
Certifications Implementation

At Hitrust Infotech Solution Pvt Ltd., we understand the critical importance of adhering to industry standards and regulatory requirements to secure your digital assets. Our comprehensive Certifications Implementation services are designed to guide you through the process of obtaining and maintaining essential certifications, ensuring your systems, networks, and applications comply with the highest security standards and best practices, providing robust protection against potential threats.


What We Offer:

01. Implementing ISO 27001:2022

It involves establishing, maintaining, and continually improving an information security management system (ISMS) that meets the requirements of the standard. This process helps organizations manage the security of assets such as financial information, intellectual property, employee details, and information entrusted by third parties. The standard promotes a risk management approach to identify, assess, and address security risks effectively.

1. World's Best-Known ISMS Standard: ISO/IEC 27001 is the most widely recognized standard for information security management systems (ISMS).

2. Requirements for ISMS: It defines the requirements that an ISMS must meet.

3. Applicable to All Organizations: Provides guidance for establishing, implementing, maintaining, and continually improving an ISMS for companies of any size and from all sectors.

4. Risk Management: Ensures that an organization has a system to manage risks related to the security of data owned or handled by the company.

5. Best Practices and Principles: Conformity means the system respects all best practices and principles enshrined in the standard.

6. Proactive Cyber-Risk Management: Helps organizations become risk-aware and proactively identify and address weaknesses amidst rising cyber-crime and emerging threats.

7. Holistic Approach: Promotes a comprehensive approach to information security by vetting people, policies, and technology.

8. Tool for Various Objectives: An ISMS implemented according to ISO/IEC 27001 aids in risk management, cyber-resilience, and operational excellence.

02. Implementing HIPAA Compliance :-

It involves establishing and maintaining policies, procedures, and safeguards to protect the privacy and security of protected health information (PHI) as mandated by the Health Insurance Portability and Accountability Act (HIPAA). This ensures that healthcare providers, insurers, and their business associates manage PHI in a way that maintains its confidentiality, integrity, and availability.

1. HIPAA Overview :

  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law.
  • It required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.

2. HIPAA Security Rule :

  • Requires covered entities and their business associates to protect patients' electronically stored protected health information (ePHI).
  • Utilizes appropriate administrative, physical, and technical safeguards.
  • Ensures the confidentiality, integrity, and availability of ePHI.

3. Safeguarding PHI :

  • Protects PHI, including bio data and medical records.
  • Requires covered entities, such as healthcare providers and insurance companies, to keep patient health information private.

4. HIPAA Compliance : There are two main parts to HIPAA compliance

  • Privacy Rule: Protects the privacy of all patient health information.
  • Security Rule: Specifically protects ePHI by ensuring appropriate security measures are in place.

03. PCI DSS Compliance :-

It involves adhering to the Payment Card Industry Data Security Standard, which mandates secure handling of credit card information to protect against fraud and data breaches. It is applicable to any organization that processes, stores, or transmits cardholder data. Compliance ensures the secure collection, transmission, and storage of credit card data, and includes annual validation through various assessments.

1. PCI Compliance :

  • PCI compliance refers to adherence to the Payment Card Industry Data Security Standard (PCI DSS).
  • It ensures that all companies that process, store, or transmit credit card information maintain a secure environment.

2. Scope of PCI DSS :

  • PCI DSS is the global security standard for all entities that store, process, or transmit cardholder data and/or sensitive authentication data.
  • Helps reduce fraud and data breaches across the entire payment ecosystem.
  • Applicable to any organization that accepts or processes payment cards.

3. Components of PCI DSS Compliance :

  Handling Ingress of Credit Card Data :
  • Ensure sensitive card details are collected and transmitted securely.

  Storing Data Securely :
  • Implement measures such as encryption, ongoing monitoring, and security testing of access to card data.
  • Follow the 12 requirements of the PCI DSS standard.

