• An IT lesson from the BP disaster

    04Jun
    Author: ned Categories: IT Management, Ramblings Comments: 1

    Sadly disasters happen, and when they do there are often valuable lessons to be learned. Unfortunately, poor IT infrastructure will limit the lessons the oil industry can learn from this incident.

    The Deepwater Horizon rig was equipped with a vessel management system (VMS), which records dozens of different metrics about the conditions on the rig and in the well. These VMS logs would contain valuable details about the blowout, much like an airplane “black box” is essential in understanding a plane crash.

    Read more »

    Tags: ,

  • PCI DSS-driven assessment

    15Feb
    Author: ned Categories: IT Management, Security Comments: 0

    The PCI DSS (Payment Card Industry Data Security Standard) sets a number of expectations for IT assessment.  Activities, from scanning for rogue wireless access points to reviewing vendor contracts, are scattered throughout the PCI Data Security Standard document.

    Below is an attempt to assemble those requirements into a single schedule.  Where the standard didn’t specify a frequency, I used reasonable “best practices” values.  I hope this is a useful starting place for organizations working toward compliance, but it is definitely not a holistic IT security plan!  There are lots of other security activities that should be taking place at every organization – this is just a summary of those discussed in the PCI DSS.

    See anything that I missed?  Did I get something wrong?  Let me know in the comments and we’ll work toward an accurate sample schedule together!!

    Read more »

    Tags: , , , , ,

  • HITECH business associate deadlines looming

    10Feb
    Author: ben Categories: IT Management, Security Comments: 0

    We wrote about the HITECH act and its impact on business associates a little less than a year ago. By February 18, business associates are required to:

    • Comply with the HIPAA security and privacy rules
    • Provide medical information breach notifications
    • Work with the Department of Health and Human Services to perform compliance audits as requested
    • Train employees on HIPAA and its requirements for business associates

    BAs, I hope you’re taking note. Violations can incur fines for as much as $1.5 million per year and, in the most serious circumstances, may include prison time. According to HITECH, DHHS audits are also mandatory beginning 2/18/2010. (See sections 13410 and 13411).

    Most of the associates that I’m familiar with haven’t made many changes in the past year to improve HIPAA compliance. So what should any self-respecting business associate, now subject to these somewhat draconian and certainly expensive rules, do to avert heavy fines and lost productivity? Avoid becoming a business associate at all costs.

    First, re-evaluate whether the business truly qualifies as an associate, for one. In the past, BAAs had very few directly applicable requirements, and those that were in place were rarely or never audited and enforced. Businesses should no longer haphazardly sign BAAs when they aren’t strictly necessary.

    If the business has determined that they are indeed an associate, what can be changed to eliminate that status? If there isn’t a dire business need for access to medical records, but they’re being collected incidentally, eliminate that dependency and escape the compliance game. Of course, most health care organizations don’t freely distribute health records, and most organizations don’t want them unless they need them.

    If the business is resigned to being an associate subject to HIPAA courtesy of HITECH, it’s time to get to work. Start at www.hipaasurvivalguide.com, an excellent resource for learning the regulation and applying its teachings.

    And never forget the old proverb (that I’m making up right now): more regulation always improves security. Emphasis added.

    [Slashdot] [Digg] [Reddit] [del.icio.us] [Technorati] [StumbleUpon]
    Tags: , , ,

  • Compliance Series: PCI Data Security Standard

    28May
    Author: ben Categories: IT Management, Security Comments: 1

    I’ll kick off my much-delayed series on compliance and regulation with the Payment Card Industry’s Data Security Standard. This highly visible, widely applicable standard applies to any company that processes credit card data. Importantly, the standard was developed by the industry rather than congress. This is in direct contrast to many other industries (such as health care and finance) that are regulated by the federal government.

    The standard consists of 12 requirements, each with a number of sub-requirements, ranging from firewall configuration to security policy to ongoing vigilance. There are four tiers of merchants, and slightly different requirements apply depending on the tier. Read on for details and tips.

    Read more »

    Tags: , ,

  • New HIPAA modifications under the ARRA

    12Mar
    Author: ben Categories: IT Management, Security Comments: 0

    If you haven’t been paying attention, now is a good time to start. The recently passed American Recovery and Reinvestment Act of 2009 adds stunning, strict new provisions to the already-stringent federal health care legislation, HIPAA. In particular, the changes include:

    • Serious ramifications for business associates, or organizations that have signed agreements with health care organizations to handle patient data. Business Associates are now directly subject to the HIPAA Privacy and Security rule, and must implement all the safeguards employed by fully covered entities. The agreements themselves must be revised, a significant effort for most medium to large sized health care organizations.
    • New data breach notification requirements. Any protected health information (PHI) that has been compromised (accessed or disclosed, essentially) and is not encrypted must be disclosed to the affected individual and the Department of Health and Human Services. Breaches affecting 500 or more individuals must also be reported to the media.
    • Increased enforcement and auditing abilities. The DHHS will now be required to perform a formal investigation if a HIPAA complaint is received. Penalties for violations are also increased.
    • Accounting for treatment, payment, and health care operations for patients that request it. This might seem innocuous on the surface, but most large health care institutions face significant challenges with understanding full footprint of a patient’s health record. The change will create significant administrative burdens, new technical projects, and serious revisions to policies and procedures within and outside of IT.

    These changes seem to have taken the compliance industry by surprise. Few blogs, even those focused on HIPAA, have any analysis. At the time of this writing, Wikipedia neglects to mention the HITECH Act section of the stimulus package that includes the sweeping changes (only a vague $19 billion reference to “health information technology”). This article covers the changes in some detail. In depth analysis here.

    [Slashdot] [Digg] [Reddit] [del.icio.us] [Technorati] [StumbleUpon]
    Tags: ,

  • Compliance in Information Security (Series Introduction)

    22Jan
    Author: ben Categories: IT Management, Security Comments: 0

    I have a love/hate relationship with standards and regulations. On the one hand, they pay my bills, and I like having my bills paid. Without them, infosec would be mostly ignored, especially in large enterprises, and that’s not good for anyone. Our personal data would constantly be at risk without oversight or hope for improvement.

    On the flip side, despite the existence nine meaty, enforceable regulations that I plan to blog about in this series, we still have large scale compromises on a regular basis. Compliance costs billions of dollars to organizations of all shapes and sizes, and to what end? A single large-scale breach that affects tens or hundreds of millions of individuals, such as the recent Heartland breach, can undo most of that effort. Furthermore, many of the regulations are impractical, vague, or not enforced.

    In the end, however, I agree with Bruce Schneier who says that “more important than the specific list of countermeasures is a process of continual security improvement.” I’ll support any effort that protects my privacy and yours.

    So, without further adieu, I present a list of ten regulations that those of us in information security have come to know and love.

    Read more »

    Tags: , ,

Subscribe:

Popular Posts