Government

The Need for Government Security Compliance

As the digital economy progresses and governments incorporate more and more information technology to increase productivity and improve information access, cybersecurity threats have proliferated, and government data-security compliance has become increasingly important yet difficult to achieve.

The government mandates encryption, and major government security compliance regulations such as FISMA, NIST 800-53, FIPS 140 (up to level 3), and Common Criteria need to be part of any government data-security solution. And, as data moves to the cloud, government agencies need to comply with FedRAMP. Finally, depending on the government agency, HIPAA-HITECH and PCI DSS may also be important.

PCI DSS Requirements

Any organization that plays a role in processing credit and debit card payments must comply with the strict PCI DSS requirements for the processing, storage and transmission of account data. And, while PCI DSS requirements aren’t new, organizations’ technological environments and the threats that have to be combated continue to evolve, as do the PCI DSS guidelines.

PCI DSS 3.2.1 requirements relevant to data security include the following:

  • Protect cardholder data at rest
  • Encrypt cardholder data in motion
  • Restrict access to cardholder data
  • Identify and authenticate access to systems storing cardholder data
  • Track and monitor all access to cardholder data

FedRAMP

The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. It is important that Federal Government agencies and their suppliers meet these FedRAMP compliance standards.

HIPAA

The HIPAA Security Rule requires healthcare organizations to use appropriate safeguards to ensure that electronic protected health information (ePHI) remains secure, and the HITECH Act, which expands the HIPAA encryption compliance requirement set, requires the timely disclosure of data breaches.

For many healthcare organizations, one of the most daunting aspects of complying with HIPAA and HITECH has been adhering to the Privacy Rule. Applying encryption solutions that protect patient data from all but a defined set of uses – and within the prescribed EDI transaction sets – has proven to be a significant IT challenge. An effective implementation must not only be secure and adhere to these transaction standards but must also be manageable within the organization’s IT framework.