Is Your Business Prepared?
Sentry with Managed Security
Satisfies the technical safeguards required within federal laws and credit card industry rules.
GLBA
The Gramm-Leach-Bliley Act, passed by Congress in recent years, addresses the disclosure of non-public personal information by financial institutions. However, the Act defines financial institutions not only as banks, credit unions, etc., but also as mortgage brokers, realtors, auto dealers and others who collect and process personal information from customers. Enforcement of this law is the responsibility of the Federal Trade Commission (FTC).
The FTC's Safeguards Rule, which implements the security provisions of the Gramm-Leach-Bliley Act, is in effect. Financial institutions subject to the Rule must have in place a comprehensive security program to ensure the security and confidentiality of customer information. The Act requires that each agency or authority it describes "shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards -
(1) to insure the security and confidentiality of customer records and information;
(2) to protect against any anticipated threats or hazards to the security or integrity of such records; and
(3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer."
Sarbanes-Oxley Act (SOX)
In the wake of fraud perpetrated by a few highly publicized publicly traded companies, Congress also passed SOX. SOX is a corporate governance law that requires publicly traded companies to implement certain financial controls within the company. Financial controls include testing of business management applications and the systems that support them. Security measures are called for to protect these systems from compromise and to address data integrity, contingency planning and continuity of business.
It also requires a company to be independently audited annually for compliance with its stated controls.
Health Insurance Portability & Accountability Act (HIPAA)
The Health Insurance Portability & Accountability Act of 1996 (HIPAA) promises to have a sweeping impact on the healthcare system. The Act imposes broad and complex new patient information privacy & security requirements on virtually every segment of healthcare. This requirement directly impacts every healthcare provider. Failure to satisfy these requirements can result in civil and criminal penalties for you as well as your staff. The civil penalties can range from $50,000 to $250,000 per violation.
Today, however, the greatest risk to a practice is civil litigation. The HIPAA requirements generally equate to a Standard of Care. Some may consider this a platform for malpractice. However, HIPAA Security & Privacy malpractice is not usually covered by existing malpractice insurers. The exposure is tremendous: for the first time in American law, public standards for security & privacy have become codified. Trial lawyers can now point to explicit requirements to support their case. History is there as well: during the 1980s the most frequent and expensive litigations were based upon "Failure to Provide Adequate Security". Needless to say, this was fertile ground for litigators even without security standards to reference. With HIPAA there are now a thousand trip wires to step over!
All of these regulations require security safeguards for compliance.
Technical Safeguards Rule
To begin implementation of an information security program, each covered entity (subject to the law) must:
1. Designate an employee or employees to coordinate the program;
2. Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information and assess the sufficiency of any safeguards in place to control the risks;
3. Design and implement safeguards to address the risks and monitor the effectiveness of these safeguards;
4. Select and retain service providers that are capable of maintaining appropriate safeguards for the information and require them, by contract, to implement and maintain such safeguards;
5. Firewalls & Active Management and Monitoring of the security of a network; and
6. Adjust the information security program in light of developments that may materially affect the program.
Although each information security program must include these basic elements, the Rule allows companies to select specific safeguards that are appropriate to their size and complexity, the nature and scope of their activities, and the sensitivity of the customer information they maintain.
California House Bill 1950
This bill, a civil code, requires a business, other than specified entities, that owns or licenses personal information about a California resident to implement and maintain reasonable security procedures and practices to protect personal information from unauthorized access, destruction, use, modification, or disclosure.
Payment Card Industry Security & Privacy Rules
CISP
The credit card associations (Visa, Mastercard, American Express, etc.) passed a security rule that became effective July 2005. Known as the Customer Information Security Program, it put security & privacy compliance requirements on companies who collect, process & store a customer's credit card information. The intent is to prevent identity theft. Companies specifically targeted are payment gateways, merchant acquirers, independent sales organizations (ISOs) and merchants.
Separate and distinct from the mandate to comply with CISP requirements is the validation of compliance. It is a fundamental and critical function that identifies and corrects vulnerabilities, and protects customers by ensuring that appropriate levels of cardholder information security are maintained. Visa has prioritized and defined levels of CISP compliance validation based on the volume of transactions, the potential risk, and the exposure introduced into the Visa system by merchants and service providers.
CISP Responsibilities
Members must comply with CISP and are responsible for ensuring the CISP compliance of their merchants, service providers, and their merchants' service providers. Although there may not be a direct contractual relationship between merchant service providers and acquiring members, all members remain responsible for any liability that may occur as a result of CISP non-compliance. Acquirers must include a CISP compliance provision in all contracts with merchants and Nonmember agents.
CISP Non-Compliance Penalties
If a member, merchant or service provider does not comply with the security requirements or fails to rectify a security issue, Visa may:
1. Fine the responsible member
2. Impose restrictions on the merchant or its agent
Members receive protection from fines for merchants or service providers that have been compromised but found to be CISP-compliant at the time of the security breach. Members are subject to fines, up to $500,000 per incident, for any merchant or service provider that is compromised and not CISP-compliant at the time of the incident.
PCI
To achieve compliance with CISP, merchants and service providers must adhere to the Payment Card Industry (PCI) Data Security Standard, which offers a single approach to safeguarding sensitive data for all card brands. This Standard is a result of a collaboration between Visa and MasterCard and is designed to create common industry security requirements, incorporating the CISP requirements. Other card companies operating in the U.S. have also endorsed the PCI Data Security Standard within their respective programs.
Using the PCI Data Security Standard as its framework, CISP provides the tools and measurements needed to protect against cardholder data exposure and compromise across the entire payment industry. The PCI Data Security Standard consists of twelve basic requirements supported by more detailed sub-requirements:
PCI Data Security Standard
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security