Security Acronym Soup

February 21, 2019

2018 was the year of security and compliance at NextRequest. We have spent extraordinary amounts of time, resources, and brainpower to put security best practices and measures in place, and we’re really making some strides! Today we announce that we now map to CJIS and HIPAA Security Rule controls, and there’s more on the way!

It seems as though new compliance acronyms pop up overnight. We wanted to share what the various compliance terms mean, whom they apply to, and, most importantly, in what ways our FOIA software is in compliance.

NOTE: This blog post is for informational purposes only and should not be taken as legal advice. You should contact an attorney or compliance professional to obtain advice with respect to your organization’s particular issues.


CJIS

WHAT DOES CJIS MEAN?
The Criminal Justice Information Services Division (CJIS) refers to a division of the U.S. Federal Bureau of Investigation (FBI). Established in 1992, the division is currently the largest division of the FBI. CJIS’s mission is to reduce criminal and terrorist activities by providing crucial and timely information to the FBI and qualified law enforcement and criminal justice agencies.

In order to preserve the integrity of data, CJIS has advanced a variety of policies for wireless networking, data encryption, remote access and authentication. Some of their rules include:

  • Session lockout after 30 minutes of inactivity
  • A limit of 5 unsuccessful login attempts per user
  • Access restriction based on a variety of factors including job assignment, time of day, IP address and physical location
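As an added illustration (not NextRequest’s code), here is how the first two rules above look when enforced in application logic: a per-user failed-login counter that locks the account on the 5th failure, and a session idle timer that drops the session after 30 minutes. The credential check, user names and timestamps are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, Optional

MAX_FAILED_LOGINS = 5              # CJIS: at most 5 unsuccessful login attempts per user
IDLE_LOCK = timedelta(minutes=30)  # CJIS: lock the session after 30 minutes of inactivity

@dataclass
class AccountState:
    failed_logins: int = 0
    locked: bool = False
    last_activity: Optional[datetime] = None  # None means no active session

class LoginGuard:
    """Failed-login lockout and idle-session lock per user (assumed helper, not NextRequest code)."""
    def __init__(self, check_password: Callable[[str, str], bool]):
        self._check = check_password  # the real credential check is injected
        self._accounts: Dict[str, AccountState] = {}

    def login(self, user: str, password: str, now: datetime) -> str:
        st = self._accounts.setdefault(user, AccountState())
        if st.locked:
            return "locked"  # stays locked until an administrator resets the account
        if not self._check(user, password):
            st.failed_logins += 1
            if st.failed_logins >= MAX_FAILED_LOGINS:
                st.locked = True  # the 5th failure trips the lock
                return "locked"
            return "denied"
        st.failed_logins, st.last_activity = 0, now  # success resets the counter and opens a session
        return "ok"

    def touch(self, user: str, now: datetime) -> bool:  # False means the user must log in again
        st = self._accounts.setdefault(user, AccountState())
        if st.last_activity is None or now - st.last_activity >= IDLE_LOCK:
            st.last_activity = None  # no session, or idle for 30 minutes: drop it
            return False
        st.last_activity = now  # any authenticated request restarts the idle clock
        return True

def demo() -> list:
    """Constructed scenario: five bad passwords lock one account; another user's idle session expires."""
    t0 = datetime(2019, 2, 21, 9, 0)
    guard = LoginGuard(lambda user, pw: pw == "correct horse")  # constructed credential check
    out = [guard.login("clerk", "wrong", t0) for _ in range(5)]
    out.append(guard.login("clerk", "correct horse", t0))  # right password, but account is locked
    out.append(guard.login("analyst", "correct horse", t0))
    out.append(guard.touch("analyst", t0 + timedelta(minutes=29)))  # active: session kept
    out.append(guard.touch("analyst", t0 + timedelta(minutes=59)))  # 30 min idle: session dropped
    return out
```

Note that a correct password does not clear a lock: once tripped, the lock is released only by an administrative reset, which keeps a guessed-then-correct password from silently restoring access.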

DOES CJIS APPLY TO EVERYONE?
The CJIS Security Policy applies to all organizations and individuals that access CJI (criminal justice information) or support criminal justice services.

WHY IS CJIS COMPLIANCE IMPORTANT?
Every day, law enforcement agencies across the U.S. access CJIS databases to gain information that can help them identify lawbreakers or potential national threats, perform background checks, and track criminal activity. CJIS compliance is necessary to keep networks aligned on matters of data security and encryption. It is also necessary to ensure that sensitive intelligence data doesn’t fall into the wrong hands.

HOW IS NEXTREQUEST IN COMPLIANCE WITH CJIS?
NextRequest maps to CJIS security controls. Additionally, we have undertaken an independent third-party audit of our security and privacy practices.

That said, the FBI’s CJIS Division does not evaluate products or services for compliance itself, nor does it issue any document asserting a vendor or product meets particular requirements. An email from Stephen Exley, information security analyst within the CJIS Information Security Officer Program, testifies to that fact: “Please be aware there is no CJIS certification process with regard to the CJIS Security Policy. The only certifications related to CJIS that I know of are in regard to facial recognition and fingerprint capture standards. Those do not have any relation to the CJIS Security Policy. … We do not certify, nor endorse any product, solution, or vendor.”

The sole certification activity conducted in connection with the CJIS Security Policy is self-certification, more properly called self-attestation. In that process, an agency carefully documents how it has complied with each requirement in the CJIS Security Policy and then provides that documentation, outlining the results of its self-assessment, to the FBI’s CJIS Division. Compliance is therefore something an organization attests to: through policies, practices, hardware and software implementation, personnel training and accountability, it demonstrates that it has met a specific mandate or regulation.

RESOURCES
https://www.nccpsafety.org/assets/files/library/Is_Your_Vendor_CJIS-Certified.pdf


HIPAA

WHAT IS HIPAA?
HIPAA, or the Health Insurance Portability and Accountability Act of 1996, covers both individuals and organizations. Those who must comply with HIPAA are often called HIPAA-covered entities.

HIPAA-covered entities include health plans, clearinghouses, and certain health care providers.

For HIPAA purposes, health plans include:

  • Health insurance companies
  • HMOs, or health maintenance organizations
  • Employer-sponsored health plans
  • Government programs that pay for health care, like Medicare, Medicaid, and military and veterans’ health programs


WHAT AGENCIES NEED TO ADHERE TO HIPAA?
A local government may operate a self-funded health plan that qualifies as a HIPAA-covered entity. The government may contract with a third-party administrator to manage the plan, but the plan itself may be a component of the local government. If so, the local government would be the covered entity.

Many local governments, especially counties, are HIPAA-covered entities because they offer services or have staff that (1) meet the definition of “health care provider” under HIPAA and (2) transmit health information in electronic form in connection with a HIPAA-covered transaction.

For example, a county may operate a clinic in the health department that meets the definition of health care provider. Or a municipality may offer emergency medical services that meet the definition. The definition of health care is expansive and therefore it may be possible that unexpected components of the local government are also providers. For example, a department of social services may employ a nurse-social worker to counsel foster children.

If a covered entity, like a local government, has a mix of functions – some that are required to be covered and some that are not – the HIPAA regulations allow the entity to designate itself a “hybrid entity”, thereby limiting its compliance responsibilities to only certain parts of the entity. By definition, a hybrid entity is simply a single legal entity that has both covered and non-covered components and designates itself a hybrid entity by identifying its covered health care components.

In order to become a hybrid, the entity – such as the city or the county – must draw invisible lines throughout its organization identifying who will be required to comply and who will not.

WHY IS HIPAA COMPLIANCE IMPORTANT?
HIPAA streamlines administrative healthcare functions, improves efficiency in the healthcare industry, and ensures protected health information is shared securely.

HOW IS NEXTREQUEST IN COMPLIANCE WITH HIPAA?
NextRequest maps our security controls to HIPAA’s Security Rule.

There are a number of other rules within HIPAA (e.g. the Privacy Rule) that cover the business practices of covered entities. If a covered entity enters into a relationship with another entity to handle Personal Health Information (PHI), HIPAA requires a Business Associate Agreement (BAA), also called a “business associate contract”.

If you’re unsure whether you need to be HIPAA compliant, ask yourself the following questions:

  • Are you a covered entity under HIPAA?
  • Has your organization signed a BAA with other vendors handling similar data or records?

RESOURCES
https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/AreYouaCoveredEntity.html

https://canons.sog.unc.edu/should-a-local-government-be-a-hipaa-hybrid-entity/


PCI

WHAT DOES PCI MEAN?
The Payment Card Industry Data Security Standard, or PCI for short, is the compliance standard that applies to any organization, regardless of size or transaction volume, that accepts credit cards. Any organization that processes, stores or transmits credit card information must be PCI compliant.

In the event of a data breach, lack of PCI compliance could result in steep fines by the PCI Security Standards Council. PCI compliance for small businesses lessens the liability for your business when a data breach occurs.

WHO NEEDS TO BE PCI COMPLIANT?
Any entity that processes, handles, or stores credit card data is required to be PCI DSS Compliant.

WHY IS PCI COMPLIANCE IMPORTANT?
The main purpose of PCI is to reduce the risk of debit and credit card data theft by hackers and thieves.

IS NEXTREQUEST PCI COMPLIANT?
All payments on NextRequest are processed through Stripe, a PCI Level 1 Service Provider. NextRequest does NOT store customer credit card information on our servers.

RESOURCES
https://www.centurybizsolutions.net/pci-compliance/what-does-pci-compliance-mean-for-your-business/

https://securionpay.com/blog/pci-compliance-important-every-merchant/