U.S. Compliance Laws

Many laws in the United States relate to information technology (IT) and security. Organizations subject to these laws are expected to comply with them; meeting that obligation is commonly referred to as compliance. These laws matter to organizations as they develop a comprehensive risk management plan that guides operations internally and keeps them compliant externally.

Many organizations run internal programs to ensure they remain in compliance with relevant laws and regulations. These programs typically rely on internal audits and on the organization's governance processes, and they may also use certification and accreditation programs. When compliance is mandated by law, external audits are often required as well; they provide third-party verification that the requirements are being met.

An old legal saying is “ignorance is no excuse.” In other words, a person can’t break the law and then say “I didn’t know.” The same goes for laws that apply to organizations. Knowing what the relevant laws and regulations are is important for organizations.

Organizations are not expected to be experts on these laws. However, managers and executives should be aware of them. The relevant laws and regulations can be rolled into a compliance program for more detailed checks.

This section covers the following U.S. laws:

  • Federal Information Security Modernization Act (FISMA), 2014
  • Health Insurance Portability and Accountability Act (HIPAA), 1996
  • Gramm-Leach-Bliley Act (GLBA), 1999
  • Sarbanes-Oxley Act (SOX), 2002
  • Family Educational Rights and Privacy Act (FERPA), 1974
  • Children’s Internet Protection Act (CIPA), 2000

Federal Information Security Modernization Act

The Federal Information Security Modernization Act (FISMA) of 2014 was initially passed in 2002 as the Federal Information Security Management Act. Its purpose is to ensure that federal agencies protect their data by assigning specific responsibilities to them. The 2014 update made significant changes to the original law.

First, the 2014 law authorizes the Secretary of the Department of Homeland Security (DHS) to assist the Office of Management and Budget (OMB) Director in administering the implementation of agency information and security practices for federal information systems. Second, the law changes the agency reporting requirements by modifying the scope of reportable information from primarily policies and financial information to specific information about threats, security incidents, and compliance with security requirements. Third, the update addresses cyberbreach notification requirements. Fourth, within one year of the passing of the updated law, the OMB Director is required to revise budget circular A-130 to remove inefficient reporting.

Agencies are responsible for:

  • Protecting systems and data—Agency heads are responsible for all the systems and data in their agencies.
  • Complying with all elements of FISMA—FISMA includes details on how to protect systems and data. Systems must be inventoried, and risk assessments must be done to categorize systems and data by impact level. Different security controls are selected based on those risk levels. Systems must go through a certification and accreditation process (in current NIST Risk Management Framework terms, security assessment and authorization).
  • Integrating security in all processes—Security must be used throughout the agency, and continuous monitoring must be done to ensure the systems stay secure.

FISMA requires annual independent evaluations. Each year, agencies must have an independent evaluation of their information security program, performed by the agency's inspector general or an independent external auditor. The goal is to determine the effectiveness of the program. These evaluations are to include:

  • Testing for effectiveness—A representative sample of systems, policies, procedures, and practices is tested. The sample should reflect the agency's actual environment rather than only its best-run systems.
  • Issuing an assessment or report—The report states the agency's compliance with FISMA as well as compliance with related standards and guidelines, such as the NIST publications FISMA requires agencies to follow.

Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996. It requires that health information be protected. The passage of HIPAA led to improved security of personal medical information, which was previously handled loosely and often misused. In terms of compliance, the HIPAA Security Rule requires safeguards in three major areas: administrative (policies and procedures that protect patient data and ensure it can be accessed only by authorized parties), physical (controls that prevent physical theft of and unauthorized access to systems holding protected data), and technical (technology that protects networks, devices, and the data itself from threats).

NOTE

A link exists between these laws and IT corporate governance in organizations. IT corporate governance comprises a system of rules, practices, and processes that are essential to minimizing IT risks in organizations. Depending on the type and location of the organization, compliance requirements differ, such as those enumerated in FISMA, HIPAA, GLBA, or GDPR. An organization must account for corporate governance as part of developing a comprehensive IT risk management plan.

The Healthcare Information and Management Systems Society (HIMSS) Cybersecurity Survey of 2019 identifies many of the trends in IT security. Some of this data helps to show the impact of HIPAA. The following data was gathered from survey respondents:

  • About 65 percent of respondents were in the health services industry.
  • More than 85 percent of respondents had to comply with HIPAA.
  • More respondents were subject to HIPAA than to any other law or regulation named in the survey.

If an organization handles health information, HIPAA applies, which makes the definition of health information important. HIPAA defines health information as any data that:

  • Is created or received by:
    • Health care providers
    • Health plans
    • Public health authorities
    • Employers
    • Life insurers
    • Schools or universities
    • Health care clearinghouses
  • And relates to the health of an individual, including:
    • Past, present, or future health
    • Physical health, mental health, or condition of an individual
    • Past, present, or future payments for health care

Title II of HIPAA includes a section titled Administrative Simplification. This section includes the requirements and standards of HIPAA for IT:

  • Security standards—Every organization that handles health information must protect that information. Companies must also protect systems that handle the information, including all the health data the organization creates, receives, or sends. Specific standards are to be used for:
    • Storing data
    • Using data
    • Transmitting data
  • Privacy standards—The Privacy Rule limits how protected health information may be used and disclosed. Uses for treatment, payment, and health care operations are permitted without the patient's authorization; most other disclosures require the patient's written authorization. A person who has gone to a doctor's office or hospital has probably signed an acknowledgment form. That form is the notice of privacy practices, which tells patients how the provider uses and protects their health information.
  • Penalties—Penalties can be levied if the rules aren’t followed. Such penalties differ according to how culpable or neglectful the organization was:
    • “No knowledge” mistakes (the organization did not know and could not reasonably have known)—Fines range from $100 to $50,000 per violation, with an annual cap of $25,000 for identical violations.
    • Reasonable cause—Penalties range from $1,000 to $50,000 per violation, with an annual cap of $100,000.
    • Willful neglect but corrected within 30 days—Penalties range from $10,000 to $50,000 per violation, with an annual cap of $250,000.
    • Willful neglect and not corrected—Penalties are $50,000 per violation, with an annual cap of $1.5 million.
    These are the base amounts under HHS's 2019 enforcement guidance; the Department of Health and Human Services adjusts them for inflation each year.

NOTE

Title I of HIPAA relates to insurance portability and identifies rules for insurance plans. For example, when employees change jobs, HIPAA helps them retain insurance. Title I rules aren't related to IT compliance. Only Title II covers the protection of data. Of its five rules, two matter most for IT: the Privacy Rule, which governs protected health information (PHI) in any form, and the Security Rule, which requires administrative, physical, and technical safeguards for PHI that is stored or transmitted electronically (ePHI).

If an organization includes data covered by HIPAA, the organization must have a compliance plan. FIGURE 3-1 shows the process of creating a HIPAA compliance plan:

  • Assessment—An assessment helps to identify whether an organization is covered by HIPAA. If it is, then what data needs to be protected must be identified.
  • Risk analysis—A risk analysis helps to identify the risks. In this phase, how the organization handles data is analyzed. For example, is data only stored electronically or is it also transferred electronically?
  • Plan creation—After the risks have been identified, a plan is created. This plan includes methods to reduce the risk.
  • Plan implementation—The plan is implemented.
  • Continuous monitoring—Security in depth requires continuous monitoring. Regulations and risks should be monitored for changes, and the plan should be monitored to ensure it is still used.
  • Assessment—Regular reviews must be conducted. These reviews ensure that the organization remains in compliance.
A figure depicting the steps in a HIPAA compliance plan.

FIGURE 3-1 HIPAA compliance.

NOTE

Personally identifiable information (PII) is a common term in information security. PII is any data that can be used to identify a person, such as a name, a Social Security number, biometric data, or a combination of attributes that together single out an individual. Several laws and regulations specify that PII must be protected. PII is not synonymous with PHI under HIPAA: PHI is individually identifiable health information held or transmitted by a HIPAA covered entity or its business associates. Health records contain PII, but PII outside of health care, such as a payroll file or a customer database, is not PHI.

Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act, was passed in 1999. GLBA is broad in scope. Most of it relates to how banking and insurance institutions can merge. However, two parts of GLBA are relevant to IT security and apply to financial institutions in the United States. They are:

  • Financial Privacy Rule—This rule requires companies to notify customers about their privacy practices. Anyone who has a bank account has probably received such a notification from the bank. Anyone who has a credit card has received one from the credit card company. It explains how the bank or company collects and shares data.
  • Safeguards Rule—Companies must have a written information security program to protect customer information, which should ensure data isn't released without authorization and ensure data integrity. Companies are responsible for ensuring risk management plans are used, and all employees must be trained on security issues. The Federal Trade Commission (FTC), which enforces the rule for non-bank financial institutions, proposed updates in April 2019 and finalized them in 2021. The amended rule, which most covered institutions had to meet by June 2023, requires a qualified individual to oversee the program, a written risk assessment, encryption of customer information in transit and at rest, and multifactor authentication for anyone accessing customer information. A 2023 amendment added a requirement to notify the FTC of breaches affecting 500 or more consumers.

Sarbanes-Oxley Act

The Sarbanes-Oxley Act (SOX) was passed in 2002. This law applies to all companies that are publicly traded. It is designed to hold company executives and board members personally responsible for financial data. If the data is not accurate, these people can be fined and sent to jail.

The goal is to reduce fraud. Because individuals can be held liable, there is more pressure to ensure the reported data is accurate. Chief executive officers (CEOs) and chief financial officers (CFOs) must be able to:

  • Verify accuracy of financial statements
  • Prove the statements are accurate

Most of SOX is outside the direct scope of IT. However, Section 404 has elements that are directly related. Section 404 requires management to assess and report annually on the effectiveness of the company's internal control over financial reporting, and it requires the company's external auditor to attest to that assessment. Because financial data lives in IT systems, the controls examined include IT general controls such as access control, change management, and backup and recovery. For many companies, the cost of these audits represents the greatest impact of this law.

NOTE

SOX was passed in response to several large scandals. In these scandals, executives deliberately misled the public, and investors lost billions of dollars. For example, Enron reported revenues of more than $100 billion for 2000, yet it filed for bankruptcy in December 2001. The failure was later determined to have been caused by fraud and corruption, and many senior officers and board members were directly involved.

Family Educational Rights and Privacy Act

The Family Educational Rights and Privacy Act (FERPA) was passed in 1974 and has been amended at least nine times since then. The goal of the act is to protect the privacy of student records, which includes education and health data.

FERPA applies to all schools that receive funding from the U.S. Department of Education. These schools include:

  • State or local educational agencies
  • Institutions of higher education
  • Community colleges
  • Schools or agencies that offer a preschool program
  • All other education institutions

FERPA grants rights to parents of students under 18. The parent can inspect records and request corrections. When the student turns 18, or enrolls in a postsecondary institution at any age, these rights transfer to the student, who is then an "eligible student" under the act.

All PII about the student must be protected. Schools usually need permission from either the parent or the student to release PII.

There are a few exceptions to when PII can be accessed or released:

  • Some school officials may view records.
  • Data can be transferred to a new school if the student is transferred.
  • Data can be transferred when some types of financial aid are used.
  • Accrediting organizations can access data.
  • Data can be accessed when required by a court.
  • Data can be accessed for health and safety emergencies.

Children’s Internet Protection Act

The Children’s Internet Protection Act (CIPA) was passed in 2000 and is designed to limit access to offensive content from school and library computers. All schools and libraries that receive funding from the E-Rate program are covered under CIPA. More information on the E-Rate program is available at https://www.fcc.gov/consumers/guides/universal-service-program-schools-and-libraries-e-rate.

CIPA requires that schools and libraries:

  • Block or filter Internet access to pictures that are:
    • Obscene
    • Child pornography
    • Harmful to minors (if the computers are accessed by minors)
  • Adopt and enforce a policy to monitor online activity of minors
  • Implement an Internet safety policy addressing:
    • Access by minors to inappropriate content
    • Safety and security of minors when using email and chat rooms
    • Unauthorized access
    • Unlawful activities by minors online
    • Unauthorized use of minors’ personal information
    • Measures restricting minors’ access to harmful materials

Some of these terms are difficult to define, such as what is obscene or harmful to minors. CIPA includes a definitions section that identifies other specific sections of U.S. code where some of these terms are defined.

NOTE

The E-Rate program is under the Federal Communications Commission. It provides discounts to most schools and libraries for Internet access, ranging from 20 to 90 percent of the actual costs.

Children’s Online Privacy Protection Act

The Children’s Online Privacy Protection Act (COPPA), which is managed by the FTC, was passed in 1998 and took effect in 2000. The act was designed to protect the privacy of children under 13.

Using Proxy Servers to Limit Content

Most organizations use proxy servers as gateways to access the Internet. An organization configures its computers to use the proxy server. The proxy receives the request, retrieves the webpage from the Internet, and then serves the page to the client.

Proxy servers improve the level of service to clients, for example by caching frequently requested pages. They can also be used to filter content. If an organization doesn't want employees to access certain content, the proxy server can block requests to specific websites or to whole categories of sites.

Third-party companies maintain lists of websites based on their content. They then sell subscriptions to these lists to organizations that want them. For example, a company may want to restrict access to gambling sites from a work computer. The gambling list can be purchased and installed on the proxy server. The company can then block attempts to access these sites.

Proxy servers also have the ability to log attempts by users to access unapproved sites. When a site is blocked, the user will often see a message such as “Warning. Access to this site is restricted by the acceptable use policy. Your activity is being monitored.”

Similarly, schools and libraries can use proxy servers to filter content. The technology is widely available.
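The filtering decision a proxy makes, as an added example that is not code from the original page or from any proxy product: a category list (constructed here; real lists are vendor-supplied and far larger), a block policy, and the audit record written when a request is denied. The hostnames, user names, and the `BLOCK_MESSAGE` text are assumptions for the example. It also shows two details a naive implementation gets wrong: the request host must be normalized (case, port, trailing dot) before lookup, and matching must respect DNS label boundaries so that `casino.example` blocks `www.casino.example` but not `notcasino.example`.

```python
"""Category-based request filtering in the style of a filtering proxy.

Added example, not the original page's code. The category list and the
sample requests are constructed for this illustration.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed category list (assumption: real lists are much larger).
CATEGORY_LIST = {
    "gambling": {"casino.example", "bet.example"},
    "malware": {"dropper.test"},
}

# Categories the organization's acceptable use policy blocks.
BLOCKED_CATEGORIES = {"gambling", "malware"}

# Text shown to the user on a denial (assumed wording).
BLOCK_MESSAGE = ("Warning. Access to this site is restricted by the "
                 "acceptable use policy. Your activity is being monitored.")


@dataclass
class Decision:
    url: str
    host: str
    category: Optional[str]   # None when the host matched no category
    allowed: bool
    user: str


def normalize_host(url: str) -> str:
    """Return the hostname the proxy would look up: lower-cased, without
    port or userinfo, and without a trailing dot. urlsplit().hostname
    already lower-cases and strips the port and userinfo."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return host.rstrip(".")


def host_matches(host: str, listed: str) -> bool:
    """True if host is `listed` or a subdomain of it. Checking the label
    boundary keeps 'casino.example' from matching 'notcasino.example',
    and unlike a substring test it does not block an unrelated domain
    such as 'casino.example.attacker.test'."""
    return host == listed or host.endswith("." + listed)


def categorize(host: str) -> Optional[str]:
    """Look the normalized host up in the category list."""
    for category, domains in CATEGORY_LIST.items():
        if any(host_matches(host, d) for d in domains):
            return category
    return None


def decide(url: str, user: str) -> Decision:
    """Apply the block policy to one request."""
    host = normalize_host(url)
    category = categorize(host)
    allowed = category not in BLOCKED_CATEGORIES
    return Decision(url, host, category, allowed, user)


def log_line(d: Decision) -> str:
    """One audit record per request, key=value so a SIEM can parse it."""
    verdict = "ALLOW" if d.allowed else "BLOCK"
    return (f"verdict={verdict} user={d.user} host={d.host} "
            f"category={d.category or '-'} url={d.url}")


if __name__ == "__main__":
    # Constructed sample requests, including case, port and trailing-dot
    # variants that a filter must normalize before lookup.
    for user, url in [
        ("alice", "https://www.casino.example/slots"),
        ("bob", "http://BET.EXAMPLE.:8080/"),
        ("carol", "https://notcasino.example/"),
        ("dave", "https://casino.example.attacker.test/"),
        ("erin", "https://intranet.corp.test/"),
    ]:
        d = decide(url, user)
        print(log_line(d))
        if not d.allowed:
            print("  ->", BLOCK_MESSAGE)
```

Logging every decision, not only denials, is deliberate: the allow records are what an investigator needs to reconstruct a user's browsing when a later incident turns out to involve a site that was not on any list at the time.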

COPPA specifies the following:

  • Websites and online services directed to children under 13, or that know they are collecting personal information from children under 13, must obtain parental consent before collecting or using that information.
  • The contents of the privacy policy, which must be posted wherever personal information is collected.
  • When and how to seek verifiable consent from a parent or guardian.
  • The responsibilities of a website operator regarding children's privacy and safety online, including restrictions on the types and methods of marketing that target those under 13.

COPPA does not prescribe a single process for gaining parental consent. Instead, the FTC's rule lists acceptable methods, any one of which an operator may use. Among them:

  • A consent form, clearly displayed and easy to download, that the parent signs and returns by mail, fax, or electronic scan.
  • A credit card or other online payment transaction in the parent's name, which authenticates the parent's identity.
  • A call by the parent to a toll-free telephone number staffed by trained personnel.
  • An email from the parent accompanied by a digital signature.

CIPA was challenged on freedom of speech grounds. The U.S. Supreme Court upheld the law in June 2003. All libraries were given until early 2004 to comply. At this point, all schools and libraries accepting E-Rate funds are expected to be complying with CIPA.
