Risk is defined in ISO 31000 as the effect of uncertainty on objectives (whether positive or negative). Risk management can therefore be considered as the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.
Every organization has a mission. In this digital era, as organizations use network systems to transmit their information for better support of their missions, IT risk management plays a critical role in protecting an organization's information assets, and therefore its mission, from IT-related risk. The laws and regulations enacted in this area are the result of pressure on lawmakers to do something to combat the countless compromises of sensitive data, such as credit cards, Social Security numbers, and bank account information, that we hear about every day. Such laws and regulations provide clear guidance on how personal data must be protected and who is ultimately responsible for its protection.
Regulatory risk
Regulatory risk, a term describing the problems arising from new or existing regulations, is now one of the greatest threats to business, according to a global survey of 230 senior risk managers by the Economist Intelligence Unit.
Your organization may be faced with having to comply with one or more of the following regulations that impact your Information Technology:
Sarbanes Oxley (SOX):
The SOX Act mandates rules and standards for corporate governance, disclosure, and reporting for all U.S. public company boards, management and public accounting firms.
SOX requires the chief executive and chief financial officers of public companies to attest to the accuracy of financial reports (Section 302) and requires public companies to establish adequate internal controls over financial reporting (Section 404). Passage of SOX resulted in an increased focus on IT controls, as these support the storing, transmitting and processing of financial data and therefore fall into the scope of management's assessment of internal control under Section 404 of SOX.
The consequences for non-compliance are fines, imprisonment, or both.
HIPAA/HITECH:
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996 to set a national standard for electronic transfers of health data. At the same time, Congress saw the need to address growing public concern about the privacy and security of personal health data. The task of writing rules on privacy eventually fell to the U.S. Department of Health and Human Services (HHS). After several modifications, HHS issued the HIPAA Privacy Rule. The Privacy Rule took effect on April 14, 2003, for most health care providers, health plans, and health care clearinghouses.
Payment Card Industry Data Security Standard (PCI DSS):
PCI DSS is a worldwide information security standard for enhancing payment account data security, assembled by the Payment Card Industry Security Standards Council (PCI SSC). The standard was created to help organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise. The standard applies to all organizations which hold, process, or pass cardholder information from any card branded with the logo of one of the card brands.
Gramm-Leach-Bliley Act (GLBA):
The Gramm-Leach-Bliley Act (GLBA) was enacted on November 12, 1999, and includes provisions to protect consumers' personal financial information held by financial institutions. Major components were put into place to govern the collection, disclosure, and protection of consumers' non-public personal information, or personally identifiable information.
These include:
The Financial Privacy Rule
The Financial Privacy Rule requires financial institutions to provide each consumer with a privacy notice at the time the consumer relationship is established and annually thereafter. The privacy notice must explain the information collected about the consumer, where that information is shared, how that information is used, and how that information is protected.
The Safeguards Rule
The Safeguards Rule requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue, protecting clients' nonpublic personal information. This plan must include:
- Designating at least one employee to manage the safeguards,
- Applying thorough risk management to each department handling the nonpublic information,
- Developing, monitoring, and testing a program to secure the information, and
- Changing the safeguards as needed as the way information is collected, stored, and used changes.
This rule is intended to do what most businesses should already be doing: protecting their clients. The Safeguards Rule forces financial institutions to take a closer look at how they manage private data and to do a risk analysis on their current processes.
The GLB Act gives authority to eight federal agencies and the states to administer and enforce the Financial Privacy Rule and the Safeguards Rule. These two regulations apply to "financial institutions," which include not only banks, securities firms, and insurance companies, but also companies providing many other types of financial products and services to consumers. Among these services are lending, brokering or servicing any type of consumer loan, transferring or safeguarding money, preparing individual tax returns, providing financial advice or credit counseling, providing residential real estate settlement services, collecting consumer debts and an array of other activities. Such non-traditional "financial institutions" are regulated by the FTC.
Federal Financial Institutions Examination Council (FFIEC):
The Federal Financial Institutions Examination Council (FFIEC) is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS).
The FFIEC issues guidelines and rules for any regulated financial institution, including explicit guidelines for data security and technology risk management. The FFIEC Information Technology Examination Handbook spells out what steps banks and credit unions should take to achieve compliance with GLBA and other IT-related mandates.
The Federal Information Security Management Act (FISMA) of 2002:
FISMA (section 3544(b)(2)(D)(iii)) recognizes the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency. FISMA defines a framework for managing information security that must be followed for all information systems used or operated by a U.S. federal government agency or by a contractor or other organization on behalf of a federal agency.
Defense Information Systems Agency (DISA):
DISA ensures that information is accessible to the joint forces, while protecting the network, and the information on it, from being accessed by adversaries. In order to achieve mission assurance and promote safe information sharing, DISA makes data ubiquitously accessible while simultaneously restricting access, promotes the safe sharing of information, prevents attacks by having network protections in place, and detects, diagnoses, and reacts to attacks quickly. The DISA Security Technical Implementation Guides (STIGs) and associated checklists provide configuration guidelines to meet or exceed the security requirements of Department of Defense systems.
Food and Drug Administration (FDA) - 21 CFR Part 11:
In August 1997, the Food and Drug Administration (FDA) gave industry its set of rules for electronic signatures and electronic records. The FDA requires drug makers, medical device manufacturers, biotech companies, biologics developers, and other FDA-regulated industries, with some specific exceptions, to implement controls, including audits, system validations, audit trails, electronic signatures, and documentation, for software and systems involved in processing and transmitting electronic data that are (a) required to be maintained by FDA predicate rules or (b) used to demonstrate compliance with a predicate rule.
Conclusion:
It is important for organizations to recognize that the time and expense in complying with applicable laws protecting data and systems will produce benefits over time, reducing the likelihood of compromise while at the same time avoiding costly non-compliance penalties. The release of personal data -- whether through human error or criminal activities -- is both disruptive and costly and can be disastrous for customers and the organizations that serve them.