Compliance


The following information is excerpted from Secure Computing's free educational whitepaper, Effective Corporate E-Mail Compliance, available for download in PDF format.

Understanding Regulatory Compliance Requirements

While many state and local jurisdictions have implemented laws intended to curb the flow of confidential information, three primary information privacy and security regulations have been passed by the United States Congress:
  • Health Insurance Portability and Accountability Act (HIPAA) - HIPAA was enacted to enable health insurance portability, fraud enforcement, and administrative simplification for the healthcare industry. Organizations that deal with confidential healthcare information must comply with the HIPAA regulations. This includes healthcare providers, health plans, healthcare clearinghouses and companies that provide group health insurance plans for employees. In addition, any business associates working on behalf of a covered entity such as accountants, auditors, attorneys, and consultants, must ensure that employee healthcare information is protected and kept completely confidential.
  • Gramm-Leach-Bliley Act (GLBA) - GLBA was enacted to enhance the privacy and security of non-public information (NPI) for consumers doing business with financial institutions such as banks, brokerage firms and other companies that maintain customer financial information.
  • Sarbanes-Oxley Act (SOX) - The most sweeping regulation of financial reporting for publicly traded companies since the establishment of the Securities and Exchange Commission, the Sarbanes-Oxley Act of 2002 was enacted to ensure the integrity of financial reporting. Enacted as a response to multiple highly visible instances of corporate fraud at companies such as Enron, the primary focus of SOX is requiring CEOs and CFOs to personally vouch for the accuracy of financial reports.
These three acts affect every business that communicates via e-mail, and provide stiff penalties for those organizations found to be out of compliance. Understanding these laws and the effects they have on your business communications is paramount to developing a successful corporate e-mail policy.

Protecting Intellectual Property and Personal Information

While complying with regulations put forward by the Federal government is critical to a successful communications strategy, equally important is the need to safeguard company secrets such as competitive analyses, product information, customer lists and communication between employees and business partners. Leaking this information to a competitor can be lethal to an organization's future, as any perceived competitive advantage can be lost instantly should proprietary information end up in the wrong hands.

Companies must protect two types of sensitive information against information leaks. The first is private information, which includes customer data, patients' medical files and records, as well as employee information and records. The second is confidential corporate information, consisting of business and marketing documents, intellectual property and financial information. With the rise in value of information, especially proprietary intellectual property, the loss of confidential information can have a devastating impact on an enterprise's business (and stock price), and may severely damage its image and its customers' trust.

Requirements for Effective E-Mail Compliance

Developing and enforcing a comprehensive corporate information security policy involves several steps, all of which must be followed to ensure that no protected information leaves the enterprise. From defining the policy to enforcing it and reporting on all non-compliant messages, a solution that skips any of the following steps will leave your organization open to potentially catastrophic violations:
  • Compliance Policy Definition - Now that the Federal policies surrounding information privacy and security are in place and strictly enforced, organizations must evaluate their current communications strategies to determine a) which laws apply to their particular business, and b) whether or not they are currently complying with the acts as they are written.
  • Detection of Regulated Material - Content scanning technologies are designed to identify protected information. Effective compliance solutions should contain regulation-specific, predefined dictionaries for HIPAA, GLBA and SOX. These dictionaries should be easily supplemented with additional terms supplied by compliance officers or e-mail administrators. Additionally, items that are considered sensitive information by an organization and normally expressed in a predetermined format, such as social security numbers, credit card numbers and phone numbers, or information in a format specific to an organization, such as patient identification data and account numbers, should be detected so that appropriate compliance enforcement actions can be taken.
  • Violation Prevention - While detecting compliance violations is an important first step to achieving compliance, detection alone is insufficient. Knowledge of a violation is essential, but stopping the violation before it ever leaves the gateway is imperative. To that end, any effective compliance solution should be deployed at the e-mail gateway, allowing compliance officers to rest assured that no messages will leave the organization without first passing through the compliance security solution. In addition, the solution must allow for automated handling of messages, whether the desired response is encryption, blocking, or queuing for review by an authorized compliance official. This ensures that the organization is not left exposed to employee error or malicious intent.
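The three steps above (policy definition, detection of regulated material, and automated prevention at the gateway) can be sketched as a single gateway filter. The following is an added example written for this page, not code from Secure Computing or its product; the dictionaries, identifier patterns, the partner domain list and the sample messages are all constructed, and a real deployment would use regulation-specific dictionaries rather than the handful of terms shown here.

```python
"""
Added example (not from the whitepaper): a minimal e-mail gateway compliance
filter. Step 1 defines the policy as dictionaries and patterns, step 2 scans
an outbound message body, step 3 picks the enforcement action (deliver,
encrypt, block, or queue for compliance review). All data is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Step 1: policy definition. Constructed, illustrative term lists keyed by
# regulation; compliance officers would extend these in practice.
DICTIONARIES = {
    "HIPAA": {"diagnosis", "patient", "medical record", "prescription"},
    "GLBA": {"account number", "routing number", "credit score"},
    "SOX": {"earnings restatement", "audit committee", "material weakness"},
}

# Sensitive items that follow a predetermined format.
PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # 13 to 16 digits, optionally separated; confirmed with a Luhn check below.
    "CREDIT_CARD": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),
    "PHONE": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
}

# Hypothetical domains: partners that can receive encrypted mail, and the
# organization's own domain (internal mail is outside this policy).
ENCRYPTION_PARTNERS = {"partner-bank.example"}
INTERNAL_DOMAIN = "corp.example"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that not every 16-digit number is treated as a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    category: str   # regulation name or identifier type
    match: str      # the term or value that triggered the finding


def detect(body: str) -> list[Finding]:
    """Step 2: scan message text against the dictionaries and format patterns."""
    findings: list[Finding] = []
    lowered = body.lower()
    for regulation, terms in DICTIONARIES.items():
        for term in terms:
            if term in lowered:
                findings.append(Finding(regulation, term))
    for name, pattern in PATTERNS.items():
        for m in pattern.finditer(body):
            value = m.group(0)
            if name == "CREDIT_CARD" and not luhn_ok(re.sub(r"\D", "", value)):
                continue     # digit run that is not a valid card number
            findings.append(Finding(name, value))
    return findings


def decide(recipient: str, findings: list[Finding]) -> str:
    """Step 3: enforcement action at the gateway.

    Returns one of 'deliver', 'encrypt', 'block' or 'quarantine'.
    """
    if not findings:
        return "deliver"
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain == INTERNAL_DOMAIN:
        return "deliver"
    categories = {f.category for f in findings}
    # Structured identifiers never leave the organization in the clear: encrypt
    # for a partner that supports it, otherwise stop the message at the gateway.
    if categories & {"SSN", "CREDIT_CARD"}:
        return "encrypt" if domain in ENCRYPTION_PARTNERS else "block"
    # Dictionary hits alone are noisier; hold them for a compliance officer.
    return "quarantine"


if __name__ == "__main__":
    msg = "Patient John's SSN is 123-45-6789"          # constructed sample
    hits = detect(msg)
    print([(f.category, f.match) for f in hits])
    print(decide("bob@mail.example", hits))             # block
    print(decide("bob@partner-bank.example", hits))     # encrypt
```

The Luhn check is what keeps the credit-card pattern from flagging every long digit string such as an order number; the dictionary hits go to quarantine rather than being blocked outright because a single word like "patient" is a weak signal on its own, and a reviewer, not the filter, should make the final call.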

Reporting

Unfortunately, compliance is not just about detecting and controlling certain types of content. Compliance also requires reporting and communication of compliance status and reporting of suspected compliance violations. Robust reporting capabilities allow administrators to easily access data in order to:
  • Analyze and improve the organization's compliance
  • Automatically deliver decision-making information to compliance officers in a timely manner
  • Easily generate instant reports for executives

Encryption

E-mail encryption can contribute to an organization's overall compliance efforts by applying e-mail policy at the gateway. Effective compliance solutions should be able to determine and use the appropriate type of encryption depending on the content and/or recipient of the message. By doing so, they overcome the complexity of public key encryption systems by making encryption transparent to end-users and automated for administrators. Compliance solutions that offer multiple options for encrypting e-mail ensure that business partners need not have a similar solution deployed. These solutions allow policies to be set that require e-mail sent to partners to be encrypted, and then specify the level of encryption, reducing the need for IT staff to manage multiple products. While each vendor will offer a different set of options for e-mail encryption, whichever solution you choose for your organization should offer several encryption techniques, including VPN technologies and both "push" and "pull" encryption methods.

© 2006 Secure Computing, Inc., All Rights Reserved.