In effect this means that any business that maintains personal information of a resident of California must have the appropriate provisions and capabilities to know when this information may have been accessed by an unauthorized person. This bill adds to a long line of bills that focus on privacy, but stresses not just the need for privacy but also the need for effective controls that will allow one to know when access control has been compromised and data has been accessed in an unauthorized manner.
11.2 Understand business needs and map to technical requirements
Regulations and other privacy requirements do not typically define precisely what types of technologies need to be implemented (although there are exceptions; e.g., HIPAA includes wording such as “Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate”). Some regulations actually go out of their way to not mention any technical implementation detail, and this makes them open to interpretation and more difficult for you in that you need to decide what you need to implement and how. For example, interpretations of SOX regarding what type of technical provisions should be implemented can range widely. Other regulations like HIPAA tend to be a little more specific and define the types of technologies that should be implemented. But even in HIPAA you can find wording such as the following, defining risk management requirements—“Implement security measures and implementations that reduce risks and vulnerabilities to a reasonable and appropriate level”—motherhood and apple pie! In most of these cases you will be asked to suggest a set of concrete implementation options to bring your organization into compliance with these regulations. This mapping is critical because, on the one hand, you need to implement a set of provisions that will comply with regulations (and will withstand a possible external audit), and on the other hand, you need to come up with a set that is implementable, does not cost an arm and a leg, and does not disrupt the smooth operation of the organization.
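As an added illustration of such a mapping (example code written for this page, not taken from the book): the requirement stated earlier, to know when personal information has been accessed by an unauthorized person, becomes a concrete control once the tables holding that information are tagged, an authorization policy records which principals may read them, and the database audit trail is replayed against that policy. The table names, principals, audit-line format and log lines below are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime

# Tables whose rows hold personal information in scope of the regulation (constructed names).
PERSONAL_DATA_TABLES = {"customers", "patient_records"}
# Authorization policy, principal -> tables it may read (constructed). The DBA account
# administers the database but has no business need to read these rows.
POLICY = {"billing_app": {"customers"}, "clinical_app": {"patient_records"}, "dba_alice": set()}
READ_ACTIONS = {"SELECT", "EXPORT"}  # actions that expose row contents; writes/DDL out of scope

@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    principal: str
    action: str
    table: str
    rows: int

def parse_audit_line(line: str) -> AuditEvent:
    """Parse '<iso-timestamp> <principal> <ACTION> <table> rows=<n>' (constructed format)."""
    ts, principal, action, table, rows = line.split()
    return AuditEvent(datetime.fromisoformat(ts), principal, action.upper(),
                      table, int(rows.split("=", 1)[1]))

def unauthorized_personal_data_access(lines):
    """Return the audit events that read personal data outside the policy.
    Unknown principals fail closed: they are never authorized."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_audit_line(line)
        if ev.table not in PERSONAL_DATA_TABLES or ev.action not in READ_ACTIONS:
            continue
        if ev.table not in POLICY.get(ev.principal, set()):
            findings.append(ev)
    return findings

# Constructed audit trail: the dba_alice and unknown_svc reads should be flagged.
SAMPLE_AUDIT_TRAIL = """\
2024-03-01T09:00:00 billing_app SELECT customers rows=120
2024-03-01T09:05:00 clinical_app SELECT patient_records rows=3
2024-03-01T23:41:00 dba_alice SELECT customers rows=50000
2024-03-01T23:42:00 unknown_svc EXPORT patient_records rows=9000
2024-03-02T08:00:00 billing_app UPDATE customers rows=1
""".splitlines()

if __name__ == "__main__":
    for ev in unauthorized_personal_data_access(SAMPLE_AUDIT_TRAIL):
        print(f"{ev.ts.isoformat()} {ev.principal} read {ev.rows} rows from {ev.table}: not permitted")
```

The same replay gives the accountability record an auditor asks for: every finding carries who read what, when, and how many rows, which is the evidence the notification decision rests on.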
It is surprising how difficult it can be to translate regulations and business requirements into technical action items. HIPAA is one of the most specific regulations, and even in this case mapping is difficult. HIPAA requires that technical measures for securing private patient information are integrated into the organization's information systems and that auditing of this access is supported. It goes on to define various categories that must be addressed, including authentication, authorization, accountability, integ-