Regulatory Assessment Programs
Protecting data is no longer an option. Government regulations such as SOX, HIPAA, and GLBA require companies to develop, test, and monitor internal controls to protect their data and ensure its confidentiality, availability, and integrity. State regulations such as CA 1386 and WA 6043 require companies to not only protect consumer data, but to notify consumers if it has been compromised. In addition, new federal legislation has been introduced to Congress that would require consumers in all states to be notified of a breach in the security protecting their personal data. All of these laws contain severe civil and criminal penalties for noncompliance.
As part of its Regulatory Assessment Program, C5i has developed a detailed security assessment methodology based on federal standards and ISO/IEC 17799, the international standard for IT security, that can help commercial organizations comply with the myriad of federal and state data security regulations. This methodology provides a logical, comprehensive approach for ensuring that organizations comply with all applicable laws and guidelines and maintain adequate protection of their electronic data.
Examples of C5i's Regulatory Assessment Program evaluations that apply to specific industries and businesses are described in the sections below.
Under C5i's Regulatory Assessment Program, not only will you receive an evaluation and easy-to-read scorecard of your current security posture relative to the applicable federal regulations and industry best practices, but you will also receive recommendations for closing any security gaps that are identified. C5i can help you select and even implement cost-effective security controls to mitigate any identified risk.
Gramm-Leach-Bliley Act (GLBA)
The Financial Modernization Act of 1999, also known as the "Gramm-Leach-Bliley Act" (GLBA), includes provisions in its Financial Privacy Rule and Safeguards Rule to protect consumers' financial information. GLBA mandates that all financial institutions establish appropriate security controls to protect customer data from internal and external threats and unauthorized access, especially threats arriving through online systems and networks, given the rapid growth of Internet banking. C5i's GLBA Regulatory Assessment Program provides a comprehensive assessment of the IT controls of financial institutions to ensure that they comply with GLBA rules as well as industry best practices for IT security.
Health Insurance Portability and Accountability Act (HIPAA) Security Rule
Passed by Congress in 1996, HIPAA enacted sweeping reforms in the standardization and protection of electronic health information. HIPAA requires federal and private healthcare providers and any organization that creates, receives, maintains, or transmits electronic health information to protect that information against threats to its integrity, availability, and privacy.
C5i's HIPAA Regulatory Assessment Program provides a thorough examination of the IT security controls of those entities covered under HIPAA, especially its Security Rule and Privacy Rule. C5i will compare your organization's current security profile against HIPAA security standards, and provide a documented plan to eliminate any gaps.
Sarbanes-Oxley (SOX)
Even though the Sarbanes-Oxley Act (SOX), signed into law in 2002, focuses on the accuracy of financial reporting data and does not directly address IT security, the requirement for data integrity means that companies must ensure that their data is adequately protected. Section 404 of SOX specifically addresses information management, detailing the IT safeguards that must be built into financial reporting.
C5i can assist organizations as they begin their Section 404 compliance projects in preparation for their yearly financial audit. C5i's SOX Regulatory Assessment Program provides an evaluation of an organization's IT security controls using a comprehensive framework, such as the COSO Integrated Framework on Internal Control, as well as industry best practices and standards.
SCADA
Supervisory Control and Data Acquisition (SCADA) systems and other similar control systems, which are used to monitor and control distributed systems from a master location, are widely used by utilities and other companies that run the nation's critical infrastructure. From the power grid to water treatment to transportation, SCADA systems are vital to the nation's functioning. However, these systems are increasingly at risk because of their growing connectivity and their reliance on vulnerable operating systems. The SCADA systems used by today's utility companies were developed years ago, before the need for online security measures within these systems was anticipated.
Today, as more utility companies add new software and remote access points and rely on networked computer systems and infrastructure, SCADA systems are more vulnerable to attack than ever. In fact, online vulnerabilities may pose a greater risk of significant failures than a physical attack. C5i's SCADA Regulatory Assessment Program provides a comprehensive assessment of the IT controls of utilities and other companies that rely on SCADA systems, in order to identify and mitigate the direct and indirect security exposures of these systems. C5i uses industry best practices, such as ISO 17799, as well as specific regulations and guidelines, such as the North American Electric Reliability Council's (NERC) Critical Infrastructure Protection (CIP) regulations for computer security at electric utilities and power generators.
California Senate Bill No. 1386 (CA 1386)
Signed into law in 2002, California Senate Bill No. 1386 mandated not just the protection of consumer data, but also the notification of consumers if their data was compromised or stolen. It was a significant breakthrough in consumer rights, and a new milestone in IT security. Since it was enacted, several companies have had to notify millions of consumers of the theft of their personal data due to hacking, social engineering, and other computer crimes.
C5i's CA 1386 Regulatory Assessment Program provides a thorough examination of the IT security controls of those companies and agencies required to conform to California Bill No. 1386. C5i's methodology provides a comprehensive assessment of IT controls to ensure that the controls comply with CA 1386 standards and that consumer data is adequately protected. C5i can also help organizations develop computer security incident reporting mechanisms and procedures in order to comply with incident reporting requirements.
Washington Substitute Senate Bill 6043 (WA 6043)
Like its predecessor, CA Bill 1386, the Washington Substitute Senate Bill 6043 (WA 6043) mandates not just the protection of consumer data, but also the notification of consumers if their data was compromised or stolen. As with the CA 1386 program, C5i's WA 6043 Regulatory Assessment Program provides a thorough examination of the IT security controls of those companies and agencies required to conform to Washington Substitute Senate Bill No. 6043. C5i's methodology provides a comprehensive assessment of IT controls to ensure that the controls comply with WA 6043 standards and that consumer data is adequately protected.
Visa CISP and MasterCard SDP/Payment Card Industry (PCI) Data Security Standard
Both Visa and MasterCard require merchants and service providers who store, process, or transmit cardholder data to adhere to the Payment Card Industry (PCI) Data Security Standard, which provides a single, comprehensive approach to safeguarding sensitive data for all card brands. The PCI Data Security Standard also requires all merchants and service providers to undergo quarterly scans and annual compliance reviews.
As part of C5i's PCI Regulatory Assessment Program, our security experts will perform a risk assessment and confirm that all PCI Data Security Standard requirements are in place. Compliance will be validated according to the level of risk identified, which is based on the volume of transactions and the potential threats. C5i's evaluation will help merchants and service providers identify and correct vulnerabilities and ensure that appropriate levels of information security are maintained.