Hot Topic - Achieving regulatory compliance
Today, it is safe to say that all large-scale organizations are totally dependent on their IT
systems – staying operational and staying in business involve the collection and archival of
enormous quantities of data. The benefits of data processing are well known; the dangers less so.
This is why, worldwide, laws and regulations applying to IT security are coming into force and
demanding strict compliance.
The paramount purpose of these laws and regulations is to protect the security and privacy of
customer information. In his in-depth research overview*, Mike Neuenschwander of the Burton Group
concludes that
"Enterprise organizations can no longer afford to ignore the issue of online privacy, as it is
becoming a subject of global importance. Government regulations, consumer backlash, and security
risks demand that information technology (IT) organizations place greater controls on the personal
information under their custodial control …"
He also points out that
"In calculating costs of data protection, the equation must also include the risks involved in
leaving personal information unprotected …"
These risks are considerable: failure to meet legal requirements can be disastrous, with penalties ranging from fines to imprisonment and irretrievable damage to an enterprise's reputation. Large financial losses from lost business, a decline in shareholder value or litigation are real possibilities.
There is no single law or regulation that applies worldwide (the USA even having different
regulations for different areas of business), but many of the newly enacted rules and regulations
share a common set of requirements. Some of the most significant regulations are listed below.
* Burton Group: Online Privacy and Regulatory Compliance: Improving Protection of Personal Information, September 15, 2004.
Some of the most important regulations:

| Regulation | Mandating / enforcing body | Affecting |
|---|---|---|
| Sarbanes-Oxley Act (SOX) | US Securities and Exchange Commission (SEC) | Companies publicly traded on US exchanges |
| Gramm-Leach-Bliley Act (GLBA) | US federal financial regulators, including the Office of the Comptroller of the Currency (OCC) and the Federal Trade Commission (FTC) | Financial institutions in the US |
| HIPAA Security Rule | US Department of Health and Human Services (HHS) | HIPAA covered entities in the US (health plans, healthcare clearinghouses and healthcare providers) |
| Basel II | Basel Committee on Banking Supervision (implemented by national banking supervisors) | Internationally active banks and financial service organizations |
| 95/46/EC Data Protection Directive | European Union (EU), transposed into the national law of each member state | Organizations processing personal data in EU member states |
Achieving regulatory compliance
To achieve compliance with the laws and regulations affecting their operations, organizations need to introduce a large number of measures in several different areas.
A main focus of these efforts is ensuring that employees, customers and business partners receive precisely the access rights they need, exactly when they need them, and that those rights are withdrawn as soon as the need ends. The procedures used to grant and revoke these rights must be fully transparent and auditable.
A User Provisioning system such as SAM Jupiter helps organizations meet these requirements. It provides a bundle of software solutions that are configured to specific needs and, by meeting those needs, not only achieves regulatory compliance but also considerably improves productivity.