
Security Regulation Compliance

Introduction:

Information security is the practice of protecting information and information systems from unauthorized use, access, modification, disruption or destruction so that their confidentiality, integrity and availability are preserved. Information security ensures that information is accurate and complete when needed and that only authorized users can access it. The confidentiality of organizational information is increasingly threatened by digital technology. Cyber crimes grow each day, creating threats to computer systems. These risks include information theft, software attacks, sabotage, identity theft and information extortion. There is likewise the risk of losing data through critical events such as computer theft or malfunction, natural calamities or any other occurrence that may lead to data loss. These threats have forced organizations to develop mechanisms for securing their information. Most of these information security methods neglect the legal aspect of the process. An organization should inform its management as well as its employees about the different legal requirements regarding information technology in order to avoid legal disputes. Many organizations have suffered losses through ignorance of these provisions of the law, so there is a need to sensitize employees and the leadership of the organization to these legal requirements.

Regulatory requirements:

The federal government has developed policies that govern the field of information technology. These laws regulate the use of the internet, information dissemination, information security and the use of computer networks. Some of the laws that regulate information security include:

Federal Information Security Management Act (FISMA):

FISMA, enacted in 2002, recognizes the importance of information security to the national security interests of the United States. The act requires every federal entity to develop, document and implement a program that provides information security for the information and information systems used by the agency (Taylor, 2013). The aim of the act is to strengthen the information security systems of all federal agencies. The heads of each agency are required to implement cost-effective procedures and policies that reduce information security risk to an acceptable level. FISMA assigns responsibilities to the National Institute of Standards and Technology (NIST) together with the Office of Management and Budget so that they can strengthen information security systems.

The organization should come up with a well-planned security program. The program should include documents that are reviewed and modified frequently, and there should be a well laid out procedure indicating who reviews the plan, updates the plan and follows up on the security controls.

Sarbanes-Oxley Act:

The legislation, also known as SOX, came into force in 2002 and enhanced standards for the management, boards and public accounting firms of all United States public companies. The law protects investors by maintaining the accuracy and reliability of disclosures that companies make pursuant to the securities laws, and serves other purposes (Theodore, 2008). The bill contains eleven sections that address the responsibilities of a public corporation's board of directors. It also provides criminal penalties for particular misconduct and requires the Securities and Exchange Commission to develop regulations on how public corporations are to comply with the legislation. Section 303 of the act makes it unlawful for any officer or director to fraudulently influence or manipulate any certified accountant engaged in auditing the financial statements.

The organization should keep accurate and easily accessible records that it can provide to the auditors. It should also keep this information secure by making it available only to authorized individuals, so that the information provided to the auditors is accurate and original.

Gramm-Leach-Bliley Act:

The law, also known as the Financial Services Modernization Act, was enacted to enhance competition among financial institutions. It provides a clear framework for the affiliation of securities firms, banks and other institutions that provide financial services (Ciampa, 2008). The law removed market barriers that had prevented a financial institution from acting as a combination of investment bank, insurance company and commercial bank. The act defines a financial institution as one that provides financial services or products such as loans, insurance or financial advice to individuals. Subtitle A of the act contains the financial privacy rule, which directs financial institutions to provide their customers with a privacy notice when the consumer relationship is established and annually thereafter. The privacy notice explains the type of information collected about the consumer, how the institution uses the information, with whom the institution shares the information and how it protects the information. The notice gives the consumer the option to reject the sharing of the information with unaffiliated parties according to the provisions of the Fair Credit Reporting Act (Ciampa, 2008). The act requires that the financial institution give the customer the privacy notice before he or she enters into the agreement. Subtitle B of the act provides for the protection of personal information against people acting under impersonation or pretext.

Organizations should develop safeguards against pretexting. They should develop, monitor and test an appropriate program for securing the information. They should train employees to detect and deflect inquiries made under pretext, and they should have a follow-up program that tests the effectiveness of this training. The follow-up program enables the organization to identify weaknesses and improve the training program. Similarly, they should report any pretexting they recognize to the authorities, since pretexting is punishable under United States law.

