implications of acts in organizations
DESCRIPTION
TRANSCRIPT
Implications of Acts in OrganizationsDeepak . SKasturi PalMervin.SSudhanshu cyrilSwarupa rani sahu
HIPAAHealth Insurance Portability and Accountability Act
What is HIPAA?• The Health Insurance Portability and Accountability
Act enacted by the U.S. Congress• Uses electronically exchangeable data to effectively
help in healthcare• Standards are used to monitor confidentiality and
security of the patient data
What information is covered under HIPPA?•Patient Health Information (PHI) is covered under
HIPPA•Any information related to the physical and mental
health of the patient in the past, present or future is considered a PHI
•PHI is either created or received by the organization in order to properly care for the patient
Why is this important?
•Almost all healthcare units started using electronic medical records to make care more efficient
•This leads to breaches from both outside and within the organization
•One’s health information can be used as a commercial advantage, personal gain, or malicious harms
Security in HIPPA
•Patients have the right to obtain and amend their PHI•They also have the right to know how PHI is used and
who it is disclosed to•Administrative measures must do detail record
keeping and procedure compliance
The USA Patriot Act
About the Act
• Uniting (and) Strengthening America (by) Providing Appropriate Tools Required (to) Intercept (and) Obstruct Terrorism Act
• Passed in Oct.2001 by then president Mr. George Bush Jr.
• Mother of all acts
Effect of PATRIOT act on E-commerce
Indirect repercussions Stringent measures for B2B and B2C transactions Wire transfer of money became difficult Increased interference of government in financial activities of Institutions
Effect on E-Governance
•Establishment of financial crime
network (FinCNE)
• Increased data sharing
• Increased screening of foreign nationals
•Greater emphasis on knowledge management
SOPA
STOP ONLINE PIRACY ACT (2012)
STOP ONLINE PIRACY ACT (2012)
• Introduced by U.S. Representative Lamar S. Smith in 2011
•Stack holders of SOPA▫Hollywood Production Houses e.g. Warner Brothers,
Columbia Motion Picture▫Recording Industry e.g. Recording Industry Association
of America▫Broadcasting Association
Organization opposing the act
• Wikipedia• Google• Online video hosting websites• Websites providing Torrent facility• Facebook• Twitter• Flicker
Implications of SOPA
•Domain name system (DNS) will be affected• Internal networks-VPN•Different from PROTECT IP•Blocking of websites with copyright content•Blocking the IP addresses
Child Online Protection Act
•The Child Online Protection Act
(COPA)was a law in the United States of America, passed in 1998.
• The law, however, never took effect, as three separate rounds of litigation led to a permanent injunction against the law in 2009
COPPA•Children’s Online Privacy Protection Act•Passed on 22nd April 2000•Protects the privacy of the children•Destroy the data collected from children of age less
than 13 within 1 year•To have verifiable consent of the parents• display the information collected on the website
PROTECT(Prosecutorial Remedies and Other Tools to
end the Exploitation of Children Today)Act
•The PROTECT Act of 2003 is a United States law with the stated intent of preventing child abuse.
•Authorizes wiretapping and monitoring of other communications in all cases related to child abuse or kidnapping.
•Provides for mandatory life imprisonment of sex offenses against a minor if the offender has had a prior conviction of abuse against a minor, with some exceptions.
Effects of PROTECT Act •Bars pre-trial release of persons charged with
specified offenses against or involving children.•Establishes a program to obtain criminal history
background checks for volunteer organizations.•Eliminates statutes of limitations for child abduction
or child abuse.•Assigns a national AMBER Alert Coordinator.•Prohibits drawings, sculptures, and pictures of such
drawings and sculptures depicting minors in actions or situations that meet the Miller test of being obscene.
