Regulatory Compliance

IT Compliance Regulations


Regulatory compliance means adhering to state, Federal or IT sets of rules that are defined and enforced by a governmental body. Compliance with these regulations is an ongoing challenge for many IT and security professionals, and these obligations will not diminish or disappear; rather, they will continue to grow in both coverage and penalty.

The Secure Web Gateway assists with regulatory compliance by protecting, controlling and managing internet traffic. The regulations below are all key legislation that affects the healthcare, education, government and enterprise communities that DeepNines serves.


Regulation | Industry | Requirements

Children's Internet Protection Act

Schools and Libraries

The Children’s Internet Protection Act (CIPA) is a federal law enacted by Congress to address concerns about access to offensive content over the Internet on school and library computers. CIPA imposes certain types of requirements on any school or library that receives funding for Internet access or internal connections from the E-rate program – a program that makes certain communications technology more affordable for eligible schools and libraries.

What CIPA Requires

  • Schools and libraries subject to CIPA may not receive the discounts offered by the E-rate program unless they certify that they have an Internet safety policy that includes technology protection measures. The protection measures must block or filter Internet access to pictures that are: (a) obscene, (b) child pornography, or (c) harmful to minors (for computers that are accessed by minors). Before adopting this Internet safety policy, schools and libraries must provide reasonable notice and hold at least one public hearing or meeting to address the proposal.
  • Schools subject to CIPA are required to adopt and enforce a policy to monitor online activities of minors.
  • Schools and libraries subject to CIPA are required to adopt and implement an Internet safety policy addressing: (a) access by minors to inappropriate matter on the Internet; (b) the safety and security of minors when using electronic mail, chat rooms, and other forms of direct electronic communications; (c) unauthorized access, including so-called “hacking,” and other unlawful activities by minors online; (d) unauthorized disclosure, use, and dissemination of personal information regarding minors; and (e) measures restricting minors’ access to materials harmful to them.

Schools and libraries are required to certify that they have their safety policies and technology in place before receiving E-rate funding.

  • CIPA does not affect E-rate funding for schools and libraries receiving discounts only for telecommunications, such as telephone service.
  • An authorized person may disable the blocking or filtering measure during any use by an adult to enable access for bona fide research or other lawful purposes.
  • CIPA does not require the tracking of Internet use by minors or adults.

Health Insurance Portability and Accountability Act

Healthcare. As required by Congress in HIPAA, the Privacy Rule covers:

  • Health plans
  • Health care clearinghouses
  • Health care providers who conduct certain financial and administrative transactions electronically

Title II of HIPAA is designed to protect the privacy and security of protected health information (PHI), and promote efficiency in the health care industry through the use of standardized electronic transactions.
The Privacy Rule sets the standards for, among other things, who may have access to PHI, while the Security Rule sets the standards for ensuring that only those who should have access to electronic PHI (EPHI) will actually have access.

HIPAA Requirements:

  • Requires protection of the confidentiality, integrity and availability of all electronic protected health information (EPHI) that is created, received, maintained or transmitted
  • Eligible entities must protect against any reasonably anticipated threats or hazards to the security or integrity of such information
  • Requires protection against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule
  • Organizations must ensure compliance by their workforces

Sarbanes-Oxley Act

All Publicly Traded Companies

The Sarbanes-Oxley Act was created to protect investors from corporate accounting fraud. Named after its sponsors, Sarbanes and Oxley, it is variously referred to as "SOX" and "Sarbox," but its official name is the Public Company Accounting Reform and Investor Protection Act of 2002. It is considered by many to be the biggest overhaul of U.S. securities regulations since the New Deal.

SOX Requirements:

  • Requires executives and auditors to confirm the effectiveness of internal controls for financial reporting
  • Ensures control of unauthorized access to data or data deletion
  • Requires robust access controls, interoperable with enterprise authentication, access and auditing

Gramm-Leach-Bliley Act

Financial Services

The Financial Modernization Act of 1999, also known as the "Gramm-Leach-Bliley Act" or GLB Act, includes provisions to protect consumers’ personal financial information held by financial institutions. There are three principal parts to the privacy requirements: the Financial Privacy Rule, Safeguards Rule and pretexting provisions.

GLBA Requirements:

  • Institutions governed by GLBA must assure the security and confidentiality of customer records and information
  • They must protect against any anticipated threats or hazards to the security or integrity of such records
  • They must protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer

Federal Information Security Management Act

Government

FISMA assigns specific responsibilities to federal agencies, the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) in order to strengthen information system security. In particular, FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level. NIST's role under FISMA is to promote the development of key security standards and guidelines that support the implementation of, and compliance with, the Act.

FISMA Requirements:

  • Standards for categorizing information and information systems by mission impact
  • Standards for minimum security requirements for information and information systems
  • Guidance for selecting appropriate security controls for information systems
  • Guidance for assessing security controls in information systems and determining security control effectiveness
  • Guidance for certifying and accrediting information systems

GLBA Privacy Components

GLBA compliance is not voluntary; whether or not a financial institution discloses nonpublic information, it must have a policy in place to protect that information from foreseeable threats to security and data integrity. The major components put in place to govern the collection, disclosure, and protection of consumers' nonpublic personal information (personally identifiable information) are:

  • Financial Privacy Rule
  • Safeguards Rule
  • Pretexting Protection


California Senate Bill 1386

All Business and Government in California

California's Database Security Breach Notification Act (also known as Senate Bill 1386, or SB 1386 for short) went into effect in July 2003. The intent of the law is to protect California residents from identity theft by requiring organizations that have had computer security breaches to notify all affected California residents. The only way an organization can avoid notifying customers is to encrypt personal information prior to any security breaches.

SB 1386 Requirements:

  • The bill applies to any person or business that conducts business in California and owns or licenses computerized data that contains personal information or maintains such computerized data for another. The law also applies to California state agencies.
  • All organizations must follow certain disclosure obligations following the discovery of a security breach that may have compromised customer data. The law states "Notice must be given to any resident of California whose PI is or is reasonably believed to have been acquired by an unauthorized person." Notice must be given in the "most expedient time possible" and "without unreasonable delay," subject to certain provisions that define what is reasonable for your organization.

European Union Data Protection Directive

All European Companies

The European Union Data Protection Directive 95/46/EC of 1995 requires that E.U. member states (countries) protect the privacy of personal information that is processed using equipment in the member state, whether the processing is done by government agencies, businesses, or other organizations.

  • “Personal data” includes, but is not limited to, name, address, phone numbers, email addresses, ethnicity, religion, gender, sexual orientation, birth dates, employment, and financial account numbers.
  • The responsibility for compliance with the directive rests with the "controller”, which is the person, group of people, public authority, agency, or other body that determines the purposes and means of processing personal data.
  • “Member States shall protect the fundamental rights and freedoms of natural persons and in particular their right to privacy with respect to the processing of personal data.”