Compliance
Every industry has its own unique information security challenges brought about by consolidation, regulations and different business requirements. ProtectPoint understands the challenges of increased regulation: business process-oriented laws such as the Sarbanes-Oxley (SOX) Act of 2002, the Gramm-Leach-Bliley (GLB) Act of 1999, and the Health Insurance Portability and Accountability Act (HIPAA) of 1996/2003 impose strict requirements on certain specific enterprises. These laws require specific industry and governmental sectors to establish or identify, document, test and monitor "internal control" processes. Most, if not all, of these processes are supported by increasingly sophisticated information technologies. Being unprepared can cost enterprises more than money - under Sarbanes-Oxley, jail time is possible for non-compliant executives. SOX, GLB, and HIPAA all have data privacy and protection in common. Each has varying requirements, but all share the following common enterprise mandates:
  • Security Policies: Well-defined policies for data privacy and protection discourage the government from imposing its own standards - the least desirable of all situations.
  • Security Processes: Demonstrating policy in action with people using technology in a predictable manner to protect data from attackers.
  • Robust Audit Trail: The foundation of evolved process, where regulators require evidence of what happened to justify why events need not be reported.
  • Preventative Measures: Encryption, digital signing and real-time detection of attacks all serve to pre-empt attacks on data.
Although ProtectPoint services are important for all business sectors, we utilize our experience to deliver Managed Security Solutions tailored to the specific needs of companies and governmental agencies that must closely adhere to these business process-oriented laws.

Introduction to Sarbanes-Oxley

The Sarbanes-Oxley Act was signed into law on 30th July 2002, and introduced highly significant legislative changes to financial practice and corporate governance regulation. It introduced stringent new rules with the stated objective: "to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws".
It also introduced a number of deadlines, the prime ones being:
  • Most public companies must meet the financial reporting and certification mandates for any end of year financial statements filed after November 15th 2004 (amended from June 15th).
  • Smaller companies and foreign companies must meet these mandates for any statements filed after 15th July 2005 (amended from April 15th).
The act is actually named after its main architects, Senator Paul Sarbanes and Representative Michael Oxley, and of course followed a series of very high profile scandals, such as Enron. It is also intended to "deter and punish corporate and accounting fraud and corruption, ensure justice for wrongdoers, and protect the interests of workers and shareholders" (Quote: President Bush).
The Sarbanes-Oxley Act itself is organized into eleven titles, although sections 302, 404, 401, 409, 802 and 906 are the most significant with respect to compliance (Sarbanes-Oxley section 404 seems to cause most concern) and internal control. In addition, the Act also created a public company accounting board.
Perhaps one of the most remarkable aspects of this legislation however relates to its profile. It is very much in the public and media arena. The focus is certainly intense in this respect, creating yet another clear motivation for compliance. There is simply no escaping it!


Introduction to HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is a set of federal regulations intended to protect the exchange of healthcare data. Full compliance requires healthcare organizations to understand the threats to health information and to implement a variety of safeguards and security best practices to ensure its protection. Improving information security is always cheaper than reacting to a security breach. Understanding and controlling the threats to protected health information requires continuous risk management through regular independent security assessments.

For healthcare organizations, security monitoring and assessment is an essential tool in an IT manager's arsenal, as new state and federal privacy and security regulations demand the protection of the confidential patient information contained in their databases. ProtectPoint managed security services provide healthcare companies with the monitoring and assessments needed to protect them from expensive penalties for breach of confidentiality that could be in excess of $250,000.


Introduction to GLBA

The Gramm-Leach-Bliley Act (GLBA) breaks down regulatory barriers between banking, insurance, brokerage and other financial services companies. With banking regulations relaxed, financial institutions can benefit by expanding their business opportunities and offering their customers a broader range of services.

GLBA was authored with the understanding that businesses must change and adapt. As such, GLBA allows for security programs to be customized by the size and scope of the enterprise - and to be adjusted based upon changes to the business. Financial services companies have the freedom to design a program that complements their current needs and adjust their programs over time.

ProtectPoint provides unbiased advice and GLBA expertise that is based on best practice and experience. We work side-by-side with customers every day to spot security vulnerabilities. Our experience has taught us to recognize that every organization is unique, and one security solution does not fit all - but there is a best-fit solution for everyone.