Compliance Advisory

With ever-increasing cyber regulations, you need to be sure your organization is in compliance to avoid large penalties, protect your data and mitigate risk. Ocellus Tech can help you understand cyber regulations related to your industry and navigate through them to help your organization establish preparedness and resilience. We provide compliance advisory services including, but not limited to, the following regulations:

• 23 NYCRR 500
  Enacted on March 1, 2017, the New York Department of Financial Services (DFS) issued a regulation designed to promote the protection of financial customer information, as well as information technology systems of regulated entities. 23 NYCRR 500 requires each regulated entity to assess its specific risk profile and design a program that addresses vulnerabilities in a robust fashion.It’s now mandatory that a formal Risk Assessment be performed (& maintained) as well as having a CISO or vCISO report out to whatever relevant governing-board is in place.

  Regulated entities involve a broad range of businesses, including Credit Unions, Banks, Credit Card companies, Insurance companies, Consumer Finance companies, Stock Brokerages, Investment Funds, Charitable Foundations, State-Regulated corporations and some Government-Sponsored enterprises.

• HIPAA
  Established in 1996 to develop standards for electronic healthcare transactions and national identifiers for providers, insurance plans and employers, the Health Insurance Portability & Accountability Act (HIPAA) regulates Protected Health Information (PHI) and how it is maintained & safeguarded. HIPAA violations have hefty penalties, so you’ll want to ensure your organization is protected & in compliance.

• HITECH
  The Health Information Technology for Economic and Clinical Health Act (HITECH) is part of the American Recovery and Reinvestment Act (ARRA) of 2009 and creates incentives related to health care information technology, including incentives for the use of electronic health record (EHR) systems among providers.

  Because HITECH legislation results in an expansion in the exchange of electronic protected health information (ePHI), it also widens the scope of privacy and security protections under the Health Insurance Portability and Accountability Act (HIPAA), including increasing legal liability for non-compliance as well as more enforcement actions and penalties. The following are highlights of key HITECH provisions as they relate to HIPAA.

• FERPA
  The Family Educational Rights & Privacy Act (FERPA) is a Federal law that protects the privacy of student education records and applies to all schools that receive funding from programs of the U.S. Department of Education. FERPA gives parents certain rights with respect to their children’s education records, which transfer to the student when he or she reaches the age of 18 or attends an educational institution beyond high school.With FERPA, schools must provide:

  • access to education records
  • an opportunity to have records amended
  • control over disclosure of information from records

  Schools are required to redact and protect personally identifiable information about students and prevent exposure of this information without appropriate consent.

• GBLA
  The Gramm-Leach-Bliley Act (GBLA) requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.

• FISMA
  The Federal Information Security Modernization Act of 2014 (FISMA) updates the Federal Government’s cybersecurity practices. It defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats. FISMA designates responsibilities to various government agencies to ensure the security of data. The act requires these agencies to conduct annual reviews of information security programs.

Services Offered:

• Risk Assessment & Gap Analysis
• Cyber Program/Policies & Procedures Development
• Penetration & Vulnerability Assessment/Testing
• Incident Response Planning

References:

• https://www.governor.ny.gov/sites/governor.ny.gov/files/atoms/files/Cybersecurity_Requirements_Financial_Services_23NYCRR500.pdf
• https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
• https://www.asha.org/Practice/reimbursement/hipaa/HITECH-Act/
• https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html
• https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act
• https://searchsecurity.techtarget.com/definition/Federal-Information-Security-Management-Act