FISMA

Comparison of eight Governance, Risk and Compliance (GRC) regulatory frameworks

Comparison of eight Governance, Risk and Compliance (GRC) regulatory frameworks: the Health Insurance Portability and Accountability Act (HIPAA), the European Union Data Protection Directive (EUDPD), the AICPA Generally Accepted Privacy Principles (GAPP), the Payment Card Industry Data Security Standard (PCI DSS), the ISO 27002 Code of Practice for Information Security Management, COBIT, the Sarbanes-Oxley Act of 2002 (SOX) and the Gramm-Leach-Bliley Act (GLBA).

1. Health Insurance Portability and Accountability Act (HIPAA)
HIPAA includes among its components the Privacy Rule and the Security Rule, which govern the handling of personal and medical information within the health care industry. These rules apply to Protected Health Information (PHI) and, in the case of the Security Rule, to electronic PHI (ePHI). They grew out of the Act's Administrative Simplification provisions, which were intended to streamline the U.S. health care system by standardizing electronic transactions, code sets and identifiers. The Privacy and Security Rules are detailed; the Security Rule distinguishes required from addressable implementation specifications and is technology-neutral, so it specifies safeguards rather than particular products. Although the regulation targets organizations in the U.S. health care industry (covered entities), it extends to other organizations that engage in certain activities, such as managing employee group health plans or providing services that involve PHI to covered entities (business associates). If your organization is in the United States and maintains a health plan for its employees, HIPAA most likely applies to the information that plan collects and stores. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces the HIPAA Privacy and Security Rules.

FISMA ISO27001 Access Control Policy and Procedures Audit Checklist

An access control policy should be established, documented and reviewed on the basis of the business and security requirements for access. The policy and its supporting procedures should cover:

- Security requirements of individual business applications
- Identification of all information related to the business applications and the risks that information faces
- Policies for information dissemination and authorization, e.g. the need-to-know principle, security levels and the classification of information
- Consistency between the access control policies and the information classification policies of different systems and networks
- Relevant legislation and any contractual obligations regarding protection of access to data or services
- Standard user access profiles for common job roles in the organization
- Management of access rights in a distributed and networked environment that recognizes all types of connection available
- Segregation of access control roles, e.g. access request, access authorization and access administration
- Requirements for formal authorization of access requests
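Three items on this checklist (standard access profiles per job role, segregation of the request, authorization and administration roles, and formal authorization before any grant) can be enforced and audited mechanically. The following Python script is an added example written for this page, not code from the checklist's author or from any standard; the role profiles, duty assignments and access requests in it are constructed sample data, and the entitlement naming scheme (`system:permission`) is an assumption.

```python
"""Audit access requests against an access control policy.

Added example (not part of the original checklist). Enforces:
  - standard access profiles for job roles (an entitlement must be within
    the subject's role profile),
  - segregation of access-control roles (requester, approver and
    administrator must be different people for a given request),
  - formal authorization before provisioning.
All names, roles, duties and requests below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Standard access profiles for common job roles (constructed). Each profile is the
# maximum set of entitlements a holder of that role may be granted.
ROLE_PROFILES: Dict[str, Set[str]] = {
    "claims_clerk": {"claims_app:read", "claims_app:write"},
    "billing_analyst": {"claims_app:read", "billing_db:read"},
    "sysadmin": {"claims_app:admin", "hr_db:admin"},
}

# Duties each person holds in the access-control process (constructed).
ACCESS_CONTROL_DUTIES = {"requester", "approver", "administrator"}
DUTIES: Dict[str, Set[str]] = {
    "alice": {"requester"},
    "bob": {"approver"},
    "carol": {"administrator"},
    "dave": {"approver", "administrator"},   # holds two duties: a standing conflict
}


@dataclass
class AccessRequest:
    request_id: str
    subject: str                   # user who will receive the access
    job_role: str                  # subject's job role, looked up in ROLE_PROFILES
    entitlement: str               # assumed "system:permission" naming scheme
    requested_by: str
    approved_by: Optional[str] = None
    provisioned_by: Optional[str] = None


def validate_request(req: AccessRequest) -> List[str]:
    """Return the policy violations found in one request (empty list means compliant)."""
    issues: List[str] = []
    rid = req.request_id

    # Standard profiles: the entitlement must be within the subject's role profile.
    profile = ROLE_PROFILES.get(req.job_role)
    if profile is None:
        issues.append(f"{rid}: unknown job role {req.job_role!r}")
    elif req.entitlement not in profile:
        issues.append(f"{rid}: {req.entitlement!r} exceeds the standard profile for {req.job_role!r}")

    # Formal authorization: an approver must be recorded and must hold the approver duty.
    if req.approved_by is None:
        issues.append(f"{rid}: no formal authorization recorded")
    else:
        if "approver" not in DUTIES.get(req.approved_by, set()):
            issues.append(f"{rid}: {req.approved_by!r} does not hold the approver duty")
        # Segregation: neither the requester nor the beneficiary may approve the request.
        if req.approved_by in (req.requested_by, req.subject):
            issues.append(f"{rid}: self-approval by {req.approved_by!r}")

    # Provisioning must follow authorization and be done by a separate administrator.
    if req.provisioned_by is not None:
        if req.approved_by is None:
            issues.append(f"{rid}: provisioned before authorization")
        if "administrator" not in DUTIES.get(req.provisioned_by, set()):
            issues.append(f"{rid}: {req.provisioned_by!r} does not hold the administrator duty")
        if req.provisioned_by in (req.requested_by, req.approved_by, req.subject):
            issues.append(f"{rid}: {req.provisioned_by!r} also acted as requester, approver or subject")
    return issues


def conflicting_duties(duties: Dict[str, Set[str]] = DUTIES) -> List[str]:
    """People assigned more than one access-control duty (a standing segregation conflict)."""
    return sorted(p for p, d in duties.items() if len(d & ACCESS_CONTROL_DUTIES) > 1)


def audit(requests: List[AccessRequest]) -> Dict[str, List[str]]:
    """Map each request id to its list of violations."""
    return {r.request_id: validate_request(r) for r in requests}


# Constructed sample requests: one compliant, three with different violations.
SAMPLE_REQUESTS = [
    AccessRequest("R-1", "alice", "claims_clerk", "claims_app:write", "alice", "bob", "carol"),
    AccessRequest("R-2", "alice", "claims_clerk", "hr_db:admin", "alice", "alice", "carol"),
    AccessRequest("R-3", "erin", "billing_analyst", "billing_db:read", "bob", None, "carol"),
    AccessRequest("R-4", "alice", "claims_clerk", "claims_app:read", "alice", "dave", "dave"),
]

if __name__ == "__main__":
    for rid, issues in audit(SAMPLE_REQUESTS).items():
        print(rid, "OK" if not issues else "; ".join(issues))
    print("people holding conflicting duties:", conflicting_duties())
```

Run stand-alone, R-1 passes, R-2 is flagged for exceeding the claims_clerk profile and for self-approval by someone without the approver duty, R-3 for being provisioned without any authorization, and R-4 because the same administrator both approved and provisioned the grant; `conflicting_duties()` reports dave, whose combined approver and administrator duties make such a violation possible in the first place. Reviewing the duty table is therefore as much a part of the check as reviewing individual requests.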
