Applied G2


Governance & Compliance


Regulatory compliance is tough to achieve and maintain for most organizations. Regulations are frequently written in vague terms with only limited information on "what" must be done and, in most cases, even less guidance on "how" to actually demonstrate compliance. The penalties and sanctions for non-compliance are often the only explicit sections of many government directives. Government regulations at the state and local levels may also make setting corporate-wide policies a bit more tricky. If your organization operates in more than one country, you also have to take local laws into consideration.


Three other major contributing factors make compliance a difficult task to achieve. Industry regulations such as the Payment Card Industry Data Security Standard (PCI-DSS), which applies to businesses that take payment via credit cards, are just one example of the many cross-industry regulators that introduce requirements in order to keep orders and supplies flowing smoothly. As the physical location of your data migrates from devices you own and control into SaaS (Software as a Service) and storage in "the cloud," command and control over the users and the legitimate business use of certain assets becomes a bit more abstract. The final aspect you should consider in relation to your compliance program is how your contracts and administrative procedures need to evolve to clearly assign rules, responsibilities and accountability to the users and custodians of your data and other assets.


Compliance is certainly one of many considerations when implementing a comprehensive security program. AppliedG2 can be part of your team to weigh in on the best way to implement the ever-elusive "how": achieving the right balance of investment and risk reduction to meet the matrix of compliance demands your organization has to balance.


Here are some plain-language explanations of just some of the most common regulations that impact many of the industries our clients represent:

PCI-DSS – The major credit card issuing companies (e.g. Visa, MasterCard, Amex, etc.) got together to provide a unified set of security standards for handling the sensitive information needed to complete transactions. It is a multi-tiered program for the institutions that take and process credit card information. It provides a graduated set of minimum security standards based on the number of annual transactions processed by an organization. There are three main parts to the program:

1) The Standard itself, found at http://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
2) The people who are qualified to certify an organization as being PCI compliant, called QSAs (Qualified Security Assessors)
3) The tools that have been approved to inspect an organization's systems for compliance with the standard, known as ASVs (Approved Scanning Vendors)


SOX – The Sarbanes-Oxley (SOX) Act of 2002 was originally drafted to try to reestablish confidence among individual and institutional investors after a number of corporate scandals involving accounting irregularities. The Act addresses issues such as auditor independence, corporate governance and specific financial disclosure requirements. It added significant penalties for violations and made it clear that senior executives had to understand, and be accountable for, accurate financial reporting to the public.

GLBA – The Gramm-Leach-Bliley Act placed specific responsibility on financial institutions for protecting personal financial information and for limiting the disclosure of this information to other institutions. It regulates the privacy of Personally Identifiable Information (PII) with respect to non-affiliated third parties.

HIPAA – The Health Insurance Portability and Accountability Act (HIPAA) was originally designed to streamline reporting, reduce administrative cost and enhance fraud detection associated with healthcare. It also brought to the forefront the need to protect Protected Health Information (PHI), a healthcare-specific form of Personally Identifiable Information (PII): information that can be used to link a specific healthcare-related activity to you as an individual. It has been updated with a complementary piece of legislation known as the HITECH Act, which outlined specific PII protection requirements and the disclosure requirements that apply if a healthcare provider mishandles your PII.
FERPA – The Family Educational Rights and Privacy Act was put in place to protect the privacy and accuracy of, and access to, student records. It applies to all schools that receive funds under an applicable program of the U.S. Department of Education.

FERC/NERC – The Federal Energy Regulatory Commission (FERC) is supported by an enforcement agency known as the North American Electric Reliability Corporation (NERC). Regional entities across the country are responsible for maintaining the reliability of many of the USA's critical utility components and grids. The Energy Policy Act of 2005 provides the backbone for the current standards, which are designed to ensure that the country's infrastructure remains viable and resilient against man-made and natural disasters.