Implications of Acts in OrganizationsDeepak . SKasturi PalMervin.SSudhanshu cyrilSwarupa rani sahu

HIPAAHealth Insurance Portability and Accountability Act

What is HIPAA?• The Health Insurance Portability and Accountability

Act enacted by the U.S. Congress• Uses electronically exchangeable data to effectively

help in healthcare• Standards are used to monitor confidentiality and

security of the patient data

What information is covered under HIPPA?•Patient Health Information (PHI) is covered under

HIPPA•Any information related to the physical and mental

health of the patient in the past, present or future is considered a PHI

•PHI is either created or received by the organization in order to properly care for the patient

Why is this important?

•Almost all healthcare units started using electronic medical records to make care more efficient

•This leads to breaches from both outside and within the organization

•One’s health information can be used as a commercial advantage, personal gain, or malicious harms

Security in HIPPA

•Patients have the right to obtain and amend their PHI•They also have the right to know how PHI is used and

who it is disclosed to•Administrative measures must do detail record

keeping and procedure compliance

The USA Patriot Act

About the Act

• Uniting (and) Strengthening America (by) Providing Appropriate Tools Required (to) Intercept (and) Obstruct Terrorism Act

• Passed in Oct.2001 by then president Mr. George Bush Jr.

• Mother of all acts

Effect of PATRIOT act on E-commerce

Indirect repercussions Stringent measures for B2B and B2C transactions Wire transfer of money became difficult Increased interference of government in financial activities of Institutions

Effect on E-Governance

•Establishment of financial crime

network (FinCNE)

• Increased data sharing

• Increased screening of foreign nationals

•Greater emphasis on knowledge management

SOPA

STOP ONLINE PIRACY ACT (2012)

STOP ONLINE PIRACY ACT (2012)

• Introduced by U.S. Representative Lamar S. Smith in 2011

•Stack holders of SOPA▫Hollywood Production Houses e.g. Warner Brothers,

Columbia Motion Picture▫Recording Industry e.g. Recording Industry Association

of America▫Broadcasting Association

Organization opposing the act

• Wikipedia• Google• Online video hosting websites• Websites providing Torrent facility• Facebook• Twitter• Flicker

Implications of SOPA

•Domain name system (DNS) will be affected• Internal networks-VPN•Different from PROTECT IP•Blocking of websites with copyright content•Blocking the IP addresses

Child Online Protection Act

•The Child Online Protection Act

 (COPA)was a law in the United States of America, passed in 1998.

•  The law, however, never took effect, as three separate rounds of litigation led to a permanent injunction against the law in 2009

COPPA•Children’s Online Privacy Protection Act•Passed on 22nd April 2000•Protects the privacy of the children•Destroy the data collected from children of age less

than 13 within 1 year•To have verifiable consent of the parents• display the information collected on the website

PROTECT(Prosecutorial Remedies and Other Tools to

end the Exploitation of Children Today)Act

•The PROTECT Act of 2003 is a United States law with the stated intent of preventing child abuse.

•Authorizes wiretapping and monitoring of other communications in all cases related to child abuse or kidnapping.

•Provides for mandatory life imprisonment of sex offenses against a minor if the offender has had a prior conviction of abuse against a minor, with some exceptions.

Effects of PROTECT Act •Bars pre-trial release of persons charged with

specified offenses against or involving children.•Establishes a program to obtain criminal history

background checks for volunteer organizations.•Eliminates statutes of limitations for child abduction

or child abuse.•Assigns a national AMBER Alert Coordinator.•Prohibits drawings, sculptures, and pictures of such

drawings and sculptures depicting minors in actions or situations that meet the Miller test of being obscene.

Sarbanes–Oxley Act

Sarbanes Oxley Act

•Enron and WorldCom Collapse - Financial frauds – led to the formation of Sarbanes Oxley act

•Key Implications Independence of audit committee CE and CFO certification of financial statements – SOX

906 SOX 302 – Corporate responsibility for financial reports SOX 409 – Real time disclosure – disclose information on

material changes in finance on rapid and current basis Whistle-Blower Protection - Document Destruction

Key sections related to the Act

•SOX 404 – Management assessment of Internal controls over financial reporting – Role of IT

Management create reliable internal financial controls•Destruction of documents – Periodic policy needed•Responsibilities IT representatives on SOX teams

Understanding organization’s internal control program and financial reporting process

Mapping the two to find financial statements Designing and implementing controls Documenting and testing the controls designed to mitigate

risk – continuous monitoring

Contd ..•Strong IT controls needed

External auditors – rely on process approach- Evaluation based on manual/automated controls

Inherent security and control risk – due to virtual corporate and ecommerce

Large corporate spending on IT - Greater return expected

•Entry level It securities needed Trusted Path Firewall Architectures and Connections with

Public Network – denial of services and unauthorized access to internal resources

Identification, Authentication, and Access User account management

Case – Retail Chain•The Scenario

IT process used for creation, update and manipulation of financial data

Own database – ERP for creation of all financial data and reports for SEC filings

•Audit findings Variety of database tools used to insert/delete/modify

(unmitigated) data from underlying ERP databases User id/password for internal authentication No controls in org. beyond basic authentication.

Solutions •Controls on data access and updating of underlying

financial databases - ERP system access and any other access

•Automated provisioning process - segregation of duties to approve the creation of system user IDs and access privileges, as well as modification and removal.

•Audit logging and reporting infrastructure for reporting system - conformance to the organization’s internal policies and standards.

FISMA

Federal Information Security Management Act (2003)

How did FISMA originate?

•FISMA was introduced by replacing GISRA, title III of the Electronic Government Act of 2002

•The FISMA Implementation Project was established in January 2003 to produce several key security standards and guidelines required by Congressional legislation of USA.

Need for FISMA?The need to secure information infrastructure used in all federal agencies.

OBJECTIVES:▫ For the implementation of a cost-effective, risk-based information

security programs

▫ For the establishment of a level of security due diligence for federal agencies and contractors supporting the federal government

▫ To create a more consistent and cost-effective application of security controls across the federal information technology infrastructure

▫ To create a more consistent, comparable, and repeatable security control assessments

Contd..

▫To generate a better understanding of enterprise-wide mission risks resulting from the operation of information systems

▫ Lastly, to create a more complete, reliable, and trustworthy information for authorizing officials--facilitating more informed security authorization decisions

▫And also to make sure that there are more secure information systems within the federal government including the critical infrastructure of the United States

Requirements of FISMA

•Appropriate officials should be assigned•Periodical review of the security controls of the

information system•Security awareness training should be done•Guidelines laid by NSIT for information security

control should be followed• Lastly, plan for security should be followed

How to implement FISMA?

How to implement FISMA?•Generally, CIO’s are given the responsibility in

compliance with the CISO•Then the IG’s review the process and reporting •Reports are sent to the OMB by the end of each

financial year.•Reporting standards are governed by OMB 130 and

NSIT special publication 800-26 with changes including of 800-53

Advantages of FISMA• Its considered the best approach to ensure that

sensitive government systems and data are secure• Helps manage government systems and information,

include insurance companies, e.g. Medicare claims, and out sourcecing companies which manage federal systems, such as Lockheed Martin, Northrop Grumman

• FISMA reports by mandating a standard interface and follow a format for entering FISMA data. The OMB then provides this data via reports to other agencies.

References

•http://csrc.nist.gov/groups/SMA/fisma/index.html•http://www.authorstream.com/Presentation/

aSGuest7375-125409-fisma-business-finance-ppt-powerpoint/

•http://community.ca.com/blogs/iam/archive/2009/11/12/the-relative-adoption-of-fisma.aspx

•http://csrc.nist.gov/groups/SMA/fisma/index.html•http://searchsecurity.techtarget.com/definition/

Federal-Information-Security-Management-Act

References contd ….

• Wikipedia• http://www.coppa.org/coppa.htm• www.fincen.gov › Statutes & Regulations• www.hhs.gov• http://news.cnet.com/8301-31921_3-57329001-281/how-sopa-would-affect-you-

faq/• http://www.pwc.lu/en_LU/lu/it-effectiveness/docs/pwc-sarbanes-oxley210606.pdf• http://www.sans.org/reading_room/whitepapers/casestudies/impact-sarbanes-

oxley-act-security_1344• . http://www.auerbach-publications.com/dynamic_data/2928_1724_76-10-01.pdf.

http://accounting.smartpros.com/x43196.xml• http://www.stalback.net/duppsats.pdf• http://www.aacsb.edu/publications/archives/julyaug05/p24-29.pdf