Fundamentals of Information Systems Security Chapter 15 U.S. Compliance Laws
Learning Objective
• Apply U.S. compliance laws to real-world applications in both the public and private sectors.

Key Concepts
• Overview of U.S. compliance laws
• Impact of U.S. compliance laws on IT infrastructures of verticals and industries
• Role of NIST FIPS and SPs, and RMF, in relation to FISMA
Standards, Policies, and Laws
• Standard: An established and proven norm or method, which can be procedural or technical
• Policy: A document that states how an organization is to perform and conduct business functions
• Law: A collection or system of rules imposed by authority
Children’s Internet Protection Act (CIPA) Requirements
• Schools and libraries must
  • Use technology protection measures
  • Protect against access to harmful visual depictions
  • Adopt and enforce a policy to monitor the online activities of minors
• Minors are those 17 years of age or less
School Disclosure Exceptions in FERPA
• School officials with legitimate educational interest
• Other schools to which a student is transferring
• Specified officials for audit or evaluation purposes
• Appropriate parties in connection with financial aid to a student

School Disclosure Exceptions in FERPA (Cont.)
• Organizations conducting certain studies for or on behalf of the school
• Accrediting organizations
• Response to judicial order or lawfully issued subpoena
• Appropriate officials in cases of health and safety emergencies
• State and local authorities within a juvenile justice system, pursuant to specific State law
Federal Information Security Management Act (FISMA)
• Categorizing information and information systems by mission impact
• Complying with minimum security requirements for information systems
• Selecting appropriate security controls for information systems

Federal Information Security Management Act (FISMA) (Continued)
• Assessing security controls in information systems
• Determining security control effectiveness
• Establishing security authorization of information systems
• Monitoring security controls
• Assuring security authorization of information systems
The Gramm-Leach-Bliley Act (GLBA)
• The Financial Modernization Act of 1999
• Protects personal financial information held by financial institutions

GLBA―Principal Parts
• Safeguards Rule
• Commission’s Financial Privacy Rule
• Pretexting
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Protects the privacy and security of certain health information
• Office for Civil Rights (OCR) enforces the privacy and security rules
• Financial penalties for non-compliance

The HITECH Act
• Part of the American Recovery and Reinvestment Act (ARRA)
• Strengthens HIPAA privacy and security protections
• Increases fines for noncompliance
• Introduces a federal breach notification rule
• Requires audits of covered entities
• Allows state enforcement of HIPAA compliance
Critical Aspects of Sarbanes-Oxley (SOX)
• Protect investors by requiring accuracy and reliability in corporate disclosures
• Created new standards for corporate accountability
• Created new penalties for acts of wrongdoing, both civil and criminal
• Changes how corporate boards and executives must exchange information and work with corporate auditors

Critical Aspects of Sarbanes-Oxley (SOX) (Continued)
• Specifies new financial reporting requirements
• Requires all financial reports to include an internal control report
• Auditing firms are also required to attest to the accuracy of the assessment
U.S. Regulators
• Federal Trade Commission (FTC)
• Securities and Exchange Commission (SEC)
• U.S. Department of Education
• Department of Health and Human Services
• Office of Management and Budget

NIST FIPS and SPs
• Federal Information Processing Standards (FIPS)
• Special Publications (SPs)

Impact of Policies, Standards, and Compliance Laws
• Strengthens individual privacy
• Fosters trust by customers
• Requires more money, time, and effort by organizations to meet compliance requirements and standards
• Helps companies become more secure and organized

Summary
• Overview of U.S. compliance laws
• Impact of U.S. compliance laws on IT infrastructures of verticals and industries
• Role of NIST FIPS and SPs, and RMF, in relation to FISMA