What are WIFs?

My notes from the EthicsPoint webinar on intake models and the value of web intake forms. The presenter was Erin Watkinson, a business solutions consultant at EthicsPoint.

A custom web intake form is a replacement for paper-based forms. You can use the web to report on issues.

Reporting should encourage employees to first go to a supervisor and not go anonymously right away.

A custom WIF is a case intake mechanism for non-licensed users. It's a custom report form that you can brand and format as needed or desired. The WIF can eliminate the re-keying of data. The form dumps the information into a central database. In a WIF you can have explanatory text, images, fields and/or links to other documentation. The WIF is mapped to fields in the EthicsPoint Event Manager. You can create custom print forms to match the look and feel of the WIF. All of the data elements are available for reporting and analytics. There is also branching logic available depending on how questions are answered.

Erin then showed an example of an HR Management report. This highlighted the branching features. Another demo was the Hospira HR system. They used the system for people to ask questions. The system tracks the questions and the answers given.

Public Hearing on Massachusetts Data Privacy Regulations

The Massachusetts Office of Consumer Affairs and Business has published a Notice of Public Hearing on 201 CMR 17.00, Standards for the Protection of Personal Information of Residents of the Commonwealth. (.pdf)

The hearing is on Friday, January 16, 2009 at 2:00 pm in Room No. 5-6, Second Floor of the Transportation Building, 10 Park Plaza, Boston.

Computer System Requirements for New Massachusetts Privacy Regulations

As discussed in earlier alerts (Additional Guidance on the Massachusetts Privacy Regulations, Privacy and Security Alert: Massachusetts Has New Data Security Regulations and New Massachusetts Privacy Laws), starting on January 1, 2009, businesses will be held to a higher standard regarding the protection of Massachusetts residents’ personal information. The regulations (201 CMR 17.00) set out in detail the required minimum standards to be met by persons or businesses who own, license, store, or maintain personal information about a Massachusetts consumer or employee. The Standards apply to paper as well as to electronic records.

The regulations have some very specific requirements for computer system security (201 CMR 17.04):

  1. Secure user authentication protocols
  2. Secure access control measures
  3. Encryption of transmitted records and files (to the extent feasible)
  4. Reasonable monitoring of systems (for unauthorized access to personal information)
  5. Encryption of all personal information stored on laptops or other portable devices
  6. Reasonably up-to-date firewall protection for files containing protected information on a system that is connected to the Internet
  7. Reasonably up-to-date versions of system security agent software, which must include malware protection and reasonably up-to-date patches and virus definitions
  8. Education and training of employees on the proper use of the System and the importance of personal information security
  9. Features required for secure user authentication protocols and secure access control measures.

Compliance and Cloud Computing

Sara Peters wrote an article on Security Provoked: How Can You Prove Compliance in the Cloud?

Whether you’re in the midst of an audit or a forensic investigation, thorough logs are the key to proving compliance with security regulations. So how do you prove your organization is/was compliant when you aren’t able to maintain logs? This is the nagging question that gnaws hungrily at my weary brain every time I ponder cloud computing.

I am a big fan of cloud computing from a sharing and information architecture perspective; it may not be the right answer for critical information that is subject to regulatory control.

Yet.

The folks at Google and other cloud computing providers are not going to let compliance issues fall through the cracks for long. Cloud computing can provide similar service at less cost. Who has a better understanding of security, your IT staff or the folks at Google?


New link to the article: http://www.informationweek.com/security/can-you-prove-compliance-in-the-cloud/229209812