The Integrity News
Vol. XII No. 30
November 18, 2003
November 12, 2003
"The Gramm-Leach-Bliley Act (GLBA) requires
companies in the broadly defined financial services
sector to safeguard customer privacy by protecting
HOWEVER, what all companies are really
grappling with is the "broader climate" of
privacy-related regulations covering both
customers AND EMPLOYEES such as:
Health Insurance Portability and Accountability Act (HIPAA)
California Breach Notification Act (SB 1386)
The Sarbanes-Oxley Act
The Homeland Security Act
The Patriot Act
Visa's Cardholder Information Security Program (VISA CISP)
BS 7799 (Britain)
The Basel Capital Accord II (Europe)
ISO 17799
"The bad news for companies is that the whole list is
quite long, and each one of these regulations can have
significant implications for companies including penalties
up to criminal penalties. The worse news is that companies
can have obligations under several of these regulations
at the same time."
On the other hand, the techniques used to meet one
regulation will help when tackling others.
"There is a burden to be informed, a burden to be
aware." Companies need to perform frequent network
self-assessments and use security testing techniques.
It is a company's responsibility to know whether its information
is secure and being properly used.
"The giant killer requirement is that some of the new
laws require that information security control must be
visible beginning at the Board of Directors level."
"Regulators like to see well-documented security
programs." They also like to see that the personnel
involved in handling the information are well documented.
However, many companies really don't have their
programs committed to writing, and they do not address
both the physical and administrative safeguards.
That is a GLBA No-No.
Some good news is that companies have the latitude
to assess risk in the way that they choose. However,
they must assess risk. To help get there, the article
recommends the following steps as a place to start.
Put access controls on customer information systems.
Put access restrictions at physical locations that contain
Encrypt electronic customer information.
Have written procedures for modifications to systems
containing customer information.
Consider dual control procedures.
Segregate employees' duties.
Do employee Background Checks.
Monitor systems to detect actual/attempted attacks.
Have a systematic response program for any events related
to the misuse of customer information.
Take measures to protect against environmental hazards
that would make the company liable for information leaks.
The reality of the Information Age is that you can lose
your privacy at the speed of light. These new laws are
meant to force organizations to spend the resources
necessary to protect people's information.
Smaller organizations must realize that they are not
immune from these new laws. Even if a smaller company
thinks that it is under the regulator's or examiner's
radar, it must realize that its larger clients are being
examined, and as suppliers, the smaller organizations
will likely have to supply information to complete the
compliance picture for their larger clients.
We suggest that you call The Integrity Center, Inc.
(972) 484-6140 to discuss our online Employee File
offerings. We have made the investment in a fully
integrated online HR Information System (HRIS) so
that our clients don't have to spend the time and money.
The system is easy to use, you can import your files at
any time, and the cost is very low to maintain employee
files and generate required reports. We launched the
HRIS portion of our client interface several years ago
when we took a national survey and found that companies
with up to 1,000 employees were often still using
paper-based personnel files. Their costs to generate
the newly required reports are astronomical.
With our system, you can still have your paper-based
files because the system quickly prints both individual
and group reports. Having all your employee information
online makes it easy for you to check on anything in the
files, at any time, from anywhere. Being able to quickly
and easily generate reports will greatly increase your
productivity and decrease your reporting response times.