Compliance Frameworks

Organizations struggle to ensure that their business technology infrastructures are secure and compliant with regulations and with industry and company policies. And for many, panic breaks when a major threat or regulatory audit looms. You can ensure continuous compliance with internal policy and regulatory mandates with the right partner.

InfoSight's Regulatory Framework Compliance Review can assist you in determining your compliance prior to the arrival of auditors and examiners. This assessment is conducted against the frameworks your organization is required to comply with, and can vary from engagement to engagement. The security tests performed during the Regulatory Framework Compliance Review may include the following types of tests:

Understanding Compliance

  • GLBA

    The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999, is aimed at financial institutions and is enforced by eight separate federal agencies and the states. Gramm-Leach-Bliley (GLBA) provides for a fairly broad interpretation of the phrase "financial institution" and not only affects banks, insurance companies, and security firms, but also brokers, lenders, tax preparers, and real estate settlement companies, among others.

    With rapid changes in technology, such as advances in mobile and Web 2.0 solutions, protecting customer information continues to be a challenge. For example, GLBA compliance requires us to analyze the risks before moving customer information into emerging technology models such as voice over IP (VoIP) systems or cloud computing. Clearly, organizations would be well served to invest time and effort early in the process to identify and assess observable risks in any new technology that processes customer data. This is where InfoSight can help.

    Section 501(b) of the Gramm-Leach-Bliley Act (GLBA) contains important provisions aimed at the protection of information including data in both electronic and non-electronic formats. Protecting information assets is necessary to establish and maintain trust between the financial institution and its customers, maintain compliance with the law, and protect the reputation of the institution. The primary goals of a GLBA Compliance Assessment are:

    • To ensure the security and confidentiality of customer records and information.
    • To determine that the Bank has established an adequate written Information Security Program.
    • To assess the quality of the Banks' compliance management policies and procedures for implementing the privacy regulation, specifically ensuring consistency between what the Bank tells consumers in its notices about its policies and practices and what it actually does.
  • PCI

    The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. Essentially any merchant that has a Merchant ID (MID). The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with focus on improving payment account security throughout the transaction process. The PCI DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB.). The payment brands and acquirers are responsible for enforcing compliance, not the PCI council. Recent accounts of highly-publicized data breaches occurring in companies that are seemingly PCI compliant, begs the question, "does PCI compliance equal security?" The answer is, "not necessarily."

    The PCI Security Standards Council's goal in forming the standards was to create a unified outline of the minimum security necessary to transmit, process and store cardholder information. Payment card information is a high-profile target and the tactics of cybercriminals are becoming more and more sophisticated. No organization is ever entirely secure; but with proper defenses, businesses can mitigate their risk and make it more difficult for cybercriminals to breach their private network. Organizations of all sizes should blend compliance into ongoing operations. Security, by definition, involves safeguarding confidential information, protecting against fraud, ensuring systems are available so you can generate revenue, and making sure there are no errors in the stack. When you do all these things, you inherently wind up fulfilling the intent of all major regulatory and industry compliance regulations. Going a bit above and beyond the periodic audits and network scanning required by PCI standards can yield a lot more value to an organization and, in most cases, does not add as much additional expense as may be perceived.

    InfoSight provides a variety of tools, guidance, training resources and other IT security services to assist organizations seeking to achieve PCI compliance. We can help you build and maintain a high security posture, help you understand what is involved in PCI compliance, and assist in developing policies and practices that best fit your needs. PCI compliance standards will continue to evolve over time.

  • CFPB/Dodd-Frank Act

    The Dodd-Frank Wall Street Reform and Consumer Protection Act, at over 2,000 pages, resulted from the financial crisis of 2007-2011, and brings the most sweeping changes to financial regulation in the United States since the Great Depression. The Act represents a paradigm shift in the American financial regulatory environment impacting all Federal financial regulatory agencies and affecting almost every aspect of the nation's financial services industry. The Act was signed into law on July 21, 2010 and is named after the two politicians who proposed it: Chris Dodd and Barney Frank.

