Security from a compliance perspective


GLBA requires financial institutions to better protect customer personally identifiable information (PII) with three rules:
- Financial Privacy Rule: Provide information to each customer regarding the protection of private customer data
- Safeguards Rule: Create a formal written security plan that describes how customer PII will be protected
- Pretexting Protection: Requires precautions to prevent social engineering attempts to acquire customer PII
PCI DSS (Payment Card Industry Data Security Standard) applies to any organization that processes payment card transactions and compliance is required.
FERPA (U.S. Family Educational Rights and Privacy Act of 1974) protects the privacy of student education records and applies to all schools that receive funding from the US DoE (Department of Education).
The U.S. FISMA (Federal Information Security Management Act) of 2002 defines an information management framework which is applicable to all U.S. Federal agencies and is implemented by specific NIST standards and guidelines.
HIPAA was enacted in 1996 and requires covered entities (healthcare providers, health plans and healthcare clearinghouses) to protect the privacy and security of individual health information (PHI - Protected Health Information).

The specific implementation requirements for HIPAA are covered in the:
- HIPAA Security Rule (45 CFR parts 160, 162 and 164)
- HIPAA Privacy Rule (45 CFR parts 160 and 164)
The HITECH Act of 2009 broadens the scope of HIPAA compliance to include business associates of HIPAA covered entities. The HITECH Act introduces new security and privacy related requirements along with notification requirements.
While SOX does not mandate specific information security requirements, sections 302 and 404 establish the responsibility of company management and independent auditors to determine and certify that appropriate internal controls have been established and are effective.
SB-1386, the California Security Breach Information Act of 2003, requires that all organizations notify affected individuals if their personal data has been stolen, lost or compromised. This act applies to any company that does business within the state of California.