
COMPLIANCE

Compliance with global regulatory and process-quality requirements continues to confound organizations and the groups, both internal and external, that support them. There is, however, hope for those working to comply with the myriad of global regulatory and quality requirements.

In today’s business climate, compliance is the single biggest factor affecting operational and financial performance. The cost of planning, implementing and maintaining compliance with global regulatory requirements is estimated to dwarf facility and payroll expenses, which have traditionally been among the top operational expenses.

The complexity and cost of implementing a framework, and the risk of non-compliance, are substantial.

Compliance with a global regulatory regime is daunting, even to the most sophisticated organizations. In the United States alone, interpreting and complying with the numerous regulations requires a dedicated team of regulatory experts. Add to this the requirement for most organizations to comply with multiple regulatory frameworks, and many compliance efforts are doomed before they begin.

But compliance with what? Compliance with civil, statutory, regulatory and/or contractual obligations and each requirement they impose, many with conflicting or contradictory guidance. HIPAA, SOC, SOX, GLB, Basel II, 21 CFR Part 11, Directive 95/46/EC (the EU Data Protection Directive), PCI DSS, Safe Harbor and PIPEDA from our friends to the North are just a few.

Add to these, contractual obligations to comply with various quality standards and other requirements that may be stipulated by partners, suppliers and customers.

A huge challenge is that you may be required to comply with a regulation you are not even aware of. One in particular is an “interesting” piece of legislation from California, Senate Bill 1386. SB 1386 is an example of local legislation with nationwide and even global impact. It requires any agency, person or business that conducts business in California and owns or licenses computerized data that includes personal information to disclose any breach of the security of that data to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. This includes the loss of a device (e.g. a laptop or cell phone) that contains unencrypted personal information.

The Bill gives affected individuals a private right of action for damages, with no cap on liability, and allows violators to be enjoined. Assembly Bill 1298 amended SB 1386 to add medical information and health insurance information to the definition of personal information.

The Common Theme

One common theme across all regulatory guidance is the requirement for a comprehensive security program, and ISO 27001 is the most widely accepted standard for information security management. The ISO 27k family will meet or exceed the security requirements of numerous regulations but, as a framework, is one of the most difficult to implement, monitor and maintain. With 11 domains, 39 control objectives and 133 controls in Annex A of the 2005 edition, it would appear that the reason they called it ISO 27k is that there are 27001 ways to interpret and implement the guidance and 27001 ways to implement it incorrectly.

How Can Michael Baylor Advisory Services Help?

We can simplify the interpretation and implementation of ISO 27001 in order to achieve compliance with multiple regulatory regimes. Our 27k R2I Methodology can get you on the road to compliance, effectively and efficiently.

SOC 2

Service Organization Control (SOC) reporting provides guidance to service auditors when assessing the internal controls of a service organization and issuing a service auditor’s report. It also provides guidance to auditors of the financial statements of an entity that uses one or more service organizations. Service organizations are typically entities that provide outsourced services which affect the control environment of their customers.

SOC audits are increasingly used in non-traditional ways. Companies in the financial services industry are required to show adequate oversight of service providers, for example by obtaining a SOC review to satisfy Gramm-Leach-Bliley Act (GLBA) requirements. Service organizations that serve healthcare companies are often asked by their clients to undergo a SOC audit so that an independent third party has examined the controls over the processing of sensitive healthcare information.

There are two types of service auditor reports. A Type I report includes the auditor’s opinion on the fairness of the presentation of the service organization’s description of the controls placed in operation, and on the suitability of the design of those controls to achieve the specified control objectives, as of a point in time. A Type II report includes everything in a Type I report and adds the service auditor’s opinion on whether the controls operated effectively throughout the period under review (typically six to twelve months).

Traditionally, service auditor reports are primarily used as auditor-to-auditor communication. The auditors of the service organization’s customers (i.e. user auditors) can use the service auditor’s report to gain an understanding of the internal controls in operation at the service organization. Additionally, Type II service auditor reports can be used by the user organizations’ auditors to assess internal control risk for the purposes of planning and executing their financial audit.

Service auditor reports are growing in popularity and are being used by customers, prospective customers and financiers to gain an understanding of the control environment of companies. In some cases, these third parties are not intended users of the report, but still find value in using the report as third party independent verification that controls are in place and are operating effectively.

Type I audits are typically performed no more than once per year, although there is no technical reason for this practice. In fact, many companies use the Type I audit as a primer and move on to Type II audits for subsequent periods. Reliance on service auditor reports for Sarbanes-Oxley Act (SOX) internal-control assessments, which requires evidence that controls operated effectively over a period rather than at a point in time, has made the move to Type II a very common practice.

Type II audits are also typically performed once per year; however, a small percentage of companies undergo multiple Type II audits in any 12-month period. There is no technical guidance that states, or even recommends, a Type II audit frequency. It is generally expected that the frequency will be no less than once per year.

These and other types of audit can be very expensive, not only in terms of the audit fee but also the internal man-hours spent preparing for and facilitating the audit. Productivity is also significantly diminished in the time leading up to and throughout the course of the audit.

The question racing through your mind at this point should be “is there a way to avoid all this cost, risk and complexity?” Fortunately, the answer is yes!

How Can Michael Baylor Advisory Services Help?

We have developed Rapid Readiness Assessment and modeling techniques that facilitate the identification of applicable global regulatory and quality requirements and the development of a technology independent SOC Compliance Framework that is easily implemented across multiple business functions.

Our comprehensive understanding of the process and our practical approach can help even the most complex organizations achieve compliance, rapidly and painlessly.

ISO 27001

ISO 27001 is an international security standard that organizes the information security management system (ISMS), i.e. the compliance program, around four phases: the Plan-Do-Check-Act (PDCA) cycle required by the 2005 edition of the standard. They are as follows:

    • Plan: Define requirements, assess risks, decide which controls are applicable;
    • Do: Implement and operate the compliance program;
    • Check: Monitor and review the compliance program;
    • Act: Maintain and continuously improve the compliance program.

It also specifies documents that are required and must be controlled, and states that records must be generated and controlled to prove the operation of the program (e.g. for certification audits).

Compliance costs and risks are heavily weighted towards two primary activities, Assessment (Plan) and Maintenance (Act).

The Assessment (Plan) activities carry significant risk for an organization. At this stage you define requirements, identify risks, and select the procedural, physical and technical controls to put in place throughout the organization. The result is most often slanted either towards the overly restrictive (identifying too many risks and controls) or the overly relaxed (missing risks and controls).

An overly restrictive requirements specification results in a highly complex and expensive Implementation (Do) phase, and Maintenance (Act) costs skyrocket. The risk of total program failure is also significantly higher.

An overly relaxed requirements specification is costly because the entire exercise must be repeated, with significant wasted man-hours. It will also most likely result in the need for multiple compliance audits and the attendant cost and wasted man-hours.

The Assessment (Plan) phase should be based upon a comprehensive business modeling exercise in which each process (formal and informal) and its associated risks and vulnerabilities are accurately identified. This exercise can be expensive and time consuming in many organizations because of the significant number of informal (undocumented) processes that often exist and are critical to daily operations.

Assessment also includes the interpretation of the guidance and the appropriate application of controls within the enterprise based upon your specific use-cases and regulatory requirements. The process of identifying specific risks and the appropriate control objectives is highly subjective. Different regulatory experts may see the requirements entirely differently based upon their orientation, background and experience, and auditors may see things differently again.

The Maintenance (Act) activities are also of significant risk. Loss of momentum and a casual attitude towards the program after it is implemented is a common risk factor that can result in the security program becoming obsolete and ineffective and worst of all, out of compliance with regulatory or contractual requirements. This oftentimes happens after the “honeymoon” stage when other projects begin to push their way past the security program in terms of “glamour and excitement”.

Maintenance also involves the re-qualification of a system or application whenever its configuration changes. Without a change-control process that assesses the compliance impact of each change, a single configuration item in an Exchange or SharePoint implementation can trigger a non-compliance event that requires complete recertification of the system.

How Can Michael Baylor Advisory Services Help?

We have developed Rapid Readiness Assessment and modeling techniques that facilitate the identification of applicable global regulatory and quality requirements and the development of a technology independent ISO 27001 Compliance Framework that is easily implemented across multiple business functions.

Our comprehensive understanding of the process and our practical approach can help even the most complex organizations achieve compliance, rapidly and painlessly.

SB 1386 / AB 1298

With information security threats proliferating daily and new legislation holding companies accountable for the security of their employee and customer data, managing information security has become essential for an organization to fulfill its responsibility to the individuals that trust it with safeguarding their personal information.

Compliance with local, national and global regulations has become the single biggest factor affecting operational and financial performance and every stakeholder is scrutinizing the risk assessment and treatment plans of organizations, large and small.

Senate Bill 1386, regarding personal information privacy, was passed by the California legislature in 2002 and took effect on July 1, 2003. It requires all companies with employees or customers in California to notify them each time a security breach may have resulted in unauthorized access to their unencrypted personal information. The Bill also provides a right to sue for damages, with no statutory cap, for failure to disclose a breach.

California legislation AB 1298, signed into law in October, 2007, added medical information and health insurance information to the definition of personal information defined in SB 1386.

Background

In 2002, hackers broke into the State of California payroll database and had access to the social security numbers, bank account information, home addresses and other personal information of 265,000 State employees.

As a result of this breach, the State enacted legislation effective July 1, 2003, that requires any business, agency or individual that collects, stores or processes information about California residents to provide prompt notification if personal information about them has been compromised due to a breach of any computer system that stores such information.

Who is Affected?

SB 1386 and AB 1298 covers any business, government entity, non-profit agency or individual that stores or licenses confidential personal information about California residents on their computers. This includes servers, personal computers, laptops, PDAs and Cell Phones.

SB 1386 and AB 1298 do not discriminate based on the size or type of business. If you employ someone working in California, or sell to someone living in California, you are at risk if you use a computer to store unencrypted personal information about those persons. The Bills apply to all companies doing business with California residents, regardless of whether they have physical offices in California.

What Do the Bills Cover?

The Bills cover instances of unauthorized access to personal data as well as unauthorized or improper distribution of personal data. In this context, unauthorized or improper use means any access outside the purpose for which the personal data was originally obtained.

What is Defined as "Personal Data"?

Personal information is defined to mean an individual's first name, or first initial, and last name in combination with one or more of the following data elements, when either the name or the data element is not encrypted:

    • Social Security number;
    • Driver's license number or California identification card number;
    • Financial account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to the individual's financial account;
    • Medical information;
    • Health insurance information.

The relevant California requirement defines medical information to mean any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; and health insurance information to mean an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual's application and claims history, including any appeals records. Personal information does not include publicly available information that is lawfully made available to the general public from federal, state or local government records.

What are the Financial Risks of the Bills?

The potential financial impacts of unauthorized disclosure under SB 1386 include:

    • Direct costs of notifying those whose personal data has been breached;
    • Cost of defending against civil action and potential damages; and
    • Cost of damage to corporate image and reputation in the marketplace.

Civil Liability

The Bill does not cap liability for damages. The excerpt below, from California Civil Code section 1798.84, sets out the civil remedies:

1798.84. (a) Any customer injured by a violation of this title may institute a civil action to recover damages. (b) Any business that violates, proposes to violate, or has violated this title may be enjoined. (c) The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under law.

What Should You Do?

The simplest solution is to encrypt personal data at rest and in transit: the notification duty attaches to unencrypted personal information, so a lost laptop whose stored data is properly encrypted, with the key held separately from the device, falls outside the Bill's notification trigger. There should also be clearly defined policies for the collection and use of personal data, and a clear policy on which employees are authorized to access personal data and for what business reason.

Special care should be taken with mobile devices as the Bills cover unauthorized access to these as well.
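As an added illustration of "encrypt personal data at rest" (example code written for this page, not Michael Baylor Advisory Services' own tooling), the following Go program seals a record of the kind the Bills define as personal information, a name combined with an SSN and a health insurance subscriber ID, using AES-256-GCM from the Go standard library. The record layout, the JSON serialization, the use of a record identifier as associated data, and the sample values are all assumptions made for the example; the key-management remark in the comments is a deployment recommendation, not something the page states.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// PersonalRecord is a constructed example of "personal information" under
// SB 1386 / AB 1298: a name combined with an SSN and a subscriber ID.
type PersonalRecord struct {
	FirstName    string `json:"first_name"`
	LastName     string `json:"last_name"`
	SSN          string `json:"ssn"`
	SubscriberID string `json:"subscriber_id"`
}

// NewDataKey generates a fresh 256-bit key. Assumption for deployment: the
// key is held in a key-management service or hardware module, never on the
// same laptop or disk as the sealed records, otherwise a lost device still
// exposes the data.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts a record for storage. The returned blob is
// nonce || ciphertext || tag. recordID is bound as associated data so a
// sealed blob cannot be silently moved to a different row.
func SealRecord(key []byte, recordID string, rec PersonalRecord) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plain, err := json.Marshal(rec)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce in one buffer.
	return aead.Seal(nonce, nonce, plain, []byte(recordID)), nil
}

// OpenRecord reverses SealRecord. Any modified byte or mismatched recordID
// fails authentication and returns an error rather than corrupted data.
func OpenRecord(key []byte, recordID string, blob []byte) (PersonalRecord, error) {
	var rec PersonalRecord
	aead, err := newGCM(key)
	if err != nil {
		return rec, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return rec, errors.New("blob too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	plain, err := aead.Open(nil, nonce, ct, []byte(recordID))
	if err != nil {
		return rec, err
	}
	err = json.Unmarshal(plain, &rec)
	return rec, err
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample values, not real identifiers.
	rec := PersonalRecord{FirstName: "Jane", LastName: "Doe", SSN: "078-05-1120", SubscriberID: "SUB-0001"}
	blob, err := SealRecord(key, "row-42", rec)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d bytes; SSN visible in stored blob: %v\n", len(blob), bytes.Contains(blob, []byte(rec.SSN)))
	blob[len(blob)-1] ^= 0x01 // simulate tampering with the stored blob
	if _, err := OpenRecord(key, "row-42", blob); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
}
```

The authenticated mode matters as much as the encryption: a lost or tampered device should yield either the exact record or a clear failure, never plausible-looking garbage. Separating the key from the data is what makes "encrypted at rest" meaningful for the lost-laptop scenario the Bills describe.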

If you have additional questions, please call or email us for confidential guidance.

How Can Michael Baylor Advisory Services Help?

We have developed a Rapid SB 1386 Assessment methodology that can quickly identify risks associated with non-compliance and also how to efficiently mitigate those risks.

GLB 501

Compliance with Section 501(b) of the Gramm-Leach-Bliley Act (GLBA) requires, among other things, implementing a formal information security program, conducting risk assessments, and documenting policies, standards and procedures.

In many cases, documenting an information security infrastructure and its components is a formidable task due to the lack of definitive “how to” guidance from the federal regulators, a lack of internal staff, and/or a lack of the necessary skill sets.

The problem normally isn’t that an information security program is missing – it’s that the program hasn’t been formalized and documented. The program is typically evident in practice but not captured on paper.

Regulators are asking for documentation!

Michael Baylor Advisory Services approach: Fast Track Documentation

Fast Track documentation provides two key deliverables:

    • Security Manual
    • Recommendations

Security Manual

The Security Manual is a presentable stand-alone document that:

    • Documents information security activities as they are currently practiced and the technical security environment.
    • Captures programmatic attributes, policies, and practices that have not yet been formally documented.
    • Collects information security related documents that have been created.
    • Organizes the material in a single document that can be presented as compliance evidence for GLB oriented queries.
    • Documents a guided, self-assessment of risk.

Recommendations

The Recommendations document provides systematic guidance for correcting information security deficiencies observed during data gathering. It can be used internally for initiating and tracking progress or it can be presented to show future remediation efforts.

Fast Track Limitations

By its nature, Fast Track is a high-level initiative designed to rapidly document GLB Section 501 compliance efforts. Within engagement constraints, Fast Track documents breadth of compliance first and then depth of implementation, depending on program maturity.

Fast Track is a foundational initiative – a point solution from which to build. Documentation may not have sufficient depth to satisfy all examining teams.

How Can Michael Baylor Advisory Services Help?

We have developed a GLB 501 Fast Track methodology and other compliance, governance, security and privacy related solutions that are designed to effectively and efficiently mitigate compliance risks.
