Archive - November 2000

Stop Hoarding! Improve Security, Efficiency and the Bottom Line through an Effective Data Retention Policy

Eric Vanderburg

Organizations are accumulating data at a pace that would cause a hoarder to blush.  Just like that old bicycle seat stored in the attic, data is often kept “just in case it may be needed someday.”  This practice, however, comes at a cost.

Some organizations assume that storing data is cheap, especially given the steady decline in hard drive prices.  In fact, data is expensive to keep.  Organizations spend a significant portion of their time managing, archiving and securing it.  Data is housed on servers, each of which must be maintained.  It is archived regularly according to the organization’s backup schedule, and it is audited and secured against loss.  Each of these activities consumes staff time in information management, and that time is a cost.


Information Security Compliance: ISO 27000

Eric Vanderburg

The last two articles on compliance covered the Health Insurance Portability and Accountability Act (HIPAA) and the ramifications of that act for healthcare providers and business associates, and the Payment Card Industry Data Security Standard (PCI-DSS), which provides requirements for securely handling credit card and related personal data.  This article outlines the ISO/IEC 27000 family of information security management standards from the International Organization for Standardization (ISO) and its benefits for organizations.


Transferring Information Security Risk with Cyber Insurance

Eric Vanderburg

Transferring Information Security Risk

There are four ways of dealing with risk: avoid, mitigate, accept, or transfer.  Avoiding a risk involves changing procedures or systems so that the risk no longer applies, such as removing old encryption protocols so that the risk they carry is avoided.  Risks are mitigated by implementing security controls that reduce their likelihood or impact.  If the residual risk is within acceptable levels it can be accepted.  Lastly, risks can be transferred, primarily through insurance; note that transfer shifts the financial consequence of an incident, not the organization’s accountability for it.


Information Security Compliance: PCI-DSS

Eric Vanderburg

Our last two articles have focused on compliance.  Last time we looked at HIPAA and the ramifications of that act for healthcare providers and business associates.  Today the spotlight falls on the Payment Card Industry Data Security Standard (PCI-DSS).  Following a who, what, how approach, this article presents the characteristics of entities that are required to follow, or would benefit from following, the PCI-DSS standard.  It then addresses what the PCI-DSS requirements are and concludes by describing how the compliance process works.


Information Security Compliance: HIPAA

Eric Vanderburg

This is the first entry in a set of three blog posts that deal with information security compliance.  We wish to provide organizations with a guide that outlines which laws they are subject to and how to follow them properly.  In this particular post we will discuss the Health Insurance Portability and Accountability Act (HIPAA).  A brief overview of the act will be included, as well as a discussion of where HIPAA applies and some of its requirements.

HIPAA is a regulation intended to require covered entities and their business associates to protect electronic Protected Health Information (ePHI).  The U.S. Department of Health and Human Services (HHS) outlines whom HIPAA applies to in its definition of a covered entity.  In addition to the covered entities shown in the diagram below, HIPAA applies, as business associates, to companies whose services would involve handling ePHI, such as suppliers or outsourced IT providers.


Information Security Compliance: Which regulations relate to me?

Eric Vanderburg

This entry is part of a series of information security compliance articles.  In subsequent articles we will discuss the specific regulations and their precise applications at length.  These regulations include the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX), the Federal Information Security Management Act of 2002 (FISMA), the Family Educational Rights and Privacy Act (FERPA), the Payment Card Industry Data Security Standard (PCI-DSS), and the Gramm-Leach-Bliley Act (GLBA), among other acts and regulations.

Information security is often feared as an amorphous issue that only the IT department has to deal with.  The reality is that companies need to be concerned with information security compliance from top to bottom.  Regulations are in place that can help a company improve its information security, while non-compliance can result in severe fines.  It may be difficult for a company to understand which laws apply and which ones do not, because a given set of laws can apply to one company and not to another.


Reducing privacy and compliance risk with data minimization

Eric Vanderburg

What if I told you that you could reduce risk and costs at the same time?  Skeptical?  I would be.  It sounds like some cheesy marketing ploy chock full of hidden costs, or high upfront costs with low ROI.  No, I am not pitching a product or trying to sell you a solution.  I am, however, trying to get your attention.  I am talking about data minimization.

Companies collect millions of gigabytes of information, all of which has to be stored, maintained, and secured.  There is a general fear of removing data lest it be needed some day, but this practice is quickly becoming a problem that creates privacy and compliance risk: every record retained is one more record that can be breached, subpoenaed, or found to be held without a lawful purpose.  Some call it “data hoarding,” and I am here to help you clean your closet of unnecessary bits and bytes.
