What Is Your Scope of Compliance?

Unified Compliance Framework put together this list of compliance requirements and regulatory schemes that may need to be part of your compliance program.

Below is a long list of regulatory schemes that may need to be part of your compliance framework:

Sarbanes Oxley Guidance

  • Sarbanes-Oxley Act (SOX)
  • PCAOB Auditing Standard No. 2
  • AICPA SAS 94
  • AICPA/CICA Privacy Framework
  • AICPA Suitable Trust Services Criteria
  • Retention of Audit and Review Records, SEC 17 CFR 210.2-06
  • Controls and Procedures, SEC 17 CFR 240.15d-15
  • Reporting Transactions and Holdings, SEC 17 CFR 240.16a-3
  • COSO Enterprise Risk Management (ERM) Framework
  • OMB Circular A-123 Management’s Responsibility for Internal Control
  • Securities Exchange Act of 1934
  • Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control
  • PCAOB Audit Standard No. 3
  • PCAOB Audit Standard No. 5
  • SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
  • SAS 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained

Banking and Finance Guidance

  • Basel II: International Convergence of Capital Measurement and Capital Standards – A Revised Framework
  • BIS Sound Practices for the Management and Supervision of Operational Risk
  • Gramm-Leach-Bliley Act (GLB)
  • Standards for Safeguarding Customer Information, FTC 16 CFR 314
  • Privacy of Consumer Financial Information, FTC 16 CFR 313
  • Safety and Soundness Standards, Appendix of OCC 12 CFR 30
  • FFIEC IT Examination Handbook – Information Security
  • FFIEC IT Examination Handbook – Development and Acquisition
  • FFIEC IT Examination Handbook – Business Continuity Planning
  • FFIEC IT Examination Handbook – Audit
  • FFIEC IT Examination Handbook – Management
  • FFIEC IT Examination Handbook – Operations
  • ACH (Automated Clearing House) Operating Rules OCC Bulletin 2004-58
  • Bank Secrecy Act (aka Currency and Foreign Transaction Reporting Act)
  • Check 21 (Check Clearing for the 21st Century) Act
  • FCRA (Fair Credit Reporting Act)
  • FDIC and FFIEC Guidance on Authentication in an Internet Banking Environment
  • FFIEC IT Examination Handbook – Outsourcing Technology Services
  • FFIEC IT Examination Handbook – Supervision of Technology Service Providers
  • FFIEC IT Examination Handbook – Wholesale Payment Systems
  • FFIEC IT Examination Handbook – Retail Payment Systems
  • FFIEC IT Examination Handbook – E-Banking

NASD NYSE Guidance

  • NASD Manual
  • Recordkeeping rule for securities exchanges, SEC 17 CFR 240.17a-1
  • Records to be made by certain exchange members SEC 17 CFR 240.17a-3
  • Records to be preserved by certain exchange members SEC 17 CFR 240.17a-4
  • Recordkeeping SEC 17 CFR 240.17Ad-6
  • Record retention SEC 17 CFR 240.17Ad-7
  • NYSE Listed Company Manual
  • Securities Act of 1933
  • Part II Securities and Exchange Commission 17 CFR Parts 210, 228, 229 and 240 Amendments to Rules Regarding Management’s Report on Internal Control Over Financial Reporting; Final Rule

Healthcare and Life Science Guidance

  • HIPAA (Health Insurance Portability and Accountability Act)
  • HIPAA HCFA Internet Security Policy
  • Introductory Resource Guide for HIPAA NIST (800-66)
  • CMS Core Security Requirements (CSR)
  • CMS Information Security Acceptable Risk Safeguards (ARS)
  • SYSTEM SECURITY PLANS (SSP) METHODOLOGY
  • CMS Info Security Business Risk Assessment
  • CMS Business Partners Systems Security Manual
  • FDA Electronic Records; Electronic Signatures FDA 21 CFR Part 11+D1

Energy Guidance

  • FERC Security Program for Hydropower Projects
  • North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards

