Compliance and Your Business
| Achieve Compliance for Your Business | |
|---|---|
| Gramm-Leach-Bliley Act | Requires financial institutions to protect the confidentiality and integrity of customer records. |
| FTC Consent Order | Requires affected firms to engage independent third-party assessors to perform security assessments of existing programs intended to safeguard personal information collected about consumers, on an initial and biennial basis for a specified period. |
| HIPAA | Requires healthcare organizations to safeguard electronic protected health information. |
| FDA 21 CFR Pt 11 | Sets the FDA's criteria for trustworthy electronic record keeping and the use of electronic signatures. |
| NERC CyberSecurity | Safeguards the reliability of utilities delivering bulk electricity to the electrical grid. |
| California SB 1386 | Requires notification of California residents whose personal information was acquired by an unauthorized person in a breach of a database. |
| Sarbanes-Oxley Section 404 | Requires management to assess and report on internal controls over financial reporting, including the IT controls that support them. |
| ISO 27002 | An internationally recognized standard that provides the foundation of a solid information security program. |
| COBIT | A generally applicable framework for IT security and control. |
| NIST | A source of best-practice IT security information and guidelines. |
| FFIEC | Authorized to prescribe uniform standards, principles, and report forms for the federal examination of banks and other financial institutions. |
| Credit Card Security | PCI: Visa CISP, MasterCard SDP, and American Express standards to safeguard customer accounts. |
| Learn More | To talk with us about security and your business, call 650-426-5310 or submit your inquiry online. Or, see Enterprise Compliance Assessments and Security Certification Program for how we can help you. |
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, requires financial institutions such as banks, insurance companies, and brokerage firms to establish administrative, technical, and physical safeguards to protect the confidentiality and integrity of customer records.
To comply with GLBA, you must identify and assess the risks to customer information, design and implement safeguards that address those risks, and establish measures to monitor and test those safeguards on an ongoing basis.
We help financial institutions assess their existing security architecture and develop and implement an information security program consistent with the Safeguards Rule (16 CFR Part 314).
Learn about:
- Enterprise Compliance Assessments
- Security Certification Program
- Financial Institutions Success Story
- Security Solutions to Support Compliance With the Gramm-Leach-Bliley Act
FTC Consent Order
Over the last few years, several publicized data breaches have led the United States Federal Trade Commission (FTC) to require comprehensive security assessments of organizations that failed to take reasonable care in securing consumer data. Generally, the resulting FTC consent order requires the affected firm to engage an independent third-party assessor to perform security assessments of its existing program for safeguarding personal information collected about consumers, on an initial and then biennial basis for a specified period.
VeriSign has developed an approach to performing this assessment that uses a selection of controls and safeguards grounded in the language of the FTC order, and further informed by ISO 27001 and 16 CFR Part 314 (Standards for Safeguarding Customer Information, promulgated under the Gramm-Leach-Bliley Act), as the baseline for evaluating the security program.
Based on its assessment results, VeriSign can certify that the Order recipient's security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information are protected, and that it has so operated throughout the reporting period. VeriSign consultants also hold the security certifications the FTC specifies for assessors.
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996; its Security Rule, finalized in 2003, responds to the healthcare industry's move to handling patient information electronically. Improving business processes and communications has great potential to improve patient care and lower costs, but it also puts electronic data at risk. The HIPAA Security Rule is designed to address that risk.
The Security Rule requires covered healthcare organizations to conduct a thorough risk analysis of the electronic protected health information they hold, to develop and implement a plan for improving security based on that analysis, and to maintain that security over time.
We're experts in healthcare compliance and can lead both the risk assessment and its implementation. Learn about:
- Enterprise Compliance Assessments
- Security Certification Program
- Healthcare Success Story
- Security Solutions to Support Your Compliance With HIPAA
FDA 21 CFR Part 11 was issued in response to the trend among pharmaceutical companies and medical device manufacturers to use the Internet to speed up communications and share data such as trial results. The business benefits are clear, but so are the risks. 21 CFR Part 11 sets the criteria under which the FDA considers electronic records and electronic signatures to be trustworthy, reliable, and equivalent to paper records and handwritten signatures.
To comply, you must conduct a risk analysis of the systems that create and hold those records and implement controls for handling electronic records and signatures, such as system validation, secure time-stamped audit trails, and checks on who may access and sign records.
We can conduct the risk analysis. We can also implement the procedures for handling electronic records and signatures that help you meet the requirements.
Learn about:
- Enterprise Compliance Assessments
- Security Certification Program
- Life Sciences Success Story
- Security Solutions to Support Compliance With FDA 21 CFR Pt 11
The CyberSecurity standard doesn't have the force of law in the sense that, say, HIPAA does. Compliance is essential, however, because a utility that doesn't meet the standard won't be able to do business. The standard was initiated by the North American Electric Reliability Council (NERC). Its goal is to safeguard the reliability of the utilities delivering bulk electricity to the electrical grid.
Starting in the first quarter of 2004 and into the foreseeable future, all utilities delivering bulk electricity are required to identify and protect their critical cyber assets.
Identifying and protecting critical cyber assets means that your IT systems need a risk assessment and the implementation of higher standards of security. The required goals are defined in Section 1201 of the standard. We can design an information protection program that meets those goals.
Learn about:
- Enterprise Compliance Assessments
- Security Certification Program
- Security Solutions to Support Compliance with the NERC Standards
California SB 1386 requires any person or business that conducts business in California and owns or licenses computerized data containing the personal information of a California resident to notify that resident, in the most expedient time possible and without unreasonable delay, when a security breach results in that information being acquired, or reasonably believed to have been acquired, by an unauthorized person. The notification requirement applies even if there is no indication the information has been misused. Note that the law covers unencrypted personal information; encrypting stored personal data is therefore one of the most direct ways to limit your notification exposure. Most experts think this law will rapidly be duplicated in other states.
