Online Loans

Online Compliance and Government Regulation

Online Compliance and Government Regulation by Stephen Richards


As more business moves online and the Internet becomes central to daily life, the need for regulation and protection grows in ways it never has before. New ways of doing business online bring new attacks on vulnerable users. The response is not only technical (encryption and certificate authorities) but also regulatory: governments and industry bodies now impose rules on businesses to protect their customers and their information.
With rules set by governments and by the card brands to protect the consumer, the business, or the government, it is easy to lose track of who requires what. Here are some of the main protections in place:

1. Payment Card Industry Data Security Standard (PCI DSS) Identity theft has risen with the ease of stealing payment card data. Of the roughly 650,000 fraud complaints the U.S. Federal Trade Commission received each year from 2004 to 2006, identity theft consistently accounted for 35% to 36%.

In 2006, the major card brands (Visa, MasterCard, American Express, Discover, and JCB International) formed the PCI Security Standards Council to maintain a single set of data security requirements, first published in December 2004 as PCI DSS version 1.0, that binds every merchant, bank, and service provider that stores, processes, or transmits cardholder data.

These requirements apply to cardholder data in transit and at rest: in databases, Web servers, and applications that store or process card data. PCI DSS also requires that cryptographic keys be managed properly, including how they are generated, distributed, stored, and retired. The standard does not mandate inspection of encrypted traffic, but organizations are often advised to gain visibility into their SSL/TLS traffic, for example with Web gateways that can terminate, scan, and apply policy to encrypted sessions, so that threats cannot hide inside the tunnel.

Merchants and service providers must also have an external vulnerability scan of their Internet-facing systems performed at least quarterly by an Approved Scanning Vendor (ASV). Penalties for non-compliance are imposed by the card brands through the acquiring bank and can include higher processing fees and, in serious cases, loss of the ability to accept the brands' cards at all. Substantial fines are also possible: Visa, for example, has levied penalties of up to $500,000 per incident of non-compliance, while American Express fines can reach $15,000 per day.

2. HIPAA The Health Insurance Portability and Accountability Act (HIPAA) of 1996, which applies to health plans, healthcare clearinghouses, and healthcare providers in the United States (the "covered entities"), was originally intended to protect workers' health insurance coverage when they changed or lost their jobs. Its Administrative Simplification provisions later produced the Privacy Rule and, for electronic data, the Security Rule, with which most covered entities had to comply by April 2005. The Security Rule sets standards for the storage and transmission of electronic protected health information (ePHI): information about an individual's health status, the provision of health care, or payment for health care that can be linked to that individual. Covered entities must ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit; protect against reasonably anticipated threats to its security or integrity and against unauthorized uses or disclosures; and train their entire workforce on the policies that achieve this. The rule is deliberately technology-neutral: encryption of ePHI is an "addressable" specification, meaning an entity must implement it or document why an equivalent alternative is reasonable, rather than a blanket mandate.

The penalties for violating HIPAA can be severe. Under the Act as originally enacted:

* civil penalties of $100 per violation, up to $25,000 per year for violations of an identical provision (raised substantially by the HITECH Act of 2009);
* criminal penalties for knowingly obtaining or disclosing individually identifiable health information, from $50,000 and up to one year in prison to $250,000 and up to ten years where the disclosure is made for commercial advantage, personal gain, or malicious harm;
* and, although not part of HIPAA itself, exposure to lawsuits from the individuals whose medical information was revealed, which may be the most costly consequence of all.

3. Sarbanes-Oxley The Public Company Accounting Reform and Investor Protection Act of 2002, commonly known as "Sarbanes-Oxley" or "SOX", was enacted in response to the flood of headline-dominating financial scandals at Enron, WorldCom, and their auditor Arthur Andersen, which led not only to those firms' collapse but to a serious decline in the stock markets and the economic health of the United States. In a nutshell, it had been too easy for a company to "cook the books" and for executives to line their pockets at shareholders' expense while claiming ignorance. SOX greatly tightened the rules on how companies maintain and report financial data and on their financial processes generally. It is enforced by the U.S. Securities and Exchange Commission (SEC). While SOX does not specifically mandate encryption for maintaining or transmitting information, it does require institutions to maintain tight control over access to their sensitive financial data.

The IT Governance Institute (ITGI), a group created to assist companies with IT governance, has published a set of security-related control objectives to help with SOX compliance. Among its recommendations: use SSL/TLS or equivalent encryption on any network link over which passwords or other sensitive data may travel, and use digital certificates to authenticate the endpoints whenever financial information moves between systems.

One internal control that SOX Section 404 assessments lean on heavily, as a guard against embezzlement, is segregation of duties: no single person should be able to both initiate a payment and approve or receive it. That in turn means a company must be able to prove who authored key communications, such as the e-mails or workflow messages that request and approve a payment, and that those messages have not been altered since. Digital signatures give both properties: a signature verifies only against the signer's public key, and it fails on any change to the signed content. The proof is only as strong as the protection of the private key, so each key should be held by the individual (on a smart card or in a hardware module) rather than shared or stored where administrators can read it.
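Illustrating the segregation-of-duties control above in code, as an added example that is not from the article or from any product it mentions: the Go program below, using only the standard library's Ed25519 implementation, has two employees sign a canonical payment record and releases the payment only if every signature verifies, the signatures come from two distinct directory identities, and neither signer is the payee. The employee names, the payment record layout, and in-process key generation are assumptions made for the example; in practice keys would be enrolled once and held on smart cards or in an HSM. It goes slightly beyond the text by also showing that a payment whose amount is changed after approval is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Payment is the record both approvers must agree on. Canonical() fixes the
// byte layout so that signer and verifier sign and check exactly the same bytes.
type Payment struct {
	ID     string
	Payee  string
	Amount int64 // in cents
}

func (p Payment) Canonical() []byte {
	return []byte(fmt.Sprintf("payment-id=%s;payee=%s;amount=%d", p.ID, p.Payee, p.Amount))
}

// Approval is one employee's detached Ed25519 signature over the canonical payment.
type Approval struct {
	Approver string
	Sig      []byte
}

// Directory maps employee names to public keys. In a real deployment the keys
// would come from an internal CA or HR directory; here it is filled in-process.
type Directory map[string]ed25519.PublicKey

// Approve signs the payment with the employee's private key.
func Approve(name string, priv ed25519.PrivateKey, p Payment) Approval {
	return Approval{Approver: name, Sig: ed25519.Sign(priv, p.Canonical())}
}

// Authorize enforces the two-person rule: the payment is released only if it
// carries valid signatures from at least two distinct directory identities,
// none of whom is the payee. Any change to the payment after signing makes
// every signature fail, because the signed bytes no longer match.
func Authorize(dir Directory, p Payment, approvals []Approval) error {
	seen := map[string]bool{}
	for _, a := range approvals {
		pub, ok := dir[a.Approver]
		if !ok {
			return fmt.Errorf("approver %q not in directory", a.Approver)
		}
		if !ed25519.Verify(pub, p.Canonical(), a.Sig) {
			return fmt.Errorf("signature from %q does not match payment %s", a.Approver, p.ID)
		}
		if a.Approver == p.Payee {
			return fmt.Errorf("payee %q may not approve their own payment", a.Approver)
		}
		seen[a.Approver] = true
	}
	if len(seen) < 2 {
		return errors.New("segregation of duties: need two distinct approvers")
	}
	return nil
}

// Scenario runs four constructed cases and reports whether each was accepted.
// Key generation here stands in for enrollment (an assumption for the example).
func Scenario() (valid, tampered, singleSigner, payeeSigned bool) {
	dir := Directory{}
	keys := map[string]ed25519.PrivateKey{}
	for _, n := range []string{"alice", "bob", "carol"} {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		dir[n] = pub
		keys[n] = priv
	}
	p := Payment{ID: "INV-1042", Payee: "carol", Amount: 1250000} // constructed sample

	// 1. Two distinct approvers, untouched payment: accepted.
	good := []Approval{Approve("alice", keys["alice"], p), Approve("bob", keys["bob"], p)}
	valid = Authorize(dir, p, good) == nil

	// 2. Amount altered after signing: both signatures now fail.
	altered := p
	altered.Amount = 9250000
	tampered = Authorize(dir, altered, good) == nil

	// 3. The same person signs twice: only one distinct identity.
	twice := []Approval{Approve("alice", keys["alice"], p), Approve("alice", keys["alice"], p)}
	singleSigner = Authorize(dir, p, twice) == nil

	// 4. The payee co-signs their own payment.
	self := []Approval{Approve("alice", keys["alice"], p), Approve("carol", keys["carol"], p)}
	payeeSigned = Authorize(dir, p, self) == nil
	return
}

func main() {
	valid, tampered, single, self := Scenario()
	fmt.Printf("valid=%v tampered=%v single-signer=%v payee-signed=%v\n", valid, tampered, single, self)
}
```

Running it prints `valid=true tampered=false single-signer=false payee-signed=false`. The canonical encoding matters: if the record were signed as free-form e-mail text, an attacker could reorder or reformat fields without changing the meaning but breaking verification, or, worse, two systems could disagree on which bytes were signed.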

SOX compliance is a major concern for virtually every publicly traded firm and consumes untold hours of meeting time. Many firms still do not fully understand its provisions, but everyone involved understands one thing: SOX is serious business, and a breach can bring large fines and prison terms for executives, along with reputational damage to them, their employers, and the brand. With penalties this severe and obligations this loosely defined, many companies go beyond the letter of the law and adopt technologies such as strong encryption (Server Gated Cryptography, or SGC, certificates were widely marketed for this) that help demonstrate compliance with its spirit.

4. FISMA The Federal Information Security Management Act of 2002 (FISMA) is a U.S. federal law intended to bolster computer and network security within the government and affiliated parties such as contractors by requiring annual reviews and reporting. It requires each federal agency to develop, document, and implement an agency-wide program that provides information security for the information and information systems supporting the agency's operations and assets, including those provided or managed by another agency, a contractor, or another source. Sensitive data stored on RFID tags is one application area these requirements reach.

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have issued a series of standards, collectively known as "ISO27K", that give best-practice guidance on information security management systems (ISMS) for protecting confidential information, including the use of encryption. As voluntary international standards they are not law, so compliance with the standards themselves is not required unless a customer, contract, or regulator demands it (ISO/IEC 27001 is the one against which an ISMS can be formally certified). Much of their content, however, is guidance on meeting legal, regulatory, contractual, and internal security requirements, which is why they are often used as a framework for the laws discussed here.

5. Gramm-Leach-Bliley Act The Financial Modernization Act of 1999, also known as the "Gramm-Leach-Bliley (GLB) Act," is intended to protect consumers' personal financial information held by financial institutions: banks, securities firms, insurance companies, credit card companies, and other businesses that lend, broker, or service consumer loans; transfer or safeguard money; prepare individual tax returns; provide financial advice or credit counseling; provide residential real estate settlement services; or collect consumer debts. It covers both the institutions that collect such personal information and those that receive it from them.

Compliance with the GLB Act's Safeguards Rule is examined and enforced by the federal banking regulators, whose examination guidance is published through the Federal Financial Institutions Examination Council (FFIEC), and by the FTC for non-bank financial institutions; examiners expect that guidance to be followed. An institution that uses weak or no encryption for customer data carries the burden of demonstrating that it nonetheless meets its safeguarding obligations.

6. Department of Defense Directive 8100.2 Department of Defense Directive 8100.2, in effect since 2004, defines mandatory security policies for the use of wireless technologies within the DoD Global Information Grid. Its main purpose is to protect DoD networks from the vulnerabilities that wireless links introduce. The directive applies to all DoD employees and to visitors to DoD facilities, as well as to contractors and others with access to DoD information.

The directive requires that all data sent to or from wireless devices, and all VoIP traffic, be encrypted using cryptography validated to FIPS 140-2 at Security Level 1 or 2. Those levels describe the assurance of the cryptographic module (Level 2 adds tamper evidence and role-based authentication), not a key length or cipher strength; the permitted algorithms are those FIPS approves, such as AES. The directive further requires every DoD component to use robust, standards-based, FIPS 140-validated authentication and encryption throughout its wireless infrastructure and security technology, including wireless technologies that emerge in the future.



About the Author
Stephen J. Richards has 25 years experience in Data Management and Information Technology. This information is provided as a public service by Neon Enterprise Software, a leading provider of IMS outsourcing. For more information, please visit http://www.neonesoft.com.


Who Use Joint Ventures

Who Use Joint Ventures by abhineet

Big business understands the leverage and reach available through Joint Ventures. H&R Block Inc. and 7-Eleven Inc. signed a three-year agreement Wednesday that enables Block customers to cash refund loan checks at 1,100 7-Eleven stores in the United States. Don't create a competency or distribution channel - borrow one! Share the love, as it were. The ego-driven, "Lone Ranger" mentality of the typical small to medium business owner is expensive and risky. Big business has been using Joint Ventures for a long time because they have the ability to be objective, bottom line oriented and unthreatened. Now it's time for small and medium businesses to benefit as well. After the Joint Venture Broker Bootcamp I presented in Toronto on Sunday, one of the Delegates, the owner of a well known eatery on Bloor street, reacted fast and immediately started arranging Joint Ventures that will bring him serious profit with very little risk and negligible cost.
The good news is that you don't even need a business to benefit financially from brokering Joint Ventures. It's just a matter of seeing the opportunities, much like the stereogram analogy. At first, a stereogram looks like a nonsensical arrangement of patterns, but when you look long enough, a 3D picture magically emerges. Joint Venture brokers simply link supply and demand and take a piece of the ongoing action. There is literally no end to the opportunities available and the potential income, especially since it's all 100% profit to the broker.

When I hear of a person who has a good relationship with a large number of other people, I see massive opportunity. By providing all those people with what they want, value is created. We get paid in direct proportion to the value we provide. The more people you help, the more money you can make. Linking 1,000 people with solutions and being paid on every transaction is great, especially when you don't have to provide the services or carry the inventory - you simply link A and B and become a little tollgate. You stand on the money bridge and collect. No cost or risk to you, and very little time.

About the Author
For more useful tips & hints, please browse our websites: http://www.reprintarticlesite.com and http://www.jointventures.reprintarticlesite.com





Got the Student Loan Blues? Get the Facts Here

Got the Student Loan Blues? Get the Facts Here by William Brown


People think of college as a completely new arena. That applies to the social side of university life, and just as much to the financial investment that higher education requires. The truth is that college can be very expensive, which leads many students and parents to look for supplemental student loans to help finance a degree.

Unfortunately, not everyone is granted a student loan. Whether the loan is state-sponsored, school-subsidized, or commercially sponsored, some applicants will not meet its eligibility criteria.

What can someone do when his request for a student loan is denied?

First, he should bear in mind that it is not the end of the world. Failing to secure a student loan does not mean giving up on a degree. It simply means that financing his education will be a little harder, but never impossible.

The most obvious step, of course, is to search for other sources of funding. If you do not qualify for state-sponsored student loans, scholarships offered by some colleges may be your way to a degree. If that is unsuccessful, look out for company-sponsored scholarships, which are usually announced toward the beginning of each school year.

Many students take part-time jobs to support themselves through college. Reports even suggest that 6 out of every 11 university students hold a job alongside their studies. There are many student-friendly jobs near large universities, and some pay well.

If a particular school is too expensive for your budget, think seriously about a more affordable one. We may want the best education for ourselves, but if our finances say another school suits us better, we have to accept that. College is college, and a degree is a degree. It is not the name of the school that counts but what you learn there.




About the Author
William Brown writes regularly about business-related topics. I hope you enjoy this article.
