
Keeping up with the Regulatory Climate

November 6, 2012

The CIO is on the firing line for much of the new attention: he or she is getting pressure from the CEO and the board of directors, as well as from newly created Chief Compliance Officer positions.

They are being asked to address new business concerns:

  • Controlling costs while managing complexity
  • Focusing on core competencies
  • Increasing end-user productivity
  • Meeting regulations

Risk didn’t use to be on the radar screen for CIOs (according to Gartner studies), at least not this type of risk.

Increased dependencies and exposures come from reliance on value chain partners; according to a Gartner analyst, half of all IT spending is for some form of interoperability.

  • Executive criminality – explosion of scandals – breeds new regulations that are not fully interpreted (explain how the process goes with supervisory guidance) – greater risk of misunderstanding and non-compliance
  • Demand for privacy protection – consumer, government, etc.
  • Managing the degree of risk directly impacts margin
  • CEOs and the Board are directly seeking answers for Emotional Security

Several regulations affecting the management of information were passed long before widespread use of computers.

  • During the 1980s the use of desktops began to increase, but we had not yet truly entered the Information Age.
  • Once the use of desktops, laptops, the Internet, and EDI became ubiquitous in the mid-to-late 1990s, we began to see a lot more legislative activity.
  • Recently there has been an explosion of new security and privacy regulations. Still missing is a US Data Privacy Act that would apply to all industries. Future trends should show a slowdown of new national legislation, but additional state & local laws and revisions of existing regulations. Europe, Canada, and Australia are all discussing their own versions of Sarbanes-Oxley as well.
  • FFIEC – Federal Financial Institutions Examination Council. Provides oversight and audits financial institutions.
  • FDA – Food and Drug Administration. Regulates processes of various companies including pharmaceutical, beverage, food manufacturing, cosmetics, etc. Includes records management and retention, training, problem/change management and audit assurance.
  • FERC/NRC – Federal Energy Regulatory Commission / Nuclear Regulatory Commission. Regulates companies involved with sales of electricity, natural gas, hydroelectric and oil, as well as nuclear materials and nuclear facilities.
  • HIPAA – Health Insurance Portability & Accountability Act. Includes the Privacy Rule & Security Rule.
  • FDA 21 CFR Part 11 – security regulations for electronic filing of paperwork with the FDA. Affects pharmacy, biotech, & medical equipment manufacturing.
  • USA PATRIOT – Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism.
  • Sarbanes-Oxley (SOX) – US corporate governance reform. Oversees, regulates, inspects and disciplines accounting firms in their roles as auditors of public companies. Also covers auditor independence, corporate governance, internal control assessment and financial disclosure.
  • PCI – Payment Card Industry. Security standards established to protect payment account data.
  • Various State Privacy Laws – state laws that address data privacy and security of personally identifiable information, including rules for public disclosure when a security breach occurs.
  • European Payment Council (EPC).
  • NERC – North American Electric Reliability Council. Establishes security requirements for the energy industry.
  • IRS 1075 – Provides guidance in ensuring that the policies, practices, controls, and safeguards employed by recipient agencies or agents and contractors adequately protect the confidentiality of the information they receive from the IRS.
  • ITAR – International Traffic in Arms Regulations. Regulations that control the export and import of defense-related articles and services.
  • FERPA – Family Education Rights and Privacy Act. The regulations provide that educational agencies and institutions that receive funding under a program administered by the U.S. Department of Education must provide students with access to their education records, an opportunity to seek to have the records amended, and some control over the disclosure of information from the records.
  • FISMA – Federal Information Systems Management Act. Applies only to non-defense systems of US government agencies.
  • GLBA – Gramm-Leach-Bliley Act. Deregulated the financial services industry, but added privacy & security requirements. AKA the Financial Services Modernization Act of 1999; it allows commercial banks, investment banks, securities firms and insurance companies to consolidate.
  • European Union – European information privacy law.
  • Basel II – EU banking reform. Incorporates IT risk management into the gold reserves calculation.
  • CLERP 9 – Corporate Law Economic Reform Program in Australia.
  • Canadian Privacy Law.
  • C6 (a.k.a. PIPEDA – Personal Information Protection & Electronic Documents Act) – Canadian privacy law.
  • CAN-SPAM – Controlling the Assault of Non-Solicited Pornography and Marketing Act.
  • CIPA 2002 – Children’s Internet Protection Act.
  • COPPA – Child’s Online Privacy Protection Act. Applies to the online collection of personal information from children under 13.
  • PIPEDA – Personal Information Protection and Electronic Documents Act.
  • FISA – Foreign Intelligence Surveillance Act. A bill enacted on October 25, 1978. The initial intent of the bill was to outline the powers of domestic spy agencies when collecting information, both physical and digital, on foreign powers. The bill limited the power of spy agencies to collect information on Americans, but all of that changed with the Patriot Act of 2001 and the Protect America Act of 2007.

