Document IT
IT is great at supplying technology solutions to business problems, but we're not always the best at documenting this effort and providing written policies for computer resources and access to those resources. Both GLBA and HIPAA require written documents that evidence the infosec program, and these documents must be approved from the top and implemented all the way down to the operational level.
Say physical and technical safeguards detect an intrusion or compromise to customer information. What next? GLBA requires institutions to implement a response program that specifies actions to be taken when the bank suspects or detects that unauthorized individuals have gained access to customer information. This includes appropriate reports to regulatory and law enforcement agencies. Although GLBA does not require it, institutions should also notify customers promptly when nonpublic personal information is compromised. This was not written into the law because the cost of compliance would have a dramatic effect on these institutions. And how do you enforce it? What type of compromise would trigger the notification and the duty to inform? These and other questions will be answered at the state level (see "With 1386, California Leads the Way").
Once your written security program is in place, you must regularly test its safeguards. Although the type and frequency of the tests can be based on the institution's risk assessment, they must be conducted by third parties or by staff members who are independent of the group that maintains the security program. The results of the testing should be added to your management reports to the board or an oversight committee.
Finally, institutions must exercise due diligence in selecting service providers. By contract, enterprises must require service providers to implement appropriate measures designed to meet GLBA objectives and protect customer information they handle for the institution. And, depending on potential risks, institutions should monitor service providers to verify their compliance by, for example, reviewing audits or test results done by service providers. Institutions with contracts in existence on or before March 5, 2001, had a two-year grace period to bring their service provider agreements into compliance. That grace period ended on July 1, 2003.
The Health Insurance Portability and Accountability Act of 1996 was developed as a two-step dance in health-care reform that puts the Centers for Medicare & Medicaid Services (CMS) in the lead, with the rest of the health-care industry to follow. And if anyone misses a step, HHS Office of Civil Rights will bring them in line. HIPAA's primary aim is to improve the efficiency and effectiveness of the nation's health-care system and promote the widespread use of EDI in health care. But it would be difficult, if not impossible, to accomplish this without assurances that patient health information will be kept secure and private.