Sep 17, 2019

FISMA is the Federal Information Security Management Act. The statute was passed in 2002 to ensure that federal agencies follow defined steps to keep the government's information secure, and it was amended in 2014 to address the rise in cyber attacks. NIST publishes the official guidelines for implementing the program. The adopted framework calls for these measures:

1. Preparation to manage security risks.

2. Categorization of the information stored and processed.

3. Selection of a baseline set of security controls.

4. Implementation of those controls.

5. Assessment of whether the controls are actually keeping the information secure.

6. Authorization of the system to operate, based on the level of risk involved.

7. Monitoring of the controls on an ongoing basis.

ISO 27001 is an information security standard established by the International Organization for Standardization. It specifies how management should implement information security, and it requires a management system that enforces the security standards on an ongoing basis rather than as a one-time effort.

In order to achieve ISO 27001 certification, an organization must establish the following:

1. An overall information security policy.

2. A risk assessment process.

3. The competence of the personnel responsible for information security.

4. An internal audit program.

5. Documentation of the actions taken to correct failures to comply with the policy.

6. Review of the system by top management.

ISO 27001 certification addresses the regulations and standards of HIPAA; the Sarbanes-Oxley Act; the American Institute of CPAs' Service Organization Control (SOC 2) client data standards; and the Federal Information Security Management Act.

Some clients require that their law firms hold this information security certification. Firms such as White & Case LLP; Paul Weiss LLP; and Cravath, Swaine & Moore LLP are ISO 27001 certified.

A firm may begin to define the scope of its information security program with a review of its document management system. Best practices are detailed in ISO 27002, which covers cryptography; human resources; access control; communications; incident response; and legal compliance. Examples of specific measures include:

1. Photos or videos of restricted areas are prohibited without special permission.

2. User accounts must be locked after a set number of unsuccessful login attempts.

3. Computers must require the user to log back in with a password after no more than 10 minutes of inactivity.

4. Write access to USB drives and DVDs must be disabled unless it has been specifically authorized.
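Measures 2 through 4 are settings that can be checked on a workstation rather than just written into a policy. The script below is an added example, not part of the original post: it reads a constructed copy of the text printed by the Windows `net accounts` command and a constructed snapshot of the registry values that govern the idle lock (`ScreenSaveActive`, `ScreenSaveTimeOut`, `ScreenSaverIsSecure` under `HKCU\Control Panel\Desktop`) and removable-media write protection (`WriteProtect` under `HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies`), then reports each control as PASS or FAIL. The 10-minute inactivity limit comes from the post; the five-attempt lockout threshold is an assumption chosen for the example.

```python
"""Check exported workstation settings against three ISO 27002-style measures:
account lockout after failed logins, a password-protected idle lock within
10 minutes, and write protection for removable media unless authorized.
Added example; sample inputs are constructed, not taken from a real host."""
import re

MAX_INACTIVITY_SECONDS = 10 * 60   # "no more than 10 minutes" (from the post)
MAX_FAILED_LOGINS = 5              # assumed lockout threshold for this example

# Constructed sample of `net accounts` output; real output uses the same labels.
NET_ACCOUNTS_OUTPUT = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              8
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""
# Same output with the lockout threshold set to 5 (constructed "after" state).
NET_ACCOUNTS_HARDENED = re.sub(r"(Lockout threshold:\s+)Never", r"\g<1>5",
                               NET_ACCOUNTS_OUTPUT)

# Constructed registry snapshots. Value names are the real ones; the contents
# are made up. A None entry means the value is absent on the host.
REGISTRY_VALUES = {
    "ScreenSaveActive": "1",
    "ScreenSaverIsSecure": "0",   # resuming does not require a password
    "ScreenSaveTimeOut": "900",   # 15 minutes of inactivity
    "WriteProtect": None,         # removable storage is writable
}
REGISTRY_VALUES_HARDENED = {
    "ScreenSaveActive": "1",
    "ScreenSaverIsSecure": "1",
    "ScreenSaveTimeOut": "600",   # exactly 10 minutes
    "WriteProtect": "1",
}


def parse_net_accounts(text):
    """Turn `net accounts` output into a {label: value} dict."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^(.*?):\s{2,}(\S.*)$", line)  # label, 2+ spaces, value
        if m:
            settings[m.group(1).strip()] = m.group(2).strip()
    return settings


def check_lockout(settings, max_failed=MAX_FAILED_LOGINS):
    """Measure 2: accounts must lock after a limited number of failed logins."""
    raw = settings.get("Lockout threshold", "Never")
    if raw == "Never":
        return "FAIL: lockout threshold is 'Never' (accounts never lock)"
    threshold = int(raw)
    if threshold > max_failed:
        return f"FAIL: lockout threshold {threshold} exceeds {max_failed}"
    return f"PASS: accounts lock after {threshold} failed logins"


def check_inactivity_lock(reg, max_seconds=MAX_INACTIVITY_SECONDS):
    """Measure 3: a password-protected lock after at most 10 minutes idle."""
    if reg.get("ScreenSaveActive") != "1":
        return "FAIL: idle lock (screen saver) is not enabled"
    timeout = int(reg.get("ScreenSaveTimeOut") or 0)
    if timeout <= 0 or timeout > max_seconds:
        return f"FAIL: idle timeout is {timeout}s, limit is {max_seconds}s"
    if reg.get("ScreenSaverIsSecure") != "1":
        return "FAIL: resuming from idle does not require a password"
    return f"PASS: password required after {timeout}s idle"


def check_removable_write(reg, authorized=False):
    """Measure 4: removable media write-protected unless specifically authorized."""
    if authorized:
        return "PASS: write access is specifically authorized for this host"
    if reg.get("WriteProtect") == "1":
        return "PASS: removable storage is write-protected"
    return "FAIL: removable storage is writable without authorization"


def run_checks(net_accounts_text, reg, usb_write_authorized=False):
    """Evaluate all three measures and return {control: result}."""
    settings = parse_net_accounts(net_accounts_text)
    return {
        "account_lockout": check_lockout(settings),
        "inactivity_lock": check_inactivity_lock(reg),
        "removable_media": check_removable_write(reg, usb_write_authorized),
    }


if __name__ == "__main__":
    for label, reg, txt in (("before", REGISTRY_VALUES, NET_ACCOUNTS_OUTPUT),
                            ("after", REGISTRY_VALUES_HARDENED, NET_ACCOUNTS_HARDENED)):
        print(f"--- {label} ---")
        for name, result in run_checks(txt, reg).items():
            print(f"{name:16} {result}")
```

On a real host the two inputs would come from running `net accounts` and exporting the two registry keys; the authorization flag for removable media is something the firm records per machine, which is why it is passed in rather than read from the system.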

California law requires businesses and state agencies to notify individuals when their unencrypted data was in fact acquired by an unauthorized person, or when it is reasonable to believe that such a person has accessed the data. See California Civil Code § 1798.29(a) and § 1798.82(a). A breach involving the data of more than 500 California residents must also be reported to the state Attorney General, who provides an online submission form for this purpose. The form itself should not include PII. The form is not covered by the California Public Records Act, which requires law enforcement agencies to disclose information when doing so would not jeopardize an ongoing investigation.

The owner of the data must receive immediate notification of the breach. The notice itself, titled "Notice of Data Breach," must consist of five sections:

1. What Happened

2. What Information Was Involved

3. What We Are Doing

4. What You Can Do

5. For More Information

The statute itself includes a model form for businesses to use.

Businesses are required to state the estimated date of the breach if it is possible to determine when the breach occurred. If the business was the source of the breach, it must offer identity theft prevention and mitigation services for 12 months. Personal information is defined as a person's name in combination with any of the following:

1. Social security number

2. Driver's license number

3. Account number

4. Medical information

5. Health insurance information

6. Automated license plate recognition system information

Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco. He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.


© 2015 by Sean O'Shea.