Daniel Kapellmann 04/04/2016
Security Compliance Models: Checklists vs. Risk Based
Summary
The growing importance of information technologies for the operation of companies and
organizations has led both private and public actors to develop comprehensive regulations for
handling information assets. Regulators, however, can choose among different compliance models
when creating security frameworks, depending on the nature of the problems addressed, the number
of organizations in the industry and the homogeneity of industry practices, among other factors.
Examples include the PCI framework, based on a checklist of security requirements; the GLBA
Risk-Based approach to customer data protection; and the HIPAA framework, based on a flexible
hybrid approach that combines rigid Checklist requirements with Risk-Based guidance for
companies.
Introduction
In the last few years, information technologies have become a vital asset for organizations to
manage data, optimize their processes, increase their performance and improve their
decision-making. As public and private institutions rely ever more on technology, protecting their
systems becomes ever more important to the health of their overall performance. The adoption of
these technologies has undoubtedly generated numerous benefits, but it has also created a more
dangerous environment in which it is harder every day to keep information assets safe from a
variety of threats.
To address this issue, governments and key industry actors have created security compliance
standards or frameworks that protect information assets in different fields. These guidelines may
be grouped into three main security compliance models: Checklists, Risk-Based and Hybrids.
Checklists are general risk analyses created for a particular industry. They are easy to implement
and audit because their generalized approach consists of fulfilling a fixed set of conditions.
Risk-Based models, by contrast, consist of case-by-case risk analyses tailored to a particular
organization; they are harder to express and audit because there are no unified requirements.
Hybrid models contain elements of both.
In the following sections, three of the best-known security frameworks are briefly described and
categorized according to the compliance model on which they are based. Some examples of each
framework's application are then given, and finally the regulator's reasons for choosing that
compliance model are discussed. It is important to highlight that the following text presents one
particular interpretation: there is no uniquely accepted or standardized categorization of the
three frameworks in terms of their compliance models.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA protects the privacy, confidentiality and security of Protected Health Information (PHI),
providing guidelines for the correct handling of users' data. It regulates the processes and
procedures that must be followed to share, transfer and receive customer information so that only
the minimum necessary health data is used to carry out the organization's duties. (DHCS)
This framework operates under a hybrid compliance model. It establishes a checklist of data
protection requirements, whose non-compliance may result in direct government sanctions, and it
recommends implementing Risk Management-Based actions to comply effectively with those
requirements. Beyond the explicit regulation protecting users' information, the U.S. Department
of Health and Human Services (HHS) provides guidance on risk analysis, emphasizing that it is
necessary to "identify and implement the most effective and appropriate administrative, physical,
and technical safeguards to secure electronic protected health information." (U.S. Department of
Health and Human Services)
The HIPAA framework applies to organizations in the health industry, such as hospitals,
insurance companies and clinics. It is designed to protect the information of health service users,
a task that warrants government regulation because of its direct involvement with individuals'
well-being. On this basis, the regulatory institutions decided to implement two levels of security:
first, the enforcement of direct compliance with a checklist of general standards, and second,
support to promote an individual risk analysis for each organization. While the Compliance
Checklist provides a unified basis for protecting users' information, the Risk-Based component
invites organizations to choose the strategies they will use to fully comply with the main
requirements.
Payment Card Industry (PCI)
The Payment Card Industry Data Security Standard (PCI DSS) works under the governance of five
institutions: American Express, Discover, JCB International, MasterCard and Visa Inc. It regulates
the whole payment ecosystem from devices to users, including manufacturers, PIN entry devices,
software developers, payment applications, merchants and providers, requiring companies to handle
clients' payment information responsibly and to protect their monetary transactions. (PCI
Compliance Guide)
This framework is enforced directly by credit card processors and consists of a series of
guidelines that let companies know whether or not they comply. In other words, there is an
established industry checklist and, if a company does not fulfill its requirements, the regulator
may impose fines or sanctions. The PCI checklist framework suits many kinds of establishments,
such as retail stores, restaurants or theaters, that take customers' payments directly and act as
intermediaries between them and the credit/debit card processors.
Since PCI operates directly under the supervision of private institutions, it is important to
mention that it does not generate any legal responsibilities unless an actual data breach happens.
The regulator, in this case the founders' group, generated a checklist of requirements to make
sure that diverse vendors follow similar guidelines to protect cardholders' data, which at the same
time increases the security of credit/debit card users. It also makes it possible to continuously
audit the security offered by a large number of different organizations without requiring a
case-by-case review.
