Resources: Guidance from NIST
(The National Institute of Standards and Technology)


HIPAA Guidance and Tools

Information Security Guidance

Document Retention Guidelines

Regulations, Standards, and Laws

Return to the main Resources page

• NIST has released a very useful HIPAA Security Rule Toolkit, which is a Java-based application that uses a tree of questions based on the regulations and NIST SP 800-series guidance to help organizations understand their HIPAA Security compliance position.  The user guide, install guide, and applications are all freely available at  http://scap.nist.gov/hipaa/  

• The National Institute of Standards and Technology (NIST) has a wide variety of very useful information security guidance available in their Special Publications 800-series documents.  Several SP 800 documents are listed below; see the list of available documents at http://csrc.nist.gov/publications/PubsSPs.html 

• NIST releases ITL Security Bulletins approximately every two months, covering a variety of relevant information security topics, some more technical than others, but always worth perusing when looking for guidance.  These bulletins work in concert with the SP 800 series documents to provide more background, context, and specific recommendations.  The ITL Security Bulletins are available at:  http://csrc.nist.gov/publications/PubsITLSB.html  

• NIST provides a useful, simple risk assessment procedure in the original version of SP 800-30, Risk Management Guide for Information Technology Systems:  http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf .  Revision 1 of SP 800-30, Guide for Conducting Risk Assessments, is much larger, contains a great deal of background information, and is much harder for the average compliance officer to approach.  It is thick with theory and explanation that tend to obscure the meaning and goals, and the process it describes is considerably more complicated than the one in the original version and not necessarily appropriate for many health care organizations.  So warned, the new version is available at:  http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf, and the original version (recommended) is still available.  The October 2012 NIST ITL Security Bulletin, available at:  http://csrc.nist.gov/publications/nistbul/itlbul2012_10.pdf  provides additional guidance on using SP 800-30 Revision 1.

• NIST Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), released April 6, 2010, provides practical, context-based guidelines for identifying PII and appropriate levels of protection, including safeguards and incident response plans.  The guide is available at:   http://csrc.nist.gov/publications/PubsSPs.html#800-122   The April 2010 NIST ITL Security Bulletin discussing the SP 800-122 guide is available at:   http://csrc.nist.gov/publications/nistbul/april-2010_guide-protecting-pii.pdf   

• NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, published in final form in April 2013, is a comprehensive update of the security controls catalog, providing a full set of safeguards and countermeasures for information systems.  SP 800-53 Rev. 4 is available at: http://csrc.nist.gov/publications/PubsSPs.html#800-53 and the companion guide for assessing security controls, SP 800-53A Revision 1 (draft), is available at:  http://csrc.nist.gov/publications/PubsDrafts.html#800-53A-rev1    Also available is the May 2013 NIST ITL Bulletin, featuring the Topic of the Month: ITL Publishes Security And Privacy Controls For Federal Agencies.  The bulletin is available at http://csrc.nist.gov/publications/nistbul/itlbul2013_05.pdf and past ITL Bulletins are listed at: http://csrc.nist.gov/publications/PubsITLSB.html

• NIST provides excellent guidance for telework and remote access to an organization's nonpublic computing resources, recommended for security implementers, policy developers, trainers, and end users.  See SP 800-114, User's Guide to Securing External Devices for Telework and Remote Access:  http://csrc.nist.gov/publications/nistpubs/800-114/SP800-114.pdf

• NIST offers a guide to encryption of laptops and portable devices in SP 800-111 Guide to Storage Encryption Technologies for End User Devices, available at: http://csrc.nist.gov/publications/nistpubs/800-111/SP800-111.pdf  

• NIST provides a good overall reference and lists key compliance activities for HIPAA Security Rule compliance in SP 800-66 Revision 1 (October 2008): An Introductory Resource Guide for Implementing the HIPAA Security Rule, at:
http://csrc.nist.gov/publications/PubsSPs.html#800-66-Rev1  

