This library offers a collection of information and resources specifically focused on computer security, data destruction, document life-cycle solutions, compliance and password management. All resources are available to post and distribute on your website, forums, blogs and other compilations, with the strict stipulation that these works must be published in their entirety, with full credit and notice given to their origin and copyright. You may also link directly to these items. Please contact us if you have any questions regarding re-publication or distribution.
Our goal is to develop a comprehensive security portal. We welcome your suggestions and will work hard to include information you may require. This project is in constant development, and your suggestions for additional content are very much appreciated.
We invite relevant, on-topic submissions for inclusion. If you are interested in submitting papers, audiocasts or other media, please contact us. We will also consider the exchange of links as applicable.
Articles
Legal Requirements to Delete EU Personal Data by James M. Jordan
This paper, prepared by the former Chief Privacy Leader and Senior Counsel for E-Commerce & Information Technology of General Electric Company, is required reading for those assigned the stewardship of European-based personal data and records.
Data Destruction and Document Life Cycle Policies:
Considerations for Compliance with Federal Mandates and Acts
A perspective on issues relating to electronic data retention and how it relates to compliance with federal and state regulations such as Sarbanes-Oxley (SOX), HIPAA, FACTA, Gramm-Leach-Bliley (GLBA) and others.
The Seven Sins of Degaussing
Degaussing a hard drive is a procedure that utilizes a machine to produce strong electromagnetic fields that destroy magnetic data on a disk. While many are initially impressed with the speed of this process, there are serious disadvantages to degaussing.
Security Issues with Decommissioning Magnetic Media
This document describes practical considerations of taking magnetic media out of useful service or transferring such media to other departments or organizations. After raising awareness of the security, business and legal concerns, the document evaluates different techniques so that the reader can assess the available options. Finally, the cyberCide™ product is presented as a cost-effective solution to address these risks.
Legal and Regulatory Violations Caused by Not Destroying Data Before Discarding
A comprehensive chart referencing various types of data and the acts and regulations they are subject to. An essential resource for compliance.
Practical Uses of CyberScrub Technology to Ensure the Secure Deletion of Data
This paper touches briefly on the practical applications of deploying CyberScrub products and technology to 1) wipe free and slack space on hard drives and 2) effect the transparent secure erasure of selected files and folders through standard keyboard interaction.
Audiocasts/Podcasts
Listen to this informative talk by noted attorney and Ziff Davis Security Virtual Tradeshow panelist Jon Neiditz. Topics include the implications of data destruction in reference to federal compliance acts and policies.
Government Reports
PRIVACY: Domestic and Offshore Outsourcing of Personal Information in Medicare, Medicaid, and TRICARE
An astounding number (>40%) of health insurance contractors and state Medicaid agencies experienced a breach of PHI and other privileged health information within the last 24 months, according to a new Government Accounting Office report.
Compliance Solution Advisors Headlines
Gramm-Leach-Bliley Act Headlines
LogRhythm and GLBA Compliance
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999, was enacted to ensure protection of customers' records and information. Authorization to implement this act was given to the Federal Trade Commission (FTC), with an effective date for compliance set on May 23, 2003. GLBA consists of three primary parts: the Financial Privacy Rule, the Safeguards Rule, and the Pretexting provisions.
Harmonizing Controls to Reduce Your Cost of Compliance
Mounting regulations across the globe have increased the cost and burden on organizations. The high cost is especially felt by organizations which must adhere to multiple requirements: 75 percent of organizations must comply with two or more regulations and corresponding audits, and more than 40 percent must comply with three or more regulations.
Audit preparation typically occurs in functional silos, with different project teams focused on addressing an individual compliance initiative, resulting in significant operational inefficiencies and higher costs to demonstrate compliance.
This webinar examines the Unified Compliance Framework and how it can be leveraged to harmonize controls across multiple regulations such as PCI, SOX, HIPAA, NERC and many others. Learn how to eliminate overlapping control requirements and ensure a more efficient and less costly approach to compliance.
Endpoint Security Considerations for Achieving GLBA Compliance
Rebooting the global financial system may take years. The international move to new regulatory organizations will require financial institutions to change the way they do business. No one knows exactly how the system will change yet, but one thing is certain: financial institutions will be required to protect the security and confidentiality of customer information. The Gramm-Leach-Bliley Act (GLBA) of 1999 (P.L. 106-102) defines guidelines and standards for safeguarding customer information. These rules apply to all financial institutions doing business in the U.S. New laws and financial regulations for the coming reboot may change GLBA, but increasing threats to customer data will only guarantee tighter security requirements.
GLBA Compliance Requires That Leaks Be Sealed
Financial institutions must protect customer privacy and adhere to regulatory requirements. The Gramm-Leach-Bliley Act of 1999 (GLBA) restricts the sharing of private customer data; even the accidental loss of sensitive information can trigger profound consequences. Not limited to banks, GLBA applies broadly to the financial community. It affects financial institutions such as non-bank mortgage lenders, insurance companies and investment advisors. In addition to formulating a privacy policy, financial institutions must implement "administrative, technical and physical safeguards", according to the Federal Trade Commission.
Basel II Compliance With Tripwire: Configuration Control for Virtual and Physical Infrastructures
As if financial institutions did not have enough compliance worries, a new international standard, Basel II, now looms on the compliance horizon. Unlike other laws and standards affecting financial institutions in the US and overseas, such as the Gramm-Leach-Bliley Act ("GLBA"), the EU Data Protection Directive and the PCI Data Security Standard, the ramifications of this standard extend beyond protection of electronic consumer data. Instead, Basel II focuses on the institution's core functions of evaluating, planning for, and disclosing financial risk.
