Secunia CSI 5.0

Avoid the operational and financial pitfalls of non-compliance

Address the complex regulatory requirements that directly affect your business


Whatever industry sector you operate in – whether Financial Services, Government/Private Sector, Energy & Utilities, Education, or Healthcare – you no doubt face a daily myriad of challenges such as maintaining security, managing risk, and navigating regulatory and compliance issues.

As an organisation, you must comply with privacy and data protection laws, regulations, and policies designed to protect confidential information, such as PCI DSS, Sarbanes-Oxley, FISMA, NERC, HIPAA, etc. This involves adopting and implementing a variety of costly activities related to processes and technology.

From an IT security perspective, juggling the daily fight against vulnerabilities while learning more about risk assessment frameworks and global regulations, and maintaining established compliance programs, is a responsibility that can often seem like a large mountain to climb.

Common pain points surrounding compliance audit and security audit requirements include keeping systems operational and up-to-date, resource constraints, responding to executive concern, and data availability and integrity; on the business side they include increasing market share, return on investment, and shareholder value.

Sarbanes-Oxley

Created in 2002, Sarbanes-Oxley (also known as SOX) is a set of mandatory regulations covering financial practice and corporate governance that all publicly traded companies, regardless of size, must comply with. The Act is named after its main architects: Senator Paul Sarbanes and Representative Michael Oxley.

The Sarbanes-Oxley Act comprises eleven sections. Security regulations, such as the need for organisations to establish a detailed, credible security policy, form a main element of its compliance requirements. Non-compliance can result in the following consequences: loss of sensitive data, severe fines, revenue loss, damaged reputation, loss of trust from the marketplace and financial sector, loss of consumer confidence, and litigation.

PCI DSS

It is in the news every day. Cybercriminals gain access to sensitive information. Customer records are stolen. No business, of any size or type, is immune to credit card theft, back-end hacking, and network, account, and intrusion attacks. As security threats increase and regulatory requirements grow more complex, security and PCI compliance are business-critical priorities.


The Payment Card Industry Data Security Standard (PCI DSS) is a global security program designed to increase industry confidence and reduce risks to PCI members, merchants, service providers, and consumers. It was originally established by Visa and MasterCard in 1999 after numerous data breaches resulted in unwanted media attention. Since then it has been adopted by other payment card providers. It is applicable regardless of transaction volume or method of transaction.

Non-compliance can result in the following consequences: loss of confidential data, severe fines, revenue loss, damaged reputation, loss of trust from the marketplace and financial sector, and litigation if private information is exposed. Secunia can help you comply with PCI DSS; for example, Requirement 6 and its sub-sections call for vulnerabilities to be ranked and prioritized according to risk.

NERC

The Reliability Standards set forth by the North American Electric Reliability Corporation (NERC) cover planning and operational processes and are designed to help bulk power systems achieve operational excellence. These standards help identify and resolve potentially critical issues before they occur and work to improve the industry as a whole.

NERC operates under the U.S. Department of Homeland Security and Public Safety Canada and gathers information about security-related threats and incidents, which is then communicated to government authorities. Infrastructure security is therefore a key element of NERC compliance, designed to protect the industry’s critical infrastructure from physical and cyber threats. Non-compliance can result in the following consequences: loss of sensitive data, severe fines, revenue loss, damaged reputation, loss of trust from the marketplace, financial sector, and general public; and litigation.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) was created in 1996 in the U.S. to protect the health insurance of its citizens and establish national standards for electronic health care transactions. The standards created by HIPAA are designed to improve the healthcare system’s efficiency and effectiveness.

A primary element of HIPAA addresses the security and privacy of health data. This element comprises two complementary rules: the Privacy Rule, which covers all paper-based and electronic healthcare information, and the Security Rule, which specifically covers all healthcare information that is electronically protected, stored, or transmitted. The Security Rule has three categories of safeguards required for compliance: administrative safeguards, physical safeguards, and technical safeguards.

Non-compliance can result in the following consequences: loss of confidential data, identity theft, severe fines, revenue loss, damaged reputation, loss of patient, employee, and industry trust, and litigation.

FISMA

The Federal Information Security Management Act (FISMA) was established in 2002 and is a United States federal law. Information security, and specifically its importance to U.S. economic and national security, is the foundation of FISMA.

Because FISMA identifies cybersecurity as a main policy focus for risk management and effective security, the Act requires that federal agencies implement a fully developed and documented information security process agency-wide. Key agency officials are therefore required to conduct annual reviews of the agency’s information security programs and report the results to the Office of Management and Budget (OMB).

Non-compliance can result in the following consequences: loss of highly confidential and classified information, identity theft and fraud, severe fines, revenue loss, damaged reputation nation-wide and globally, loss of trust from the marketplace, financial sector, and general public; and litigation.

How Secunia Can Help

We can help in addressing these issues.

Contact Us

Please e-mail sales@secunia.com or telephone +45 7020 5144 if you would like to discuss your needs with us.

Tailor-made Products

Secunia VIM helps you easily track and eliminate vulnerabilities in your IT infrastructure.

Secunia CSI secures your vital applications running in your network.

Need help?

We are happy to help you with advice about your security needs. Contact us!

Are you looking for our free IT security solution for private users, the Secunia Personal Software Inspector (PSI)? See the PSI product page.

© 2002-2012 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144