Category: Compliance Programs

What Is Your Scope of Compliance?

Unified Compliance Framework  put together this list of compliance requirement and regulatory schemes that may need to be part of your compliance program.

Below is a long list of regulatory schemes that may need to be part of your compliance framework:

Sarbanes Oxley Guidance

  • Sarbanes-Oxley Act (SOX)
  • PCAOB Auditing Standard No. 2
  • AICPA SAS 94
  • AICPA/CICA Privacy Framework
  • AICPA Suitable Trust Services Criteria
  • Retention of Audit and Review Records, SEC 17 CFR 210.2-06
  • Controls and Procedures, SEC 17 CFR 240.15d-15
  • Reporting Transactions and Holdings, SEC 17 CFR 240.16a-3
  • COSO Enterprise Risk Management (ERM) Framework
  • OMB Circular A-123 Management’s Responsibility for Internal Control
  • Securities Exchange Act of 1934
  • Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control
  • PCAOB Audit Standard No. 3
  • PCAOB Audit Standard No. 5
  • SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
  • SAS 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained

Banking and Finance Guidance

  • Basel II: International Convergence of Capital Measurement and Capital Standards – A Revised Framework
  • BIS Sound Practices for the Management and Supervision of Operational Risk
  • Gramm-Leach-Bliley Act (GLB)
  • Standards for Safeguarding Customer Information, FTC 16 CFR 314
  • Privacy of Consumer Financial Information, FTC 16 CFR 313
  • Safety and Soundness Standards, Appendix of OCC 12 CFR 30
  • FFIEC IT Examination Handbook – Information Security
  • FFIEC IT Examination Handbook  – Development and Acquisition
  • FFIEC IT Examination Handbook   – Business Continuity Planning
  • FFIEC IT Examination Handbook   – Audit
  • FFIEC IT Examination Handbook   – Management
  • FFIEC IT Examination Handbook   – Operations
  • ACH (Automated Clearing House) Operating Rules OCC Bulletin 2004-58
  • Bank Secrecy Act (aka Currency and Foreign Transaction Reporting Act)
  • Check 21 (Check Clearing for the 21st Century) Act
  • FCRA (Fair Credit Reporting Act)
  • FDIC and FFIEC Guidance on Authentication in an Internet Banking Environment
  • FFIEC IT Examination Handbook – Outsourcing Technology Services
  • FFIEC IT Examination Handbook – Supervision of Technology Service Providers
  • FFIEC IT Examination Handbook – Wholesale Payment Systems
  • FFIEC IT Examination Handbook – Retail Payment Systems
  • FFIEC IT Examination Handbook – E-Banking

NASD NYSE Guidance

  • NASD Manual
  • Recordkeeping rule for securities exchanges, SEC 17 CFR 240.17a-1
  • Records to be made by certain exchange members SEC 17 CFR 240.17a-3
  • Records to be preserved by certain exchange members SEC 17 CFR 240.17a-4
  • Recordkeeping SEC 17 CFR 240.17Ad-6
  • Record retention SEC 17 CFR 240.17Ad-7
  • NYSE Listed Company Manual
  • Securities Act of 1933
  • Part II Securities and Exchange Commission 17 CFR Parts 210, 228, 229 and 240 Amendments to Rules Regarding Management’s Report on Internal Control Over Financial Reporting; Final Rule

Healthcare and Life Science Guidance

  • HIPAA (Health Insurance Portability and Accountability Act)
  • HIPAA HCFA Internet Security Policy
  • Introductory Resource Guide for HIPAA NIST (800-66)
  • CMS Core Security Requirements (CSR)
  • CMS Information Security Acceptable Risk Safeguards (ARS)
  • SYSTEM SECURITY PLANS (SSP) METHODOLOGY
  • CMS Info Security Business Risk Assessment
  • CMS Business Partners Systems Security Manual
  • FDA Electronic Records; Electronic Signatures FDA 21 CFR Part 11+D1

Energy Guidance

  • FERC Security Program for Hydropower Projects
  • North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards

