Acronyms
- SB 626 : Security Breach Notification Act
- NIST : NIST Cybersecurity Framework (CSF) 2.0
- HIPAA : HIPAA Security Rule
- OIDSA : Oklahoma Insurance Data Security Act
- OBCA : Oklahoma Business Corporations Act
Background
Provided below are security and privacy controls that align to the requirements of Oklahoma Reasonable Safeguards, together with sample implementation guidance for one of the controls. You may review each of these collectively. Review information on how these controls are audited under the Audit Safeguards section of this website.
It is important to understand the implementation guidance and audit guidance for each control, as these determine your compliance with the requirement.
Safeguards
Governance, Risk and Compliance (GRC)
GRC.1 Information Security Governance
Cybersecurity responsibilities are clearly assigned within the organization, providing accountability and oversight. A defined governance structure, with authority for security decision-making, is in place during incidents.
Related Compliance / Regulatory Requirement:
- SB 626: Sec. 3(a)(1)
- NIST: ID.GV-1, ID.GV-2
- HIPAA: §164.308(a)(1)(ii)(A)
- OIDSA: §6103(a)(1)
- OBCA: §108
GRC.2 Security Oversight
A designated official is responsible for cybersecurity and information security. This official oversees the information security program to ensure that strategic priorities, resources, and risk decisions are properly managed.
Related Compliance / Regulatory Requirement:
- SB 626: Sec. 3(a)(2)
- NIST: ID.GV-3
- HIPAA: §164.308(a)(1)(ii)(B)
- OIDSA: §6103(a)(2)
- OBCA: §108(a)
GRC.3 Policy Framework
Cybersecurity and information security policies are approved, reviewed, and maintained at least annually. Policies guide personnel on acceptable use, data protection, and incident response. Updates take place more frequently than annually to remain aligned with evolving threats, technologies, and legal requirements.
Related Compliance / Regulatory Requirement:
- SB 626: Sec. 3(b)
- NIST: ID.GV-4
- HIPAA: §164.316(a)
- OIDSA: §6103(b)
- OBCA: §108(b)
GRC.4 Information Security Committee
A security committee is identified by the organization. The security committee meets periodically. Meetings facilitate discussion of current risks, incidents, and compliance issues. Documented minutes are kept as evidence of oversight and to support organizational accountability.
Related Compliance / Regulatory Requirement:
- SB 626: Sec. 3(c)
- NIST: ID.GV-5
- HIPAA: §164.308(a)(1)(ii)(C)
- OIDSA: §6103(c)
- OBCA: §108(c)
GRC.5 Metrics & Reporting
Key performance indicators (KPIs) for security posture are in place. KPIs track the performance of security controls and identify trends in risk exposure. Reporting of these KPIs is in place to inform decision-making and resource allocation.
Related Compliance / Regulatory Requirement:
- SB 626: Sec. 3(d)
- NIST: ID.GV-4
- HIPAA: §164.308(a)(8)
- OIDSA: §6103(d)
- OBCA: §108(d)
GRC.6 Continuous Improvement
Security programs incorporate feedback from incidents, audits, and assessments. Continuous improvement takes place to ensure resilience and adaptation to emerging threats and regulatory changes.
Related Compliance / Regulatory Requirement:
- SB 626: Sec. 3(e)
- NIST: ID.GV-5
- HIPAA: §164.308(a)(8)(ii)(B)
- OIDSA: §6103(e)
- OBCA: §108(e)
GRC.7 Risk Assessment & Treatment
Security risks are identified, evaluated, and treated across the organization. Risk management is practiced to ensure resources are focused on the highest-impact threats.
Related Compliance / Regulatory Requirement:
- SB 626: Sec. 3(a) – Sec. 3(f)
- NIST: ID.RA-1 – ID.RA-6
- HIPAA: §164.308(a)(1)(ii)(A) – §164.308(a)(1)(ii)(C)
- OIDSA: §6103(a) – §6103(e)
- OBCA: §108(a)
GRC.8 Compliance Management
The organization monitors and manages its compliance obligations. This provides assurance of regulatory adherence and reduces legal exposure.
Related Compliance / Regulatory Requirement:
- SB 626: Sec. 3(f)
- NIST: ID.GV-2
- HIPAA: §164.308(a)(8)
- OIDSA: §6103(f)
- OBCA: §108(a)
Asset and Data Management (ADM)
ADM.1 Asset Inventory
The organization maintains a complete inventory of information assets.
Related Compliance / Regulatory Requirement:
- SB 626: Sec. 5(a)
- NIST: ID.AM-1
- HIPAA: §164.310(d)(2)(i)
- OIDSA: §6106(a)
- OBCA: §108(a)
ADM.2 Data Classification & Handling
The organization classifies and handles data according to sensitivity.
Related Compliance / Regulatory Requirement:
- SB 626: Sec. 5(b)
- NIST: ID.AM-2
- HIPAA: §164.312(a)(2)(iii)
- OIDSA: §6106(b)
- OBCA: §108(a)
ADM.3 Encryption Requirements
Data containing sensitive information is encrypted at rest and in transit.
