Business of ITUnderstanding Regulatory Compliance
Tony Noblett
In the last few years, governments the world over have taken up the job of protecting consumers and companies against poor management of sensitive information. Unfortunately, this has led to a steady stream of confusing laws and regulations coming from all directions. In this column I'll look at these laws, go into depth on a few of them, and discuss how you, as an IT pro charged with making your company compliant, can approach the issue.
Laws and Regulations
Depending on the industry you're in, your organization may be used to regulations or completely new to them. The late 1990s and early 2000s ushered in the era of laws governing information security, privacy, and accountability, thanks in part to companies like Enron and in part due to the sheer volume of personal and sensitive information stored in and transmitted though vulnerable channels.
At the heart of most regulations is the intention of protecting the confidentiality, integrity, and availability of information that impacts a corporation's stakeholders. These laws can be distilled down to their essential goals:
- Establish and implement controls
- Maintain, protect, and assess compliance issues
- Identify and remediate vulnerabilities and deviations
- Provide reporting that can prove your organization's compliance
So let's take a quick look at the laws and regulations that have immediate impact on IT pros, in just enough detail to understand what each law is about. But don't assume this list represents all of the laws and regulations that may apply to your business. There are a number of others both in the United States and across the globe you may or may not need to deal with, depending on your situation.
New Laws and Regulations Affecting IT Pros
Sarbanes-Oxley The Sarbanes-Oxley Act of 2002 (SOX) was a response to corporate scandals. Its most prominent aspect, from an IT perspective, is Section 404, which requires that the annual reports of public companies include an end-of-fiscal-year assessment of the effectiveness of internal control over financial reporting. Section 404 also requires that the company's independent auditors attest to, and report on, this assessment. The assessment of financial controls has been extended into the IT space by the opinion of the Public Company Accounting Oversight Board (PCAOB), a private-sector, non-profit entity created by SOX to oversee the auditors of public companies. This extension of financial controls into the IT space provides most of the current impetus for IT controls.
Gramm-Leach-Bliley Act The Financial Services Modernization Act of 1999, better known as the Gramm-Leach-Bliley Act (GLBA), protects the privacy and security of individually identifiable financial information collected, held, and processed by financial institutions. The privacy component requires financial institutions to provide their customers with an annual notice of their privacy practices and to allow customers to choose not to share such information. The safeguards component requires that financial institutions establish a comprehensive security program to protect the confidentiality and integrity of the private financial information in their records. Recommendations for audit were produced by the Federal Financial Institutions Examination Council (FFIEC), an interagency group comprised of five of the eight major financial regulatory agencies.
Health Insurance Portability and Accountability Act The Health Insurance Portability and Accountability Act (HIPAA) includes, among its various components, privacy and security rules. These rules focus on Protected Health Information (PHI) and electronic PHI (ePHI) gathered in the healthcare process and mandate the standardization of electronic transactions, code sets, and identifiers. The privacy and security rules are detailed and prescriptive. Although the regulation focuses on the healthcare industry, other companies can be impacted if they engage in certain activities, such as the management of employee group health plans, or if they provide services to companies that are directly impacted by the regulation.
European Union Data Protection Directive The European Union Data Protection Directive (EUDPD) standardizes the protection of data privacy for citizens throughout the European Union (EU) by providing baseline requirements that all EU member states must achieve in national regulations. The EUDPD has a strong influence on international regulations due to the limitations it puts on sending EU citizens' personal information outside of the European Union to areas that are deemed to have less than adequate standards for data security. Example of specific laws in countries representing EU member states are the Finnish Personal Data Act (523/1999) and Amendment (986/2000), the Danish Act on Processing of Personal Data (Act No. 429) of May 31, 2000, and the Austrian Federal Act concerning the Protection of Personal Data (Datenschutzgesetz 2000 - DSG 2000). The EUDPD, member state transpositions of the Directive, and the regulations enacted pursuant to it impact companies that do business in the EU or that handle the data of EU citizens.