  Annual Validation :
  • Includes self-assessment questionnaires (SAQs), attestations of compliance, external vulnerability scans by an Approved Scanning Vendor (ASV), and, for larger merchants and service providers, an on-site assessment by a Qualified Security Assessor (QSA).
  • Validate that the required security controls are in place.

04. Implementing ISO/IEC 27701:2019 :-

It involves establishing, maintaining, and continually improving a Privacy Information Management System (PIMS) within the context of an organization. This system extends the Information Security Management System (ISMS) to include privacy management, ensuring compliance with both the standard and applicable privacy laws such as the GDPR.

1. Overview of ISO/IEC 27701:2019 :

  • Outlines specifications and offers recommendations for developing a Privacy Information Management System (PIMS).
  • Intended for organizations to manage privacy information within their context.

2. Compliance Requirements :

  • Organizations must design, develop, and implement PIMSs in line with ISO 27701.
  • Must also comply with applicable local, national, and international laws, such as the GDPR.

3. Integration with Existing Standards :

  • PIMS works in tandem with the organization's Information Security Management System (ISMS).
  • ISO/IEC 27701 is an extension of ISO/IEC 27001 and cannot be certified on its own: a conforming ISO/IEC 27001 ISMS is a prerequisite before the privacy requirements can be implemented and audited.

4. Relation to ISO/IEC 27002 :

  • ISO/IEC 27701 builds on the guidelines provided by ISO/IEC 27002 for privacy management.

05. Implementing ISO 9001:2015 :-

It involves establishing, maintaining, and continually improving a Quality Management System (QMS) to meet the standard's requirements. This ensures the effective management of processes, procedures, and activities for producing products or delivering services.

1. Worldwide Standard :

  • ISO 9001:2015 is a global standard for Quality Management Systems (QMS).

2. Requirements for QMS :

  • Sets requirements for a strong QMS.
  • Details specific processes, procedures, and activities organizations must create, implement, maintain, and improve.

06. Implementing ISO/IEC 17024:2012 :-

It involves establishing and maintaining a certification scheme for individuals, ensuring that the scheme meets the specified principles and requirements for certifying persons against set standards. This includes developing and adhering to guidelines for creating and maintaining the certification scheme.

1. Principles and Requirements :

  • Contains principles and requirements for a body certifying persons against specific requirements.
  • Includes the development and maintenance of a certification scheme for individuals.

2. Certification Scheme :

  • Specifies principles and specifications for creating and maintaining a certification scheme for individuals.
  • Sets requirements for a body certifying people in accordance with specified standards.

3. Utilization of the Standard :

  • Governmental agencies, scheme owners, and others may use ISO/IEC 17024:2012 as a criteria document.
  • It can be used for accreditation, peer evaluation, or recognition purposes.


07. Implementing ISO/IEC 20000 :-

It involves establishing and maintaining a Service Management System (SMS) that meets the requirements of the standard. This includes adopting best practices from the ITIL framework to effectively manage IT services within an organization.

1. International Standard for IT Service Management :

  • ISO/IEC 20000 is the international standard for IT service management.
  • Developed by ISO/IEC JTC1/SC7, revised in 2011 and 2018.

2. Origins and Development :

  • Originally based on BS 15000 developed by BSI Group.
  • Reflects best practice guidance from the ITIL framework.

3. Publication and Revisions :

  • First published in December 2005.
  • Updated to ISO/IEC 20000-1:2011 in June 2011.
  • ISO/IEC 20000-2:2012 was updated in February 2012.

4. Recent Revision :

  • ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, was released in July 2018.
  • Certified entities enter a three-year transition period to update to the new version.

08. Implementing GDPR :-

It involves establishing and maintaining the policies, records of processing, and technical and organizational measures needed to process personal data lawfully under the General Data Protection Regulation. This includes identifying what personal data the organization holds and why, documenting the lawful basis for each processing activity, and putting in place the controls and procedures that let the organization honour data-subject rights and report breaches.

1. General Data Protection Regulation (GDPR) :

  • GDPR stands for General Data Protection Regulation, a European Union (EU) law.
  • Came into effect on 25th May 2018.