Related Compliance / Regulatory Requirement:
- SB 626: Sec. 5(c)
- NIST: PR.DS-1
- HIPAA: §164.312(e)(2)(ii)
- OIDSA: §6106(c)
- OBCA: §108(a)
ADM.4 Data Minimization
Information collected is limited and retained only for the period necessary to conduct business operations.
Related Compliance / Regulatory Requirement:
- SB 626: Sec. 5(d)
- NIST: PR.DS-2
- HIPAA: §164.308(a)(4)(ii)(D)
- OIDSA: §6106(e)
- OBCA: §108(a)
ADM.5 Secure Data Destruction
Verified destruction methods are in place for obsolete data, and removal of the data is verified. Destroyed data cannot be retrieved.
Related Compliance / Regulatory Requirement:
- SB 626: Sec. 5(e)
- NIST: PR.DS-3
- HIPAA: §164.310(d)(2)(ii)
- OIDSA: §6106(e)
- OBCA: §108(a)
Identity and Access Management (IAM)
IAM.1 Access Control
Access to data and systems is limited based on need-to-know and minimum access necessary to perform a job role.
Related Compliance / Regulatory Requirement:
- SB 626: Sec. 6(a)
- NIST: PR.AC-1
- HIPAA: §164.312(a)(1)
- OIDSA: §6107(a)
- OBCA: §108(a)
IAM.2 Multi-Factor Authentication
Multi-factor authentication is in place for all non-public systems and applications that can be accessed from outside the organization.
Related Compliance / Regulatory Requirement:
- SB 626: Sec. 6(b)
- NIST: PR.AC-2
- HIPAA: §164.312(d)
- OIDSA: §6107(b)
- OBCA: §108(a)
IAM.3 Access Reviews & De-Provisioning
Access reviews are performed on a schedule based on risk. Obsolete accounts are removed upon identification. User accounts are disabled upon termination.
Related Compliance / Regulatory Requirement:
- SB 626: Sec. 6(c)
- NIST: PR.AC-3
- HIPAA: §164.308(a)(4)(ii)(C)
- OIDSA: §6107(c)
- OBCA: §108(a)
Incident Response and Breach Management (IR)
IR.1 Incident Response Program
Roles, responsibilities, and procedures are defined for incidents. Within the procedures, timely detection, containment, and recovery are documented.
Related Compliance / Regulatory Requirement:
- SB 626: Sec. 8(a)
- NIST: RS.RP-1
- HIPAA: §164.308(a)(6)
- OIDSA: §6109(a)
- OBCA: §108(a)
IR.2 Breach Assessment & Notification
Security breaches are evaluated, and stakeholders, both internal and external to the organization, are notified promptly. Regulatory compliance and protection of affected individuals are required in all breach-related and post-breach activities.
Related Compliance / Regulatory Requirement:
- SB 626: Sec. 8(b)
- NIST: RS.CO-2
- HIPAA: §164.404 – §164.414
- OIDSA: §6109(b)
- OBCA: §108(a)
Business Continuity and Disaster Recovery (BCDR)
BCDR.1 Backup & Recovery
Backups are taken on a regular basis, based on identified and documented risk. Restoration from backups is tested and validated periodically.
Related Compliance / Regulatory Requirement:
- SB 626: Sec. 9(a)
- NIST: PR.IP-4
- HIPAA: §164.308(a)(7)(ii)(A)
- OIDSA: §6110(a)
- OBCA: §108(a)
BCDR.2 Continuity Planning
Continuity plans are developed and tested for critical operations.
Related Compliance / Regulatory Requirement:
- SB 626: Sec. 9(b)
- NIST: PR.IP-5
- HIPAA: §164.308(a)(7)(ii)(B)
- OIDSA: §6110(b)
- OBCA: §108(a)
Third-Party & Supply Chain Risk Management (TSRM)
TSRM.1 Third Party and Supply Chain Governance
Policies, contract terms, and oversight for third parties are in place. Vendors uphold security standards equivalent to the internal controls of the organization.
Related Compliance / Regulatory Requirement:
- SB 626: Sec. 10(a)
- NIST: ID.SC-1
- HIPAA: §164.308(b)(1)
- OIDSA: §6111(a)
- OBCA: §108(a)
TSRM.2 Third Party and Supply Chain Assessment
Third parties are evaluated for the risks they introduce, with the intent of preventing supply chain compromise and supporting regulatory compliance.
Related Compliance / Regulatory Requirement:
- SB 626: Sec. 10(b)
- NIST: ID.SC-2
- HIPAA: §164.308(b)(2)
- OIDSA: §6111(b)
- OBCA: §108(a)
TSRM.3 Third Party and Supply Chain Monitoring
Third parties are monitored for the risks they introduce, including security breaches and public announcements of regulatory non-compliance.
Related Compliance / Regulatory Requirement:
- SB 626: Sec. 10(b)
- NIST: ID.SC-2
- HIPAA: §164.308(b)(2)
- OIDSA: §6111(b)
- OBCA: §108(a)