Sarbanes–Oxley Act
Sarbanes Oxley Act
•Enron and WorldCom Collapse - Financial frauds – led to the formation of Sarbanes Oxley act
•Key Implications Independence of audit committee CE and CFO certification of financial statements – SOX
906 SOX 302 – Corporate responsibility for financial reports SOX 409 – Real time disclosure – disclose information on
material changes in finance on rapid and current basis Whistle-Blower Protection - Document Destruction
Key sections related to the Act
•SOX 404 – Management assessment of Internal controls over financial reporting – Role of IT
Management create reliable internal financial controls•Destruction of documents – Periodic policy needed•Responsibilities IT representatives on SOX teams
Understanding organization’s internal control program and financial reporting process
Mapping the two to find financial statements Designing and implementing controls Documenting and testing the controls designed to mitigate
risk – continuous monitoring
Contd ..•Strong IT controls needed
External auditors – rely on process approach- Evaluation based on manual/automated controls
Inherent security and control risk – due to virtual corporate and ecommerce
Large corporate spending on IT - Greater return expected
•Entry level It securities needed Trusted Path Firewall Architectures and Connections with
Public Network – denial of services and unauthorized access to internal resources
Identification, Authentication, and Access User account management
Case – Retail Chain•The Scenario
IT process used for creation, update and manipulation of financial data
Own database – ERP for creation of all financial data and reports for SEC filings
•Audit findings Variety of database tools used to insert/delete/modify
(unmitigated) data from underlying ERP databases User id/password for internal authentication No controls in org. beyond basic authentication.
Solutions •Controls on data access and updating of underlying
financial databases - ERP system access and any other access
•Automated provisioning process - segregation of duties to approve the creation of system user IDs and access privileges, as well as modification and removal.
•Audit logging and reporting infrastructure for reporting system - conformance to the organization’s internal policies and standards.
FISMA
Federal Information Security Management Act (2003)
How did FISMA originate?
•FISMA was introduced by replacing GISRA, title III of the Electronic Government Act of 2002
•The FISMA Implementation Project was established in January 2003 to produce several key security standards and guidelines required by Congressional legislation of USA.
Need for FISMA?The need to secure information infrastructure used in all federal agencies.
OBJECTIVES:▫ For the implementation of a cost-effective, risk-based information
security programs
▫ For the establishment of a level of security due diligence for federal agencies and contractors supporting the federal government
▫ To create a more consistent and cost-effective application of security controls across the federal information technology infrastructure
▫ To create a more consistent, comparable, and repeatable security control assessments
Contd..
▫To generate a better understanding of enterprise-wide mission risks resulting from the operation of information systems
▫ Lastly, to create a more complete, reliable, and trustworthy information for authorizing officials--facilitating more informed security authorization decisions
▫And also to make sure that there are more secure information systems within the federal government including the critical infrastructure of the United States
Requirements of FISMA
•Appropriate officials should be assigned•Periodical review of the security controls of the
information system•Security awareness training should be done•Guidelines laid by NSIT for information security
control should be followed• Lastly, plan for security should be followed
How to implement FISMA?
How to implement FISMA?•Generally, CIO’s are given the responsibility in
compliance with the CISO•Then the IG’s review the process and reporting •Reports are sent to the OMB by the end of each
financial year.•Reporting standards are governed by OMB 130 and
NSIT special publication 800-26 with changes including of 800-53
Advantages of FISMA• Its considered the best approach to ensure that
sensitive government systems and data are secure• Helps manage government systems and information,
include insurance companies, e.g. Medicare claims, and out sourcecing companies which manage federal systems, such as Lockheed Martin, Northrop Grumman
• FISMA reports by mandating a standard interface and follow a format for entering FISMA data. The OMB then provides this data via reports to other agencies.
References
•http://csrc.nist.gov/groups/SMA/fisma/index.html•http://www.authorstream.com/Presentation/
aSGuest7375-125409-fisma-business-finance-ppt-powerpoint/
•http://community.ca.com/blogs/iam/archive/2009/11/12/the-relative-adoption-of-fisma.aspx
•http://csrc.nist.gov/groups/SMA/fisma/index.html•http://searchsecurity.techtarget.com/definition/
Federal-Information-Security-Management-Act
References contd ….
• Wikipedia• http://www.coppa.org/coppa.htm• www.fincen.gov › Statutes & Regulations• www.hhs.gov• http://news.cnet.com/8301-31921_3-57329001-281/how-sopa-would-affect-you-
faq/• http://www.pwc.lu/en_LU/lu/it-effectiveness/docs/pwc-sarbanes-oxley210606.pdf• http://www.sans.org/reading_room/whitepapers/casestudies/impact-sarbanes-
oxley-act-security_1344• . http://www.auerbach-publications.com/dynamic_data/2928_1724_76-10-01.pdf.
http://accounting.smartpros.com/x43196.xml• http://www.stalback.net/duppsats.pdf• http://www.aacsb.edu/publications/archives/julyaug05/p24-29.pdf