Aligning IT to fit your Business Objective
Dec 14th, 2015 by aperio

IT has emerged as a central business function for many organizations in recent years, and this holds true regardless of the industry an organization serves. Having said that, despite the huge part IT plays in reducing costs, standardizing processes, enhancing productivity and improving workflow and communications, its role in business planning is still largely a subservient one.

It is high time that establishments stop looking at IT as a mere implementation tool with no role in shaping an organization’s business strategy. Today, technological developments pave the way for many business opportunities, and IT can play a proactive and larger role in developing the long-term business strategy of organizations.

Given below are some tips that would help your organization align its IT with its business objectives:

Understand your business and the nature of your organization

Unless you understand the nature of your business and how it fits into the sector and economy, it is very difficult to come up with a serious IT plan that would actually work. You can start by gathering important information such as organization charts, roles and responsibilities, and associated markets and products. Needless to say, you must also possess a crystal clear understanding of your customers and their persona. Also, you must take time to analyze the structure and cultural ethos of your organization. Once you have a map of your corporate model and how it fits into the larger picture, you can start planning for the future. At this stage, it is also crucial that you start documenting all IT assets and applications.

Identify and understand the relationship between your core business and your IT assets

Understand your business’s value chain and analyze its major components. You must have an in-depth understanding of the factors that drive your business, as these key scaling factors play a crucial role in planning IT strategy and alignment. At this stage, you must also duly collate information about internal as well as external factors.

Determine and set the change agenda

While setting the agenda, you must research and analyze your strategy several times. Not only that, you must also ensure that there is a proper balance between the cost, value and precedence of the IT estate, and then identify the impact and implications of the IT alignment plan. Of course, you must also identify requirements, prioritize time frames and functionality, and model and test the strategy well in advance to ensure that the final outcome is worthwhile.

Once you have all the necessary information, chart out an IT plan that has business drive and is not excessively technology-centric

The most difficult hurdle that many organizations face while aligning IT with their business objectives is that most IT strategies lack business drive and are too technology-centric. This strategic variance can be counter-productive and can lead to overly intricate IT infrastructures that are difficult to sustain and modify. In order to avoid such obstacles, it is recommended that organizations invest in strategic partnerships with IT Managed Service Providers who specialize in aligning IT with business objectives.

What Does Your IT Team Need to Know About PCI DSS Compliance?
Dec 9th, 2015 by aperio

(Part 6 in our series on IT Compliance Concerns.)

In Part 5 of our series, we discussed how the Payment Card Industry Data Security Standard (PCI DSS) was created in an effort to improve protections for storing, processing, and transmitting cardholder data. In this part, we will look at some of the details your IT team will need to deal with regarding PCI DSS compliance.

What are some of the Information Technology concerns for PCI DSS compliance?

Keeping in mind that the penalties for failing to comply with these standards can include fines and possibly the termination of privileges to process credit cards, your IT team will need to pay careful attention to many details. We discussed the twelve general requirements for PCI DSS compliance in our last post. Naturally, each one of these raises concerns for your IT department.

Firewalls

This includes installing and maintaining a firewall configuration to protect cardholder data. Additionally, your IT team will need to regularly test your firewall for effectiveness.

Not using vendor-supplied defaults for system passwords and other security parameters

Your company will need to create, maintain, and regularly update your system passwords with unique and secure passwords. You cannot allow your employees to simply continue to use passwords your vendors started them with. For an IT department, getting users to follow password requirements can be a frustrating process. Educating your employees so they understand the real need for inconvenient policies is key to winning their compliance.

Protecting stored cardholder data

(This applies only to companies that store cardholder data.) In addition to encrypting all stored cardholder data, your IT team may need to combine virtual and physical security features. Examples of virtual security: authorization, authentication, etc. Examples of physical security: restricted access, locks on cabinets, servers, etc.

Encrypting transmission of cardholder data across open, public networks

Given the increased use of public networks, your IT team will need to pay close attention to wireless networks and remote access solutions for this requirement.

Using and regularly updating antivirus software

Your IT department is probably already aware of the need for antivirus software. With this requirement in mind, the need to regularly update software and apply patches becomes even more important.

Developing and maintaining secure systems and applications

Your IT team will need to have a process for tracking newly discovered security vulnerabilities in the software your company uses. This may mean making use of alert systems provided by your software vendors.

Restricting access to cardholder data by business need-to-know

This simply means limiting the number of employees who have access to cardholder data. It requires your company to have carefully designed processes for determining which employees will have that access so that your IT team can then provide that access.

