Regulations & Compliance
Audit and IT Compliance
Companies may need to comply with a number of initiatives and regulations, depending on their industry and the nature of their business, and undergo audits to certify that compliance. Two major frameworks provide the specific guidance needed both by IT organizations and by internal and external auditors.
In response to financial fraud scandals, the US Congress passed the Sarbanes-Oxley Act of 2002, quickly nicknamed "SOX". The legislation introduced requirements for transparency and integrity in financial reporting, and other jurisdictions, among them Japan, the European Union, Australia and the UK, have followed with similar legislation. The banking industry has responded to fraud with the international Basel Accord. Because a company's financial records are produced and stored by its IT systems, many of these mandates focus on IT governance: the controls over who can create, change and approve the data behind the financial statements.
Identity Theft/Credit Card Fraud
PCI DSS: The Payment Card Industry Security Standards Council is an independent council originally formed by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International on Sept. 7, 2006, with the goal of managing the ongoing evolution of the Payment Card Industry Data Security Standard (PCI DSS).
The standard applies to every organization that stores, processes or transmits cardholder data from any card carrying the logo of one of those brands, regardless of the organization's size or transaction volume.
Red Flags: The Federal Trade Commission (FTC), the federal bank regulatory agencies and the National Credit Union Administration (NCUA) have issued regulations (the Red Flags Rules) under the Fair and Accurate Credit Transactions (FACT) Act of 2003 requiring financial institutions and creditors to develop and implement written identity theft prevention programs. The programs were required to be in place by November 1, 2008, and must provide for the identification, detection and response to patterns, practices or specific activities, known as "red flags", that could indicate identity theft.
Safe Harbor: The European Commission's Directive on Data Protection (Directive 95/46/EC, in force from October 1998) prohibits the transfer of personal data to non-European Union countries that do not meet the European "adequacy" standard for privacy protection. While the U.S. and the European Union share the goal of strengthening privacy protection for their citizens, the U.S. takes a different, largely sector-by-sector approach from the comprehensive one taken by the European Union.
To bridge these different approaches and give U.S. organizations a streamlined way to comply with the Directive, the U.S. Department of Commerce, in consultation with the European Commission, developed the "Safe Harbor" framework and published a website with the information an organization needs to evaluate, and then join, the Safe Harbor. Note that the Safe Harbor framework was later invalidated by the Court of Justice of the European Union in October 2015, so it no longer provides a lawful basis for EU-to-U.S. transfers.
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction. There are two lines of defense: protecting information from outsiders and from insiders. Outside threats are addressed with anti-malware software, firewalls and locked doors. Inside threats are harder, because some access has to be allowed for the business to function, so the task becomes one of defining and enforcing who should be able to do what, to which data, and from where, and of producing the evidence that auditors will ask for.
PRC makes an important contribution to “inside” IT security.
General Audit: SAS 70, IT Audit