Evan McGrath
Spohn Consulting
January 16, 2022
Expertise for Navigating Business Challenges
Agenda
Recent Breaches
Cost of a Security Breach
What Hackers Target
Regulatory Compliances & State Codes
Cyber-Terrorism
Things You can do
To comply with the federal standard, agencies must first determine the security category of their information system in
accordance with the provisions of FIPS 199, Standards for Security Categorization of Federal Information and Information
Systems, and then apply the appropriate set of baseline security controls in NIST Special Publication 800-53.
The combination of FIPS 200 and NIST Special Publication 800-53 requires a foundational level of security for all
federal information and information systems.
The agency's Risk Assessment validates the security control set and determines if any additional controls are needed to
protect agency operations (including mission, functions, image, or reputation), agency assets, individuals, other
organizations, or the Nation. The resulting set of security controls establishes a level of “security due diligence” for the
federal agency and its contractors.
In addition to the security requirements established by FISMA, there may also be specific security requirements in different
business areas within agencies that are governed by other laws, Executive Orders, directives, policies, regulations, or
associated governing documents (e.g., the Health Insurance Portability and Accountability Act of 1996).
It is important that agency officials (including authorizing officials, chief information officers, senior agency information
security officers, information system owners, information system security officers, and acquisition authorities) take steps to
ensure that: (i) all appropriate security requirements are addressed in agency acquisitions of information systems and
information system services; and (ii) all required security controls are implemented in agency information systems.
Section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act requires HIPAA
covered entities and their business associates to provide notification following a breach of unsecured protected health
information.
• INDIVIDUAL NOTICE: Covered entities must provide this individual notice in written form by first-class mail, or
alternatively, by e-mail if the affected individual has agreed to receive such notices electronically. If the covered entity has
insufficient or out-of-date contact information for 10 or more individuals, the covered entity must provide substitute
individual notice by either posting the notice on the home page of its web site or by providing the notice in major print or
broadcast media where the affected individuals likely reside.
• MEDIA NOTICE: Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction
are required to provide notice to prominent media outlets serving the State or jurisdiction.
• NOTICE TO THE HHS SECRETARY: Covered entities must notify the Secretary of breaches of unsecured protected health
information.
• PENALTIES: A maximum penalty amount of $1.5 million for all violations of an identical provision.
• ENFORCEMENT: HIPAA covered entities were required to comply with the Security Rule beginning on April 20, 2005.
OCR became responsible for enforcing the Security Rule on July 27, 2009. (Summary: while HIPAA was established in
1996, it was not until 2009 that we saw widespread enforcement.)
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html
I’m a small merchant who has limited payment card transaction volume. Do I need to
be compliant with PCI DSS? If so, what is the deadline?
All merchants, whether small or large, need to be PCI compliant. The payment brands have collectively adopted PCI DSS as the
requirement for organizations that process, store or transmit payment cardholder data. PCI SSC is responsible for managing the
security standards while each individual payment brand is responsible for managing and enforcing compliance to these
standards.
Does PCI DSS apply to merchants who use payment gateways to process
transactions on their behalf, and thus never store, process or transmit cardholder
data?
PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If PAN is not stored,
processed, or transmitted, PCI DSS requirements do not apply. However, under PCI DSS requirement 12.8, if the merchant shares
cardholder data with a third party processor or service provider, the merchant must ensure that there is an agreement with that third
party processor/service provider that includes their acknowledgement that the third party processor/service provider is responsible
for the security of the cardholder data it possesses.
Possible cyber-threats
Q&A
Thank you!
Evan McGrath
Spohn Consulting
Phone: 512.685.1804
Email: emcgrath@spohncentral.com