JUNE 2006
Volume 2006, Issue 2
Information Security

As we know, the epidemic of identity theft has created a business climate where a documented Information Security Program is becoming a prerequisite for doing business.

Security breaches are reported almost daily and, according to statistics, over 50 million individuals have been exposed in the past 18 months. In addition, there have been 8.9 million adult victims of identity theft in the last year alone.

In response, numerous laws and regulations for securing the confidentiality of consumer data have been enacted in recent years and more are under consideration at both the state and federal level.

Clearly, your clients and business partners are implementing security programs and undergoing information security audits and, in turn, are requiring service providers to demonstrate the same level of diligence. The purpose of this article is to give you a brief overview of information security to consider when preparing your own Information Security Program.

What does an Information Security Program entail?

Several guidelines have emerged for creating an Information Security Program for compliance with federal and state laws. While a thorough review of these guidelines is outside the scope of this article, some general observations help form the context for understanding how Columbia Ultimate’s products and services fit into the big picture of Information Security.

Surprisingly, the guidelines provide no definitive checklist for compliance. Instead, they generally state that reasonable procedures and controls must be implemented based on an assessment of the security risks of each organization. Therefore, the first step for any company reassessing its data-security posture is to take an inventory of all data assets, especially customer data and other sensitive information, and determine the company's vulnerability and what might happen if that data were to be lost or stolen. An Information Security Program can then be developed to mitigate those risks.

In general, an Information Security Program describes the practices, procedures and technology implemented by a company to protect systems, media and facilities to ensure the availability, integrity and confidentiality of data as follows:

Availability — The ongoing availability of systems addresses the processes, policies, and controls used to ensure authorized users have prompt access to information. This objective protects against intentional or accidental attempts to deny legitimate users access to information and/or systems.

Integrity — System and data integrity relate to the processes, policies, and controls used to ensure information has not been altered in an unauthorized manner and that systems are free from unauthorized manipulation that will compromise accuracy, completeness, and reliability.

Confidentiality — Confidentiality covers the processes, policies, and controls employed to protect information of customers and the institution against unauthorized access or use.

Information Security Policies encompass a wide range of topics including hiring and training practices, securing facilities, storage and proper disposal of paper and electronic data, disaster recovery (business continuity), network and application user access controls (password security and role permissions), data encryption, and monitoring for and reporting breaches.

Columbia Ultimate’s software applications are just one component of the overall security picture. The Collector System and ManageMed provide tools that aid in ensuring the availability, integrity and confidentiality of data in your organization. However, it is also important to understand that these applications function within the boundaries of your organization's operational procedures and management controls. The application, therefore, can help you meet your compliance requirements, but it cannot in itself be considered compliant with any of the various guidelines and regulations.

Our Commitment

Information Security guidelines and best practices will continue to evolve as a more common interpretation of the regulations is achieved through experience, case law and other methods. Columbia Ultimate will continue to monitor these developments and enhance our products as needed to provide tools to assist our customers in meeting their Information Security objectives.