Achieving Federal Desktop Core Configuration Compliance (FDCC) with Lumension® Solutions
The Federal Desktop Core Configuration (FDCC) is an Office of Management and Budget (OMB) mandated security configuration set applicable within United States Federal Government agencies. Private enterprises may also choose to use this established framework as a foundation for their own security configuration baselines. All federal agencies that use or plan an upgrade to either Windows XP or Vista must report compliance, with FDCC reporting requirements dictated by the standard FISMA reporting guidance. The FDCC-specific configuration requirements are generally based on the principle of least privilege, restricting user and machine rights. This whitepaper examines the FDCC requirements and the compliance challenges, including vulnerability management, change control, and system security management, and also highlights how Lumension's SCAP-validated FDCC scanner is integrated with a complete vulnerability management solution to enable compliance with these standards.
Improve Performance, Reduce Data Growth Costs - Archiving ERP Applications
View this Webcast to find out from the experts how effective application archiving can help you manage your production database, control data growth, and ultimately improve your bottom line. You'll learn to:
Improve performance of the production environment
Archive or purge inactive transactional data automatically to an online database or offline flat file
Maintain complete application integrity
Comply with data retention regulations
Reduce application storage footprint
Enable accessibility to archived data
Further your bottom-line savings with application retirement
Developing a Sustainable IT Compliance Program
Today's IT compliance environment is becoming increasingly complex, driven by pressures in both the legislative environment and in technology itself. The legislative environment around IT is extremely complicated and changing rapidly. Companies must now respond to legislation at the state, national, and international levels, environments which are complex and often contradictory. At the same time, the legal penalties for non-compliance and data breaches are skyrocketing. New technology trends are simultaneously increasing the complexity of the computing environment, making compliance more difficult and issues more nebulous. Read this ExecBlueprint, featuring insights from three top compliance attorneys, to see why IT leaders must partner with their peers throughout the organization to create a complete compliance program that is robust and sensitive to the forces continually shaping the landscape.
Dynamic Warehousing for Banking Buyer's Guide: A comprehensive solution for leveraging data in today's financial industry
Most organizations realize that the key to success lies in how well they manage data, and the banking industry is no exception. From customer statistics to strategic plans to employee communications, financial institutions are constantly juggling endless types of information. Not only does this data provide the basis for major corporate moves, it also impacts business on a more granular level by helping to maintain customer loyalty and improve staff productivity. Simply put, a bank's information is its lifeline. That's why it's critical for financial institutions to be able to access relevant data when it's needed most.
Privilege Access Control For Compliance with Gramm-Leach-Bliley Act (GLBA)
Symark PowerBroker enables IT compliance with the Gramm-Leach-Bliley Act, protecting consumers' non-public personal information on UNIX and Linux systems. Gartner's paper on the importance of controlling UNIX superuser privileges is reviewed to explain the security gap between UNIX operating system design and GLBA compliance. PowerBroker bridges that gap, securing private consumer information through privilege delegation, encryption, and accountability.
Passing Compliance Audits in Heterogeneous UNIX/Linux Datacenters
Lack of access controls in native UNIX/Linux operating systems prevents them from passing today's compliance audits. Security issues surrounding the practice of sharing access to privileged accounts and the absence of least-privilege access control make accountability a near impossibility. Symark Software's PowerBroker enables IT departments to bring these systems into compliance with multiple mandates such as PCI DSS, SOX, HIPAA and GLBA. PowerBroker creates RBAC-like access control that simplifies security administration and lowers its cost across heterogeneous platforms.
Getting in Compliance with Government Data Regulations by Leveraging Online Security Technology
Concerned your site is not in compliance with serious data regulations? Be sure to stay on top of regulations such as PCI, HIPAA, Sarbanes-Oxley, FISMA and others which help keep your customers safe. Learn about these regulations and how to comply with them when you read this free white paper, "Getting in Compliance With Government Data Regulations By Leveraging Online Security Technology."
iSeminar: Meeting the Challenges of Compliance
This Internet seminar explores the compliance issues facing midsize organizations and how Oracle solutions can resolve them affordably and efficiently.
Identity Management for Midsize Businesses: Reducing Costs, Securing Data and Ensuring Compliance
This whitepaper highlights the unique needs of midsize businesses and explores the factors driving them toward stronger identity management platforms, such as Oracle Identity Management.
How to Manage Compliance Requirements Across Your Emerging or Midsize Organization
Companies need a systemic way to manage compliance requirements across the organization. Oracle's unified approach is more sustainable, cost-effective, and adaptable than ad-hoc approaches to governance and compliance.
Sarbanes-Oxley Headlines
Sarbanes-Oxley and How It Affects Information Technology
While Sarbanes-Oxley does not directly regulate technology, it does regulate business practices, which include manual and electronic (IT) processes and the implementation of internal controls. The SEC defines internal control over financial reporting as a process designed by, or under the supervision of, the company's principal executive and financial officers, or persons performing similar functions, and implemented by the board of directors, management, and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external use in accordance with generally accepted accounting principles. That definition includes policies and procedures that pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the issuer.