Payment Card Guidance

  • PCI DSS (Payment Card Industry Data Security Standard) 1.1 [Redacted: Q3 07]
  • Payment Card Industry (PCI) Data Security Standard Security Audit Procedures 1.1 [Redacted: Q3 08]
  • Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures Version 1.2 [Released: Q4 08]
  • PCI DSS Security Scanning Procedures [Released: Q3 07]
  • Payment Card Industry (PCI) Payment Application Data Security Standard 1.1 [Redacted: Q3 08]
  • MasterCard Wireless LANs – Security Risks and Guidelines [Released: Q3 07]
  • Payment Card Industry Self-Assessment Questionnaire A [Released: Q4 07]
  • Payment Card Industry Self-Assessment Questionnaire B [Released: Q4 07]
  • Payment Card Industry Self-Assessment Questionnaire C [Released: Q4 07]
  • Payment Card Industry Self-Assessment Questionnaire D [Released: Q4 07]
  • VISA CISP: What to Do If Compromised [Released: Q3 07]
  • Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance No Electronic Storage, Processing, or Transmission of Cardholder Data Version 1.2 October 2008 [Released: Q4 08]
  • VISA Incident Response Procedure for Account Compromise [Released: Q3 07]
  • Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines or Stand-alone Dial-out Terminals Only, no Electronic Cardholder Data Storage Version 1.2 October 2008 [Released: Q4 08]
  • Visa Payment Application Best Practices (PABP) [Redacted: Q4 07]
  • Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage Version 1.2 October 2008 [Released: Q4 08]
  • VISA E-Commerce Merchants Guide to Risk Management [Released: Q3 08]
  • Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers Version 1.2 October 2008 [Released: Q4 08]
  • MasterCard Electronic Commerce Security Architecture Best Practices [Released: Q3 07]
  • American Express Data Security Standard (DSS) [Released: Q3 07]
  • BBB Online Code of Business Practices [Released: Q3 07]

US Federal Security Guidance

  • FTC Electronic Signatures in Global and National Commerce Act (ESIGN) [Released: Release 1]
  • Uniform Electronic Transactions Act (UETA) [Released: Release 1]
  • FISMA (Federal Information Security Management Act) [Released: Release 1]
  • FISCAM (Federal Information System Controls Audit Manual) [Released: Release 1]
  • FIPS 140-2, Security Requirements for Cryptographic Modules [Released: Release 1]
  • FIPS 191, Guideline for the Analysis of LAN Security [Released: Release 1]
  • FIPS 199, Standards for Security Categorization of Federal Information and Information Systems [Released: Release 1]
  • FIPS 200, Minimum Security Requirements for Federal Information and Information Systems [Released: Q3 07]
  • Clinger-Cohen Act (Information Technology Management Reform Act) [Released: Release 1]
  • DoD 5220.22-M, National Industrial Security Program Operating Manual [Released: Q3 07]
  • The National Strategy to Secure Cyberspace [Released: Release 1]
  • GAO Financial Audit Manual [Released: Release 1]
  • Standard for Electronic Records Management Software, DOD 5015.2 [Released: Release 1]
  • Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Reform Committee, United States House of Representatives [Released: Release 1]
  • CISWG Information Security Program Elements [Released: Q3 07]
  • Appendix III to OMB Circular No. A-130: Security of Federal Automated Information Resources [Released: Release 1]
  • NCUA Guidelines for Safeguarding Member Information, 12 CFR 748 [Released: Release 1]
  • CT-PAT Best Practices Guide [Released: Q4 07]
  • US Export Administration Regulations [Released: Q4 07]
  • US The International Traffic in Arms Regulations [Released: Q4 07]

US Internal Revenue Guidance

  • IRS Revenue Procedure: Retention of books and records, 97-22 [Released: Release 1]
  • IRS Revenue Procedure: Record retention: automatic data processing, 98-25 [Released: Release 1]
  • IRS Internal Revenue Code Section 501(c)(3) [Released: Release 1]

Records Management Guidance

  • Federal Rules of Civil Procedure [Released: Release 1]
  • Uniform Rules of Evidence [Released: Release 1]
  • ISO 15489-1, Information and Documentation: Records management: General [Released: Release 1]
  • ISO 15489-2, Information and Documentation: Records management: Guidelines [Released: Release 1]
  • The DIRKS Manual: A Strategic Approach to Managing Business Information [Released: Release 1]
  • The Sedona Principles Addressing Electronic Document Production [Released: Release 1]
  • 16 CFR Part 682 Disposal of consumer report information and records [Released: Q3 08]

