Overview#

The items listed are a small snapshot of the many Regulatory Compliance or Standard Compliance items that exist and that may be appropriate to explore.

Regulations regarding Compliance are growing all the time, and you should do your own due diligence to determine what your organization may need to do to be in compliance.

Use Entirely at Your Own Risk. Neither Services.willeke.biz nor anyone else is responsible if you use a tool or any information on this site and cause damages to anyone or anything! You are required to read Our Standard Disclaimer.

Regulations such as:

require stronger security, to protect sensitive business processes.

Regulations such as:

require stronger security, to protect the privacy of investors, patients, consumers and citizens, respectively.

Cost of Compliance#

According to research by the Ponemon Institute, the average cost of compliance with privacy and data protection laws for the organizations studied was $3.5 million, with a range of $446,000 to over $16 million.

Adjusting total cost by organizational headcount (size) yields a per capita compliance cost of $222 per employee.

In addition, the average cost for organizations that experience non-compliance problems was nearly $9.4 million. [2]

Industry Specific IDM Related Compliance Items#

There are many Industry Specific IDM Related Compliance Items.

SAS 70#

Statement on Auditing Standards No. 70: Service Organizations, commonly abbreviated as SAS 70 and available full-text by permission of the AICPA, is an auditing statement issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA), officially titled "Reports on the Processing of Transactions by Service Organizations".

SAS 70 defines the professional standards used by a service auditor to assess the internal controls of a service organization and issue a service auditor’s report. Service organizations are typically entities that provide outsourcing services that impact the control environment of their customers.

Examples of service organizations are insurance and medical claims processors, trust companies, hosted data centers, application service providers (ASPs), managed security providers, credit processing organizations and clearinghouses.

Sarbanes-Oxley Act#

The Sarbanes-Oxley Act

Gramm-Leach-Bliley (GLB) Act of 1999#

On February 1, 2001, the U.S. Treasury Department issued guidelines interpreting the privacy and security requirements of the Gramm-Leach-Bliley (GLB) Act of 1999 (otherwise known as the Financial Modernization Act of 1999).

In basic terms, GLBA requires financial institutions to implement Information Technology controls to maintain the confidentiality and privacy of consumer information.

The GLB Act was established primarily to repeal restrictions on banks affiliated with securities firms, but it also requires financial institutions — including any organization that works with people such as:

  • Preparers of income tax returns
  • Consumer credit reporting agencies
  • Real estate transaction settlement services
  • Debt collection agencies
  • People that receive protected information from financial institutions

These organizations are to adopt strict privacy measures relating to customer data.

Following are key areas in information security that the GLB Act requires financial institutions to address:

  • Evaluate IT environments and understand the security risks — define those risks internal and external to the organization
  • Establish information security policies to assess and control risks — these include authentication, access control, and encryption systems
  • Conduct independent assessments — third-party testing of the institutions’ information security infrastructure
  • Provide training and security awareness programs for employees
  • Scrutinize business relationships to ensure they have adequate security
  • Establish procedures to upgrade security programs that are in place

Homeland Security Presidential Directive/HSPD-12#

Policy for a Common Identification Standard for Federal Employees and Contractors

"Wide variations in the quality and security of forms of identification used to gain access to secure Federal and other facilities where there is potential for terrorist attacks need to be eliminated. Therefore, it is the policy of the United States to enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy by establishing a mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors (including contractor employees)."

Homeland Security Presidential Directive #12 (HSPD-12) affects all executive branch federal employees and contractors. It requires all agencies to conduct a thorough background investigation and to issue tamperproof credentials. HSPD-12 federated credentials are now required for federal executive-branch employees and contractors. NIST FIPS 201—guidance for implementing HSPD-12—establishes consistent guidelines for:

  • background investigations;
  • physical smartcard internal structures (containers);
  • allowable digital certificates, their uses, and their assigned containers;
  • when a PIN is and is not required to unlock the private keys associated with those digital certificates;
  • biometric types and formats stored in smartcard containers;
  • requirements for issuing cross-certificates between federal Public Key Infrastructure programs; and
  • infrastructure for supporting digital certificate validation and certificate path discovery (authentication).

The Personal Identity Verification (PIV) program phases, as laid out in FIPS 201, specify requirements that meet the control and security objectives of HSPD-12. PIV I specifies minimum requirements for identity proofing; PIV II provides detailed technical specifications of the components and processes necessary for PIV smartcards to interoperate with personnel authentication, access control, and PIV card management systems across the federal government.

