Regulatory Compliance in Complex Heterogeneous Environments
The answer rests in extending Microsoft technology

In recent years the regulatory pressure on organizations to secure, document, and protect their data and systems has become increasingly difficult to ignore. There appears to be no lack of government regulations - both in the U.S. and abroad - that impose new laws requiring corporate accountability for controls placed on information and technology. Typically organizations implement controls by adding or replacing technology, processes, and staff. While the scope of the regulations reaches beyond Information Technology (IT) controls - covering many aspects of an organization's operations - IT departments seem to bear the brunt of the responsibility.

So what is causing this sudden onslaught of regulations? Often they are the result of public complaints of unacceptable business practices. While a review of the actual language of the regulations may be intimidating, the documentation essentially amounts to requiring long overdue "best practices" such as protecting confidential patient data as mandated by the Healthcare Information Portability and Accountability Act (HIPAA) or ensuring the financial integrity of earnings reported by public companies as in the Sarbanes-Oxley Act (SOX).

While some corporate officials may loathe them, the internal controls mandated by recent industry regulations aren't considered wholly unnecessary by all executives. On the contrary, protecting the individual privacy of consumers and preserving data integrity are at the forefront of most companies' IT strategies. For the vast majority of companies, the adoption of these newly mandated policies and practices is just part of a security update plan that makes good business sense. They focus on these issues not only to comply with new regulations but because they see that it helps them serve customers better, generate revenue, and hopefully turn a profit. At other organizations, keeping business practices up-to-date with technology can, even with the best intentions, fall short of creating the level of accountability and security required - it's these companies that the regulations are specifically aimed at. However, all companies, those with best practices and those without, are equally accountable under these regulations.

Regardless of the motivation behind a given set of regulations, they generally require organizations to secure data, ensure the integrity of information, protect the privacy of individuals (employees, customers, clients, and partners), and preserve the availability of information for appropriate parties. From an IT perspective all regulations can be boiled down to three main strategies:

  • Ensure that data is protected from unauthorized access (either from within or without an organization)
  • Ensure that information is accurate (has integrity) and is available to those who are authorized to access it
  • Ensure that systems and processes are in place to satisfy the first two

Alphabet Soup
HIPAA, SOX, GLB, and other sets of regulatory governmental enactments can be difficult to digest and even more difficult to satisfy. In order for organizations to successfully comply with the myriad regulations they face, an understanding of the general requirements, penalties, intentions, and motivation for each regulation is useful.

Gramm-Leach-Bliley Act (GLB)
Title V of the Gramm-Leach-Bliley (GLB) Act requires financial institutions to ensure the security, confidentiality, integrity, and protection of customer information. Boiled down to its very core, GLB Title V means that a financial institution must protect the customer information it holds from unauthorized access by those outside of the institution and must inform customers how personal information is used by the institution.

Technology solutions to aid in GLB compliance center on access control, identity and authentication management, and data security.

Health Care Information Portability and Accountability Act (HIPAA)
HIPAA is very similar to the privacy provisions of GLB except that it's focused on the healthcare industry. Under HIPAA, organizations that generate, maintain, or distribute a patient's personal healthcare information must ensure that the information is secure and private.

As with GLB, IT departments in organizations covered by HIPAA center their efforts on data security, access control, and identity and authentication.

Sarbanes-Oxley Act (SOX)
Sarbanes-Oxley was passed by the U.S. Congress in 2002 in direct response to the corporate financial scandals of the time. SOX affects companies (both domestic and international) that have to file with the SEC. The act contains a number of requirements centered on financial reporting and controls, aimed at protecting investors by improving the accuracy and reliability of corporate disclosures to the SEC.

AMR Research estimates that U.S. companies spent more than $1 billion on technology in 2004 specifically to address SOX. But Gartner predicts that 80% of those technology solutions will be replaced by 2005 as companies improve their compliance and move from tactical to strategic initiatives.

Technology initiatives to address Sarbanes-Oxley should include authentication and password management to "establish and maintain an adequate internal control structure." Generally these efforts aim to raise the security surrounding data access for all systems in an enterprise.

Title 21 Code of Federal Regulations (21 CFR Part 11 FDA)
21 CFR Part 11 is legislation introduced by the Food and Drug Administration (FDA) that allows the use of electronic signatures, electronic records, and handwritten signatures on electronic records in lieu of handwritten signatures on paper in certain circumstances in the pharmaceutical industry. It includes directions on limiting system access to authorized individuals, the use of authority checks to ensure that only authorized individuals can access a system, and the adequacy of the documentation of system operations and maintenance.

Generally, organizations affected by 21 CFR Part 11 will need to include, as part of their compliance remediation efforts, technology initiatives and tools that help manage the authentication and identity management of users and systems.

About Matt Peterson
Matt Peterson is chief technology officer of Vintela.
