Compliance

The Criminal Justice Information System (CJIS) provides state, local, and federal law enforcement and criminal justice agencies with access to centralized information such as fingerprint records, criminal histories, and sex offender registrations. In order to prevent unauthorized access to this extremely sensitive information warehoused in the CJIS, a Security Policy was enacted on January 1, 2011 that set forth minimum requirements for securing access to CJIS data. The policy requires “Advanced Authentication”, or multi-factor authentication, to be used by all users accessing CJIS data from a remote location. The deadline for compliance is September 30, 2013.

The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide information security standard assembled by the Payment Card Industry Security Standards Council (PCI SSC). The standard was created to help organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise. The standard applies to all organizations which hold, process, or pass cardholder information from any card branded with the logo of one of the card brands.

The PCI DSS requirements explicitly require two-factor authentication for remote access to the merchant’s network as defined in requirement 8.3. The requirement states that merchants must implement two-factor authentication for remote access to the network by employees, administrators, and third parties.

The Federal Financial Institutions Examination Council (FFIEC) is an interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions. In 2001, the FFIEC issued a guidance entitled Authentication in an Electronic Banking Environment, which was subsequently updated in 2005 as Authentication in an Internet Banking Environment. The guidance took a strong stance in support of the deployment of stronger authentication methods, as well as fraud detection techniques, to protect customer identities and information during online banking transactions.

Created by the U.S. Department of Treasury (DoT) and the Federal Trade Commission (FTC), the Fair and Accurate Credit Transactions Act of 2003 (FACTA) requires financial institutions, banks or creditors that stores consumer accounts to develop and implement an Identity Theft Prevention Program in connection with both new and existing accounts. The Program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft. The legislation was enacted in November 2007 and its deadline for compliance with the Red Flag Rules was November, 2008.

The Health Insurance Portability and Accountability Act was enacted by the United States Congress and signed by President Bill Clinton in 1996. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.

The Technical Safeguards section requires covered entities to control access to computer systems and to protect communications containing Electronic Protected Health Information (EPHI) transmitted electronically over open networks (i.e. remote access) from being intercepted by anyone other than the intended recipient.

It is generally recognized that strong authentication is required for remote access to systems and networks containing health data.

The Sarbanes Oxley Act of 2002, also known as the 'Public Company Accounting Reform and Investor Protection Act' and 'Corporate and Auditing Accountability and Responsibility Act', and more commonly called Sarbanes–Oxley, Sarbox or SOX, is a United States federal law that set new or enhanced standards for all U.S. public company boards, management and public accounting firms.

Under Section 404 of the Act, management is required to produce an "internal control report" as part of each annual Exchange Act report. The report must affirm "the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting". The report must also "contain an assessment, as of the end of the most recent fiscal year of the Company, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting." To do this, managers are generally adopting an internal control framework such as that described in COSO.

The reality of the Sarbanes-Oxley Act is that each public company needs to develop an individualized approach to reporting and compliance.

Deepnet security solutions can be used to help close a number of common gaps identified on the path to Sarbanes-Oxley Section 404 compliance.

• Secure Identity Management
• Identity provisioning
• Policy-based access control
• Strong authentication
• Data Protection & Integrity