Compliance and Your Business

| Regulation or standard | Summary |
|---|---|
| Gramm-Leach-Bliley Act | Requires financial institutions to protect the confidentiality and integrity of customer records. |
| HIPAA | Requires healthcare organizations to improve the security of online data. |
| FDA 21 CFR Pt 11 | Reinforces FDA regulations on electronic record keeping and the use of electronic signatures. |
| NERC CyberSecurity | Safeguards the reliability of utilities delivering bulk electricity to the electrical grid. |
| California SB 1386 | Requires notification of anyone whose information is in a database that suffered a security breach. |
| Sarbanes-Oxley Section 404 | Details IT safeguards that must be built into financial reporting. |
| CALEA | Defines the obligations of telecom carriers in lawful electronic surveillance. Governs the behavior of carriers and telephone solicitors. |
| ISO 27002 | An internationally recognized standard that provides the foundation of a solid information security program. |
| COBIT | A generally applicable standard for IT security and control. |
| NIST | A source of best-practice IT security information and guidelines. |
| FFIEC | Authorized to mandate uniform standards, principles, and report forms to be used in federal inspection of banks and other financial institutions. |
| Credit Card Security | PCI: Visa CISP, MasterCard SDP program, and American Express standards to safeguard customer accounts. |

Learn More: To talk to us about security and your business, call 650-426-5310 or submit your inquiry online. Or, see Enterprise Compliance Assessments and Security Certification Program for how we can help you.
Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act, requires financial institutions such as banks, insurance companies, and brokerage firms to establish administrative, technological, and physical safeguards to protect the confidentiality and integrity of customer records.

To comply with GLBA, you must identify and assess risks, plan and implement solutions to protect sensitive information, and establish measures to continuously monitor security.

We help financial institutions assess their existing security architecture and develop and implement an information security program that is consistent with section 3.14.
HIPAA
The Healthcare Insurance Portability and Accountability Act (HIPAA) was passed in 2002 in reaction to the growing trend in the healthcare industry to move information online. Improving business processes and communications has great potential to improve patient care and lower costs, but it may also put electronic data at risk. HIPAA is designed to address that risk.

Certain portions of HIPAA require all healthcare organizations to make a thorough IT risk assessment. The development and implementation of a plan for improving security and maintaining that security are also required.

We’re experts in healthcare compliance and can lead both the risk assessment and its implementation.
FDA 21 CFR Pt 11
FDA 21 CFR Pt 11 was passed in reaction to the trend among pharmaceutical companies and medical device manufacturers to use the Internet to speed up communications and share data such as trial results. The business benefits are clear, but so are the risks. FDA 21 CFR Pt 11 reinforces FDA regulations on electronic record keeping and the use of electronic signatures.

To comply, you’re required to conduct a risk analysis and implement improved methods of handling electronic records and signatures.

We can conduct the risk analysis. We can also implement procedures relating to the handling of electronic records and signatures to help you meet the requirements.
NERC CyberSecurity Standard
The CyberSecurity standard doesn’t have the force of law in the sense that, say, HIPAA does. Compliance is essential, however, because a utility that doesn’t meet the standard won’t be able to do business. The CyberSecurity standard was initiated by the North American Electricity Reliability Council (NERC). The goal is to safeguard the reliability of utilities delivering bulk electricity to the electrical grid.

Starting in the first quarter of 2004 and into the foreseeable future, all utilities delivering bulk electricity are required to identify and protect critical cyber assets.

The identification and protection of critical cyber assets means that your IT system requires a risk assessment and the implementation of higher standards of security. The required goals are defined in Section 1201 of the standard. We can design an information protection system that meets these goals.
California SB 1386
California SB 1386 requires that any person or organization operating an electronic database that stores the personal or confidential information of an individual residing in California immediately notify the individual in the event of a security breach of the database. The notification requirement applies even if there is no indication the information was stolen or misused. Most experts think this law will rapidly be duplicated in other states.

Because reporting the breach, whether online or by letter, is difficult, expensive, and could harm your reputation, it’s important to eliminate most breaches and effectively defend against the rest.

We can help by providing a detailed plan to upgrade your information security and by helping you carry out and maintain that plan.
Sarbanes-Oxley Section 404
Sarbanes-Oxley (SOX), passed in 2002, implements new requirements for companies that are publicly traded. Section 404 specifically concerns itself with information management, detailing IT safeguards that must be built into financial reporting.

Section 404 sets specific guidelines for core financial reporting. You need to develop a reporting methodology that meets those guidelines and that has a high level of IT security and integrity.

