Compliance Management Tool Kit - Defines Best Practices

PCI-DSS, Sarbanes-Oxley, HIPAA, GDPR,CCPA, GLAB, COBIT,
and ISO 28000 Compliance Tools

Order Compliance Management Kit  Download Selected Pages

Compliance Management KitNumerous laws and regulatory mandates focus on corporate governance and accountability around sensitive information (specifically financial, non-public information and protected health care information). This has significantly impacted the underlying IT systems that support the applications and repositories holding this sensitive information.

Organizations are continuously looking for help in preventing fraud and protecting sensitive information. The fact that key corporate executives carry personal liability in the event of non-compliance virtually ensures compliance to be a key initiative in any large organizations. Additionally, there are other internal cost-containment requirements that can be effectively met by defining and implementing a sound auditing and compliance methodology. Most corporations agree that compliance leads to better corporate governance and management.

Compliance Process

Compliance Management Toolkit Versions

Janco offers a full range of tools to help enterprises of all sizes to address these issues. The Compliance Management kit provides necessary the infrastructure governance tools.

Compliance Management Governance

In addition to the Compliance Management White Paper we provided the The Compliance Management tool kit in three (3) versions: Silver, Gold, and Platinum.

Compliance Management White Paper

Order

Compliance Management White Paper
  • Compliance Management White Paper - Summarizes mandated compliance requirements and provides a summary level work plan for how to implement Compliance Management policies and procedures.

    White Paper contains a table of manadated record retention periods and a list of all of the states and US possessions with their mandated notification requirements. Updated to include GDPR and CCPA requirement discussion

Compliance Management - Silver Edition

Order

Compliance Management White Paper  Secuirty Audit Program  Secuirty Audit Program  Supply Chain Audit Program  PCI Audit Program  Compliance Job Descriptions
  • Compliance Management White Paper
  • HIPAA Audit Program
  • Security Audit Program - fully editable -- Comes in MS EXCEL and PDF formats -- Meets ISO 27001, 27002, Sarbanes-Oxley, PCI-DSS and HIPAA requirements -- Over 400 unique tasks divided into 11 areas of audit focus which are the divided into 39 separate task groupings including BYOD.
  • Supply Chain ISO 28000 Audit Program -- Comes in MS EXCEL and PDF formats -- Meets ISO mandates
  • PCI Audit Program - Word and PDF
  • Compliance Management Job Descriptions (25 key positions) - Word Format - fully editable and PDF- Chief Compliance Officer (CCO), Chief Data Officer, Chief Mobility Officer, Chief Security Officer, Data Protection Officer, Director Electronic Commerce, Director IT Management and Controls, Director Sarbanes-Oxley Compliance, Manager Blockchain Architecture, Manager BYOD Support, Manager Compliance, Manager E-Commerce, Manager Enterprise Architecture, Manager Internet Systems, Manager Record Administration, Manager Transaction Processing, Manager Video and Website Content, Manager Web Content, Manager Wireless Systems, PCI-DSS Administrator, System Administrators - Linux, System Administrators - Windows, System Administrators - UNIX, Webmaster, and WiFi Network Administrator

Compliance Management - Gold Edition

Order

Compliance Management White Paper  Secuirty Audit Program  Secuirty Audit Program  Supply Chain Audit Pogram  PCI Audit Program  Compliance Job Descriptions  Record Management Policy  Privacy Compliance Policy
  • Compliance Management White Paper
  • HIPAA Audit Program
  • Security Audit Program
  • Supply Chain ISO 28000 Audit Program
  • PCI Audit Program
  • Compliance Management Job Descriptions (25 key positions)
  • Record Classification and Management Policy - Word - Policy which complies with mandated US, EU, and ISO requirements
  • Privacy Compliance Policy that address the EU's GDPR and the latest California Consumer Privacy Act

Compliance Management - Platinum Edition

Order

Compliance Management White Paper  Secuirty Audit Program  Secuirty Audit Program  Supply Chain Audit Program  PCI Audit Program  Compliance Job Descriptions  Record Management Policy  Privacy Compliance Policy  Security Manual
  • Compliance Management White Paper
  • HIPAA Audit Program
  • Security Audit Program
  • Supply Chain ISO 28000 Audit Program
  • PCI Audit Program
  • Compliance Management Job Descriptions (25 key positions)
  • Record Classification and Management
  • Privacy Compliance Policy that address the EU's GDPR and the latest California Consumer Privacy Act
  • Security Manual Template - Word - 240 plus packed pages which are usable as is. Over 3,000 companies worldwide have chosen this as the basis for their best practices to meet mandated US, EU and ISO requirements

Federal and state government regulations (see state compliance requirements) can be a big problem for today's organizations. There are more than 100 such regulations in the U.S. alone, and that number continues to grow. These are in addition to industry-specific mandates. They are all designed to safeguard the confidentiality, integrity, and availability of electronic data from information security breaches. So, what are the consequences if your organization fails to comply? Heavy fines and legal action. In short, it's serious.

