
INFORMATION SECURITY STANDARDS

INTRODUCTION
Information security plays an important role in protecting the assets of an organization. Since no single formula can guarantee 100% security, a set of benchmarks or standards is needed to help ensure that an adequate level of security is attained, that resources are used efficiently, and that the best security practices are adopted.

Domain Specific Standards


- COBIT (Control Objectives for Information and Related Technology)
- HIPAA (Health Insurance Portability and Accountability Act)
- PCI DSS (Payment Card Industry Data Security Standard)

What is COBIT?

Control Objectives for Information and Related Technology
- It is a road map to good IT governance
- Accepted globally as a set of tools that ensures IT is working effectively
- Provides a common language to communicate goals, objectives and expected results to all stakeholders
- Based on, and integrates, industry standards and good practices in:
  - Strategic alignment of IT with business goals
  - Value delivery of services and new projects
  - Risk management
  - Resource management
  - Performance measurement

COBIT Framework 4.1


34 IT processes, grouped into 4 domains:
- Plan and Organize (PO): provides direction to solution delivery (AI) and service delivery (DS)
- Acquire and Implement (AI): provides the solutions and passes them on to be turned into services
- Deliver and Support (DS): receives the solutions and makes them usable for end users
- Monitor and Evaluate (ME): monitors all processes to ensure that the direction provided is followed

Benefits of implementing COBIT


- A common language for executives, management and IT professionals
- A better understanding of how the business and IT can work together for successful delivery of IT initiatives
- Improved efficiency and optimization of cost
- Reduced operational risk
- Clear policy development
- More efficient and successful audits
- Clear ownership and responsibilities, based on process orientation

Used by Organizations Worldwide

HIPAA is the Health Insurance Portability and Accountability Act of 1996. It comprises:
- Insurance Portability
- Fraud Enforcement (Accountability)
- Administrative Simplification

Privacy Rule
Establishes mandatory guidelines regarding the use and disclosure of PHI (Protected Health Information).

Security Rule
Establishes requirements to protect the confidentiality, integrity and availability of PHI that is created, maintained or transmitted in electronic format.

Security of Information
- Protected Health Information (PHI): individually identifiable health information (IIHI) that is held or disclosed by a covered entity and that can be communicated electronically, verbally or in writing.
- Electronic Protected Health Information (EPHI): protected health information (PHI) that is transmitted by electronic media or maintained in electronic media.
- Sensitive Data: protected health information that can be used to determine the identity of an individual and/or their diagnosis.

Security Rule
- Administrative safeguards: administrative actions, policies and procedures to manage the selection, development, implementation and maintenance of security measures to protect electronic PHI.
- Physical safeguards: physical measures, policies and procedures to protect electronic information systems and related buildings and equipment from natural and environmental hazards, including unauthorized intrusion.
- Technical safeguards: the technology, and the policies and procedures for its use, that protect electronic PHI and control access to it.

HIPAA Compliance

PCI DSS
Payment Card Industry Data Security Standard. It is an information security standard for organizations that handle cardholder information for the major debit, credit, prepaid and ATM cards. The standard consists of 12 core requirements, which cover security management, policies, procedures, network architecture, software design and other critical measures.

PCI DSS Requirements

1. Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters

2. Protect Cardholder Data
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks

3. Maintain a Vulnerability Management Program
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications

PCI DSS Requirements (contd.)

4. Implement Strong Access Control Measures
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data

5. Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes

6. Maintain an Information Security Policy
- Maintain a policy that addresses information security

Bank of India
Achieved PCI DSS compliance for its debit card environment, and claims to be the first Indian bank to do so.

TimesOfMoney
A leading online remittance and payment service provider that obtained PCI DSS certification.

THANK YOU!!
