Keeping Up with Government Regulations
HIPAA. SOX. GLBA. Today, the information security field is filled with a veritable alphabet soup of government regulations, and the list continues to grow.
How do those in the field keep up with these regulations? The answer likely varies from person to person, but there are some common suggestions of where to find information on government regulations. Before you begin, however, it’s helpful to review a short list of some of the better-known regulations.
Perhaps the best-known regulation to those in the information security field is the Health Insurance Portability and Accountability Act (HIPAA), which covers a wide range of topics related to medical information. What pertains to information security professionals is the requirement that organizations take steps to maintain any health-related data in a secure and private fashion. One of the best sources for information on HIPAA is here: http://www.hipaa.org.
Another well-known regulation is the Sarbanes-Oxley Act of 2002 (SOX), which was passed in an effort to prevent future corporate scandals such as those that happened at Enron and WorldCom. Section 404 of SOX deals with information security, specifically, maintaining the integrity of all accounting and financial data within an organization. More information about SOX can be found at http://www.sox-online.com/.
The last well-known government regulation is the Gramm-Leach-Bliley Act of 1999 (GLBA), whose primary focus was to change the regulations on what services financial institutions were allowed to offer. Part of the act is the Safeguards Rule, which requires financial institutions to document the steps they have taken to secure their customers’ private data, including some details on what the document must contain. Frequently asked questions about GLBA can be found at http://www.ftc.gov/privacy/glbact/glb-faq.htm.
How can an information security professional keep up with these and new regulations? Many sources are available, the first (of course) being the government itself.
Part of the Library of Congress’ Web site, http://thomas.loc.gov/, allows you to search all laws Congress has enacted. Details on any of the related regulations can be found here. The only drawback to this site is that the original text of the regulations was not written with the average person in mind.
One of the best sources for information security information in general and, more specifically, government regulations is SecurityFocus (http://www.securityfocus.org). This site maintains information on all security-related topics, including government regulations. In addition, the organization sponsors many security-related mailing lists.
Another good source of information is SearchSecurity.com (http://www.searchsecurity.com). As with SecurityFocus, it is a great source of information for all areas of information security. SearchSecurity.com offers many newsletters that discuss a wide range of security topics. Many times, these newsletters talk about specifics of different regulations.
Finally, there are the common search engines. It would be nearly impossible to cover every possible Web site that provides information on the different regulations, but a search with any of the popular search engines returns many hits for each topic. Of course, the quality of these sites varies, so care must be taken when relying on them.
Steve Fletcher has more than 10 years of experience as an IT consultant with a focus on information security. He can be reached at editor (at) certmag (dot) com.