Compliance and Governance
Web-based applications must guard against worldwide adversaries who now pose a wide range of threats originating from internal or external sources: employees, customers, foreign operatives, terror organizations, business partners, and so forth. Accordingly, access to web-based applications must be strictly monitored and controlled, and the applications themselves must adhere to a host of regulations. Compliance with those regulations, and with the applicable controls, is evaluated by NCS security, compliance, and governance services. Some regulatory examples follow:
The Gramm-Leach-Bliley Act (GLB Act), also known as the Financial Modernization Act of 1999, is a federal law enacted in the United States to control how financial institutions deal with the private information of individuals. The Act consists of three sections: (1) The Financial Privacy Rule, (2) The Safeguards Rule, and (3) The Pretexting Provisions. The GLB Act requires financial institutions to give customers written privacy notices that explain their information-sharing practices.
The Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (HIPAA), also known as the "Kennedy-Kassebaum Act," is a U.S. law that protects employees' health insurance coverage when they change or lose their jobs and provides standards for the interchange of patient health, administrative, and financial data. HIPAA, developed by the Department of Health and Human Services, took effect in 2001.
The Sarbanes-Oxley Act of 2002 (SOX) is legislation enacted in response to the high-profile Enron and WorldCom financial scandals to protect shareholders and the general public from accounting errors and fraudulent practices. The act is administered by the Securities and Exchange Commission (SEC), which sets deadlines for compliance and publishes rules on requirements. Sarbanes-Oxley is not a set of business practices and does not specify how a business should store records; rather, it defines which records are to be stored and for how long. The legislation not only affects the financial side of corporations, but also affects the IT departments whose job it is to store electronic corporate records. IT departments are increasingly faced with the challenge of creating and maintaining a corporate records archive in a cost-effective fashion that satisfies the requirements set forth by the legislation.
EU Data Protection Act
The EU Data Protection Act came into force in March 2000. Chief among its salient features is the protection of individual privacy: it requires companies that process personal data to comply with eight data protection principles, and it gives individuals five fundamental rights to ensure that their privacy is not invaded in any way.
Given below are some of the prerequisites for compliance with this Act:
- Businesses must gain prior consent before sending unsolicited advertising e-mail to individuals.
- Network operators and their partners must be able to provide subscription and advertising services based on location and traffic data to their customers. There is no restriction on the type of services that may be provided, as long as subscribers give their consent and are informed of the data processing implications.
- Individuals must have stronger rights to decide whether they wish to be listed in subscriber directories, and clear information about the directory must be given, e.g. whether further contact details can be obtained from just a telephone number or from a name and address.
The Federal Information Security Management Act of 2002 (FISMA) was enacted to streamline, while at the same time strengthening, the requirements of its predecessor, the Government Information Security Reform Act (GISRA). FISMA requires federal agencies to improve the security of IT systems, applications, and databases. By presenting a baseline of requirements for government agencies, FISMA calls for risk and vulnerability measurement through information security best practices. In this way, agencies can ensure the integrity, confidentiality, and availability of federal information systems.
The Privacy Act mandates that each United States Government agency have in place an administrative and physical security system to prevent the unauthorized release of personal records.
In addition to these regulations there are region-specific regulations for Asia, including but not limited to the following:
- RBI: Reserve Bank of India
- ESCA: Electronic Signatures and Certification Authorities
- BNM: Bank Negara Malaysia