There are a number of other regulations that may not be as high profile as the ones already discussed in this guide, but which nonetheless have a serious impact on data security for Information Technology.
The Gramm-Leach-Bliley Act (GLBA), passed in 1999, was wide-ranging legislation that covered the regulation of financial institutions in the United States. The act’s Privacy Rule requires financial institutions to ensure the security and confidentiality of customer records and information. The Safeguards Rule, which is enforced by the Federal Trade Commission (FTC), requires financial institutions to have a security plan to protect the confidentiality and integrity of personal consumer information. Many companies have already been prosecuted under the act, including ChoicePoint, which was fined a record $15 million as a result of a well-publicized data security breach.
Read more:
http://www.ftc.gov/bcp/conline/pubs/buspubs/glbshort.htm
http://www.ftc.gov/bcp/conline/pubs/buspubs/security.htm
The Basel II accord represents recommendations made by the Basel Committee on Banking Supervision, a regulator of banks worldwide, to revise the international standards for measuring the adequacy of a bank's capital. Its goal is to provide greater consistency in the way banks and banking regulators approach risk management across national borders. The accord requires banks to measure and control credit, market, and operational risks. Banks that can demonstrate a systematic approach to managing and controlling operational risk are allowed to maintain smaller capital reserves, which can be a key competitive advantage. Information security is regarded as a significant component of operational risk for banks. Much as with Sarbanes-Oxley compliance in the United States, banks need to demonstrate adequate controls over the information systems that store and serve financial data.
In the words of the FTC: “Sound security for businesses means regular risk assessment, effective coordination and oversight, and prompt response to new developments.” Also, there is no “one size fits all” security plan.
Different companies have different needs depending on the size of the business and the sensitivity of the customer information that they keep. The regulations, however, are generally vague when it comes to the specifics of IT security plans. Legislators tend to avoid specifying solutions, since the world of technology changes faster than they can update laws. Rather than maintaining a separate information security plan for each regulation, organizations need to implement one overall security plan or policy that lets them comply with all applicable regulations. Best-practice plans are based on established IT governance frameworks such as COBIT or ITIL, or on security standards such as ISO 17799.
For those organizations that do not already have an information security policy, PowerTech has made available an open source security policy that provides best practices for implementing a data security program on the System i and AS/400 platforms. PowerTech also provides a suite of security solutions that allow organizations to ensure the security, confidentiality, and integrity of information stored on IBM AS/400 and System i systems.
PowerTech Compliance Monitor allows banks and other companies to conduct regular risk and vulnerability assessments. Auditors, examiners, and IT staff get prompt notice of any identified exceptions to established security policy.
PowerTech Network Security ensures that adequate safeguards are in place to protect the confidentiality and integrity of customer information. Network access to AS/400 and System i systems is controlled according to rules, and network activity is logged to secure journals.
PowerTech Authority Broker is used to enforce separation of duties on critical production systems. IT staff and programmers are granted access to powerful user accounts (profiles) only when they really need it.