The Sarbanes-Oxley Act was enacted by the United States Congress in July 2002. It requires publicly traded companies to ensure that they are properly reporting financial information. One of the most critical sections is Section 404, which requires internal control over the creation of financial reports and mandates responsibility for access privileges. This section is crucial for IT organizations to understand and act on.
Companies are expected to prove the following to outside auditors:
- Users are reliably authenticated and authorized before they can access a system, and it is difficult to impersonate a user.
- Users can only perform actions for which they have authority.
- Actions are recorded in an indelible and auditable record.
- Management, specifically the principal officer and principal financial officer, take responsibility for reasonable access privileges and controls.
- Reporting on material changes in the condition and operations of the company is timely and up to date.
The Payment Card Industry Data Security Standard (PCI-DSS) is a brief, pragmatic and very reasonable set of standards intended to guide financial institutions, retailers and other data processors in protecting data about credit cards and their owners. This document describes how identity management and access governance products from Hitachi ID Systems can be used to help organizations comply with PCI-DSS.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) outlines what is required of healthcare organizations to ensure the portability of healthcare coverage and the privacy of patient records. Among other things, HIPAA requires organizations involved in healthcare to:
- Designate one individual in the organization in charge of HIPAA compliance and implementation.
- Train employees to properly and effectively follow privacy measures.
- Take reasonable measures to limit the disclosure of patient health information, including securing electronic access to patient records.
FDA 21 CFR Part 11
Pharmaceutical and other biotech companies are subject to regulation by the Food and Drug Administration (FDA). One of the FDA regulations, regarding electronic signatures and the integrity of electronic systems, is FDA 21 CFR Part 11. Requirements of 21 CFR Part 11 include:
- Controls over who has access to closed systems.
- Audit trails of access rights and actions.
- Run-time authorization over user access to key data and functions.
- Requirements for the use of electronic signatures, including passwords.
GLB - Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act, signed in 1999, applies to financial institutions and securities firms. It requires them to implement strict policies to protect the privacy of customer data. These include:
- Evaluation of current security programs and relationships to recognize risks, and upgrades where required.
- Establishment and enforcement of policies pertaining to user authentication and access control, for both customers and employees.
- Establishment of a program to assess risks to customer data and to protect against such threats.
The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), implemented in 2000, is intended to protect personal information collected in the course of conducting commerce electronically. This act governs the collection, use, retention and disclosure of personal information. It stipulates data security and limits the use of personal data by corporations. Among other things, PIPEDA requires that organizations:
- Designate a person accountable for compliance with the act.
- Be held responsible for the information they control.
- Ensure that personal information is accurate and up to date.
- Protect personal information.