Bank Secrecy Act The Bank Secrecy Act (BSA), is one of the oldest laws on this list, having been passed into law by the United States in 1970. The BSA is sometimes referred to as an Anti Money-Laundering law (AML) or as BSA/AML. Several anti-money-laundering acts, including provisions of the USA PATRIOT Act, were subsequently enacted to amend the BSA. (See 31 USC 5311–5330 and 31 CFR 103.) The BSA requires banks and other financial institutions to report certain transactions to government agencies and to withhold from clients that such reports were filed about them. These transactions include deposits or withdrawals of more than $10,000 in cash in a day, or purchase of monetary instruments (money orders, cashier's checks, traveler's checks) worth more than $3,000. For such transactions, banks must supply information about the person doing the transaction, such as address and occupation, to the Internal Revenue Service in a currency transaction report (CTR). If it appears the person is in any way attempting to circumvent the report, the Bank must file a suspicious activity report (SAR) with the Financial Crimes Enforcement Network (FINCEN). There are stiff penalties for individuals and institutions that fail to file CTRs, or SARs, or that disclose to a client that it has filed a SAR about the client. Very complex monitoring of accounts has grown up around this law, which also illustrates that compliance is not new.
USA PATRIOT Act The USA PATRIOT Act (Public Law 107–56) is federal legislation in the U.S. Passed soon after the September 11, 2001 terrorist attacks, the Act expands the authority of U.S. law enforcement for the stated purpose of fighting terrorist acts in the U.S. and abroad. This expanded legal authority is also used to detect and prosecute other alleged crimes. The portion of the Act that relates to IT is called the Financial Anti-Terrorism Act and deals with money laundering. This item works in conjunction with the BSA/AML just mentioned.
The Federal Information Security Management Act The Federal Information Security Management Act of 2002 (FISMA) was enacted to bolster computer and network security within the U.S. federal government and affiliated parties (such as government contractors) by mandating yearly audits. FISMA has brought attention within the federal government to the previously neglected area of cyber security. At the time of this writing, however, many government agencies have received extremely poor marks in this area on their official report cards. The average grade of 67.3 percent for 2004 was an improvement of only 2.3 percentage points over 2003, and experts warn that this average must increase for the federal government to truly protect itself and its citizens.
Payment Card Industry Data Security Standard The Cardholder Information Security Program (CISP) was instituted by Visa USA and MasterCard International. Mandated since June 2001, the program is intended to protect cardholder data—wherever it resides—ensuring that members, merchants, and service providers maintain the highest information security standard. Using the Payment Card Industry (PCI) Data Security Standard as its framework, CISP provides the tools and measurements needed to protect against cardholder data exposure and compromise across the entire payment industry. The PCI Data Security Standard consists of 12 basic requirements supported by more detailed subconditions.
California Senate Bill 1386 (CA SB 1386) was introduced in July 2003 as a first attempt by a state legislature to address the problem of identity theft. In short, the bill introduces stiff disclosure requirements for businesses and government agencies that experience security breaches that might endanger the personal information of California residents. It is expected that many organizations in the Unites States are subject to these requirements. In addition, many other states since have, or are planning to, enact similar legislation.
International Convergence of Capital Measurement and Capital Standards—A Revised Framework is also called Basel II or the New Accord and it represents recommendations by bank supervisors and central bankers from the 13 countries making up the Basel Committee on Banking Supervision for revising the international standards for measuring the adequacy of a bank's capital. This agreement was created in order to promote greater consistency in the way that banks and regulators approach risk management across national borders.
Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal regulation that governs the collection, use, and disclosure of personally identifiable information in the course of commercial transactions. The act was created in response to European Union data protection directives that limit trade with nations whose privacy protection does not meet EU standards. PIPEDA incorporates and makes mandatory provisions of the Canadian Standards Association's Model Privacy Code of 1995. The act covers all of Canada except those provinces that have "substantially similar" legislation (namely British Columbia, Alberta, and Québec) and covers all inter-provincial trade.
