Regulatory compliance has emerged as a major force shaping IT infrastructures. However, the majority of new rules and regulations aren't directed specifically at technology but rather at business processes such as records retention and retrieval, privacy, security, and the accuracy of data. Because most business information is managed electronically, complying with these mandates will require many enterprises to rework their IT systems. How do you know how your IT infrastructure will be affected? Use the following two checklists to become familiar with the most significant sets of regulations and the core business processes that figure most prominently in compliance. The sidebar "Compliance Technology" offers an at-a-glance take on solutions that help businesses comply with regulatory requirements.
CHECKLIST 1: Major Regulations
The following acts and initiatives affect IT indirectly by levying stiff fines when companies don't comply in a timely fashion. Penalties that major US corporations have paid because of shortcomings in their IT systems include a total fine of $8.5 million in 2002 for five major brokerage houses for not retaining email communications as specified in SEC 17a regulations, and $16 million in January 2005 for Riggs National Bank of Washington, DC, for failing to report a suspicious transaction.
Sarbanes-Oxley Act (SOX). In 2002, Congress passed SOX in response to widespread corporate corruption. The legislation's goal is to improve public accountability in corporate America. Four sections of the act directly affect IT. Section 302, which went into effect in 2002, mandates that, by signing their company's financial statement, senior executives legally attest that the information accurately presents the financial condition of the company and no material information is omitted. Section 404, which had an initial implementation deadline in November 2004, calls for management to assess and report on the effectiveness of internal controls regarding a company's financial information. Section 409 requires the timely disclosure of material events affecting the financial condition of a company, including security breaches. Finally, Section 802 provides for criminal penalties for altering documents.
Health Insurance Portability and Accountability Act (HIPAA). Passed by Congress in 1996, HIPAA's goal is to reform the health insurance industry and facilitate the exchange of electronic information in health care. The act establishes standards in several areas, including the exchange of electronic medical records and the length of time that records must be retained. In 2002, HIPAA required that enterprises subject to the act have a disaster recovery plan in place. Most significantly, HIPAA's privacy rules, which came into effect in 2003, are the first comprehensive federal privacy protections for personal health information. Any company that offers a health care benefit to its employees must meet the HIPAA standards for privacy.
Gramm-Leach-Bliley Act (GLBA). Passed in 1999 and in effect since 2001, GLBA is a major overhaul of the entire US financial system. Section 501(b) requires that financial institutions ensure the security and confidentiality of customer records and information, protect against anticipated threats to the integrity of those records, and prevent unauthorized access to the records that could result in harm to the customer. GLBA's reach extends well beyond traditional financial institutions. In 2003, the Federal Trade Commission (FTC) issued the data-protection regulations that Section 501(b) of GLBA mandates. Known as 16 CFR Part 314, these rules include the requirement to develop a comprehensive written information-security program. When the regulations were issued, the FTC made it clear that the rules apply to any institution offering financial services: for example, educational institutions that participate in student loan programs.
Food and Drug Administration Article 21 CFR Part 11. In 1997, the US Food and Drug Administration (FDA) issued regulations that define record-retention policies and the use of electronic records and electronic signatures in all the industries that the FDA regulates, including food, drugs and pharmaceuticals, and biological products. The requirements include the need for computer-generated audit trails of operator entries or actions that create, modify, or delete electronic records. Electronic records must be readily available for review by the FDA, and any changes or overwritten information must be accessible for review. Many aspects of the FDA regulations are seen as models that can be applied to other highly regulated industries.
USA Patriot Act. Passed in 2001 in response to the September 11 attack on the World Trade Center, the Patriot Act is meant to strengthen the power of US law enforcement in the fight against terrorism. The act's anti-money-laundering regulations require that financial institutions know not only their customers but also their customers' customers, be able to identify and respond promptly to suspicious activity, and be able to produce information in a timely fashion.
Basel II: International Convergence of Capital Measurement and Capital Standards. In June 2004, the heads of the central banking institutions in the world's 10 major industrial countries endorsed the report known as the Basel II Framework, which establishes the details for adopting risk-sensitive minimum capital requirements for banking organizations worldwide. Basel II emphasizes the necessity of effective supervisory review of banks' internal assessments of their overall risks and of enhancing transparency in banks' public reporting. As regulations implementing the report's recommendations are developed, they will have a significant impact on IT infrastructures.
CHECKLIST 2: Core Business Processes Affected by Regulation
The impact of regulatory compliance on IT varies dramatically from law to law, industry to industry, and enterprise to enterprise. Nonetheless, certain core processes are touched upon by nearly all regulations.
Storage. Companies need to be able to store records so that the records can't be altered, and records must be retrievable within certain time limitations. The regulations cover a huge range of documents, ranging from business transactions to spreadsheets filled with financial data to email.
Change monitoring. Companies must be able to monitor changes that can affect regulated information. The mandate to monitor extends well beyond the need to track changes in database records. For example, if application software changes in a company subject to regulation, those changes must be monitored and recorded. As different people are granted access to various systems, those access changes must also be recorded. Companies need to be able to identify and track events that materially affect the operation of the enterprise.
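The storage and change-monitoring requirements above (records that can't be altered, are retrievable within a time limit, and whose changes, including access grants, are themselves recorded) can be met with an append-only, hash-chained record store. The following is an added example written for this article, not code from it or from any vendor product; the class and method names, the retention periods, and the transaction and access-change values are all constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone


def _digest(entry):
    """SHA-256 over the canonical JSON of an entry, excluding its own hash field."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class RegulatedRecordStore:
    """Append-only ledger (hypothetical class). Nothing is edited in place: a change
    is a new entry that points at the entry it supersedes, and every entry carries
    the hash of its predecessor, so any later alteration breaks the chain."""

    GENESIS = "0" * 64

    def __init__(self):
        self._entries = []

    def _append(self, kind, record_id, payload, ts, retain_until, supersedes=None):
        entry = {
            "seq": len(self._entries),
            "kind": kind,                      # "record" or "access_change"
            "record_id": record_id,
            "payload": payload,
            "ts": ts.isoformat(),
            "retain_until": retain_until.isoformat(),
            "supersedes": supersedes,          # seq of the prior version, if any
            "prev_hash": self._entries[-1]["hash"] if self._entries else self.GENESIS,
        }
        entry["hash"] = _digest(entry)
        self._entries.append(entry)
        return entry["seq"]

    def store(self, record_id, data, ts, retention):
        """Store a version of a record. An existing version is superseded, never
        overwritten, so the full history stays available for review."""
        prior = self.latest(record_id)
        return self._append("record", record_id, data, ts, ts + retention,
                            supersedes=prior["seq"] if prior else None)

    def log_access_change(self, subject, resource, action, actor, ts, retention):
        """Record who granted or revoked access to which resource, and who did it."""
        payload = {"subject": subject, "resource": resource,
                   "action": action, "actor": actor}
        return self._append("access_change", f"access:{subject}:{resource}",
                            payload, ts, ts + retention)

    def latest(self, record_id):
        """Current version of a record, or None if it was never stored."""
        versions = [e for e in self._entries
                    if e["kind"] == "record" and e["record_id"] == record_id]
        return versions[-1] if versions else None

    def history(self, record_id):
        """Every entry for a record id, oldest first (records or access changes)."""
        return [e for e in self._entries if e["record_id"] == record_id]

    def verify_chain(self):
        """Recompute every hash and chain link; False if any entry was altered."""
        prev = self.GENESIS
        for e in self._entries:
            if e["prev_hash"] != prev or _digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def past_retention(self, now):
        """Entries whose retention period has elapsed and are due for disposal review."""
        return [e for e in self._entries
                if datetime.fromisoformat(e["retain_until"]) <= now]


if __name__ == "__main__":
    # Constructed sample data: one transaction corrected once, one access grant.
    store = RegulatedRecordStore()
    t0 = datetime(2005, 1, 3, tzinfo=timezone.utc)
    seven_years = timedelta(days=7 * 365)
    store.store("txn-1001", {"amount": 500, "currency": "USD"}, t0, seven_years)
    store.store("txn-1001", {"amount": 550, "currency": "USD"}, t0 + timedelta(days=1), seven_years)
    store.log_access_change("alice", "general-ledger", "grant", "dba-bob", t0, seven_years)
    print("versions of txn-1001:", len(store.history("txn-1001")))
    print("chain intact:", store.verify_chain())
```

Each version keeps its own retention clock, and `past_retention` only reports candidates; the disposal decision itself should be a separate, logged step so that the act of deleting is as auditable as the act of storing.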
Security. Companies must be able to secure their information. Many major regulations center on ensuring the privacy of customer information. Privacy requires highly secure systems, from perimeter gateways to core data repositories.
Compliance. Many regulations demand that companies demonstrate they are in compliance. This requirement means developing the capacity to audit IT operations and to document that systems function as intended.