Health Information Portability and Accountability Act (HIPAA)#

In basic terms, HIPAA regulates the security and privacy of health data, including patient records and all individually identifiable health information.

Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring:

  1. Improved efficiency in healthcare delivery by standardizing electronic data interchange, and
  2. Protection of confidentiality and security of health data through setting and enforcing standards.

More specifically, HIPAA called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure:

  1. Standardization of electronic patient health, administrative and financial data
  2. Unique health identifiers for individuals, employers, health plans and health care providers
  3. Security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present or future.

Effective compliance requires organization-wide implementation. Compliance requirements include:

  • Building initial organizational awareness of HIPAA
  • Comprehensive assessment of the organization's privacy practices, information security systems and procedures, and use of electronic transactions
  • Developing an action plan for compliance with each rule
  • Developing a technical and management infrastructure to implement the plans
  • Implementing a comprehensive implementation action plan, including
    • Developing new policies, processes, and procedures to ensure privacy, security and patients' rights
    • Building business associate agreements with business partners to support HIPAA objectives
    • Developing a secure technical and physical information infrastructure
    • Updating information systems to safeguard protected health information (PHI) and enable use of standard claims and related transactions
    • Training of all workforce members
    • Developing and maintaining an internal privacy and security management and enforcement infrastructure, including providing a Privacy Officer and a Security Officer

PCI Security Standards Council#

The Payment Card Industry (PCI) Security Standards Council created the PCI Data Security Standard (DSS).

In basic terms, the PCI standard mandates that customer information residing with merchants be protected from hackers, viruses and other potential security risks.

The PCI Data Security Standard represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information. It was initially created by aligning:

  • Visa's Account Information Security (AIS)/Cardholder Information Security Program (CISP) programs
  • MasterCard's Site Data Protection (SDP) program

The standard provides an actionable framework for developing a robust account data security process, including preventing, detecting and reacting to security incidents.

The DSS standard is available from the PCI Web Site.

Title 21 Code of Federal Regulations (21 CFR Part 11)#

21 CFR Part 11 deals with Electronic Records and Electronic Signatures.

Its basis is a strategic initiative to modernize the regulation of pharmaceutical manufacturing and product quality. This initiative aims at ensuring that regulatory review, compliance and inspection policies are based on state-of-the-art pharmaceutical science, and do not impede rapid adoption of new technological advances by the pharmaceutical industry.

It also promises to enhance safety and quality in drug manufacturing while increasing efficiencies. Its achievements reflect valuable advice provided to FDA through many public workshops and meetings, and written comments from experts and interested parties in academics, industry, and other groups.

§ 1232g. Family educational and privacy rights (Buckley Amendment) (FERPA)#

Federal law gives students two rights concerning their education records kept by the university. The federal law is called the Family Educational Rights and Privacy Act, also known as FERPA or the Buckley Amendment.

First, it requires the university to keep those records private. There are exceptions for emergencies, court orders, university officials who have a need to know, etc.

Second, it provides that students have the right to inspect records about themselves that are maintained by the university.

Communications Assistance for Law Enforcement Act of 1994 (CALEA)#

In October 1994, Congress took action to protect public safety and national security by enacting the Communications Assistance for Law Enforcement Act of 1994 (CALEA), Pub. L. No. 103-414, 108 Stat. 4279. The law further defines the existing statutory obligation of telecommunications carriers to assist law enforcement in executing electronic surveillance pursuant to court order or other lawful authorization, and requires carriers to design or modify their systems to ensure that lawfully authorized electronic surveillance can be performed.

The purpose of CALEA is to preserve the ability of law enforcement to conduct electronic surveillance in the face of rapid advances in telecommunications technology. Further details can be found in H.R. Rep. No. 103-827, 103d Cong., 2d Sess. (1994), reprinted in 1994 U.S.C.C.A.N. 3489.

Personal Information Protection and Electronic Documents Act (PIPEDA)#

PIPEDA is based on balancing an individual's right to the privacy of personal information with the need of organizations to collect, use or disclose personal information for legitimate business purposes. The Act also established the Privacy Commissioner of Canada as the ombudsman for privacy complaints.

Payment Card Industry Compliance (PCI)#

The Payment Card Industry Compliance (PCI) Data Security Standard was created by major credit card companies to safeguard customer information. Visa, MasterCard, American Express, and other credit card associations mandate that merchants and service providers meet certain minimum standards of security when they store, process and transmit cardholder data.