Exposure for non-Compliance

Regulation

Penalty

Fine

GLBA

10 Years Prison

$1,000,000

HIPAA

10 Years Prison

$100 per occurrence maximum of $25,000 per year

SOX 10 Years Prison $15,000,000

Sec Rule 17a-4

Suspension

$1,000,000

GDPR

none

€10 million, or 2% of the worldwide annual revenue
to
€20 million, or 4% of the worldwide annual revenue

CCPA

none

$7,500 per record no cap

State Notification Laws

The graphic clearly depicts the magnitude of the current situation and the table provided by The National Conference of State Legislatures includes links to the individual states.The Security Manual Template address each of these mandate requirements.

Regulation

Gramm-Leach-Bliley Act (GLBA)

Financial services regulations on information security, initiated by the, require financial institutions in the United States to create an information security program to:

  • Ensure the security and confidentiality of customer information;
  • Protect against any anticipated threats or hazards to the security or integrity of such information; and
  • Protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer

Health Insurance Portability and Accountability Act (HIPAA)

Under the new American Recovery and Reinvestment Act of 2009, there are new rules that affect the health care industry and those entities that might handle process or maintain personal health information. The new rules revolve around two primary areas:

  • The mandated adoption of new electronic health record systems (and standards, controls and protections around that adoption)
  • The expansion of breach notification rules concerning personal health records. If is the Recovery Act raises any concerns, it is that these new rules outlined in the Act clearly must coexist with the 1996 HIPAA law.

HIPAA security rules did not address the security of Protected Health Information (PHI) by all entities that might handle or process protected health information; specifically, it did not address the electronic health records, aggregators, personal health record (PHR) vendors, and processors that are addressed by the Recovery Act. While the Recovery Act tries to recognize and address the boundaries between the Recovery Act and HIPAA, some in the industry express concern that the next steps are unclear and have doubts that the Recovery Act will be flexible enough to address the business structures that it will create.

SOX (Sarbanes - Oxley) and Other SEC rules

The Securities and Exchange Commission (SEC) has mandated requirements defined for broker-dealers to store required records in electronic form. Under the rule, electronic records must be preserved exclusively in a non-rewriteable and non-erasable format. This interpretation clarifies that broker-dealers may employ a storage system that prevents alteration or erasure of the records for their required retention period.

SEC rules 17a-3 and 17a-4  specify the type of data records for securities transactions to be created and maintained by broker-dealers.

  • SEC Rule 17a-3 requires broker-dealers to make certain records, including trade blotters, asset and liability ledgers, income ledgers, customer account ledgers, securities records, order tickets, trade confirmations, trial balances and various employment related documents.
  • SEC Rule 17a-4 specifies the manner and length of time that the records maintained by broker-dealers must be preserved.

Together, these rules require

  • Written and enforceable retention policies
  • Storage of data on indelible, non-rewriteable media
  • Searchable index of all stored data
  • Readily retrievable and viewable data
  • Storage of data off site

The Payment Card Industry Data Security Standard (PCI-DSS)

PCI-DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. The PCI DSS was developed to help facilitate the broad adoption of consistent data security measures on a global basis. This comprehensive standard is intended to help enterprises pro actively protect customer account data, and will be continually enhanced as needed to ensure that the standard includes any new or modified requirements necessary to mitigate emerging payment security risks.

PCI DSS applies to all enterprises that store, process or transmit cardholder data, and provides guidance for software developrs and manufacturers of applications and devices used in those transactions. The PCI Security Standards Council is responsible for managing the security standards, while compliance with the PCI is enforced by the founding members of the Council -- American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc.

While the PCI DSS is specific to applications and systems that store, process, or transmit payment card data, the standard is derived from industry best practices applicable to many regulations and industry standards. Consequently, many enterprises may find benefit in implementing the controls required to achieve compliance with PCI DSS in areas outside of their payment card environment. By establishing an enterprise-wide framework and standards for implementing controls, organizations will benefit by attaining compliance in other areas of their business where they are subject to regulation or wish to meet industry standards.

PCI DSS applies to any organization that accepts, stores or processes payment cards of any type and is a comprehensive checklist of actions these organizations must take to improve the security of global payment systems. Although the adoption of PCI DSS by an organization will most likely improve its security posture, being compliant with the PCI DSS does not ensure the organization is secure.

See Also Government Control of Internet

Order Compliance Management Kit  Download Selected Pages