NIST Guidance

  • Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14 [Released: Release 1]
  • Developing Security Plans for Federal Information Systems, NIST SP 800-18 [Released: Release 1]
  • Security Self-Assessment Guide, NIST SP 800-26 [Released: Release 1]
  • Risk Management Guide, NIST SP 800- 30 [Released: Release 1]
  • Underlying Technical Models for Information Technology Security [Released: Release 1]
  • Contingency Planning Guide for Information Technology Systems, NIST SP 800-34 [Released: Release 1]
  • Creating a Patch and Vulnerability Management Program, NIST SP 800-40 [Released: Release 1]
  • Guidelines on Firewalls and Firewall Policy, NIST SP 800-41 [Released: Release 1]
  • Recommended Security Controls for Federal Information Systems, NIST SP 800-53 [Released: Release 1]
  • Guide for Mapping Types of Information and Information Systems to Security Categories, NIST SP 800-60 [Released: Release 1]
  • Computer Security Incident Handling Guide, NIST SP 800-61 [Released: Release 1]
  • Security Considerations in the Information System Development Life Cycle, NIST SP 800-64 [Released: Release 1]
  • Guide for Developing Performance Metrics for Information Security, NIST SP 800-80 [Released: Q4 07]
  • Security Metrics Guide for Information Technology Systems, NIST SP 800-55 [Released: Q4 07]
  • Guide for Assessing the Security Controls in Federal Information Systems, NIST 800-53A [Released: Q3 08]
  • Performance Measurement Guide for Information Security, NIST 800-55 Rev. 1 [Released: Q4 08]

ISO Guidance

  • ISO 73:2002, Risk Management – Vocabulary [Released: Release 1]
  • ISO 17799:2000, Code of Practice for Information Security Management [Released: Release 1]
  • ISO 17799:2005 Code of Practice for Information Security Management [Released: Q1 08]
  • ISO 27001:2005, Information Security Management Systems – Requirements [Released: Q1 08]
  • ISO/IEC 20000-12:2005 Information technology – Service Management Part 1 [Released: Release 1]
  • ISO/IEC 20000-2:2005 Information technology – Service Management Part 2 [Released: Release 1]
  • ISO/IEC 15408-1:2005 Common Criteria for Information Technology Security Evaluation Part 1 [Released: Q1 08]
  • ISO/IEC 15408-2:2005 Common Criteria for Information Technology Security Evaluation Part 2 [Released: Q1 08]
  • ISO/IEC 15408-3:2005 Common Criteria for Information Technology Security Evaluation Part 3 [Released: Q1 08]
  • ISO/IEC 27002-2005 Code of practice for information security management [Released: Q1 08]
  • ISO/IEC 18045:2005 Common Methodology for Information Technology Security Evaluation Part 3 [Released: Q3 08]
  • ISO 13335-1:2004, Information technology — Security techniques — Management of information and communications technology security — Part 1: Concepts and models for information and communications technology security management [Released: Q1 08]
  • ISO 13335-3:1998, Information technology — Guidelines for the management of IT Security — Part 3: Techniques for the management of IT Security [Released: Q1 08]
  • ISO 13335-4:2000, Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards [Released: Q1 08]
  • ISO 13335-5:2001, Information technology — Guidelines for the management of IT Security — Part 5: Management guidance on network security [Released: Q1 08]

ITIL Guidance

  • OGC ITIL: Planning to Implement Service Management [Released: Release 1]
  • OGC ITIL: ICT Infrastructure Management [Released: Release 1]
  • OGC ITIL: Service Delivery [Released: Release 1]
  • OGC ITIL: Service Support [Released: Release 1]
  • OGC ITIL: Application Management [Released: Release 1]
  • OGC ITIL: Security Management [Released: Release 1]
  • CobiT 3rd Edition [Redacted: Release 1]
  • CobiT 4.1 [Released: Release 1]
  • ISACA IS Standards, Guidelines, and Procedures for Auditing and Control Professionals [Released: Release 1]
  • Disaster / Emergency Management and Business Continuity, NFPA 1600 [Released: Release 1]
  • ISF Standard of Good Practice for Information Security [Redacted: Release 1]
  • ISF Security Audit of Networks [Released: Release 1]
  • A Risk Management Standard, jointly issued by AIRMIC, ALARM, and IRM [Released: Release 1]
  • Business Continuity Institute (BCI) Good Practice Guidelines [Released: Release 1]
  • ISSA Generally Accepted Information Security Principles (GAISP) [Released: Release 1]
  • CERT Operationally Critical Threat, Asset & Vulnerability Evaluation (OCTAVE) [Released: Release 1]
  • The GAIT Methodology [Released: Release 1]
  • AICPA Incident Response Plan: Template for Breach of Personal Information [Released: Release 1]
  • IIA Global Technology Audit Guide (GTAG): Information Technology Controls [Released: Release 1]
  • The Standard of Good Practice for Information Security [Released: Q4 08]

