

Pabrai Blogs on “Learning from PCI Access Control Mandate”

The objective of PCI DSS Requirements 7, 8, and 9 is for organizations to implement strong access control measures. Just about every regulation emphasizes access control, including the HIPAA Security Rule and FISMA, and PCI DSS is no exception. As you work to meet HIPAA, FISMA, or state compliance mandates in the area of access control, review closely the guidance these PCI DSS requirements provide.

For example, PCI DSS Requirement #7, Restrict Access to Cardholder Data by Business Need to Know, requires that:

organizations must ensure that critical data can only be accessed by authorized personnel; systems and processes must be in place to limit access based on a need to know and according to job responsibilities. “Need to know” is when access rights are granted to only the least amount of data and privileges needed to perform a job.


This is fairly similar to the HIPAA requirement in the area of Minimum Necessary. The associated HIPAA Security Rule Access Control Standard is leading organizations to address Role Based Access Control (RBAC), which identifies all valid job roles and the system and application privileges associated with each. Given the emphasis created by the HITECH Act’s Data Breach Notification mandate, you will find the access control requirement and associated guidance in the PCI DSS standard valuable in establishing your organization’s minimal capabilities in this area.

So when was the last time your organization updated its RBAC matrix? You must ensure that the Human Resources (HR) and Information Technology (IT) departments or business units work closely together in keeping it current, as this area is of growing significance for both compliance and information security.
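One practical way to keep the RBAC matrix honest is to reconcile it periodically against the HR role roster and the entitlements IT has actually granted. The script below is an added example, not code from the original post; all role names, privileges and user accounts in it are constructed sample data, and the "excess", "missing", "orphan" and "bad_role" finding types are an assumed classification.

```python
# Added example, not from the original post: reconcile an RBAC matrix with the
# HR role roster and the IT entitlements actually granted. All role names,
# privileges and users below are constructed sample data.

# RBAC matrix: each valid job role maps to the least set of privileges it needs.
RBAC_MATRIX = {
    "billing_clerk": {"claims.read", "patient.demographics.read"},
    "nurse": {"patient.chart.read", "patient.chart.write", "patient.demographics.read"},
    "db_admin": {"db.backup", "db.restore"},
}

# HR roster: who currently holds which job role (terminated staff are absent).
HR_ROSTER = {"alice": "billing_clerk", "bob": "nurse", "carol": "db_admin"}

# IT entitlements: what each account can actually do on the systems.
IT_GRANTS = {
    "alice": {"claims.read", "patient.demographics.read", "patient.chart.read"},
    "bob": {"patient.chart.read", "patient.chart.write", "patient.demographics.read"},
    "carol": {"db.backup", "db.restore", "claims.read"},
    "dave": {"claims.read"},  # no HR role: stale or orphaned account
}


def reconcile(matrix, roster, grants):
    """Return findings as (user, issue, detail) tuples, where issue is:
    "excess"   - privileges beyond the role's need-to-know set
    "missing"  - role privileges the account lacks (provisioning gap)
    "orphan"   - account with no active HR role
    "bad_role" - roster names a role the matrix does not define
    """
    findings = []
    for user, held in sorted(grants.items()):
        role = roster.get(user)
        if role is None:
            findings.append((user, "orphan", sorted(held)))
            continue
        allowed = matrix.get(role)
        if allowed is None:
            findings.append((user, "bad_role", role))
            continue
        if held - allowed:
            findings.append((user, "excess", sorted(held - allowed)))
        if allowed - held:
            findings.append((user, "missing", sorted(allowed - held)))
    return findings


if __name__ == "__main__":
    for user, issue, detail in reconcile(RBAC_MATRIX, HR_ROSTER, IT_GRANTS):
        print(f"{user}: {issue} -> {detail}")
```

Run against real exports, the "excess" and "orphan" findings are the ones auditors for either PCI DSS Requirement 7 or HIPAA Minimum Necessary will ask about first.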

http://searchhealthit.techtarget.com/healthitexchange/pabraionhipaahitechcompliance/learning-from-pci-access-control-mandate/