In the past few years, governments around the world have focused on protecting consumers and companies against inadequate management of sensitive information. While this is great for consumers, it’s led to a wide variety of complex laws and regulations for businesses.
Laws and Regulations
Depending on the industry, organizations may or may not be accustomed to regulation. During the late 1990s and early 2000s, many new laws governing information security, privacy, and accountability were enacted because of the volume of personal and sensitive information stored in and transmitted through Internet channels.
Most regulations were developed with the intention to protect the confidentiality and integrity of information that impacted a corporation’s stakeholders. Today, these laws have a few essential goals, such as:
- To maintain, protect, and address compliance issues,
- To establish and implement controls,
- To identify and solve vulnerabilities, and
- To provide reports that prove an organization's compliance with regulations.
But, which of these laws and regulations have an impact on IT professionals? Depending on your location, there are a number of laws in the U.S. and across the world that you may be required to follow.
Laws and Regulations That Impact IT Professionals
- The Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act (HIPAA) includes a Privacy Rule covering Protected Health Information (PHI) and a Security Rule covering electronic PHI (ePHI) gathered in the healthcare process, together with rules that mandate standardized electronic transactions, identifiers, and code sets. While HIPAA focuses primarily on the healthcare industry, other companies are impacted as well, such as business associates that provide services to healthcare organizations and handle PHI on their behalf.
- The Sarbanes-Oxley Act
The Sarbanes-Oxley Act of 2002 (SOX), Section 404, is important from an IT perspective. Section 404 requires the annual reports of publicly traded companies to include an end-of-fiscal-year assessment of the effectiveness of internal control over financial reporting, and it requires the company's independent auditors to report on that assessment. Because financial reporting depends on the systems that produce the numbers, the IT general controls around those systems (access control, change management, operations, and backup) fall within the scope of the assessment.
- The Gramm-Leach-Bliley Act
Also known as the Financial Services Modernization Act of 1999, the Gramm-Leach-Bliley Act (GLBA) protects the security and privacy of individually identifiable financial information collected, stored, and processed by financial institutions. The privacy aspect (the Privacy Rule) requires financial institutions to give customers an annual notice of their privacy practices and to let customers opt out of having their information shared with nonaffiliated third parties. The security aspect (the Safeguards Rule) requires financial institutions to establish a written, comprehensive security program to protect the private financial information in their records.
- The Bank Secrecy Act
The Bank Secrecy Act (BSA), the foundation of U.S. anti-money-laundering (AML) law, is an older statute enacted in 1970. It requires banks and other financial institutions to file a currency transaction report (CTR) with the Internal Revenue Service for cash deposits or withdrawals totalling more than $10,000 by or on behalf of one customer in one business day, including details about the individual conducting the transaction, and to keep records of cash purchases of monetary instruments such as cashier's checks or traveler's checks of $3,000 or more. Suspicious activity must be reported as well, and the institution may not tell the customer that such a report was filed. These requirements are the primary reason banks run complex, continuous monitoring of account activity.
- The USA PATRIOT Act
The USA PATRIOT Act is U.S. federal legislation passed shortly after the September 11, 2001 terrorist attacks. The Act expands the authority of U.S. law enforcement for the purpose of fighting terrorist acts in the U.S. and abroad, as well as detecting and prosecuting other crimes. The part that impacts IT professionals is Title III, the International Money Laundering Abatement and Financial Anti-Terrorism Act of 2001, which extends the BSA/AML requirements described above, for example by requiring financial institutions to run customer identification programs.
- Personal Information Protection and Electronic Documents Act
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal law governing the collection, use, and disclosure of personally identifiable information in the course of commercial activity. PIPEDA makes the provisions of the Canadian Standards Association's Model Privacy Code of 1995 mandatory.
- European Union Data Protection Directive
The European Union Data Protection Directive (EUDPD, Directive 95/46/EC) was created to harmonize the protection of personal data belonging to people in the European Union (EU). As a directive it did not apply directly; each EU member state had to transpose it into its own national data protection law, and those laws restrict transfers of personal data to countries outside the EU that do not provide an adequate level of protection. The Directive was repealed in May 2018 and replaced by the General Data Protection Regulation (GDPR), which applies directly in every member state.
- Payment Card Industry Data Security Standard
Visa USA's Cardholder Information Security Program (CISP) and MasterCard's Site Data Protection (SDP) program were introduced to protect cardholder data and to hold members, service providers, and merchants to a common baseline of information security. In 2004 the card brands consolidated these programs into the Payment Card Industry Data Security Standard (PCI DSS), which is organized as 12 basic requirements and is now maintained by the PCI Security Standards Council. Any organization that stores, processes, or transmits cardholder data is subject to it, whether or not it is in the payments industry.
- The Federal Information Security Management Act
The Federal Information Security Management Act of 2002 (FISMA) was enacted to strengthen computer and network security within the U.S. federal government and at contractors that operate systems on its behalf. Each agency must develop, document, and implement an agency-wide information security program, review it annually, and report on it to the Office of Management and Budget; the Act also made NIST responsible for the standards and guidelines (FIPS and the SP 800 series) that federal systems must follow. FISMA was updated by the Federal Information Security Modernization Act of 2014.
- International Convergence of Capital Measurement and Capital Standards – A Revised Framework
Also called Basel II, or the New Accord, this is not a law but a set of recommendations from the central banks and supervisors of the 13 countries that made up the Basel Committee on Banking Supervision; national regulators turn it into binding rules. The recommendations revise the international standards for measuring the adequacy of a bank's capital and encourage consistency in the way banks and regulators approach risk management. It matters to IT because Basel II treats operational risk, including losses from failed systems and security incidents, as a category a bank must measure and hold capital against.
- California Senate Bill 1386
California Senate Bill 1386 (CA SB 1386) was enacted in 2002 and took effect on July 1, 2003 to address identity theft. It requires businesses and state agencies that hold unencrypted personal information about California residents to notify the affected residents when that information is, or is reasonably believed to have been, acquired by an unauthorized person. Because it applies to any organization holding Californians' data regardless of where the organization is located, many U.S. organizations are subject to it, and most other states have since passed similar breach-notification laws.
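The aggregation step behind the Bank Secrecy Act's currency transaction report, described under the BSA entry above, is easy to get wrong: the $10,000 test is applied to a customer's total cash in (and, separately, total cash out) for one business day, not to any single deposit or withdrawal. The following Python script is an added example, not code from the original article; the transactions, customer IDs and dates are constructed for it, and the function and variable names are mine.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Thresholds as described in the Bank Secrecy Act section, held in cents so
# that money is never handled as a float.
CTR_THRESHOLD_CENTS = 10_000 * 100      # more than this in cash per customer per day -> CTR
INSTRUMENT_RECORD_CENTS = 3_000 * 100   # cash purchase of a cashier's/traveler's check at or above this -> record


@dataclass(frozen=True)
class Txn:
    customer: str
    day: date
    kind: str          # "cash_in", "cash_out" or "instrument" (cash purchase of a monetary instrument)
    amount_cents: int


# Constructed sample data for this example; not real transactions.
SAMPLE = [
    Txn("C001", date(2005, 3, 1), "cash_in", 600_000),     # $6,000
    Txn("C001", date(2005, 3, 1), "cash_in", 450_000),     # $4,500 -> day total $10,500, over the line
    Txn("C002", date(2005, 3, 1), "cash_out", 990_000),    # $9,900 on one day
    Txn("C002", date(2005, 3, 2), "cash_out", 990_000),    # $9,900 the next day: separate days, no CTR
    Txn("C003", date(2005, 3, 1), "instrument", 300_000),  # $3,000 cashier's check bought with cash -> record
    Txn("C003", date(2005, 3, 1), "instrument", 299_900),  # $2,999 -> below the record-keeping line
    Txn("C004", date(2005, 3, 1), "cash_in", 1_000_000),   # exactly $10,000 is not "more than" $10,000
]


def daily_cash_totals(txns):
    """Sum cash in and cash out separately per (customer, day).

    The CTR test is applied to a customer's aggregate cash activity in one
    business day, which is why a bank cannot simply look at each deposit slip.
    """
    totals = defaultdict(lambda: {"cash_in": 0, "cash_out": 0})
    for t in txns:
        if t.kind in ("cash_in", "cash_out"):
            totals[(t.customer, t.day)][t.kind] += t.amount_cents
    return dict(totals)


def ctr_candidates(txns):
    """(customer, ISO day, direction, total_cents) for every day total that
    exceeds the CTR threshold."""
    hits = []
    for (cust, day), sums in sorted(daily_cash_totals(txns).items()):
        for direction in ("cash_in", "cash_out"):
            if sums[direction] > CTR_THRESHOLD_CENTS:
                hits.append((cust, day.isoformat(), direction, sums[direction]))
    return hits


def instrument_records(txns):
    """(customer, ISO day, amount_cents) for each cash purchase of a monetary
    instrument at or above the record-keeping threshold."""
    return [
        (t.customer, t.day.isoformat(), t.amount_cents)
        for t in txns
        if t.kind == "instrument" and t.amount_cents >= INSTRUMENT_RECORD_CENTS
    ]


if __name__ == "__main__":
    for cust, day, direction, total in ctr_candidates(SAMPLE):
        print(f"CTR: {cust} {day} {direction} ${total / 100:,.2f}")
    for cust, day, amount in instrument_records(SAMPLE):
        print(f"Record: {cust} {day} monetary instrument ${amount / 100:,.2f}")
```

Run against the sample, the script flags only C001 (two deposits that each stay under $10,000 but total $10,500 on the same day) and records only C003's $3,000 instrument purchase; C002's two $9,900 withdrawals fall on different days and C004's single $10,000 deposit is not "more than" the threshold. A production system would key the aggregation on the verified identity behind the accounts rather than on an account number, since the same person can move cash through several accounts in one day.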
Complying with the Laws and Regulations
Compliance is important for IT professionals because IT departments have been tasked by their CFOs, CEOs, and audit committees with ensuring the company is compliant; many of the laws impose personal liability on directors and officers, so the pressure flows down to the people who run the systems.
A variety of software vendors have developed solutions for compliance, but sorting through the offerings can be difficult. The laws themselves say little about specific technical controls; what counts as compliant has mostly been interpreted by auditors and IT security specialists.
As an IT professional, you'll have to choose the practices that work best for your organization. Best practices fall into two groups, process frameworks and technology (security solution) categories, and both are reviewed below.
Best Practices: Process
- The Turnbull Report
The Turnbull Report was developed by the Institute of Chartered Accountants in England and Wales as guidance on internal control and risk management. The internal control statement it calls for gives a board the opportunity to understand the risk and control issues facing the company.
- CobiT
CobiT (Control Objectives for Information and related Technology) was developed by the Information Systems Audit and Control Association (ISACA) for IT process control and management. The framework addresses both IT and business functionality across an organization, and considers the IT-related interests of internal and external stakeholders.
- COSO
COSO was developed by the Committee of Sponsoring Organizations of the Treadway Commission as a framework for internal control and enterprise risk management. Its goal is to give a leadership team a common model for internal controls, enterprise risk management, and fraud deterrence; it is the framework most U.S. companies use as the basis for their SOX Section 404 assessment.
- ITIL
ITIL (the IT Infrastructure Library) uses a detailed process-oriented approach to IT service management in order to provide a practical framework for identifying, planning, delivering, and supporting IT services to an organization.
- ISACA/ITGI Harmonization Document
The ISACA/ITGI (IT Governance Institute) harmonization document maps the controls in CobiT to other frameworks such as ITIL and ISO 17799, so that an enterprise can satisfy several sets of requirements with one set of controls. Its purpose is to help enterprise leaders make IT successful in supporting the enterprise's goals and values.
- ISO 17799
ISO 17799 (renumbered ISO/IEC 27002 in 2007) is an information security code of practice. Its sections cover a wide range of security issues and describe how an organization should build an IT security program.
- Common Criteria (ISO 15408)
Common Criteria (ISO/IEC 15408) is an international standard for evaluating the security of IT products: a vendor states a product's security claims in a Security Target, and an accredited laboratory evaluates the product against those claims at a defined evaluation assurance level. It is most useful when selecting products rather than when designing a compliance program.
- NIST SP 800 Series
Developed by the U.S. National Institute of Standards and Technology (NIST), the SP 800 series of Special Publications gives detailed guidance, by technology or by process, on implementing IT security; several of its documents are mandatory for federal systems under FISMA.
The best practices listed above can be very helpful for an organization. For example:
- If your organization must demonstrate SOX Section 404 compliance, a good approach is a combination of CobiT (for IT control objectives) and ISO 17799 (for the security controls themselves).
- If your financial services organization is trying to meet the requirements of BSA/AML, GLBA, and the USA PATRIOT Act, ISO 17799 is a good basis for the security program those laws require.
- For organizations striving to comply with HIPAA, a blended approach works best: the elements of ISO 17799 together with the direct requirements of the HIPAA Security Rule.
Best Practices: Security Solutions
While many organizations don't specialize in compliance, an IT security and compliance specialist can provide a cost-effective path to compliance. A common approach is to buy ready-made solutions, but no product is compliant on its own: compliance is a property of the organization's controls and the evidence that they operate, and a tool only helps produce them. The following are a few categories of security-related solutions:
- Application Security Solutions
Application Security Solutions such as CCS and Radware involve a combination of good development practices with specific software security solutions.
- Identity Management Solutions
Identity Management Solutions such as Tivoli, Sun, and Microsoft Identity Integration Server (MIIS) are tools used to manage the digital identities and entitlements of users. These solutions control the privileges assigned to both identities and resources.
- Data Encryption and Transmission Solutions
Data Encryption and Transmission Solutions such as the encryption features in Windows Server 2003 (EFS for files, IPsec for network traffic) or PGP deal with the protection of data in transit and at rest.
- Security and Compliance Training Delivery
Security and Compliance Training Delivery such as Kronos or Ascentis provides the important link between people, technologies, and processes that make a security program work.
- Network Security Solutions
Network Security Solutions such as MOM (Microsoft Operations Manager) or Windows Server are used to address the security of all aspects of a network, including firewalls, clients, servers, switches, routers, and access points.
- Security Integration Solutions
Security Integration Solutions such as those from IBM, Avanade, and Accenture are systems-integration services that assemble and deploy security products, including those protecting data in transit or at rest, into an existing environment.
- Malicious Software Protection
Malicious Software Protection such as Microsoft Anti-spyware Beta involves anti-virus, anti-spam, and anti-spyware solutions.
- Physical Security Solutions
Physical Security Solutions provide solutions for physical access, security, and control of workstations and systems.
- Authentication, Authorization, and Access Control Solutions
Authentication, Authorization, and Access Control Solutions such as Windows XP and IBM products verify users with usernames and passwords or with biometrics such as retina scans, voice recognition, or fingerprints, and then grant access based on a variety of criteria.
- Document Management Solutions
Document Management Solutions such as FileNET and SharePoint products offer a combination of processes and software to help manage unstructured information within an organization.
- Change Management Solutions
Change Management Solutions such as SMS (Systems Management Server) and SharePoint support a structured process that assesses proposed changes for business and technical readiness in a consistent manner, while still allowing changes to be adjusted to the business's needs.
- Project Management Solutions
Project Management Solutions such as Microsoft Office Project involve tools used in the implementation, operation, and maintenance of compliance programs. These solutions provide control and feedback to project managers and teams.
- Vulnerability Identification Solutions
Vulnerability Identification Solutions such as ISS (Internet Security Systems), Core Impact, and Retina are tools that discover vulnerabilities within information systems.
- Host Control Solutions
Host Control Solutions such as Windows XP and Windows Server 2003 are solutions that control the configuration of the operating system on workstations and servers.
- Disaster Recovery and Failover
Disaster Recovery and Failover such as Data Protection Manager involve applications that bring enterprise information back to a state of operation as quickly as possible.
- Audit and Logging Solutions
Audit and Logging Solutions such as Tivoli and MOM are used to collect and review the logs that result from authentication and access to systems, producing the access records that auditors ask for.
- Risk Assessment Solutions
Risk Assessment Solutions typically involve a combination of consulting and assessment tools, using a systematic method to identify the assets of an information-processing system, as well as threats to those systems and vulnerabilities associated with those threats.
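The Audit and Logging Solutions entry above says such tools collect and review authentication logs; the following Python script is an added example of that review, not code from the original article or from any of the products it names. It parses OpenSSH-style syslog lines, builds the per-user access summary an auditor typically asks for, and pulls out the one pattern worth a second look, a successful login from a source that had just produced repeated failures. The log lines, hostnames, users and addresses are constructed for the example, and the function names are mine.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in OpenSSH's syslog format; not from a real host.
SAMPLE_LOG = """\
Mar  1 09:12:01 web01 sshd[2231]: Accepted password for alice from 10.0.0.5 port 50122 ssh2
Mar  1 09:13:44 web01 sshd[2240]: Failed password for bob from 203.0.113.9 port 40111 ssh2
Mar  1 09:13:47 web01 sshd[2240]: Failed password for bob from 203.0.113.9 port 40112 ssh2
Mar  1 09:13:50 web01 sshd[2240]: Failed password for invalid user admin from 203.0.113.9 port 40113 ssh2
Mar  1 09:14:02 web01 sshd[2251]: Accepted publickey for bob from 203.0.113.9 port 40120 ssh2
Mar  1 09:20:15 web01 sshd[2260]: Accepted publickey for carol from 10.0.0.7 port 51000 ssh2
Mar  1 09:21:00 web01 sshd[2261]: pam_unix(sshd:session): session opened for user carol by (uid=0)
"""

# Matches only authentication results; "invalid user" is optional because sshd
# inserts it when the account does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text):
    """Return one dict per authentication event, in log order.
    Lines that are not authentication results (e.g. pam session messages) are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def access_report(events):
    """Per-user counts of accepted and failed logins plus the source IPs seen:
    the summary an access review under GLBA or SOX Section 404 asks for."""
    report = defaultdict(lambda: {"accepted": 0, "failed": 0, "sources": set()})
    for e in events:
        key = "accepted" if e["result"] == "Accepted" else "failed"
        report[e["user"]][key] += 1
        report[e["user"]]["sources"].add(e["ip"])
    return dict(report)


def failures_followed_by_success(events, threshold=3):
    """(ip, user, failures_so_far) for each successful login from a source that
    had already produced at least `threshold` failures. A raw failure count is
    noise; a success right after the failures is what the auditor wants to see."""
    failures = Counter()
    flagged = []
    for e in events:  # events are in chronological log order
        if e["result"] == "Failed":
            failures[e["ip"]] += 1
        elif failures[e["ip"]] >= threshold:
            flagged.append((e["ip"], e["user"], failures[e["ip"]]))
    return flagged


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    for user, row in sorted(access_report(evs).items()):
        print(f"{user:8} accepted={row['accepted']} failed={row['failed']} from={sorted(row['sources'])}")
    for ip, user, n in failures_followed_by_success(evs):
        print(f"REVIEW: {ip} logged in as {user} after {n} failed attempts")
```

On the sample, the report shows bob with two failures and one success and "admin" with one failure against a nonexistent account, and the review function flags 203.0.113.9, which logged in as bob after three failures from the same address. Whether that is bob at a new address fumbling a password or a compromised key is exactly the question the audit is meant to raise.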
Ensure Your Organization is Familiar with the Laws
These solutions only deliver compliance when they are implemented by experienced people into a well-designed network with firewalls, vulnerability assessment, and intrusion detection in place, and when they are backed by complete documentation, including security policies and a method for managing the documents an auditor will ask to see.
Compliance can be complicated, but time and effort can be saved by becoming familiar with the laws that apply to you and by hiring specialists who can implement the best practices suitable to your organization.