    While much of the Act applies to only very large banks, there are many provisions that apply to community banks. For example, with the creation of a new consumer financial protection agency (CFPB), we can expect to see many new consumer protection regulations during the next few years.

    The underlying purpose of the Dodd-Frank Act is to enhance consumer protections and "de-risk" the financial system by constraining individual institutions' risk-taking activities and capturing a broader set of institutions in the regulatory net.

    Many of the new regulations will increase compliance costs for institutions or limit the fees they can charge. Community banks may find it more difficult than larger institutions to absorb the increased compliance costs and reduction in income. There are many other provisions that affect community bankers. Find out which provisions and exemptions would alter the competitive playing field for your institution.

  • BSA/AML

    The Bank Secrecy Act (BSA) is the primary U.S. anti-money laundering (AML) law and has been amended to include certain provisions of Title III of the USA PATRIOT Act to detect, deter and disrupt terrorist financing networks.

    This regulation requires every national bank and savings association to have a written, board approved program that is reasonably designed to assure and monitor compliance with the BSA.

  • HIPAA

    HIPAA is the acronym for the Health Insurance Portability and Accountability Act that was passed by Congress in 1996. HIPAA provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs; reduces health care fraud and abuse; mandates industry-wide standards for health care information on electronic billing and other processes; and requires the protection and confidential handling of protected health information.

    What is HITECH?
    HITECH is the acronym for the Health Information Technology for Economic and Clinical Health Act that was created in 2009 to stimulate the adoption of electronic health records (EHR) and supporting technology in the U.S. Healthcare providers are offered financial incentives for demonstrating meaningful use of electronic health records (EHR). Incentives will be offered until 2015, after which time penalties may be levied for failing to demonstrate such use.

    What is Meaningful Use?
    Meaningful Use is a term coined by HITECH. Meaningful use regulations require doctors and hospitals to comply with core objectives to improve quality, safety, and efficiency of health care delivery, reduce health care disparities, engage patients and families, improve care coordination, improve population and public health, and ensure adequate privacy and security protections for personal health information. Testing and certification will be performed to ensure the objectives are properly implemented.

    InfoSight provides straightforward, highly-robust, and affordable solutions to these challenges. We have a broad portfolio of IT infrastructure and security and compliance solutions designed to solve information technology challenges unique to the health care industry.

    Specifically, we'll help you:

    1. Choose the "right" EHR solution - We understand the challenges of EHR adoption. Rather than improve efficiency and productivity, some EHRs have generated so much frustration that physicians are looking for a better solution. The right EHR solution can make your organization more competitive by minimizing the costs of implementation and maintenance, uncovering and banking new incentive revenue and removing the burden of clinical paperwork starting on day one. We'll help you get to the heart of the matter andhelp you choose the "right" solution.
    2. Secure your data - Safeguarding the confidentiality of patient information is at the heart of HIPAA compliance. Patient privacy and security is an important consideration in implementing EHR solutions. InfoSight can help health care providers "on the edge" (who don't have readily available resources) catch the HIT wave and help ensure the privacy and security of individually identifiable health information.
    3. Implement an efficient IT Infrastructure - Every health care organization must have effective systems in place to ensure security and to uphold important, morphing-and-often-complex regulations, such as HIPAA. We'll help you create a more cost-effective and scalable IT infrastructure and reduce the complexity, inefficiency and inflexibility of your existing environment.
    4. Train your employees - Training is the first line of protection your organization can have in place to protect its valuable corporate assets and to protect information from being compromised. InfoSight has been training the employees of organizations in regulated industries for more than 10 years through onsite classes and educational webinars. Visit our Knowledge Center, a comprehensive online training portal that includes a wide range of industry-specific courses.

  • ISO 27001

    ISO 27001 certification is an international standard for the management and protection of information assets. Published in Oct 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), it defines requirements for an Information Security Management System (ISMS). Although ISO 27001 takes a very broad approach to information security, its objective is to bring information security under explicit management control and provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System (ISMS). It also enables enterprises to evaluate risk and develop adequate treatment measures based on both the organization's security needs and the security measures already in place. Organizations that claim to have adopted ISO 27001 can be formally audited and certified according to the standard.