Sarbanes-Oxley Section 404 Internal Controls and Actuarial Processes
The passage and implementation of the Sarbanes-Oxley Act of 2002 was the most significant landmark legislation in securities regulation and corporate governance in the US since the SEC Act of 1934. In particular, Section 404 of the Act, requiring management assessment of and assertion on the effectiveness of internal controls along with the requirement that the auditor attest to the assertion, has greatly impacted actuarial work processes for many actuaries. This paper discusses the implications of the Act for actuaries based on analysis of actuarial functions within insurance companies. Also discussed are the observed impacts within the industry to date. Based on these observations and experiences, an overview of a typical internal control framework is introduced.
Electronic Evidence & the Sarbanes-Oxley Act of 2002
In response to the recent series of highly publicized business scandals, Congress passed the Sarbanes-Oxley Act. President Bush signed the Act into law on July 30, 2002. The legislation aims to strengthen accounting oversight and corporate accountability by enhancing disclosure requirements, increasing accounting and auditor regulation, creating new federal crimes, and increasing penalties for existing federal crimes. Similar to other areas of the law, Sarbanes-Oxley embraces the issues developing around the proliferation of electronic evidence. With 93% of all business documents created electronically and only 30% ever printed to paper, corporations in the last few years have been compelled to address the retention of, and potential liability associated with, electronic documents and communication.
Using Automated Tools to Improve Sarbanes-Oxley Implementations
Sarbanes-Oxley has not changed the way Internal Auditors must carry out their duties. It has strengthened their position and independence. There is no need to change the Internal Audit approach if it was diligently implemented in the past. But there is a need to improve the documentation of the field work performed. Internal Auditors used to be free of the strict documentation requirements to which external auditors were subject for evidencing their work in the case of litigation. Some major companies had implemented a peer-review system, for which field audit work must be documented to a level that allows work paper review. However, such an approach remains voluntary within the industry.
New Sarbanes-Oxley Rules Make Document Retention Dizzying
It is no secret that public corporations across the country are feeling the effects of the landmark Sarbanes-Oxley legislation signed into law last July. Aimed at strengthening accounting oversight and corporate accountability, the legislation enhances disclosure requirements, increases accounting and auditor regulation, creates new federal crimes, and increases penalties for existing federal crimes. In addition, similar to other areas of the law, the Sarbanes-Oxley Act compels corporate America to embrace the e-information age now more than ever. With more than 93% of all business documents created electronically and only 30% ever printed to paper, corporations in the last few years have been compelled to address the retention of, and potential liability associated with, electronic documents and communication.
Compliance With Sarbanes-Oxley Requires Formal Ethics Training: Are You Doing It?
This paper focuses on the business environment after the Sarbanes-Oxley Act of 2002 (SOX). The premise of this paper is that after decades of erosion of regulations to prevent corporate and personal self-serving behavior, the legislation of the Sarbanes-Oxley Act of 2002 (SOX) is not enough to prevent unethical behavior. Kohlberg's moral development theory states that cognitive ethical reasoning becomes more complex as one matures and gains cognitive processes. This paper assumes anyone with lower-order ethical reasoning is not able to process higher-order ethical reasoning. The theory is another indication that high ethical standards exhibited today do not guarantee the same standards tomorrow.
Going-Private Decisions and the Sarbanes-Oxley Act of 2002: A Cross-Country Analysis
This paper investigates whether the regulatory regime created by the Sarbanes-Oxley Act of 2002 (SOX) has driven firms in general, and small firms in particular, out of the public capital market. Previous attempts to address this question have had difficulty controlling for other factors that could have affected exit decisions around the enactment of SOX. To address this difficulty, the authors compare the post-SOX change in the propensity of public American target firms to be bought by private acquirers rather than public ones with the corresponding change for foreign target firms, which were outside the purview of SOX. The findings are consistent with the hypothesis that SOX induced small firms to exit the public capital market during the first year of its enactment.
The Sarbanes-Oxley Act and Firms' Going-Private Decisions
This paper investigates firms' going-private decisions in response to the passage of the Sarbanes-Oxley Act of 2002 (SOX). The Act has the potential to bring both benefits, in terms of more transparent disclosure and improvement in corporate governance, and costs, in terms of complying with the new regulation. It argues that firms go private in response to SOX only if the SOX-imposed costs to the firm exceed the SOX-induced benefits to shareholders, and this difference swamps the net benefit of being a public firm prior to the passage of SOX.
What Does Sarbanes-Oxley Mean for Ore Reserve Reporting?
The United States Congress signed the Sarbanes-Oxley Act (SOX) into law on July 30, 2002, "To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes." SOX was a response to accounting and corporate governance scandals in the United States and was the most comprehensive federal securities legislation in recent history and the most comprehensive ever for corporate governance. SOX is intended to improve the quality and reliability of financial information in the United States through more oversight and compliance in the financial process.
Easing Sarbanes-Oxley Compliance by Giving Business Users Control Over Their Data
The Sarbanes-Oxley Act (SOX) of 2002 is one of the top priorities at US-based public companies today. In companies that have implemented SAP, one of the most common open SOX audit issues is that users in the IT departments have very broad access to production data in SAP. Therefore, companies are finding that they have to take many data access privileges away from IT users. This has severely limited the ability of IT support staff to assist in routine data maintenance activities. Thus, there is a pressing need at many companies for business users to be responsible for their own production data maintenance activities. This paper describes how companies can give business users control of their own data and ease their compliance with SOX.
