No matter what an enterprise’s major market is, it is probably subject to regulatory compliance requirements, such as PCI, SOX, FISMA and HIPAA. PCI requirements in particular demand a high level of auditability and controls. What’s more, regulatory agencies are cracking down with stiff penalties. For example, the Department of Health and Human Services’ Office for Civil Rights has levied penalties in its six resolution agreements for 2015 totaling about $6 million.
This trend is unlikely to slow down or reverse, so it’s important to be aware of the primary threats that could undermine compliance efforts. The top three such issues are discussed below.
Privileged access management (PAM) will continue to be a compliance nightmare. In fact, privileged and logical access controls continue to cause the most audit infractions. One of the main reasons for this is the fact that more companies are outsourcing tech support, and more companies are employing remote workers. Both of these groups must be granted remote access to an organization’s production environment and highly sensitive information in order to do their jobs. This access also includes machines talking to other machines in an automated fashion.
Though third-party access is necessary within the enterprise, managing this access often comes as an afterthought in the organization’s overall security strategies and postures. The 2014 U.S. State of Cybercrime Survey revealed some dangerous trends on this topic:
- 70 percent of enterprises enter into contracts with external vendors without having conducted any security checks
- Only 44 percent of enterprises put forth the effort to vet the security of third-party providers and others in their IT supply chain
Third-party and vendor contract agreements may help companies enforce better security and privacy controls, but these agreements do not necessarily exempt organizations from accountability and responsibility in the event of a security breach.
HIPAA/HITECH can be described as Sarbanes-Oxley (SOX-404) on steroids. Organizations may have to comply with PCI, FISMA, SOX, BASEL III or other regulations, but none of these are a match for the HIPAA/HITECH tidal wave in terms of severity. The U.S. federal government (Health and Human Services, Office for Civil Rights) is more active than ever in enforcing this law and is levying harsher fines with greater frequency for noncompliance.
Auditors are concentrating their firepower on the areas that healthcare providers have failed at most often in the past and are levying massive fines for noncompliance. Targeted areas include:
Organizations will need to be cautious about ensuring that any business or market expansion into an area covered by HIPAA is adequately compliant to avoid being hit with heavy fines.
Sarbanes-Oxley (SOX) requires public companies in the U.S., as well as foreign companies listed on U.S. exchanges, to assess their internal controls, have that assessment validated by an external auditor and report the assessment to the SEC. Information security professionals need to ensure that their organization complies with the requirements in Section 302 and Section 404 of the legislation.
Sarbanes-Oxley (SOX-404) and internal controls remain the most critical items on the financial industry compliance horizon. Financial industry compliance challenges include annual financial and SSAE-16 audit requirements.