
Government Control of Internet


Cutting off of Internet service struck a blow to outsourcing and Internet portability

Government Control of Internet. With civil disturbances and the cutting off of Internet services in the Middle East, many business continuity managers are starting to rethink the assumptions behind their outsourcing and disaster planning processes. For example, HP was seriously impacted by the Egyptian government's decision because it delivered a broad portfolio of information technology outsourcing services from Egypt to clients in the manufacturing, financial services, communications, transportation, and consumer and retail industries and to governments around the world. In 2009, Egypt cracked the list of the 30 top countries for outsourcing.

The cutting off of Internet services by the government of Egypt struck a blow to the outsourcing industry. It added a new level of risk that enterprises must assess and plan for when they outsource outside of major developed countries.

From a broader perspective Australia in recent years set up a "firewall" around its Internet, with the intention of blacklisting child pornography Web sites. But a list of the blocked sites showed that the Australian government was censoring more than porn: The blacklist contained religious and political Web sites.

In the US, the Protecting Cyberspace as a National Asset Act, which is being pushed hard by Senator Joe Lieberman, would hand absolute power to the federal government to close down networks, and block incoming Internet traffic under a declared national emergency.

Section 249: If the President determines there is a credible threat to exploit cyber vulnerabilities of the covered critical infrastructure, the President may declare a national cyber emergency, with notification to Congress and owners and operators of affected covered critical infrastructure. The notification must include the nature of the threat, the reason existing security measures are deficient, and the proposed emergency measures needed to address the threat. If the President exercises this authority, the Director of the NCCC will issue emergency measures necessary to preserve the reliable operation of covered critical infrastructure. Any emergency measures issued under this section will expire after 30 days unless the Director of the NCCC or the President affirms in writing that the threat still exists or the measures are still needed. . .

In addition, the Combating Online Infringement and Counterfeits Act (COICA) was introduced in Congress by Sen. Patrick Leahy (D-VT). It would have granted the federal government the power to block access to any Web domain that is found to host "copyrighted" material without permission. Opponents note that the powers given the government under the bill are very broad. It could theoretically block access to all of YouTube, whether or not particular material being accessed infringes copyright.

Free speech advocates argue that Internet censorship laws are inevitably used for purposes other than the ones claimed by lawmakers.

Existing Legislation

Numerous laws and regulatory mandates focus on corporate governance and accountability around sensitive information (specifically financial, non-public information and protected health care information). This has significantly impacted the underlying IT systems that support the applications and repositories holding this sensitive information. Organizations are continuously looking for help in preventing fraud and protecting sensitive information. The fact that key corporate executives carry personal liability in the event of non-compliance virtually ensures that compliance is a key initiative in any large organization. Additionally, there are other internal cost-containment requirements that can be effectively met by defining and implementing a sound auditing and compliance methodology. Most corporations agree that compliance leads to better corporate governance and management.

Federal and state government regulations (see state compliance requirements) can be a big problem for today's organizations. There are more than 100 such regulations in the U.S. alone, and that number continues to grow. These are in addition to industry-specific mandates. They are all designed to safeguard the confidentiality, integrity, and availability of electronic data from information security breaches. So, what are the consequences if your organization fails to comply? Heavy fines and legal action. In short, it's serious.

Exposure for non-Compliance

Regulation        Penalty            Fine
GLBA              10 Years Prison    $1,000,000
HIPAA             10 Years Prison    $100 per occurrence, maximum of $25,000 per year
SOX               10 Years Prison    $15,000,000
SEC Rule 17a-4    Suspension         $1,000,000

Gramm-Leach-Bliley Act (GLBA)

Financial services regulations on information security, initiated by the, require financial institutions in the United States to create an information security program to:

  • Ensure the security and confidentiality of customer information;
  • Protect against any anticipated threats or hazards to the security or integrity of such information; and
  • Protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer

Health Insurance Portability and Accountability Act (HIPAA)

Under the new American Recovery and Reinvestment Act of 2009, there are new rules that affect the health care industry and those entities that might handle, process or maintain personal health information. The new rules revolve around two primary areas:

  • The mandated adoption of new electronic health record systems (and standards, controls and protections around that adoption)
  • The expansion of breach notification rules concerning personal health records. If the Recovery Act raises any concerns, it is that these new rules outlined in the Act clearly must coexist with the 1996 HIPAA law.

HIPAA security rules did not address the security of Protected Health Information (PHI) by all entities that might handle or process protected health information; specifically, it did not address the electronic health records, aggregators, personal health record (PHR) vendors, and processors that are addressed by the Recovery Act. While the Recovery Act tries to recognize and address the boundaries between the Recovery Act and HIPAA, some in the industry express concern that the next steps are unclear and have doubts that the Recovery Act will be flexible enough to address the business structures that it will create.

SOX (Sarbanes-Oxley) and Other SEC rules

The Securities and Exchange Commission (SEC) has mandated requirements defined for broker-dealers to store required records in electronic form. Under the rule, electronic records must be preserved exclusively in a non-rewriteable and non-erasable format. This interpretation clarifies that broker-dealers may employ a storage system that prevents alteration or erasure of the records for their required retention period.

