Regulatory

Regulatory Checklist Regulation Industry Description Gramm-Leach-Bliley Act Financial Web Site Link & detailed description. Turnbull Report: Combined Code on Internal Controls in the UK (1999) Companies listed on London Stock Exchange Institute of Chartered Accountants in England and Wales code governing risk management and control processes, requiring annual review and documentation. Similar to regulations in the US with Board of Director involvement. Business contingency planning is referenced in the appendix. HCFA-0049-P Proposed Rule HIPAA regulations (scheduled for fall 2000) Healthcare including both caregivers and insurance Draft regulations covering electronic security and transmission of patient records. Documented, tested disaster recovery plan is required. ISO 9000, 9001, etc. (1994) Manufacturing Purpose is to determine elements of quality control systems, especially maintenance of records and verification standards. While business continuity planning is not required by statute, vendors report that records retention and data availability are issues with their customers, and that they are specifically asked about their plans. Paperwork Reduction Act (44 U.S.C. Chapter 35 1995) Federal Government Creates security plan for Information Resources requiring contingency planning Computer Security Act (1987) Federal Government Requires security plans for all federal computer systems to assure data integrity, availability, and confidentiality. FFIEC SR97-16 (SPE) (May 1997) Banking and any related service providers Sets objectives for Year 2000 projects with testing and contingency planning recommendations. Includes audit questions. FFIEC FIL-67-97; Stronger wording on client/server environment replacement for FFIEC FIL 82-96 Banking and any related service providers Board of Directors is responsible for ensuring that a comprehensive business resumption and contingency plan has been implemented, to encompass distributed computing and external service bureaus. Consumer Credit Protection Act (CCPA) section 2001 Title IX (1992) Cross-Industry Outlines Due Diligence for availability of data in Electronic Funds Transfers including Point of Sale. FEMA FRPG 01-94 1994 Federal Government and associated contractors All department and agency heads must formally plan for continuity of essential operations. Foreign Corrupt Practices Act (1977) Cross-Industry Management accountability through record keeping Comptroller of Currency BC-177 (1983, 1987) superceded by FFIEC Banking Amended since original in 1983; requires banking institutions to develop and maintain Business Recovery Plans Inter-Agency Policy from Federal Financial Institutions Examination Council (FFIEC - 1989, revised and made stronger 1997) Banking and any related service bureaus, includes credit unions Requires business wide resumption planning and extends regulation to require contingency plans from any service bureaus or outsourcing companies which service such banks. Federal Home Loan Bank Bulletin R-67 (1986) superceded by FFIEC Banking Follows intent of BC-177 IRS Procedure 86-19 Cross-Industry Legal backup and recovery requirements for computer records containing tax data. Fair Credit Reporting Act Credit Reporting Agencies Ensure credit information is accurate and up-to-date and available. Clinical Laboratory Information Act (1988) Healthcare Require protection of critical laboratory data JCAHO Accreditation Manual for Hospitals (1997) Healthcare Guidelines for information management established by JCAHO Various State Dept. of Administrative Services Policies, e.g., Texas, (1 TAC 210.13(b)), Oregon’s Dept. of Information Resources (ORS 291.038) State Government Policies assigning responsibility for contingency planning within state agencies. BS7799 Section 9 Pan European Industry British Standard Institute Code of Practice for Information Security Management. Requires Business Continuity Planning. GAO/IMTEC-91-56 Financial Markets: Computer Security Controls Financial Guidelines for stock markets

Info

 

Copyright © 2005 - 2009 - Tucson PC Tech, LLC