US Federal Privacy Guidance

  • Cable Communications Privacy Act Title 47 § 551 [Released: Release 1]
  • Telemarketing Sales Rule (TSR), 16 CFR 310 [Released: Release 1]
  • CAN SPAM Act [Released: Release 1]
  • Children’s Online Privacy Protection Act (COPPA), 16 CFR 312 [Released: Release 1]
  • Driver’s Privacy Protection Act (DPPA), 18 USC 2721 [Released: Release 1]
  • Family Education Rights Privacy Act (FERPA), 20 USC 1232 [Released: Release 1]
  • Privacy Act of 1974, 5 USC 552a [Released: Release 1]
  • Video Privacy Protection Act (VPPA), 18 USC 2710 [Released: Release 1]
  • Specter-Leahy Personal Data Privacy and Security Act [Released: Release 1]
  • Amendments to the FTC Telemarketing Sales Rule [Released: Release 1]
  • Children’s Online Privacy Protection Act [Released: Release 1]
  • FACT Act (Fair and Accurate Credit Transactions Act of 2003) [Released: Q3 08]

US State Laws Guidance

  • Arkansas Personal Information Protection Act AR SB 1167 [Released: Release 1]
  • Arizona Amendment to Arizona Revised Statutes 13-2001, AZ HB 2116 [Released: Release 1]
  • California Information Practice Act, CA SB 1386 [Released: Release 1]
  • California General Security Standard for Businesses CA AB 1950 [Released: Release 1]
  • California Public Records Military Veteran Discharge Documents, CA AB 1798 [Released: Release 1]
  • California OPP Recommended Practices on Notification of Security Breach [Released: Release 1]
  • Colorado Prohibition against Using Identity Information for Unlawful Purpose, CO HB 1134 [Released: Release 1]
  • Colorado Consumer Credit Solicitation Protection, CO HB 1274 [Released: Release 1]
  • Colorado Prohibiting Inclusion of Social Security Number, CO HB 1311 [Released: Release 1]
  • Connecticut law Requiring Consumer Credit Bureaus to Offer Security Freezes, CT SB 650 [Released: Release 1]
  • Connecticut law Concerning Nondisclosure of Private Tenant Information, CT HB 5184 [Released: Release 1]
  • Delaware Computer Security Breaches DE HB 116 [Released: Release 1]
  • Florida Personal Identification Information/Unlawful Use, FL HB 481 [Released: Release 1]
  • Georgia Consumer Reporting Agencies, GA SB 230 [Released: Release 1]
  • Georgia Public employees; Fraud, Waste, and Abuse, GA HB 656 [Released: Release 1]
  • Hawaii Exempting disclosure of Social Security numbers HI HB 2674 [Released: Release 1]
  • Illinois Personal Information Protection Act IL HB 1633 [Released: Release 1]
  • Indiana Release of Social Security Number, Notice of Security Breach IN SB 503 [Released: Release 1]
  • Louisiana Database Security Breach Notification Law, LA SB 205 Act 499 [Released: Release 1]
  • Maine law To Protect Maine Citizens from Identity Theft, ME LD 1671 [Released: Release 1]
  • Minnesota Data Warehouses; Notice Required for Certain Disclosures, MN HF 2121 [Released: Release 1]
  • Missouri War on Terror Veteran Survivor Grants, MO HB 957 [Released: Release 1]
  • Montana bill to Implement Individual Privacy and to Prevent Identity Theft, MT HB 732 [Released: Release 1]
  • New Jersey Identity Theft Prevention Act, NJ A4001/S1914 [Released: Release 1]
  • New York Information Security Breach and Notification Act [Released: Release 1]
  • Nevada Security Breach Notification Law, NV SB 347 [Released: Release 1]
  • North Carolina Security Breach Notification Law (Identity Theft Protection Act), NC SB 1048 [Released: Release 1]
  • North Dakota Personal Information Protection Act, ND SB 2251 [Released: Release 1]
  • Ohio Personal information – contact if unauthorized access, OH HB 104 [Released: Release 1]
  • Rhode Island Security Breach Notification Law, RI HB 6191 [Released: Release 1]
  • Tennessee Security Breach Notification, TN SB 2220 [Released: Release 1]
  • Texas Identity Theft Enforcement and Protection Act, TX SB 122 [Released: Release 1]
  • Vermont Relating to Identity Theft, VT HB 327 [Released: Release 1]
  • Virginia Identity theft; penalty; restitution; victim assistance, VA HB 872 [Released: Release 1]
  • Washington Notice of a breach of the security, WA SB 6043 [Released: Release 1]
  • § 1724 California Civil Code [Released: Q3 07]
  • Texas Business and Commerce Code, secs. 48.102, 48.103 [Released: Q3 07]
  • Minnesota Plastic Card Security Act (H.F. 1758) [Released: Q3 07]
  • California Personal Information: Disclosure to Direct Marketers Act (SB 27) [Released: Q3 08]