Information Control With Sarbanes-Oxley: Is Your Business Compliant?
This white paper discusses the role of security and record retention within the context of the Sarbanes-Oxley Act, and the steps businesses must consider to ensure compliance. The sections of the Act relevant to security and record retention are reviewed, followed by company interpretations and their actions related to compliance.
The Effects of Sarbanes-Oxley on the Public Accounting Industry
The Sarbanes-Oxley Act of 2002 was intended to improve corporate governance and increase the transparency of financial audits. The legislation also could have significant effects on the public accounting industry. This study finds evidence of higher audit fees across all firms resulting from compliance with the law. However, after accounting for self-selection of auditors, the authors do not find evidence that the size of the audit firm affects the magnitude of the audit fee increase.
An Unfair Burden or Economic Darwinism?: The Impact of Sarbanes-Oxley Section 404 on Smaller Public Companies
The crumbling of Enron from within severely damaged investor confidence in US capital markets. The Sarbanes-Oxley Act (SOX) tightened the regulation of publicly traded companies in an effort to restore investor confidence. Signed into law in July 2002, SOX motivated both managers and auditors to do more work to ensure that the information contained in financial statements is accurate. As a consequence, managers have to reevaluate their accounting practices before subjecting those practices to the additional scrutiny required by SOX. Specifically, Section 404 of the Sarbanes-Oxley Act (SOX) has required publicly held companies to incur substantial costs documenting and testing the mechanisms they employ to prevent, detect and correct accounting errors (whether intentional or unintentional) before these errors appear in published financial statements.
Sarbanes-Oxley and Incentive Compensation Management
The Sarbanes-Oxley Act (better known as SOX, but officially known as the Public Company Accounting Reform and Investor Protection Act of 2002) requires companies to establish and maintain internal financial controls. One of the major provisions of SOX is that systems need to provide an archive or audit trail, which is something that spreadsheets simply weren't designed to do. As a result, companies that still use Excel for their sales compensation management functions face major financial and legal exposure.
Automating Sarbanes-Oxley Compliance Testing for SAP Applications
The Sarbanes-Oxley Act of 2002 changed the way publicly held companies manage and, more importantly, control their business. For most companies, the most costly aspect of the legislation is Section 404, which includes the requirement for both internal management and an external auditor to report on the adequacy of the company's internal controls over financial reporting. This paper provides an overview of the compliance automation opportunity, how to validate the time and cost savings associated with this approach, and the process for implementing an optimal automated compliance environment.
Regulatory Compliance Headlines
Sarbanes Oxley and How It Affects Information Technology While Sarbanes Oxley does not directly regulate technology it does regulate business practices, which include manual and electronic (IT) processes and the implementation of internal controls. The SEC defines internal control over financial reporting as a process designed by, or under the supervision of the company's principal executive and financial officers, or persons performing similar functions, and implemented by the board of directors, management, and other personnel to provide a reasonable assurance regarding the reliability of financial reporting and the preparation of the financial statements for external use in accordance with generally accepted accounting principles and includes policies and procedures that pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the issuer.
Sarbanes-Oxley Section 404 Internal Controls and Actuarial Processes The passage and implementation of the Sarbanes-Oxley Act of 2002 was the most significant landmark legislation in securities regulation and corporate governance in the US since the SEC Act of 1934. In particular, Section 404 of the act requiring management assessment and assertion on the effectiveness of internal controls along with the requirement that the auditor attest to the assertion, has greatly impacted actuarial work processes for many actuaries. This paper discusses the implications of the Act for actuaries based on analysis of actuarial functions within insurance companies. Also discussed are the observed impacts within the industry to date. Based on these observations and experiences, an overview of a typical internal control framework is introduced.
Electronic Evidence & the Sarbanes-Oxley Act of 2002 In response to the recent series of highly publicized business scandals, Congress passed the Sarbanes-Oxley Act. President Bush signed the Act into law on July 30, 2002. The legislation aims to strengthen accounting oversight and corporate accountability by enhancing disclosure requirements, increasing accounting and auditor regulation, creating new federal crimes, and increasing penalties for existing federal crimes. Similar to other areas of the law, Sarbanes-Oxley embraces the issues developing around the proliferation of electronic evidence. With 93% of all business documents created electronically and only 30% ever printed to paper, corporations in the last few years have been compelled to address the retention of and potential liability associated with electronic documents and communication.
Using Automated Tools to Improve Sarbanes-Oxley Implementations Sarbanes-Oxley has not changed the way Internal Auditors must carry out their duties. It has strengthened their position and independence. There is no need to change the Internal Audit approach if it was diligently implemented in the past. But there is a need to improve the documentation of the field work performed. Internal Auditors used to be free of the strict documentation requirements to which external auditors were subject to, for evidencing their work in the case of litigation. Some major companies had implemented a peer-review system, for which field audit work must be documented to such level that it allows work paper review. However, such an approach remains voluntary within the industry.
New Sarbanes-Oxley Rules Make Document Retention Dizzying It is no secret that public corporations across the country are feeling the effects of the landmark Sarbanes-Oxley legislation signed into law last July. Aimed at strengthening accounting oversight and corporate accountability, the legislation enhances disclosure requirements, increases accounting and auditor regulation, creates new federal crimes, and increases penalties for existing federal crimes. In addition, similar to other areas of the law the Sarbanes-Oxley Act compels corporate America to embrace the e-information age now more than ever. With more than 93% of all business documents created electronically and only 30% ever printed to paper, corporations in the last few years have been compelled to address the retention of and potential liability associated with electronic documents and communication.
