Regulations

Information security is not something you do when you get around to it. Regulations require organizations to protect personal information, and the fines and penalties for failing to do so can be significant.

These regulations, a subset of which is listed below, often result from past data breaches and are usually centered on protecting personally identifiable data such as health information, credit/debit card numbers, email addresses, passwords, financial account information and Social Security numbers. Compliance is not negotiable and cannot be achieved by purchasing a single product right before the auditor arrives; it almost always requires a combination of security products, policies and management commitment. The cost of non-compliance can be devastating to an organization. Risk Based Security can help you be ready by performing an internal compliance review and gap analysis before the auditor shows up.

Sarbanes-Oxley Act (SOX)
  Who is affected: Publicly held USA corporations
  What it covers: Accuracy and reliability of corporate disclosures

Payment Card Industry Data Security Standard (PCI DSS) (an industry standard enforced by contract, not a government regulation)
  Who is affected: Retailers, credit card companies, credit card data handlers
  What it covers: Security of payment customer account data

Gramm-Leach-Bliley Act (GLBA)
  Who is affected: Financial institutions handling consumer financial information
  What it covers: Protection of consumers' personal financial information

Health Insurance Portability and Accountability Act (HIPAA)
  Who is affected: Health care providers, health plans, health care clearinghouses and their business associates
  What it covers: Efficiency and effectiveness of the health care system, and the security and privacy of protected health information (PHI)

Health Information Technology for Economic and Clinical Health Act (HITECH)
  Who is affected: Health care providers, health plans, health care clearinghouses and their business associates
  What it covers: Widens the scope of the privacy and security protections available under HIPAA, increases the potential legal liability for non-compliance and provides for more enforcement

Federal Information Security Management Act (FISMA)
  Who is affected: Federal agencies
  What it covers: Implementation of a security program for information and information systems

Personal Information Protection and Electronic Documents Act (PIPEDA)
  Who is affected: Private-sector companies doing business in Canada
  What it covers: Collecting, using and disclosing personal information

Law on the Protection of Personal Data Held by Private Parties (Mexico)
  Who is affected: Mexican businesses, as well as any company that operates or advertises in Mexico
  What it covers: Requires organizations to have a lawful basis for collecting, processing, using and disclosing personally identifiable information

European Union Data Protection Directive
  Who is affected: European businesses, as well as non-European companies to which data is exported (see Safe Harbor, below)
  What it covers: Places limits on the collection and use of personal data

U.S.-EU Safe Harbor (a framework, not a statute; the page's source calls it the "Safe Harbor Act")
  Who is affected: U.S. companies doing business in Europe
  What it covers: Transfer of personal data from the European Union to the United States

Helpful Links

Sarbanes-Oxley Act (SOX): http://www.gpo.gov/fdsys/pkg/PLAW-107publ204/content-detail.html
Payment Card Industry Data Security Standard (PCI DSS): https://www.pcisecuritystandards.org/security_standards/documents.php
Gramm-Leach-Bliley Act (GLBA): http://business.ftc.gov/privacy-and-security/gramm-leach-bliley-act
Health Insurance Portability and Accountability Act (HIPAA): http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html
Health Information Technology for Economic and Clinical Health Act (HITECH): http://www.hipaasurvivalguide.com/hitech-act-text.php
Federal Information Security Management Act (FISMA): http://csrc.nist.gov/groups/SMA/fisma/
Personal Information Protection and Electronic Documents Act (PIPEDA): http://www.parl.gc.ca/HousePublications/Publication.aspx?doc=c-6&language=E&parl=36&pub=bill&ses=2
Law on the Protection of Personal Data Held by Private Parties (Mexico): http://www.dof.gob.mx/nota_detalle.php?codigo=5150631&fecha=05/07/2010
European Union Data Protection Directive: http://ec.europa.eu/justice/data-protection/index_en.htm
U.S.-EU Safe Harbor: http://export.gov/safeharbor/eu/eg_main_018476.asp

Call 855-RBS-RISK or email sales@riskbasedsecurity.com to arrange your compliance review.