The document discusses several US acts related to privacy, security and commerce including HIPAA, the Patriot Act, COPPA, SOPA, Sarbanes-Oxley Act, and FISMA. It provides overviews of what each act covers, when they were passed, their key implications and requirements. For example, it notes that HIPAA protects patient health information, the Patriot Act increased government interference in financial activities, and FISMA requires appropriate security controls and training for federal information systems.
3. What is HIPAA?
• The Health Insurance Portability and Accountability Act, enacted by the U.S. Congress
• Uses electronically exchangeable data to make healthcare delivery more effective
• Standards are used to monitor the confidentiality and security of patient data
4. What information is covered under HIPAA?
• Patient Health Information (PHI) is covered under HIPAA
• Any information relating to the past, present or future physical or mental health of the patient is considered PHI
• PHI is created or received by the organization in order to properly care for the patient
5. Why is this important?
• Almost all healthcare units have started using electronic medical records to make care more efficient
• This exposes records to breaches from both outside and within the organization
• One's health information can be used for commercial advantage, personal gain, or malicious harm
6. Security in HIPAA
• Patients have the right to obtain and amend their PHI
• They also have the right to know how their PHI is used and to whom it is disclosed
• Administrative safeguards must include detailed record keeping and procedure compliance
8. About the PATRIOT Act
• Uniting (and) Strengthening America (by) Providing Appropriate Tools Required (to) Intercept (and) Obstruct Terrorism Act
• Passed in October 2001 under then President George Bush Jr.
• "Mother of all acts"
9. Effect of the PATRIOT Act on E-commerce
• Indirect repercussions
• Stringent measures for B2B and B2C transactions
• Wire transfer of money became more difficult
• Increased government interference in the financial activities of institutions
10. Effect on E-Governance
• Establishment of the Financial Crimes Enforcement Network (FinCEN)
• Increased data sharing
• Increased screening of foreign nationals
• Greater emphasis on knowledge management
12. STOP ONLINE PIRACY ACT (SOPA, 2012)
• Introduced by U.S. Representative Lamar S. Smith in 2011
• Stakeholders in SOPA
▫ Hollywood production houses, e.g. Warner Brothers, Columbia Motion Pictures
▫ Recording industry, e.g. Recording Industry Association of America
▫ Broadcasting associations
13. Organizations opposing the act
• Wikipedia
• Google
• Online video hosting websites
• Websites providing torrent facilities
• Facebook
• Twitter
• Flickr
14. Implications of SOPA
• The Domain Name System (DNS) would be affected
• Internal networks and VPNs
• Different from PROTECT IP
• Blocking of websites hosting copyrighted content
• Blocking of IP addresses
16. COPA
• The Child Online Protection Act (COPA) was a law in the United States of America, passed in 1998.
• The law, however, never took effect, as three separate rounds of litigation led to a permanent injunction against the law in 2009.
17. COPPA
• Children's Online Privacy Protection Act
• Passed on 22nd April 2000
• Protects the privacy of children
• Data collected from children under the age of 13 must be destroyed within 1 year
• Verifiable consent of the parents must be obtained
• The information collected must be displayed on the website
18. PROTECT (Prosecutorial Remedies and Other Tools to end the Exploitation of Children Today) Act
• The PROTECT Act of 2003 is a United States law with the stated intent of preventing child abuse.
• Authorizes wiretapping and monitoring of other communications in all cases related to child abuse or kidnapping.
• Provides for mandatory life imprisonment for sex offenses against a minor if the offender has a prior conviction of abuse against a minor, with some exceptions.
19. Effects of the PROTECT Act
• Bars pre-trial release of persons charged with specified offenses against or involving children.
• Establishes a program to obtain criminal history background checks for volunteer organizations.
• Eliminates statutes of limitations for child abduction or child abuse.
• Assigns a national AMBER Alert Coordinator.
• Prohibits drawings, sculptures, and pictures of such drawings and sculptures depicting minors in actions or situations that meet the Miller test of being obscene.
21. Sarbanes-Oxley Act
• The Enron and WorldCom collapses (financial frauds) led to the formation of the Sarbanes-Oxley Act
• Key implications
▫ Independence of the audit committee
▫ CEO and CFO certification of financial statements (SOX 906)
▫ SOX 302: Corporate responsibility for financial reports
▫ SOX 409: Real-time disclosure; information on material changes in finances must be disclosed on a rapid and current basis
▫ Whistle-blower protection; document destruction
22. Key sections related to the Act
• SOX 404: Management assessment of internal controls over financial reporting; the role of IT
▫ Management must create reliable internal financial controls
• Destruction of documents: a periodic policy is needed
• Responsibilities of IT representatives on SOX teams
▫ Understanding the organization's internal control program and financial reporting process
▫ Mapping the two to the financial statements
▫ Designing and implementing controls
▫ Documenting and testing the controls designed to mitigate risk; continuous monitoring
23. Contd.
• Strong IT controls needed
▫ External auditors rely on a process approach: evaluation based on manual/automated controls
▫ Inherent security and control risk due to virtual corporations and e-commerce
▫ Large corporate spending on IT; greater return expected
• Entry-level IT security measures needed
▫ Trusted path
▫ Firewall architectures and connections with public networks (denial of service and unauthorized access to internal resources)
▫ Identification, authentication, and access
▫ User account management
24. Case: Retail Chain
• The scenario
▫ IT processes used for creation, update and manipulation of financial data
▫ Own database; ERP used for creation of all financial data and reports for SEC filings
• Audit findings
▫ A variety of database tools used to insert/delete/modify data in the underlying ERP databases, with no mitigating control
▫ User ID/password used for internal authentication
▫ No controls in the organization beyond basic authentication
25. Solutions
• Controls on data access and updating of the underlying financial databases: ERP system access and any other access
• Automated provisioning process: segregation of duties to approve the creation of system user IDs and access privileges, as well as their modification and removal
• Audit logging and reporting infrastructure for the reporting system: conformance to the organization's internal policies and standards
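The audit findings and solutions of the retail-chain case above, turned into a concrete monitoring check: the following is an added example, not code from the original slides. It assumes a constructed database audit-log line format, a hypothetical policy that only the ERP application account may modify financial tables, and a hypothetical provisioning event carrying the requester and approver of an access grant.

```python
"""Control checks for the retail-chain SOX 404 case: flag direct (non-ERP)
modification of financial tables and segregation-of-duties breaches in user
provisioning, run over constructed database audit-log lines."""
import re

# Hypothetical policy for the case: financial tables may be changed only by
# the ERP application account, never through ad-hoc database tools.
FINANCIAL_TABLES = {"GL_JOURNAL", "AR_INVOICE", "AP_PAYMENT"}
ERP_APP_USER = "erp_app"

# Constructed audit-log format (not any real product's format):
# <ts> user=<id> prog=<client> stmt=<INSERT|UPDATE|DELETE|SELECT|GRANT> obj=<name> [req=<id> appr=<id>]
LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) prog=(?P<prog>\S+) "
    r"stmt=(?P<stmt>\S+) obj=(?P<obj>\S+)(?: req=(?P<req>\S+) appr=(?P<appr>\S+))?"
)

def parse(lines):
    """Yield one dict per well-formed audit line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def find_violations(lines):
    """Return (kind, user, detail) for every audit line that breaks policy."""
    out = []
    for r in parse(lines):
        direct_dml = r["stmt"] in {"INSERT", "UPDATE", "DELETE"} and r["obj"] in FINANCIAL_TABLES
        if direct_dml and r["user"] != ERP_APP_USER:  # ad-hoc tool touching financial data
            out.append(("direct-dml", r["user"], f'{r["stmt"]} on {r["obj"]} via {r["prog"]}'))
        if r["stmt"] == "GRANT" and r["req"] and r["req"] == r["appr"]:  # self-approved access
            out.append(("sod", r["user"], f'{r["req"]} approved own request for {r["obj"]}'))
    return out

SAMPLE_LOG = [  # constructed sample lines, not real data
    "2024-03-01T09:00:01Z user=erp_app prog=erp_batch stmt=INSERT obj=GL_JOURNAL",
    "2024-03-01T09:12:44Z user=jsmith prog=sqlclient stmt=UPDATE obj=AR_INVOICE",
    "2024-03-01T09:30:00Z user=jsmith prog=sqlclient stmt=SELECT obj=AR_INVOICE",
    "2024-03-01T10:02:19Z user=dba1 prog=adhoc_tool stmt=DELETE obj=GL_JOURNAL",
    "2024-03-01T11:00:00Z user=idm prog=provisioning stmt=GRANT obj=GL_WRITER req=mlee appr=mlee",
    "2024-03-01T11:05:00Z user=idm prog=provisioning stmt=GRANT obj=GL_WRITER req=pkim appr=ctrl1",
]

if __name__ == "__main__":
    for kind, user, detail in find_violations(SAMPLE_LOG):
        print(f"{kind:10} {user:8} {detail}")
```

Read-only access and ERP-originated changes pass; only the two ad-hoc modifications and the self-approved grant are reported.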
27. How did FISMA originate?
• FISMA was introduced to replace GISRA, as Title III of the Electronic Government Act of 2002
• The FISMA Implementation Project was established in January 2003 to produce several key security standards and guidelines required by U.S. Congressional legislation.
28. Need for FISMA
The need to secure the information infrastructure used in all federal agencies.
OBJECTIVES:
▫ Implementation of cost-effective, risk-based information security programs
▫ Establishment of a level of security due diligence for federal agencies and contractors supporting the federal government
▫ A more consistent and cost-effective application of security controls across the federal information technology infrastructure
▫ More consistent, comparable, and repeatable security control assessments
29. Contd.
▫ A better understanding of enterprise-wide mission risks resulting from the operation of information systems
▫ More complete, reliable, and trustworthy information for authorizing officials, facilitating more informed security authorization decisions
▫ More secure information systems within the federal government, including the critical infrastructure of the United States
30. Requirements of FISMA
• Appropriate officials should be assigned
• Periodic review of the security controls of the information system
• Security awareness training should be conducted
• Guidelines laid down by NIST for information security controls should be followed
• Lastly, the security plan should be followed
32. How to implement FISMA?
• Generally, CIOs are given responsibility for compliance, together with the CISO
• Then the IGs review the process and reporting
• Reports are sent to the OMB by the end of each financial year
• Reporting standards are governed by OMB Circular A-130 and NIST Special Publication 800-26, with changes including those of SP 800-53
33. Advantages of FISMA
• It is considered the best approach to ensure that sensitive government systems and data are secure
• Helps manage government systems and information, including those of insurance companies (e.g. Medicare claims) and outsourcing companies which manage federal systems, such as Lockheed Martin and Northrop Grumman
• FISMA reporting mandates a standard interface and format for entering FISMA data; the OMB then provides this data via reports to other agencies