With the increasing proliferation of information handling regulations and requirements that businesses, colleges, financial institutions, and health care providers of all kinds must operate under, it is no longer an option to examine information security and compliance for each regulation or requirement individually.
For all the variety in regulations, there are several core principles around which compliance can be established for all of the requirements. The best way to meet information security and regulatory needs is to have an Integrated Information Security Management Process in place that considers all of the relevant requirements and establishes the policies, procedures, and practices that can work together to meet all of the needs.
To maintain information privacy, security, and regulatory compliance, you need an established, continuous process to:
• Conduct an Information Inventory and Flow Analysis
• Implement Access and Configuration Control
• Know who and what’s been going on in your networks and systems
• Respond to and learn from Incidents
• Audit and review regularly, and when operations or environment change
• Improve your operations based on the risks identified, so that each cycle of the process reduces risk
You'll need to review your policies, procedures, and practices to ensure all applicable requirements and essential practices are met. Properly organized, your basic security policies need not be a chaotic jumble of specifications for individual regulations and requirements. Where possible, your policies can be organized under four fundamental security policies:
1) Information Security Management Policy - wherein the process itself is established, including requirements to perform the steps listed above
2) Access Control Policy - which covers the mechanics of allowing and preventing access as appropriate, through means such as administrative processes and technical measures (authentication, encryption, perimeter controls, etc.)
3) Contingency Policy - covering the essentials of data preservation, data destruction, and disaster recovery
4) User Policy - detailing the requirements of how individual users should and should not use their information devices and the organization's data
Lewis Creek Systems can help you establish your Integrated Information Security Management Process and all its underlying policies, procedures, documentation and training activities, so that you can be in compliance with HIPAA Privacy, HIPAA Security, PCI, FRCP E-Discovery, Security Breach Notification Laws, and any other regulations that affect information security and data management.
We can provide the Policy Review and Development Services, Information Flow Analysis, Risk Analysis, Risk Assessment, and Compliance Assessment Services to jump-start your process and help move you to compliance quickly, safely, and economically. Contact us today if you have any questions or would like any additional information.