Security, Privacy and Compliance

Whether you are meeting the demand for better security and privacy protection, or are required to comply with mandates from your industry or government, our team works with partners and applies our years of experience to get you to your goal.

The estimated number of companies that are compliant with industry mandates varies with industry. Below are some recent estimates from security-focused research.

50% GDPR compliant
21% HIPAA compliant
70% NIST 800-171 compliant
PCI compliant

GDPR

Whether you do business in the EU or not, your network reach may inadvertently collect information on European citizens. You can be held accountable for the storage or loss of that information.

HIPAA

It is estimated that fewer than 25% of small medical practices and service companies are using HIPAA-compliant management software and data storage.

NIST 800-171

Required by DFARS 252.204-7012, NIST's publication of security and privacy standards should be implemented at every DoD contractor's office and applies to all information systems and infrastructure that may store, transmit or process CUI.

SOX, G-L-B

Born of the financial crises of the past few years, protection of data, reporting of incidents and other mandates are required of financial institutions, publicly traded companies and the companies that serve them.

PCI/DSS

The payment card industry created this self-imposed standard to protect the personally identifiable information of people who use credit cards, debit cards and other financial instruments.

GDPR

General Data Protection Regulation

The General Data Protection Regulation (EU) 2016/679 ("GDPR") is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control to individuals over their personal data.

Controllers of personal data must put in place appropriate technical and organizational measures to implement the data protection principles. Business processes that handle personal data must be designed and built with these principles in mind, must provide safeguards to protect the data, and must use the highest possible privacy settings by default, so that the data is not made publicly available without informed consent and cannot be used to identify a subject.

No personal data may be processed unless it is done under a lawful basis specified by the regulation, or unless the data controller or processor has received an unambiguous and individualized affirmation of consent from the data subject. 

The data subject has the right to revoke this consent at any time.

A processor of personal data must clearly disclose any data collection, declare the lawful basis and purpose for data processing, and state how long data is being retained and if it is being shared with any third parties or outside of the EEA. Data subjects have the right to request a portable copy of the data collected by a processor in a common format, and the right to have their data erased under certain circumstances. Public authorities, and businesses whose core activities centre around regular or systematic processing of personal data, are required to employ a data protection officer (DPO), who is responsible for managing compliance with the GDPR. Businesses must report any data breaches within 72 hours if they have an adverse effect on user privacy. In some cases, violators of the GDPR may be fined up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater.


HIPAA

Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act of 1996 (HIPAA; Pub.L. 104–191, 110 Stat. 1936, enacted August 21, 1996) was enacted by the United States Congress and signed by President Bill Clinton in 1996. It was created primarily to modernize the flow of healthcare information, stipulate how Personally Identifiable Information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and address limitations on healthcare insurance coverage. The Act consists of five Titles. Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. Title III sets guidelines for pre-tax medical spending accounts, Title IV sets guidelines for group health plans, and Title V governs company-owned life insurance policies. 

The Health Information Technology for Economic and Clinical Health Act (HITECH) was created in 2009 as a way to encourage the creation of new technologies to improve the portability of Electronic Health Records and includes specific requirements for the protection of personally identifiable information and specifically the protection of electronic Personal Health Information (ePHI). 

NIST 800-171

Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations

The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its assigned missions and business operations. This publication provides federal agencies with a set of recommended security requirements for protecting the confidentiality of CUI when such information is resident in nonfederal systems and organizations; when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; and where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category or subcategory listed in the CUI Registry. The security requirements apply to all components of nonfederal systems and organizations that process, store, or transmit CUI, or that provide security protection for such components.

The Defense Federal Acquisition Regulation Supplement clause DFARS 252.204-7012 made this a requirement of all new contracts beginning in 2015, but the requirement was not actually implemented until 2017.

Financial Regulations

Gramm-Leach-Bliley
Sarbanes-Oxley

The financial regulations rising out of the crises of 2008 and other events have made it more difficult to manage the information of companies and their clients, but they are designed to improve security and to ensure the proper handling and destruction of personal data.

PCI/DSS

Credit Card Regulations

The credit card industry developed its own standards for protecting personal financial information and mandates how that information is stored, managed, transmitted and destroyed. Meeting compliance is a requirement for being allowed to handle the financial information at all. Through careful design of how the data is handled and managed, compliance and the protection of personal data are assured.