Compliance With Sarbanes-Oxley Requires Formal Ethics Training: Are You Doing It? This paper focuses on the business environment post Sarbanes-Oxley Act of 2002 (SOX). The premise of this paper is that after decades of an eroding of regulations to prevent corporate and personal self-serving behavior, the legislation of the Sarbanes-Oxley Act of 2002 (SOX) is not enough to prevent unethical behavior. Kohlberg's moral development theory states that cognitive ethical reasoning becomes more complex as one matures and gains cognitive processes. This paper assumes anyone with lower-order ethical reasoning is not able to process higher-order ethical reasoning. The theory is another indication that high ethical standards exhibited today do not guarantee the same standards tomorrow.
Going-Private Decisions and the Sarbanes-Oxley Act of 2002: A Cross-Country Analysis This paper investigates whether the regulatory regime created by the Sarbanes-Oxley Act of 2002 (SOX) has driven firms in general, and small firms in particular, out of the public capital market. Previous attempts to address this question have had difficulty controlling for other factors that could have affected exit decisions around the enactment of SOX. To address this difficulty, the authors examine the post-SOX change in the propensity of public American target firms to be bought by private acquirers rather than public ones with the corresponding change for foreign target firms, which were outside the purview of SOX. The findings are consistent with the hypothesis that SOX induced small firms to exit the public capital market during the first year of its enactment.
The Sarbanes-Oxley Act and Firms' Going-Private Decisions This paper investigates firms' going-private decisions in response to the passage of the Sarbanes-Oxley Act of 2002 (SOX). The Act has the potential to bring both benefits, in terms of more transparent disclosure and improvement in corporate governance, and costs, in terms of complying with the new regulation. It argues that firms go private in response to SOX only if the SOX-imposed costs to the firm exceed the SOX-induced benefits to shareholders, and this difference swamps the net benefit of being a public firm prior to the passage of SOX.
What Does Sarbanes-Oxley Mean for Ore Reserve Reporting The United States Congress signed the Sarbanes Oxley Act (SOX) into law on July 30, 2002, "To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes." SOX was in response to accounting and corporate governance scandals in the United States and was the most comprehensive federal securities legislation in recent history and the most comprehensive ever for corporate governance. SOX is intended to improve the quality and reliability of financial information in the United States through more oversight and compliance in the financial process.
Easing Sarbanes-Oxley Compliance by Giving Business Users Control Over Their Data The Sarbanes-Oxley Act (SOX) of 2002 is one of the top priorities at US-based public companies today. In companies that have implemented SAP, one of the most common open SOX audit issues is that users in the IT departments have very broad access to production data in SAP. Therefore, companies are finding that they have to take many data access privileges away from IT users. This has severely limited the ability of IT support staff to assist in routine data maintenance activities. Thus, there is a pressing need at many companies for business users to be responsible for their own production data maintenance activities. This paper describes how companies can give the business users control of their own data, and ease their compliance to the SOX.
Information Control With Sarbanes-Oxley: Is Your Business Compliant?
This white paper discusses the role of security and record retention within the context of the Sarbanes-Oxley Act, and the steps businesses must consider to ensure compliance. The sections of the Act relevant to security and record retention are reviewed, followed by company interpretations and their actions related to compliance.
The Effects of Sarbanes-Oxley on the Public Accounting Industry
The Sarbanes-Oxley Act of 2002 was intended to improve corporate governance and increase the transparency of financial audits. The legislation also could have significant effects on the public accounting industry. This study finds evidence of higher audit fees across all firms resulting from compliance with the law. However, after accounting for self-selection of auditors, the authors do not find evidence that the size of the audit firm affects the magnitude of the audit fee increase.
An Unfair Burden or Economic Darwinism?: The Impact of Sarbanes-Oxley Section 404 on Smaller Public Companies
The crumbling of Enron from within severely damaged investor confidence in US capital markets. The Sarbanes-Oxley Act (SOX) tightened the regulation of publicly traded companies in an effort to restore investor confidence. Signed into law in July 2002, SOX motivated both managers and auditors to do more work to ensure that the information contained in financial statements is accurate. As a consequence, managers have to reevaluate their accounting practices before subjecting those practices to the additional scrutiny required by SOX. Specifically, Section 404 of SOX has required publicly held companies to incur substantial costs documenting and testing the mechanisms they employ to prevent, detect and correct accounting errors (whether intentional or unintentional) before these errors appear in published financial statements.
Sarbanes-Oxley and Incentive Compensation Management
The Sarbanes-Oxley Act (better known as SOX, but officially known as the Public Company Accounting Reform and Investor Protection Act of 2002) requires companies to establish and maintain internal financial controls. One of the major provisions of SOX is that systems need to provide an archive or audit trail, which is something that spreadsheets simply weren't designed to do. As a result, companies that still use Excel for their sales compensation management functions face major financial and legal exposure.
Automating Sarbanes-Oxley Compliance Testing for SAP Applications
The Sarbanes-Oxley Act of 2002 changed the way publicly held companies manage and, more importantly, control their business. For most companies, the most costly aspect of the legislation is Section 404, which includes the requirement for both internal management and an external auditor to report on the adequacy of the company's internal controls over financial reporting. This paper provides an overview of the compliance automation opportunity, how to validate the time and cost savings associated with this approach, and the process for implementing an optimal automated compliance environment.
