Compliance Best Practices and Standards – CompTIA Security+ SY0-401: 2.6

The data in our organization may fall under some very important compliance regulations. In this video, you’ll learn about SOX, HIPAA, and GLBA compliance requirements.


There have been a number of new compliance regulations, and security concerns wrapped around compliance, in almost every part of every organization, it seems. There are certainly compliance issues relating to health care, relating to finance, and relating to any company that is public or wants to be public, certainly in the United States at least. If you are not compliant there can be fines and there can be jail time associated with these things. They are certainly not to be taken lightly.

A very common one in the United States is SOX, the Sarbanes-Oxley Act. You’ll almost always see it abbreviated as SOX. This is the Public Company Accounting Reform and Investor Protection Act of 2002. And it creates some compliance requirements around how an organization deals with its finances, its assets, and how it runs its books. This is a big problem for private companies and public companies in being able to maintain accounting reform and make sure that investors are protected in that.

If you’re in health care you’ve certainly heard of HIPAA, which is the Health Insurance Portability and Accountability Act. These are standards for storing customer– in your case– health care information if you’re a hospital or an insurance company, how you use that data, even how you transmit that data across the network. There are particular requirements for how you keep that information safe and how people access that data.

There’s also the Gramm-Leach-Bliley Act of 1999, the GLBA. Privacy information becomes a concern. And if you have an insurance policy, if you have information about your car, you may have noticed in the mail– at least in the United States– that a document showed up that says we have your private information, and here’s how we’re using it. A lot of those notification requirements come from the GLBA, to make sure that all of your private information stays private.

To give you a feel of just how important this is, let me tell you what happens if you are not compliant with the health care HIPAA requirements. You could be fined up to $50,000, or a year in prison, or both. It is a Class 6 felony. If you’re doing this under false pretenses the fine goes up, and you stay in prison a lot longer. If your intent is to sell, transfer, or use that information for a commercial advantage, personal gain, or to be malicious, it’s $250,000 and 10 years in prison.

There are also civil fines associated with this, not necessarily criminal. But your organization may have to pay out money, $100 for each violation, with the total amount not to exceed $25,000 for all violations of an identical requirement during a calendar year. And again, that’s a problem for organizations that are keeping this data. If you violate any of these there’s money going right out the door. And in some cases there may be people going to jail.

If your financial compliance is not up to snuff and you’ve violated the SOX requirements, you could be knocked off of your exchange. There could be a loss of the liability insurance that your directors have. This is actually a pretty big deal. There could be multi-million dollar fines. There is imprisonment, a lack of investor confidence certainly, and if you’re the CEO or CFO that sends this information in and it is wrong, you could be fined up to $1 million personally. And you could be thrown in jail for 10 years. If you’re doing this willfully– that is, you’re trying to get around the rules or make people think something that isn’t really true– the fine is $5 million. And your prison term can go up to 20 years.

So we’re talking about some very extensive penalties if you are not compliant with some of these requirements. And as a security professional, one of the things you have to always keep in mind is what you’re doing internally and how it affects your compliance with some of these requirements.