EU Guidance

  • EU Directive on Privacy and Electronic Communications, 2002/58/EC [Released: Release 1]
  • EU Directive on Data Protection, 95/46/EC [Released: Release 1]
  • US Department of Commerce EU Safe Harbor Privacy Principles [Released: Release 1]
  • Consumer Interests in the Telecommunications Market, Act No. 661 [Released: Release 1]
  • OECD / World Bank Technology Risk Checklist [Released: Release 1]
  • OECD Guidelines on Privacy and Transborder Flows of Personal Data [Released: Release 1]
  • UN Guidelines for the Regulation of Computerized Personal Data Files (1990) [Released: Release 1]
  • ISACA Cross-Border Privacy Impact Assessment [Released: Release 1]
  • Information Technology Security Evaluation Manual (ITSEM) [Released: Release 1]
  • Information Technology Security Evaluation Criteria (ITSEC) [Released: Release 1]
  • Directive 2003/4/EC Of The European Parliament [Released: Release 1]
  • EU 8th Directive (European SOX) [Released: Q4 08]
  • OECD Principles of Corporate Governance [Released: Q4 08]

UK and Canadian Guidance

  • Financial Reporting Council, Combined Code on Corporate Governance [Released: Q4 08]
  • Turnbull Guidance on Internal Control, UK FRC [Released: Release 1]
  • Smith Guidance on Audit Committees, UK FRC [Released: Release 1]
  • UK Data Protection Act of 1998 [Released: Release 1]
  • IT Service Management Standard, BS 15000-1 [Released: Release 1]
  • IT Service Management Standard – Code of Practice, BS 15000-2 [Released: Release 1]
  • British Standards Institute PAS 56, Guide to Business Continuity Management [Released: Release 1]
  • Canada Keeping the Promise for a Strong Economy Act, Bill 198 [Released: Release 1]
  • Canada Personal Information Protection Electronic Documents Act (PIPEDA) [Released: Release 1]
  • Canada Privacy Policy and Principles [Released: Release 1]
  • Canadian Marketing Association Code of Ethics and Standards of Practice [Released: Q4 08]

Other European and African Guidance

  • Austria Data Protection Act [Released: Release 1]
  • Austria Telecommunications Act [Released: Release 1]
  • Bosnia Law on Protection of Personal Data [Released: Release 1]
  • Czech Republic Personal Data Protection Act [Released: Release 1]
  • Denmark Act on Competitive Conditions and Consumer Interests [Released: Release 1]
  • Finland Personal Data Protection Act [Released: Release 1]
  • Finland act on the amendment of the Personal Data Act (986/2000) [Released: Release 1]
  • France Data Protection Act [Released: Release 1]
  • German Federal Data Protection Act [Released: Release 1]
  • IT Baseline Protection Manual Germany [Released: Release 1]
  • Greece Law on the Protection of Individuals with Regard to the Processing of Personal Data [Released: Release 1]
  • Hungary Protection of Personal Data and Disclosure of Data of Public Interest [Released: Release 1]
  • Iceland Protection of Privacy as regards the Processing of Personal Data [Released: Release 1]
  • Ireland Data Protection Act of 1988 [Released: Release 1]
  • Ireland Data Protection Amendment 2003 [Released: Release 1]
  • Italy Personal Data Protection Code [Released: Release 1]
  • Italy Protection of Individuals Other Subject with regard to the Processing of Personal Data [Released: Release 1]
  • Lithuania Law on Legal Protection of Personal Data [Released: Release 1]
  • Luxembourg Data Protection Law [Released: Release 1]
  • Netherlands Personal Data Protection Act [Released: Release 1]
  • Poland Protection of Personal Data Act [Released: Release 1]
  • Slovak Republic Protection of Personal Data in Information Systems [Released: Release 1]
  • Personal Data Protection Act of the Republic of Slovenia of 2004 [Released: Release 1]
  • South Africa Promotion of Access to Information Act [Released: Release 1]
  • ORGANIC LAW 15/1999 of 13 December on the Protection of Personal Data [Released: Release 1]
  • Sweden Personal Data Act [Released: Release 1]
  • Switzerland Federal Act on Data Protection [Released: Release 1]
  • German Corporate Governance Code (“The Code”) [Released: Q4 08]
  • The Dutch corporate governance code, Principles of good corporate governance and best practice provisions [Released: Q4 08]
  • The King Committee on Corporate Governance, Executive Summary of the King Report 2002 [Released: Q4 08]
  • Swedish Code of Corporate Governance; A Proposal by the Code Group [Released: Q4 08]