Gramm-Leach-Bliley Act (GLBA)
The GLBA, also known as the Financial Modernization Act of 1999, is a federal law that
establishes guidelines and standards for safeguarding private customer information handled by
organizations that offer financial products or services. Compliance with this regulation requires
companies to fulfill three main requirements: protecting customers' data from unauthorized access
or disclosure, explaining how personal information is used or shared, and describing how the
confidentiality of information is ensured. (Federal Deposit Insurance Corporation)
Despite these clear requirements, the GLBA framework may be treated as a Risk-Based compliance
model because most of its conditions require institutions to implement particularized risk
assessments in order to comply. For example, the Federal Trade Commission (FTC) issued a
Safeguards Rule to facilitate the implementation of GLBA in the financial institutions that operate
under its supervision. In essence, this rule guides organizations in performing risk assessments
and adjusting their operations for constant security testing and monitoring. (FTC) Another example
of institutions where GLBA may apply is universities, which normally publish their own individual
compliance plans online.
In the case of GLBA, despite the requirements checklist offered, the regulator promotes a
Risk-Based approach that is more flexible and allows organizations to find their own ways to
comply with the established requirements. Considering that each organization is different and its
services may be diverse, the framework asks companies to prioritize the protection of customers
regardless of the strategies used for compliance.
Conclusion
Based on the preceding analysis, it is possible to conclude that regulators design security
compliance models based on their main objectives, their overall goals and the main characteristics
of the environment or industry being regulated. Although it is sometimes difficult to determine
whether a certain framework is Risk-Based, Checklist or Hybrid, the chosen approach definitely
makes a difference in how organizations comply with a given regulation.
For example, Checklists seem more useful for a very diverse environment, as in the case of PCI:
many different organizations can comply, and it should be easy for the regulators to tell whether
they are acting in accordance with the main requirements. Risk-Based methodologies, on the other
hand, are more complex and allow organizations to choose their own strategies for compliance,
placing greater emphasis on the objective from a flexible perspective. While the first cares only
about meeting requirements, the second deals with the process followed to comply.
Finally, hybrid approaches combine characteristics of both models, promoting compliance with a
selection of requirements while allowing organizations to act according to their own structures
and objectives. Although the hybrid approach seems the most adequate for an integral security
strategy, it must also be considered that it requires more implementation effort than simple
Checklists and offers less flexibility than pure Risk-Based models.
Sources:
California Department of Health Care Services, Health Insurance Portability and Accountability Act. Available at: http://www.dhcs.ca.gov/formsandpubs/laws/hipaa/Pages/1.00WhatisHIPAA.aspx
Complianceguide.org, PCI FAQs. Available at: https://www.pcicomplianceguide.org/pci-faqs-2/
Federal Deposit Insurance Corporation, Privacy Act Issues under Gramm-Leach-Bliley. Available at: https://www.fdic.gov/consumers/consumer/alerts/glba.html
Federal Trade Commission, Financial Institutions and Customer Information: Complying with the Safeguards Rule. Available at: https://www.ftc.gov/tips-advice/business-center/guidance/financial-institutions-customer-information-complying
Georgia Tech, GLBA Information Security Program. Available at: http://policylibrary.gatech.edu/information-technology/glba-information-security-program
PCI Security Standards Council, PCI Security. Available at: https://www.pcisecuritystandards.org/pci_security/
U.S. Department of Health and Human Services, Guidance on Risk Analysis. Available at: http://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html

  • 4. perspective. While the first one cares just about meeting requirements, the second one deals with the process that is followed to comply. Finally, hybrid approaches combine characteristics from both models thus promoting the compliance with a selection of requirements while allowing organizations to act according to their own structures and objectives. Although the hybrid approach seems like the most adequate for an integral security strategy, it is also necessary to consider that it requires more implementation efforts than simple Checklists and represents less flexibility than pure Risk-Based models. Sources: California Department of Health Care Services, Health Insurance Portability and Accountability Act. Available in: http://www.dhcs.ca.gov/formsandpubs/laws/hipaa/Pages/1.00WhatisHIPAA.aspx Complianceguide.org, PCI FAQS. Available in: https://www.pcicomplianceguide.org/pci-faqs-2/ Federal Deposit Insurance Corporation, Privacy Act Issues under Gramm-Leach-Bliley. Available in: https://www.fdic.gov/consumers/consumer/alerts/glba.html Federal Trade Commission, Financial Institutions and Customer Information: Complying with the Safeguards Rule. Available in: https://www.ftc.gov/tips-advice/business- center/guidance/financial-institutions-customer-information-complying Georgia Tech, GLBA Information Security Program. Available in: http://policylibrary.gatech.edu/information-technology/glba-information-security-program PCI Security Standards Council, PCI Security. Available in: https://www.pcisecuritystandards.org/pci_security/ U.S. Department of Health and Human Services, Guidance on Risk Analysis. Available in: http://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html