2. Purpose :

  • Governs the way in which personal data (information about an identifiable, living person) can be used, processed, and stored.

3. Scope :

  • Protects the personal data of individuals who are in the EU, regardless of their nationality.
  • Applies to organizations established in the EU, and to non-EU organizations that offer goods or services to, or monitor the behaviour of, individuals in the EU.

4. Key Principles :

  • Requires a lawful basis for every processing activity; consent is one of six lawful bases, not the only one, and where it is relied on it must be freely given, specific, informed, and withdrawable.
  • Imposes obligations on organizations to protect personal data and ensure its confidentiality, integrity, and availability.

5. Rights of Data Subjects :

  • Gives individuals rights over their personal data, including rights to access, rectify, erase, and restrict the processing of their data.

6. Penalties :

  • Non-compliance with GDPR can lead to fines imposed by data protection authorities of up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher, for the most serious infringements.

09. CMMI Level 1 to 5 :-

1. Definition and Purpose :

  • Capability Maturity Model Integration (CMMI) is a process level improvement training and appraisal program.
  • Administered by the CMMI Institute, a subsidiary of ISACA, and developed at Carnegie Mellon University (CMU).
  • Required by many U.S. Government contracts, especially in software development.
  • CMU claims CMMI can guide process improvement across projects, divisions, or entire organizations.

2. Maturity Levels :

  • CMMI defines five maturity levels (1 to 5) for processes: Initial, Managed, Defined, Quantitatively Managed, and Optimizing.
  • Each level represents a different stage in the maturity of an organization's processes, from ad hoc and chaotic to continuously improving.

3. Versions and Publication :

  • CMMI Version 3.0 was published in 2023.
  • Version 2.0 was published in 2018, and Version 1.3 was published in 2010.
  • CMMI is registered in the U.S. Patent and Trademark Office by CMU.

10. SOC Audits :-

They evaluate and provide assurance on the effectiveness of a service organization's internal controls over financial reporting (SOC 1) or over security, availability, processing integrity, confidentiality, and privacy (SOC 2 and SOC 3). They are performed by licensed certified public accountant (CPA) firms under the AICPA's attestation standards, and result in a report that the organization's customers and their auditors can rely on.

1. Definition and Purpose :

  • A SOC audit evaluates the design (Type I) and, for Type II reports, the operating effectiveness over a period of a company's internal controls: financial reporting controls for SOC 1, the trust services criteria for SOC 2 and SOC 3.
  • Conducted by a licensed CPA firm; only a CPA firm can issue a SOC report.
  • Typically requested from service providers such as cloud computing providers, data centers, and payment processors by their customers.

2. Types of SOC Audits :

  • SOC 1 : Evaluates internal controls over financial reporting.
  • SOC 2 : Evaluates internal controls over security, availability, processing integrity, confidentiality, and privacy.
  • SOC 3 : Provides a general overview of internal controls over security, availability, processing integrity, confidentiality, and privacy; less detailed than SOC 2 audits.

3. Focus Areas: :

  • SOC 1 focuses on financial reporting controls.
  • SOC 2 and SOC 3 focus on controls related to security, availability, processing integrity, confidentiality, and privacy.

4. Audience and Assurance :

  • Provides assurance to stakeholders that the company’s controls meet established criteria.
  • Helps service organizations demonstrate their commitment to security and reliability to customers and partners.

Why Choose Us :

Expertise : Our team comprises certified security professionals with extensive experience in web application security testing across diverse industries.

Proven Methodologies : We follow industry best practices and adhere to recognized standards such as OWASP (Open Web Application Security Project) to ensure the highest quality of testing.

Client-Centric Approach : We prioritize client satisfaction and strive to deliver results that exceed expectations. Our team is committed to providing responsive support and guidance throughout the testing process and beyond.

Protect your web applications from cyber threats with our comprehensive Penetration Testing services.

Get Started Today:
