Compliance and Risk Service Industry Standards:
- PCI DSS: Payment Card Industry Data Security Standard Compliance;
- HIPAA: Health Insurance Portability and Accountability Act;
- GDPR: General Data Protection Regulation;
- CMMI: Capability Maturity Model Integration.
- Introduction to PCI DSS - Payment Card Industry Data Security Standard Compliance
Maintaining payment security is required for all entities that store, process or transmit cardholder data. Guidance for maintaining payment security is provided in PCI security standards. These set the technical and operational requirements for organizations accepting or processing payment transactions, and for software developers and manufacturers of applications and devices used in those transactions.
- What is PCI-DSS:
The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information. The PCI DSS was created jointly in 2004 by four major credit-card companies: Visa, MasterCard, Discover and American Express.
- Why PCI-DSS
- To reduce the risk of debit and credit card data loss.
- It describes how such loss can be prevented and detected, and how to react if a potential data breach occurs.
- It provides protection for both merchants and cardholders.
- What benefits it brings to business:
- Reduces the Risk of a Data Breach
- Helps to Avoid Fines
- Protects Customers
- Improves Brand Reputation
- Imparts a Mindset of Security
- Serves as a Globally Accepted Standard
- Provides a Starting Point for Other Regulations
- Peace of Mind
- Applicable to
Those who are associated with payment cards, including merchants of all sizes, financial institutions, point-of-sale vendors, and hardware and software developers.
- Introduction to HIPAA - Health Insurance Portability and Accountability Act:
The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data. Organizations that handle protected health information (PHI) must have physical, network, and process security measures in place and follow them to ensure HIPAA compliance. Anyone who provides treatment, payment, or operations in healthcare, as well as business associates (anyone who has access to patient information and provides support in treatment, payment, or operations), must meet HIPAA compliance. Other entities, such as subcontractors and any other related business associates, must also be in compliance.
- What is HIPAA - Health Insurance Portability and Accountability Act:
The HIPAA Privacy Rule addresses the use and disclosure of individuals’ health information, called “Protected Health Information (PHI)”.
The HIPAA Privacy Rule is intended to assure that an individual’s health information is properly protected, while still allowing the flow of health information needed to provide and promote quality health care. The HIPAA Privacy Rule permits important uses of information, while protecting the privacy of people who seek healthcare.
The HIPAA Privacy Rule is designed to be flexible and comprehensive, to cover the variety of uses and disclosures that need to be addressed. Covered entities regulated by the Rule are required to comply with all of its applicable requirements.
- Why HIPAA - Health Insurance Portability and Accountability Act:
- Secure and confidential storage of patient’s data.
- Better coordination of healthcare data due to standardisation of data formats.
- Do away with health plan–specific reporting and filing requirements for hospitals and health care providers.
- Reduce paper involvement in managing healthcare records.
- Avoid sanctions due to improper handling of data records and data breaches.
- What are the benefits of HIPAA
HIPAA protects patients against the following violations:
- Disclosure or use of protected health information (PHI) without authorization.
- Absence or lack of technical safeguards to protected health information.
- Inability for patients to access their protected health information.
- Lost or stolen devices with PHI data.
- Illegal or excessive access to patients’ files by employees.
- HIPAA is applicable to:
HIPAA regulations cover: medical centres, clinics, and hospitals; private practices; outpatient providers; hospices and adult care providers; pharmacies; laboratories; health plans and insurance providers.
- Introduction to GDPR - General Data Protection Regulation
Data breaches inevitably happen. Information gets lost, stolen or otherwise released into the hands of people who were never intended to see it – and those people often have malicious intent.
Under the terms of GDPR, not only do organisations have to ensure that personal data is gathered legally and under strict conditions, but those who collect and manage it are obliged to protect it from misuse and exploitation, as well as to respect the rights of data owners – or face penalties for not doing so.
- What is GDPR - General Data Protection Regulation
GDPR stands for General Data Protection Regulation. It’s the core of Europe’s digital privacy legislation.
At its core, GDPR is a new set of rules designed to give EU citizens more control over their personal data. It aims to simplify the regulatory environment for business so both citizens and businesses in the European Union can fully benefit from the digital economy.
- What does GDPR mean for businesses?
GDPR establishes one law across the continent and a single set of rules which apply to companies doing business within EU member states. This means the reach of the legislation extends further than the borders of Europe itself, as international organisations based outside the region but with activity on ‘European soil’ will still need to comply.
- Why GDPR
- Obligations for data controllers;
- Rights for data subjects;
- Impact on cross-border data flows;
- Global influence.
- What benefits it brings to business:
- Improved consumer confidence
- Better data security
- Reduced maintenance costs
- Better alignment with evolving technology
- Greater decision-making
- Who does GDPR apply to?
GDPR applies to any organisation operating within the EU, as well as any organisations outside of the EU which offer goods or services to customers or businesses in the EU. That ultimately means that almost every major corporation in the world needs a GDPR compliance strategy.
