An organization that wants to do business in a country with strict privacy rules, or with clients that have high confidentiality standards, must play by those rules and bring its security up to the required level. Regulations such as HIPAA and SOX and standards such as PCI DSS and ISO/IEC 27001 set out very specific security criteria that a business must meet to be deemed compliant. IT compliance is the process of meeting a third party's requirements for digital security in order to enable business operations with a particular customer, market, or regulator.
Compliance is carried out to satisfy external requirements and to facilitate business operations. It is driven by business needs rather than technical needs, and it is "done" when the third party (the regulator, auditor, or customer) signs off. That is also its limitation: a standard only covers the controls its authors chose to require. A business that focuses only on meeting the standard, and neglects critical security functions the standard does not happen to require, leaves the door wide open to attackers.
Compliance does bring real benefits. An audit will help to identify gaps in the present information security (IS) program that might not otherwise have been noticed. Additionally, compliance gives an organization a standardized security program, as opposed to one where controls are chosen at the whim of an administrator.
Compliance therefore establishes a baseline for an organization's security posture, and diligent security practice builds on that baseline so that the business is covered from every angle, not only the angles the standard names.
Most of these regulations mandate specific protections for information: they guard privacy, prevent fraud, provide security, and protect identities through standardization, mandates, and accountability.
Duties of Compliance department may include:
• Risk identification
• Implementing risk controls
• Reporting on the effectiveness of controls
• Resolving compliance problems
• Providing regulatory advice to the business
The most well-known regulatory compliance standards affecting IT compliance include:
The Sarbanes-Oxley Act (SOX) of 2002 is a sweeping statute regulating financial transparency and reporting. Congress passed it in direct response to the major accounting scandals at Enron, Tyco, and WorldCom, which hinged on fraudulent bookkeeping, and its purpose is to protect shareholders from inaccurate financial reporting and accounting errors at public companies. The rules apply to the boards, management, and public accounting firms of U.S. public companies. SOX is also referred to as the "Corporate and Auditing Accountability, Responsibility, and Transparency Act" and the "Public Company Accounting Reform and Investor Protection Act". Section 404 is the important part for IT: it requires management and the external auditor to assess the internal controls over financial reporting, which in practice means the IT general controls (access, change management, operations) around the systems that produce the financial records. The related record-retention rules require audit records and work papers to be kept for seven years. All public companies must comply with SOX on both the financial side and the IT side, and the way in which IT departments store corporate electronic records changed as a result.
The Gramm-Leach-Bliley Act (GLBA) of 1999, also known as the Financial Modernization Act, requires financial institutions to ensure the confidentiality and security of customers' nonpublic personal information. Nonpublic personal information includes Social Security numbers, credit card and bank card account numbers, contact numbers, home or company addresses, names, and all other personal customer information received by a financial institution that is not publicly available. The Act also requires financial institutions to provide customers with written privacy notices that explain their information-sharing practices. The three parts of the Act are:
• The Financial Privacy Rule: regulates the collection and disclosure of private financial information.
• The Safeguards Rule: requires financial institutions to implement security programs to protect such information.
• The Pretexting provisions: prohibit pretexting, that is, obtaining customer information under false pretenses.
Health Insurance Portability and Accountability Act (HIPAA) of 1996: HIPAA consists of a series of regulatory standards that govern the lawful use and disclosure of protected health information (PHI) by insurers, medical providers, and employers who provide health care insurance. HIPAA compliance is overseen by the Department of Health and Human Services (HHS) and enforced by its Office for Civil Rights (OCR). The HIPAA Privacy Rule sets national standards for the use and disclosure of PHI in any form; the HIPAA Security Rule sets national standards for safeguarding PHI that is held or transmitted in electronic form (ePHI). Companies that deal with PHI must have physical, network, and process (administrative) security measures in place and follow them to ensure HIPAA compliance.
Requirements for HIPAA compliance:
• Self-audits
• Incident management
• Business associate management
• Documentation
• Remediation plans
• Policies, procedures, and employee training
A HIPAA violation is any breach of an organization's compliance program that compromises the confidentiality or integrity of PHI or ePHI.

The Payment Card Industry Data Security Standard (PCI DSS), first published in 2004, is an information security standard for organizations that handle branded payment cards such as Visa and MasterCard. It is not a law but a contractual industry standard, maintained by the PCI Security Standards Council founded by the card brands, and it is meant to reduce fraud by protecting cardholder data. Compliance is required of every company that stores, processes, or transmits card data. PCI DSS is designed to protect customers, and it focuses on merchants, financial institutions, and payment solution providers. The implications of PCI compliance are huge, because retail point-of-sale systems are a prime target for attackers.
Compliance Audits and Reports:
Audits are a method for determining compliance: a systematic review of policies, procedures, operations, and controls that determines whether a company is adhering to the applicable laws and standards. Because an IT organization has wide reach, an IT audit usually spans numerous departments. The scope of an IT compliance audit identifies the applicable laws and requirements, assesses how specific laws, requirements, or standards are being met, and accordingly provides recommendations and remedies for non-compliance. Planning an IT audit involves two major steps:
1) Gather information and plan the work.
2) Gain an understanding of the existing internal control structure.
Compliance reports are required during audits to provide correlated data that contains evidence of compliance. A balanced scorecard is a method for measuring whether your compliance strategy is being executed successfully.
In the information-gathering step, the IT auditor needs to identify five items:
• Knowledge of the industry and the business
• Audit results of prior years
• Updated financial information
• Regulatory statutes
• Inherent risk assessments
Different frameworks exist to assist with governance. These include:
• Information Technology Infrastructure Library (ITIL)
• International Organization for Standardization (ISO) standards, in particular ISO/IEC 27001 for information security management
• COBIT
Objectives of an IT audit:
• Review the IT organizational structure
• Review IT policies and procedures
• Review IT standards
• Review IT documentation
• Review the organization's business impact analysis (BIA)
• Interview the appropriate personnel
• Observe the processes and employee performance
• Examination, which necessarily comprises the testing of controls and then reporting the results of those tests
What ingredients are involved in planning an IT audit?
• An appreciation of the IT environment
• An understanding of the IT risks
• Pinpointing the resources required to carry out the work
We will cover each in turn. The initial research work involves a high-level review of the IT procedures and control environment, focused on the basic principles of IT security: confidentiality, integrity, and availability. The areas covered at this stage are:
• Change Management: the controls around software and hardware changes to critical systems.
• Access Security: the access controls enforced on entry to the systems, both internally and externally.
• Business Continuity and Disaster Recovery: the enterprise's ability to safeguard information assets from unexpected threats and disasters and to recover from them quickly.
This review enables the IT auditor to plan the work efficiently and effectively.