Health Insurance Portability and Accountability Act (HIPAA)

Posted 19 March 2010, 6:13 am, in Governance & Standards, Organized Standards

Enacted in 1996, with its implementing regulations issued by the U.S. Department of Health and Human Services (HHS), HIPAA establishes national standards for the protection of certain health information: covered entities are held accountable for the protected information they handle. The major goal of the Act is to protect the privacy of individuals' health information while still allowing that information to flow to covered entities in support of health care services. Entities covered by the Rule are obligated to comply, and face real monetary penalties for failure to do so. A sub-group within HHS, the Office for Civil Rights (OCR), is responsible for implementing and enforcing the privacy rules, including voluntary compliance and civil money penalties.

There are two specific regulations of interest to IT: the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule covers all protected health information (PHI) maintained by a covered entity, in any form; the Security Rule covers only electronic PHI (ePHI), and specifies five categories of required policies, procedures, and reporting mechanisms:

  1. Administrative Safeguards
  2. Physical Safeguards
  3. Technical Safeguards
  4. Organizational Requirements
  5. Policies and Procedures

Compliance with the Security Rule means implementing "reasonable and appropriate" measures. The Rule does not prescribe particular technologies: each standard carries implementation specifications that are either required or addressable, and an addressable specification must be implemented, replaced by an equivalent alternative, or documented together with the reason it is not needed. "Addressable" is therefore not the same as "optional".

This information was compiled from the HHS website and an article called HIPAA in a Nutshell, by Mike Chapple.

PCI DSS (Payment Card Industry Data Security Standard)

Posted 19 March 2010, 5:01 am, in Governance & Standards, Organized Standards

The PCI DSS is meant to encourage cardholder data security and promote consistent data security practices across the entire organization. Compliance with the standard is assessed through adherence to a set of requirements and preparation of a Report on Compliance (ROC). The scope of the standard encompasses policies relating to network segmentation, wireless components, third-party and outsourced services, business facilities and system components, and compensating controls. Network segmentation is not itself a requirement, but isolating the cardholder data environment from the rest of the network reduces the number of systems that fall within the scope of the assessment. The Payment Card Industry's data security standard has six major sections containing twelve requirements:

  • Build and Maintain a Secure Network
    • Requirement 1–Install and maintain a firewall configuration to protect cardholder data
    • Requirement 2–Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect Cardholder Data
    • Requirement 3–Protect stored cardholder data
    • Requirement 4–Encrypt transmission of cardholder data across open, public networks
  • Maintain a Vulnerability Management Program
    • Requirement 5–Use and regularly update anti-virus software or programs
    • Requirement 6–Develop and maintain secure systems and applications
  • Implement Strong Access Control Measures
    • Requirement 7–Restrict access to cardholder data by business need-to-know
    • Requirement 8–Assign a unique ID to each person with computer access
    • Requirement 9–Restrict physical access to cardholder data
  • Regularly Monitor and Test Networks
    • Requirement 10–Track and monitor all access to network resources and cardholder data
    • Requirement 11–Regularly test security systems and processes
  • Maintain an Information Security Policy
    • Requirement 12–Maintain a policy that addresses information security

ITIL overview

Posted 28 July 2009, 9:55 pm, in Governance & Standards, Organized Standards

ITIL (Information Technology Infrastructure Library) is a set of concepts and practices for managing IT infrastructure, development and operations.

ITIL was developed in the UK by the Government’s CCTA (Central Computer and Telecommunications Agency).

ITIL certifications are managed by the ITIL Certification Management Board (ICMB). ITIL was developed during the 1980s and was not widely adopted until the mid-1990s.

The wider adoption gave rise to a number of related standards and frameworks, including [1] ISO/IEC 20000, an international standard governing the IT service management elements of ITIL; [2] the Information Services Procurement Library (ISPL); [3] the Application Services Library (ASL); [4] the Dynamic Systems Development Method (DSDM); and [5] the Capability Maturity Model (CMM/CMMI). In April 2001 the CCTA was merged into the OGC (Office of Government Commerce), an office of the UK Treasury; the OGC later refreshed ITIL as v3, published in 2007. ITIL v3 has five core areas:

    1. Service Strategy
    2. Service Design
    3. Service Transition
    4. Service Operation
    5. Continual Service Improvement