Payment Card Guidance

  • PCI DSS (Payment Card Industry Data Security Standard) 1.1 [Redacted: Q3 07]
  • Payment Card Industry (PCI) Data Security Standard Security Audit Procedures 1.1 [Redacted: Q3 08]
  • Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures Version 1.2 [Released: Q4 08]
  • PCI DSS Security Scanning Procedures [Released: Q3 07]
  • Payment Card Industry (PCI) Payment Application Data Security Standard 1.1 [Redacted: Q3 08]
  • MasterCard Wireless LANs – Security Risks and Guidelines [Released: Q3 07]
  • Payment Card Industry Self-Assessment Questionnaire A [Released: Q4 07]
  • Payment Card Industry Self-Assessment Questionnaire B [Released: Q4 07]
  • Payment Card Industry Self-Assessment Questionnaire C [Released: Q4 07]
  • Payment Card Industry Self-Assessment Questionnaire D [Released: Q4 07]
  • VISA CISP: What to Do If Compromised [Released: Q3 07]
  • Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance No Electronic Storage, Processing, or Transmission of Cardholder Data Version 1.2 October 2008 [Released: Q4 08]
  • VISA Incident Response Procedure for Account Compromise [Released: Q3 07]
  • Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines or Stand-alone Dial-out Terminals Only, no Electronic Cardholder Data Storage Version 1.2 October 2008 [Released: Q4 08]
  • Visa Payment Application Best Practices (PABP) [Redacted: Q4 07]
  • Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage Version 1.2 October 2008 [Released: Q4 08]
  • VISA E-Commerce Merchants Guide to Risk Management [Released: Q3 08]
  • Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers Version 1.2 October 2008 [Released: Q4 08]
  • MasterCard Electronic Commerce Security Architecture Best Practices [Released: Q3 07]
  • American Express Data Security Standard (DSS) [Released: Q3 07]
  • BBB Online Code of Business Practices [Released: Q3 07]

US Federal Security Guidance

  • FTC Electronic Signatures in Global and National Commerce Act (ESIGN) [Released: Release 1]
  • Uniform Electronic Transactions Act (UETA) [Released: Release 1]
  • FISMA (Federal Information Security Management Act) [Released: Release 1]
  • FISCAM (Federal Information System Controls Audit Manual) [Released: Release 1]
  • FIPS 140-2, Security Requirements for Cryptographic Modules [Released: Release 1]
  • FIPS 191, Guideline for the Analysis of LAN Security [Released: Release 1]
  • FIPS 199, Standards for Security Categorization of Federal Information and Information Systems [Released: Release 1]
  • FIPS 200, Minimum Security Requirements for Federal Information and Information Systems [Released: Q3 07]
  • Clinger-Cohen Act (Information Technology Management Reform Act) [Released: Release 1]
  • DoD 5220.22-M, National Industrial Security Program Operating Manual [Released: Q3 07]
  • The National Strategy to Secure Cyberspace [Released: Release 1]
  • GAO Financial Audit Manual [Released: Release 1]
  • Standard for Electronic Records Management Software, DOD 5015.2 [Released: Release 1]
  • Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Reform Committee, United States House of Representatives [Released: Release 1]
  • CISWG Information Security Program Elements [Released: Q3 07]
  • Appendix III to OMB Circular No. A-130: Security of Federal Automated Information Resources [Released: Release 1]
  • NCUA Guidelines for Safeguarding Member Information, 12 CFR 748 [Released: Release 1]
  • CT-PAT Best Practices Guide [Released: Q4 07]
  • US Export Administration Regulations [Released: Q4 07]
  • US The International Traffic in Arms Regulations [Released: Q4 07]

US Internal Revenue Guidance

  • IRS Revenue Procedure: Retention of books and records, 97-22 [Released: Release 1]
  • IRS Revenue Procedure: Record retention: automatic data processing, 98-25 [Released: Release 1]
  • IRS Internal Revenue Code Section 501(c)(3) [Released: Release 1]

Records Management Guidance

  • Federal Rules of Civil Procedure [Released: Release 1]
  • Uniform Rules of Evidence [Released: Release 1]
  • ISO 15489-1, Information and Documentation: Records management: General [Released: Release 1]
  • ISO 15489-2, Information and Documentation: Records management: Guidelines [Released: Release 1]
  • The DIRKS Manual: A Strategic Approach to Managing Business Information [Released: Release 1]
  • The Sedona Principles Addressing Electronic Document Production [Released: Release 1]
  • 16 CFR Part 682 Disposal of consumer report information and records [Released: Q3 08]

NIST Guidance

  • Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14 [Released: Release 1]
  • Developing Security Plans for Federal Information Systems, NIST SP 800-18 [Released: Release 1]
  • Security Self-Assessment Guide, NIST SP 800-26 [Released: Release 1]
  • Risk Management Guide, NIST SP 800- 30 [Released: Release 1]
  • Underlying Technical Models for Information Technology Security [Released: Release 1]
  • Contingency Planning Guide for Information Technology Systems, NIST SP 800-34 [Released: Release 1]
  • Creating a Patch and Vulnerability Management Program, NIST SP 800-40 [Released: Release 1]
  • Guidelines on Firewalls and Firewall Policy, NIST SP 800-41 [Released: Release 1]
  • Recommended Security Controls for Federal Information Systems, NIST SP 800-53 [Released: Release 1]
  • Guide for Mapping Types of Information and Information Systems to Security Categories, NIST SP 800-60 [Released: Release 1]
  • Computer Security Incident Handling Guide, NIST SP 800-61 [Released: Release 1]
  • Security Considerations in the Information System Development Life Cycle, NIST SP 800-64 [Released: Release 1]
  • Guide for Developing Performance Metrics for Information Security, NIST SP 800-80 [Released: Q4 07]
  • Security Metrics Guide for Information Technology Systems, NIST SP 800-55 [Released: Q4 07]
  • Guide for Assessing the Security Controls in Federal Information Systems, NIST 800-53A [Released: Q3 08]
  • Performance Measurement Guide for Information Security, NIST 800-55 Rev. 1 [Released: Q4 08]

