Laws and Regulations
At the heart of most regulations is the intention of protecting the confidentiality, integrity, and availability of information that impacts a corporation's stakeholders. These laws can be distilled down to their essential goals:
- Establish and implement controls
- Maintain, protect, and assess compliance issues
- Identify and remediate vulnerabilities and deviations
- Provide reporting that can prove your organization's compliance
New Laws and Regulations Affecting IT Pros
Sarbanes-Oxley
The Sarbanes-Oxley Act of 2002 (SOX) was a response to corporate scandals. Its most prominent aspect, from an IT perspective, is Section 404, which requires that the annual reports of public companies include an end-of-fiscal-year assessment of the effectiveness of internal control over financial reporting. Section 404 also requires that the company's independent auditors attest to, and report on, this assessment.
Gramm-Leach-Bliley Act
The Financial Services Modernization Act of 1999, better known as the Gramm-Leach-Bliley Act (GLBA), protects the privacy and security of individually identifiable financial information collected, held, and processed by financial institutions. The privacy component requires financial institutions to provide their customers with an annual notice of their privacy practices and to allow customers to choose not to share such information. The safeguards component requires that financial institutions establish a comprehensive security program to protect the confidentiality and integrity of the private financial information in their records.
Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act (HIPAA) includes, among its various components, privacy and security rules. These rules focus on Protected Health Information (PHI) and electronic PHI (ePHI) gathered in the healthcare process and mandate the standardization of electronic transactions, code sets, and identifiers.
Bank Secrecy Act
The Bank Secrecy Act (BSA), having been passed into law by the United States in 1970. The BSA is sometimes referred to as an Anti Money-Laundering law (AML) or as BSA/AML. Several anti-money-laundering acts, including provisions of the USA PATRIOT Act, were subsequently enacted to amend the BSA. (See 31 USC 5311–5330 and 31 CFR 103.) The BSA requires banks and other financial institutions to report certain transactions to government agencies and to withhold from clients that such reports were filed about them.
USA PATRIOT Act The USA PATRIOT Act
(Public Law 107–56) is federal legislation in the U.S. Passed soon after the September 11, 2001 terrorist attacks, the Act expands the authority of U.S. law enforcement for the stated purpose of fighting terrorist acts in the U.S. and abroad. This expanded legal authority is also used to detect and prosecute other alleged crimes. The portion of the Act that relates to IT is called the Financial Anti-Terrorism Act and deals with money laundering. This item works in conjunction with the BSA/AML just mentioned.
The Federal Information Security Management Act
The Federal Information Security Management Act of 2002 (FISMA) was enacted to bolster computer and network security within the U.S. federal government and affiliated parties (such as government contractors) by mandating yearly audits. FISMA has brought attention within the federal government to the previously neglected area of cyber security.
Payment Card Industry Data Security Standard
The Cardholder Information Security Program (CISP) was instituted by Visa USA and MasterCard International. Mandated since June 2001, the program is intended to protect cardholder data—wherever it resides—ensuring that members, merchants, and service providers maintain the highest information security standard.
International Convergence of Capital Measurement and Capital Standards—A
Revised Framework is also called Basel II or the New Accord and it represents recommendations by bank supervisors and central bankers from the 13 countries making up the Basel Committee on Banking Supervision for revising the international standards for measuring the adequacy of a bank's capital. This agreement was created in order to promote greater consistency in the way that banks and regulators approach risk management across national borders.
