in addition to the annual audit fees. This compares to the $590,100 companies expected auditors would charge for attestation in January 2004.”
    • Source: Financial Executives International (http://www.fei.org/news/404_july.cfm)
  • 17. Safe Harbor
    • Result of European Commission’s Directive of Data Protection
    • Was enacted in October 1998
    • Primary purpose:
      • Personal data cannot be transmitted between European companies and non-European companies that do not meet the EC’s privacy standard
  • 18. Safe Harbor (cont’d)
    • EU Safe Harbor Principles:
      • Notice to individuals about the specific purposes of the data collection
      • Choice to opt-out of disclosure to third-parties or additional uses (opt-in for sensitive information)
      • Require third-party agents who receive personal information to provide the same level of privacy protection
  • 19. Safe Harbor (cont’d)
    • EU Safe Harbor Principles (cont’d):
      • Allow means for an individual to access personal information held
      • Take reasonable precautions against loss, misuse or unauthorized access
      • Keep data reliable for its intended use
      • Provide a readily available recourse mechanism
      • Provide procedures verifying implementation of principles
  • 20. FISMA
    • Federal Information Security Management Act
    • Was enacted in 2002
    • Primary purpose:
      • To strengthen information security programs at federal agencies
      • Provide an information security framework
      • Does not provide any hard standards or guidelines
  • 21. FISMA (cont’d)
    • Key responsibilities:
      • Provide information security commensurate with the associated risk
      • Perform a risk assessment
      • Implement policies and procedures
      • Conduct periodic tests
      • Have a CISO
      • Conduct ongoing evaluation and adjustment
  • 22. A Final Thought
