Increasingly, organizations need to comply with one or more regulations. If you are in this situation, you can satisfy auditors or regulators by proactively establishing measurable and repeatable policies and procedures to ensure effective access control. In my last post, I outlined three steps to achieve effective access control. Here I will cover common regulations, who is affected, and common file transfer security requirements.
Health Insurance Portability and Accountability Act (HIPAA) & Health Information Technology for Economic and Clinical Health (HIPAA-HITECH)
- Who: Any organization – including hospitals, clinics, insurance brokers, and physician practices – that transmits or maintains health information.
- Requirements: Organizations and their business associates must ensure that every file transfer containing personal health information is secured and that the sender and recipients are properly verified.
Sarbanes-Oxley Act (SOX)
- Who: Companies that are publicly registered on US stock exchanges (e.g., NYSE, NASDAQ). Holds executives personally accountable for violations. Increased penalties for corporations with >$75 million in market capitalization.
- Requirements: All companies must establish ‘internal controls’ on financial information and obtain an auditor’s opinion on management’s assessment. Encryption of financial information during file transfer is required to ensure data integrity.
Financial Instruments and Exchange Act (J-SOX)
- Who: Companies that are publicly registered on Japanese stock exchanges.
- Requirements: Management must provide an assessment of its internal control over its financial reporting and obtain an auditor’s opinion on management’s assessment. Encryption of financial information during file transfer is required to ensure data integrity.
BASEL-II & BASEL-III
- Who: Banks, insurance firms, and other financial institutions. Sets international standards for banking regulators to control how much capital banks need to put aside to guard against financial and operational risks.
- Requirements: Firms must protect their IT networks and associated data as part of reducing operational risk. This includes safeguarding data (such as through encryption), file transfers, and operator interaction, to name a few.
Payment Card Industry Data Security Standard (PCI-DSS)
- Who: PCI DSS applies to all entities involved in payment card processing (e.g., credit, debit, prepaid cards, etc.) – including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data.
- Requirements: Secure storage and transmission of cardholder data against unauthorized disclosure, protection against malware, and defense against other threats to the integrity of cardholder data.
International Traffic in Arms Regulations (ITAR) & Export Administration Regulations (EAR)
- Who: US-based companies whose products fall under either the ITAR’s United States Munitions List (USML) of restricted articles and services or EAR’s Commerce Control List (CCL) of regulated commercial items, including those items that are so-called ‘dual-use’ or have both commercial and military applications.
- Requirements: Establish protocols to prevent the disclosure or transfer of sensitive information to a foreign national.
The Data Protection Act of 1998
- Who: Organizations or individuals based in the United Kingdom (UK).
- Requirements: Organizations must establish policies and procedures against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
In my next post, I’ll cover three steps your organization can take to further address your compliance requirements, so check back soon!