Our compliance assessments include reviews that are designed to address the requirements in Section 404. We assess core financial reporting systems and recommend improvements in IT security and overall IT operational efficiency. We also help you develop training programs that aid IT staffers in meeting their new requirements.
CALEA Compliance and Do-Not-Call Registry
The Communications Assistance for Law Enforcement Act (CALEA) defines the obligations of telecommunications carriers to assist law enforcement in lawful electronic surveillance. The Do-Not-Call Registry requires telephone solicitors to take customers off their call lists at the customer’s request and requires carriers to make sure the solicitors honor their commitment.

You should be ready to aid law enforcement agencies in a timely manner, and to make sure that Do-Not-Call requests are honored. You must also ensure network safety so that surveillance efforts do not backfire. We can analyze your existing network to see where risks are and also define and implement a network that helps reduce those risks.
ISO 27002
ISO 27002 Information Technology – Security Techniques – Code of Practice for Information Security Management is one of the most widely recognized and accepted standards being used as the basis for information security programs worldwide. ISO 27002 covers:

- Security Policy
- Organization of Information Security
- Asset Management
- Human Resources Security
- Physical and Environmental Security
- Communications and Operations Management
- Access Control
- Information Systems Acquisition, Development, and Maintenance
- Information Security Incident Management
- Business Continuity Management
- Compliance

Compliance with ISO 27002 can be the foundation of a solid information security program for your business. Compliance requires being able to demonstrate that you have met each of the ISO 27002 objectives, as applicable to your organization.

VeriSign’s Global Security Consulting organization has the knowledge and experience to help you meet the ISO 27002 requirements. We can perform a complete assessment of your information security program, including people, processes, and technology. In addition to assessing your program, we can assist in development and implementation, such as security program strategy, security policy development, incident response, security awareness and training program development, and business continuity and disaster recovery planning, to name a few.

VeriSign’s iDefense Security Intelligence Service and Managed Security Services also offer solutions to help your organization achieve compliance with ISO 27002.
COBIT
COBIT, developed and maintained by the IT Governance Institute, aims to be a generally applicable standard for IT security and control. It has wide US and international acceptance, and is quick to develop methodologies for new challenges such as Sarbanes-Oxley.

You aren’t required to comply with COBIT. Rather, it’s a methodology that’s designed to help companies maintain IT security in a uniform way. The goal of meeting COBIT standards is that you’ll approach IT security in a systematic way, in line with accepted industry standards.

We can help you decide if COBIT is the best compliance vehicle for your business. We’ll then use its standardized rules as the basis for our risk assessment of your infrastructure. We’ll also incorporate its guidelines for the implementation of IT safeguards in our recommendations.
NIST
The National Institute of Standards and Technology (NIST), founded by the government in 1901, is a non-regulatory agency that sets standards for product quality, building safety, and a wide range of other industrial and scientific activities. Despite its age, NIST has continued to grow with technology. The Computer Security Division was launched in 1987, primarily to provide guidelines to Federal IT departments, but also to work with industry.

Because NIST is non-regulatory, there are no specific compliance standards. However, NIST is an excellent source of best-practice IT security information and guidelines.

Although NIST is non-regulatory, bringing your IT department into line with NIST standards can prepare you for the requirements you may be subject to under certain regulations such as HIPAA and Sarbanes-Oxley. We’re fully conversant with NIST guidelines. We can use those guidelines to provide a risk assessment of your current network, and to design and implement a stronger IT system.
FFIEC
The Federal Financial Institutions Examinations Council (FFIEC) is a Federal interagency body with the authority to apply uniform standards, principles, and report forms to be used in federal inspection of banks and other financial institutions. Institutions regulated by the Board of Governors of the Federal Reserve Bank, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, or the Office of Thrift Supervision are subject to FFIEC regulations.

Because the FFIEC has the full power of the government behind it, and because your institution may be subject to inspection from a number of different angles, it is essential that you understand what the FFIEC requires and are prepared to adhere to those requirements.

FFIEC is highly specialized, and we maintain a high level of expertise in the field. We provide an assessment of your current network and show you how to remodel it to bring it into line with required standards and principles. We also show you how to upgrade your reporting forms as the FFIEC demands. If that documentation requires changes from your current system, we develop a plan to integrate it into your working setup so as to minimize disruption.
Credit Card Security
The major credit card companies, Visa, MasterCard, and American Express, have all initiated security programs to safeguard customer accounts and to make using their cards online safer.

VeriSign is an authorized assessor and scanning provider for Visa’s Cardholder Information Security Program (CISP) and MasterCard’s Site Data Protection (SDP) program. Our assessments also include the information security standards published by American Express.

VeriSign can provide credit card security assessment and certification for your organization.