Financial Institutions Face Tight Compliance Requirements in 2007
In December, the Public Company Accounting Oversight Board (PCAOB), which establishes rules for compliance with Sarbanes-Oxley, proposed a new standard for Sarbox section 404, which governs internal controls over financial reporting, including IT controls. Separately, the Payment Card Industry data security standard will require merchants and payment processors to implement stringent IT security procedures, such as additional firewalls and access controls.
The new PCAOB standard is designed to focus auditors on the most important matters, increasing the likelihood that material weaknesses will be found before they lead to inaccurate financial statements.
Over the last two years, compliance with the section 404 provisions has required greater effort and resulted in higher costs than expected. The PCAOB concluded that auditors should perform internal control audits as efficiently as possible. The new standard is intended to eliminate unnecessary auditing procedures and focus on those that bolster the integrity of financial reporting.
â€œThe goal has been to create an auditing standard that preserves the intended benefits without resulting in unnecessary effort and costs," said PCAOB chairman Mark Olson. "We believe the new standard will result in audits that are more efficient, risk-based and scaled to the size and complexity of each company."
IT departments are scrambling to comply with a maze of laws and regulations around data security and privacy. These laws include both proactive components (having an information security policy, implementing access control technology) and reactive components (disclosure of security breaches). IT security needs to understand the meaning of legal terms such as material weakness, and translate them into actionable policies.
At least 33 states have enacted laws regarding data breaches with varying requirements and definitions. This legal patchwork makes compliance costly and inefficient. For the past ten years, governments and industry groups have enacted and published regulations in an effort to curb corporate financial malfeasance, identity theft and inappropriate access to personal data. Now, large and small companies around the world are grappling with mandates to comply with those regulations.
Financial institutions must often comply with multiple regulations, and do so in the context of other business objectivesâ€”such as reducing costs, improving customer service and employee productivity and increasing revenue.
Added to the challenge is that IT environments are constantly changing and new regulations are being added to the compliance mix. CIOs and IT departments are discovering that a comprehensive approach to information security based on best practices is often the key to supporting regularity compliance initiatives on an on-going basis.
Companies are faced with ever changing environmentsâ€”both in terms of their own IT infrastructure as well as the overall regulatory environment. The number of laws and regulations affecting IT security is proliferating. In Congress alone, there have been 25 bills focusing on cybersecurity, 130 bills focusing on the security of personal information, 57 bills focusing on information security, and 12 bills focusing on data security. In addition, most states have enacted laws modeled after California's data privacy law, which mandates disclosure of any security breach involving personal information.
Compliance alone is not sufficient to safeguard personal data; CardSystems was apparently in compliance with the PCI standard when it experienced a breach leading to the compromise of 40 million payment card accounts. Compliance is a form of risk mitigation; it should be weighted against the probability that a security episode will lead to economic losses.
Implementing an effective compliance program starts with establishing who is who in an online world. This requires the development of authentication mechanisms that go well beyond simple passwords in order to establish a trusted identity for individuals within an organization. Only after authentication policies have been set and communicated can an organization be sure that they will be uniformly and effectively implemented and maintained.
Enhancing and enforcing authentication processes is the first step in the identity and access management process. Institutions need to develop and document a comprehensive authentication policy which dictates the use of mechanisms to validate user identity per system and/or application. All authentication techniques used should be governed by policy (e.g., password policy, remote access policy, certificate policy).