Final term project about information governance

INDUSTRY-STANDARDINFORMATIONSECURITY.pdf

INDUSTRY-STANDARD INFORMATION SECURITY

Until recently, security requirements were a matter of individual concern: unless you were handling government or military data, there were few legal requirements. This is rapidly changing. A variety of laws have been passed to enforce the privacy and accuracy of data and information.

SARBANES-OXLEY (SOX) ACT: The Sarbanes-Oxley Act, enacted July 30th, 2002 (often shortened to SOX), is legislation passed in response to the high-profile Enron and WorldCom financial scandals to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. The act is administered by the Securities and Exchange Commission (SEC), which sets deadlines for compliance and publishes rules on requirements. Sarbanes-Oxley is not a set of business practices and does not specify how a business should store records; rather, it defines which records are to be stored and for how long. The legislation not only affects the financial side of corporations, it also affects the IT departments whose job it is to store a corporation's electronic records. The Sarbanes-Oxley Act states that all business records, including electronic records and electronic messages, must be saved for "not less than five years." The consequences for non-compliance are fines, imprisonment, or both. IT departments are increasingly faced with the challenge of creating and maintaining a corporate records archive in a cost-effective fashion that satisfies the requirements put forth by the legislation. This law requires that public companies strengthen and document internal controls to prevent individuals from committing fraudulent acts that may compromise an organization's financial statements or reporting. The chief executive officer and chief financial officer must attest to the adequacy of the internal controls and the accuracy of the financial report. These officers are subject to fines and imprisonment for fraudulent reports. The details of SOX include requirements for providing the information that is used to generate the reports and the internal controls that are used to assure the integrity of the financial information.

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY (HIPAA) ACT: This law is intended to protect personally identifiable health information from release or misuse. Information holders in the U.S.A. must protect this data and provide audit trails of all who access it. The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996. HIPAA is also known as the Kennedy-Kassebaum Health Insurance Portability and Accountability Act (HIPAA, Public Law 104-191), effective August 21, 1996. The basic idea of HIPAA is that an individual who is the subject of individually identifiable health information should have:

• Established procedures for the exercise of individual health information privacy rights.
• The use and disclosure of individual health information should be authorized or required.

One difficulty with HIPAA is that there must be a mechanism to authenticate the patient who demands access to his/her data. As a result, medical facilities have begun to ask for Social Security Numbers from patients, thus arguably decreasing privacy by simplifying the act of correlating health records with other records. The issue of consent is problematic under HIPAA, because in practice the medical providers simply make care contingent upon agreeing to the privacy standards.

UK DATA PROTECTION ACT: This act is intended to protect individual privacy by restricting access to individually identifiable data. It has eight (8) points, one of which requires that data be kept secure and confidential. The 8 points are:

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:
   • At least one of the conditions in Schedule 2 is met, and
   • In the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

4. Personal data shall be accurate and, where necessary, kept up to date.

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

6. About the rights of individuals e.g.

7. Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Journal of Information Engineering and Applications www.iiste.org ISSN 2224-5782 (print) ISSN 2225-0506 (online) Vol.6, No.9, 2016

• FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT (FERPA): This law covers health and personal information held by schools.

• CALIFORNIA BREACH LAW: This law requires that an organization holding a variety of PII (for example credit card numbers, driver's licenses, and government identity numbers) must provide safety and security measures to protect that information. If the information may have been compromised, the organization must notify all individuals involved. There are two laws, CA-SB-1386 and CA-AB-1950, which apply to organizations that hold PII. CA-SB-1386 is a California law regulating the privacy of personal information. The first of many U.S. and international security breach notification laws, it was introduced by California State Senator Peace on February 12, 2002, and became operative July 1, 2003. Essentially, it requires an agency, person or business that conducts business in California and owns or licenses computerized 'personal information' to disclose any breach of security to any resident whose unencrypted data is believed to have been disclosed. The bill mandates various mechanisms and procedures with respect to many aspects of this scenario, subject also to other defined provisions.

• FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA): This law creates security guidance and standards through Federal Information Processing Standards (FIPS) documents that are managed by the National Institute of Standards and Technology (NIST). These standards apply to organizations that process information for the U.S. government.