Compliance Management White Paper

Compliance Management

PCI-DSS, Sarbanes-Oxley, HIPAA, GLBA, COBIT, and ISO 27000 Compliance Tools


Numerous laws and regulatory mandates focus on corporate governance and accountability around sensitive information (specifically financial, non-public information and protected health care information). This has significantly impacted the underlying IT systems that support the applications and repositories holding this sensitive information.

Organizations are continuously looking for help in preventing fraud and protecting sensitive information. The fact that key corporate executives carry personal liability in the event of non-compliance virtually ensures that compliance is a key initiative in any large organization. Additionally, other internal cost-containment requirements can be met effectively by defining and implementing a sound auditing and compliance methodology. Most corporations agree that compliance leads to better corporate governance and management.

Compliance Process

Federal and state government regulations (see state compliance requirements) are a significant burden for today's organizations. There are more than 100 such regulations in the U.S. alone, and that number continues to grow; these are in addition to industry-specific mandates. All of them are designed to safeguard the confidentiality, integrity, and availability of electronic data against information security breaches. The consequences of failing to comply are heavy fines and legal action. In short, it is serious.

Exposure for Non-Compliance

Regulation        Penalty            Fine
GLBA              10 years prison    $1,000,000
HIPAA             10 years prison    $100 per occurrence, maximum of $25,000 per year
SOX               10 years prison    $15,000,000
SEC Rule 17a-4    Suspension         $1,000,000

The HIPAA figures above predate the tiered civil penalties introduced by the HITECH provisions of the 2009 Recovery Act described below, which raised them substantially.

State Notification Laws

The graphic depicts the magnitude of the current situation, and the table provided by the National Conference of State Legislatures includes links to the individual states' statutes. The Security Manual Template addresses each of these mandated requirements.

Regulations

Gramm-Leach-Bliley Act (GLBA)

GLBA's financial services regulations on information security require financial institutions in the United States to create an information security program to:

  • Ensure the security and confidentiality of customer information;
  • Protect against any anticipated threats or hazards to the security or integrity of such information; and
  • Protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer

Health Insurance Portability and Accountability Act (HIPAA)

Under the American Recovery and Reinvestment Act of 2009, there are new rules that affect the health care industry and those entities that handle, process or maintain protected health information. The new rules revolve around two primary areas:

  • The mandated adoption of new electronic health record systems (and the standards, controls and protections around that adoption)
  • The expansion of breach notification rules concerning personal health records. If the Recovery Act raises any concerns, it is that these new rules must coexist with the 1996 HIPAA law.

The original HIPAA security rules did not address the security of Protected Health Information (PHI) by all entities that might handle or process it; specifically, they did not address the electronic health record systems, aggregators, personal health record (PHR) vendors, and processors that are covered by the Recovery Act. While the Recovery Act tries to recognize and address the boundaries between itself and HIPAA, some in the industry express concern that the next steps are unclear and doubt that the Recovery Act will be flexible enough to address the business structures it will create.

SOX (Sarbanes-Oxley) and Other SEC Rules

The Securities and Exchange Commission (SEC) has mandated requirements for broker-dealers that store required records in electronic form. Under SEC Rule 17a-4, electronic records must be preserved exclusively in a non-rewriteable and non-erasable format; the SEC's interpretation clarifies that broker-dealers may employ a storage system that prevents alteration or erasure of the records for their required retention period.

SEC Rules 17a-3 and 17a-4 specify the types of data records for securities transactions that broker-dealers must create and maintain.

  • SEC Rule 17a-3 requires broker-dealers to make certain records, including trade blotters, asset and liability ledgers, income ledgers, customer account ledgers, securities records, order tickets, trade confirmations, trial balances and various employment related documents.
  • SEC Rule 17a-4 specifies the manner and length of time that the records maintained by broker-dealers must be preserved.

