Security+ Lesson1


Professional Development

12 Qs


Assessment

Quiz

Computers


Medium

Created by

Alejandro Hidalgo


1.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

Your company is developing an application in which a private US-based hospital will allow patients to access their medical records online. Regardless of what other data the application handles, what kind of compliance do you already know you need to research?

FISMA

FERPA

PCI DSS

HIPAA

Answer explanation

You need to research Health Insurance Portability and Accountability Act (HIPAA) compliance because HIPAA is a federal law designed to protect the health insurance coverage of workers who change or lose their jobs. The important part from an IT perspective is how it protects the privacy of patient records. HIPAA defines protected health information (PHI) and regulates how it can be used or disclosed. It also defines security standards for the storage of and access to PHI.

2.

MULTIPLE SELECT QUESTION

1 min • 2 pts

A US government agency plans to migrate some of its internally hosted data to a cloud-based service. You need to make sure the proposed vendor can meet the same security requirements as the current solution. What are you currently practicing?

Each correct answer represents a complete solution. Choose all that apply.

GDPR compliance

FISMA compliance

Due diligence

Due care

GLBA compliance

Answer explanation

You are practicing due diligence and complying with FISMA before migrating some of the internally hosted data to a cloud-based service. Due diligence applies whenever you undertake a regulated activity or anything else that could expose you to legal liability: you must investigate the situation you are entering, understand the risks and obligations it brings, and then take reasonable care in your subsequent actions. The Federal Information Security Management Act (FISMA) is a law that applies to all federal agencies. It requires every agency to develop, document, and implement an information security and protection program.

3.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

Joe is tuning his organization's firewall rules to prevent IP spoofing. What type of control is Joe implementing?

Technical

Operational

Managerial

Physical

Answer explanation

Technical controls enforce confidentiality, integrity, and availability in the digital space. Technical controls include firewall rules, access control lists, intrusion prevention systems, and encryption. In modern data systems, technical controls do a great deal of the work and require the most exacting knowledge. However, they are still only effective in conjunction with the human activities used to implement and enforce them.

4.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

Which of the following controls primarily protects data availability?

Hashing

Patch management

Digital signatures

Version control

Answer explanation

It is costly when your organization's data and other resources are not available to those who need them, when they need them. Apart from any other harm done by a security incident, the more it disrupts your business operations, the more harm it will do. Many attacks are designed to do damage solely by targeting availability. Availability is typically described as the percentage of time a system or resource is expected to be operating and responsive. Many security controls are used to enhance availability during routine operations and during or after attacks or system errors, including:

> Redundancy

> Fault tolerance

> Patch management

5.

MULTIPLE CHOICE QUESTION

1 min • 1 pt

Which one of the following statements is not true about compensating controls under PCI DSS?

Use and regularly update antivirus software or programs.

Do not use vendor-supplied defaults for system passwords and other security parameters.

Allow physical access to cardholder data.

Encrypt transmission of cardholder data across open public networks.

Answer explanation

As a typical example of regulatory compliance, PCI DSS defines twelve mandated controls that must be met:

> Install and maintain a firewall configuration to protect cardholder data.

> Do not use vendor-supplied defaults for system passwords and other security parameters.

> Protect stored cardholder data.

> Encrypt transmission of cardholder data across open, public networks.

> Use and regularly update antivirus software or programs.

> Develop and maintain secure systems and applications.

> Restrict access to cardholder data by business need to know.

> Assign a unique ID to each person with computer access.

> Restrict physical access to cardholder data.

> Track and monitor all access to network resources and cardholder data.

> Regularly test security systems and processes.

> Maintain a policy that addresses information security for all personnel.

6.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

A new privacy law demands more robust protection for your customer database. First, you researched database security products to find which would reliably meet your needs. Now that you’ve selected and installed one, you’re currently training administrators to perform integrity checks, update the software, and review logs for suspicious activities. What are you practicing?

Availability

Negligence

Regulatory compliance

Due care

Answer explanation

Due care is less about the research you put in ahead of time and more about the ongoing actions you perform for whatever assets you are responsible for. Maintaining the safety standards of your property over time, or making reasonable business decisions for a company you manage on behalf of others, are examples of due care. If something goes wrong anyway, due care allows you to establish that you worked in good faith to protect the company and its assets from harm.

7.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

A third-party team is going to formally examine your organization’s overall security practices to make sure they meet regulatory compliance goals. Your organization may be fined if it fails. What would this verification process be called?

Evaluation

Certification

Audit

Assessment

Answer explanation

An audit is a systematic evaluation of effectiveness against a set of established criteria, for example to verify regulatory compliance or cost-effectiveness. Audits are intended to provide independent proof of performance to parties such as upper management, investors, external partners, and regulatory bodies. They tend to be formal and follow strictly designed criteria, and there can be severe consequences when production systems fail an audit. Depending on the audience of an audit, it might be performed by an independent internal team or by an external contractor.
