For financial firms, numerous compliance requirements demand baseline controls

Financial organizations face a number of regulatory requirements. To name just a few, there's Federal Financial Institutions Examination Council (FFIEC), the Gramm-Leach Bliley Act (GLBA), state and federal privacy laws, Health Insurance Portability and Accountability Act (HIPAA) -- for insurance and other financial firms handling healthcare data -- and Payment Card Industry Data Security Standard (PCI DSS) for any organization that stores, transmits or processes payment card data.

While each regulation requires certain information be protected, fortunately the security principles and controls they rely on are remarkably consistent. A well-structured security and compliance program can capitalize on this consistency and save an organization from unnecessary complexity and overwhelming cost.

While each regulation has its peculiarities, all regulations require organizations to have a structure in place that addresses the following topics:

Understand the requirements
The first step of any compliance process is to understand the requirements involved, including the intent of the regulations, type of information that needs to be protected and risks affecting that information. HIPAA, PCI DSS, and GLBA all clearly specify the information that needs to be safeguarded. The Sarbanes-Oxley Act (SOX), on the other hand, leaves much open to interpretation -- even with guidance from the Public Company Accounting Oversight Board (PCAOB), which offers guidance to corporate auditors.

Understanding the risks to information in the context of your business is another matter. No standard document can do this for you. To that end, let's look at two examples of how a common approach to addressing requirements that span regulations can ensure more consistent controls and economies of process and technology.

Common requirement: Risk assessment and management
All regulations require organizations to have a risk assessment and

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Compliance and Governance Digest Red Flags Rule compliance How AML compliance applies to remote deposit capture Tokenization and PCI compliance Data governance and classification The PCI compliance case for source code review Identity management for financial firms in turbulent times PCI DSS: Best practices for compliance Red Flag Rules compliance demands a risk-based approach Understanding the impact of new state data protection laws Understanding the FFIEC remote deposit capture guidance Financial services compliance best practices Red Flags Rule compliance Why financials should pay attention to NERC CIP The truth about vendor management Using virtualization for compliance efforts FFIEC releases risk management guidance for remote deposit capture Using an information security council Information security governance using a risk-based approach How I learned to stop worrying and love my compliance department Integrating ethics from top to bottom Partner data privacy: Issuing stricter guidelines FFIEC compliance Red Flags Rule compliance Download presentations from Financial Information Security Decisions 2009 How AML compliance applies to remote deposit capture Swine flu: Pandemic planning wake-up call The truth about vendor management Industry reaction to FFIEC remote deposit capture guidance positive so far, says FDIC official Book chapter: Remote deposit capture risks Understanding the FFIEC remote deposit capture guidance FFIEC releases risk management guidance for remote deposit capture Using the FFIEC Examination handbooks to produce a harmonized audit guide

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary corporate governance  (SearchFinancialSecurity.com) subpoena  (SearchFinancialSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

management process in place. The PCI DSS notes risks and threats in Requirement 12. Maintain an Information Security Policy. Requirement 12.1.2 specifies that organizations have an annual process that identifies threats and vulnerabilities, and which results in a formal risk assessment. This same section further requires risks and policies to be reviewed throughout the year.

HIPAA also requires a formal risk assessment and management process in Section 164.308(a)(1), Security Management Process. The regulation requires that organizations:

While the directive to conduct formal risk assessments is clear, financial organizations trying to comply are hard pressed to understand how to conduct formal risk assessments or implement a risk management program.

Financial organizations that use frameworks like ISO 27002 or COBIT to organize their security and compliance efforts will recognize the same requirements in those standards. Fortunately, the frameworks provide better guidance in implementing risk assessment and emphasize the importance of risk assessment and management in establishing and meeting overall security goals. It can also be helpful to look to a risk management framework like OCTAVE from Carnegie Mellon University as a model to meet the requirements of ISO 27002 and regulations like PCI DSS and HIPAA.

Common requirement: Identity management and access control
One of the guiding principles of all security, and certainly all regulations, is that you must know who has access to what information and what the justification is for that access.

The FFIEC Security Handbook requires financial organizations to have "effective access rights management." Similarly, the PCI DSS (Requirements 7, 8, and 9), HIPAA, and ISO 27002 all require organizations to have:

While the details described in each regulation differ, the basic principles are the same and correspond quite closely to the approach described in the common security frameworks.

The lesson here, as it is above, is that a common approach can help a financial organization become compliant with multiple regulations. The alternative of specific models and mechanisms applied in different compliance domains will not only complicate matters unnecessarily, but it will also be more costly and prone to error.

Compliance programs can address requirements from multiple regulations
Each passing year seems to bring with it additional regulatory requirements. However, most requirements can be met more easily by organizations with good security fundamentals. Recognizing this, financial organizations should structure their security and compliance programs to capitalize on common regulatory requirements approaches. By instituting critical processes like risk management, policy management and training, financial organizations can more easily position themselves to deal with new regulations. Good processes also allow financial organizations to take advantage of tools like identity management, vulnerability management and change control to address compliance requirements across the board.

About the author:
Richard E. "Dick" Mackey is a frequent speaker and contributor to magazines and online publications. He has advised leading financial firms on compliance with PCI, GLBA, and SOX. He has also provided guidance to a wide range of companies on enterprise security architecture, identity and access management, and security policy and governance.