by Brad Wilson, CPP
It seems like the three branches of our federal government can be equal-opportunity headaches when it comes to creating rules, regulations, and rulings that create challenges for the integrator. Four recent examples are the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act and Homeland Security Presidential Directive 12. Keeping up with the whys, whats, whens and hows of these gems of regulatory wisdom is getting to be a full-time hobby for us all!
Given their number, scope and complexity, it's a big job to fully understand the requirements and implications of these new laws. However, for anyone whose responsibilities include security in their organization, it is extremely important to do so. To help out, future issues of the Integrator will feature examples of industry Best Practices and Lessons Learned from life in the regulatory jungle. In this issue, I'll start us off with a discussion of some of the major developments that have occurred in recent years.
HSPD12 Driving Convergence of Physical and IT Security
During the last several years two major events have had a powerful and continuing impact on security-related issues. The first of these of course is 9/11, and the subsequent creation of the Department of Homeland Security. The other is the passage of regulations such as Sarbanes-Oxley and HIPAA, which have resulted in the need to leverage technology, including security systems such as access control, to meet compliance and reporting requirements.
Homeland Security Presidential Directive (HSPD) 12, issued in August 2004, is not only having an immediate impact on government agencies and contractors, but is speeding the convergence of physical and IT security. This convergence will undoubtedly result in important benefits in the months and years ahead.
HSPD 12 requires “a mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors (including contractor employees).” As a result of this directive, for the first time a single standardized credential is required for access to both federal facilities as well as information systems.
This move to tighten federal security through integration of physical and IT access control processes is already beginning to bleed over to the private sector. Regulations such as Sarbanes-Oxley and Gramm-Leach-Bliley, which are driving much higher levels of accountability and the need to know who has access to both physical facilities and IT systems, are also accelerating the need for a common identification process. I believe these developments are paving the way for new solutions that will close security gaps between physical and IT security. (For more information on convergence, I invite you to read the “Why Convergence?” article in this issue of the Integrator.)
As one of the country’s leading systems integrators, at RFI we are not only closely monitoring these developments but are actively involved in bringing them to fruition. We will keep you posted as progress continues in the months ahead.
New Regulations Require Enhanced, Documented Security
It is also important for organizations to be aware of other security-related regulations that impact them today. One example is the Health Insurance Portability and Accountability Act (HIPAA), which requires healthcare professionals and institutions to protect the security and integrity of patients’ private information. The recently released guideline for HIPAA implementation, NIST Special Publication 800-66, details links between physical security, information security, and data assurance.
The FDA’s Code of Federal Regulations Title 21, Part 11 (FDA 21 CFR 11) mandates that all pharmaceutical, healthcare, food services and medical equipment manufacturing companies preserve and secure information by establishing audit trails. And under Section 404 of Sarbanes-Oxley, organizations across all industries are required to document and assess their control environments.
As this brief overview illustrates, the ever-evolving regulatory environment directly impacts security procedures and practices, and so requires close and continuous attention. Again, we'll continue to keep you abreast of important developments in future issues. Of course, if you would like to discuss your particular situation we would be more than happy to answer any questions you might have.