PCI DSS:

The Payment Card Industry Data Security Standard is a set of information security standards for organizations that handle branded credit cards from the major card brands. These standards were created to increase the controls on cardholder data and so reduce credit card fraud through its exposure. The Payment Card Industry Security Standards Council administers the PCI standards, which are mandated by the card brands. PCI DSS has six requirements that every organization dealing with credit cards must comply with or observe (Jennings, 2010). These requirements are:

Build and maintain a secure network: organizations must install and maintain a firewall configuration that protects cardholder data. The requirement also prohibits organizations from using vendor-supplied defaults for system passwords.

Protect cardholder data: organizations must protect stored cardholder data and encrypt its transmission across open, public networks.

Maintain a vulnerability management program: organizations must develop and maintain secure systems and applications and regularly update anti-virus software on all systems commonly affected by malware.

Implement strong access control measures: organizations must restrict physical access to cardholder data and assign a unique ID to each person with computer access.

Regularly monitor and test networks: organizations should regularly test security systems and processes and monitor all access to network resources and cardholder data.

Maintain an information security policy: organizations should have a policy that addresses information security.

Organizations should develop security controls that reduce instances of credit card fraud against their customers. They should also update their anti-virus software regularly to avoid system compromise. Similarly, they should assign a secret ID to card users to limit access to their information in case a credit card falls into the wrong hands. There should also be regular testing of the installed security systems to ensure that they are fully functional and effective.

HIPAA:

The Health Insurance Portability and Accountability Act is legislation enacted by the United States Congress in 1996. The act sought to improve the continuity and portability of health insurance coverage for individuals and groups (Stephen, 2007). Title I of the legislation aims to protect health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA provides for the creation of national standards for electronic health care transactions, together with identifiers for providers and employers.

Organizations can comply with these laws by controlling access to their computer systems and by protecting PHI transmitted electronically from interception by anyone other than the intended parties. The organization should also take physical measures such as proper facility security plans and locating facilities away from high-traffic areas in order to control physical access to information.

Intellectual Property Law:

Intellectual property law comprises the rules that secure and enforce legal rights pertaining to inventions, artistic works and designs. Article 1, Section 8 of the United States Constitution gives Congress direct authority to grant inventors rights to their creations (Richard, 2009). The United States Copyright Office and the Patent and Trademark Office enforce the law. The law ensures that people who develop creative works benefit from them by granting them patent rights, so inventors can profit from their inventions, for example by selling the rights to someone else. The law also protects the names, slogans and symbols used to market a product.

The organization can comply with this law by educating its leadership and employees on the importance of respecting the patent rights of others and on the need to obtain permission before using someone else's creation.

National Institute of Standards and Technology:

NIST is responsible for formulating the guidelines, standards, methods and techniques required to provide information security for agency operations and assets. NIST has developed a framework of standards and guidelines that includes creating an inventory of information systems and setting security requirements. The guidelines also cover carrying out a risk assessment to validate the security controls, followed by certification and accreditation after the assessment.

The Department of Health and Human Services:

The Department of Health and Human Services develops the rules that implement HIPAA. These rules include the privacy rule, the enforcement rule and the security rule. The HIPAA privacy rule regulates the use and disclosure of protected health information held by employer-sponsored health plans, medical service providers and health insurers. A covered entity holds PHI concerning health status, payment for health care or the provision of health care. PHI is disclosed only when the law requires the covered entity to do so, and the law requires covered entities to notify individuals of how their PHI is used. The security rule of 2003 covers both paper and electronic PHI and deals specifically with electronic protected health information (EPHI). The rule sets out three categories of requirements from the Department of Health and Human Services: physical safeguards, technical safeguards and administrative safeguards.

References:

Taylor, P. (2013). FISMA Compliance Handbook (2nd ed.). Newnes, USA.

Ciampa, M. (2008). Security+ Guide to Network Security Fundamentals (p. 14). Cengage Learning, USA.

Jennings, R. (2010). Cloud Computing with the Windows Azure Platform (p. 124). John Wiley & Sons, USA.

Stephen, S. (2007). Guide to HIPAA Security and the Law. American Bar Association.

Theodore, N. (2008). The Sarbanes-Oxley Act: Implementation, Significance, and Impact. Nova Publishers, USA.

Richard, A. (2009). The Economic Structure of Intellectual Property Law. Harvard University Press, USA.

Sherry Roberts is the author of this paper.
