Wednesday, April 25, 2012

Compliance: A Look at the Bigger Picture
Compliance: A Look at the Bigger Picture
Samuel Warren
IS 461- Information Security Overview
Professor Dan Morrill
February 16, 2011
Compliance: A Look at the Bigger Picture
When children are young, their parents often ask them to do tasks. To adults, the request may seem trivial, or even ridiculous, but they tend to see the bigger picture, whereas children may not. Much is the same with compliance. Compliance is when a group of people collaborate to set standards and then require those associated with them to meet said standards. Compliance garners as much criticism as it does praise among programmers and managers. “It is just one more thing we have to do,” is the common complaint. While this is true for some, the people who require businesses to fall into compliance often see a bigger picture, or even a larger cost, in the event compliance is not achieved. Many parents would not let their children play at the park unsupervised, let alone play on a busy street. Why then do the children always want to play on the busy street? There are numerous reasons why companies do not want to have to deal with compliance. It may take extra time or money, both of which may be in deficit. In spite of this, staying in compliance will not only save future headaches, but will also actually improve business practices. There are several major groups or laws requiring compliance with specific standards in order to transact with them. The Payment Card Industry (PCI), the Health Insurance Portability and Accountability Act (HIPAA), and the Sarbanes-Oxley Act (SOX) are among the compliance standards that must be met. To put the pieces of the puzzle together, forming the bigger picture, one needs to look at these different groups or laws. By looking into the laws, one will discover why it is so important to be compliant with their regulations and what happens if a business is not compliant.
PCI
Payment Card Industry (PCI) is actually a group of credit card companies that share a common goal: to protect their customers from credit card theft. In 2001, Visa instituted a protection plan for their customers called the Cardholder Information Security Program (CISP). “Mandated since June 2001, CISP is intended to protect Visa cardholder data–wherever it resides–ensuring that members, merchants, and service providers maintain the highest information security standard” (Visa.com, 2011). Creating a level of protection for their customers is what undoubtedly encouraged MasterCard, American Express, Discover, The Diner’s Club, and the Japan Credit Bureau to adopt the compliance standards and have a hand in fashioning and refining them.
Being compliant with PCI standards is a requirement to which everyone using technology to electronically transmit credit or debit card information must adhere. While it does not take the place of each individual company’s protection plans, it is an agreed-upon middle ground and acceptable minimum requirement for those wishing to do business with the Payment Card Industry. PCI compliance deals with quite a few facets of a business, including: security policy and administration of card information, information architecture, database protection, electronic transmission, and penetration testing to determine system vulnerability. The idea is to bring all electronic media dealing with credit or debit card information to an elevated level of protection while making it easy to transmit data. A good example of being compliant would be using Secure Sockets Layer (SSL) to protect transactions online. When a company does not meet the minimum PCI requirements, the major credit card companies can fine the banks that process the transactions and even terminate their relationship with them. For example, if Bank of America did not meet PCI compliance, Visa could choose to stop working with them and even fine them. It would be likely that MasterCard, Discover, and American Express would decline to pick up the relationship as well, meaning that Bank of America customers would have to obtain a cashier’s check or money order, or send a check, for online purchases. Many customers would see this as unfavorable and discontinue using Bank of America. For those industries requiring transactions with PCI, taking the few extra steps will undoubtedly save money in the long run, not to mention earn increased trust from customers who know their information is protected. Following the scheduled testing protocols and standards to protect the data, while inconvenient at times, is not something to be trifled with when compared to the hours of customer service and potential loss of revenue.
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 by the United States Congress to protect and secure patient healthcare information. With the HIPAA law enacted, Congress was in essence pushing some standards out to all the different groups in the health industry. They standardized billing and claims while simplifying the administration process. Unfortunately, standardizing these processes made more information available to would-be thieves. So in 2001, Congress stretched its reach with this law to add more safeguards and limit who could actually view health information. “These safeguards dictate that only authorized individuals have access to patient information and only to the information necessary to support a given task” (Snedaker, 2007). It also restricted how health professionals could interact via telephone, voicemail, and printed material. Part of the compliance requirement is giving every patient a waiver stating how the standards are met. Additionally, signatures are required from patients to state that they received the waiver. While the Department of Health and Human Services can impose fines, according to Snedaker’s 2007 book, it has yet to do so. Falling out of compliance with HIPAA seems not to carry many consequences, but certainly it would be in the best interest of healthcare facilities to maintain these standards for the protection of their patients. There is also a possibility that by not meeting the standards, a doctor or medical practitioner could lose credibility, face fines, or face prosecution from the government.
SOX
The Sarbanes-Oxley Act of 2002 got its start from tragedy. Thousands of investors were swindled by large corporations that were not accountable because they had the idea that lying to their investors was more profitable. However, investment has a much broader-reaching influence than just a single company; it affects a nation. With so many people looking at the stock market and trading based on tips and leads, they need to be able to trust what they are seeing. Dishonesty with investors in such ways causes the market to bloat and become unstable. In the end, selfishness got the better of executives from Enron and WorldCom, who, instead of acting responsibly and keeping their companies in check, chose to manipulate and lie their way through the problems they faced. The SOX act was created to foster trust with investors.
SOX is designed to reassure shareholders that their investments are being protected from scandal and deception. To this end, the Act sets forth guidelines that compel companies to provide investors with all of the information that they require to make sound investing decisions. The damaging effects of cheating investors in the past can be rectified in the minds of current investors only if companies portray a consistent and unified commitment to honesty and fairness. SOX was written in the spirit of three key principles: integrity, accuracy, and accountability. (Anand, 2007)
While the SOX act seems far less stringent on compliance standards, it is a needed confidence booster to know that the business one chooses to invest in is honest, accountable, and keeps its books open. According to Anand, failure to comply with these standards is where the rubber meets the road. Not only are the consequences for failing to comply leveled solely on the executive officers of the organization, but they also carry with them fines of up to $1 million and up to 10 years in prison. That does not include potential lawsuits from investors, which would also fall directly onto the executive officers. While SOX standards seem to be easy to comply with, non-compliance with the SOX act could be devastating to those who lead the companies.
Conclusion
As discussed, compliance is a concept of adhering to a set of policies or rules that have been set forth. When a business adheres to such standards, there are great benefits. Conversely, falling outside the acceptable range also carries great risks. When a company adheres to PCI, HIPAA, and SOX standards, it provides some of the very best protection for the consumers of the affected fields, thus also building a bridge of trust between the consumers and itself. Furthermore, the threat of fines and lawsuits, not to mention loss of business, makes failure to comply a potential death sentence for that business. When executives get too caught up in making money, they tend to forget that their number one concern should be caring for their customers, those who got them there in the first place. It is because of scandals in the past, high rates of theft, and the increasing use of electronic media that these measures were enacted in the first place. The bigger picture painted reveals the necessity of compliance and the negatives of non-compliance, but the real winner is not the business or the group setting the standards; it is the people whose information is protected from would-be criminals.

References
Anand, S. (2007). Essentials of Sarbanes-Oxley [Books24x7 version]. Available from http://common.books24x7.com.proxy.cityu.edu/book/id_18058/book.asp
Risk Management, Cardholder Information Security Program. (2011). CISP Overview [Fact sheet]. Retrieved February 15, 2011, from http://usa.visa.com/merchants/risk_management/cisp_overview.html
Snedaker, S. (2007). The Best Damn IT Security Management Book Period [Books24x7 version]. Available from http://common.books24x7.com.proxy.cityu.edu/book/id_25442/book.asp