Information security is not just something you do when you get around to it. There are regulations that require organizations to protect personal information and the fines and penalties for not doing so can be significant.
These regulations, a subset of which is listed below, often result from past data breaches and are usually centered on protecting personally identifiable data such as health information, credit/debit card numbers, email addresses, passwords, financial account information and Social Security numbers. Compliance with regulations is not negotiable and cannot be achieved by simply purchasing a single product right before the auditor arrives. Compliance almost always requires a combination of security products, policies and management commitment. The cost of non-compliance can be devastating to an organization. Risk Based Security can help you be ready by performing an internal compliance review and gap analysis before the auditor shows up.
| Regulation | Who is affected? | What does it cover? |
|---|---|---|
| Sarbanes-Oxley Act (SOX) | Publicly held USA corporations | Accuracy and reliability of corporate disclosures |
| Payment Card Industry Data Security Standard (PCI DSS) (a standard rather than a regulation) | Retailers, credit card companies, credit card data handlers | Security of payment customer account data |
| Gramm-Leach-Bliley Act (GLBA) | Financial institutions handling consumer financial information | Protection of consumers' personal financial information |
| Health Insurance Portability and Accountability Act (HIPAA) | Health care providers, health plans, health clearinghouses and business associates | Efficiency and effectiveness of the health care system and the security and privacy of personal health information (PHI) |
| Health Information Technology for Economic and Clinical Health Act (HITECH) | Health care providers, health plans, health clearinghouses and business associates | Widens the scope of privacy and security protections available under HIPAA, increases the potential legal liability for non-compliance and provides for more enforcement |
| Federal Information Security Management Act (FISMA) | Federal agencies | Implementation of a security program for information and information systems |
| Personal Information Protection and Electronic Documents Act (PIPEDA) | Private-sector companies doing business in Canada | Collecting, using and disclosing personal information |
| Law on the Protection of Personal Data Held by Private Parties (Mexico) | Mexican businesses, as well as any company that operates or advertises in Mexico | Requires organizations to have a lawful basis for collecting, processing, using and disclosing personally identifiable information |
| European Union Data Protection Directive | European businesses, as well as non-European companies to which data is exported (see Safe Harbor, below) | Places limits on the collection and use of personal data |
| Safe Harbor Act | U.S. companies doing business in Europe | Transfer of personal data to non-European Union nations |
Call 855-RBS-RISK or email [email protected] to arrange your compliance review.