    As with all management processes, an Information Security Management System (ISMS) must remain effective and efficient in the long term, adapting to changes in the internal organization and external environment. InfoSight will provide guidance on designing, implementing and operating your information security management system.

    ISO 27001 certification requires that management:

    • Systematically examine the organization's information security risks, taking account of the threats, vulnerabilities and impacts
    • Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable
    • Adopt an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis

    It is important to understand that ISO 27001 certification is not a one-off exercise. To maintain the certificate the organization will need to both review and monitor the information security management system on an on-going basis.

    Let InfoSight help you:

    • Define, plan and implement your organization's ISMS
    • Establish a procedure to control & protect ISMS documents
    • Identify and evaluate risk treatment options and actions
    • Implement security procedures & controls
    • Review and update your information security plans
    • Identify the resources needed to ensure that you will be able to improve the effectiveness of your ISMS when required to do so
  • SOX

    The Sarbanes-Oxley Act (SOX) was signed into law on 30th July 2002 to strengthen corporate governance and restore investor confidence. Following a series of very high-profile scandals, such as Enron, the Act introduced highly-significant legislative changes to financial practice and corporate governance regulation. SOX itself is organized into eleven titles, although sections 302, 404, 401, 409, 802 and 906 are the most significant with respect to compliance and internal control. SOX makes CEO's and CFO's personally responsible not only for financial statements that accurately reflect the financial condition of the organization, but also makes them responsible for setting up and maintaining systems that ensure that they actually know the truth about what is going on in the organization.

    Sarbanes-Oxley (SOX) is a rather complicated act that attempts to prevent corporate fraud. To that end, SOX compliance requires attention to many different clauses in the Act. Section 404 seems to cause the most concern and states that publicly traded companies must have policies and controls in place to secure, document, and process material information dealing with their financial results. It also states that documentation, testing and support must be audited and reported on. While most provisions of the SOX Act focus on financial records, they were clearly not meant to stop there. For example, during an investigation, discovery requests can be submitted to IT departments. In addition, such requests could require access to all email communication. As such, SOX compliance requires that strict records retention policies and procedures must be in place, as well as quick data retrieval.

    Ignorance is no longer an excuse. Penalties for non-compliance include substantial fines and significant prison terms for anyone who knowingly alters or destroys a record or document with the intent to obstruct an investigation. SOX compliance can seem like an overwhelming task, but InfoSight can help you understand your obligations under the Act, navigate Section 404, and walk you through the implementation process quickly and easily.

  • COBIT

    COBIT is the acronym for Control Objectives for Information and related Technology. The COBIT framework is a complete, internationally-accepted process for information technology (IT) management that supports business, IT executives and management in their definition and achievement of business and related IT goals by providing a comprehensive IT governance, management, control and assurance model. The COBIT framework was created by the Information Systems Audit and Control Association (ISACA), and the IT Governance Institute (ITGI) in 1996. The COBIT framework provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of information technology and developing appropriate IT governance and control in a company. ISACA updates the COBIT framework about every 3 years.

    COBIT is perhaps the most widely-used information technology control framework, since it spans the gamut of IT. COBIT describes IT processes and associated control objectives, management guidelines (activities, accountabilities, responsibilities and performance metrics), and maturity models. Additionally, COBIT supports enterprise management in the development, implementation, and continuous improvement and monitoring of good IT-related practices.

