Laws, regulations, and standards
One of the key business drivers for establishing and supporting an information security program is maintaining compliance with the many federal, state, local, and tribal laws, regulations, and industry standards that apply to the organization. Compliance requirements aside, every organization also has an ethical responsibility to honor the trust its stakeholders place in it to protect their information.
This display of due diligence and due care when handling information is established through appropriate Information Handling, Information Classification/Labeling, and Auditing policies. Some of the more well-known laws, regulations, and standards are:
Health Insurance Portability and Accountability Act (HIPAA)
Establishes national standards to protect individuals' medical records and other personal health information, and applies to health plans, healthcare clearinghouses, and those healthcare providers that conduct certain healthcare transactions electronically (HHS, 2002).
- Goals include:
  - Improving portability and continuity of healthcare insurance when a patient changes jobs (Bosworth, Kabay, & Whyne, 2014)
  - Minimizing waste, fraud, and abuse in healthcare insurance and healthcare delivery (Bosworth, Kabay, & Whyne, 2014)
  - Ensuring the privacy of individual patient information through security controls
  - Simplifying healthcare insurance administration (Bosworth, Kabay, & Whyne, 2014)
Payment Card Industry Data Security Standard (PCI DSS)
A set of security controls that any organization storing, processing, or transmitting cardholder data is required to implement. PCI DSS is an industry standard rather than a law: it is imposed contractually through the card brands and acquiring banks, and non-compliance can result in fines or loss of the ability to accept card payments. The requirements were developed, and are maintained, by the Payment Card Industry (PCI) Security Standards Council.
General Data Protection Regulation (GDPR)
Adopted in 2016 and applicable since May 25, 2018, this EU regulation establishes the responsibility of organizations handling the personal data of individuals in the European Union, whether or not the organization itself is located there, to maintain its privacy and security by restricting what is collected and processed to what is necessary for a stated purpose, and by applying appropriate technical and organizational measures to safeguard that data.
Within the context of GDPR, personal data is any information relating to an identified or identifiable natural person (the data subject), which can be as simple as a name or email address, and also includes online identifiers such as an IP address.
California Consumer Privacy Act (CCPA)
Signed into law on June 28, 2018 and in effect since January 1, 2020, this state law applies to for-profit businesses that do business in California and meet at least one of several thresholds, the best known being annual gross revenue above $25 million. It allows California consumers to demand access to the personal information a business collects and stores about them, as well as the categories of third parties with which that information has been shared.