Regulations & IT Compliance

How CoreVault Addresses Compliance Requirements

Quick Reference Guide

Regulations and IT Compliance Requirements

The table below lists the regulations and standards with which organizations most commonly seek compliance. Refer to it to understand what a particular regulation enacts and which IT compliance requirements follow from it.

Each entry gives the regulation or standard, what it means, and the IT compliance requirements associated with it (where the guide lists them).

Regulation / Standard: HIPAA (Health Insurance Portability and Accountability Act)
What does it mean? HIPAA seeks to establish standardized mechanisms for electronic data interchange (EDI), security, and confidentiality of all healthcare-related data.
IT Compliance Requirements:
1. Make data backups
2. Establish access controls based on job responsibilities
3. Log successful access attempts to mission-critical resources
4. Limit user ID login attempts after consecutive unsuccessful tries
5. Require authentication
6. Enable system events (logging)
7. Encrypt information
8. Keep data physically and electronically secure from unauthorized access (implement security tools to prevent malicious attacks or detect intrusions, restrict internet access to the DMZ)

Regulation / Standard: FDA Part 11
What does it mean? Part 11, as it is commonly called, deals with the Food and Drug Administration (FDA) guidelines on electronic records and electronic signatures in the United States. It requires drug makers, medical device manufacturers, biotech companies, biologics developers and other FDA-regulated industries to implement controls, including audits, system validations, audit trails, electronic signatures, and documentation for software and systems involved in processing electronic data.

Regulation / Standard: EU Annex 11
What does it mean? EU Annex 11 is the European equivalent of the FDA's Part 11. It defines the criteria under which electronic records and electronic signatures are considered trustworthy, reliable and equivalent to paper records.

Regulation / Standard: The Gramm-Leach-Bliley Act
What does it mean? The GLB Act is the Financial Modernization Act of 1999. It includes provisions to protect consumers' personal financial information held by financial institutions.

Regulation / Standard: PCI DSS
What does it mean? The PCI Security Standards Council's mission is to enhance payment account data security by driving education and awareness of the PCI Security Standards. The organization was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa, Inc.

Regulation / Standard: CA Assembly Bill No. 1950
What does it mean? This bill requires a business that owns or licenses personal information about a California resident to implement and maintain reasonable security procedures and practices to protect personal information from unauthorized access, destruction, use, modification or disclosure, including data destruction and data protection. Since A.B. 1950 does not further define these reasonableness standards, it leaves businesses struggling to understand their scope and to implement business practices sufficient to avoid liability under A.B. 1950. Thus, in order to avoid liability that might arise from failure to provide "reasonable security" under A.B. 1950, businesses should consider using HIPAA and GLBA as guidelines for their own security practices and procedures.

Regulation / Standard: Sarbanes-Oxley Act
What does it mean? SOX, or Sarbox, is designed to "protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws." Section 302 of the Sarbanes-Oxley Act, on corporate responsibility for financial reporting, requires certification of financial statements by both the CEO and CFO. This means that all financial reports must be thoroughly verified by management with more acuity than ever before. IT departments supporting financial systems will also have to ensure the accuracy of these records.
IT Compliance Requirements:
1. Establish access controls based on job responsibilities
2. Log successful access attempts to mission-critical resources
3. Require authentication
4. Enable system events (logging)
5. Keep data physically and electronically secure from unauthorized access
6. Data retention: 7 years retention for audit reports and related materials
7. Immutability: Prevent the alteration, destruction, mutilation, concealment or falsification of any record/document*
* SOX implies the need for encryption to protect the integrity and confidentiality of financial information.

