Overview#The items listed are a small snapshot of some of the MANY regulatory or standards compliance items that exist and that may be appropriate to explore.
Regulations such as:
Cost of Compliance#According to research by the Ponemon Institute, the average cost of compliance with privacy and data protection laws for the organizations studied was $3.5 million, with a range of $446,000 to over $16 million.[2]
Adjusting total cost by organizational headcount (size) yields a per capita compliance cost of $222 per employee.
In addition, the average cost for organizations that experience non-compliance problems was nearly $9.4 million. 
Industry Specific IDM Related Compliance Items#There are many industry-specific IDM-related compliance items. SAS 70 (Statement on Auditing Standards No. 70) is an auditing statement issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA), officially titled "Reports on the Processing of Transactions by Service Organizations".
SAS 70 defines the professional standards used by a service auditor to assess the internal controls of a service organization and issue a service auditor’s report. Service organizations are typically entities that provide outsourcing services that impact the control environment of their customers.
Examples of service organizations are insurance and medical claims processors, trust companies, hosted data centers, application service providers (ASPs), managed security providers, credit processing organizations and clearinghouses.
Sarbanes-Oxley Act#
Gramm-Leach-Bliley Act#The Gramm-Leach-Bliley Act (GLBA) of 1999 is otherwise known as the Financial Modernization Act of 1999.
In basic terms GLBA requires financial institutions to implement Information Technology controls to maintain the confidentiality and privacy of consumer information.
The GLB Act was established primarily to repeal restrictions on banks affiliated with securities firms, but it also imposes privacy and security obligations on financial institutions, a category that extends well beyond banks to organizations such as:
- Preparers of income tax returns
- Consumer credit reporting agencies
- Real estate transaction settlement services
- Debt collection agencies
- Organizations that receive protected information from financial institutions
Following are key areas in information security that the GLB Act requires financial institutions to address:
- Evaluate IT environments and understand the security risks, defining the risks both internal and external to the organization
- Establish information security policies to assess and control those risks, including authentication, access control and encryption systems
- Conduct independent assessments, i.e. third-party testing of the institution's information security infrastructure
- Provide training and security awareness programs for employees
- Scrutinize business relationships to ensure they have adequate security
- Establish procedures to upgrade security programs that are in place
"Wide variations in the quality and security of forms of identification used to gain access to secure Federal and other facilities where there is potential for terrorist attacks need to be eliminated. Therefore, it is the policy of the United States to enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy by establishing a mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors (including contractor employees)."
Homeland Security Presidential Directive 12 (HSPD-12) affects all executive-branch federal employees and contractors. It requires all agencies to conduct a thorough background investigation and to issue tamper-resistant credentials. HSPD-12 credentials are now required for federal executive-branch employees and contractors. NIST FIPS 201, the Personal Identity Verification (PIV) standard that provides the guidance for implementing HSPD-12, establishes consistent guidelines for:
- background investigations;
- physical smartcard internal structures (containers);
- allowable digital Certificates, uses, and their assigned containers;
- when a PIN is and is not required to unlock the private keys associated with those digital certificates;
- biometric types and formats stored in smartcard containers;
- requirements for issuing cross-certificates between federal Public Key Infrastructure programs; and
- infrastructure for supporting digital certificate validation and certificate path discovery (authentication).
Health Insurance Portability and Accountability Act (HIPAA)#Also known as the Kennedy-Kassebaum Act, HIPAA includes a section, Title II, entitled Administrative Simplification, requiring:
- Improved efficiency in healthcare delivery by standardizing electronic data interchange, and
- Protection of confidentiality and security of health data through setting and enforcing standards.
More specifically, HIPAA called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure:
- Standardization of electronic patient health, administrative and financial data
- Unique health identifiers for individuals, employers, health plans and health care providers
- Security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present or future.
Effective compliance requires organization-wide implementation. Compliance requirements include:
- Building initial organizational awareness of HIPAA
- Comprehensive assessment of the organization's privacy practices, information security systems and procedures, and use of electronic transactions
- Developing an action plan for compliance with each rule
- Developing a technical and management infrastructure to implement the plans
- Implementing a comprehensive implementation action plan, including:
  - Developing new policies, processes, and procedures to ensure privacy, security and patients' rights
  - Building business associate agreements with business partners to support HIPAA objectives
  - Developing a secure technical and physical information infrastructure
  - Updating information systems to safeguard protected health information (PHI) and enable use of standard claims and related transactions
  - Training of all workforce members
  - Developing and maintaining an internal privacy and security management and enforcement infrastructure, including providing a Privacy Officer and a Security Officer
In basic terms, the Payment Card Industry Data Security Standard (PCI DSS) mandates that cardholder data held by merchants be protected from attackers, malware and other security risks.
The PCI Data Security Standard represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information. It was initially created by aligning:
- Visa's Account Information Security (AIS)/Cardholder Information Security (CISP) programs
- MasterCard's Site Data Protection (SDP) program
The PCI DSS is available from the PCI Security Standards Council web site.
This is a strategic initiative by the FDA to modernize the regulation of pharmaceutical manufacturing and product quality. The initiative aims at ensuring that regulatory review, compliance and inspection policies are based on state-of-the-art pharmaceutical science, and do not impede rapid adoption of new technological advances by the pharmaceutical industry.