Asia and Pacific Rim Guidance

  • Australia Better Practice Guide – Business Continuity Management [Released: Release 1]
  • Australia Spam Act [Released: Release 1]
  • Australia Spam Act 2003: A practical guide for business [Released: Release 1]
  • Australia Privacy Act [Released: Release 1]
  • Australia Telecommunications Act [Released: Release 1]
  • Hong Kong Personal Data (Privacy) Ordinance [Released: Release 1]
  • Japan ECOM Guidelines Concerning the Protection of Personal Data in Electronic Commerce in the Private Sector (version 1.0) [Released: Release 1]
  • Japan Handbook Concerning Protection Of Personal Data [Released: Release 1]
  • Japan Personal Information Protection Act (Law No. 57 of 2003) [Released: Release 1]
  • Korea Act on Promotion of Information & Communication Network Utilization and Information Protection, etc [Released: Release 1]
  • Korea Act on the Protection of Personal Information Maintained by Public Agencies 1994 [Released: Release 1]
  • Korea Act Relating to Use and Protection of Credit Information [Released: Release 1]
  • New Zealand Privacy Act 1993 [Released: Release 1]
  • Taiwan Computer-Processed Personal Data Protection Law 1995 [Released: Release 1]
  • India Information Technology Act (ITA-2000) [Released: Release 1]
  • Australian Government ICT Security Manual (ACSI 33) [Released: Q3 08]
  • Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004 [Released: Q4 08]
  • Corporate Governance in listed Companies – Clause 49 of the Listing Agreement [Released: Q4 08]
  • CODE OF CORPORATE GOVERNANCE 2005 [Released: Q4 08]
  • Argentina Personal Data Protection Act [Released: Release 1]
  • Mexico Federal Personal Data Protection Law [Released: Release 1]

System Configuration Guidance

  • CI Security Persistent Identifiers [Released: Q3 07]
  • CI Security Solaris Benchmark v2.1 [Released: Q3 07]
  • CI Security Solaris Benchmark v1.3 [Released: Q3 07]
  • CI Security HP-UX Benchmark v1.3 [Released: Q3 07]
  • CI Security Red Hat Enterprise Linux Benchmark v1.0 [Released: Q3 07]
  • CI Security Red Hat Enterprise Linux Benchmark v1.0.5 [Released: Q3 07]
  • CI Security SuSE Linux Enterprise Server Benchmark v1.0 [Released: Q3 07]
  • CI Security Slackware Linux Benchmark v1.1 [Released: Q3 07]
  • CI Security AIX Benchmark v1.0 [Released: Q3 07]
  • CI Security FreeBSD Benchmark v1.0 [Released: Q3 07]
  • Defense Information Systems Agency UNISYS Security Technical Implementation Guide Version 7 Release 2 [Released: Q4 07]
  • Defense Information Systems Agency UNISYS Security Technical Implementation Guide Version 5 Release 1 [Released: Q4 07]
  • CI Security Windows XP Professional SP1/SP2 [Released: Q3 07]
  • Guidance for Securing Microsoft Windows XP Systems for IT Professionals, NIST SP 800-68 [Released: Q4 07]
  • NSA Guide to Security Microsoft Windows XP [Released: Q4 07]
  • CI Security Windows 2000 Professional [Released: Q4 07]
  • DISA Windows XP Security Checklist Version 6 [Released: Q1 08]
  • CI Security Windows 2000 Server [Released: Q3 07]
  • CI Security Windows Server 2003 [Released: Q4 07]
  • CI Security Windows 2000 [Released: Q4 07]
  • CI Security Windows NT [Released: Q4 07]
  • DISA Windows VISTA Security Checklist Version 6 [Released: Q1 08]
  • NSA Guide to Securing Microsoft Windows 2000 Group Policy [Released: Q4 07]
  • Center for Internet Security Mac OS X Tiger Level I Security Benchmark
  • Center for Internet Security Open Enterprise Server: NetWare (v1) Consensus Baseline Security Settings
  • Mac OS X Security Configuration for version 10.4 or later, second edition
  • Microsoft Windows Vista Security Guide Appendix A: Security Group Policy Settings
  • DISA Windows Server 2003 Security Checklist Version 6
  • DISA WIRELESS STIG BLACKBERRY SECURITY CHECKLIST, Version 5, Release 1.2
  • DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2

Guidance Concerning the National Security Review Conducted by the Committee on Foreign Investment in the United States

On December 8, the Committee on Foreign Investment in the United States (CFIUS) published a notice in the Federal Register that provides guidance to U.S. businesses and foreign persons that are parties to transactions covered by section 721 of the Defense Production Act of 1950, as amended by the Foreign Investment and National Security Act of 2007, and the regulations at 31 CFR part 800.

Section 721 requires CFIUS to review covered transactions notified to it ‘‘to determine the effects of the transaction[s] on the national security of the United States,’’ but does not define ‘‘national security,’’ other than to note that the term includes issues relating to homeland security. Instead, section 721 provides an illustrative list of factors, listed below, for CFIUS to consider.

