Compliance/Governance

A web application must have adequate measures to guard against remote adversaries and a wide range of threats. In addition, a company whose application must achieve compliance has many regulations to adhere to.

The prominent ones are listed below:

GLBA

The Gramm-Leach-Bliley Act (GLB Act), also known as the Financial Modernization Act of 1999, is a United States federal law that controls the ways in which financial institutions handle the private information of individuals. Its privacy provisions consist of three parts: the Financial Privacy Rule, the Safeguards Rule, and the Pretexting provisions. The Act also requires financial institutions to give customers written privacy notices that explain their information-sharing practices.

HIPAA

(Health Insurance Portability and Accountability Act of 1996, Public Law 104-191) Also known as the "Kennedy-Kassebaum Act," this U.S. law protects employees' health insurance coverage when they change or lose their jobs and sets standards for the interchange of patient health, administrative and financial data. The implementing rules, issued by the Department of Health and Human Services, took effect in 2001, with compliance required in phases up to 2004.

SOX (Sarbanes-Oxley Act)

The Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation enacted in response to the high-profile Enron and WorldCom financial scandals to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. The act is administered by the Securities and Exchange Commission (SEC), which sets deadlines for compliance and publishes rules on requirements. Sarbanes-Oxley is not a set of business practices and does not specify how a business should store records; rather, it defines which records are to be stored and for how long. The legislation affects not only the financial side of corporations but also the IT departments responsible for storing a corporation's electronic records. IT departments are increasingly faced with the challenge of creating and maintaining, in a cost-effective fashion, a corporate records archive that satisfies the requirements of the legislation.

EU Data Protection Act

The Data Protection Act 1998, which implements the EU Data Protection Directive (95/46/EC) in the United Kingdom, came into force on 1 March 2000. The protection of individual privacy tops the list of its salient features. It insists that companies processing personal data comply with eight data protection principles, and it gives individuals a set of enforceable rights to ensure that their privacy is not invaded in any way.

Some of the prerequisites for complying with this framework, including the related EU privacy and electronic communications rules (Directive 2002/58/EC), are given below.

The Act:

  • Requires businesses to gain prior consent before sending unsolicited advertising e-mail to individuals.
  • Requires that the use of cookies or other tracking devices is clearly indicated and that people are given the opportunity to reject them.
  • Permits network operators and their partners to provide subscription and advertising services based on location and traffic data to their customers. There is no restriction on the type of service that may be provided, as long as subscribers are informed of the data processing implications and give their consent.
  • Ensures stronger rights for individuals to decide whether they wish to be listed in subscriber directories. Clear information about the directory must also be given, e.g. whether further contact details can be obtained from just a telephone number or a name and address.

FISMA

The Federal Information Security Management Act of 2002 (FISMA) was enacted to streamline, while at the same time strengthening, the requirements of its predecessor, the Government Information Security Reform Act (GISRA). FISMA requires federal agencies to improve the security of their IT systems, applications, and databases. By setting a baseline of requirements for government agencies, FISMA calls for risk and vulnerability measurement through information security best practices, so that agencies can ensure the confidentiality, integrity, and availability of federal information systems.

Privacy Act

The Privacy Act of 1974 mandates that each United States Government agency have in place appropriate administrative, technical and physical safeguards to prevent the unauthorized release of personal records.

In addition to these regulations, there are region-specific regulations that apply in Asia, for example:

RBI: Reserve Bank of India

ESCA: Electronic Signatures and Certification Authorities

BNM: Bank Negara Malaysia