Assigning a unique ID to each person with computer access

This will ensure that when actions are taken on critical data, those actions can be connected to known, authorized users.

Restricting physical access to cardholder data

Again, limiting access limits the chances of a security breach.

Tracking and monitoring all access to network resources and cardholder data

This means logging network activity and the appropriate devices, as well as storing those logs in case they are needed later as evidence of a security breach.

Regularly testing security systems and processes

This means conducting regular vulnerability scans for possible weaknesses.

Maintaining a policy that addresses information security

Such a policy needs to address remote access and wireless technologies, removable electronic media, email, internet usage, laptops and other mobile devices, as well as the monitoring of service providers.

Other posts in this series:

Part 5: Is Your Company PCI DSS Compliant?

Is your company PCI compliant?
Dec 4th, 2015 by aperio

(Part 5 in our series on IT Compliance Concerns.)

What is the Payment Card Industry Data Security Standard?

In the first four parts of this series, we discussed SOX compliance (Sarbanes-Oxley or Sarbox) and HIPAA compliance (Health Insurance Portability and Accountability Act) and what Information Technology concerns arise from them. In this post we’ll look at what the Payment Card Industry Data Security Standard (PCI DSS or PCI) is, and how it can affect your company.

PCI DSS originated as five separate security programs run by five different companies: Visa, Mastercard, American Express, Discover, and JCB, a credit card company based in Japan. Each company was attempting to improve protections for storing, processing, and transmitting cardholder data. On December 15, 2004, these companies jointly released version 1.0 of the Payment Card Industry Data Security Standard. The most recent version, 3.1, was released in April 2015.

Which companies should be concerned about PCI DSS compliance?

The PCI DSS is a proprietary standard for organizations handling Visa, Mastercard, American Express, Discover, and JCB credit cards. Private label cards are not included in the PCI DSS.

What are the penalties for failing to comply with PCI DSS?

Penalties are enforced by the payment brands, and can vary. They can include fines for banks of between $5,000 and $100,000 per month. Banks are likely to pass these fines on to merchants, who may also face termination of their relationship with the bank or increased transaction fees, both of which can have a profound negative effect on small businesses.

What does a business need to do to comply with PCI DSS?

Although detailed requirements can vary depending on the level of the business (determined by number of transactions), the twelve general requirements remain the same:

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update antivirus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security.

These requirements naturally mean challenges for your IT department. They may have to implement new security measures or more strictly enforce existing ones. (We will discuss this in more detail in the next part of our series on IT compliance concerns.)

Coming soon: Part 6 in our series on IT Compliance Concerns, “What Does My IT Team Need to Know About PCI DSS Compliance?”

What Does Your IT Team Need to Know About HIPAA Compliance?
Nov 30th, 2015 by aperio

(Part 4 in our series on IT Compliance Concerns.)

In Part 3 of our series, we discussed how the HIPAA Act was created in an effort to make it easier for people to keep health insurance, maintain the confidentiality and security of their healthcare information, and control healthcare administrative costs. In this post, we will focus on some of the concerns faced by your IT team with regard to HIPAA compliance.

What are some of the Information Technology concerns for HIPAA compliance?
The main issue faced by IT with regard to HIPAA is keeping Protected Health Information (PHI) secure. The HIPAA Security Rule covers what is expected of companies with regard to maintaining the security of PHI in electronic form, but does not state the way that entities must go about providing this protection. Instead, it states the factors that should be considered for security measures. These factors include an entity’s size and capabilities, its information technology infrastructure, costs of security measures, and the chance and magnitude of anticipated risks to the security of PHI.

The Security Rule does specifically require that security measures include: measures to maintain the confidentiality, integrity, and availability of all electronic PHI an entity creates, handles, or transmits; measures to identify and protect against threats to the security or integrity of PHI that can be reasonably anticipated; measures to protect against uses or disclosures of electronic PHI that are prohibited by HIPAA; and efforts to ensure that employees comply with HIPAA requirements.

Some of the areas affected by these security needs include:
●    Data encryption.
●    Email encryption.
●    Multi-factor authentication (a system of security that requires multiple methods of authentication from different categories of credentials in order to identify a user for login purposes or for other transactions).
●    Compliance training.
●    Social engineering awareness. (You can read about social engineering in our blog post, “Technology Alone Is Not Enough for Security”.)

