Cloud Security and Privacy : Regulatory/External Compliance (part 2)

12/11/2010 11:38:08 AM

2. PCI DSS

Companies that process credit card transactions are required to comply with the Payment Card Industry (PCI) Data Security Standard (DSS); compliance is evidenced through third-party assessments and/or self-assessments, depending on the volume of card processing activity. The requirements apply whether cardholder data is processed and stored by the company itself or by a third party on its behalf.

PCI DSS contains the following set of 12 high-level requirements that are supported by a series of more detailed requirements:[77]

[77] Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures, Version 1.2, October 2008.

  • Install and maintain a firewall configuration to protect cardholder data.

  • Do not use vendor-supplied defaults for system passwords and other security parameters.

  • Protect stored cardholder data.

  • Encrypt transmission of cardholder data across open, public networks.

  • Use and regularly update antivirus software.

  • Develop and maintain secure systems and applications.

  • Restrict access to cardholder data based on the business’s need to know.

  • Assign a unique ID to each person with computer access.

  • Restrict physical access to cardholder data.

  • Track and monitor all access to network resources and cardholder data.

  • Regularly test security systems and processes.

  • Maintain a policy that addresses information security.

2.1. Cloud computing impact of PCI DSS

Organizations are also required to ensure that their contracts with third-party service providers include PCI DSS compliance where such service providers store or process cardholder data. In a cloud environment, the organization and the supporting CSP should clearly define their responsibilities for protection of cardholder data, whether those responsibilities are shared or can be attributed to one party.

A fundamental component of PCI DSS is segmenting the systems and networks that store, process, or transmit cardholder data (the cardholder data environment) from all other systems and networks. Limiting the number of systems that handle cardholder data, and isolating them on separate network segments, has a dual benefit: it reduces exposure to breaches, and it narrows the scope of the assessment, because the PCI DSS requirements apply to the systems that handle cardholder data and to the systems connected to them; without segmentation, the entire network is in scope. If the CSP's services include processing of credit card transactions, the CSP should clearly document its information flows and segment credit card processing and storage from its other activities, thereby narrowing the infrastructure subject to PCI compliance requirements. In addition, end-to-end encryption of sensitive data such as cardholder data is a desirable approach to mitigating risk.
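To make the scoping argument concrete, the following added example (not from the original text and not the PCI standard's own method) models a small constructed inventory and a default-deny firewall policy and computes which hosts an assessor would treat as in scope. It assumes the PCI DSS scoping model in which systems that store, process, or transmit cardholder data and systems connected to them are in scope; the host names, segment names, ports, and rules are invented for illustration.

```python
"""
Illustrative PCI DSS scoping check (an added example, not from the original
text or from the PCI standard itself).

Model: every host sits in one network segment. A host that stores, processes or
transmits cardholder data (CHD) belongs to the cardholder data environment (CDE).
Between segments the firewall is default-deny and only the listed allow rules
pass traffic; inside a segment all hosts can reach each other. A host is in
scope if it is in the CDE, shares a segment with a CDE host (no segmentation),
or has a firewall rule connecting its segment to a CDE segment in either
direction. Host names, segment names and rules are constructed for the example.
"""

# Constructed inventory: host name -> (network segment, handles CHD?)
HOSTS = {
    "pos-gateway": ("cde", True),
    "card-db": ("cde", True),
    "web-shop": ("dmz", False),
    "crm": ("corp", False),
    "hr-portal": ("corp", False),
    "jump-host": ("mgmt", False),
}

# The same hosts before segmentation: everything on one flat LAN.
FLAT_HOSTS = {name: ("corp-lan", chd) for name, (_seg, chd) in HOSTS.items()}

# Constructed allow rules: (source segment, destination segment, TCP port).
# "any" stands for a wildcard segment.
SEGMENTED_RULES = [
    ("dmz", "cde", 8443),   # web shop submits card transactions to the POS gateway
    ("mgmt", "cde", 22),    # administrators reach the CDE only via the jump host
    ("corp", "dmz", 443),   # staff use the shop; no rule leads from corp into the CDE
]


def cde_hosts(hosts):
    """Hosts that store, process or transmit CHD."""
    return {name for name, (_seg, chd) in hosts.items() if chd}


def _segment_matches(rule_segment, segment):
    """A rule segment matches a host segment literally or via the wildcard."""
    return rule_segment == "any" or rule_segment == segment


def _touches_cde(rule_segment, cde_segments):
    """A rule segment reaches the CDE if it names a CDE segment or the wildcard."""
    return rule_segment == "any" or rule_segment in cde_segments


def pci_scope(hosts, allow_rules):
    """Return the set of hosts subject to PCI DSS assessment."""
    cde = cde_hosts(hosts)
    cde_segments = {hosts[name][0] for name in cde}
    in_scope = set(cde)
    for name, (segment, _chd) in hosts.items():
        if segment in cde_segments:
            in_scope.add(name)          # shares a segment with CHD: not isolated
            continue
        for src, dst, _port in allow_rules:
            connected = (
                (_segment_matches(src, segment) and _touches_cde(dst, cde_segments))
                or (_segment_matches(dst, segment) and _touches_cde(src, cde_segments))
            )
            if connected:
                in_scope.add(name)      # "connected to" the CDE through the firewall
                break
    return in_scope


def wildcard_cde_rules(hosts, allow_rules):
    """Allow rules that use a wildcard segment and give or receive CDE connectivity.

    Such rules silently pull every host behind the wildcard into scope.
    """
    cde_segments = {seg for seg, chd in hosts.values() if chd}
    return [
        rule for rule in allow_rules
        if "any" in rule[:2]
        and (_touches_cde(rule[0], cde_segments) or _touches_cde(rule[1], cde_segments))
    ]


if __name__ == "__main__":
    print("flat network, in scope:  ", sorted(pci_scope(FLAT_HOSTS, [])))
    print("segmented, in scope:     ", sorted(pci_scope(HOSTS, SEGMENTED_RULES)))
    print("wildcard rules into CDE: ",
          wildcard_cde_rules(HOSTS, SEGMENTED_RULES + [("any", "cde", 22)]))
```

On the flat network every host is in scope because all of them share a segment with the card database; after segmentation only the two CDE hosts, the web shop that submits transactions, and the jump host remain in scope, while the CRM and HR systems drop out of the assessment. The wildcard check is the kind of rule review an assessor performs: a single `any` rule into the CDE segment undoes the segmentation and puts the whole estate back in scope.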

From the perspective of a CSP, it is important to be aware of the PCI requirements. Although organizations must take a programmatic approach to PCI compliance, it is equally important for a CSP to do the same where it supports the processing of credit card transactions. The ultimate objective of PCI DSS is to protect cardholder data, prevent breaches, and quickly contain a breach if one occurs. These objectives, applied to all sensitive data, hold in the cloud computing environment as well.

3. HIPAA

Entities that process protected health information (PHI) are required to comply with the security and privacy requirements established in support of HIPAA. The HIPAA security and privacy rules focus on health plans, health care clearinghouses, health care providers, and system vendors.

The following is a summary of the topics addressed by the HIPAA Security Standards; each standard is listed with its implementation specifications.[78]

[78] Department of Health and Human Services, Office of the Secretary, 45 CFR Parts 160, 162, and 164, Health Insurance Reform: Security Standards; Final Rule, February 20, 2003.

3.1. Administrative safeguards

  • Security management process: risk analysis, risk management, sanction policy, information system activity review

  • Assigned security responsibility

  • Workforce security: authorization and/or supervision, workforce clearance procedure, termination procedures

  • Information access management: isolation of health care clearinghouse function, access authorization, access establishment and modification

  • Security awareness and training: security reminders, protection from malicious software, log-in monitoring, password management

  • Security incident procedures: response and reporting

  • Contingency plan: data backup plan, disaster recovery plan, emergency mode operation plan, testing and revision procedure, applications and data criticality analysis

  • Evaluation

  • Business associate contracts and other arrangements: written contract or other arrangement

3.2. Physical safeguards

  • Facility access controls: contingency operations, facility security plan, access control and validation procedures, maintenance records

  • Workstation use

  • Workstation security

  • Device and media controls: disposal, media reuse, accountability, data backup and storage

3.3. Technical safeguards

  • Access control: unique user identification, emergency access procedure, automatic logoff, encryption and decryption

  • Audit controls

  • Integrity: mechanism to authenticate electronic PHI

  • Person or entity authentication

  • Transmission security: integrity controls, encryption

The following is a high-level summary of the topics addressed in the HIPAA Privacy Standards.[79]

[79] Department of Health and Human Services, Office of the Secretary, 45 CFR Parts 160 and 164, Standards for Privacy of Individually Identifiable Health Information; Final Rule, December 28, 2000 and August 14, 2002.

3.4. Summary of HIPAA privacy standards

  • Uses and disclosures of PHI: General rules

  • Uses and disclosures: Organizational requirements

  • Consent for uses or disclosures to carry out treatment, payment, and health care operations

  • Uses and disclosures for which an authorization is required

  • Uses and disclosures requiring an opportunity for the individual to agree or to object

  • Uses and disclosures for which consent, an authorization, or an opportunity to agree or object is not required

  • Other procedural requirements relating to uses and disclosures of PHI

  • Notice of privacy practices for PHI

  • Rights to request privacy protection for PHI

  • Access of individuals to PHI

  • Amendment of PHI

  • Accounting of disclosures of PHI

  • Administrative requirements

  • Transition requirements

3.5. Cloud computing impact of HIPAA

The HIPAA security and privacy rules emphasize health organizations’ (covered entities) obligations to ensure that individually identifiable health information (PHI) is adequately protected when entrusted to business associates (e.g., third-party service providers).

The level of security afforded particular electronic PHI should not decrease just because the covered entity has made the business decision to entrust a business associate with using or disclosing that information in connection with the performance of certain functions instead of performing those functions itself.[80]

[80] Department of Health and Human Services, Office of the Secretary, 45 CFR Parts 160, 162, and 164, Health Insurance Reform: Security Standards; Final Rule, February 20, 2003.

Business associate agreements (contracts) are generally used by organizations to extend the HIPAA requirements to third-party service providers that process or store health information. Accordingly, where a CSP processes or stores individually identifiable health information on behalf of entities that are subject to HIPAA, the HIPAA security and privacy requirements apply to the CSP as well. In addition, further regulations on the protection of health information and on breach notification are under development in support of the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act.

As the move toward electronic medical records accelerates, CSPs serving the health care industry should be mindful of these emerging requirements. A GRC program can provide a strong foundation to adequately safeguard sensitive medical information and a means to effectively address new requirements.
