
OS/400 Security Compliance Handbook

Week 2 - Compliance with What?

Last week we talked about the general definition of compliance and why laws and regulations mandating compliance are required. This week I’d like to discuss some details of the laws with which your company may need to comply.

A law that appears to target a specific industry may still affect your company. Take the Health Insurance Portability and Accountability Act (HIPAA), for example. HIPAA appears to be aimed at the healthcare industry, but if you read the law you realize that retailers who operate in-house pharmacies or ophthalmology departments also fall under HIPAA. How do you know whether a bill or requirement applies to your organization? Read the bill or requirements yourself and have your organization’s legal department do the same. Don’t take someone else’s word for it – including mine! The only way to know for sure is to research the issue. That’s why we provide links to many laws and requirements from the SkyView website – so you have easy access to this type of information.

U.S. states – especially California – have jumped on the legislation bandwagon. California has at least three noteworthy laws that affect IT or application security designs:

Why pay attention to what’s happening in California? Because many California laws are later introduced into the U.S. Congress for consideration. In fact, it would not be surprising to see a version of the California breach notification law passed by Congress this year or next.

Let’s turn our focus to the rest of the world for a moment. Canada has its own privacy legislation, PIPEDA (the Personal Information Protection and Electronic Documents Act), which is overseen by the Office of the Privacy Commissioner of Canada. PIPEDA went into full effect in January 2004 and dictates how Canadian businesses collect, use and disclose personal information.

The UK has recently passed the “Companies Bill”. This Bill is very similar to the Sarbanes-Oxley Act (SOX) in that it was developed as a response to the Enron fiasco and addresses the requirement for companies to responsibly manage and accurately report on their financials. It is also similar to SOX in that it makes no direct reference to IT security, although the ability to accurately report a company’s financials certainly implies the need for it. Since there are no data security specifications in SOX or in the current version of the Companies Bill, it is up to the auditor to determine the exact IT security issues that must be addressed to achieve SOX compliance. Experiences from our SkyView clients range from a SOX auditor who totally ignored IT to one who crawled through every nook and cranny of the company’s IT environment, leaving no process or procedure unturned! Either approach is allowed under SOX: if the auditor is willing to sign off on the audit, SOX permits it. However, since the UK has a rich history of auditors requiring standards-based IT security implementations, we are hoping that a consistent set of IT data security items will emerge that auditors use to measure compliance with the Companies Bill.

All of the laws and regulations we’ve discussed so far have come from governments; however, perhaps the most far-reaching requirements we have seen are coming out of the payment card industry (PCI). To combat the cost and liability of identity theft from credit card information, the card brands (Visa, Visa International, MasterCard International, Discover and American Express) have jointly issued a statement that retaining cardholder information requires that certain IT security criteria be met. While this may look like a compliance issue for the retail sector, we believe these requirements may affect all sectors. Obviously, all retailers that accept credit cards are affected, but so is my chiropractor, because they accept credit cards, as do my health club, local utility company, hospital and many charitable organizations.

This discussion of laws and regulations may have left you feeling a bit “awash” in your compliance quest. So where do you start? What can you do to proactively prepare your organization for compliance issues, including the potential issues that may arise in your SOX audit? How can you improve the chance that your organization will be found in compliance? I believe the answer to these questions is to implement IT security best practices throughout your IT organization. While you may have to make specific accommodations for specific laws or requirements, a sound and solid security foundation based on best practices will allow you to comply with most if not all current legislation and requirements, and will position your organization to respond to new issues as they arise in the future.

The good news is that, of all the laws and regulations, I believe the payment card industry has most clearly articulated its requirements (unlike SOX!) and offers a good definition of security best practices. Over the next few weeks, we will take a closer look at these requirements along with a cross-section of the other laws and regulations, and discuss what constitutes security best practices for OS/400.

Carol Woodbury is President and co-founder of SkyView Partners. Carol has over 15 years in the security industry, 10 of those working for IBM's Enterprise Server Group as the AS/400 Security Architect and Chief Engineering Manager of Security Technology. Carol's second book is Experts' Guide to OS/400 and i5/OS Security.