FACTA – (Fair & Accurate Credit Transactions Act)
Effective June 2005, this law requires businesses that collect customer information to ensure that the information is protected from "unauthorized access or use." In addition, the Disposal Rule requires that when such information is discarded, it must be appropriately destroyed, for example by shredding, burning or pulverizing. The federal government's website states that "although the Disposal Rule applies to consumer reports and the information derived from consumer reports, the Federal Trade Commission encourages those who dispose of any records containing a consumer's personal or financial information to take similar protective measures."
pa/2005/06/disposal.htm
FISMA – (Federal Information Security Management Act)
The Federal Information Security Management Act (FISMA) is designed to ensure appropriate security controls for government information and is governed by the National Institute of Standards and Technology (NIST), which is responsible for all standards and guidelines with respect to the regulation. Enacted in the United States in 2002, it provides a framework to protect federal information and assets. The Act focuses on bolstering computer and network security within the federal government and government contractors by mandating annual audits.
Objectives to Meet FISMA Compliance
FISMA requires that all federal government systems comply with its regulations. Government systems subject to stricter security measures, such as those governing information on national security, are considered in compliance. The Act emphasizes the need for organizations to develop, document and implement an organization-wide program to provide information security for the information systems that support their operations and assets. This rule requires strong monitoring systems within government agencies and companies that do business with the government. Security information and event management (SIEM) is required for, and plays a vital role in, FISMA compliance. Using the technical guidance set forth by NIST, RSA has mapped reports to help covered entities comply with FISMA.
To address FISMA requirements, companies must be able to address the following objectives:
• Access Control monitors attempts to access the company's financial reporting system or the data that feeds the system.
• Configuration Control monitors the configuration, policies and software installed on systems covered by Sarbanes-Oxley and on all systems with access to them.
• Malicious software detection capabilities collect and report malicious activity caused by viruses or other malicious code from a wide variety of sources, with centralized analysis.
• Policy Enforcement verifies that all users are complying with regulations, to reduce the chance of accidental exposure of sensitive information.
• User Monitoring and Management creates a complete audit of the activities of non-employees with access to private data and takes steps to minimize the risk from compromised accounts.
• Environment & Transmission Security involves ongoing monitoring of the environment to ensure that security threats are detected and corrected as quickly as possible through proactive measures such as vulnerability assessment (VA) scans. Additional monitoring is required to ensure that the transmission of sensitive data is secured with the proper level of encryption.
HIPAA – (Health Insurance Portability and Accountability Act)
This 1996 law and the accompanying 2002 regulation known as the Privacy Rule restrict how health care providers may handle and disclose patient health information. In general, health care entities must ensure that only approved personnel handle protected health information, and then only for purposes specified in the law and regulation. Tru-Recovery can help your business comply with these requirements by:
• Storing protected health information in a secure commercial records center
• Storing electronic files on our secure servers
• Signing a business associate agreement with your medical practice to limit your liability for stored health information
• Destroying inactive medical records in accord with state medical society guidance and in compliance with HIPAA regulations
• Converting paper medical files to encrypted electronic files to:
  1. Save office space
  2. Provide easy access to records
  3. Limit access only to individuals you provide with designated passwords and encryption software.
GLBA – (Gramm-Leach-Bliley Act)
Signed into law on November 12, 1999, the GLBA mandates that financial institutions establish appropriate administrative, technical and physical safeguards for customer records and information. Section III.C.1 of the Guidelines requires financial institutions to adopt measures to protect customer information. If a financial institution is found to be non-compliant with the rules, or to have deficiencies in its administrative, technical or physical safeguards, the regulatory agencies have the responsibility and authority to take enforcement measures. Enforcement measures range from corrective actions to fines or other penalties. Tru-Recovery can help your business comply with this law by:
• Storing sensitive hard copy information in our secure commercial records center.
• Limiting access to sensitive information only to individuals you approve in advance.
• Shredding and recycling discarded documents, including sensitive paper documents and electronic media, to prevent identity theft.
SOX – (Sarbanes-Oxley Act)
The Sarbanes-Oxley Act requires management to enact "disclosure controls and security procedures" to ensure reporting of material information affecting the company.
This 2002 legislation creates new requirements for businesses and accountants to maintain corporate audit records or review working papers for five years beyond the year in which an audit is concluded. The new law also creates penalties for destroying or altering documents that are relevant to contemplated or ongoing investigations or official actions. Tru-Recovery can help businesses and accounting firms and their clients comply with the law by:
• Establishing a retention and destruction schedule for audit documents that complies with federal law
• Storing audit records off site to limit the potential for tampering or inappropriate destruction
• Creating electronic versions of paper records to provide "backups" of original documents in the event the originals are inadvertently lost, altered, or destroyed.
Check 21 – (Check Clearing for the 21st Century Act)
In what will be a major technological change for the banking industry, President Bush signed the Check 21 bill into law in 2003. It allows banks to substitute electronic check images for paper checks in the clearance and settlement process. The bill paves the way for the industry to save billions of dollars and speed the processing of checks.
The law calls for the use of "Image Replacement Documents" (IRDs) to be implemented within a year. Bank IT managers say the success of such systems, which will include branch-based scanning systems, data repositories and automated processing applications, will depend largely on changing customer attitudes.