Assignment:
Discuss the article below. Your paper should be about 1000 words (give or take 10%) and must be in standard APA or MLA format. Be sure to include your interpretation of the document and how it can be used in a typical organization. You should cite the paper and any other resources you use.
1: Compliance With Security Laws Policy
Information security is often feared as an amorphous issue that only the IT department has to deal with. The reality is that companies need to be concerned with information security compliance from top to bottom. Regulations are in place that can help a company improve information security, while non-compliance can result in severe fines. It may be difficult for a company to understand which laws apply and which ones do not, because many different sets of laws can apply to one company and not another.
Many major companies within the United States are subject to some type of security regulation. Regulations that contain information security requirements are intended to improve the information security level of organizations within that industry and many organizations would welcome such information. The difficulty comes in determining which regulations apply and in interpreting the requirements of the regulation. The regulations are not written in a way that is easily understood by the average business person so many times a security professional is needed to understand the requirements and how to best implement them. Professionals have experience implementing systems, policies, and procedures to satisfy the requirements of the regulation and enhance the security of your organization and some have obtained credentials such as the HISP (Holistic Information Security Practitioner) that signify their understanding of the regulations. Often the requirements are given in general terms leaving the company to determine how to best satisfy the requirements.
First, companies need to assess which of the laws and acts apply to them. Then they need to organize their information security to address the boundaries put in place by the acts. This requires a set plan that outlines a consistent and effective way of alerting and dealing with threats.
A cybersecurity assessment is a valuable tool for achieving these objectives as it evaluates your organization’s security and privacy against a set of globally recognized standards and best practices. It provides a roadmap to improve data privacy and the results can be used to validate adherence to relevant standards.
But how do we assess which laws apply to which company?
Talking about the particular bills and which companies they apply to is slightly vague. Therefore, take for example your local hospital. This local hospital is publicly traded and not a federal agency; therefore, it is not subject to the FISMA bill. However, since the company deals with healthcare patients, it is subject to HIPAA. Now it must look carefully at what sort of protections it must offer patients and put safeguards in effect in order to prevent a breach of security. On the ground level, it cannot give away patient information without the express consent of the patient. From a more technological perspective, the hospital cannot allow any system that handles patient information to be compromised. This means that controls need to be in place for those systems and the equipment that allows access to the systems. Policies and procedures need to be in place to govern the activities of persons who interact with the systems, and training needs to take place so that users of the systems perform their duties properly and do not intentionally or unintentionally misuse the system.
Some companies may have to comply with multiple regulations. In such cases it is best to outline all the regulations that impact the company first and then a determination can be made for which security controls to implement that satisfy the requirements of all the regulations they need to comply with. This process can reduce the amount of money the organization spends on compliance efforts because it reduces duplication of effort and the likelihood that competing systems would be put in place to satisfy the same regulatory requirement.
You and the university must comply with data protection and privacy requirements specified by federal and state laws, regulations, and industry standards. In some cases, there are additional requirements based on the U-M data classification level of the data you are working with.
Controlled Unclassified Information (CUI)-
Controlled Unclassified Information (CUI) is federal non-classified information that requires safeguarding compliant with the security controls delineated in NIST SP 800-171r1 or NIST SP 800-53r4, depending on specific contractual terms. The CUI program is a government-wide approach to creating a uniform set of requirements and information security controls directed at securing sensitive government information. The NIST document is based on the Federal Information Security Management Act of 2002 (FISMA) Moderate level requirements. CUI requirements apply to U-M researchers when they are given access to CUI information under the terms of a FAR or DFARS contract or other agreement.
Federal Acquisition Regulations (FAR) Basic Safeguarding (52.204-21) and Defense Federal Acquisition Regulation Supplement (DFARS) (252.204-7012)
The principal purpose of federal contracts awarded to U-M is to provide services or conduct research for the direct benefit or use of the U.S. government. Federal contracts are awarded under the federal government’s procurement process and are governed by a strict set of terms and conditions, including information security requirements in FAR and DFARS (contracts with the Department of Defense). The level of stringency of information security and data protection controls depends on the specific category and subcategory of the controlled unclassified information (CUI) as identified in the CUI Registry and as required under FAR and DFARS clauses in contracts. FAR and DFARS clauses do not generally apply to federal grants.
Digital Millennium Copyright Act (DMCA) and Higher Education Opportunity Act (HEOA)-
The Digital Millennium Copyright Act of 1998 (DMCA) and the Higher Education Opportunity Act (HEOA) of 2008 require that U-M manage a digital copyright compliance program that consists of four components:
Export Control (ITAR/EAR/OFAC)-
Export controlled research falls under several regulations, including:
Export controlled research includes information that is regulated for reasons of national security, foreign policy, anti-terrorism, or non-proliferation.
Non-U.S. citizens are not allowed to work on this type of project, and this kind of data cannot be stored on systems outside the United States.
Social Security Number Privacy Act-
While Social Security numbers are a type of Personally Identifiable Information (PII), the legal requirements of the Michigan Social Security Number Privacy Act for protecting them are much more stringent than for other PII.
Social Security numbers are unique, nine-digit numbers issued to U.S. citizens, permanent residents, and temporary (working) residents for taxation, Social Security benefits, and other purposes. Social Security numbers are a primary target for identity thieves. U-M has not used Social Security numbers as identifiers for students and employees since 2004.
Health Insurance Portability and Accountability Act (HIPAA)-
Protected Health Information (PHI) is regulated by the Health Insurance Portability and Accountability Act (HIPAA). HIPAA includes privacy and security rules that govern how PHI is collected, disclosed, and secured. The HIPAA privacy and security rules and requirements were developed to ensure data availability and integrity, while limiting access to PHI to only authorized people.
HIPAA privacy and security rules apply only to covered entities in their role as a health care provider, health plan, or health care clearinghouse. Protected health information excludes individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act (FERPA) and employment records held by a covered entity in its role as an employer.
Federal Information Security Management Act (FISMA)-
The Federal Information Security Management Act (FISMA) requires federal agencies and those providing services on their behalf to develop, document, and implement security programs for IT systems and store certain data on servers located in the U.S. FISMA applies generally to federal contracts as opposed to grants.