Making Your Organization Compliant
For better or worse, IT is in the spotlight with regard to compliance. Suddenly, IT departments everywhere have been charged by the CEO, CFO, and Audit Committee with making the company compliant, because many of the laws carry personal liability penalties for officers and directors of corporations. So where do you go to get the information and support you need? A whole host of software vendors have created point solutions for compliance issues, but sorting through the effectiveness of these offerings can be daunting.
To date, most of the interpretation surrounding compliance has been done by specialists in auditing and IT security. When it comes to complying with SOX in large enterprises, for example, the large accounting firms supply almost all of the expert opinion, while smaller organizations tend to use IT security consultants. Unfortunately, the two groups view the problem differently, so you'll have to choose the practices that work best for your organizations. The good news is that both groups agree that using best practices can provide a host of benefits to IT. Let's explore the available best practices, which, for convenience, can be divided into one of two orientations: process or technology. Figure 1 shows some best practices in compliance.
Figure 1 Best Practices
Practice | Orientation | Developed By | Description |
Turnbull Report | Process Guidance | Institute of Chartered Accountants of England and Wales | The combined code on corporate governance for the UK. (www.icaew.co.uk/internalcontrol) |
CobiT | Process Control and Management | Information Systems Audit and Control Association/ IT Governance Institute (ISACA/ITGI) | A process standard for Public Company Accounting Oversight Board (PCAOB). (www.isaca.org) |
COSO | Process Enterprise Risk Management | Committee of Sponsoring Organizations of the Treadway Commission | Used by the Public Company Accounting Oversight Board (PCAOB) as a guide for SOX. (www.coso.org) |
ITIL | IT Service Process | UK Office of Government Commerce | Detailed process-oriented approach to IT services management. (www.itil.co.uk) |
ISACA/ITGI Harmonization Document | Process and Technology Mapping | ISACA/ITGI | Maps CObiT to ITIL and ISO 17799. (www.isaca.org) |
ISO 17799 | Technology | ISO / BSA | Shows how to create an IT security program. (www.iso.org) |
NIST SP 800 Series | Technology | National Institute of Standards, U.S. Government | Detailed implementations by technology or process in IT security. Adopted by FISMA and the FIPS standards. (csrc.nist.gov) |
Common Criteria (ISO 15408) | Technology | ISO | Detailed technical best practice that has suffered from issues of enforcement and recognition. It is now being overseen by a group of nations to provide a more level interpretation. |
If, for example, your enterprise is embroiled in SOX compliance issues, the best approach would be to use a combination of CobiT and ISO 17799 as represented by the ISACA/ITGI Harmonization document. If your organization is a financial services enterprise trying to meet the requirements of BSA/AML, USA PATRIOT Act, and GLBA, a best approach would be to use ISO 17799 since the FFIEC audit criteria align most closely with it. If your company is working to comply with HIPAA, a blended approach would be the best, with elements of ISO 17799 and the direct requirements of the HIPAA Final Rule from the U.S. Office of Health and Human Services.
If you're not an expert yourself, it isn't easy to figure out which best practice is right for you. That's where IT Security and Compliance specialists can help, by providing you with the least costly method for compliance. The cost reductions come from a deep understanding of all components of all best practices and how they match the requirements of the law or regulation you must comply with.
Just Give Me a Solution
Probably the most appealing approach is to acquire a ready-made solution. As part of a six-month long effort funded by Microsoft Security Solutions, a group of experts mapped the requirements of the laws to best practices and ultimately to solutions. The solutions were then grouped by function and Microsoft products and services were mapped to these groups. Unfortunately, this mapping has not yet been released, so you'll have to wait. Meanwhile, Figure 2 describes some of the more general business solutions that are available while Figure 3 lists security-related solutions.
