Quite often the question arises: there are dozens of information security laws and regulations, but which one will actually satisfy an organization's needs? The most commonly cited regulations are the Health Insurance Portability and Accountability Act, the Sarbanes-Oxley Act, the Federal Information Security Management Act of 2002, the Family Educational Rights and Privacy Act, and the Gramm-Leach-Bliley Act.
Can laws and regulations help control the risk to your organization's data? To some extent, yes, but in reality, to achieve compliance an organization should consider information security from top to bottom. Regulations can help an organization improve its information security, and non-compliance can result in penalties. It is very difficult for an organization to understand which laws apply to it and to interpret the requirements of each regulation, because many different sets of laws can apply to one organization that are not relevant to another. Regulations are not written in a way that every business person can easily understand. Most of the time an organization hires a security professional to understand the requirements and to determine how best to implement them. Initially, the organization needs to assess which laws and acts apply to it. It must also identify the areas in which the law is applicable, which requires a consistent and effective plan for dealing with security violations.
Let us take as an example the Health Insurance Portability and Accountability Act (HIPAA), which comprises both security and privacy requirements. Suppose there is a hospital that is publicly traded and is not a federal agency. Since the organization deals with healthcare patients, we can conclude that it is subject to HIPAA and not to FISMA. So we have identified which law applies. Now we need to identify what sort of protection must be applied to protect patient data from a security breach. Without the patient's consent, the hospital cannot share his or her data with anyone. Moreover, from a technological perspective, the hospital cannot allow any system that handles patient information to be compromised. This means that the hospital needs to implement controls for the systems and for the equipment that allows access to those systems. Policies and procedures also need to be prepared to govern the activities of the people who interact with the systems. It is essential to provide awareness training so that users of the systems perform their duties properly and do not intentionally or unintentionally misuse the systems and data.
Below is a list of some of these laws and their applicability:
HIPAA: Legislated in 1996, HIPAA is intended to improve the efficiency and effectiveness of the health care system. It protects the privacy of individual patients.
- Who is affected: Health care providers, or any organization that deals with healthcare information.
SOX: Legislated in 2002, the Sarbanes-Oxley Act is designed to protect investors and the public by increasing the accuracy and reliability of corporate disclosures. It was enacted after the high-profile Enron and WorldCom financial scandals of the early 2000s. It is administered by the Securities and Exchange Commission, which publishes the SOX rules and requirements defining audit requirements and which records businesses must retain and for how long.
- Who is affected: U.S. public company boards, management, and public accounting firms.
FISMA: Legislated in 2002, FISMA requires federal agencies to implement a program that provides security for their information and information systems, including those provided or managed by another agency or contractor. It is Title III of the E-Government Act of 2002. This act recognized information security as a matter of national security and therefore mandates that all federal agencies develop a method of protecting their information systems.
- Who is affected: All federal agencies.
GLBA: The Gramm-Leach-Bliley Act was enacted on November 12, 1999. It is a United States federal law that controls the ways in which financial institutions deal with the private information of individuals. There are three principal parts to its privacy requirements: the Financial Privacy Rule, the Safeguards Rule, and the pretexting provisions. As for security, it mandates that companies secure the private information of their clients and customers.
- Who is affected: Financial service providers, for example those offering loans, investment advice, insurance, etc.
FERPA: The Family Educational Rights and Privacy Act was enacted in 1974. Section 3.1 of the Family Educational Rights and Privacy Act is concerned with protecting student educational records.
- Who is affected: Any postsecondary institution, for example universities, academies, colleges, vocational schools, etc.
With the increasing reach of technology and the ever-present threats to it, it is critical to assess which regulations the organization needs to follow and to implement the applicable controls, both to prevent otherwise inevitable incidents involving corporate data and to lower the eventual cost of a security breach.
Authored by Tapasi Chavan