SEC Rule 17A-4
Compliance: SEC 17a-4/NASD 3010/3110
In the wake of the 1928 stock market crash and the uncovering of widespread securities fraud, the U.S. Congress enacted the Securities Exchange Act of 1934. The Act seeks to protect investors from fraudulent or misleading claims in the securities industry and requires extensive record keeping, reviewing and auditing by independent auditors, and administration of financial transaction records. NASD 3010/3110 are part of comprehensive regulations enacted and enforced by the National Association of Securities Dealers on behalf of more than 5,000 registered financial institutions and investment funds. All aspects of the SEC and NASD regulations are effective today.
The Case for Document Management
Are you asking how to avoid court-imposed sanctions? Are you wondering how to keep the escalating costs of electronic and paper discovery to a minimum?
Whether the objective is to handle litigation, deliver new contracts, or projects, companies today need solutions that promote teamwork. However, common bottlenecks inhibit many organizations from achieving their peak performance:
Risk imposed by compliance regulations and corporate guidelines
Quality problems and delivery delays caused by inefficient processes
Lack of coordination between external partners, vendors, parties and clients
Difficulties in capturing, finding, and leveraging organizational knowledge
The ViewWise Document Management Solution can help your organization address compliance and eDiscovery efforts. Computhink's ViewWise was created to assist organizations by helping to eliminate the content burden that surrounds most offices today.
ViewWise does this by helping organizations with access, archiving, storage, security, workflow and tracking of Electronic Content, while providing simple options for scanning, integrating, importing, and classifying.
Getting ahead of security issues, compliance regulations and IT processes
It can be difficult to ensure the confidentiality and integrity of your critical data with customers demanding 24/7 secure access to their data and regulators applying pressure on your business. In this Risk, Compliance and Security e-Kit for Financial Institutions, you'll learn about IBM security solutions that proactively protect against worms, viruses and other threats.
The kit includes a Tower Group white paper on the need for stronger consumer banking authentication, a study about innovative solutions for identifying, measuring and optimizing operational risks, and an ISS case study about staying on top of new vulnerabilities, plus six other reports on preventive security solutions.
CIO Strategies for the Retention and Deletion of Email
With new regulations and the recent changes to the Federal Rules of Civil Procedure, legal departments are turning to IT leadership to manage retention, deletion, search and recovery of email and other Electronically Stored Information (ESI).
CIOs must track billions of email messages, database records and desktop files, know where they are, ensure they are secure, delete them on schedule, and be able to produce them as required.
How does an organization ensure a successful retention strategy? This whitepaper provides CIOs with useful information about litigation issues surrounding email and ESI as well as information on how to define and implement a retention and deletion strategy.
Also included is an overview of MessageOne's on-demand EMS Email Archive service, the first SaaS archiving solution capable of painlessly solving email retention, deletion, search and e-Discovery challenges.
What Can 2007 Teach Us About 2008?
2007 was a tumultuous year for U.S. businesses and employees, filled with extreme highs and disappointing lows. Private equity garnered nearly $400 billion in mega deals in merely six months, and news of multiple billion-dollar acquisitions (Chrysler, Alltel and CKX) illustrated a trend of public companies going private. However, financial markets soon shifted and companies felt the backlash. Lenders scrutinized borrowers with tougher standards, limiting access to capital.
After several months of market volatility, market direction remains unclear. We face a Catch-22: business leaders are conservative in making projections as they look for a cue from the markets, and the markets look for a cue from business leaders regarding new initiatives.
Each month, Tatum, LLC surveys its financial and technology executives regarding current business conditions and economic trends. With nearly 1,000 executives serving companies of all sizes across a broad base of industries in every geographic region of the United States, the Tatum Survey of Business Conditions takes a representative pulse of business activity. This document contains results and analysis from Tatum's Survey of Business Conditions from May through December 2007. Survey topics include private equity, M&A, regulatory compliance and reporting, and financial executive pressures.
Trust and Competitive Advantage: An Integrated Approach to Governance, Risk Management and Compliance
Burned by Enronesque accounting scandals, investors and governments are imposing rigorous reporting requirements to keep companies on the straight and narrow.
These reactions are a symptom of a fundamental force in the economy: a crisis of trust among stakeholders of corporations. Stakeholders are not only a company's shareholders, but also customers, employees, business partners and communities, and in recent years their trust has been profoundly shaken. Naturally, they are now trying to protect themselves, often via legislation.
Data Quality, Compliance, and Risk for Financial Institutions
Poor data quality is endemic in most financial institutions, with risk managers frequently citing a lack of clean, high-quality data as the biggest inhibitor to achieving their risk management and regulatory compliance objectives.
To combat the problem, Informatica offers data quality scorecarding capabilities, a metrics-driven approach to measuring, tracking and reporting on data quality defects. Read this white paper to learn more about it.
An Integrated Approach to Managing Governance, Risk, and Compliance
Given today's highly regulated environment, how can you control risk, drive performance, and inspire greater stakeholder confidence? To address these requirements, forward-thinking organizations are moving toward an integrated program of governance, risk, and compliance (GRC) management.
Download this SAP white paper to learn about a GRC approach that can help you confidently address all regulatory- and business-related risks while lowering your overall cost of compliance.