This notice provides examples of, and insight into, the types of transaction that could trigger a CFIUS review.

CFIUS notes that just because a transaction presents national security considerations does not mean that CFIUS will necessarily determine that the transaction poses a national security risk.


Intel’s Social Media Guidelines

Intel has published their Social Media Guidelines.

I like their approach of giving users guidelines for what they should and should not do. The context is to place the responsibility on the individual. It is that person who is creating the content. They are responsible for the content and the consequences. I think it is a great balance of encouraging people to interact with responsible behavior.

Intel could have added some specific recommendations for some high profile sites. Of course the sites are changing so often that it might be hard to keep the policy up-to-date.

I also like how Intel integrates these guidelines with other policies like the Intel Code of Conduct (.pdf) and the Intel Privacy Policy. This modularity avoids duplication and inconsistencies.

Building an Ethical Framework

Thomas R. Krause and Paul J. Voss put forth 10 questions to consider in encouraging an ethical corporate culture.

  1. What is the relationship between ethics and other performance metrics in the company?
  2. Have we, as required by the 2004 federal sentencing guidelines, offered ethics training for all of our employees? Does the training provide more than rote introduction of the company’s code of conduct?
  3. What is the relationship between exercising sound ethics and retaining great talent?
  4. Have we conducted a “risk assessment” to determine our exposure to major ethical damage? What is our potential Enron?
  5. How can we be proactive in the area of ethics, culture and corporate citizenship?
  6. What tone should executive leadership set regarding ethics, integrity and transparency?
  7. What does management need from the board of directors and senior leadership to enhance and buttress corporate ethics?
  8. Who is driving ethics and compliance in the company?
  9. Do we have consistency of message between and among the board, the CEO, the senior executive team and the associates in terms of ethics and culture?
  10. What roadblocks now discourage ethical conversations and the implementation of ethical practices, procedures and protocols?

Morrison and Foerster Privacy Library

Morrison & Foerster has put together a Privacy Library with links to the relevant statutes and regulations. The library includes each state in the U.S., along with other countries and multilateral organizations.

The firm has also launched Summit Privacy, a subscription service that provides a searchable privacy database of global privacy laws.

Six States Now Require Social Security Number Protection Policies

Miriam Wugmeister and Nathan D. Taylor of Morrison & Foerster wrote the December Privacy and Data Security Update: Six States Now Require Social Security Number Protection Policies.

  • Connecticut – Ct. H.B. 5658.
  • Massachusetts – 201 Mass. Code Regs. §§ 17.01 – 17.04.
  • Michigan – Mich. Comp. Laws § 445.84.
  • New Mexico – N.M. Stat. §§ 57-12B-2 – 57-12B-3.
  • New York – N.Y. Gen. Bus. Law § 3990dd(4).
  • Texas – Tex. Bus. & Com. Code § 35.581 (effective through March 31, 2009); Tex. Bus. & Com. Code § 501.051 – 501.053 (effective April 1, 2009).

These state SSN protection policy requirements highlight the importance of maintaining up-to-date privacy policies that comply with the evolving requirements under applicable state laws. To get started, an organization should consider taking the following steps:

  • determine if you collect or maintain SSNs;
  • review your policies and procedures that are employee-facing to determine if you have sufficient policies to meet the obligations under the various state laws;
  • update your policies and procedures as needed;
  • train employees on the new policies and procedures; and
  • audit your employees to ensure that they are complying with your policies and procedures.

Data Privacy Roundtable

Deloitte hosted an executive roundtable on Massachusetts Data Protection. The room was packed full of us trying to figure out what to do with these regulations.

Mark Schreiber of Edwards Angell Palmer & Dodge kicked things off with a look at the history of the regulation and the regulators' view of the regulations. The regulators acknowledge that the regulations are burdensome. "Tough!" they say. "Look at all of the data breaches!"

The regulations started with MGL c. 93H, which addresses data breaches; Section 2(a) of MGL c. 93H provides for the promulgation of regulations.  What came out were some of the toughest regulations in the country. There are no exemptions for industry, sector or size. If you have personal information on a Massachusetts resident you need to comply. That means every company with operations in Massachusetts and any company with information on a Massachusetts resident. These regulations go beyond the Red Flags Rule from the FTC.

Companies need to address whether they are going to implement full enterprise protection or merely selective protection. If you can isolate the data on Massachusetts residents, you can treat it differently from other data.

The panelists also brought up the concept of “data in motion” versus “data at rest.”  You need to look at how you are transmitting data as well as how it is stored.

