Presented by Realtimepublishers
Latest Articles on Realtime IT Compliance

All of the following articles are exclusive to the Realtime-IT Compliance Community, and authored by IT Compliance expert and Community leader Rebecca Herold. These articles are available to Realtime-IT Compliance Community members. Membership is free; simply click the Get a Free Account link above for access.

Articles:

Security and Privacy Contract Clause Considerations
What Healthcare Organizations Need to Know About HIPAA, Minors and Privacy
State-Level Breach Notice Laws as of June 7, 2006
What IT Needs to Know About Compliance
Privacy, Compliance and International Data Flows
What Businesses Need To Know About Compliance
Managing Mobile Computing Risks
ISMS Certification in the United States
Addressing the Risks of Outsourcing
Data Retention Compliance
Do Compliance Requirements Help or Hurt Information Security?
How Encryption Supports Compliance
The Evolution of BS7799 to ISO27001 and ISMS Certifications
U.S. Federal Data Privacy Bills


White Papers:

Top Ten IT Compliance Reports
The Fusion of Compliance and Risk Management
Automating IT Security Audits to Ensure Compliance
Achieving Unified Compliance with NetIQ


Articles:

Security and Privacy Contract Clause Considerations

Compliance :: When you entrust business partners and vendors with your company’s confidential data, you are also entrusting them with all control of security measures for your organization’s data. That trust cannot be blind. Many recent privacy and security incidents have resulted from inadequate privacy and/or security practices within outsourced organizations handling another company’s customer or employee data.  Christopher Grillo and I discuss this topic at length in our two-day information security and privacy workshop.  This paper covers the issues we discuss in addition to a table we created for our workshop that lists the types of information security and privacy requirements that should be included within contracts with third parties.  The table has been very helpful for organizations addressing outsourcing and partnering security and privacy issues, so we are making it available in the hope it will also be helpful to you.


What Healthcare Organizations Need to Know About HIPAA, Minors and Privacy

Compliance :: The Health Insurance Portability and Accountability Act (HIPAA) has some specific requirements related to handling the protected health information (PHI) for minors and for the types of access that can be allowed to this information, even to parents and guardians. Many state-level laws also have requirements for restricting parental and guardian access to minors’ PHI under certain conditions. With the commonplace practice of allowing individuals access to their account information via Internet applications, particularly among health insurance companies and pharmacies, it is important that covered entities consider the issues and impacts of providing access to the PHI of minors through such automated means as well as in person. This paper provides information about the issues organizations, such as healthcare insurers, healthcare providers and pharmacies, need to address when establishing ways to restrict access to minors' PHI.


State-Level Breach Notice Laws as of June 7, 2006

Compliance :: There are many resources throughout various locations on the Internet that have listings of state-level breach notice laws. Unfortunately most are not up-to-date, and often they are not presented in a format that can serve as a quick reference. I have found it most helpful to have a basic listing of all the state breach notice laws, along with the effective date for each. As of June 7, 2006, I have found 32 state-level breach notice bills that have been signed into law, with the exception of the bill in Hawaii, which has been enrolled to the governor. I have created a table to serve as a handy reference to these laws and their corresponding effective dates. My goal is to keep this up-to-date and repost whenever new laws are signed.


What IT Needs to Know About Compliance

Compliance :: Businesses must always be vigilant about data security, particularly in the global information-based economy. Businesses are dependent upon information technology (IT). The risks that are an inherent part of IT make it necessary for IT leaders and IT personnel to know the data protection laws and regulations more than ever before. It is with this knowledge that they can incorporate information security and privacy within all the IT processes, throughout the entire systems development life cycle (SDLC).  I discuss these issues, and the IT issues within a wide range of U.S. and international laws and regulations, within this article.


