Over thirty U.S. states have adopted their own consumer privacy legislation, with varying requirements. Regulatory mandates such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) governing healthcare information privacy, the Gramm-Leach-Bliley Act of 1999 (GLBA) and the Sarbanes-Oxley Act of 2002 (SOX) affecting financial services, and many other existing or anticipated regulations are of concern to companies trafficking in such information, and to the regulators charged with their oversight. Industry guidelines and standards such as the Payment Card Industry (PCI) Data Security Standard require that specific security controls be put in place to protect consumer credit card data or otherwise meet partner and/or industry approval. Determining where and how an organization is storing private financial data or other personally identifiable information, and ensuring that adequate controls are in place to protect this information, are significant challenges for organizations of all sizes, in all industries.
In addition to their own compliance, companies are also grappling with assessing and managing risk from third-party service providers and vendors. This problem is particularly acute in the financial industry, where outsourcing and other forms of exposure to liability through information sharing with third parties are prevalent, and regulators are aggressively requiring financial institutions to manage the added risk of poor or non-compliance by their service providers. To help ease the pain of third-party risk assessments for financial institutions and service providers, BITS, a financial industry organization, has developed third-party assessment standards as part of its Shared Assessments program.
The BITS Shared Assessments Program, promulgated by a financial industry forum, is a relatively new process by which financial institutions evaluate the security controls of their IT service providers. The BITS program is directed to providing efficiencies and cost savings to financial institutions and service providers and to helping financial institutions align service provider testing with industry regulations. It depends on agreed-upon procedures and a standardized information-gathering questionnaire. There are reported to be more than 50 member companies, including 15 major financial institutions, which confirms the need for greater efficiencies in this area. A BITS Product Certification Program tests technology products, including software used to deliver financial services, against minimum security criteria established by the financial services industry.
The recent international “meltdown” of Wall Street and the mortgage and credit markets, blamed at least in part on lax regulatory requirements and oversight, will inevitably result in further national and international regulatory changes and evolving industry standards applicable to a wider range of organizations. Compliance requirements and assessments imposed by international treaties, individual governments and agencies, industries, and market leaders will become an even greater burden, risk, and cost concern for ever more organizations in the years ahead.
The complexity of an individual assessment project increases due to a number of factors: the number of people involved (“touchpoints”); the diversity of those people's responsibilities; their geographic dispersion; the breadth of the assessment questionnaire; and the time period allowed to respond and compile the results. Reductions in the complexity of an assessment project correlate directly with the workflow and productivity improvements that an enterprise assessment management solution can provide.
Various schemes have been developed to bring some degree of efficiency to the compliance monitoring and management process. Tables and mapping schemes have been developed to cross-reference lists of regulations to a set of questions, so that the answer to one question may be informative with respect to compliance with multiple regulations. However, it should be readily apparent that processes having a many-to-many relationship between questions and regulations expose a complicated set of relationships that are brittle and difficult from both use and maintenance perspectives: a change to one question's wording or answer ripples into the status of every regulation it is mapped to, and every new regulation requires revisiting the mapping of every existing question. This approach is of limited utility with respect to an industry-wide solution, due to the widely varying regulations, operations, and questions that would have to be associated to satisfy the needs of all users.
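The following is an added illustration of the cross-reference scheme described above; it is not part of the original application and does not reproduce any BITS or Shared Assessments content. The regulation names are taken from the text, but the question identifiers, the question-to-regulation mapping, the sample answers, and the list of known regulations are constructed placeholders. It rolls per-question answers up to per-regulation status through a many-to-many map, and adds the maintenance checks such a table needs (orphaned questions, regulations with no covering question) together with a "blast radius" query showing how many regulations a single question change touches.

```python
"""Many-to-many cross-reference of questionnaire items to regulations.

Constructed example. QUESTION_MAP, SAMPLE_ANSWERS and KNOWN_REGULATIONS are
illustrative placeholders, not a real questionnaire or regulatory mapping.
"""
from collections import defaultdict

# Each question supports the requirements of one or more regulations.
# Q5 is deliberately mapped to nothing, as happens when a regulation is
# retired from the table but its questions are left behind.
QUESTION_MAP = {
    "Q1": ["HIPAA", "GLBA", "PCI"],  # access control over stored sensitive data
    "Q2": ["PCI"],                   # encryption of cardholder data at rest
    "Q3": ["SOX", "GLBA"],           # change management / segregation of duties
    "Q4": ["HIPAA"],                 # breach notification procedure
    "Q5": [],                        # orphaned question (constructed)
}

# Constructed answers: True = control in place, False = control absent.
# Q4 is intentionally left unanswered.
SAMPLE_ANSWERS = {"Q1": True, "Q2": False, "Q3": True}

# Constructed list of regulations the assessment programme claims to cover.
KNOWN_REGULATIONS = {"HIPAA", "GLBA", "SOX", "PCI", "FERPA"}


def invert(question_map):
    """Build the reverse map: regulation -> set of questions bearing on it."""
    reg_to_q = defaultdict(set)
    for question, regulations in question_map.items():
        for reg in regulations:
            reg_to_q[reg].add(question)
    return dict(reg_to_q)


def evaluate(question_map, answers):
    """Roll yes/no answers up to a per-regulation status.

    A single 'no' on a shared question marks every regulation it maps to as
    having a gap; an unanswered shared question leaves all of them undecided.
    """
    report = {}
    for reg, questions in invert(question_map).items():
        gaps = sorted(q for q in questions if answers.get(q) is False)
        unanswered = sorted(q for q in questions if q not in answers)
        report[reg] = {
            "compliant": not gaps and not unanswered,
            "gaps": gaps,
            "unanswered": unanswered,
        }
    return report


def lint_map(question_map, known_regulations):
    """Consistency checks a hand-maintained cross-reference table needs."""
    reg_to_q = invert(question_map)
    return {
        # questions that no longer support any regulation
        "orphan_questions": sorted(q for q, regs in question_map.items() if not regs),
        # regulations the programme claims but no question addresses
        "uncovered_regulations": sorted(r for r in known_regulations if r not in reg_to_q),
        # regulations referenced by questions but not in the known list
        "unknown_regulations": sorted(r for r in reg_to_q if r not in known_regulations),
    }


def blast_radius(question_map, question):
    """Regulations whose status changes if this one question is edited or re-answered."""
    return sorted(question_map.get(question, []))


if __name__ == "__main__":
    for reg, status in sorted(evaluate(QUESTION_MAP, SAMPLE_ANSWERS).items()):
        print(reg, status)
    print("lint:", lint_map(QUESTION_MAP, KNOWN_REGULATIONS))
    print("editing Q1 affects:", blast_radius(QUESTION_MAP, "Q1"))
```

Running the block shows the coupling the text warns about: the single "no" on Q2 fails PCI, the unanswered Q4 leaves HIPAA undecided even though its other question passed, and editing Q1 would touch three regulations at once. The lint output surfaces the orphaned Q5 and the claimed-but-uncovered FERPA, the kind of drift that accumulates as regulations and questions are added independently.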