
Legal and Regulatory Consulting

A Gap Analysis provides a comprehensive analysis of, and benchmarking against, a commonly accepted standard or regulatory mandate. The Critical Defence Risk Management Group identifies your organization's deficiencies against a standard and provides a roadmap for remediation to bring the organization into compliance with that standard.

Critical Defence provides meaningful gap analyses and consulting services for numerous legal, regulatory and industry-specific mandates and standards, including but not limited to the following:
- HIPAA
HIPAA (the Health Insurance Portability and Accountability Act of 1996) was designed to "amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes." HIPAA is very complex, and so are the privacy and security initiatives that must occur to reach and maintain HIPAA compliance.
http://bphc.hrsa.gov/hipaa/default.htm
- NERC
All entities responsible for planning, operating, and using the bulk electric system must comply with NERC reliability standards. Under the present system for maintaining reliability, industry compliance is mandatory but not yet enforceable; thus NERC has largely been limited to conducting compliance reviews. The law contains provisions that will make compliance with NERC standards mandatory and enforceable. NERC is now working with industry and government to implement the reliability provisions of that law.
http://www.nerc.com
- ISO-27K
ISO-27K (International Standard Organization Standard 27K) is a series of leading IT security standards that have been adopted across numerous vertical markets. The ISO-27K standards, the Code of Practice for Information Security Management, form an international standard that provides a best-practices framework for implementing security controls and gives recommendations on information security management for use by those responsible for initiating, documenting, implementing or maintaining security within their organization.
http://www.iso.org
- BS7799
BS7799 (British Standard 7799) is a leading IT security standard in Europe and was the original standard from which ISO-17799 and the later ISO-27K series of standards were derived. BS7799 has also been adopted across numerous verticals. The British Standard 7799, BS7799, is one of the most widely recognized security standards in the world. BS7799 (ISO17799) is comprehensive in its coverage of security issues. It contains a significant number of control requirements, some extremely complex. Compliance with BS7799 is consequently a far from trivial task, even for the most security-conscious of organizations. Full certification can be even more daunting.
http://www.riskserver.co.uk/bs7799
- FFIEC/FDIC/OCC/NCUA/FRB
The FFIEC (Financial Institutions Examination Council) is an interagency governing body specific to financial services, established on March 10, 1979, pursuant to title X of the Financial Institutions Regulatory and Interest Rate Control Act of 1978 (FIRA), Public Law 95-630. In 1989, title XI of the Financial Institutions Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Appraisal Subcommittee (ASC) within the Examination Council. The Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS), and to make recommendations to promote uniformity in the supervision of financial institutions.
http://www.ffiec.gov
- PCI
PCI (Payment Card Industry Standard) is the credit card industry standard. In order to reduce the risks of credit card theft and fraud, both VISA and MasterCard have set forth proactive account data security programs involving extensive security audits of select Merchants, Payment Service Providers (PSPs) and Processors. These ongoing security review programs recognize that security is a process, not a static implementation. They aim to better understand the trends and evolution of IT risks while minimizing the risk of account data compromise. The Payment Card Industry Data Security Standard, introduced in January 2005, incorporates 12 core security requirements drawn from Visa's Cardholder Information Security Program and the scanning requirements from MasterCard's Site Data Protection Program.
http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html
- FERPA
FERPA (Family Educational Rights and Privacy Act) is an education-specific regulatory mandate. The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. FERPA gives parents certain rights with respect to their children's education records.
http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html
- Basel II
The new Basel Capital Accord gives banks the opportunity to reduce their economic capital and regulatory capital through efficient data management and reporting. Basel II also provides a unique opportunity for banks to modernize and upgrade their risk practices, policies and technology so that they can manage their credit risk, market risk and operational risk in a holistic fashion.
http://www.bis.org/publ/bcbs107.htm
- GLBA
GLBA (Gramm-Leach-Bliley) Sensitive private data, including bank balances and account numbers, is regularly bought and sold by banks, credit card companies, and other financial institutions. The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, provides limited privacy protections against the sale of your private financial information. Additionally, the GLBA codifies protections against pretexting, the practice of obtaining personal information through false pretenses.
