Compliance Management
PCI-DSS, Sarbanes-Oxley, HIPAA, GLBA, COBIT,
and ISO 27000 Compliance Tools
Numerous laws and regulatory mandates focus on corporate governance and accountability around sensitive information (specifically financial, non-public information and protected healthcare information). This has significantly impacted the underlying IT systems that support the applications and repositories holding this sensitive information. Organizations are continuously looking for help in preventing fraud and protecting sensitive information. The fact that key corporate executives carry personal liability in the event of non-compliance virtually ensures compliance to be a key initiative in any large organizations. Additionally, there are other internal cost-containment requirements that can be effectively met by defining and implementing a sound auditing and compliance methodology. Most corporations agree that compliance leads to better corporate governance and management.
Federal and state government regulations (see state compliance requirements) can be a big problem for today's organizations. There are more than 100 such regulations in the U.S. alone, and that number continues to grow. These are in addition to industry-specific mandates. They are all designed to safeguard the confidentiality, integrity, and availability of electronic data from information security breaches. So, what are the consequences if your organization fails to comply? Heavy fines and legal action. In short, it's serious.
Exposure for Non-Compliance
Regulation | Penalty | Fine
GLBA | 10 Years Prison | $1,000,000
HIPAA | 10 Years Prison | $100 per occurrence, maximum of $25,000 per year
SOX | 10 Years Prison | $15,000,000
SEC Rule 17a-4 | Suspension | $1,000,000
Regulation
Gramm-Leach-Bliley Act (GLBA) Financial services regulations on information security, initiated by the, require financial institutions in the United States to create an information security program to:
- Ensure the security and confidentiality of customer information;
- Protect against any anticipated threats or hazards to the security or integrity of such information; and
- Protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer
HIPAA - Under the new American Recovery and Reinvestment Act of 2009, there are new rules that affect the health care industry and those entities that might handle, process, or maintain personal health information. The new rules revolve around two primary areas:
- The mandated adoption of new electronic health record systems (and standards, controls and protections around that adoption)
- The expansion of breach notification rules concerning personal health records. If the Recovery Act raises any concerns, it is that these new rules outlined in the Act clearly must coexist with the 1996 HIPAA law.
HIPAA security rules did not address the security of Protected Health Information (PHI) by all entities that might handle or process protected health information; specifically, it did not address the electronic health records, aggregators, personal health record (PHR) vendors, and processors that are addressed by the Recovery Act. While the Recovery Act tries to recognize and address the boundaries between the Recovery Act and HIPAA, some in the industry express concern that the next steps are unclear and have doubts that the Recovery Act will be flexible enough to address the business structures that it will create.
SOX (Sarbanes-Oxley) and Other SEC Rules - The Securities and Exchange Commission (SEC) has mandated requirements for broker-dealers to store required records in electronic form. Under the rule, electronic records must be preserved exclusively in a non-rewriteable and non-erasable format. This interpretation clarifies that broker-dealers may employ a storage system that prevents alteration or erasure of the records for their required retention period.
SEC rules 17a-3 and 17a-4 specify the type of data records for securities transactions to be created and maintained by broker-dealers.
- SEC Rule 17a-3 requires broker-dealers to make certain records, including trade blotters, asset and liability ledgers, income ledgers, customer account ledgers, securities records, order tickets, trade confirmations, trial balances and various employment related documents.
- SEC Rule 17a-4 specifies the manner and length of time that the records maintained by broker-dealers must be preserved.
Together, these rules require:
- Written and enforceable retention policies
- Storage of data on indelible, non-rewriteable media
- Searchable index of all stored data
- Readily retrievable and viewable data
- Storage of data offsite
The Payment Card Industry Data Security Standard is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. The PCI DSS was developed to help facilitate the broad adoption of consistent data security measures on a global basis. This comprehensive standard is intended to help enterprises proactively protect customer account data, and will be continually enhanced as needed to ensure that the standard includes any new or modified requirements necessary to mitigate emerging payment security risks.
PCI DSS applies to all enterprises that store, process or transmit cardholder data, and provides guidance for software developers and manufacturers of applications and devices used in those transactions. The PCI Security Standards Council is responsible for managing the security standards, while compliance with the PCI is enforced by the founding members of the Council -- American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc.
While the PCI DSS is specific to applications and systems that store, process, or transmit payment card data, the standard is derived from industry best practices applicable to many regulations and industry standards. Consequently, many enterprises may find benefit in implementing the controls required to achieve compliance with PCI DSS in areas outside of their payment card environment. By establishing an enterprise-wide framework and standards for implementing controls, organizations will benefit by attaining compliance in other areas of their business where they are subject to regulation or wish to meet industry standards.
PCI DSS applies to any organization that accepts, stores or processes payment cards of any type and is a comprehensive checklist of actions these organizations must take to improve the security of global payment systems. Although the adoption of PCI DSS by an organization will most likely improve its security posture, being compliant with the PCI DSS does not ensure the organization is secure.
Compliance Management Toolkit Versions
Janco offers a full range of tools to help enterprises of all sizes address these issues. The Compliance Management kit provides the infrastructure tools necessary to address these mandated requirements.
The Compliance Management tool kit comes in three (3) versions: Silver, Gold, and Platinum.
Compliance Management - Silver Edition
- Security Audit Program - 22 Excel pages - fully editable
- PCI Audit Program - Word and PDF
- Job Descriptions (21 key positions) - Word Format - fully editable and PDF: Director Electronic Commerce, e-Commerce Specialist, Internet-Intranet Administrator, Manager Internet-Intranet Activities, Manager Internet Systems, Manager Point of Sale, Manager Record Administration, Manager Transaction Processing, Manager Wireless Systems, On-Line Transaction Processing Analyst, PCI-DSS Coordinator, POS Coordinator, POS Hardware Coordinator, POS Senior Coordinator, Record Management Coordinator, System Administrator - Unix, System Administrator - Windows, Web Analyst, Web Site Designer, Webmaster, Wireless Coordinator
Compliance Management - Gold Edition
- Security Audit Program - 22 Excel pages - fully editable
- PCI Audit Program - Word and PDF
- Record Management Policy - Word
- Job Descriptions (21 key positions) - Word Format - fully editable and PDF: Director Electronic Commerce, e-Commerce Specialist, Internet-Intranet Administrator, Manager Internet-Intranet Activities, Manager Internet Systems, Manager Point of Sale, Manager Record Administration, Manager Transaction Processing, Manager Wireless Systems, On-Line Transaction Processing Analyst, PCI-DSS Coordinator, POS Coordinator, POS Hardware Coordinator, POS Senior Coordinator, Record Management Coordinator, System Administrator - Unix, System Administrator - Windows, Web Analyst, Web Site Designer, Webmaster, Wireless Coordinator
Compliance Management - Platinum Edition
- Security Manual Template - Word
- Security Audit Program - 22 Excel pages - fully editable
- PCI Audit Program - Word and PDF
- Record Management Policy - Word
- Job Descriptions (21 key positions) - Word Format - fully editable and PDF: Director Electronic Commerce, e-Commerce Specialist, Internet-Intranet Administrator, Manager Internet-Intranet Activities, Manager Internet Systems, Manager Point of Sale, Manager Record Administration, Manager Transaction Processing, Manager Wireless Systems, On-Line Transaction Processing Analyst, PCI-DSS Coordinator, POS Coordinator, POS Hardware Coordinator, POS Senior Coordinator, Record Management Coordinator, System Administrator - Unix, System Administrator - Windows, Web Analyst, Web Site Designer, Webmaster, Wireless Coordinator