Realtime Publishers: Understanding how privacy and government regulations affect email compliance
Email compliance is just one instance of the regulatory impact on IT operations. There are a number of privacy and corporate governance regulations that apply to email services, and the list of such laws is likely to grow. Fortunately, many regulatory requirements coincide with business requirements for security, business continuity, and operations management. Sound email management driven by business needs can go a long way toward compliance as well. This article examines some of the more well-known regulations that have an impact on email management practices, then explores the most effective way to comply with these regulations.
Policy and IT Controls Compliance Challenges and Solutions
Achieving compliance requires a set of methodologies and disciplines that give executives a better picture of the security of their enterprise and help them improve it. Written by Richard LeVine of Accenture, this white paper describes the benefits of compliance, the depth of work required to achieve it, and some powerful tools that increase the effectiveness of compliance efforts.
Webcast: Optimizing the Role of Compliance in IT Governance Efforts
In addition to addressing the growing number of internal and external regulations, compliance can play a key role in identifying risks and demonstrating the efficiency and effectiveness of IT. View this on-demand IBM Webcast to see examples of common control objective areas that are not only important for regulatory reporting, but for the optimization of IT governance efforts. Learn how Tivoli solutions can turn managing compliance requirements from a reactive burden into a strategic advantage.
Streamline to Success: The Real Mid-Market Experience: Banking
Community financial institutions, including retail and commercial banks, savings & loans, and credit unions, along with larger institutions and other commercial enterprises, continue to face increasing information security threats. Compounding these threats is an ever-increasing regulatory burden and focus from initiatives like Sarbanes-Oxley, Gramm-Leach-Bliley, the U.S. Patriot Act, PCI, etc. IBM is helping community financial institutions proactively defend against and respond to these various threats.
Access Archived Data in the Blink of an Eye
Are you faced with overloaded primary storage, long backup times, data retention mandates, and/or costly, time-consuming retrieval of archived data? This web presentation discusses the emerging need for active archiving and presents a unique network-attached archival solution for addressing new archival requirements. Topics covered include:
How archival storage requirements are changing.
Differences among current alternatives for archiving.
The business case for a dedicated archival tier to keep fixed content.
Benefits of an archival storage tier, e.g. freeing up primary storage.
How an all-in-one appliance can provide permanence, accessibility, portability, and protection for archival data.
Protected, Portable, Price/Performance for Permanent Online Archive
"One of the major reasons that companies are implementing disk-based archives is to lower their storage costs but still keep archive data online and easily accessible. However, moving data from disk to disk does not necessarily create a leap in lowering capital costs. PowerFile offers an interesting alternative approach to digital archiving worth evaluating....The PowerFile PSA actually provides customers with four tiers, including high performance NAS-based disk storage (Tier One), in-library DVD for lower cost online storage (Tier Two), onsite vaulted DVD (Tier Three) and offsite vaulted DVD for long term archival (Tier Four). The combination provides a compelling blend of price/performance, permanence, protection and portability."
Redefining the Data Archive: The Case for Active Archiving
Today, a certain category of data is growing in prominence: content that is fixed and historical, not dynamic, yet requiring online access as well as safe, permanent storage. For this type of content, hard disks are a costly option even if the purchase price were zero, and tapes are too cumbersome for rapid retrieval.
HIPAA
HIPAA and Sarbanes-Oxley Compliance With Sawmill
The Sarbanes-Oxley Act of 2002 (SOX) contains many provisions in response to recent corporate malfeasance. CEOs and CFOs now must certify financial reports and provide independent annual audits to prove that internal controls are maintained for financial reporting. In particular, the Public Company Accounting Oversight Board (PCAOB) has placed many requirements on public companies in the use of internal hardware and software, including information about how transactions are being made, who performs them and who has access to them.
Which Hospitals Are Complying With HIPAA: An Empirical Investigation of US Hospitals
Since the passage of HIPAA regulation, US hospitals have gone into high gear, investing organizational resources in HIPAA policies and procedures, information technologies, and information privacy and security safeguards to achieve compliance status by the enforcement dates. Yet a recent industry report, conducted after the HIPAA enforcement deadlines, presents a bleak picture of HIPAA compliance, raising concerns for the privacy and security of patient data as well as the transactional efficiency of hospitals. Drawing on the organizational sociology and organizational behavior literature, the paper examines the propensity of hospitals to be fully compliant with the privacy, security and transaction rules of HIPAA.
HIPAA Compliance: An Examination of Institutional and Market Forces
One would think that the enactment of HIPAA, with its mandates on data security and privacy, would have brought a major shift in security management practices within US healthcare. Unfortunately, recent industry reports indicate low levels of regulatory compliance, thus raising security concerns for the US health IT infrastructure. This research develops a regulatory compliance model by drawing insights from the institutional theory literature to identify the key drivers influencing HIPAA compliance, both institutional and market forces (e.g., variability in the comprehensiveness of state-level privacy laws, interdependency between privacy and security rules, pressure from compliance leaders in the region, the compliance officer's functional background, and consumer concern for privacy).
Novell Case Study: Enloe Medical Center
Enloe Medical Center is a 391-bed hospital serving more than 400,000 residents in a six-county region in Northern California. Physicians and clinicians at Enloe Medical Center were frustrated by having to remember multiple passwords to access patient care applications. The center implemented Novell SecureLogin to provide single sign-on access, reducing passwords by 85 percent and login times by 60 percent. The medical center also improved its ability to comply with increasingly stringent HIPAA requirements.
