Compliance management is emerging as the #1 challenge for both executives and IT organizations. Regardless of your organization's size or geographic location, you more than likely have some compliance requirements and concerns for your business. Whether they are industry regulations such as Sarbanes-Oxley, HIPAA, PCI DSS, 201 CMR 17.00 or any number of state and federal laws, your organization is responsible for its own compliance.
- The Situation
Compliance is not one-size-fits-all. The regulations that apply to a given company depend on factors such as the industry in which it operates, whether it is a public or private entity, whether it is national or multinational in scope, and so on. The best known and most ballyhooed regulation is the Sarbanes-Oxley Act (SOX), a grab-bag of provisions governing public accounting firms, corporate boards, whistleblowers, financial statements, insider trades, internal controls, changes in operations, and records falsification or destruction. SOX applies to all publicly traded companies in the United States, and to foreign companies that list on U.S. stock exchanges.
Beyond SOX, other regulations apply to specific industries. The Health Information Portability and Accountability Act applies to all health plans, healthcare providers, prescription drug card sponsors, and others who handle individually identifiable health information. Its provisions cover patient privacy but also include requirements for the integrity and availability of electronic patient data. In pharmaceuticals, 21 CFR is a set of requirements governing the use of electronic records and signatures.
For financial services, SEC 17a-4 governs records required to be made by stock exchange members, brokers, and dealers regarding client records and communications. In multinational banking, Basel II specifies that banks that implement “advanced methodologies” can reduce the reserve amount for loans. Basel II spells out 25 “Core Principles for Effective Banking Supervision,” one of which is that adequate records enable supervisors to have a fair view of a bank’s financial condition.
The common thread in these diverse regulations is information and how it is handled. Rarely, if ever, will a regulation or law tell how to accomplish compliance; the intention is that methods remain flexible and appropriate to the size and resources of the complier.
Compliance is a moving target. Important changes occur after a law first appears, usually in the form of final rules and enforcement guidelines that can clarify how given agencies will interpret the regulations. Regulations also change over time based on public comment and refinements, and compliance deadlines may change as well—as they have several times for small company compliance with SOX. Eventually, most laws will have test cases that provide further enlightenment by showing what the regulator considers a violation.
While necessary to protect sensitive data, compliance with these regulations, statutes, and internal policies can be daunting. For good reason, most companies are focused on their core business, not on security and compliance issues. They understandably do not have the security expertise required to identify deficiencies or address them in a timely manner. Furthermore, violations can result in steep financial fines, impact top-line revenue, garner negative press and even lead to jail time.
- TBG Solutions
Our Compliance Services practice delivers a full range of assessment, remediation, implementation, certification and education services to help organizations of all sizes establish and improve compliance. TBG Security works closely with customers to help determine whether they are in compliance with the applicable regulations and standards, document that compliance and improve security best practices. TBG Security's deep experience in information security and in compliance requirements allows us to act as a Trusted Security Advisor, providing ongoing support for all your compliance initiatives.