![Page 1](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/1.jpg)
High Level Policy meets Compliance
Dr. Hale, University of Nebraska at Omaha
Information Security and Policy – Lecture 5
![Page 2](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/2.jpg)
Today’s topics:
• Last time recap
• High Level Policy Wrap up
  • Types of documents (expanded)
  • Categorizing Policy by IT domain
• Introduction to Compliance and Security Controls
  • U.S. Compliance Laws
  • Industry standards (Common Criteria, PCI-DSS, ITIL)
  • Aligning Policy with Regulations and industry
• Policy/security control frameworks
  • Model and its relation to the organization
  • COBIT, ISO/IEC 27000, NIST SP800-53
![Page 3](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/3.jpg)
Previously on... Information Security, Policy, and Awareness
![Page 4](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/4.jpg)
Good policies
(Diagram; labels as shown on the slide: Information Assurance, Σ ATLEs, Good Policy, Business Risk, Spending Cost, Perceived Security Level, Optimal)
Recap
![Page 5](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/5.jpg)
and… Policy Making Process overview
(Flowchart; nodes and branches as shown on the slide:)
Start
-> Existing Policies? Yes: Review Existing Policies. No: continue.
-> Risk Assessment Performed? No: Perform Risk Assessment, Calculate ATLEs. Yes: Determine mitigation options; Form decision trees or other model of tradeoff.
-> Determine Organizational Structure
-> Communicate with business leaders and project managers
-> Determine Compliance Requirements
-> Write/Modify Policy (expands into its own process)
-> Implement Policy
-> Security Training and Awareness
-> Preliminary Assessments
-> Monitoring / Audit
-> “End”
Recap
![Page 6](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/6.jpg)
Policy Writing Overview: Write / Modify Policy
(Flowchart; nodes and branches as shown on the slide. Compliance requirements enter the process “From Compliance”.)
Determine policy writing team
-> Existing Policies?
   Yes: Determine style guidelines compatible with existing policy -> Decide changes to scope of mission and objectives -> Make Single Policy Change -> Staff Review and/or Assess on sample population -> All Policies changed? (No: repeat; Yes: continue)
   No: Create style guidelines -> Create Policy statement for addressing a goal -> Staff Review and/or Assess on sample population -> All goals covered? (No: repeat; Yes: continue)
   Feasible? (Yes / No)
-> Acquire Sign off from management and executives
-> Define Roles and Responsibilities
-> Determine Strategic Metrics and Monitoring / Audit Plan
-> To Implementation
Recap
![Page 7](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/7.jpg)
Said we would return in later lectures:
• Determine Compliance Requirements
• Implement Policy
• Security Training and Awareness
• Monitoring / Audit
Recap
![Page 8](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/8.jpg)
This is a later lecture
• Determine Compliance Requirements
• Implement Policy
Then…
![Page 9](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/9.jpg)
But first…
High Level Policy Wrap up
![Page 10](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/10.jpg)
Different types of policy documents
High Level Policy Wrap up
(Diagram: document types arranged along an Internal / External axis)
• Policy
• Procedure
• Guideline
• Law / Regulation
• Standard
• Security Controls
![Page 11](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/11.jpg)
Different types of policy documents
High Level Policy Wrap up
Policy
• highest level (most abstract)
• goals, behaviors, consequences
• roles and responsibilities
• divided into categories, different connotations by IT Domain (next)
![Page 12](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/12.jpg)
Different types of policy documents
High Level Policy Wrap up
Guideline
• More detailed policy support document
• sets the parameters for policies or procedures
• may refine policy statements with implementation details
• supports a particular policy category
![Page 13](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/13.jpg)
Different types of policy documents
High Level Policy Wrap up
Procedure
• More detailed than policies
• provides step by step instructions
• should be designed to meet guidelines and controls
• supports a particular policy category
![Page 14](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/14.jpg)
Different types of policy documents
High Level Policy Wrap up
Law / Regulation
• Very high level, some mapping to policy
• Specifies responsibilities and consequences for enforcement
• e.g. FISMA
![Page 15](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/15.jpg)
Different types of policy documents
High Level Policy Wrap up
Standard
• Implements law or may be stand-alone
• Specifies best practices for policy development
• Contains or references security controls
• e.g. PCI, NIST SP800-53, ISO 27000
![Page 16](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/16.jpg)
Different types of policy documents
High Level Policy Wrap up
Security Controls
• Typically the meat and potatoes of policy implementation (more later)
• Applies to a particular IT domain (next)
• a safeguard or countermeasure that mitigates a risk
• generally maps to a procedure or guideline
• compliance is measured against controls
![Page 17](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/17.jpg)
IT Domains
High Level Policy Wrap up
• IT covers a range of assets
• controls and policies typically apply categorically to different domains
(Diagram of the IT domains:)
• User Domain
• Workstation Domain
• LAN Domain (Switch, Server)
• LAN-to-WAN (DMZ) Domain (Router, Firewall)
• WAN
• System/Application Domain (Web App Server, Cloud Resources)
• Mobile Domain
![Page 18](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/18.jpg)
IT Domains
High Level Policy Wrap up
Policies, procedures, guidelines, and controls should be applied appropriately by domain.
(Same diagram of the IT domains: User, Workstation, LAN, LAN-to-WAN (DMZ), WAN, System/Application, Mobile)
![Page 19](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/19.jpg)
Policy Challenges with each domain
High Level Policy Wrap up
User Domain

