What regulatory compliance means for storage security
Besides securing corporate data, storage systems must also comply with the growing number of government regulations. With the start of 2004, you should extend your storage security plans to address various regulations.
There are multiple regulations by various states and countries that pertain to security and privacy of a variety of information. In this column, we outline some of the key regulations, their applicability and the required actions.
HIPAA (Health Insurance Portability and Accountability Act) of 1996 was discussed in our column of February 2003. Its compliance deadline is April 2005, while small health plans have until April 2006. Appendix A to Subpart C of Part 164 outlines the aspects of data security for covered information. A given safeguard may be "required" or "addressable." For example, documenting the security management process is "required", while implementing encryption and encryption specifications is "addressable." You must implement the "required" safeguards. For "addressable" safeguards, you can document why the implementation is not appropriate to your circumstances and implement an equivalent measure.
The Financial Services Modernization Act of 1999, or the Gramm-Leach-Bliley Act (GLBA), had a compliance date of July 1, 2002. It specifies the actions required for protecting the security and confidentiality of customers' non-public personal information. It applies to financial institutions.
The Sarbanes-Oxley Act (SOX) was passed in 2002. Most public companies must comply by June 15, 2004; smaller U.S. businesses and foreign companies must comply by April 2005. This act addresses several aspects of the security and controls of accounting and auditing processes. Examples include developing policies and practices for data integrity and confidentiality in handling complaints. The CEO and CFO are required to certify the accuracy of financial statements and make the related material available to the public. In this case, the security classification of certain stored information changes from company-confidential to public-use with the release of the financial statement.
Then there are other regulations such as California's Security Breach Information Act (SB 1386). This act came into effect in the state of California on July 1, 2003. It requires businesses to inform customers when their electronic data is compromised. To address this regulation, you may need to implement enhanced logging capabilities for your systems that contain personal information. SEC Rules 17a-3 and 17a-4 dictate the types of records that financial institutions must create and retain for certain periods of time.
Each regulation applies to different companies and different types of stored information. Sarbanes-Oxley applies to all public companies and accounting firms. HIPAA applies to healthcare insurers and health care providers. However, HIPAA also applies to the health-related employee information stored by any public company. The applicable stored information may range from a customer's private information to a corporate financial statement.
There is no single technology or solution that implements compliance. For each regulation, you may want to undertake a review of your environment against its specific requirements. This may require implementing technologies or processes, or simply documenting why the existing controls address the requirements. Simply implementing confidentiality (data encryption) does not necessarily address all regulations. Encrypting stored data brings its own issues, such as key management for long-term data storage. At the same time, some regulations require a variety of controls and processes, while others may also require protecting data integrity. A review of the applicable regulations may uncover simpler and lower-cost alternatives.
This was first published in January 2004