ISO Guidance

  • ISO 73:2002, Risk Management – Vocabulary [Released: Release 1]
  • ISO 17799:2000, Code of Practice for Information Security Management [Released: Release 1]
  • ISO 17799:2005 Code of Practice for Information Security Management [Released: Q1 08]
  • ISO 27001:2005, Information Security Management Systems – Requirements [Released: Q1 08]
  • ISO/IEC 20000-12:2005 Information technology – Service Management Part 1 [Released: Release 1]
  • ISO/IEC 20000-2:2005 Information technology – Service Management Part 2 [Released: Release 1]
  • ISO/IEC 15408-1:2005 Common Criteria for Information Technology Security Evaluation Part 1 [Released: Q1 08]
  • ISO/IEC 15408-2:2005 Common Criteria for Information Technology Security Evaluation Part 2 [Released: Q1 08]
  • ISO/IEC 15408-3:2005 Common Criteria for Information Technology Security Evaluation Part 3 [Released: Q1 08]
  • ISO/IEC 27002-2005 Code of practice for information security management [Released: Q1 08]
  • ISO/IEC 18045:2005 Common Methodology for Information Technology Security Evaluation Part 3 [Released: Q3 08]
  • ISO 13335-1:2004, Information technology — Security techniques — Management of information and communications technology security — Part 1: Concepts and models for information and communications technology security management [Released: Q1 08]
  • ISO 13335-3:1998, Information technology — Guidelines for the management of IT Security — Part 3: Techniques for the management of IT Security [Released: Q1 08]
  • ISO 13335-4:2000, Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards [Released: Q1 08]
  • ISO 13335-5:2001, Information technology — Guidelines for the management of IT Security — Part 5: Management guidance on network security [Released: Q1 08]

ITIL Guidance

  • OGC ITIL: Planning to Implement Service Management [Released: Release 1]
  • OGC ITIL: ICT Infrastructure Management [Released: Release 1]
  • OGC ITIL: Service Delivery [Released: Release 1]
  • OGC ITIL: Service Support [Released: Release 1]
  • OGC ITIL: Application Management [Released: Release 1]
  • OGC ITIL: Security Management [Released: Release 1]
  • CobiT 3rd Edition [Redacted: Release 1]
  • CobiT 4.1 [Released: Release 1]
  • ISACA IS Standards, Guidelines, and Procedures for Auditing and Control Professionals [Released: Release 1]
  • Disaster / Emergency Management and Business Continuity, NFPA 1600 [Released: Release 1]
  • ISF Standard of Good Practice for Information Security [Redacted: Release 1]
  • ISF Security Audit of Networks [Released: Release 1]
  • A Risk Management Standard, jointly issued by AIRMIC, ALARM, and IRM [Released: Release 1]
  • Business Continuity Institute (BCI) Good Practice Guidelines [Released: Release 1]
  • ISSA Generally Accepted Information Security Principles (GAISP) [Released: Release 1]
  • CERT Operationally Critical Threat, Asset & Vulnerability Evaluation (OCTAVE) [Released: Release 1]
  • The GAIT Methodology [Released: Release 1]
  • AICPA Incident Response Plan: Template for Breach of Personal Information [Released: Release 1]
  • IIA Global Technology Audit Guide (GTAG): Information Technology Controls [Released: Release 1]
  • The Standard of Good Practice for Information Security [Released: Q4 08]

US Federal Privacy Guidance

  • Cable Communications Privacy Act Title 47 § 551 [Released: Release 1]
  • Telemarketing Sales Rule (TSR), 16 CFR 310 [Released: Release 1]
  • CAN SPAM Act [Released: Release 1]
  • Children’s Online Privacy Protection Act (COPPA), 16 CFR 312 [Released: Release 1]
  • Driver’s Privacy Protection Act (DPPA), 18 USC 2721 [Released: Release 1]
  • Family Education Rights Privacy Act (FERPA), 20 USC 1232 [Released: Release 1]
  • Privacy Act of 1974, 5 USC 552a [Released: Release 1]
  • Video Privacy Protection Act (VPPA), 18 USC 2710 [Released: Release 1]
  • Specter-Leahy Personal Data Privacy and Security Act [Released: Release 1]
  • Amendments to the FTC Telemarketing Sales Rule [Released: Release 1]
  • Children’s Online Privacy Protection Act [Released: Release 1]
  • FACT Act (Fair and Accurate Credit Transactions Act of 2003) [Released: Q3 08]

