3. Information Technology for Risk Managers Flashcards
Gramm-Leach-Bliley Act of 1999
1. Financial institutions – banks, brokerages and insurance companies
2. Securely store personal information
3. Disclose policies regarding information sharing / allow customers the opportunity to opt-out
Data Security and Breach Notification Act of 2015
- Requires business entities to:
a. Employ security measures that protect data from unauthorized access
b. Restore data systems, data integrity and confidentiality after a security breach
c. Determine whether a breach will result in economic loss, identity theft or financial fraud
- In the event of a breach, requires business entities to notify:
a. Affected U.S. residents
b. The FTC and U.S. Secret Service or FBI
c. Consumer reporting agencies if more than 10,000 individuals are affected
Fair and Accurate Credit Transactions Act of 2003 (FACT Act or FACTA)
- Allows consumers to request and obtain a free credit report once every twelve months
- Contains provisions to help reduce identity theft
- Requires reporting agencies to block reporting of any information
Cybersecurity Information Sharing Act of 2015 (CISA)
makes it easier for companies to share personal information with the government, especially in cases of cybersecurity threats
- Creates a system for federal agencies to receive threat information from private companies
- Provisions to prevent sharing data known to be both personally identifiable and irrelevant to cybersecurity
Red Flags Rule
- Created by the FTC to help prevent identity theft; applies to financial institutions and creditors
- Financial institution
- Creditor: applies to any entity that regularly extends or renews credit. A creditor:
a. Obtains or uses consumer credit reports and provides information to consumer reporting agencies, or
b. Advances funds which must be repaid in the future (or against collateral)
Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended
- Any healthcare provider that electronically stores, processes or transmits medical data
- documentation, handling and privacy of medical records
- HIPAA Security Rule – defines what administrative, physical and technical safeguards must be in place and defines who may have access to the data
- Provides a set of standardized codes for medical data – diagnoses, procedures and drugs
Federal Information Security Management Act of 2002 (FISMA)
- Applies to federal agencies
- Has brought attention within the federal government to cybersecurity and explicitly emphasizes a "risk-based policy for cost-effective security"
- Requires agency program officials, chief information officers and inspectors general (IG) to conduct annual reviews of the agency’s information security program and report the results to the Office of Management and Budget
Fair Credit Reporting Act (FCRA)
was enacted to promote the accuracy, fairness and privacy of information gathered in the files of consumer reporting agencies
- Intended to protect consumers from inaccurate information in their credit reports; the FCRA regulates the collection, dissemination and use of consumer information
- The FCRA forms the foundation of consumer rights law in the United States; originally passed in 1970, it is enforced by the FTC, the Consumer Financial Protection Bureau and private litigants
Data Quality Act (DQA) or Information Quality Act (IQA)
sharing by federal agencies of, and access to, information disseminated by federal agencies, and
- Requires that each federal agency to which the guidelines apply:
a. Issue guidelines ensuring and maximizing the quality, objectivity, utility and integrity of information
b. Establish procedures allowing affected persons to seek and obtain a correction of information maintained and disseminated by the agency that does not comply with the guidelines
c. Report periodically to the director of the Office of Management and Budget:
- The number and nature of complaints received by the agency regarding inaccuracy of information disseminated, and
- How such complaints were handled by the agency
Data Risk Assessment
1. Data Inventory
2. Data Risk Analysis
3. Data Mapping
4. Data Protection
Data Inventory – What data do you have?
- What types of information are collected and stored?
- How many records are kept?
- Are the files sensitive in nature and are they subject to compliance?
Data Inventory – Are the files sensitive in nature and are they subject to compliance?
a. Personally Identifiable Information (PII)
b. Personal Health Information (PHI)
c. Personally Identifiable Financial Information (PIFI)
d. Claims data
e. Intellectual property
f. Data of others (subject to confidentiality agreements)
Data Risk Analysis – Why is retention of data risky?
- Records have value
- The type and quantity of data stored may make the organization a target for hacking
- The greater the volume of data held, the greater the risk its release creates
- What are the potential repercussions associated with the release of the information?
a. Direct – data restoration, client notification, credit monitoring
b. Indirect – reputation, loss of goodwill, etc.
Data Mapping – Tracking of the data cycle, from point of input through storage to output, to identify the organization’s systems that are involved and that expose the organization to risk
- Multiple databases
a. HR – employee records, performance appraisals, benefits
b. Accounting – accounts payable, accounts receivable, fixed assets, payroll
c. Procurement – vendor data, insurance information, product pricing
d. Proprietary information – scientific, market information, R&D, trade secrets
e. Claims management system
- Information exchange – who is data shared with?
a. Between departments
b. With outside parties
Data Protection and Exposure Reduction – What steps have been taken by the organization to protect the data and reduce the exposure?
- Testing for firewalls, vulnerability, password strength, etc.
- Implementing new security measures and policies:
a. Biometrics
b. Mandatory password change
c. Email limitations
- Training and educating employees
- Monitoring and enforcing policies