Information security legislation
Transcript

  • 1. Information Security Legislation. “A Practical Guide to Security Assessments” by Sudhanshu Kairab (Chapter 10). Sohel Imroz, 4/4/2006
  • 2. Some “not-so-bad” News
    • The U.S. government has set significant penalties for noncompliance with HIPAA
    • Penalties for noncompliance with HIPAA Regulations:
      • Individual noncompliance
        • Up to $100
  • 3. Some “very bad” News
    • Penalties for noncompliance with HIPAA Regulations (cont’d):
      • Multiple occurrences of same noncompliance
        • Up to $25,000.00 per year
      • Wrongful disclosure of health information
        • Up to $50,000.00
        • 1 year in prison
  • 4. Some “scary” News
    • Penalties for noncompliance with HIPAA Regulations (cont’d):
      • Wrongful disclosure of health information under false pretense
        • Up to $100,000.00
        • 5 years in prison
      • Wrongful disclosure of health information with intent to sell, transfer, or use
        • Up to $250,000.00
        • 10 years in prison
  • 5.
    • But I have good news!
  • 6. Agenda
    • Why such legislative acts?
    • Various legislative acts:
      • HIPAA
      • GLBA
      • Sarbanes-Oxley Act
      • Safe Harbor
      • FISMA
  • 7. HIPAA
    • Health Insurance Portability and Accountability Act
    • Formerly known as the Kennedy/Kassebaum Act
    • Enacted by Congress in 1996
    • Primary purpose:
      • Improve health insurance accessibility for people changing employers or leaving the workforce
      • (Source: http://www.emrworld.net/emr-research/articles/hipaa.ppt#257,2,Overview)
      • Provide “Administrative Simplification” provisions
  • 8. HIPAA (cont’d)
    • Administrative Simplification provisions:
      • National standards
      • Unique health identifiers
      • Security standards
      • Privacy and confidentiality
  • 9. HIPAA (cont’d)
    • Objectives of Administrative Simplification provisions:
      • Improve efficiency of NHS
      • Reduce cost
      • Reduce fraud
      • Protect patient rights
      • Access to consistent clinical data
      • Information availability
      • Security standards for web-based technology
  • 10. HIPAA (cont’d)
    • Who must comply with HIPAA:
      • Health care providers
      • Health plans
      • Health care clearinghouses
    • Key points to note:
      • HIPAA does not say how compliance will be achieved
      • Requirements are too broad
      • A lot of room for interpretation
  • 11. GLBA
    • Gramm-Leach-Bliley Act
    • Signed into law in 1999; in effect as of July 2001
    • GLBA repealed the Glass-Steagall Act
    • Primary purpose:
      • Provide customers with a privacy notice
      • Privacy notice must be given to customer BEFORE any business agreement
      • Customers may “opt-out”
  • 12. GLBA (cont’d)
    • GLBA security requirements:
      • Information security program
      • Coordination of Information Security program
      • Regular risk analysis
      • Implementation of controls to mitigate risks
      • Overseeing the service providers
      • Evaluation and adjustment
  • 13. GLBA (cont’d)
    • Penalties for noncompliance with GLBA:
      • Financial institutions:
        • Up to $100,000.00 for each violation
      • Officers and directors:
        • Up to $10,000.00 for each violation
  • 14. Sarbanes-Oxley Act
    • Enacted on July 30, 2002
    • A response to a series of corporate financial scandals, e.g. Enron, Tyco International, WorldCom
    • Named after Senator Paul Sarbanes, and Representative Michael Oxley
  • 15. Sarbanes-Oxley Act (cont’d)
    • Some key provisions
      • CEO and CFO must certify financial reports (Section 302)
      • Ban on personal loans to executive officers (Section 402-A)
      • Prohibition on internal trades (Section 306)
      • Public reporting of CEO and CFO compensation (Section 304)
      • Criminal and civil penalties (Title IX)
      • Results of management testing and evaluation (Section 404)
  • 16. Sarbanes-Oxley Act (cont’d)
    • Cost of Sarbanes-Oxley compliance:
    • “FEI surveyed 224 public companies with average revenues of $2.5 billion to gauge Section 404 compliance cost estimates. Results showed the total cost of compliance is now estimated at $3.14 million, or 62% more than the $1.93 million estimate identified in FEI’s January 2004 survey. The companies surveyed expect to pay their auditors $823,200 in fees for attestation of their internal controls, in addition to the annual audit fees. This compares to the $590,100 companies expected auditors would charge for attestation in January 2004.”
    • Source: Financial Executives International (http://www.fei.org/news/404_july.cfm)
  • 17. Safe Harbor
    • Result of the European Commission’s Directive on Data Protection
    • Enacted in October 1998
    • Primary purpose:
      • Personal data cannot be transmitted between European companies and non-European companies that do not meet the EC’s privacy standard
  • 18. Safe Harbor (cont’d)
    • EU Safe Harbor Principles:
      • Notice to individuals about the specific purposes of the data collection
      • Choice to opt-out of disclosure to third parties or additional uses (opt-in for sensitive information)
      • Require third-party agents who receive personal information to provide the same level of privacy protection
  • 19. Safe Harbor (cont’d)
    • EU Safe Harbor Principles (cont’d):
      • Allow means for an individual to access personal information held
      • Take reasonable precautions against loss, misuse, or unauthorized access
      • Keep data reliable for its intended use
      • Provide a readily available recourse mechanism
      • Provide procedures verifying implementation of principles
  • 20. FISMA
    • Federal Information Security Management Act
    • Enacted in 2002
    • Primary purpose:
      • To strengthen information security programs at federal agencies
      • Provide an information security framework
      • Does not provide any hard standards or guidelines
  • 21. FISMA (cont’d)
    • Key responsibilities:
      • Provide information security commensurate with the associated risk
      • Perform a risk assessment
      • Implement policies and procedures
      • Conduct periodic tests
      • Have a CISO
      • Conduct ongoing evaluation and adjustment
  • 22. A Final Thought