Regulatory compliance requirements are directives established by United States federal government agencies that summarize hundreds of federal laws and regulations.
Compliance is either a state of being in accordance with established guidelines or specifications, or the process of becoming so. Software, for example, may be developed in compliance with specifications created by a standards body, and then deployed by user organizations in compliance with a vendor’s licensing agreement. The definition of compliance can also encompass efforts to ensure that organizations are abiding by both industry regulations and government legislation.
Compliance is a prevalent business concern, partly because of an ever-increasing number of regulations that require companies to be vigilant about maintaining a full understanding of their regulatory compliance requirements.
When regulatory compliance is applied to IT, the regulations cover two different aspects of operations: internal requirements that the IT organization sets for itself, and compliance standards set forth by external entities. Both types affect IT operations and can restrict what an agency can and cannot do.
DTS compliance requirement documentation:
- DTS Policies
- DTS Procedures
- DTS Public Standards
- DTS Secure Standards
- Safeguard Computer Security Evaluation Matrix
Requirements
Health Insurance Portability and Accountability Act of 1996 (HIPAA) www.hhs.gov
HIPAA was enacted by the United States Congress and signed by President Bill Clinton in 1996. Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.
Internal Revenue Service (IRS) – IRS Publication 1075 www.irs.gov/pub/irs-pdf/p1075.pdf
Publication 1075 is the Tax Information Security Guidelines for Federal, State and Local Agencies. It covers how Federal Tax Information (FTI) data should be handled and protected.
Social Security Administration (SSA) http://www.ssa.gov
Government Information Exchange (GIX) Systems Security – FISMA guidance requires SSA to enforce security requirements on outside entities with access to federal information and/or federal systems – regardless of the method of access. SSA meets this requirement by ensuring that outside entities comply with SSA’s Information System Security Guidelines for Federal, State, and local agencies receiving electronic information from SSA.
Personally Identifiable Information (PII)
PII is information that can be used to uniquely identify, contact, or locate a single person, or that can be combined with other sources to uniquely identify a single individual. The abbreviation PII is widely accepted, but the phrase it abbreviates has four common variants built from personal/personally and identifiable/identifying. The U.S. government used the term “personally identifiable” in a 2007 memorandum from the Executive Office of the President, Office of Management and Budget (OMB), and that usage now appears in U.S. standards such as the NIST Guide to Protecting the Confidentiality of Personally Identifiable Information (SP 800-122). www.nist.gov
Payment Card Industry Data Security Standards (PCI DSS) www.pcisecuritystandards.org
PCI DSS is a comprehensive security standard that establishes common processes and controls for handling, processing, storing and transmitting cardholder data. It is intended to protect cardholder data wherever it resides, whether stored, processed or transmitted, and compliance has been mandated by the card brands since June 2001.
Criminal Justice Information Service (CJIS) https://ucjis.ps.utah.gov
The CJIS Division is a component of the U.S. Federal Bureau of Investigation (FBI) and is the largest division in the FBI. Its mission is to equip U.S. law enforcement, national security, and intelligence community partners with the criminal justice information they need to protect the U.S. while preserving civil liberties. More generally, a criminal justice information system is the equipment, facilities, procedures, agreements, and organizations accepted and adopted for the collection, processing, preservation, or dissemination of criminal history record information. In each state such a system is maintained by a designated state agency (the CJIS Systems Agency), typically the state Department of Justice or Department of Public Safety; the URL above is Utah's UCJIS portal. The operations of the system may be performed manually or by using electronic computers or other automated data processing equipment.
Federal Information Security Management Act (FISMA) www.nist.gov
FISMA is United States legislation that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats. FISMA was signed into law as Title III of the E-Government Act of 2002. FISMA assigns responsibilities to various agencies to ensure the security of data in the federal government. The act requires program officials and the head of each agency to conduct annual reviews of information security programs, with the intent of keeping risks at or below specified acceptable levels in a cost-effective, timely and efficient manner.
The Health Information Technology for Economic and Clinical Health Act (HITECH) Act http://waysandmeans.house.gov/media/pdf/110/hit2.pdf
HITECH requires the federal government to take a leadership role in developing, by 2010, standards that allow for the nationwide electronic exchange and use of health information to improve quality and coordination of care. The legislation also provides immediate funding for health information technology infrastructure, training, dissemination of best practices, telemedicine, inclusion of health information technology in clinical education, and state grants to promote health information technology.
The Family Educational Rights and Privacy Act (FERPA) www.ed.gov/policy/gen/guid/fpco/ferpa/index.html (20 U.S.C. § 1232g; 34 CFR Part 99)
FERPA is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.