In: Operations Management
The purpose of this assignment is to develop a security program aligned with regulatory compliance and security control frameworks.
Select a company for the focus of your assignment. Using the following, map the standard controls to the regulatory compliance that would be appropriate for the organization:
On the template, map the regulatory rules (one per line) and security controls (as many per line as necessary). List an enforcement or measurement policy, procedure(s), or process to audit the rule/controls applied.
Write a 500-word summary that defines the regulatory compliance and security controls and includes the following information:
Submit the Word document and the completed "Security Controls Mapping Template."
Prepare this assignment according to the guidelines found in the APA Style Guide, located in the Student Success Center. An abstract is not required.
Compliance and regulatory frameworks are sets of guidelines and best practices. Organizations follow these guidelines to meet regulatory requirements, improve processes, strengthen security, and achieve other business objectives (such as becoming a public company, or selling cloud solutions to government agencies).
These frameworks give us a common language that can be used from the server room to the boardroom. These standards are leveraged by:
Internal auditors and other internal stakeholders to evaluate the controls in place within their own organization.
External auditors to evaluate and attest to the controls in place within an organization.
Third parties (potential customers, investors, etc.) to evaluate the potential risks of partnering with an organization.
HIPAA, the Health Insurance Portability and Accountability Act, sets the standard for protecting sensitive patient data. Any company that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed.
This includes covered entities (CE), anyone who provides treatment, payment and operations in healthcare, and business associates (BA), anyone with access to patient information who provides support in treatment, payment or operations. Subcontractors, or business associates of business associates, must also be in compliance.
The HIPAA Privacy Rule addresses the storing, accessing and sharing of an individual's medical and personal information, while the HIPAA Security Rule more specifically outlines national security standards to protect health data created, received, maintained or transmitted electronically, also known as electronic protected health information (ePHI).
If you're hosting your data with a HIPAA compliant hosting provider, they must have certain administrative, physical and technical safeguards in place, according to the U.S. Department of Health and Human Services. The physical and technical safeguards are most relevant to services provided by your HIPAA compliant host as listed below, with detail on what constitutes a HIPAA compliant data center.
Audit reports, or tracking logs, must be implemented to keep records of activity on hardware and software. This is especially useful for pinpointing the source or cause of any security violations.
A supplemental act was passed in 2009 called the Health Information Technology for Economic and Clinical Health (HITECH) Act, which supports the enforcement of HIPAA requirements by raising the penalties on health organizations that violate the HIPAA Privacy and Security Rules. The HITECH Act was formed in response to health technology development and the increased use, storage and transmission of electronic health information.