    COBIT can be extremely complex and difficult to address and implement. By its very nature, it is detailed and comprehensive, and requires a great deal of effort; however, InfoSight can help you address and implement the COBIT framework and achieve COBIT's high standards. The COBIT framework consists of six components:

    • Executive Summary
    • Management Guidelines
    • Control Objectives
    • The COBIT Framework
    • Audit Guidelines
    • Implementation Toolset
  • NERC

    The North American Electric Reliability Corporation (NERC) is a nonprofit and self-regulatory organization created to ensure that the bulk electric system in North America is reliable, adequate and secure. As the federally designated Electric Reliability Organization (ERO) in North America, NERC maintains comprehensive reliability standards that define requirements for planning and operating the collective bulk power system. Among these are the Critical Infrastructure Protection (CIP) Cyber Security Standards, which ensure the protection of the Critical Cyber Assets (CCAs) that control or affect the reliability of North America's bulk electric systems. NERC is subject to oversight by the U.S. Federal Energy Regulatory Commission (FERC) and governmental authorities in Canada. In 2006, FERC approved the Security and Reliability Standards proposed by NERC, making the CIP Cyber Security Standards mandatory and enforceable across all users, owners and operators of the bulk-power system.

    • Where do we start implementing IT security controls? And in what order?
    • How do we build sustainable security controls that integrate into our daily IT operations?
    • How do we ensure continuous compliance with NERC?

    InfoSight can help you answer these questions, and more. We partner with utility providers to help you improve your security and compliance posture while reducing costs. We'll help you take the necessary steps to integrate IT security controls with IT production operations, to simultaneously achieve NERC compliance goals, as well as your IT operational and security goals. Many of our Managed Services align directly with the NERC CIP Cyber Security Standards, allowing you to easily meet and exceed the requirements they set forth. Our professional services team can audit your recovery plans and identify any gaps that need to be addressed. We'll conduct a two to three day on-site compliance assessment/audit to help you determine the extent to which you comply with the applicable NERC Standards. The assessment will provide you with a complete listing of your procedures and measures that address the NERC Standards and the areas where additional documentation is required.

    Let InfoSight help you manage NERC requirements. We'll also help you build sustainable security controls that integrate into your daily IT operational processes enabling you to respond more quickly to urgent business needs, and help provide you with stable, secure, and predictable IT services.

    Benefits of a secure data center:

    • Increased availability
    • Decreased time for recovery
    • A reduction in unplanned work
    • Higher performance
    • Decreased risk
    • Lessened time and effort for audits
    • Overall lower costs to deliver IT services

    Due to the importance of securing the North American power supply, financial penalties for NERC non-compliance are hefty: entities can be fined up to $1 million per day per infraction until they have brought themselves back into a compliant state.

  • USA Patriot Act

    The USA PATRIOT Act (commonly known as the "Patriot Act") is an Act of the U.S. Congress and signed into law by President George W. Bush on October 26, 2001, shortly after the terrorist attacks on Sept 11, 2001. The title of the Act is a contrived acronym, which stands for Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001. The Act gives federal officials greater authority to track and intercept communications, both for law enforcement and foreign intelligence gathering purposes. It vests the Secretary of the Treasury with regulatory powers to combat corruption of U.S. financial institutions for foreign money laundering purposes. It seeks to further close our borders to foreign terrorists and to detain and remove those within our borders. It creates new crimes, new penalties, and new procedural efficiencies for use against domestic and international terrorists.

    Besides extending law enforcement's surveillance and investigative powers and easing restrictions on foreign intelligence gathering within the US, the USA PATRIOT Act also expanded the Secretary of the Treasury's authority to regulate financial transactions, particularly those involving foreign individuals and entities. One provision of the USA PATRIOT Act requires financial services companies to develop improved capabilities to identify customers and flag suspicious transactions, making businesses responsible for seeking, detecting, and reporting computer trespasses. Banks in particular are expected to identify, discover, gather, amass, investigate, and report on financial activity to a far greater degree and depth than was previously expected of them.

Whether it is Sarbanes-Oxley, GLBA, HIPAA, the US Patriot Act, or any in the list, integrating information in support of compliance is not a one-off proposition. Compliance requires ongoing and constant enforcement. It's never a matter of simply checking a box and then moving to another project.

This is where InfoSight can help. Regardless of how little or how much help you require, InfoSight's compliance experts will provide the support you need to ensure compliance.

Don’t face compliance issues alone. Contact us today.