Another point to consider is that any company that allows the use of mobile devices for business (particularly hospices, which do much of their work in patients’ homes) will need to be aware of, and have solutions for, mobile devices’ known security issues. As an example, consider the $50,000 penalty paid by the non-profit Hospice of North Idaho. In this case, an unencrypted company laptop containing electronic PHI for 441 patients was stolen. The investigation found that the company had not conducted an adequate risk analysis.
Additional Concerns for HIPAA Regulations for the Use of PHI
Additionally under HIPAA, certain uses of PHI may be curtailed or prohibited. For instance, HIPAA prohibits the use or disclosure of PHI for marketing to individuals without obtaining an authorization, with only some exceptions. HIPAA also prohibits the receipt of direct or indirect remuneration in exchange for PHI. It also has rules for when PHI can and cannot be used for further research.

Coming soon: Part 5 in our series on IT Compliance Concerns, “Your Company and PCI DSS Compliance.”

Additional HIPAA resources:
●    National Hospice and Palliative Care Organization’s Compliance Tip Sheet.

Other posts in this series:
●    Part 1: Making Sure Your Business is SOX Compliant
●    Part 2: SOX Compliance and Your IT Team
●    Part 3: Making Sure Your Business is HIPAA Compliant

What Does HIPAA Mean?
Nov 25th, 2015 by aperio

(Part 3 in our series on IT Compliance Concerns.)

What is the Health Insurance Portability and Accountability (HIPAA) Act?
In the first two parts of this series, we discussed the Sarbanes-Oxley (Sarbox or SOX) Act and what it means in terms of Information Technology concerns. In this article, we’ll look into what the Health Insurance Portability and Accountability Act is, and what it means to your company.

Enacted in 1996, the main purpose of the Health Insurance Portability and Accountability Act (also known as HIPAA or the Kennedy-Kassebaum Act) is to make it easier for people to keep health insurance, maintain the confidentiality and security of their healthcare information, and to control healthcare administrative costs. Title I of HIPAA is concerned with protecting health insurance coverage of workers and their families when they change or lose their jobs; Title II requires the establishment of national standards for electronic health care transactions and the establishment of national identifiers for providers, health insurance plans, and employers. (Title II is also referred to as the Administrative Simplification, or AS, provisions.)

What company types are affected by HIPAA compliance?
Covered entities and their business associates are the entities primarily affected by HIPAA.

Under HIPAA, there are three types of covered entities: health care providers, health plans, and health care clearinghouses.
●    Examples of health care providers include hospitals, clinics, medical and dental practices, nursing homes, hospices, and pharmacies.
●    Health plans can include HMOs and employee-sponsored health plans.
●    Health care clearinghouses include entities that transmit claims or billing information.

Companies that provide services for covered entities and handle Protected Health Information (also known as Personal Health Information or PHI) can be considered business associates under HIPAA. While it is not always easy to determine if a company is considered a business associate, typical examples can include accounting firms, law firms, consultants, software vendors, ISPs, and cloud storage companies. If such a company works with covered entities, their contracts with those covered entities may require them to be compliant with HIPAA.

What are the penalties for failing to comply with HIPAA?
Penalties for covered entities include monetary fines of $1,000 per violation up to an annual maximum of $25,000. These fines are not the only concern; for criminal violations, the fines can be as high as $250,000 and may include up to ten years in prison. And while business associates cannot be prosecuted under HIPAA, they may still face certain penalties. A violation of a business agreement with a covered entity might lead to termination of contracts, and could lead to the risk of civil lawsuits filed by harmed individuals.

How does the HIPAA Privacy Rule work?
Covered entities and business associates are subject to the HIPAA Privacy Rule, which concerns the use and disclosure of PHI. Types of information covered by this rule include name, address, date of birth, Social Security number, and any other information that can be used to identify a patient. It also includes information about a patient’s past, present, or future health condition; the provision of health care to the patient; and the past, present, or future payment for the provision of health care to a patient.

All of these requirements naturally mean challenges for your IT department. (We will discuss these in the next part of our series on IT compliance concerns.)

Coming soon: Part 4 in our series on IT Compliance Concerns, “What Does My IT Team Need to Know About HIPAA Compliance?”

To learn more about HIPAA and related issues:

●    How companies are (and are not) allowed to use PHI (Protected Health Information).
●    Additional details concerning business associates and subcontractors.

Other posts in this series:
●    Part 1: Making Sure Your Business is SOX Compliant
●    Part 2: SOX Compliance and Your IT Team
