Under GLBA, banks and financial institutions have a mandate to secure private customer data. They must implement a comprehensive, written information security program with administrative, technical and physical safeguards for customer information. In addition, the institution's board of directors or an appropriate committee of the board must approve the security program and oversee its development. Individual actions to enforce the regulations may reach $1,000, and damages for a class of individuals are available up to $500,000. Beyond that, GLBA regulations link information security safeguards to the overall safety and soundness of an institution and give overseeing agencies, such as the FDIC and the Treasury Department, wide latitude to address unsafe and unsound conditions in institutions under their jurisdiction.
Under HIPAA, enterprises in the health sector must guard PHI (protected health information) and implement policies and procedures to safeguard it in any format, paper or electronic. And as with GLBA, covered entities under HIPAA must identify an official responsible for developing and implementing these privacy and security policies and procedures.
Sarbox holds corporate officers accountable for their financial reporting systems. It requires the management teams of public companies to establish and maintain adequate internal controls and assess the effectiveness of those controls. It even creates a nonprofit organization (Public Company Accounting Oversight Board) to oversee the audit activities of public companies.
In light of recent corporate scandals, you're likely thinking, "Better late than never." But Sarbox is not the SEC's first foray into this regulatory arena: As early as 1979 the agency proposed rules requiring public companies to disclose certain information about their internal accounting controls. For example, the rules required management to state its opinion on whether access to corporate assets, and the execution and recording of transactions, were in accordance with management's authorization. But the SEC abandoned its rulemaking, deciding to let voluntary, private-sector initiatives continue to develop. Then came Enron.
Fast forward to today: Industry self-regulation is being replaced with law and government regulation. But though GLBA, HIPAA and Sarbox require corporate accountability in handling transactions, security and data on networks, they do not provide a detailed road map of the hardware and software you'll need to comply. Rather, each provides broad objectives and suggests implementation strategies for compliance (see "Law vs. Regulation"). This leaves a lot for IT to interpret.
Regulatory standards are not linked to specific technologies: Standards address all aspects of security and scale to many types and sizes of organizations. Enterprises are free to implement a program they find appropriate. But you must know what's going on in your network. Ignorance is no defense. For example, a small clinic that maintains all patient data on a standalone PC won't need to go so far as, say, an identity-management package, but it should implement secure password-management practices and control physical access to the machine.