Because reporting a breach, whether online or by letter, is difficult, expensive, and can harm your reputation, it's important to prevent most breaches and to detect and contain the rest.
We can help by providing a detailed plan to upgrade your information security and by helping you carry out and maintain that plan.
Learn about:
- Enterprise Compliance Assessments
- Security Certification Program
- Security Solutions to Minimize Risks of Breaches Under California SB 1386
The Communications Assistance for Law Enforcement Act (CALEA) defines the obligations of telecommunications carriers to assist law enforcement in lawful electronic surveillance. The Do-Not-Call rules require telephone solicitors to honor consumers' requests not to be called, both through the National Do Not Call Registry and through company-specific do-not-call lists.
You should be ready to aid law enforcement agencies in a timely manner and to make sure that Do-Not-Call requests are honored. You must also secure the intercept capability itself, so that it cannot be used by unauthorized parties and surveillance efforts do not backfire. We can analyze your existing network to see where the risks are, and define and implement a network design that reduces them.
ISO 27002, Information Technology – Security Techniques – Code of Practice for Information Security Management, is one of the most widely recognized and accepted standards used as the basis for information security programs worldwide. ISO 27002 covers the following control areas:
- Security Policy
- Organization of Information Security
- Asset Management
- Human Resources Security
- Physical and Environmental Security
- Communications and Operations Management
- Access Control
- Information Systems Acquisition, Development, and Maintenance
- Information Security Incident Management
- Business Continuity Management
- Compliance
Compliance with ISO 27002 can be the foundation of a solid information security program for your business. Compliance requires being able to demonstrate that you have met each of the ISO 27002 control objectives applicable to your organization. Note that ISO 27002 is a code of practice; formal certification is against its companion management-system standard, ISO 27001, which uses the ISO 27002 controls as its reference set.
VeriSign's Global Security Consulting organization has the knowledge and experience to help you meet the ISO 27002 requirements. We can perform a complete assessment of your information security program, including people, processes, and technology. In addition to assessing your program, we can assist in its development and implementation: security program strategy, security policy development, incident response, security awareness and training program development, and business continuity and disaster recovery planning, among others. VeriSign's iDefense Security Intelligence Service and Managed Security Services also offer solutions to help your organization achieve compliance with ISO 27002.
Learn about:
- ISO 27002 Assessments and Compliance (PDF)
- Enterprise Compliance Assessments
- Security Certification Program
COBIT, developed and maintained by the IT Governance Institute, aims to be a generally applicable framework for IT governance and control, including IT security. It has wide US and international acceptance, and its maintainers are quick to develop guidance for new challenges such as Sarbanes-Oxley.
You aren't required to comply with COBIT. Rather, it's a framework designed to help companies manage IT security and control in a uniform way. By meeting COBIT's control objectives, you approach IT security systematically and in line with accepted industry practice.
We can help you decide whether COBIT is the best compliance vehicle for your business. We'll then use its control objectives as the basis for our risk assessment of your infrastructure, and incorporate its guidelines for implementing IT safeguards into our recommendations.
The National Institute of Standards and Technology (NIST), founded by the federal government in 1901, is a non-regulatory agency that sets standards for product quality, building safety, and a wide range of other industrial and scientific activities. Despite its age, NIST has continued to grow with technology. Its Computer Security Division was launched in 1987, primarily to provide guidelines to Federal IT departments, but also to work with industry.
Because NIST is non-regulatory, it imposes no compliance requirements of its own on private-sector organizations (federal agencies, by contrast, are required under FISMA to follow NIST's FIPS standards and the associated Special Publication 800-series guidance). NIST is nevertheless an excellent source of best-practice IT security information and guidelines.
Bringing your IT department into line with NIST guidance can prepare you for the requirements you may be subject to under regulations such as HIPAA and Sarbanes-Oxley. We're fully conversant with NIST guidelines and can use them to provide a risk assessment of your current network and to design and implement a stronger IT system.
The Federal Financial Institutions Examination Council (FFIEC) is a Federal interagency body with the authority to prescribe uniform standards, principles, and report forms for the federal examination of banks and other financial institutions. These institutions are examined against FFIEC standards by their regulators: the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, or the Office of Thrift Supervision.
Because the FFIEC has the full power of the government behind it, and because your institution may be examined by more than one of these agencies, it is essential that you understand what the FFIEC requires and are prepared to adhere to those requirements. In practice, examiners work from the FFIEC IT Examination Handbook, and its Information Security Booklet is the reference for the information security program they expect to see.
FFIEC requirements are highly specialized, and we maintain a high level of expertise in the field. We provide an assessment of your current network and show you how to bring it in line with the required standards and principles. We also show you how to update your reporting as the FFIEC demands. If that documentation requires changes to your current systems, we develop a plan to integrate them into your working setup with minimal disruption.
The major credit card companies, Visa, MasterCard, and American Express, have all initiated security programs to safeguard customer accounts and make using their cards online safer. These programs are built on the common Payment Card Industry Data Security Standard (PCI DSS), which the card brands jointly maintain.
VeriSign is an authorized assessor and scanning provider for Visa's Cardholder Information Security Program (CISP) and MasterCard's Site Data Protection (SDP) program. Our assessments also cover the information security standards published by American Express.
VeriSign can provide credit card security assessment and certification for your organization.