Importance of Mainframe Encryption

Importance of Mainframe EncryptionHaving a solid encryption tool in place is not a luxury anymore in 2014; it’s just another cost of doing business in the world we live in today. The importance of encryption, and mainframe encryption for organizations using the mainframe, is evident every time a news agency breaks a story describing an epic loss of data, usually resulting in millions of dollars stolen or customer’s personal information taken. These stories tend to have staying power in the news and also in the minds of current and potential customers.

If avoiding negative press and a loss of customers isn’t enough to highlight the importance of having a sound data security plan and encryption tool in place, the many compliance regulations will. The regulations that organizations must adhere to are not optional and as such, we’re providing a summary of four of these mandatory compliance regulations.

This, by no means, is an exhaustive list of compliance regulations any organization needs to follow, but it’s a place to start. Depending on your organization’s industry, this list may encompass most of the main regulations of concern or it may only be a small portion. Needless to say, being in compliance is of utmost importance for any company and having help to achieve it can be priceless. E-Business Server™ is a cross-platform encryption tool that can take much of the burden off an organization’s quest for compliance. E-Business Server is an excellent z/OS mainframe encryption solution while also working on the other major platforms (Windows, Linux, AIX, Solaris, HP-UX and of course System z).

Protecting data is a key component to most vital regulations and it’s the basis for encryption and for those organizations that use the z/OS mainframe, mainframe encryption. These comprehensive overviews contain the main components of each regulatory agency and even more information can be found on their respective websites via the links provided. There is no substitute for legal advice when it comes to being in line with these regulations.


PCI DSS (Payment Card Industry’s Data Security Standard)

The following explanation of the PCI DSS is from the PCI Security Standards Council™

Introduction and PCI Data Security Standard Overview

The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. PCI DSS applies to all entities involved in payment card processing – including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data. PCI DSS comprises a minimum set of requirements for protecting cardholder data, and may be enhanced by additional controls and practices to further mitigate risks. Below is a high-level overview of the 12 PCI DSS requirements.

PCI Data Security Standard – High Level Overview

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel

HIPAA (Health Insurance Portability and Accountability Act)

This explanation of HIPAA is from the U.S. Department of Health & Human Services

The Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) establishes, for the first time, a set of national standards for the protection of certain health information. The U.S. Department of Health and Human Services (“HHS”) issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The Privacy Rule standards address the use and disclosure of individuals’ health information—called “protected health information” by organizations subject to the Privacy Rule — called “covered entities,” as well as standards for individuals’ privacy rights to understand and control how their health information is used. Within HHS, the Office for Civil Rights (“OCR”) has responsibility for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties.

A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well being. The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing. Given that the health care marketplace is diverse, the Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed.

This is a summary of key elements of the Privacy Rule and not a complete or comprehensive guide to compliance. Entities regulated by the Rule are obligated to comply with all of its applicable requirements and should not rely on this summary as a source of legal information or advice…

HITECH (Health Information Technology for Economic and Clinical Health) Act

This HITECH summary is from the website.

The Health Information Technology for Economic and Clinical Health (HITECH) Act seeks to improve American health care delivery and patient care through an unprecedented investment in Health IT (HIT). The provisions of the HITECH Act are specifically designed to work together to provide the necessary assistance and technical support to providers, enable coordination and alignment within and among states, establish connectivity to the public health community in case of emergencies, and assure the workforce is properly trained and equipped to be meaningful users of certified Electronic Health Records (EHRs). These programs collaboratively build the foundation for every American to benefit from an EHR as part of a modernized, interconnected, and vastly improved system of care delivery.

Title IV, Division B of the HITECH Act establishes incentive payments under the Medicare and Medicaid programs for EPs and EHs that meaningfully use Certified EHR Technology (CEHRT). The Centers for Medicare and Medicaid Services (CMS) is charged with managing the Medicare and Medicaid EHR Incentive Programs.

The HITECH Act also amended several sections of the Social Security Act (SSA) and in doing so, established the availability of incentive payments to EPs and EHs to promote the adoption and Meaningful Use of CEHRT.

FFIEC (Federal Financial Institutions Examinations Council)

The explanation below is from the Federal Financial Institutions Examination Council website

The Federal Financial Institutions Examination Council (FFIEC) was established on March 10, 1979, pursuant to title X of the Financial Institutions Regulatory and Interest Rate Control Act of 1978 (FIRA), Public Law 95-630. In 1989, title XI of the Financial Institutions Reform, Recovery and Enforcement Act of 1989 (FIRREA) established The Appraisal Subcommittee (ASC) within the Examination Council.

The Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB) and to make recommendations to promote uniformity in the supervision of financial institutions. To encourage the application of uniform examination principles and standards by the state and federal supervisory authorities, the Council established, in accordance with the requirement of the statute, an advisory State Liaison Committee composed of five representatives of state supervisory agencies. In accordance with the Financial Services Regulatory Relief Act of 2006, a representative state regulator was added as a voting member of the Council in October 2006.

The Council is responsible for developing uniform reporting systems for federally supervised financial institutions, their holding companies, and the nonfinancial institution subsidiaries of those institutions and holding companies. It conducts schools for examiners employed by the five federal member agencies represented on the Council and makes those schools available to employees of state agencies that supervise financial institutions.

The Council was given additional statutory responsibilities by section 340 of the Housing and Community Development Act of 1980 to facilitate public access to data that depository institutions must disclose under the Home Mortgage Disclosure Act of 1975 (HMDA) and the aggregation of annual HMDA data, by census tract, for each metropolitan statistical area (MSA).

More about the FFIEC Council:
The Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB), and to make recommendations to promote uniformity in the supervision of financial institutions. In 2006, the State Liaison Committee (SLC) was added to the Council as a voting member. The SLC includes representatives from the Conference of State Bank Supervisors (CSBS), the American Council of State Savings Supervisors (ACSSS), and the National Association of State Credit Union Supervisors (NASCUS).