It also promises to enhance safety and quality in drug manufacturing while increasing efficiencies. Its achievements reflect valuable advice provided to the FDA through many public workshops and meetings, and written comments from experts and interested parties in academia, industry, and other groups.
Family Educational Rights and Privacy Act (FERPA)#The Family Educational Rights and Privacy Act, also known as FERPA or the Buckley Amendment, is a federal law governing education records kept by the university.
First, it requires the university to keep those records private. There are exceptions for emergencies, court orders, university officials who have a need to know, etc.
Second, it provides that students have the right to inspect records about themselves that are maintained by the university.
The purpose of CALEA (the Communications Assistance for Law Enforcement Act) is to preserve the ability of law enforcement to conduct electronic surveillance in the face of rapid advances in telecommunications technology. Further details can be found in H.R. Rep. No. 103-827, 103d Cong., 2d Sess. (1994), reprinted in 1994 U.S.C.C.A.N. 3489.
PIPEDA (Canada's Personal Information Protection and Electronic Documents Act) is based on balancing an individual's right to the privacy of personal information with the need of organizations to collect, use or disclose personal information for legitimate business purposes. The Act also established the Privacy Commissioner of Canada as the ombudsman for privacy complaints.
The Payment Card Industry Data Security Standard (PCI DSS) was created by the major credit card companies to safeguard cardholder data. Visa, MasterCard, American Express and other card brands mandate that merchants and service providers meet certain minimum standards of security when they store, process and transmit cardholder data.
The control objectives and their requirements are:#
|Build and Maintain a Secure Network|
|Requirement 1|Install and maintain a firewall configuration to protect Cardholder Data|
|Requirement 2|Do not use vendor-supplied defaults for system passwords and other security parameters|
|Protect Cardholder Data|
|Requirement 3|Protect stored Cardholder Data|
|Requirement 4|Encrypt transmission of Cardholder Data across open, public networks|
|Maintain a Vulnerability Management Program|
|Requirement 5|Use and regularly update anti-virus software|
|Requirement 6|Develop and maintain secure systems and applications|
|Implement Strong Access Control Measures|
|Requirement 7|Restrict access to Cardholder Data by business need to know|
|Requirement 8|Assign a unique ID to each person with computer access|
|Requirement 9|Restrict physical access to Cardholder Data|
|Regularly Monitor and Test Networks|
|Requirement 10|Track and monitor all access to network resources and Cardholder Data|
|Requirement 11|Regularly test security systems and processes|
|Maintain an Information Security Policy|
|Requirement 12|Maintain a policy that addresses information security|
Outline of the Standard (ISO/IEC 27002)#After the introductory sections, the standard contains the following twelve main sections:
- 1: Risk Assessment
- 2: Security policy - management direction
- 3: Organization of information security - governance of information security
- 4: Asset management - inventory and classification of information assets
- 5: Human resources security - security aspects for employees joining, moving and leaving an organization
- 6: Physical and environmental security - protection of the computer facilities
- 7: Communications and operations management - management of technical security controls in systems and networks
- 8: Access control - restriction of access rights to networks, systems, applications, functions and data
- 9: Information systems acquisition, development and maintenance - building security into applications
- 10: Information security incident management - anticipating and responding appropriately to information security breaches
- 11: Business continuity management - protecting, maintaining and recovering business-critical processes and systems
- 12: Compliance - ensuring conformance with information security policies, standards, laws and regulations
Within each section, information security controls and their objectives are specified and outlined. The information security controls are generally regarded as best practice means of achieving those objectives. For each of the controls, implementation guidance is provided. Specific controls are not mandated since:
- Each organization is expected to undertake a structured information security risk assessment process to determine its specific requirements before selecting controls that are appropriate to its particular circumstances. The introduction section outlines a risk assessment process, although there are more specific standards covering this area, such as ISO Technical Report TR 13335 GMITS Part 3 (Guidelines for the management of IT security - Security Techniques) and BS 7799 Part 3.
- It is practically impossible to list all conceivable controls in a general-purpose standard. Industry-specific implementation guidance for ISO/IEC 27001 and 27002 is anticipated to give advice tailored to organizations in the telecoms, financial services, healthcare, lotteries and other industries.
In basic terms, the Federal Information Security Management Act of 2002 (FISMA) requires that federal agencies establish risk-based information security programs to secure federal information.
The act recognized the importance of information security to the economic and national security interests of the United States. It requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.[1]
More Information#There might be more information for this subject on one of the following:
- Best Practices for LDAP Security
- Data Classification
- EDIM Needs Analysis Requirements Definition
- EIDM Check-list for Other Integrated Applications
- Governance Risk Management And Compliance
- People And Things Every IDM Person Should Know
- Personally Identifiable Information
- Resource Provisioning
- Self-regulating Provisioning
- User Provisioning
[#1] http://en.wikipedia.org/wiki/Federal_Information_Security_Management_Act_of_2002
[#2] In-depth conversations with 160 business leaders spanning 46 multinational companies in multiple verticals revealed that dedicated investments in compliance activities.