Protecting Patient Health Information in the HITECH Era: Security Challenges for Adopting Health Information Technology to Comply With HIPAA and the HITECH Act
The American healthcare system is getting a complete facelift thanks to incentives to adopt Health Information Technology introduced by the Health Information Technology for Economic and Clinical Health (HITECH) Act. Signed into law by President Barack Obama in February 2009, the HITECH Act is part of the American Recovery and Reinvestment Act. It is also part of the broader healthcare reform initiative championed by President Obama. That agenda includes a push for the adoption of interoperable data capture, storage and transmission protocols in healthcare systems. New health information technology is considered to be a vital step in the drive to reduce costs, gain efficiencies, and ultimately to improve patient care.
Supporting Compliance: A Network Approach
With the significant increase in compliance-related mandates put upon IT organizations today, Enterasys has written this white paper to explain its approach to supporting compliance through advanced policy-driven networking. Regulatory compliance and governance mandates are new and daunting issues for any IT organization. These requirements for compliance can come from outside the organization in the form of government legislation, such as HIPAA or Sarbanes-Oxley. They can also come from inside the organization in the form of governance edicts from executive management. In either case, the network infrastructure must play a role in supporting the often abstract requirements of compliance, while at the same time ensuring that the business objectives of the organization are still being met.
What Every CIO Needs to Know About HIPAA Compliance
Compliance with HIPAA is mandatory, and violators face up to $250,000 in fines and jail time of up to 10 years. HIPAA regulations are intended to protect such data as a patient's medical records and personal healthcare information. HIPAA affects organizations that transmit protected health information in electronic form (e.g. health plans, healthcare clearinghouses and healthcare providers). The law requires that healthcare organizations implement a wide variety of safeguards and security best practices in order to adequately protect customer data. Full compliance requires that these entities understand the threats and liabilities and take proactive measures to maintain reasonable and appropriate safeguards in three areas: administrative, physical and technical.
The HIPAA Effect: Considerations for Fundraising After the Health Insurance Portability and Accountability Act
Eight years after Congress passed the Health Insurance Portability and Accountability Act (HIPAA), professionals working in healthcare philanthropy have discovered that HIPAA was not the end of fundraising as they knew it. Initially, when HIPAA was enacted in 2000, there was great fear and uncertainty among healthcare providers and development officers. Reactions across the nation and among healthcare organizations varied widely: some predicted the end of healthcare fundraising, whereas other, more rational people viewed it as a manageable challenge.
In the Labyrinth of Regulatory Compliance or How Not to Be Afraid of HIPAA
This whitepaper covers email security and retention considerations for the healthcare industry, with a focus on the Health Insurance Portability and Accountability Act (HIPAA). It provides detailed information about the HIPAA rules as they relate to email transmission, as well as recommendations on how a healthcare organization can ensure that its messaging infrastructure is compliant with HIPAA.
LogRhythm and HIPAA Compliance
The Department of Health and Human Services (HHS) enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to ensure that personal information stored, accessed, or processed adheres to a set of guidelines or "Security Rules". These rules outline security measures that should be implemented to adequately secure all Electronic Protected Health Information (EPHI). The Secretary of Health and Human Services enforces this law. Non-compliance can lead to civil monetary penalties and public distrust.
HIPAA Privacy & Security Laws: Corporate Privacy, Information Security, and Employee Development
The HIPAA law allows workforce members to use patient information for treatment, payment or healthcare operations as defined by HIPAA and required by job responsibilities. The CHS Acceptable Use Policy IS.PHI 600.01 and Release/Review of PHI Policy PR.PHI 140.05, along with 22 other CHS policies, present specific guidance for protecting all forms of patient information: electronic, written, and oral.
Privacy and Security of NPI
This paper provides an outline of the privacy issues raised by clinicians in sharing NPI information. While the National Provider Identifier is a HIPAA regulation, the privacy and security issues discussed in this white paper are not limited to HIPAA privacy and security. The concerns clinicians have raised about the release of information are framed in the context of identity theft.
Meeting HIPAA Compliance With EventTracker
There are a number of steps a healthcare provider must undertake to meet the Technical Safeguards mandated in the Security Rules of Title II (Administrative Simplification) of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA calls for tightly controlling and monitoring access to confidential patient information, and specifically calls out event logs as an important vehicle to meet compliance. This paper describes how EventTracker from Prism Microsystems, Inc. can be used as the key component for managing the collection, storage and analysis of enterprise event log data. With EventTracker, a healthcare provider or related business can be confident it has the solution in place to help effectively meet audit requirements.
Erie County's Human Services Department Turns to ZixCorp
The Human Services Department of Erie County, Pennsylvania needed email encryption to send Protected Health Information (PHI) and other sensitive data pertaining to its constituents. Erie County deployed ZixCorp's Email Encryption Service, which was easy to install and maintain and provides a HIPAA lexicon plus the ability to create its own policies.
Protecting Patients' Personal Data
For more than 60 years, Robert Wood Johnson University Hospital Hamilton (RWJ Hamilton) has provided top-notch health care to communities within a five-county area of New Jersey. It needed email encryption to send Protected Health Information (PHI) and other sensitive data pertaining to its patients. The hospital deployed ZixCorp's Email Encryption Service, which provides a HIPAA lexicon plus the ability to create its own policies.