Privacy, Compliance, and International Data Flows

Compliance :: In this information technology (IT) and communications revolution, computers are more mobile and more powerful than ever before. Information is shared more easily, more quickly, and in more ways than previously possible. One voice-activated command can send a message or document to many different locations throughout the world in milliseconds. This revolution certainly has improved business efficiency and expediency.  However, it has also created potential threats to the privacy of personal information and violations of new and emerging data protection laws.  In this article I discuss privacy, compliance and international data flow issues and what organizations need to do to address them.


What Businesses Need to Know About Compliance

Compliance :: I think often this whole concept of "compliance" is rather nebulous and fuzzy. I see different vendors referencing it in different ways. I hear different practitioners worrying about different things. I wanted to speak with some IT compliance professionals with significant experience to see how they are handling this "compliance" responsibility. I wanted to get the viewpoint of not only a practitioner responsible for an organization's compliance efforts, but also a consultant who has worked with a wide range of organizations to see where the compliance efforts, successes and challenges are greatest. On April 17, I had the opportunity to speak with two such folks, Chris Pick, Vice President of Corporate Strategy at NetIQ, and Wayne Crane, CIO, also from NetIQ about a wide range of compliance issues, and what—from their perspectives and based on their experiences—they believe businesses need to know about the whole concept of compliance. As a publicly traded company, NetIQ must themselves meet the same strict regulatory requirements, such as SOX, as many other organizations, so it was interesting to hear their thoughts.

Managing Mobile Computing Risks

Information Security :: As demonstrated over and over again throughout the past several months, mobile computing devices and storage media present a huge risk to business and personal information. Because of the very portability of these devices, organizations are entrusting the security of the information stored upon them to the hands of the people using them. It is vital that an effective mobile computing device and storage media security management program be in place. This paper discusses the issues involved.

ISMS Certification in the United States

Standards :: Significantly fewer United States-based organizations are pursuing formal ISMS certification than in many other countries. In this article, I share my discussions with 10 chief information security officers (CISOs) from U.S.-based organizations about whether they are going to pursue ISMS certification and why. I also share the feedback given to me from a U.S.-based ISMS certification preparer group.

Addressing the Risks of Outsourcing

Information Security :: When you entrust business partners with your company’s confidential data, you are placing all control of security measures for your organization’s data completely into their hands. That trust cannot be blind. Many recent security incidents have resulted from inadequate security practices within outsourced organizations handling another company’s customer or employee data.


Data Retention Compliance

Compliance :: Many laws and regulations exist throughout the world that require specific retention time periods and associated safeguards for a wide range of data types. Organizations need to be aware of these data retention requirements and plan to meet the compliance challenges.


Do Compliance Requirements Help or Hurt Information Security?

Compliance :: I discussed this issue with seven seasoned information security and privacy professionals to get their opinions about whether regulatory compliance requirements help or hurt information security initiatives. They were wholly in agreement that compliance can help or hurt information security and associated initiatives depending upon the culture of the organization. Key points from each of them are included in the following discussions of how compliance helps and hurts information security.


How Encryption Supports Compliance

Compliance :: Encryption is an underutilized security tool. Facing the infinite number of today’s risks, threats, and vulnerabilities, encryption can effectively keep unauthorized individuals and systems from accessing sensitive information and thwart many types of attacks. In today’s business environment—with sensitive information being stored in multiple locations, many of them mobile—encrypting information is an effective privacy safeguard organizations can add to their arsenal of protection tools.


The Evolution of BS7799 to ISO27001 and ISMS Certifications

Standards and Certification :: Growing numbers of laws and regulations are being passed and implemented throughout the world. Such legislation has justifiably captured the attention of business leaders who are now more seriously considering how to meet compliance regulations and perform information security due diligence than ever before. Establishing an effective information assurance program to incorporate information security into business activities is now high on the executives’ to-do list.


