This week we're talking about Information Security (AKA InfoSec) and Compliance.
I apologize in advance for the number and frequency of acronyms in this article! In this article I will review some of the major areas of interest for Information Security and Compliance. The two issues are intertwined, and it may help to think of Compliance as the theory and Information Security as the practice in these fields. Compliance includes documentation, policies and procedures. Information Security is the implementation of those policies and procedures and follows the documentation. Requirements gathering, analysis and audits should adhere to your policies and procedures and update the documentation as needed.
EAR stands for Export Administration Regulations. It is part of the United States government export control regulations, along with ITAR. (There are other regulations for military items, but those are beyond the scope of this article.) EAR is a catch-all category regulating items that are not covered by ITAR. EAR controls commercial and dual-use items, information and technology. Dual-use means items that may have military use, such as unarmed helicopters that can be modified to carry weapons. EAR is enforced by the Department of Commerce, Bureau of Industry and Security (BIS). Regulated items may be found on the Commerce Control List (CCL). If you export goods, you need to know what EAR covers and what's on the CCL.
FERPA is the Family Educational Rights and Privacy Act. If your business involves education, such as K-12 or higher education, then you should know what FERPA entails. Essentially, it means that you must protect educational records of students, especially minor students, the same way you would protect health information if you were in the medical industry.
FERPA provides parents of students and eligible students:
FedRAMP is short for Federal Risk and Authorization Management Program. It is a federal government program that delivers a standard approach to the security assessment, authorization, and continuous monitoring for cloud products and services.
Agencies involved with FedRAMP include the Office of Management and Budget (OMB), US General Services Administration (GSA), US Department of Homeland Security (DHS), US Department of Defense (DoD), National Institute of Standards and Technology (NIST), and the Federal Chief Information Officers (CIO) Council.
Cloud service providers that wish to offer their services to the US government must demonstrate compliance with FedRAMP. Companies should reference the NIST Special Publication 800 series and undergo an independent security assessment conducted by a third-party assessment organization to ensure that authorizations are compliant with the Federal Information Security Management Act (FISMA).
FIPS stands for Federal Information Processing Standards. The relevant standard here is FIPS Publication 140-2, a joint US-Canadian standard that specifies the security requirements for cryptographic modules that protect sensitive information, including patient data and student data.
Any data that requires encryption should conform to the FIPS standard. Encryption may encompass encrypted storage, encrypted transfer and/or encryption on the fly. A best practice for an organization is to establish encryption standards for each project. Standards should be set at the company level and be administered through Information Security participation in project planning and project audits.
FISMA, the Federal Information Security Management Act, codifies the Department of Homeland Security’s role in administering the implementation of information security policies for federal Executive Branch civilian agencies, overseeing agency compliance with those policies, and assisting OMB in developing those policies.
Documents are published annually with updates and guidelines for CIOs and compliance officers. The latest are for 2019.
FISMA compliance requires substantial, sustained effort. It is a multi-year project to phase in and requires annual updates and reviews. Companies that lack a dedicated Information Security department should strongly consider outsourcing their FISMA compliance efforts.
HIPAA refers to the Health Insurance Portability and Accountability Act of 1996. It is a set of standards and practices established by the federal government protecting the privacy and security of health information.
The HIPAA Privacy Rule establishes national standards to protect the medical records and other personal health information of patients and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. Appropriate safeguards must be used to protect the privacy of personal health information. In addition, limits and conditions are set on the uses and disclosures that may be made of such information without patient authorization. Patients have rights over their health information, including the right to examine and obtain a copy of their health records, and to request corrections.
The HIPAA Security Rule establishes national standards to protect the electronic personal health information of patients that is created, received, used, or maintained by an entity covered by the Rule. Appropriate administrative, physical and technical safeguards must be in place to ensure the confidentiality, integrity, and security of electronic protected health information.
ISO/IEC 27000 standards (also known as 27K) are an evolving family of standards established to help organizations keep information assets secure. They are part of the ISMS (Information Security Management Systems) standards. The goal of the 27K standards is to create proactive, meaningful management of information assets. Currently, there are about three dozen standards in the family.
The family of standards follows the Plan, Do, Check, Act (PDCA) cycle similar to the one found in ISO 9000 and other standards.
During the Plan phase, organizations establish policy, objectives, processes, and procedures related to risk management and the improvement of information security to provide results in line with the overall policies and procedures of the organization.
During the Do phase, organizations implement and operate the ISMS policies, controls, processes, and procedures created during the Plan phase.
During the Check phase, organizations assess the performance of the processes against the policy and objectives created during the Plan phase and report the results to management.
The Act phase involves acting on the results of the previous phases. Actions may include corrective measures, contingency planning, initiating a new cycle of PDCA, or creating a lessons-learned report.
International Traffic in Arms Regulations (ITAR) controls the export from the United States of defense-related articles. The regulations state that no non-US person can have physical or logical access to items/information stored in the ITAR environment. Items that are covered by the ITAR United States Munitions List (USML) include equipment, components, materials, software, and technical information that can only be shared with US Persons unless under special authorization or exemption. US Persons are individuals who are US Green Card (Permanent Resident Card) holders or US citizens.
Information Security and Compliance is a broad, complex area. A dedicated staff is required to keep on top of the policies and procedures that ensure your organization is compliant with all applicable rules and regulations. While you can choose to outsource compliance and information security, your organization is ultimately responsible. You should dedicate at least one internal person to oversee information security and compliance related issues. This person should be responsible for (at a minimum):
Amazon maintains a page dedicated to information security and compliance: Amazon's compliance program page. You should bookmark that page if your job involves information security and/or compliance, even if you don't use Amazon.
Until next time, thanks for Talking Technology with me!