Regulatory Compliance & Governance
Recent events highlighting corporate misconduct combined with current and emerging legislation such as Sarbanes-Oxley, California SB 1386, State Breach Acts, Gramm-Leach-Bliley (GLB), and the Health Insurance Portability and Accountability Act (HIPAA), have company executives rethinking their approach to organizational governance. Increasingly, shareholders and government agencies are demanding greater regulatory accountability and management transparency.
In response, businesses are examining the implications of their overall corporate governance strategy, realizing that information security is not just a technical issue to be addressed by the Information Security Officer (ISO), but rather an enterprise-wide issue that must be acted upon by Executive Management, the Board, and General Counsel and then implemented and enforced across all levels of the organization. Allegheny Digital professionals understand that having strong governance and controls over your critical business processes and data is essential to protect your brand and market reputation. Further, information security and compliance weaknesses are also governance weaknesses that may lead to increased business risk and unintended exposure. This understanding provides A|D consultants with the opportunity to collaboratively assist our clients in identifying, implementing, and maintaining defensible controls to effectively manage corporate governance and strategic risk.
Allegheny Digital offers a number of regulatory compliance and governance services to meet key industry requirements or specific security challenges; we have deep experience in developing and implementing regulatory conformant programs specific to:
- Health Insurance Portability and Accountability Act (HIPAA) - Companies and others who use health care information should be prepared to deal with substantive changes for health care privacy and security in the years ahead. Subtitle D of the Health Information Technology for Economic and Clinical Health (HITECH) Act dramatically modifies the applicability of the security and privacy regulations that govern health-related information, as previously promulgated under HIPAA. Allegheny Digital can assist health care organizations with assessing and implementing administrative, physical and technical controls to govern protected healthcare information (PHI), meeting the regulatory specifications of HIPAA and protecting sensitive patient and customer data.
- Gramm-Leach-Bliley Act (GLBA) - GLBA addresses the security and protection of non-public financial information (NPI) and applies to domestic banking, securities, and financial services organizations. Covered institutions must comply with the security and privacy safeguard provisions described in the GLB Act, requiring financial entities to document their security plan, perform risk assessments, implement reasonable and appropriate safeguards, and regularly report progress and governance to key stakeholders. A|D helps our clients achieve GLBA conformance by assessing implemented GLB practices, conducting technical and physical security reviews of the controls governing NPI, evaluating incident response procedures, and assessing management's accountability.
- Critical Infrastructure Protection (CIP) - Critical infrastructures are the complex and highly interdependent systems, networks, and assets that provide the essential services that our society depends on, yet quite often, largely ignores – but not A|D. Our security professionals can help you address Homeland Security, Department of Energy (DOE) and NERC driven cyber security risks, helping your organization understand the interrelated technology, infrastructure, and governance challenges to control system and operations security.
- Red Flags Rule - In effect since January 1, 2008, the Red Flags Rule requires covered institutions to implement a written Identity Theft Prevention Program designed to detect the warning signs – or “red flags” – of identity theft in their day-to-day operations, employ controls to prevent the crime, and mitigate the damage inflicted should an exposure occur. The Federal Trade Commission (FTC) has delayed enforcing the Red Flags Rule until May 1, 2009. Is your organization adequately prepared? Allegheny Digital can help you create and implement a Red Flags Rule conformant identity theft prevention program to enhance your existing control posture while meeting compliance demands.
- Payment Card Industry Data Security Standard (PCI DSS) - Cardholder data and sensitive information theft continues to plague organizations large and small. PCI DSS compliance represents a prudent measure in the data protection lifecycle, but it should not be an organization's only line of defense. Allegheny Digital has experience working with and developing world-class regulatory and data-driven compliance programs; we understand what constitutes defensible information protection and risk-based governance, regardless of the legislative acronym. Our team can help you develop and maintain a PCI DSS conformant security program, one that provides demonstrable compliance while instilling confidence in existing stakeholders, prospective clients, business partners and customers.
- Information Security Governance Program Development - Vendor supply chains are often composed of domestic and multinational organizations fulfilling point-in-time needs yet potentially exposing the business to a myriad of global regulations. As such, companies are looking for governance solutions that are internationally recognized and supported. The ISO/IEC 27000 family of standards is acknowledged as the ‘de facto’ framework for building an effective information security management program. ISO/IEC 27001:2005 certification demonstrates comprehensive and verifiable information security management to corporate executives, customers, and supply chain partners. Our team of certified professionals has the knowledge, skills, experience, tools and techniques to design and implement an information security management system (ISMS) that can be put forward for formal certification in accordance with ISO/IEC criteria, or simply deployed as a best-practice methodology to evaluate, implement, maintain and manage information security governance.
- Unified IT Compliance - Far too often, corporate compliance and governance initiatives occur in ‘silos’ with limited inter-organizational communication and executive visibility. A|D assists our clients with creating a harmonized control framework that links various, often disparate IT compliance initiatives, providing management with the insight they need to more effectively implement, monitor, and optimize existing control environments.
- Vendor Management - Utilizing external vendors to perform business functions can benefit organizations in a wide range of ways, including improved efficiency and cost reductions. However, providing third-party access to confidential information can lead to substantial risks and potential liability exposure. We can assist you with building a consistent control framework and testing program to manage, assess, and monitor third-party risks to the confidentiality, integrity and availability of sensitive information – developing a sustainable program that leverages automated safeguards to enforce security and privacy obligations and prevent the unauthorized disclosure, misuse, alteration, or destruction of confidential data.
A|D recognizes that compliance requirements can range from domestic legislation such as HIPAA and GLBA to international regulatory demands driven by the EU Data Protection Directive, PIPEDA, and others. Whether your information security compliance and governance objectives are based on ISO/IEC, ITIL, NIST, Common Criteria, or your own proprietary methodology, we are here to help you conform to industry-specific regulations and protect your critical information assets.
If you would like to learn more about how our Regulatory Compliance and Governance Services can help your organization, please .