| Challenge | Mitigation |
| --- | --- |
| Ensuring employees know about policy | Training |
| Getting employees to comply with policy | Enforcement, rewards |
| Not impeding work / productivity | Good policy design |
![Page 20](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/20.jpg)
Policy Challenges with each domain
High Level Policy Wrap up
Workstation Domain

| Challenge | Mitigation |
| --- | --- |
| Preventing security breaches | Technical security controls |
| Not being draconian | Not being draconian |
| Maintaining privacy while ensuring correct use of resources | Use of Windows policies, limit access, secure logging |
![Page 21](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/21.jpg)
Policy Challenges with each domain
High Level Policy Wrap up
LAN Domain (Switch, Server)

| Challenge | Mitigation |
| --- | --- |
| Availability of the network | Acceptable use policy |
| Integrity and confidentiality of data | Technical security controls, use of segmented network |
![Page 22](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/22.jpg)
Policy Challenges with each domain
High Level Policy Wrap up
LAN-to-WAN (DMZ) Domain (Router, Firewall)

| Challenge | Mitigation |
| --- | --- |
| Securing the DMZ | Technical security controls, configuration testing, monitoring and audit |
| Adapting to threats | Monitoring and audit, incident response |
![Page 23](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/23.jpg)
Policy Challenges with each domain
High Level Policy Wrap up
System/Application Domain (Web App Server, Cloud Resources)

| Challenge | Mitigation |
| --- | --- |
| Preventing data breaches | Data loss protection security controls: perimeter monitoring of data in motion, inventory of data at rest, encryption of data outside of secure space |
| Reducing or limiting vulnerabilities | Baking security into the SDLC, failsafes, incident response, risk management |
![Page 24](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/24.jpg)
Policy Challenges with each domain
High Level Policy Wrap up
Mobile Domain

| Challenge | Mitigation |
| --- | --- |
| Securing data | Personally owned device policy, data management protocols |
| Secure remote access | VPN usage, authentication, access control |
![Page 25](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/25.jpg)
Policy Challenges with each domain
High Level Policy Wrap up
WAN

| Challenge | Mitigation |
| --- | --- |
| Reliability | Service level agreement with ISP |
| Speed | Service level agreement with ISP |
| Third party web/cloud application/data security | Service level agreements with web/cloud service provider |
![Page 26](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/26.jpg)
Time for compliance!
Intro to compliance
![Page 27](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/27.jpg)
Intro to compliance
![Page 28](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/28.jpg)
Time for compliance!
Intro to compliance
Definition: Compliance is adhering to [stuff].
![Page 29](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/29.jpg)
Time for compliance!
Intro to compliance
Definition: [stuff] => Laws | Regulations | Standards | Internal Policy
![Page 30](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/30.jpg)
Time for compliance!
Intro to compliance
Standards offer preferential treatment or added value to compliant organizations.
![Page 31](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/31.jpg)
Time for compliance!
Intro to compliance
Laws and regulations mandate compliance and levy external penalties (usually money) for non-compliance.
![Page 32](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/32.jpg)
Time for compliance!
Intro to compliance
Internal policy offers yourself the things you’ve decided are best. Not following them is cognitive dissonance.
![Page 33](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/33.jpg)
US Compliance Laws
Intro to compliance
Despite what you think of Congress, laws ideally codify the good.
![Page 34](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/34.jpg)
Motivations for Law
Intro to compliance
• Three main drivers
  • Consumer Protection, Civil Rights
  • Economic Stability
  • Social Contract (order)
• Drivers usually linked
• Tend to focus more on economics than others
(Diagram of the three drivers: Consumer Protection / Civil Rights, Social Contract, Economic Stability)
![Page 35](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/35.jpg)
U.S. Info. Sec. Laws
Intro to compliance