What happens if you do not comply? There is no private right of action under the statute or regulations, but there will be lawsuits under them all the same. The panel foresees two types of class action suits coming out of the law. One will be a negligence claim for allowing a data breach: the law creates the standard of care, so in the panel's view failure to comply with it is negligence per se. They also see suits over the failure to properly notify the individuals affected by a data breach.

Audience poll: How many have a team assembled to implement the new regulations:

  • 72% Yes
  • 24% No
  • 4%  Not sure

Audience poll: How many have read the new regulations and guidance:

  • 45% Yes
  • 55% No

Audience poll: How many have addressed whether to do selective encryption or selective protection:

  • 29% Yes
  • 62% No
  • 9% Not sure

Everyone who said yes has decided to use encryption.

The panel moved on to stress the importance of ownership of the Written Information Security Program (WISP) required by the regulations. You need to address the physical requirements as well as the electronic requirements. This requires a team approach, including HR, compliance, IT and building security.

You also need to focus on how to handle data security breaches. The Massachusetts statute, like those of other states, sets a very short time frame for notification. Less than half the audience had a well defined plan or even a somewhat defined plan.

On the training front, you need to decide on a discipline for failure to comply. You also need to decide who to train and the level of training.

Audience poll: How many have training programs on information security:

  • 30% Training for all employees
  • 13% Training for selected employees
  • 52% None
  • 5%  Not sure

The paradigm of the Massachusetts law is that you should only collect the information you need, store it for only the time needed and make it available only to the people who need it.

In assessing the biggest challenges to complying with the law, the audience found identifying and assessing risks to be the biggest challenge.  53% of the audience had not done an audit of personal information sources, and 49% did not monitor access to personal information.

Vendor management is another big issue under the law. If you share personal data with vendors, they need to be in compliance with the law. The law requires a certification of compliance, but there is no standard form of certificate. The first step is to identify vendors and then to assess the risk profile for each vendor.  59% of the audience had not identified the vendors that handle personal data.

As part of vendor management, you will need to continually monitor vendors that share personal data. You need to negotiate compliance into the vendor agreements and include oversight provisions. You need to incorporate vendor risk management as part of the governance program.

Data on Bribe Demands in China

An anonymous online survey by TRACE International found that, of those business people visiting China who were asked for more than one bribe, almost 20 percent reported that they had been solicited more than 100 times.

TRACE set up an online bribe-reporting system that allows people to file reports in different languages about bribe demands. The first report by its online system (called BRIBEline) covered data it collected in China from July 2007 to June 2008.

  • Eighty-five percent of the bribes were solicited by someone tied to the Chinese government. That includes
    • 11 percent requested by a Communist Party official
    • 11 percent by a police officer
    • 11 percent by someone in the court system and
    • 52 percent by officials from another government branch.
  • Seventy-three percent of people who reported being asked for a bribe in China said they were asked more than once.
  • The bribe requests ranged from less than $20 (3 percent) to more than $500,000 (6 percent), with 22 percent of them asking for more than $10,000. Some 12 percent asked for gifts, entertainment or hospitality, while 4 percent asked for more business, and 3 percent requested sex.
  • Fifty-four percent of the demands were to induce action to which the business was entitled, such as timely service or avoidance of some kind of trouble.

Market Reaction to Adoption of IFRS in Europe

Christopher S. Armstrong, Mary E. Barth, Alan D. Jagolinzer, and Edward J. Riedl published Market Reaction to Adoption of IFRS in Europe (.pdf)

This study examines the European stock market reaction to sixteen events associated with the adoption of International Financial Reporting Standards (IFRS) in Europe. European IFRS adoption represented a major milestone towards financial reporting convergence yet spurred controversy reaching the highest levels of government. We find a more positive reaction for firms with lower quality pre-adoption information, which is more pronounced in banks, and with higher pre-adoption information asymmetry, consistent with investors expecting net information quality benefits from IFRS adoption. We also find that the reaction is less positive for firms domiciled in code law countries, consistent with investors’ concerns over enforcement of IFRS in those countries. Finally, we find a positive reaction to IFRS adoption events for firms with high quality pre-adoption information, consistent with investors expecting net convergence benefits from IFRS adoption. Overall, the findings suggest that investors in European firms perceived net benefits associated with IFRS adoption.

With IFRS coming to the US in a few years it is interesting to see the reaction to the new accounting standards.

The SEC proposes that the use of IFRS by U.S. issuers be phased in over three stages based on the size of the reporting company. IFRS filings for large accelerated filers would begin with fiscal years ending on or after December 15, 2014; for accelerated filers, with fiscal years ending on or after December 15, 2015; and for non-accelerated filers and smaller reporting companies, with fiscal years ending on or after December 15, 2016.