How Do Compliance Issues Affect your Network?
What is Network Compliance?
The term network compliance is a broad one, and can have many meanings. The word compliance means "the state or act or conforming with or agreeing to do something, often in response to legislation, rules or regulations or court order." Complying with all the rules, laws and orders in effect in the U.S. and other jurisdictions can be a tall order. Within the industry, the term is usually used to refer to one of the following:
- Compliance with copyright laws in regard to software and other intellectual property.
- Compliance with IT security and privacy regulations governing specific industries.
In this article, we'll be focusing on the second type of compliance issues. If you work in a regulated industry such as health care or financial services, or if your company is publicly traded and required to file financial statements with the Securities and Exchange Commission (SEC), your IT infrastructure must meet certain standards mandated by the government.
Note: It's important to note that these are complex Acts that regulate much more than just IT practices, but we will focus on the IT-related parts of the legislation in this article.
The Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act of 1996 imposes national standards for securing and maintaining the privacy of medical data involved in electronic health care transactions. The Act affects the computer networks of doctors' offices, hospitals, health insurance companies, public health organizations, employers, and just about any organization that deals with medical records and health care information pertaining to individual patients that is stored or transferred in electronic form.
The Act requires that companies appoint an Information Security Official (ISO) to be in charge of HIPAA compliance within the organization. HIPAA requires every regulated organization to document its compliance with 54 standards governing how it handles electronic Protected Health Information (ePHI).
The deadline for complying with the HIPAA security rule was April 20, 2005.
The Gramm-Leach-Bliley Act (GLB)
The Financial Modernization Act of 1999 is more commonly known as the Gramm-Leach-Bliley (GLB) Act, after the names of its sponsors, Senator Phil Gramm and Representatives Jim Leach and Thomas Bliley. It applies to financial institutions and organizations that work with OPM (Other People's Money) such as banks, brokerage firms, consumer credit reporting agencies and credit counseling services, debt collection agencies, real estate transaction settlement services and even income tax preparers. If you work in the IT department of any of these companies, you're required to comply with GLB's information security requirements.
There are three parts to GLB. The one that most affects IT professionals is the Safeguards Rules. This section governs the collection and disclosure of customers' personal financial information. In a nutshell, it requires that regulated companies do the following:
- Specify a person or group of people to be responsible for GLB compliance.
- Identify security risks involving customer information
- Assess existing safeguards for protecting the privacy of customer information.
- Implement any additional safeguards that are needed.
- Monitor the effectiveness of safeguards.
- Ensure that service providers are able to meet the GLB requirements.
- Upgrade the organization's security program as necessary due to changing circumstances.
The Act also requires financial institutions to send privacy notifications to their customers that explain the institution's policies on sharing of customer information. You've probably received such notices from your bank and other financial institutions with which you do business.
The GLB Act has been in effect for several years; the compliance deadline was in 2001.
The Sarbanes-Oxley Act (SOX)
The U.S. Public Company Accounting Reform and Investor Protection Act of 2002 is often referred to as the Sarbanes-Oxley Act after the names of Senator Paul Sarbanes and Representative Michael Oxley, who authored the bill. It is more informally called SOX. The law was proposed and passed in response to the slew of accounting scandals involving large corporations such as Enron, WorldCom and Tyco. The purpose is to enforce standards that ensure accuracy of financial statements filed by publicly traded companies.
Sections 302 and 404 are the portions of the Act that most affect the IT departments of those companies. All companies registered or with a pending registration under the Securities Act of 1993 must comply. This includes foreign companies that are registered on the U.S. stock exchanges. These sections require yearly certification of internal controls, as verified by an independent auditor. Lack of security of financial data that could result in financial misrepresentation is a violation of the Act and could subject the company to fines and, even more importantly, can subject those responsible to imprisonment - even if there is no intent to misrepresent.
This makes the security of this type of data of utmost importance. Companies are required to establish an infrastructure that will keep the data safe from any unauthorized access or alteration, damage or loss. In practice, this means establishing (and documenting) strong security measures such as those discussed in the section titled "How to Comply"
The deadline for compliance with SOX was November 15, 2004 for major corporations (market capitalization of more than $75 million) and April 15, 2005 for all other public companies.
How to Comply
Each Act includes detailed compliance standards that must be met. See the "More Information" section for links to Web sites where you can read more about each Act. In general, however, compliance with the IT security requirements for each of the Acts includes several common (and common sense) steps that you need to take and document. These are the same steps that you would take to protect sensitive or confidential electronic data in any organization, even when not required to do so by law. For example:
- Authentication and access policies that protect against unauthorized access to stored files containing regulated data (strong password policies, file permissions, file encryption, properly configured firewalls).
- Policies and implementation of technologies to protect regulated data when it's transferred across the network (IP Security, wireless security).
- Account policies that strictly define who has access to and control of regulated data (role based administration, delegation of administrative responsibilities).
- Audit policies that track who accesses regulated data and keeps logs that provide details regarding when, how and by whom such data was accessed.
- A disaster recovery plan that ensures that regulated data won't be lost.
- A data protection plan that protects against viruses, Trojans, worms, spyware and other malicious software.
- An incident response plan for detecting and responding to security breaches that might compromise regulated data.
- Physical security measures to protect regulated data (locked server rooms, locks on file cabinets where paper copies of regulated information are kept, policies requiring workstations be locked down when left alone, disabling of USB ports, floppy drives and other means of copying regulated data to removable media).
- Due diligence in hiring of employees and contractors who will have access to regulated data (reference checks, background investigations, requirement that employees sign a confidentiality agreement).
- Training of employees and contractors who have access to regulated data.
Some other general tips that will help you to comply with privacy regulations include:
- If at all possible, store regulated data on computers that do not have a connection to the Internet.
- If you must collect or disseminate regulated data across the Internet, use protective mechanisms such as Secure Sockets Layer (SSL), VPN or other secure connection technology.
- If at all possible, never transmit regulated data via e-mail. If you must, use e-mail encryption to protect the confidentiality of the information and ensure the authenticity and integrity of the transmission.
- When disposing of hard disks or other media containing regulated data, physically destroy the media via shredding, pulverization, incineration or other means that ensures the data cannot be recovered. Maintain an accurate inventory of all hardware components.
National Institute of Standards and Technology (NIST): Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: http://csrc.nist.gov/publications/nistpubs/800-66/SP800-66.pdf.
Federal Trade Commission (FTC): Financial Institutions and Customer Data:Complying with the GLB Act Safeguards Rule: http://www.ftc.gov/bcp/conline/pubs/buspubs/safeguards.htm
The Practical Guide to Sarbanes-Oxley Compliance: http://www.ecora.com/ecora/whitepapers/register/IDRS_soxCompliance.asp