U.S. Federal Data Privacy Bills

Privacy :: With most of the states in the United States having passed privacy breach notification legislation, and several federal breach notification bills of various flavors looming on the horizon, the issue of how to not only better protect personal information but also respond to breaches of personal information certainly should be on organizations’ radar. There was a spate of bill-writing activity during the summer of 2005, just before the August U.S. Congress recess, and personal information security was at the top of the agenda. Three federal bills were proposed at that time addressing the protection of personal information.


White Papers

Top Ten IT Compliance Reports

White Paper :: Many of today’s regulations can be broken down into a common set of organizational, managerial and technical controls that, if addressed as discrete elements, can satisfy similar requirements across numerous regulations. With this in mind, by wrapping a distinct number of regularly repeated activities and reporting into their security processes, organizations can take a huge step in their compliance activities. This white paper presents the Top 10 IT Compliance Reports that can help organizations address their compliance and risk management requirements, as well as how and where NetIQ’s Knowledge-Based Service Assurance solutions can aid in creating an automated infrastructure to repeatedly and easily create those reports.


The Fusion of Compliance and Risk Management

White Paper :: Many IT departments and security officers strive to implement successful policy compliance programs. These programs are often designed to satisfy regulatory and audit-related requirements to protect the integrity of financial reporting or other critical information (e.g., pharmaceutical trial results, operational data) or to prevent the loss of sensitive information (e.g., health information, customer records, credit card numbers). Consequently, these programs serve a vital purpose in business today. Unfortunately, many attempts are fraught with problems that produce less than satisfactory results. This white paper describes an effective approach for IT compliance – NetIQ’s compliance and risk management methodology – and how to leverage NetIQ’s methodology and solutions to consistently achieve better results.


Automating IT Security Audits to Ensure Compliance

White Paper :: Most auditors today are relying on or, in many cases, reporting on the effectiveness of IT security. IT security is a large part of the general controls structure, enabling auditors to rely on automated controls in applications such as financial reporting systems. Moreover, IT auditors and compliance professionals are often responsible for performing security audits in order to identify policy and regulatory compliance issues (e.g., Sarbanes-Oxley, Basel II Accord) and unacceptable risks. Unfortunately, performing IT security audits is often difficult and time-consuming and requires significant technical expertise. The expertise alone is often hard to find and, when it is available, it must scale to meet the needs of the business and clients. As a result, manual procedures for auditing IT security do not suffice. This white paper describes the drivers for better IT security auditing, the problems with current approaches, and how to leverage NetIQ Vulnerability Manager to automate IT security audits on key distributed platforms.


Achieving Unified Compliance with NetIQ

White Paper :: With the widening focus on information security, organizations face a number of compliance requirements from state and federal agencies, customers and suppliers, and even credit card companies. Having met the initial compliance requirements, organizations are just now coming to recognize the full significance and cost of their compliance programs. Setting up compliance and control processes has been time-consuming and labor-intensive for many organizations, creating a drag on the bottom line. Analysts estimate that spending for compliance programs will top $15 billion in 2005. This realization is driving the need for a single approach to multiple compliance drivers and the use of more automation. The term that is emerging is “Unified Compliance.” This white paper takes a close look at the aspects of Unified Compliance that can be addressed with NetIQ solutions. With NetIQ, companies can implement and manage controls that make compliance programs sustainable and repeatable, while gaining visibility into sources of vulnerability and risk exposure.


Latest eBooks on Realtime IT Compliance

The Practical Guide to Compliance and Security Risks

Do you know how to protect customer data and secure your infrastructure? Have you done everything necessary to prove compliance—with HIPAA and the Sarbanes-Oxley Act in the United States as well as international laws and regulations? In The Practical Guide to Compliance and Security Risks, industry expert Rebecca Herold provides in-depth explanations about how security professionals can fulfill their responsibilities to balance compliance while meeting business goals. Get the insight you need to assure compliance, secure your assets, and manage your IT risks.




All of these articles and eBooks are available to Realtime-IT Compliance Community members. Membership is free; simply click the Get a Free Account link above or log in here for access.