Regulation / Standard: EU Data Protection Directive (EUDPD)
What does it mean? The EUDPD declares that data protection is a fundamental human right. It standardizes protection of data privacy for EU citizens.
IT Compliance Requirements:
1. Make data backups
2. Establish access controls based on job responsibilities
3. Require authentication
4. Enable system events (logging)
5. Encrypt personal information

Regulation / Standard: Basel II Capital Accord
What does it mean? Requires that banks put in place Business Continuity and Disaster Recovery plans to ensure continuous operation and to limit losses.
IT Compliance Requirements:
1. Make data backups
2. Archiving, retrieval and restoration capabilities should be in place
3. Data retention of 3 - 7 years of data history

Regulation / Standard: MA 201 CMR 17
What does it mean? Requires any business that collects personal information about a resident of Massachusetts to encrypt all portable devices, wireless transmissions and public networks. This means that if you have data on a resident of Massachusetts on your hard drive, for example, you still must encrypt the data even if you do not send it via e-mail or over the internet.
IT Compliance Requirements:
1. Data encryption

Regulation / Standard: Canada's Personal Information Protection & Electronic Data Act (PIPEDA)
What does it mean? This law requires organizations to obtain an individual's consent when they collect, use or disclose that individual's personal information. It also declares that organizations should supply an individual with a service or product even if the individual refuses to consent to the collection, use or disclosure of their personal information, unless that information is essential to the transaction. It also enacts that information should be collected by fair and lawful means, and that personal information policies must be clear, understandable and readily available.
IT Compliance Requirements:
1. Make data backups
2. Establish access controls based on job responsibilities
3. Require authentication
4. Enable system events (logging)
5. Encrypt personal information

Regulation / Standard: Health Information Technology for Economic and Clinical Health Act (HITECH)
What does it mean? The HITECH Act includes measures designed to broaden the scope and increase the rigor of HIPAA compliance. In terms of management and protection of Protected Health Information (PHI) data, three key areas are especially important:
a) Expansion of HIPAA rules to business associates
b) Stricter requirements for breach notifications
c) Encryption as a recognized methodology of protecting PHI
IT Compliance Requirements:
1. Data destruction
2. Data encryption

Regulation / Standard: Federal Information Security Management Act (FISMA)
What does it mean? The Federal Information Security Management Act (FISMA) is United States legislation that defines a comprehensive framework to protect government information, operations and access against natural or manmade threats. The National Institute of Standards and Technology (NIST) outlines nine steps toward compliance with FISMA:
1. Categorize the information to be protected
2. Select minimum baseline controls
3. Refine controls using a risk assessment procedure
4. Document the controls in the system security plan
5. Implement security controls in appropriate information systems
6. Assess the effectiveness of the security controls once they have been implemented
7. Determine agency-level risk to the mission or business case
8. Authorize the information system for processing
9. Monitor the security controls on a continuous basis

Regulation / Standard: Expedited Funds Availability Act (EFA)
What does it mean? Enacted in 1987 by the United States Congress, the Expedited Funds Availability Act's (EFA or EFAA) purpose is to standardize hold periods on deposits made to commercial banks and to regulate institutions' use of deposit holds. It requires federally chartered financial institutions to have a demonstrable business continuity plan to ensure prompt availability of funds.
IT Compliance Requirements:
1. Business continuity
2. Disaster recovery plans

Regulation / Standard: Federal Energy Regulatory Commission (FERC)
What does it mean? The Federal Energy Regulatory Commission, or FERC, is an independent agency that regulates the interstate transmission of electricity, natural gas, and oil. It mandates recovery plans for utilities.

Regulation / Standard: Financial Industry Regulatory Authority (FINRA)
What does it mean? Formed by consolidating redundant rules under NASD (Rule 3510) and NYSE (Rule 446). Under NASD 3510, members are required to create, test, and update business continuity and contingency plans to satisfy obligations to clients in the event of an emergency or outage.

Regulation / Standard: Securities and Exchange Commission (SEC) Rules 17a-3 and 17a-4
What does it mean? In combination, Rules 17a-3 and 17a-4 require broker-dealers to create, and preserve in an easily accessible manner, a comprehensive record of each securities transaction they effect and of their securities business in general. Rule 17a-4 defines electronic storage media as "any digital storage medium or system." Paragraph (f)(2)(ii)(A) of Rule 17a-4 requires that the electronic storage media preserve the records exclusively in a non-rewritable and non-erasable format. Retention is required for a specific period of time.
IT Compliance Requirements:
1. Make data backups
2. Data encryption
3. Data retention