There are two different types of data-handlers the legislation applies to: ‘processors’ and ‘controllers’.
- Introduction to CMMI - Capability Maturity Model Integration
Originally created for the U.S. Department of Defense to assess the quality and capability of their software contractors, CMMI models have expanded beyond software engineering to help any organization in any industry build, improve, and measure their capabilities and improve performance.
For over 25 years, high-performing organizations around the world have achieved demonstrable, sustainable business results with CMMI.
Descriptive Practices Focused on Improvement
CMMI best practices focus on what needs to be done to improve performance and align operations to business goals. Designed to be understandable, accessible, flexible, and integrate with other methodologies such as agile, CMMI models help organizations understand their current level of capability and performance and offer a guide to optimize business results.
- What is CMMI
The Capability Maturity Model Integration (CMMI) is a process and behavioral model that helps organizations streamline process improvement and encourage productive, efficient behaviors that decrease risks in software, product and service development.
The CMMI was developed by the Software Engineering Institute at Carnegie Mellon University as a process improvement tool for projects, divisions or organizations.
The CMMI starts with an appraisal process that evaluates three specific areas: process and service development, service establishment and management, and product and service acquisition. It’s designed to help improve performance by providing businesses with everything they need to consistently develop better products and services.
- Why CMMI
- It is a process model;
- It is a behavioural model;
- Businesses use it to tackle the logistics of improving performance by developing measurable benchmarks;
- It creates a structure for encouraging productive, efficient behaviour throughout the organization.
- CMMI Maturity Levels
The CMMI model breaks down organizational maturity into five levels. For businesses that embrace CMMI, the goal is to raise the organization up to Level 5, the “optimizing” maturity level. Once businesses reach this level, they aren’t done with the CMMI. Instead, they focus on maintenance and regular improvements.
CMMI’s five Maturity Levels are:
Initial:
Processes are viewed as unpredictable and reactive. At this stage, “work gets completed but it’s often delayed and over budget.” This is the worst stage a business can find itself in — an unpredictable environment that increases risk and inefficiency.
Managed:
There’s a level of project management achieved. Projects are “planned, performed, measured and controlled” at this level, but there are still a lot of issues to address.
Defined:
At this stage, organizations are more proactive than reactive. There’s a set of “organization-wide standards” to “provide guidance across projects, programs and portfolios.” Businesses understand their shortcomings, how to address them and what the goal is for improvement.
Quantitatively managed:
This stage is more measured and controlled. The organization is working off quantitative data to determine predictable processes that align with stakeholder needs. The business is ahead of risks, with more data-driven insight into process deficiencies.
Optimizing:
Here, an organization’s processes are stable and flexible. At this final stage, an organization will be in a constant state of improving and responding to changes or other opportunities. The organization is stable, which allows for more “agility and innovation” in a predictable environment.
Once organizations hit Levels 4 and 5, they are considered high maturity, where they are “continuously evolving, adapting and growing to meet the needs of stakeholders and customers.” That is the goal of the CMMI: To create reliable environments, where products, services and departments are proactive, efficient and productive.
- What benefits CMMI can bring to business:
- Increased customer satisfaction
- Improved success with landing and retaining new clients
- Better productivity and efficiency, which will create more profits
- Decreased risk
Latest Version:
CMMI V2.0 helps organizations quickly understand their current level of capability and performance in the context of their own business objectives and compared to similar organizations.
Designed to optimize business performance in an ever-changing global landscape, the CMMI V2.0 model is a proven set of global best practices that enables organizations to build and benchmark the key capabilities that address the most common business challenges, including:
- Ensuring Quality
- Engineering & Developing Products
- Delivering & Managing Services
- Selecting & Managing Suppliers
- Planning & Managing Work
- Managing Business Resilience
- Managing the Workforce
- Supporting Implementation
- Sustaining Habit & Persistence
- Improving Performance
- CMMI is applicable to
CMMI has been adopted by government organizations and across many industries (e.g., software, finance, manufacturing, services).
Our Consulting approach:
- Gap Analysis: Assessment of existing management system practices against the selected standard requirements.
- Project Plan: Prepare an implementation project plan based on the required timelines;
- Orientation Training: Top/senior management orientation on the selected standard’s requirements and preparation of implementation action plans;
- Developing different levels of documentation (Tier 1-3/4): Identification of the processes required for the products produced and services provided; external and internal issues affecting the business; interested parties’ needs and expectations; framing a draft quality policy, organizational objectives, roles, responsibilities and authorities, the risks and opportunities that arise, functional and system procedures, and the various implementation formats and checklists;
- System Implementation: Implementation of the selected management system as per the developed documentation;
- Company-wide Training: Training on detailed clause-wise requirements and relating them to each department, 5-S implementation, and internal audit.
- Internal Audits: Periodic assessment of system implementation and corrective actions.
- Pre-assessment: Initial audit by the certifying agency and implementation of corrective actions.
- Final Assessment: Certification audit by the certifying agency and recommendation for certification.