Thus, in most cases there are no hard and fast rules regarding which specific security measures to implement. Instead, the legal standard for security focuses on a process to identify and implement measures that are reasonable under the circumstances to achieve the desired security objectives. This requires companies to engage in an ongoing and repetitive process that is designed to assess risks, identify and implement responsive security measures, verify that they are effectively implemented, and ensure that they are continually updated in response to new developments.
What Companies Need to Do
The essence of the process-oriented approach to security compliance is implementation of a comprehensive written security program that includes:
Asset assessment – identifying the systems and information that need to be protected.
Risk assessment – conducting periodic assessments of the risks faced by the company.
Security measures – developing and implementing security measures designed to manage and control the specific risks identified.
Third parties – overseeing third party service provider arrangements.
Education – implementing security awareness training and education.
Monitoring and testing – ensuring that the program is properly implemented and effective.
Reviewing and adjusting – revising the program in light of ongoing changes.
The legally-mandated process may be summarized as follows:
When addressing information security, the first step is to define the scope of the effort. What information, communications, and processes are to be protected? What information systems are involved? Where are they located? What laws potentially apply to them? As is often the case, little-known but sensitive data files are found in a variety of places within the company.
Periodic Risk Assessment
Implementing a comprehensive security program to protect these assets requires a thorough assessment of the potential risks to the organization’s information systems and data.[62] This involves identifying all reasonably foreseeable internal and external threats to the information assets to be protected.[63] Threats should be considered in each area of relevant operation, including information systems, network and software
62 See, e.g., HIPAA Security Regulations, 45 C.F.R. Section 164.308(a)(1)(ii)(A).
63 See, e.g., Microsoft Consent Decree at II, p. 4; Ziff Davis Assurance of Discontinuance, Para. 25(b), p. 5; Eli Lilly Decision at II.B; GLB Security Regulations, 12 C.F.R. Part 30, Appendix B, Part III.B(1).