Regulations: The Impact of Compliance on IT
The Wall Street Journal on Dec. 9 reported that Sarbanes-Oxley and other rules aimed at fighting fraud are creating a market for software. Microsoft, Computer Associates, Symantec and many other vendors have solutions specifically targeted at the regulatory compliance market. This is also creating opportunities for IT professionals who understand the legislation that impacts the financial and health care sectors, as well as government agencies. There are several leading legislative requirements that impact many industries, and numerous frameworks are available for organizations to follow to guide compliance projects and initiatives.
Sarbanes-Oxley Act (SOX)
The Sarbanes-Oxley Act of 2002, officially the U.S. Public Company Accounting Reform and Investor Protection Act of 2002 and also referenced as SarbOx or SOX, is having an impact on IT, especially on security systems, practices and controls. SOX governs how public companies handle financial reporting.
SOX does not specifically address information-security requirements. However, security has emerged as a key component for SOX compliance. Enterprises require mechanisms to ensure the confidentiality, integrity and availability of their vital information. IT professionals should be knowledgeable about this legislation and its impact on technology requirements for the enterprise infrastructure.
Many in the industry consider Section 404 to be the most critical part of SOX. Section 404 requires an annual internal control report that states management's responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and that assesses the effectiveness of that structure and those procedures.
Under Section 404, management must certify the effectiveness of its internal controls over financial reporting every year, an independent auditor must attest to management's assessment, and quarterly reviews must report any changes to those controls. Each cycle therefore requires producing a new report that validates the internal controls over the financial reporting process.
Because of SOX Section 404, organizations are investing in infrastructures that ensure the confidentiality, integrity and availability of information, which requires an information security system. Section 404 also is having an impact on business processes, such as data submission, financial consolidation and financial statement generation; purchase requisition to vendor payment; sales order to customer remittance; asset acquisition to disposal/write-off; project initiation to revenue recognition; inter-company transaction processing; and currency translation in financial reporting.
To support this, technology solutions must be able to produce: the sources of the information presented in a report; identification information that binds each entry, change or modification of data to the individual who made it; the classification of the information; assurance that the information has not been tampered with; the processes the information has passed through on its way into the report; and the roles and authorities of the individuals who have had access to it.
Health Insurance Portability and Accountability Act (HIPAA)
The health care industry accounts for 15 percent of the GDP of the United States and is the largest segment of the U.S. economy. The Health Insurance Portability and Accountability Act (HIPAA) is comprehensive legislation that includes the Administrative Simplification Title. It is this title that sets specific requirements for transactions and code sets, identifiers, privacy and security. Tied into these legislative requirements are compliance dates and penalties for violations.
The HIPAA Security Rule identifies standards and implementation specifications that organizations must meet to be compliant. All covered entities must maintain compliance. Failing to comply can result in severe civil and criminal penalties. Health care service providers, insurance companies and government agencies need to ensure their employees are trained and understand the HIPAA privacy and security regulations.
Many organizations are just beginning to address these requirements. Compliance and IT professionals need to understand the regulations to be able to design solutions that meet legislative requirements.
Health care today is about on-demand access to a patient's entire medical history. Without the correct information infrastructure, it is difficult to deliver critical patient information securely wherever and whenever it is needed. The HIPAA Security Rule specifies administrative, physical and technical safeguards for electronic protected health information, and is in effect a statement of baseline practice for health care security. As a result, there has been a significant deployment of security technology in the health care industry.
Federal Information Security Management Act (FISMA)
The Federal Information Security Management Act (FISMA) is Title III of the E-Government Act of 2002. FISMA requires each U.S. federal agency to develop, document and implement an agency-wide program to provide information security for the systems that support its operations and assets. Further, Homeland Security Presidential Directive 12 (HSPD-12) mandates a common identification standard for federal employees and contractors, which drives identity management and access control practices across agencies. FISMA and HSPD-12 are leading organizations to take a risk-based, cost-effective approach to securing sensitive information and systems.
The FISMA legislation is about protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction. According to the legislation, this protection provides confidentiality, integrity and availability. Confidentiality means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information. Integrity means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. Availability means ensuring timely and reliable access to and use of information.
The National Institute of Standards and Technology (NIST) has a critical role to play in enabling federal agencies to comply with FISMA. NIST's FISMA-related responsibilities include the development of standards, guidelines and associated methods for securing federal information systems.
Food and Drug Administration’s Title 21 CFR
In 1997 the Food and Drug Administration issued 21 CFR Part 11 (Electronic Records; Electronic Signatures), a regulation within Title 21 of the Code of Federal Regulations, to facilitate electronic record keeping in the industries it regulates. Under Part 11, the FDA seeks to ensure that information held in electronic form is trustworthy and secure, and it sets the conditions under which electronic signatures are accepted as equivalent to handwritten ones. In 2003 the FDA issued guidance on the scope and application of Part 11 that introduced a risk-based approach and promoted a formal process of risk assessment.
The FDA’s 21 CFR Part 11 and HIPAA impose serious consequences on pharmaceutical companies that fail to protect information stored in electronic databases. Part 11 has the most serious impact on the industry. This rule was designed to prevent fraud while encouraging the use of electronic documents and electronic signatures to reduce the cost and streamline the process of developing, testing and manufacturing new life-saving and life-enhancing drugs.
Part 11 therefore requires security controls that ensure authenticity, integrity, confidentiality, non-repudiation, authorization, accuracy and reliability, together with secure, computer-generated, time-stamped audit trails.
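The controls that the SOX discussion above calls for (binding each change to the individual who made it, and assurance that nothing has been tampered with) and that Part 11 requires (integrity, non-repudiation, secure time-stamped audit trails) are commonly met with a tamper-evident audit trail. The following Python is an added example written for this page, not code from any regulator, product or vendor named here; the key, the event fields and the three sample events are constructed for illustration. Each entry records who did what to which record, with hashes of the before and after state, and is protected by an HMAC that also covers the previous entry's HMAC, so altering, removing or reordering an earlier entry breaks the chain.

```python
import hashlib
import hmac
import json
from copy import deepcopy
from datetime import datetime, timezone
from typing import Optional, Tuple

# Hypothetical key for this example. In a real deployment the audit service
# holds it, and the applications that write financial data never see it, so a
# user who can edit a record cannot also re-sign the trail (separation of duties).
AUDIT_KEY = b"example-only-audit-key-replace-and-rotate"
GENESIS = "0" * 64  # chain head for the first entry


def canonical(obj) -> bytes:
    """Deterministic serialisation so the same entry always MACs the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def digest(obj) -> Optional[str]:
    """SHA-256 of a record's canonical form; None when there is no record (create)."""
    return None if obj is None else hashlib.sha256(canonical(obj)).hexdigest()


def append_entry(trail: list, actor: str, role: str, action: str,
                 record_id: str, before, after, ts: Optional[str] = None) -> dict:
    """Append one audit entry. The entry binds actor, role and action to the
    before/after state of the record; its MAC covers the previous entry's MAC."""
    entry = {
        "seq": len(trail),
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "actor": actor,          # authenticated identity, not a free-text name
        "role": role,            # role/authority the actor exercised
        "action": action,
        "record_id": record_id,
        "before": digest(before),
        "after": digest(after),
        "prev": trail[-1]["tag"] if trail else GENESIS,
    }
    entry["tag"] = hmac.new(AUDIT_KEY, canonical(entry), hashlib.sha256).hexdigest()
    trail.append(entry)
    return entry


def verify_trail(trail: list) -> Tuple[bool, Optional[int]]:
    """Recompute every MAC and check sequence numbers and chain links.
    Returns (True, None) if intact, else (False, seq of the first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "tag"}
        if body.get("seq") != i or body.get("prev") != prev:
            return False, i  # entry removed, reordered or inserted
        expected = hmac.new(AUDIT_KEY, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("tag", "")):
            return False, i  # entry contents altered after the fact
        prev = entry["tag"]
    return True, None


def build_sample_trail() -> list:
    """Constructed events for one journal entry: created, amount changed, approved."""
    trail: list = []
    je_v1 = {"account": "4000", "amount": 1250.00, "memo": "Q4 services"}
    je_v2 = dict(je_v1, amount=12500.00)
    append_entry(trail, "jdoe", "ap-clerk", "create", "JE-1042", None, je_v1,
                 ts="2004-12-09T14:02:11+00:00")
    append_entry(trail, "jdoe", "ap-clerk", "update", "JE-1042", je_v1, je_v2,
                 ts="2004-12-09T14:05:40+00:00")
    append_entry(trail, "asmith", "controller", "approve", "JE-1042", je_v2, je_v2,
                 ts="2004-12-09T16:30:02+00:00")
    return trail


def tamper_actor(trail: list, seq: int, new_actor: str) -> list:
    """Simulate someone rewriting who made a change without holding AUDIT_KEY."""
    altered = deepcopy(trail)
    altered[seq]["actor"] = new_actor
    return altered


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact:", verify_trail(trail))                                       # (True, None)
    print("actor rewritten:", verify_trail(tamper_actor(trail, 1, "mallory")))  # (False, 1)
    print("entry deleted:", verify_trail([e for e in trail if e["seq"] != 1]))  # (False, 1)
    print("tail truncated:", verify_trail(trail[:-1]))                          # (True, None)
```

Two caveats a reviewer will raise. First, the chain alone cannot detect truncation of the newest entries (the last case above still verifies), so the latest tag must be anchored somewhere the writing system cannot change, for example recorded periodically by the auditor or written to write-once storage. Second, the scheme is only as strong as the separation between the key holder and the people whose actions are being recorded; if the application that edits records can also compute tags, an insider can rewrite history and re-sign it.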
Basel II
The Basel Committee on Banking Supervision established Basel II as a framework that encourages banks to adopt best-practice risk management and treats that practice as the route to compliance. The Basel framework rests on three pillars: minimum capital requirements, the supervisory review process and market discipline.
Operation risks and internal controls a