Sunday, June 23, 2013

The Alphabet Soup of Security Regulations (SOX, GLBA, PCI-DSS, HIPAA)

The alphabet soup of security regulations (SOX, GLBA, PCI-DSS, HIPAA) is evidence of the growing concern about security issues in every organization, government agency, corporation, and military unit. Organizations need to protect their market share, customers, and bottom line, follow the regulations, and still maintain their competitive edge. It pays to be familiar with all the various security regulations because they provide guidelines to protect the public and help corporations be socially responsible. Here is a list of some of the regulations and their descriptions.


SOX is short for the Sarbanes-Oxley Act of 2002. After the collapse of the fraudulent Enron and WorldCom, Senators Sarbanes and Oxley helped pass this securities law to protect investors. This bill affects IT because corporations that report to the Securities and Exchange Commission often use information technology and information systems to complete the company's financial accounting and reporting. SOX ensures that corporations have internal controls in place to ensure the proper recording of accounting information and to mitigate the risk of fraud.


GLBA is short for the Gramm-Leach-Bliley Act of 1999. The regulation requires financial institutions to develop privacy notices and give their customers the option to restrict financial institutions from sharing their information with nonaffiliated third parties. There should be a written security policy in place that explains how customer information is being kept confidential.

PCI-DSS stands for Payment Card Industry Data Security Standard. This standard applies to all businesses that process, transmit, store, and accept credit card data. There are 12 core requirements to follow, which I may write about in future blogs.


The Health Insurance Portability and Accountability Act (HIPAA) is a federal regulation enacted to standardize the handling of medical information by medical professionals and organizations. HIPAA provides the necessary framework and guidelines to ensure the security, integrity, and privacy of patients' information. Fines for violation of this regulation can be as much as $50,000 and one year in prison. The amount can go up to $250,000 and ten years in prison if the violation was done willingly and intentionally under false pretenses.

This is just a quick overview of some of the major information security regulations and standards, but there are many more. I think every information security practitioner needs to become familiar with the laws, directives, and regulations in computer and information security to be able to better serve their clients. In my next post, I will talk about the various certifications that are available for information security practitioners.
