PPM Associates
PPM Associates, Inc. (PPMA) is a leading distributor and system integrator of Data Security and Networking solutions.
Latest IT Compliance & Governance Resources

U.S. & Global IT Compliance and Governance Resources
PPM Associates has identified an excellent resource that provides the most up-to-date U.S. and global IT compliance and governance information currently available.

Information technology (IT) compliance and governance regulations and requirements are a critical issue for every organization and IT professional that uses the Web and other electronic resources, online and offline.
For more information, please email us at info@ppma.com
This is an overview of the Compliance Market in which we work.
Regulations
Corporate Governance: Regulations mandating companies to implement internal controls to safeguard against corporate fraud and to improve financial reporting practices and corporate accountability; (US); (UK);

Privacy: Regulations dealing with protecting the privacy of personal information, such as health or financial information; (US); (EU); (Japan); (Canada); (AU); (UK);

Risk Management: Regulations aimed at improving risk-management practices and procedures; (Global)

Information Integrity: Regulations geared to ensuring the integrity of information used in the manufacturing of pharmaceuticals; (US); (EU);

Security Breach Notification: Regulations mandating that companies notify individuals when their personal information has been compromised through a security breach; (US)

Critical Infrastructure: Regulations intended to protect critical assets such as utilities or government infrastructure; (North America); (US);

National Security: US legislation that grants federal officials greater authority to track and intercept communications, both for law enforcement and foreign intelligence gathering purposes; (US);

Standards: Industry and government standards regarding security of credit card information and encryption; (Global); (US);
Region: US
Category: Corporate Governance
Regulation: The Sarbanes-Oxley Act (SOX)
InfoSecurity Implications
SOX requires organizations to ensure the accuracy of financial information and the reliability of the systems that produce it. Section 404 requires management to assess internal controls over financial reporting annually and to obtain an attestation from the external auditor. Because financial reporting depends on IT systems, the general controls over those systems (access control, change management, logging, backup) fall within the scope of the assessment, and information security is essential to showing that they are reliable.
Who's Impacted?
All companies publicly traded in the United States and regulated by the Securities and Exchange Commission (SEC), whether US-based or foreign, that have shares traded on a US exchange.
Applicable Dates
• Accelerated filers (public float above $75 million): fiscal years ending on or after November 15, 2004; annual reports for those years must include the Section 404 assessment of internal controls;
• Smaller companies (public float below $75 million): originally fiscal years ending on or after July 15, 2005 (this deadline was subsequently extended by the SEC).
Region: UK
Category: Corporate Governance
Regulation: The Turnbull Guidance 1999
InfoSecurity Implications
Published as "Internal Control: Guidance for Directors on the Combined Code", this guidance's principal aim is to encourage companies to identify and manage the internal and external risks facing them. Loss of information security is a major business continuity risk, so security information management tools can help IT departments produce the reports that demonstrate information security and business continuity risk is being managed.
Who's Impacted?
All companies listed on the London Stock Exchange are expected to apply the guidance.
Applicable Dates
• Listed UK companies have had to apply the guidance for accounting periods ending on or after 23 December 2000;
• Updated guidance (the 2005 revision) applies to accounting periods beginning on or after 1 January 2006.
Region: UK
Category: Corporate Governance
Regulation: The Companies Act 1985 (Operating and Financial Review and Directors' Report etc.) Regulations 2005
InfoSecurity Implications
These regulations amend the Companies Act 1985 and introduce the Operating and Financial Review (OFR), which must contain a fair review of the company's business, a description of the principal risks and uncertainties it faces, and analysis of the business using key performance indicators. The information security requirements are similar to those implied by the Turnbull Guidance: security measures are needed to manage risk by ensuring business continuity and protecting intellectual property, and the processes behind the review should protect the data used to produce the reports provided to auditors and directors.
Who's Impacted?
• The requirements for an expanded directors' report apply to all companies other than small companies;
• The requirement for an OFR applies to UK quoted companies.
Applicable Dates
• The regulations apply to financial years beginning on or after 1 April 2005;
• The Financial Reporting Review Panel's enforcement role in respect of the OFR was to begin one year later, for financial years beginning on or after 1 April 2006;
• Note: the statutory OFR requirement was repealed in January 2006, before the first reports fell due; the enhanced business review in the directors' report remained.
Region: UK
Category: Corporate Governance
Regulation: The Companies (Audit, Investigations and Community Enterprise) Act 2004
InfoSecurity Implications
The Act aims to improve the reliability of financial reporting and the independence of auditors, and strengthens the role of the Financial Reporting Review Panel (FRRP) in enforcing good accounting and reporting by giving it new powers to require the documents it needs. Information security controls help maintain the integrity and availability of the records the FRRP may demand.
Who's Impacted?
All companies audited in the UK and their directors.
Applicable Dates
• The FRRP's new powers took effect on 6 April 2005.
Region: UK
Category: Corporate Governance
Regulation: Money Laundering Regulations 2003 (MLR)
InfoSecurity Implications
Businesses must appoint a money laundering reporting officer (MLRO), train employees on the principles and requirements of the legislation, verify the identity of new clients, and keep records of client identification and transactions for five years. Information security technologies and procedures are needed to ensure that those records cannot be lost, corrupted or altered, and that access to them is controlled.
Who's Impacted?
Financial services institutions as well as relevant professionals and other "relevant" businesses, including estate agents, insolvency practitioners, tax advisers, accountants, legal professionals providing financial or real-estate services, and dealers in high-value goods accepting cash payments of €15,000 or more.
Applicable Dates
• The Money Laundering Regulations 2003 came into force on 1 March 2004 (they have since been replaced by the Money Laundering Regulations 2007 and 2017).
Region: US
Category: Privacy
Regulation: Gramm-Leach-Bliley Act (GLBA)
InfoSecurity Implications
GLBA requires financial institutions to establish administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer financial information. The Safeguards Rule calls for a written information security program with a designated coordinator, a risk assessment, safeguards designed to address the identified risks, oversight of service providers, and regular evaluation and adjustment of the program.
Who's Impacted?
Financial institutions in the US, such as banks, securities firms, insurance companies, and other companies offering financial products or services to consumers.
Applicable Dates
• Federal Trade Commission, 16 CFR Part 314, "Standards for Safeguarding Customer Information" (Safeguards Rule): compliance by May 23, 2003;
• Interagency Guidelines Establishing Standards for Safeguarding Customer Information (12 CFR Part 30, Appendix B, for the banking regulators): effective July 1, 2001;
• Securities and Exchange Commission, 17 CFR Part 248 (Regulation S-P), "Procedures to Safeguard Customer Records and Information": compliance by July 1, 2001.
Region: US
Category: Privacy
Regulation: Health Insurance Portability and Accountability Act (HIPAA)
InfoSecurity Implications
Two rules in particular affect information security:
• The HIPAA Privacy Rule governs the permitted uses and disclosures of Protected Health Information (PHI) and individuals' rights over it;
• The HIPAA Security Rule requires covered entities to ensure the confidentiality, integrity and availability of all electronic PHI they create, receive, maintain or transmit, and to protect it against reasonably anticipated threats, hazards, and impermissible uses or disclosures, through administrative, physical and technical safeguards.
Who's Impacted?
Covered entities: health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with standard transactions.
Applicable Dates
• HIPAA Security Rule: effective April 21, 2003; compliance by April 20, 2005 (April 20, 2006 for small health plans);
• HIPAA Privacy Rule: effective April 14, 2001; compliance by April 14, 2003 (April 14, 2004 for small health plans).
Region: US
Category: Privacy
Regulation: California Assembly Bill 1950 (AB 1950)
InfoSecurity Implications
AB 1950 (Civil Code section 1798.81.5) builds on Senate Bill 1386: rather than only requiring disclosure after a breach, it requires businesses to implement and maintain "reasonable security procedures and practices" to protect personal information about California residents from unauthorized access, destruction, use, modification or disclosure, and to require the same by contract from third parties to whom they disclose it.
Who's Impacted?
Businesses that own or license computerized data containing personal information about California residents (certain entities already regulated under HIPAA, GLBA or the California Financial Information Privacy Act are exempt from the statute).
Applicable Dates
Signed September 2004; effective January 1, 2005.
Region: EU
Category: Privacy
Regulation: EU Data Protection Directive (Directive 95/46/EC)
InfoSecurity Implications
The Directive covers the processing of personal data, both automated processing and manual data held in a structured filing system. Its conditions include the confidentiality and security of processing and restrictions on transfers to third countries that do not ensure an adequate level of protection. Controllers must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, accidental loss, alteration, and unauthorized disclosure or access. The US-EU Safe Harbor arrangement, developed by the US Department of Commerce with the European Commission, gave US companies a streamlined way to meet the adequacy requirement for transfers (it was invalidated by the Court of Justice of the EU in October 2015, and the Directive itself was replaced by the General Data Protection Regulation (GDPR) in May 2018).
Who's Impacted?
Organizations established in EU member states that process personal data, and, through the transfer rules, organizations outside the EU that receive personal data from them.
Applicable Dates
• Adopted 24 October 1995; member states were required to transpose it into national law by 24 October 1998. Transposition dates varied: the UK (Data Protection Act 1998, in force 2000), Germany, the Netherlands and Belgium (2001), and Luxembourg (2002).
Region: UK (implementing EU Directive 2002/58/EC)
Category: Privacy
Regulation: The Privacy and Electronic Communications (EC Directive) Regulations 2003
InfoSecurity Implications
The Regulations protect the public from electronic marketing practices that cause nuisance, offence or invasion of privacy (unsolicited email, SMS, fax and telephone marketing, together with rules on cookies and on traffic and location data). Organizations need processes and controls that keep consent and suppression records both available and correct. Providers of public electronic communications services must also take appropriate technical and organizational measures to safeguard the security of their services, in addition to the general data protection duties that apply to their customer data.
Who's Impacted?
• Organizations that carry out electronic marketing must comply with the Regulations;
• Providers of public electronic communications networks and services (telecom companies and ISPs) must implement security measures to safeguard their services.
Applicable Dates
The Regulations came into force on 11 December 2003.
Region: Japan
Category: Privacy
Regulation: Japan Personal Information Protection Act 2003 (Act on the Protection of Personal Information)
InfoSecurity Implications
The Act sets out the responsibilities of national and local government and the obligations of private businesses handling personal information. It is a framework law, supplemented by sector-specific guidelines for industries such as healthcare, finance and telecommunications. Requirements include taking necessary and appropriate measures to prevent the leakage, loss or damage of personal data, protecting it against unauthorized access and disclosure, and supervising the employees and contractors who handle it.
Who's Impacted?
Government bodies and private businesses that collect, handle or use personal information. As originally enacted it did not apply to businesses handling the personal information of fewer than 5,000 individuals (this exemption was removed by the 2015 amendments), and it exempts the press, writers and academic, religious and political bodies in respect of those activities.
Applicable Dates
Promulgated 30 May 2003; the provisions applying to the private sector took effect on 1 April 2005.
Region: Canada
Category: Privacy
Regulation: Personal Information Protection and Electronic Documents Act (PIPEDA)
InfoSecurity Implications
PIPEDA establishes rules for the collection, use and disclosure of personal information by organizations in the course of commercial activities. It incorporates ten "Fair Information Principles": accountability; identifying purposes; consent; limiting collection; limiting use, disclosure and retention; accuracy; safeguards; openness; individual access; and challenging compliance. The safeguards principle requires security measures appropriate to the sensitivity of the information, covering physical, organizational and technological controls.
Who's Impacted?
Private-sector organizations in Canada (including associations, partnerships, individuals and trade unions, both "brick-and-mortar" and e-commerce businesses) that collect, use or disclose personal information in the course of commercial activities; provinces with substantially similar legislation apply their own law to intra-provincial matters.
Applicable Dates
Royal assent April 2000; phased in from 1 January 2001 (federally regulated sector and cross-border flows) to full application to commercial activities on 1 January 2004.
Region: AU
Category: Privacy
Regulation: The Federal Privacy Act (Privacy Act 1988) – Australia
InfoSecurity Implications
The Privacy Act makes provisions to protect the privacy of individuals. As it stood at the time it contained eleven Information Privacy Principles (IPPs), applying to Commonwealth and ACT (Australian Capital Territory) government agencies, and ten National Privacy Principles (NPPs), applying to parts of the private sector and all health service providers; both sets required reasonable steps to protect personal information from misuse, loss, and unauthorised access, modification or disclosure. Part IIIA regulates credit providers and credit reporting agencies. (The IPPs and NPPs were replaced by a single set of Australian Privacy Principles in March 2014.)
Who's Impacted?
• The IPPs apply to Commonwealth and ACT government agencies;
• The NPPs apply to parts of the private sector (generally organisations with annual turnover above A$3 million, plus smaller ones in certain categories) and all health service providers; Part IIIA applies to credit providers and credit reporting agencies.
Applicable Dates
The Privacy Act 1988 commenced in 1989 for government agencies; the private-sector amendments introducing the NPPs took effect on 21 December 2001.
Region: UK
Category: Privacy
Regulation: UK Data Protection Act 1998
InfoSecurity Implications
The Act places a legal obligation on anyone processing personal data to follow good practice in managing and using it. Data controllers must comply with eight enforceable data protection principles. Good information security practice is implied by all eight but required explicitly by the seventh principle: appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction of or damage to it. Organisational as well as technical means must therefore be used to protect personal information. (The 1998 Act was superseded by the Data Protection Act 2018 and the GDPR in May 2018.)
Who's Impacted?
Any organisation that processes personal data is covered by the Act.
Applicable Dates
The Act was passed in 1998 and came into force on 1 March 2000.
Region: UK
Category: Corporate Governance
Regulation: The Freedom of Information Act 2000 – UK
InfoSecurity Implications
The Act gives the public a right of access to information held by public authorities, and section 77 makes it an offence to alter, deface, block, erase, destroy or conceal a record with the intention of preventing its disclosure once a request has been made. Public authorities therefore need effective records and document management systems, and IT security controls to keep those systems available and to ensure that the information and records held on them cannot be altered or corrupted without detection.
Who's Impacted?
Public authorities in England, Wales and Northern Ireland (Scottish public authorities are covered by the Freedom of Information (Scotland) Act 2002).
Applicable Dates
The Act was brought into force in stages, with the right of access fully in force from 1 January 2005.
Region: Global
Category: Risk Management
Regulation: Basel II
InfoSecurity Implications
Basel II aims to align banks' capital requirements more closely with their underlying risk. Banks must measure, mitigate and disclose credit, market and operational risk. Operational risk is defined as the risk of loss from inadequate or failed internal processes, people and systems or from external events, so information security failures (system outages, fraud, data breaches) feed directly into the operational-risk capital charge: the lower the demonstrated operational risk, the lower the capital requirement.
Who's Impacted?
Internationally active banks, as implemented by national supervisors. In the US implementation the advanced approaches were mandatory for core banks with consolidated assets of $250 billion or more or foreign exposures of $10 billion or more.
Applicable Dates
The final framework was published in June 2004, with implementation targeted for year-end 2006 (year-end 2007 for the advanced approaches); national regulators set their own timetables, and the US final rule was not issued until December 2007.
Region: US
Category: Information Integrity
Regulation: Title 21 of the Code of Federal Regulations, Part 11 (21 CFR Part 11)
InfoSecurity Implications
21 CFR Part 11 sets out the US Food and Drug Administration's requirements for electronic records and electronic signatures to be considered trustworthy, reliable and equivalent to paper records and handwritten signatures. It is designed to prevent fraud while permitting the widest possible use of electronic technology. Organizations must implement controls to ensure the authenticity, integrity and, where appropriate, confidentiality of electronic records, and to ensure that signers cannot readily repudiate signed records: validated systems, secure computer-generated time-stamped audit trails, limited system access, authority checks, and electronic signatures linked to their records. For open systems, additional measures such as encryption and digital signatures are required.
Who's Impacted?
All organizations regulated by the FDA, including pharmaceutical, biotech, medical device, food and cosmetic companies, where they keep records required by FDA regulations in electronic form.
Applicable Dates
The rule became effective on August 20, 1997. In August 2003 the FDA issued its guidance "Part 11, Electronic Records; Electronic Signatures: Scope and Application", which narrowed the rule's interpreted scope and announced enforcement discretion for certain provisions (validation, audit trails, record retention and record copying) pending a re-examination of Part 11.
Region: EU
Category: Information Integrity
Regulation: EU GMP Annex 11, Computerised Systems
InfoSecurity Implications
The central requirement is that "records are accurately made and protected against loss or damage or unauthorised alteration so that there is a clear and accurate audit trail throughout the manufacturing process". In practice this means validated systems, controlled access, audit trails of changes to GMP-relevant data, change control, and backup and disaster recovery arrangements.
Who's Impacted?
All pharmaceutical manufacturers in the EU that use computerised systems in the manufacturing, storage, distribution and quality control of medicinal products.
Applicable Dates
Annex 11, Computerised Systems, forms part of the EU Guide to Good Manufacturing Practice; the version referred to here dates from 1998, and a substantially revised Annex 11 took effect on 30 June 2011.
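The audit-trail requirements of 21 CFR Part 11 and Annex 11 above both come down to being able to detect any after-the-fact alteration of a record. The following Python is an added example written for this page, not code from PPM Associates or from either regulation: it keeps a hash-chained audit trail in which each entry carries the SHA-256 of its own canonical content plus the previous entry's hash, authenticated with an HMAC under a key held by the application rather than by the people who edit records. The key, the record fields and the sample entries are constructed for the demonstration. HMAC proves integrity and origin to holders of the key; the per-signer, non-repudiable electronic signatures Part 11 describes would use an asymmetric signature instead, which is not shown here.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key (assumption): in production this lives in an HSM or KMS,
# never in source, and record editors must not be able to read it.
DEMO_KEY = b"demo-audit-key-not-for-production"
GENESIS = "0" * 64  # prev_hash of the first entry

# Fields that are covered by the entry hash; entry_hash and tag are derived.
BODY_FIELDS = ("seq", "ts", "user", "action", "prev_hash")


def _canonical(record: dict) -> bytes:
    """Deterministic byte encoding so identical content always hashes identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_record(chain: list, user: str, action: str, ts: str, key: bytes = DEMO_KEY) -> dict:
    """Append an entry linked to its predecessor and authenticated with HMAC-SHA256."""
    prev = chain[-1]["entry_hash"] if chain else GENESIS
    body = {"seq": len(chain), "ts": ts, "user": user, "action": action, "prev_hash": prev}
    entry_hash = hashlib.sha256(_canonical(body)).hexdigest()
    tag = hmac.new(key, entry_hash.encode(), hashlib.sha256).hexdigest()
    entry = dict(body, entry_hash=entry_hash, tag=tag)
    chain.append(entry)
    return entry


def verify_chain(chain: list, key: bytes = DEMO_KEY) -> Optional[int]:
    """Return None if the trail is intact, otherwise the index of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: entry[k] for k in BODY_FIELDS}
        if entry["seq"] != i or entry["prev_hash"] != prev:
            return i  # entry reordered, deleted or inserted
        if hashlib.sha256(_canonical(body)).hexdigest() != entry["entry_hash"]:
            return i  # a field was edited after the fact
        expected = hmac.new(key, entry["entry_hash"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["tag"]):
            return i  # hash was recomputed by someone who lacks the key
        prev = entry["entry_hash"]
    return None


def demo() -> dict:
    """Build a three-entry trail (constructed data) and show which tampering is caught."""
    chain: list = []
    append_record(chain, "analyst1", "batch 0042: assay result entered", "2005-03-01T09:12:00Z")
    append_record(chain, "qa_lead", "batch 0042: result reviewed", "2005-03-01T10:05:00Z")
    append_record(chain, "qa_lead", "batch 0042: batch released", "2005-03-01T11:30:00Z")

    # Tamper 1: silently change a value; the stored entry hash no longer matches.
    edited = [dict(e) for e in chain]
    edited[0]["action"] = "batch 0042: assay result entered (corrected)"

    # Tamper 2: also recompute the hash; without the key the HMAC still fails.
    rehashed = [dict(e) for e in edited]
    body = {k: rehashed[0][k] for k in BODY_FIELDS}
    rehashed[0]["entry_hash"] = hashlib.sha256(_canonical(body)).hexdigest()

    # Tamper 3: remove the review step; the sequence and prev_hash links break.
    deleted = [chain[0], chain[2]]

    # Tamper 4: drop the final entry; the remaining chain is internally consistent.
    truncated = chain[:2]

    return {
        "intact": verify_chain(chain),
        "edited": verify_chain(edited),
        "rehashed": verify_chain(rehashed),
        "deleted": verify_chain(deleted),
        "truncated": verify_chain(truncated),
    }


if __name__ == "__main__":
    print(demo())
```

verify_chain reports the first entry that fails, which is what an inspector needs to see where a trail was broken. Note the last case in demo: dropping entries from the end of the chain is not detectable from the chain alone, so the head hash (or the entry count) has to be anchored somewhere the record writers cannot change, such as a write-once log or a periodically signed checkpoint.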
Region: US
Category: Security Breach Notification
Regulation: California Senate Bill 1386 (amending the Information Practices Act; Civil Code section 1798.82)
InfoSecurity Implications
SB 1386 requires organizations conducting business in California to notify any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person as a result of a security breach. Because notification is triggered only for "unencrypted" data, organizations that encrypt the data have a safe harbor. In practice that safe harbor is only defensible when the encryption keys were not compromised together with the data, so encryption has to be paired with sound key management.
Who's Impacted?
State agencies, persons and businesses conducting business in California that own or license computerized data containing personal information.
Applicable Dates
Effective July 1, 2003.
Region: North America
Category: Critical Infrastructure
Regulation: North American Electric Reliability Council (NERC) Critical Infrastructure Protection (CIP) standards
InfoSecurity Implications
The stated purpose is "to protect the critical cyber assets essential to the reliability of the bulk electric system." The standards include:
• additional detail to clarify technical requirements and compliance measures;
• authorization requirements to place these measures into production;
• access authorization process requirements;
• generic account management requirements;
• change control and configuration management requirements;
• operating status monitoring tools;
• backup and recovery requirements.
Who's Impacted?
• All entities responsible for planning, operating and using the bulk electric system must comply with NERC reliability standards;
• At the time of writing industry compliance was expected but not legally enforceable; the Energy Policy Act of 2005 provided for mandatory, enforceable reliability standards once FERC certified NERC as the Electric Reliability Organization, which it did in 2007.
Applicable Dates
NERC's cyber security standards CIP-002-1 through CIP-009-1 were drafted to take effect on October 1, 2005; they were adopted by the NERC board in May 2006 and approved by FERC in January 2008 (Order 706), with compliance phased in after that.
Region: US
Category: Critical Infrastructure
Regulation: Federal Information Security Management Act (FISMA)
InfoSecurity Implications
FISMA requires each federal agency to develop, document and implement an agency-wide program to secure the information and information systems that support its operations and assets, including those provided or managed by another agency, a contractor or another source. Agencies must categorize their systems, apply NIST standards and guidelines (such as FIPS 199 and NIST SP 800-53), test their controls, and report annually to OMB.
Who's Impacted?
Federal agencies, and contractors or other organizations that operate information systems on behalf of a federal agency.
Applicable Dates
Enacted December 17, 2002 as Title III of the E-Government Act of 2002; it was updated by the Federal Information Security Modernization Act of 2014.
Region: US
Category: National Security
Regulation: USA PATRIOT Act
InfoSecurity Implications
The Act gives federal officials greater authority to track and intercept communications, for both law enforcement and foreign intelligence purposes, and (Title III) expands anti-money-laundering obligations, including customer identification programs for financial institutions. Communications providers need processes for responding lawfully to subpoenas, court orders and National Security Letters, and for retaining the records those requests may cover.
Who's Impacted?
All US companies and companies conducting business in the US, in particular communications providers and financial institutions.
Applicable Dates
Signed into law and effective October 26, 2001 (several surveillance provisions carried sunset dates and have since been reauthorized, amended or allowed to lapse).
Region: Global
Category: Standards
Regulation: Payment Card Industry (PCI) Data Security Standard (PCI DSS)
InfoSecurity Implications
PCI DSS gives merchants and service providers a single set of security requirements, agreed by the card brands, against which to assess their security status. Its 12 requirements are:
1. Install and maintain a firewall configuration to protect cardholder data;
2. Do not use vendor-supplied defaults for system passwords and other security parameters;
3. Protect stored cardholder data;
4. Encrypt transmission of cardholder data and sensitive information across public networks;
5. Use and regularly update anti-virus software;
6. Develop and maintain secure systems and applications;
7. Restrict access to cardholder data by business need-to-know;
8. Assign a unique ID to each person with computer access;
9. Restrict physical access to cardholder data;
10. Track and monitor all access to network resources and cardholder data;
11. Regularly test security systems and processes;
12. Maintain a policy that addresses information security.
Who's Impacted?
All members, merchants and service providers that store, process or transmit cardholder data. Merchants are assigned a level by the card brands according to annual transaction volume, which determines how compliance must be validated (an on-site assessment for Level 1; a self-assessment questionnaire and network scans for lower levels).
Applicable Dates
• PCI DSS version 1.0 was released in December 2004 (the standard has since been maintained by the PCI Security Standards Council, formed in 2006, and revised repeatedly);
• Validation was required for Level 1 merchants and all service providers by September 30, 2004, and for Level 2 and 3 merchants by June 30, 2005;
• Compliance is mandatory for Level 4 merchants; validation is at the acquirer's discretion but strongly recommended.
Region: US
Category: Standards
Regulation: Federal Information Processing Standard (FIPS) 140
InfoSecurity Implications
For applications or devices that include cryptography, US federal agencies must use cryptographic modules validated under FIPS 140 (the Cryptographic Module Validation Program, run jointly by NIST and Canada's CSE) to protect sensitive but unclassified information. Common Criteria (CC) evaluation does not substitute for cryptographic validation: most CC Protection Profiles require the product's cryptography to be FIPS 140 validated. A module only satisfies the requirement when operated in its validated configuration and FIPS-approved mode using approved algorithms; the same product in a different build or in a non-approved mode does not.
Who's Impacted?
The FIPS 140 requirement "is applicable to all U.S. government departments and agencies which use cryptographic-based security systems to protect unclassified information", and therefore to any organization selling such products to US and Canadian government agencies.
Applicable Dates
FIPS 140-2 took effect on November 15, 2001, superseding FIPS 140-1 (validations against FIPS 140-1 were no longer accepted from mid-2002). FIPS 140-3 has since replaced it for new validations, with testing against FIPS 140-2 ending in September 2021.
Contact Us
 
781-944-6770