The control objectives and their requirements#

Build and Maintain a Secure Network
  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  • Requirement 5: Use and regularly update anti-virus software
  • Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  • Requirement 7: Restrict access to cardholder data by business need-to-know
  • Requirement 8: Assign a unique ID to each person with computer access
  • Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
  • Requirement 12: Maintain a policy that addresses information security

ISO/IEC 27002#

ISO/IEC 27002 is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as ISO/IEC 17799:2005 and subsequently renumbered ISO/IEC 27002:2005 in July 2007, bringing it into line with the other ISO/IEC 27000-series standards. It is entitled Information technology - Security techniques - Code of practice for information security management. The current standard is a revision of the version first published by ISO/IEC in 2000, which was a word-for-word copy of the British Standard (BS) 7799-1:1999.

Outline of the Standard#

After the introductory sections, the standard contains the following twelve main sections:

  • 1: Risk Assessment
  • 2: Security policy - management direction
  • 3: Organization of information security - governance of information security
  • 4: Asset management - inventory and classification of information assets
  • 5: Human resources security - security aspects for employees joining, moving and leaving an organization
  • 6: Physical and environmental security - protection of the computer facilities
  • 7: Communications and operations management - management of technical security controls in systems and networks
  • 8: Access control - restriction of access rights to networks, systems, applications, functions and data
  • 9: Information systems acquisition, development and maintenance - building security into applications
  • 10: Information security incident management - anticipating and responding appropriately to information security breaches
  • 11: Business continuity management - protecting, maintaining and recovering business-critical processes and systems
  • 12: Compliance - ensuring conformance with information security policies, standards, laws and regulations

Within each section, information security controls and their objectives are specified and outlined. The information security controls are generally regarded as best practice means of achieving those objectives. For each of the controls, implementation guidance is provided. Specific controls are not mandated since:

  1. Each organization is expected to undertake a structured information security risk assessment process to determine its specific requirements before selecting controls that are appropriate to its particular circumstances. The introduction section outlines a risk assessment process, although there are more specific standards covering this area, such as ISO Technical Report TR 13335 GMITS Part 3 - Guidelines for the management of IT security - Security Techniques, and BS 7799 Part 3.
  2. It is practically impossible to list all conceivable controls in a general purpose standard. Industry-specific implementation guidance for ISO/IEC 27001 and 27002 is anticipated to give advice tailored to organizations in the telecoms, financial services, healthcare, lotteries and other industries.

Basel II Accord#

The Basel II Accord is the second of the Basel Accords, which are recommendations on banking laws and regulations issued by the Basel Committee on Banking Supervision. The purpose of Basel II, which was initially published in June 2004, is to create an international standard that banking regulators can use when creating regulations about how much capital banks need to put aside to guard against the types of financial and operational risks banks face. Advocates of Basel II believe that such an international standard can help protect the international financial system from the types of problems that might arise should a major bank or a series of banks collapse. In practice, Basel II attempts to accomplish this by setting up rigorous risk and capital management requirements designed to ensure that a bank holds capital reserves appropriate to the risk the bank exposes itself to through its lending and investment practices. Generally speaking, these rules mean that the greater the risk to which the bank is exposed, the greater the amount of capital the bank needs to hold to safeguard its solvency and overall economic stability.

FFIEC#

The Federal Financial Institutions Examination Council (FFIEC) is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS), and to make recommendations to promote uniformity in the supervision of financial institutions. In 2006, the State Liaison Committee (SLC) was added to the Council as a voting member. The SLC includes representatives from the Conference of State Bank Supervisors (CSBS), the American Council of State Savings Supervisors (ACSSS), and the National Association of State Credit Union Supervisors (NASCUS).

FISMA#

The Federal Information Security Management Act of 2002 ("FISMA", 44 U.S.C. § 3541, et seq.) is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002 (Pub.L. 107-347, 116 Stat. 2899).

In basic terms, FISMA requires that federal agencies establish risk-based information security programs to secure federal information.

The act recognized the importance of information security to the economic and national security interests of the United States.[1] The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.[1]

NERC CIP#

The North American Electric Reliability Council's Critical Infrastructure Protection (NERC CIP) standards establish minimum security requirements for the IT assets that manage the daily operations of utilities.

More Information#

There might be more information for this subject on one of the following:

[#1] http://en.wikipedia.org/wiki/Federal_Information_Security_Management_Act_of_2002
[#2] In-depth conversations with 160 business leaders spanning 46 multinational companies in multiple verticals revealed that dedicated investments in compliance activities.

This page (revision-71) was last changed on 21-Dec-2016 11:56 by jim