A multitude of internal and external requirements, including but not limited to PCI, HIPAA, NERC, FISMA, the Red Flags Rule, SOX and frameworks such as COBIT and ISO 27002, are addressed within organizational silos, leading to redundant workflows and an inefficient allocation of resources. Data gathering for audits is often performed manually, with survey results captured in numerous disjointed spreadsheets, creating errors and higher costs for every audit.
- CMR 17.00
The Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts require businesses that own, license, store or maintain personal information about a resident of the Commonwealth to follow comprehensive information security requirements. The goal is to safeguard personal information contained in both paper and electronic records. All organizations with operations and/or customers in the state of Massachusetts must adhere to these standards by March 1, 2010.
- FDCC
The Federal Desktop Core Configuration (FDCC), developed by the National Institute of Standards and Technology (NIST), the Department of Defense (DoD) and the Department of Homeland Security (DHS), provides a set of security configuration standards to which all federal agencies must adhere, as mandated by the Office of Management and Budget (OMB).
- NIST 800-53
The National Institute of Standards and Technology (NIST) Special Publication 800-53 provides recommended security controls for federal information systems and is used to determine the baseline security controls for a system. Federal IT systems must adhere to these security guidelines to comply with FISMA.
- HITECH Act
The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, part of the American Recovery and Reinvestment Act (ARRA), advances the electronic exchange of large amounts of health information and expands the reach of the HIPAA data privacy and security requirements to ensure the security of ePHI. The HIPAA Security Rule covers health plans, healthcare clearinghouses and healthcare providers. As of February 17, 2010, under the HITECH Act, business associates are also required to comply with the Security Rule requirements. HITECH establishes mandatory federal security breach reporting requirements, along with expanded criminal and civil penalties for non-compliance.
- HIPAA Security Rule
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule is focused on protecting the confidentiality, integrity and availability of electronic protected health information (ePHI) that is created, received, maintained or transmitted by any covered entity (CE) against reasonably anticipated threats, hazards and impermissible uses and/or disclosures. Covered entities include covered healthcare providers, health plans, healthcare clearinghouses, Medicare prescription drug card sponsors and business associates. By meeting the requirements set forth in the Security Rule for ePHI, CEs will also meet the ePHI requirements of the Privacy Rule.
- NERC CIP Standards 002-009
The North American Electric Reliability Corporation (NERC) is a non-profit corporation chartered to ensure that the bulk electric system in North America is reliable, adequate and secure. As the federally designated Electric Reliability Organization (ERO) in North America, NERC maintains comprehensive reliability standards that define requirements for planning and operating the collective bulk power system. Among these are the Critical Infrastructure Protection (CIP) Cyber Security Standards, commonly referred to as the NERC CIP Standards 002-009, which are designed to ensure the protection of the Critical Cyber Assets which control or affect the reliability of North America’s bulk electricity systems.
- OMB M-06-16
Office of Management and Budget (OMB) Memorandum M-06-16 requires agencies to establish safeguards for sensitive agency data on laptops and workstations. To achieve compliance with the M-06-16 mandate, agencies must enforce security measures that safeguard the integrity and availability of sensitive agency information at the endpoint.
- PCI Data Security Standard
The continuation of massive credit card data breaches at many high-profile organizations prompted the development of the Payment Card Industry Data Security Standard (PCI DSS), which standardizes how credit card data should be protected. Under the PCI DSS, a business or organization should be able to assure its customers that their credit card data, account information and transaction information are safe from hackers or any malicious system intrusion, whether from outside the organization or from within.