http://www.ftc.gov/privacy/glbact
- SOX
SOX (Sarbanes-Oxley) is a regulatory standard that must be adopted by any publicly held organization. SOX Section 404 is the IT-specific area of the standard. The Sarbanes-Oxley Act was signed into law on 30 July 2002 and introduced highly significant legislative changes to financial practice and corporate governance regulation. It introduced stringent new rules with the stated objective "to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws". The Sarbanes-Oxley Act itself is organized into eleven titles. Although sections 302, 404, 401, 409, 802 and 906 are the most significant with respect to compliance, Section 404 seems to cause the greatest amount of concern.
http://www.aicpa.org/info/sarbanes_oxley_summary.htm
- CIPA
The Children's Internet Protection Act (CIPA) is a federal law enacted by Congress in December 2000 to address concerns about access to offensive content over the Internet on school and library computers. CIPA imposes certain types of requirements on any school or library that receives funding support for Internet access or internal connections from the E-rate program, a program that makes certain technology more affordable for eligible schools and libraries. In early 2001, the Federal Communications Commission (FCC) issued rules implementing CIPA.
http://www.fcc.gov/cgb/consumerfacts/cipa.html
- SAS 70
SAS 70, Statement on Auditing Standards (SAS) No. 70, Service Organizations, is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). A SAS 70 audit or service auditor's examination is widely recognized because it represents that a service organization has been through an in-depth audit of its control activities, which generally include controls over information technology and related processes. In today's global economy, service organizations or service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. In addition, the requirements of Section 404 of the Sarbanes-Oxley Act of 2002 make SAS 70 audit reports even more important to the process of reporting on effective internal controls at service organizations.
http://www.sas70.com/index2.htm
- COPPA
COPPA (Children's Online Privacy Protection Act) The primary goal of the Children's Online Privacy Protection Act (COPPA) is to give parents control over what information is collected from their children online and how such information may be used.
http://www.ftc.gov/privacy/privacyinitiatives/childrens.html
- CIP
CIP is the Critical Infrastructure Protection Program. Critical infrastructures are the complex and highly interdependent systems, networks, and assets that provide the services essential to our daily life. They are currently organized into the following 17 critical infrastructure and key resource (CI/KR) sectors: Banking and Finance; Chemical; Commercial Facilities; Commercial Nuclear Reactors, Materials, and Waste; Dams; Defense Industrial Base; Drinking Water and Wastewater Treatment Systems; Emergency Services; Energy; Food and Agriculture; Government Facilities; Information Technology; National Monuments and Icons; Postal and Shipping; Public Health and Healthcare; Telecommunications; and Transportation Systems. The Energy, Telecommunications, Transportation, and Water Sectors represent just a few of the basic services that we continually rely on day after day, services that enable us to heat or cool our homes, talk to one another over the telephone, travel to work, and even have clean water to drink. With our increasing dependence upon critical infrastructure comes an unavoidable expansion in complexity as these sectors seek to build upon their already stretched capacity to provide new services and products to a growing population.
http://cipp.gmu.edu/clib/pubChronology.php
- FISMA
The Federal Information Security Management Act (FISMA) is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002. Its purpose is to bolster computer and network security within the federal government and affiliated parties (such as government contractors) by mandating yearly audits. FISMA permanently authorized and strengthened the information security program, evaluation, and reporting requirements that were first introduced by the Government Information Security Reform Act of 2000 (GISRA). Frustrated with the limited progress agencies were making to comply with GISRA, Congress replaced it with FISMA. FISMA does not address technical specifications, but rather senior management responsibility, including the Chief Information Security Officer (CISO) and the head of the agency. Agencies must show how the overall information security strategy and budget fit in with the general mission and goals of the agency.
http://csrc.nist.gov/sec-cert/index.html
- FSA
The FSA has been the single regulator for financial services in the UK since December 2001, when it was given statutory powers by the Financial Services and Markets Act 2000 (FSMA). The FSA has a wide range of rule-making, investigatory and enforcement powers to enable it to meet four statutory objectives, summarised as one overall aim: to promote efficient, orderly and fair markets and to help retail consumers achieve a fair deal.
http://www.fsa.gov.uk/Pages/about/index.shtml
- EUD
The European Union Directive is a set of privacy requirements that took effect in 1998 and ordered European member nations to enact compliant legislation. It deals with the establishment of Data Protection Authorities, people's rights to personal information, and enforcement.
www.cdt.org/privacy/eudirective/EU_Directive_.html