Figure 3 Security Solutions
Name | Description | Examples |
Application Security Solutions | A combination of good development practices and specific software security solutions. | Radware, CSS |
Data Encryption and Transmission Solutions | Deals with protecting data that is at rest or in transmission. | Windows Server 2003, PGP |
Identity Management Solutions | Tools used to manage the digital identities of users and their digital entitlements. Controls the privileges assigned to both identities and resources. | MIIS, Oblix, Tivioli, Sun, BMC |
Network Security Solutions | Addresses the security of all parts of the network including firewalls, servers, clients, routers, switches, and access points. | Windows Server, SMS, MOM |
Security and Compliance Training Delivery | Provides the critical link between people, processes, and technologies that make a security program work. | Kronos, Contexxa, Ascentis |
Malicious Software Prevention | Antivirus, anti-spyware, anti-spam, and anti-rootkit solutions. | Microsoft Antispyware beta, WebRoot, Symantec |
Security Integration Solutions | The integration of security to data at rest or in transmission. | Consulting: HP, IBM, Microsoft, Avanade, Accenture |
Authentication, Authorization, and Access Control Solutions | User name and password, smart card, retina scan, voice recognition, or fingerprints. Access can be granted or denied based on a variety of criteria. | Windows XP, Windows Server 2003, IBM, Sun |
Physical Security Solutions | Provides solutions for physical access, control, and security of systems and workstations. | Consulting |
Figure 2 General Solutions
Name | Description | Examples |
Document Management Solutions | A combination of software and processes that help manage unstructured information in an enterprise. | SharePoint products, Documentum, FileNET |
Project Management Solutions | Tools used in the implementation, ongoing operation, and maintenance of compliance programs by providing control and feedback to project managers and teams. | Microsoft Office Project |
Change Management Solutions | A structured process that causes proposed changes to be reviewed for technical and business readiness in a consistent manner that can adjust to business needs. | SharePoint, SMS, Remedy, Serena |
Host Control Solutions | Solutions that control the OS in servers and workstations. | Windows Server 2003, Windows XP |
Vulnerability Identification Solutions | Tools for finding vulnerabilities within information systems. | ISS, Core Impact, Retina, GFI Languard |
Disaster Recovery and Failover | Application that brings enterprise information back to an operational state as quickly as possible. | Data Protection Manager |
Business Process Management Solutions | Applications that provide end-to-end visibility and control over all parts of a long-lived, multistep information requests or transactions. | BizTalk, SAP |
Risk Assessment Solutions | A systematic method for identifying the assets of an information-processing system, threats to those assets, and the vulnerability of the system to those threats. | Usually a consulting engagement combined with assessment tools |
E-Mail and Collaboration Solutions | Tools ranging from integrated document programs such as Microsoft Office, portals, instant messaging, online-presentation software, and peer-to-peer apps. | Exchange, SharePoint, Enterprise, Symantec |
Audit and Logging Solutions | Audit and logging solutions collect and audit logs that result from authentication and access to systems. | MOM, ACS, Novell, Tivoli, Altiris |
Incident Management and Trouble-Tracking | Systems that manage a specific business process from beginning to end, customized for incidents or trouble-tracking. | Intuit, SAP, many CRM vendors |
These solutions still require experienced implementation with firewalls and good network design and may require vulnerability assessment and intrusion detection applications to be complete. They also require complete and usable documentation that includes security policies and overall document management methods. My intention here is to suggest how these solutions can provide compliance coverage, not provide a specific solution.
One Final Note
The effects of regulatory compliance on the IT pro are complex, but you have to face them. You can save a lot of precious time and effort by becoming familiar with the laws and by bringing in specialists who can work the confluence of regulatory compliance and IT security. Most importantly, regulatory compliance translates into plain old good IT security practices.
Tony Noblett has spent the last five years consulting with enterprises on IT Security Compliance for GLBA, HIPAA, and Sarbanes-Oxley. Tony has over 20 years experience with process engineering, engineering management, technology marketing, and technical consulting. Tony holds an undergraduate degree in Metallurgical Engineering, an MBA, and an MS in IT as well as the CISSP and CISA certification. Reach him at tnoblett@socair.com.
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.