Services Contact
services@nci.ca | 905.607.9777
regulatory compliance
Does your organization do business in the United States? Are you compliant with legislated requirements? Are you familiar and compliant with new Canadian laws?
Regulatory compliance requires that an organization have the necessary safeguards and processes defined by the regulation in place. In addition, organizations must prove and certify their compliance through regular questionnaires and audits. Failure to comply and/or pass an audit can lead to fines and restrictions. It can also lead to lost business and loss of consumer confidence.
NCI can:
- Help you understand the requirements of the legislation and what you need to do to comply;
- Assist with self-assessment questionnaires and Network Scan validation actions;
- Educate you on what tools may be available to assist with the compliance process.
PIPEDA – Personal Information Protection and Electronic Documents Act is a Canadian law
PIPEDA protects personal information that is in the hands of private sector organizations. It provides guidelines for the collection, use and disclosure of that information in the course of commercial activity. NCI works with clients to understand how PIPEDA applies to them and what safeguards can be put into place. For example, data encryption is one component of most PIPEDA compliance solutions, since personal information must be stored securely.
SOX – Sarbanes-Oxley Act: Financial reporting legislation for those companies who do business in the U.S.
Compliance with SOX has an impact on IT systems wherever they affect financial reporting, and involves the following areas (in synopsis):
- Risk Assessment: IT management must assess and understand any risks that may impact the completeness or validity of the company's financial reports.
- Control Environment: Providing an environment in which employees take ownership of the success of their projects will encourage them to escalate issues and concerns. Employees should cross-train to better understand the entire technology lifecycle.
- Control Activities: Design, implementation and quality assurance testing teams need to be independent. The organization needs to document usage rules and create an audit trail for each system that contributes financial information.
- Monitoring: Auditing processes and schedules should be developed to address the high-risk areas within the IT organization. Management must clearly understand and be held responsible for the outcome of these audits.
- Information and Communication: IT management must demonstrate to company management an understanding of what needs to be done to comply with Sarbanes-Oxley and how to get there.
PCI DSS – Payment Card Industry Data Security Standard
This requires businesses, online merchants, and Service Providers to protect credit cardholder information. The standard was developed by the founding payment brands of the PCI Security Standards Council, including MasterCard, Visa, American Express, Discover and JCB, to help facilitate the broad adoption of consistent data security measures on a global basis.
To validate compliance, merchants and service providers, regardless of credit card transaction volume, must complete:
- Network Scan – quarterly, performed by an approved scanning vendor against externally facing systems
- Self-Assessment Questionnaire – annually
The exact validation requirements depend on the merchant or service-provider level assigned by the card brands; the highest-volume merchants must undergo an annual on-site assessment by a qualified assessor rather than completing a self-assessment questionnaire.
Proof of compliance by both merchants and service providers must be documented and submitted to their acquiring banks. Failure to comply can lead to fines, restrictions, or permanent expulsion from the card program. Compliance builds a sense of security that benefits all parties.
