Introduction
Firms, companies and organizations whose daily operations depend on large volumes of data require up-to-date security systems, methods and measures that meet or exceed accepted standards. In most cases, security professionals spend their time on employee access and on implementing security measures, and neglect the critical issues that can lead to sabotage of, or interference with, data and cripple a company that relies on that data for its operations. As a chief information officer in government, I would like to educate the employees of the agency on the regulatory requirements that will help them understand how critical information is and how to handle it so that it is protected from both external and internal interference. Under these regulatory requirements, a firm or agency must be conversant with FISMA, PCI DSS, HIPAA, intellectual property law, the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act, the policies that govern and prescribe the methods an agency or firm can use to protect its information (Fitzgerald, 2016). Whether the methods stipulated by these policies yield the desired protection of data and information depends on how the agency's employees implement and comply with them. The agency should be aware of the following:
FISMA
According to Axelrod (2011), FISMA is a United States federal law that recognizes the importance of information security (IS) to the national security and economic interests of the US. The act requires each federal agency to develop, document and implement an agency-wide program that provides information security for the data the agency holds and for the information systems that handle that data, including systems managed or controlled by other agencies, sources and contractors. FISMA has brought cybersecurity to the attention not only of the American government but of other countries as well. The law requires agency program officials, the inspector general (IG) and the chief information officer (CIO) to conduct an annual review of the agency's information security program and to report the results to the Office of Management and Budget (OMB), which uses the reports in its oversight role and in turn reports to Congress on agency compliance with regulations and policies. The law thus safeguards the integrity of information and checks whether the information systems, and the information itself, are compliant or insecure. In addition, it emphasizes a risk-based, cost-effective approach to information security that applies across agencies and the contractors that handle their information (Fitzgerald, 2016).
Sarbanes-Oxley Act
According to Axelrod (2011), this is a law enacted in 2002 that sets requirements for the boards and management of all United States public companies and for public accounting firms, and that makes the willful destruction of evidence to impede a federal investigation a crime. The bill aims at preventing corporate scandals, especially accounting scandals in financial departments such as those at WorldCom and Enron. It comprises eleven titles that cover the responsibilities of a public corporation's board of directors, add criminal penalties for misconduct, and create regulations for compliance by public corporations (Axelrod, 2011). The eleven titles include Auditor Independence, which establishes the independence of the external auditor, and the Public Company Accounting Oversight Board (PCAOB), which provides independent oversight of the public accounting firms that provide auditing services. The third major element is Corporate Responsibility, which has eight sections mandating that executive officers take personal responsibility for the accuracy and completeness of financial reports. Other titles include Enhanced Financial Disclosures, Corporate and Criminal Fraud Accountability, Corporate Tax Returns and Corporate Fraud Accountability.
Gramm Leach Bliley Act or (GLBA)
GLBA, also known as the Financial Services Modernization Act, was enacted in 1999 and repealed part of the Glass-Steagall Act, removing the barriers in the market among banking, insurance and investment companies. Glass-Steagall had prohibited any one institution from acting as a combination of commercial bank, investment bank and insurance company; passing GLBA lifted that prohibition and prompted the consolidation of commercial banking, investment, insurance and securities firms. The GLBA Safeguards Rule requires financial institutions to draw up an information security plan describing how the institution will protect the nonpublic personal information of its customers. GLBA compliance therefore entails designating at least one employee to coordinate the safeguards program, performing a risk analysis in every department that handles confidential customer information, developing, monitoring and testing the program so that the information system stays secure, and changing the security protocols whenever the way information is collected, stored or used changes.
PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is the information security standard for firms and organizations that handle branded credit cards from the major card schemes. PCI DSS, administered by the PCI Security Standards Council (PCI SSC), increases the controls around cardholder data in order to reduce credit card fraud; the card carries the financial information a customer uses to purchase goods and services. Compliance is validated annually either by an external Qualified Security Assessor (QSA) or by an Internal Security Assessor (ISA), an employee of the organization trained by the PCI SSC for that purpose. These assessors produce a compliance report on the security of an organization that handles many transactions, while small companies and agencies that handle low volumes of transactions can instead complete the Self-Assessment Questionnaire (SAQ).
HIPAA
HIPAA is a US legislative act that aims at protecting the privacy of data and providing other security provisions for safeguarding medical information. The law has five titles. The first, health insurance reform, safeguards health insurance coverage, especially for people who change or lose their jobs, and prohibits group health plans from denying coverage to individuals with specific ailments or pre-existing conditions. The second, Administrative Simplification, directs the Department of Health and Human Services (HHS) to set national standards for processing electronic healthcare transactions. The other titles cover tax-related provisions, the application and enforcement of group health plan requirements, and revenue offsets (Koschorreck, 2011).
Intellectual Property Law
Intellectual property is a category of property comprising the intangible creations of the human intellect; it encompasses patents, copyrights and trademarks, together with other rights such as trade secrets, rights against unfair competition and moral rights. The subject matter protected ranges from literary and artistic works to inventions, discoveries, designs, symbols, words and phrases. Intellectual property law therefore aims at protecting these creations, and the tangible products that embody them, from unauthorized duplication and the production of counterfeit goods (Axelrod, 2011).
The security methods and controls needed
According to Gikas (2010), FISMA, the Sarbanes-Oxley Act, GLBA, PCI DSS, HIPAA and intellectual property law each require different methods and controls for their implementation in an agency. Because the policies protect different types of data and information, it is hard to come up with a single security method and control that covers all of them. Given the growth in regulation of the operational transparency of agencies, corporations and organizations, it is therefore advisable that agencies adopt a harmonized and consolidated set of compliance controls. This lets the agency ensure that all the necessary government requirements are met without duplicating activities and effort (Karadsheh, 2012).
Among the controls and methods the agency needs is a top-down approach, in which access policy is defined centrally and applied uniformly, so that security checks and access to information are the same regardless of the position a person holds in the agency.
All employees should be subject to access restrictions under this top-down access protocol, which also allows the agency to monitor who accesses which information. The agency should also segregate and categorize critical information for protection; sorting and classifying information by its criticality is easier when the large volume of transactions is broken into several categories according to the sensitivity involved. A further control is for the agency to have a department, or to outsource to a firm specialized in security regulation compliance, that audits the agency at a specified interval (e.g. quarterly or annually) to ensure it complies with the applicable regulations and standards (Karadsheh, 2012).
The guidance provided by NIST
NIST outlines the steps toward compliance with these regulatory requirements and standards, which will help govern the operation of the agency. The first step is to categorize the data and information to be safeguarded, which makes it easier for the agency to analyze and monitor access to data, and transactions on it, according to how important the data is. The second step is to select a minimum baseline of controls applicable to safeguarding the entire information system. The agency should then refine the controls using a risk assessment procedure, tailoring the baseline to the risks the system actually faces. Fourth, the controls should be properly documented in the system security plan. The fifth step is to implement the security controls in the appropriate information systems, matching the controls to the types of data and the systems that hold them (Koschorreck, 2011).
The agency should also assess how effective the security controls are after they have been implemented, and then determine the agency-level risk to its mission or business and, on that basis, authorize the system to operate. Finally, the security controls and protocols should be monitored on a continuous basis to maintain the security of the information involved. For PCI DSS compliance, an agency should build and maintain a secure network and systems that protect cardholder data, maintain a vulnerability management program, and implement strong access control measures that restrict access to cardholder data to the employees who need it, so that the data changes hands as rarely as possible (Fitzgerald, 2016). This reduces cases of data and information interference. Regularly monitoring and testing the networks and maintaining an information security policy give the agency the steps it needs to protect information from external and internal interference. The criminal penalties provided by the Sarbanes-Oxley Act are a further protective measure, ensuring that employees, especially those at the top and those responsible for handling information, do not interfere with the integrity and originality of information.
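As an added example that is not part of the original essay, the categorization and baseline-selection steps described above can be made concrete with the high-water-mark rule NIST uses in FIPS 199 and FIPS 200: each information type on a system is rated low, moderate or high for confidentiality, integrity and availability (confidentiality may be "not applicable" for public information); the system's category for each objective is the highest rating among its information types; and the overall impact level, which picks the SP 800-53 low, moderate or high control baseline, is the highest of the three objectives. The information types, ratings and function names below are constructed sample data for a hypothetical agency system, not taken from any real categorization.

```python
"""FIPS 199 security categorization and NIST SP 800-53 baseline selection.

Added example, not from the original essay. Implements the high-water-mark
rule from FIPS 199 / FIPS 200 over a constructed set of information types.
"""
from dataclasses import dataclass
from typing import Dict, Iterable

# Ordering of impact levels. FIPS 199 allows "n/a" only for confidentiality
# (e.g. information intended for public release); it ranks below "low".
IMPACT_RANK = {"n/a": 0, "low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional impact levels (FIPS 199)."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        for objective in OBJECTIVES:
            level = getattr(self, objective)
            if level not in IMPACT_RANK:
                raise ValueError(f"{self.name}: unknown impact level {level!r} for {objective}")
            # Integrity and availability can never be "not applicable".
            if level == "n/a" and objective != "confidentiality":
                raise ValueError(f"{self.name}: {objective} impact cannot be n/a")


def high_water_mark(levels: Iterable[str]) -> str:
    """Return the highest impact level among `levels`."""
    return max(levels, key=IMPACT_RANK.__getitem__)


def categorize_system(info_types: Iterable[InfoType]) -> Dict[str, str]:
    """Per-objective system security category: high-water mark across info types."""
    info_types = list(info_types)
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    return {
        objective: high_water_mark(getattr(it, objective) for it in info_types)
        for objective in OBJECTIVES
    }


def overall_impact(category: Dict[str, str]) -> str:
    """FIPS 200 overall impact level: the highest of the three objectives.

    Integrity and availability are never n/a, so this is always low,
    moderate or high even when confidentiality is n/a.
    """
    return high_water_mark(category[obj] for obj in OBJECTIVES)


def select_baseline(category: Dict[str, str]) -> str:
    """Name of the SP 800-53 control baseline matching the overall impact."""
    return f"SP 800-53 {overall_impact(category)} baseline"


def format_category(category: Dict[str, str]) -> str:
    """Render in FIPS 199 notation, e.g. SC = {(confidentiality, moderate), ...}."""
    inner = ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES)
    return "SC = {" + inner + "}"


# Constructed sample: three information types on one hypothetical agency system.
SAMPLE_SYSTEM = [
    InfoType("public web content", confidentiality="n/a", integrity="low", availability="low"),
    InfoType("personnel records", confidentiality="moderate", integrity="moderate", availability="low"),
    InfoType("payment transactions", confidentiality="moderate", integrity="high", availability="moderate"),
]


if __name__ == "__main__":
    category = categorize_system(SAMPLE_SYSTEM)
    print(format_category(category))
    print("overall impact:", overall_impact(category))
    print("baseline:", select_baseline(category))
```

Note that a single high-rated information type (here the integrity of payment transactions) pulls the whole system up to the high baseline, which is why the categorization step comes first: splitting such data into its own system, as the segregation control above suggests, can keep the rest of the agency's systems at a lower, cheaper baseline.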
References
Axelrod, C. W. (2011, May). Applying lessons from safety-critical systems to security-critical software....