SEC rules 17a-3 and 17a-4 specify the type of data records for securities transactions to be created and maintained by broker-dealers.

  • SEC Rule 17a-3 requires broker-dealers to make certain records, including trade blotters, asset and liability ledgers, income ledgers, customer account ledgers, securities records, order tickets, trade confirmations, trial balances and various employment related documents.
  • SEC Rule 17a-4 specifies the manner and length of time that the records maintained by broker-dealers must be preserved.

Together, these rules require

  • Written and enforceable retention policies
  • Storage of data on indelible, non-rewriteable media
  • Searchable index of all stored data
  • Readily retrievable and viewable data
  • Storage of data off site

The Payment Card Industry Data Security Standard (PCI-DSS)

PCI-DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. The PCI DSS was developed to help facilitate the broad adoption of consistent data security measures on a global basis. This comprehensive standard is intended to help enterprises proactively protect customer account data, and will be continually enhanced as needed to ensure that the standard includes any new or modified requirements necessary to mitigate emerging payment security risks.

PCI DSS applies to all enterprises that store, process or transmit cardholder data, and provides guidance for software developers and manufacturers of applications and devices used in those transactions. The PCI Security Standards Council is responsible for managing the security standards, while compliance with the PCI DSS is enforced by the founding members of the Council -- American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc.

While the PCI DSS is specific to applications and systems that store, process, or transmit payment card data, the standard is derived from industry best practices applicable to many regulations and industry standards. Consequently, many enterprises may find benefit in implementing the controls required to achieve compliance with PCI DSS in areas outside of their payment card environment. By establishing an enterprise-wide framework and standards for implementing controls, organizations will benefit by attaining compliance in other areas of their business where they are subject to regulation or wish to meet industry standards.

PCI DSS applies to any organization that accepts, stores or processes payment cards of any type and is a comprehensive checklist of actions these organizations must take to improve the security of global payment systems. Although the adoption of PCI DSS by an organization will most likely improve its security posture, being compliant with the PCI DSS does not ensure the organization is secure.

Compliance Management Toolkit Versions

Janco offers a full range of tools to help enterprises of all sizes to address these issues. The Compliance Management kit provides the infrastructure tools necessary to address these mandated requirements.

In addition to the Compliance Management White Paper, we provide the Compliance Management tool kit in three (3) versions: Silver, Gold, and Platinum.

Compliance Management White Paper

  • Compliance Management White Paper - Summarizes mandated compliance requirements and provides a summary level work plan for how to implement Compliance Management policies and procedures.

    White Paper contains a table of mandated record retention periods and a list of all of the states and US possessions with their mandated notification requirements. Updated to include GDPR and CCPA requirement discussion.

Compliance Management - Silver Edition

  • Compliance Management White Paper
  • HIPAA Audit Program
  • Security Audit Program - fully editable -- Comes in MS EXCEL and PDF formats -- Meets ISO 27001, 27002, Sarbanes-Oxley, PCI-DSS and HIPAA requirements -- Over 400 unique tasks divided into 11 areas of audit focus, which are then divided into 39 separate task groupings including BYOD.
  • Supply Chain ISO 28000 Audit Program -- Comes in MS EXCEL and PDF formats -- Meets ISO mandates
  • PCI Audit Program - Word and PDF
  • Compliance Management Job Descriptions (25 key positions) - Word Format - fully editable and PDF- Chief Compliance Officer (CCO), Chief Data Officer, Chief Mobility Officer, Chief Security Officer, Data Protection Officer, Director Electronic Commerce, Director IT Management and Controls, Director Sarbanes-Oxley Compliance, Manager Blockchain Architecture, Manager BYOD Support, Manager Compliance, Manager E-Commerce, Manager Enterprise Architecture, Manager Internet Systems, Manager Record Administration, Manager Transaction Processing, Manager Video and Website Content, Manager Web Content, Manager Wireless Systems, PCI-DSS Administrator, System Administrators - Linux, System Administrators - Windows, System Administrators - UNIX, Webmaster, and WiFi Network Administrator

Compliance Management - Gold Edition

  • Compliance Management White Paper
  • HIPAA Audit Program
  • Security Audit Program
  • Supply Chain ISO 28000 Audit Program
  • PCI Audit Program
  • Compliance Management Job Descriptions (25 key positions)
  • Record Classification and Management Policy - Word - Policy which complies with mandated US, EU, and ISO requirements
  • Privacy Compliance Policy that addresses the EU's GDPR and the latest California Consumer Privacy Act

Compliance Management - Platinum Edition

  • Compliance Management White Paper
  • HIPAA Audit Program
  • Security Audit Program
  • Supply Chain ISO 28000 Audit Program
  • PCI Audit Program
  • Compliance Management Job Descriptions (25 key positions)
  • Record Classification and Management
  • Privacy Compliance Policy that addresses the EU's GDPR and the latest California Consumer Privacy Act
  • Security Manual Template - Word - 240 plus packed pages which are usable as is. Over 3,000 companies worldwide have chosen this as the basis for their best practices to meet mandated US, EU and ISO requirements