Together, these rules require:

  • Written and enforceable retention policies
  • Storage of data on indelible, non-rewriteable media
  • Searchable index of all stored data
  • Readily retrievable and viewable data
  • Storage of data off site

The Payment Card Industry Data Security Standard (PCI-DSS)

PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. It was developed to facilitate the broad adoption of consistent data security measures on a global basis. This comprehensive standard is intended to help enterprises proactively protect cardholder data, and it is revised as needed so that it includes any new or modified requirements necessary to mitigate emerging payment security risks.

PCI DSS applies to all enterprises that store, process or transmit cardholder data, and provides guidance for software developers and manufacturers of applications and devices used in those transactions. The PCI Security Standards Council is responsible for managing the standard, while compliance with PCI DSS is enforced by the payment brands that founded the Council: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc.

While PCI DSS is specific to applications and systems that store, process, or transmit payment card data, the standard is derived from industry best practices that apply to many other regulations and industry standards. Consequently, many enterprises will find it beneficial to implement the controls required for PCI DSS compliance in areas outside their payment card environment. By establishing an enterprise-wide framework and standards for implementing controls, organizations can attain compliance in other areas of their business where they are subject to regulation or wish to meet industry standards.

PCI DSS applies to any organization that accepts, stores or processes payment cards of any type and is a comprehensive checklist of actions those organizations must take to improve the security of global payment systems. Although adopting PCI DSS will most likely improve an organization's security posture, being compliant with PCI DSS does not ensure that the organization is secure: an assessment reflects the state of the in-scope systems at one point in time, and systems outside the assessed scope are not covered at all.

See also: Government Control of Internet

Compliance Management Toolkit Versions

Janco offers a full range of tools to help enterprises of all sizes address these issues. The Compliance Management kit provides the infrastructure tools

In addition to the Compliance Management White Paper, we provide the Compliance Management tool kit in three versions: Silver, Gold, and Platinum.

Compliance Management White Paper
  • Compliance Management White Paper - Summarizes mandated compliance requirements and provides a summary level work plan for how to implement Compliance Management policies and procedures.

    The White Paper contains a table of mandated record retention periods and a list of all of the states and US possessions with their mandated notification requirements.

Compliance Management - Silver Edition
  • Compliance Management White Paper
  • Security Audit Program - fully editable -- Comes in MS EXCEL and PDF formats -- Meets ISO 27001, 27002, Sarbanes-Oxley, PCI-DSS and HIPAA requirements -- Over 400 unique tasks divided into 11 areas of audit focus, which are then divided into 39 separate task groupings, including BYOD.
  • PCI Audit Program - Word and PDF
  • Job Descriptions (25 key positions) - Word Format - fully editable and PDF
    • Chief Compliance Officer (CCO), Director Electronic Commerce, e-Commerce Specialist, Internet-Intranet Administrator, Manager Internet - Intranet Activities, Manager Internet Systems, Manager Point of Sale, Manager Record Administration, Manager Transaction Processing, Manager Video and Website Content, Manager Web Content, Manager Wireless Systems, On-Line Transaction Processing Analyst, PCI-DSS Administrator, PCI-DSS Coordinator, POS Coordinator, POS Hardware Coordinator, POS Senior Coordinator, Record Management Coordinator, System Administrator - Unix, System Administrator - Windows, Web Analyst, Web Site Designer, Webmaster, and Wireless Coordinator

Compliance Management - Gold Edition
  • Compliance Management White Paper
  • Security Audit Program
  • PCI Audit Program
  • Job Descriptions (25 key positions) including Chief Compliance Officer (CCO)
  • Record Management Policy - Word - Records management retention and destruction policy which complies with mandated US and ISO requirements

Compliance Management - Platinum Edition
  • Compliance Management White Paper
  • Security Audit Program
  • PCI Audit Program
  • Job Descriptions (25 key positions) including Chief Compliance Officer (CCO)
  • Record Management Policy
  • Security Manual Template - Word - 240-plus pages which are usable as is. Over 3,000 companies worldwide have chosen this as the basis for their best practices to meet mandated US, EU and ISO requirements