Here we see the primary regulations mapped out by industry. Financial Services is clearly hardest hit by regulatory requirements. Retail organizations must deal with credit card vendor requirements for their merchants that are not technically regulations, but have effectively the same impact. No matter your industry, you need to develop a compliance program that can meet the requirements of multiple regulations.

Very few specific requirements are laid out within the regulations themselves, so that they can remain robust and relevant over time to a broad range of organizations. In order to understand the regulatory requirements, you must identify the underlying guidance associated with that regulation. This guidance may come from industry best practices such as ISO 2700x, COBIT, or COSO, or it may come from the associated regulatory agency (SEC, FFIEC, HHS, CMS, etc.). In pretty much all cases, there is a standard set of information security best practices that will enable you to meet all of the existing regulations.

Commonly referred to as the GLBA Data Protection Rule, Section 501 is intended to ensure the confidentiality and security of customer data against internal and external threats. The rules require a written security plan that describes the institution’s protection program for customer information, which is defined as any record, paper or electronic, that contains non-public personal information about a customer.

Stipulates: Board of Directors involvement in plan development, implementation, and maintenance. Continually audited for compliance, as well as progress and improvement.

Independent assessment of any and all third-party vendors and service providers, and requires review and monitoring by institutions to ensure their own compliance. A “program” means documented policies and successful tests (including improvements). We are hearing requests for SAS 70 (Statement of Auditing Standards).

Sarbanes-Oxley has 11 parts and 66 sections. Of primary importance for us today are the following, which directly impact both IT departments at our target set of customers and those units within SunGard who sell to them.

  • Section 302 – CEOs, facing the prospect of civil and CRIMINAL prosecution, are getting CFOs to sign off on financial statements as well as signing themselves.
  • Section 404 – the SEC requires a statement of management’s responsibility for internal controls and their assessment of how effective those controls are.

Requirements:

  • Well defined “internal controls” over financial reporting
  • Management accountability as to effectiveness of controls
  • Auditor sign-off

Section 404 requires the Commission to adopt rules requiring a company’s management to present an internal control report in the company’s annual report containing: (1) a statement of the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) an assessment, as of the end of the company’s most recent fiscal year, of the effectiveness of the company’s internal control structure and procedures for financial reporting. Section 404 also requires the company’s registered public accounting firm to attest to, and report on, management’s assessment.

  • Section 409 now requires a 4-day turnaround.

As we saw earlier, organizations today are facing many different regulations. It is inefficient to develop a separate compliance program for each regulation. Instead, you must understand the total set of requirements from all regulations your organization must comply with.

Others to consider:

AR 335–15, Management Information Control System

DA Pam 25–1–1, Information Technology Support and Services

DODD 5015.2, Department of Defense Records Management Program

Title 18 – communications, computers, fraud. Title 18 allows a company to monitor its networks and systems to protect them.

USA Patriot Act – extends crimes, streamlines criminal investigation, and increases penalties.