Compliance: A Look at the Bigger Picture
Samuel Warren
IS 461 - Information Security Overview
Professor Dan Morrill
February 16, 2011
When children are
young, their parents often ask them to do tasks. To adults, the request may
seem trivial, or even ridiculous, but they tend to see the bigger picture,
whereas children may not. Much is the same with compliance. Compliance is when
a group of people collaborate to set standards then request those associated
with them to meet said standards. Compliance garners as much criticism as it
does praise among programmers and managers. “It is just one more thing we have
to do,” is the common complaint. While this is true for some, the people who
request businesses to fall into compliance often see a bigger picture or even a
larger cost in the event compliance is not achieved. Many parents would not let
their children play at the park unsupervised, let alone play on a busy
street. Why then do the children always want to play on the busy street? There
are numerous reasons why companies do not want to deal with compliance.
It may take extra time or money, both of which may be in short supply. In spite of
this, staying in compliance will not only save future headaches, but will also
improve business practices. Several major groups or laws require
compliance with specific standards as a condition of doing business with them. The
Payment Card Industry (PCI) standard, the Health Insurance Portability and Accountability Act
(HIPAA), and the Sarbanes-Oxley Act (SOX) are among the compliance standards that
must be met. To put the pieces of the puzzle together and form the bigger
picture, one needs to look at these different groups or laws. By looking into
the laws, one will discover why it is so important to be compliant with their
regulations and what happens if a business is not compliant.
PCI
The Payment Card Industry (PCI) is actually a group of credit card companies that share a
common goal: to protect their customers from credit card theft. In 2001, Visa instituted
a protection plan for their customers called Cardholder Information Security
Program (CISP). “Mandated since June 2001, CISP is intended to protect Visa
cardholder data–wherever it resides–ensuring that members, merchants, and
service providers maintain the highest information security standard”
(Visa.com, 2011). Creating a level of protection for their customers is what
undoubtedly encouraged MasterCard, American Express, Discover, Diners
Club, and the Japan Credit Bureau to adopt the compliance standards and have a
hand in fashioning and refining them.
Being compliant with PCI standards is a requirement to which everyone using technology to
electronically transmit credit or debit card information must adhere. While it
does not take the place of each individual company’s protection plans, it is an
agreed-upon middle ground and acceptable minimum requirement for those wishing
to do business with the Payment Card Industry. PCI compliance deals with quite
a few facets of a business, including: security policy and administration of
card information, information architecture, database protection, electronic
transmission, and penetration testing to determine system vulnerability. The
idea is to bring all electronic media dealing with credit or debit card
information to an elevated level of protection while making it easy to transmit
data. A good example of being compliant would be using Secure Sockets Layer
(SSL) to protect transactions online. When a company does not meet the minimum
PCI requirements, the major credit card companies can fine the banks that
process the transactions and even terminate their relationship with them. For
example, if Bank of America did not meet PCI compliance, Visa could choose to
stop working with them and even fine them. It would be likely that MasterCard,
Discover, and American Express would decline to pick up the relationship as
well. This would mean that Bank of America customers would have to obtain a cashier's
check or money order, or send a check, for online purchases. Many customers would
see this as unfavorable and discontinue using Bank of America. For those
industries requiring transactions with PCI, taking the few extra steps will
undoubtedly save money in the long run, not to mention increased trust from
their customers who know their information is protected. Following the
scheduled testing protocols and standards to protect the data, while
inconvenient at times, is not something to be trifled with when compared to the
hours of customer service and potential loss of revenue.
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996
by the United States Congress to protect and secure patient healthcare
information. With the HIPAA law enacted, Congress was in essence pushing a set of
standards out to all the different groups in the health industry. It
standardized billing and claims while simplifying the administration process. Unfortunately,
standardizing these processes made more information available to would-be
thieves. So in 2001, Congress stretched its reach with this law to add more
safeguards and limit who could actually view health information. “These
safeguards dictate that only authorized individuals have access to patient
information and only to the information necessary to support a given task” (Snedaker,
2007). It also restricted how health professionals could interact via telephone,
voicemail, and printed material. Part of the compliance requirement is giving
every patient a waiver stating how standards are met. Additionally, signatures
are required from patients to state they received the waiver. While the Health
and Human Services department can impose fines, according to Snedaker’s 2007
book, it has yet to do so. Falling out of compliance with HIPAA seems to carry
few consequences, but it would certainly be in the
best interest of healthcare facilities to maintain these standards for the
protection of their patients. There is also a possibility that by not meeting
the standards, a doctor or medical practitioner could lose credibility, face
fines, or face prosecution by the government.
SOX
The Sarbanes-Oxley Act of 2002 got its start from tragedy. Thousands of investors were
swindled by large corporations that were not held accountable and that operated on the
idea that lying to their investors was more profitable. However, investment has
a much broader influence than just a single company; it affects a
nation. With so many people looking at the stock market and trading based on
tips and leads, they need to be able to trust what they are seeing. Dishonesty
with investors in such ways causes the market to bloat and become unstable. In
the end, selfishness got the better of executives from Enron and WorldCom, who, instead
of acting responsibly and keeping their companies in check, chose to manipulate
and lie their way through the problems they faced. The SOX act was created to foster
trust with investors.
SOX is designed to reassure shareholders that their investments are being protected from scandal
and deception. To this end, the Act sets forth guidelines that compel companies
to provide investors with all of the information that they require to make
sound investing decisions. The damaging effects of cheating investors in the past
can be rectified in the minds of current investors only if companies portray a
consistent and unified commitment to honesty and fairness. SOX was written in the
spirit of three key principles: integrity, accuracy, and accountability. (Anand, 2007)
While the SOX act
seems far less stringent on compliance standards, it is a needed confidence
booster to know that the business one chooses to invest in is honest,
accountable, and keeps its books open. According to Anand, failure to comply with
these standards is where the rubber meets the road. Not only are the
consequences for failing to comply leveled solely against the executive officers of
the organization, but they also carry with them fines of up to $1 million and up
to 10 years in prison. That does not include potential lawsuits from investors,
which would also fall directly on the executive officers. While SOX standards seem
easy to comply with, non-compliance with the SOX act could be
devastating to those who lead the companies.
Conclusion
As discussed, compliance is the concept of adhering to a set of policies or rules
that have been set forth. When a business adheres to such standards, there are great benefits.
Conversely, falling outside the acceptable range also carries great risks. When a
company is in adherence to PCI, HIPAA, and SOX standards, they provide some of
the very best protection for the consumers of the affected fields, thus also
building a bridge of trust between the consumers and themselves. Furthermore,
the threat of fines and other lawsuits, not to mention loss of business, makes
failure to comply a potential death sentence for that business. When executives
get too caught up in making money, they tend to forget that their number one
concern should be caring for their customers, those who got them there in the
first place. It is because of scandals in the past, high rates of theft, and
the increasing use of electronic mediums that these measures were enacted in
the first place. The bigger picture reveals the necessity of complying and
the negatives of non-compliance, but the real winner is not the business or the
group setting the standards; it is the people whose information is protected
from would-be criminals.
References
Anand, S. (2007). Essentials of Sarbanes-Oxley [Books24x7 version]. Available from http://common.books24x7.com.proxy.cityu.edu/book/id_18058/book.asp
Risk Management, Cardholder Information Security Program. (2011). CISP overview [Fact sheet]. Retrieved February 15, 2011, from http://usa.visa.com/merchants/risk_management/cisp_overview.html
Snedaker, S. (2007). The best damn IT security management book period [Books24x7 version]. Available from http://common.books24x7.com.proxy.cityu.edu/book/id_25442/book.asp