| Law / Regulation | Applies to | Scope of Governance |
| --- | --- | --- |
| Health Insurance Portability and Accountability Act (HIPAA) | Health care providers, health insurance providers | Applies to privacy of any protected health information |
| Federal Information Security Management Act (FISMA) | All government agencies, all entities that process federal data | Information security (all domains) |
| Gramm-Leach-Bliley Act (GLBA) | Banks, investment companies, financial service providers | Customer data privacy |
| Sarbanes-Oxley Act (SOX) | Public corporations | Financial accuracy and public disclosure to investors |
| Family Educational Rights and Privacy Act (FERPA) | Educational organizations (schools) | Privacy of student records |
| Children’s Internet Protection Act (CIPA) | Federally funded schools and libraries | Access to sexually explicit materials on computers |
| Attempts (SOPA, PIPA) | Nothing | Thank goodness |
![Page 36](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/36.jpg)
US Info. Sec. Laws
Intro to compliance
(or if you are following along later)
http://lmgtfy.com/?q=fisma+filetype%3Apdf
http://lmgtfy.com/?q=hipaa+filetype%3Apdf
http://lmgtfy.com/?q=gramm+leach+bliley+filetype%3Apdf
![Page 37](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/37.jpg)
(some) U.S. Info. Sec. Industry Standards
Intro to compliance

| Standard | Applies to | Scope of Governance |
| --- | --- | --- |
| PCI-DSS | Payment card industry (almost everyone) | Regulates transaction, point of sale system, and network security |
| Common Criteria (ISO/IEC 15408) | Organizations that want to certify their systems or products | A system or set of systems in an org., e.g. Windows XP is CC certified |
| ITIL (Information Technology Infrastructure Library), ISO/IEC 20000 | Businesses with IT seeking best practices; typically large companies | All IT in an organization |
| ISO/IEC 27000 series (Information Technology Security Techniques, Code of Practice for Information Security Management) | Organizations that want a security certification to show their customers and clients | All information security elements of an organization |
![Page 38](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/38.jpg)
US Info. Sec. Laws
Intro to compliance
…you get the idea (hint: go look them up)
![Page 39](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/39.jpg)
Intro to compliance
Context: Competing Goals
(Diagram: Security Policies sit between three stakeholders, each with its own goal)
• Security Team: Squash all the Bugs! Mitigate all the vulnerabilities!
• Regulators: Protect Consumer and Public Interest
• Shareholders: Maximize Profit, Minimize Loss
![Page 40](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/40.jpg)
Intro to compliance
Good when goals align...
![Page 41](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/41.jpg)
Intro to compliance
Determine Compliance Requirements
I promised...
![Page 42](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/42.jpg)
Intro to compliance
First identify laws that you need to comply with.
Determine Compliance Requirements
![Page 43](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/43.jpg)
Intro to compliance
Next identify industry regulations you want to comply with.
Determine Compliance Requirements
![Page 44](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/44.jpg)
Intro to compliance
Both of these identifications should be integrated into an organizational risk assessment.
Determine Compliance Requirements
![Page 45](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/45.jpg)
Intro to compliance
Now examine and integrate security controls suggested/required by the selected laws/standards.*
Determine Compliance Requirements
![Page 46](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/46.jpg)
Intro to compliance
*This is a big task
Determine Compliance Requirements
![Page 47](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/47.jpg)
Intro to compliance
…so big we should probably stop here
![Page 48](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/48.jpg)
Reading
Brotby 3 and 7
![Page 49](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/49.jpg)
Next Time
Continue this lecture
![Page 50](https://reader034.fdocuments.in/reader034/viewer/2022050309/5f717334d3e671479b661656/html5/thumbnails/50.jpg)
Questions?
Matt Hale, PhD, University of Nebraska at Omaha
Assistant Professor of Cybersecurity, [email protected]
Twitter: @mlhale_
All else © 2014-2017 Matthew L. Hale
Some material © 2013 Jones and Bartlett Learning, LLC