Federal regulations establish broad requirements that affect IT systems and infrastructures, and many IT managers find them difficult to translate into real-world actions. That excuse will not save you in court. Almost all IT organizations are affected by these regulations, and you need to understand which ones apply to you and what you can do about them.
Under the Gramm-Leach-Bliley Act (GLBA), financial institutions of any size must provide their clients with a privacy notice that explains what information the company gathers about the client, where that information is shared, and how the company safeguards it. If the institution is found to violate that notice, it is subject to fines of $100,000 for each such violation, and the officers and directors of the financial institution are also on the hook for civil penalties of $10,000. If customer data is compromised and the information was not secured properly, each customer record could be considered a separate violation. In that scenario, the penalties can escalate into the millions.
Sarbanes-Oxley (SOX) sets standards for all public companies in the U.S., including their management, external boards, and public accounting firms. One of the biggest impacts of SOX on IT organizations is section 404. Because of the consequences of not complying with SOX, many CIOs are directly involved in ensuring that their IT organizations meet its requirements. Criminal penalties for violating SOX can include fines and imprisonment for those who knowingly violate the act.
SOX requires the use of an internal control framework or set of best practices, such as COBIT or ITIL, that enables specific application transaction processing management procedures. SOX focuses on financial application transactions such as payroll, general ledger, accounts payable, and other key systems, but because of the strict penalties for violation, most companies take a broad approach and ensure control mechanisms for every IT element that may somehow affect the balance sheet. Application transaction controls and access controls are both critical for compliance. This covers not only the applications themselves, but also the supporting systems, such as networks, operating systems, and databases.
Health care organizations of all sizes must contend with HIPAA, the act that requires controlling access to protected health information. HIPAA mandates that private health care information in computer systems and electronic communications, when transmitted electronically over open networks, cannot be intercepted by anyone other than the intended recipient. Organizations that violate HIPAA can also face civil penalties, fines, and legislative hearings.
Any organization that stores, transmits, or processes credit cards is also subject to the Payment Card Industry (PCI) standard. If they don't comply, they can lose the privilege of processing cards. Some requirements, such as installing and maintaining a firewall and not using vendor-supplied defaults for system passwords and other security parameters, are straightforward; others, such as maintaining a policy that addresses information security and restricting access to data on a need-to-know basis within the business, can be more challenging to achieve. The standard's dozen-plus requirements, which also include tracking and monitoring all access to network resources and cardholder data as well as regular security testing, will likely require a suite of tools from various vendors to accomplish this disparate set of tasks. These include anti-virus software, configuration management products, host-based security products, data protection appliances, and more robust password policy software.