• If you're considering moving information to "the cloud", you'd best consider the security implications.  December 9, 2011 saw the release of NIST SP 800-144 Guidelines on Security and Privacy in Public Cloud Computing, available at:  http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909494  

• On May 29, 2012, NIST released the final version of NIST Special Publication 800-146, Cloud Computing Synopsis and Recommendations, which is NIST's general guide to cloud computing.  It explains cloud systems in plain language, provides recommendations for information technology decision makers, and describes how clouds are deployed, what kinds of services are available, economic considerations, technical characteristics such as performance and reliability, typical terms of service, and security issues.  It also offers recommendations on how and when cloud computing is an appropriate tool, and surveys open issues for cloud computing.  The guide is available at:  http://csrc.nist.gov/publications/nistpubs/800-146/sp800-146.pdf

• On June 29, 2012, NIST published its June 2012 NIST ITL Security Bulletin, on the topic of Cloud Computing: A Review Of Features, Benefits, And Risks, And Recommendations For Secure, Efficient Implementations.  The bulletin is at:  http://csrc.nist.gov/publications/nistbul/june-2012_itl-bulletin.pdf  

• NIST's Cryptographic Module Validation Program (CMVP) maintains the list of cryptographic modules validated against the FIPS 140-2 standard.  Encryption performed with a validated module is what the HIPAA breach notification rule's safe harbor looks for: PHI encrypted in accordance with HHS guidance is not "unsecured" PHI, so its loss does not trigger notification.  Note that a product's vendor claiming "FIPS-compliant" is not the same as the specific module appearing on the validated list.  The 2009 validation list is at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2009.htm

• NIST released in August 2012 an update to their Computer Security Incident Handling Guide in SP 800-61 Revision 2, a practical guide to responding to incidents and establishing a computer security incident policy and process as required under HIPAA, PCI, and many other information security regulations and standards. See: http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf   In addition, the September 2012 NIST ITL Bulletin focuses on the revised SP 800-61, providing additional insights and guidance, available at:  http://csrc.nist.gov/publications/nistbul/itlbul2012_09.pdf  

• NIST released on October 1, 2008,  SP 800-115, Technical Guide to Information Security Testing and Assessment, designed to assist organizations in planning and conducting technical information security testing and assessments, analyzing findings, and developing mitigation strategies, including recommendations for designing, implementing, and maintaining technical information security assessment processes and procedures.  SP 800-115 is available at: http://csrc.nist.gov/publications/PubsSPs.html#SP800-115    

• NIST released on October 31, 2008, SP 800-124, Guidelines on Cell Phone and PDA Security, providing an overview of cell phone and personal digital assistant (PDA) devices in use today and offering insights into making informed information technology security decisions on their treatment. SP 800-124 gives details about the threats and technology risks associated with the use of these devices and the available safeguards to mitigate them. The Executive Summary of this report is highly recommended reading for all cell phone and PDA users.  SP 800-124 is available at:  http://csrc.nist.gov/publications/PubsSPs.html#800-124     

• NIST provides a video for the small business community titled "Information Technology Security for Small Business. It's not just good business. It's essential business" giving small business owners a glimpse into the resources from NIST, SBA, and the FBI that protect them from cyber crime. The video describes hacking, denial-of-service, laptop theft, insider abuse, computer viruses, and computers made into bots, and encourages small business owners to define their security needs, establish security practices, and stay current.  To see the video and other resources, go to:  http://csrc.nist.gov/groups/SMA/sbc/library.html#04   Also see the draft of NISTIR 7621, Small Business Information Security: The Fundamentals, intended to help small businesses and organizations implement the fundamental concepts of an effective information security program.  The draft is available at: http://csrc.nist.gov/publications/PubsDrafts.html#ir7621  



Copyright © 2002-2013 Lewis Creek Systems, LLC  Charlotte, Vermont, USA