US State Laws Guidance

  • Arkansas Personal Information Protection Act AR SB 1167 [Released: Release 1]
  • Arizona Amendment to Arizona Revised Statutes 13-2001, AZ HB 2116 [Released: Release 1]
  • California Information Practice Act, CA SB 1386 [Released: Release 1]
  • California General Security Standard for Businesses CA AB 1950 [Released: Release 1]
  • California Public Records Military Veteran Discharge Documents, CA AB 1798 [Released: Release 1]
  • California OPP Recommended Practices on Notification of Security Breach [Released: Release 1]
  • Colorado Prohibition against Using Identity Information for Unlawful Purpose, CO HB 1134 [Released: Release 1]
  • Colorado Consumer Credit Solicitation Protection, CO HB 1274 [Released: Release 1]
  • Colorado Prohibiting Inclusion of Social Security Number, CO HB 1311 [Released: Release 1]
  • Connecticut law Requiring Consumer Credit Bureaus to Offer Security Freezes, CT SB 650 [Released: Release 1]
  • Connecticut law Concerning Nondisclosure of Private Tenant Information, CT HB 5184 [Released: Release 1]
  • Delaware Computer Security Breaches DE HB 116 [Released: Release 1]
  • Florida Personal Identification Information/Unlawful Use, FL HB 481 [Released: Release 1]
  • Georgia Consumer Reporting Agencies, GA SB 230 [Released: Release 1]
  • Georgia Public employees; Fraud, Waste, and Abuse, GA HB 656 [Released: Release 1]
  • Hawaii Exempting disclosure of Social Security numbers HI HB 2674 [Released: Release 1]
  • Illinois Personal Information Protection Act IL HB 1633 [Released: Release 1]
  • Indiana Release of Social Security Number, Notice of Security Breach IN SB 503 [Released: Release 1]
  • Louisiana Database Security Breach Notification Law, LA SB 205 Act 499 [Released: Release 1]
  • Maine law To Protect Maine Citizens from Identity Theft, ME LD 1671 [Released: Release 1]
  • Minnesota Data Warehouses; Notice Required for Certain Disclosures, MN HF 2121 [Released: Release 1]
  • Missouri War on Terror Veteran Survivor Grants, MO HB 957 [Released: Release 1]
  • Montana bill to Implement Individual Privacy and to Prevent Identity Theft, MT HB 732 [Released: Release 1]
  • New Jersey Identity Theft Prevention Act, NJ A4001/S1914 [Released: Release 1]
  • New York Information Security Breach and Notification Act [Released: Release 1]
  • Nevada Security Breach Notification Law, NV SB 347 [Released: Release 1]
  • North Carolina Security Breach Notification Law (Identity Theft Protection Act) , NC SB 1048 [Released: Release 1]
  • North Dakota Personal Information Protection Act, ND SB 2251 [Released: Release 1]
  • Ohio Personal information – contact if unauthorized access, OH HB 104 [Released: Release 1]
  • Rhode Island Security Breach Notification Law, RI HB 6191 [Released: Release 1]
  • Tennessee Security Breach Notification, TN SB 2220 [Released: Release 1]
  • Texas Identity Theft Enforcement and Protection Act, TX SB 122 [Released: Release 1]
  • Vermont Relating to Identity Theft , VT HB 327 [Released: Release 1]
  • Virginia Identity theft; penalty; restitution; victim assistance, VA HB 872 [Released: Release 1]
  • Washington Notice of a breach of the security, WA SB 6043 [Released: Release 1]
  • § 1724 California Civil Code [Released: Q3 07]
  • Texas Business and Commerce Code, secs. 48.102, 48.103 [Released: Q3 07]
  • Minnesota Plastic Card Security Act (H.F. 1758 [Released: Q3 07]
  • California Personal Information: Disclosure to Direct Marketers Act (SB 27) [Released: Q3 08]

EU Guidance

  • EU Directive on Privacy and Electronic Communications, 2002/58/EC [Released: Release 1]
  • EU Directive on Data Protection, 95/46/EC [Released: Release 1]
  • US Department of Commerce EU Safe Harbor Privacy Principles [Released: Release 1]
  • Consumer Interests in the Telecommunications Market, Act No. 661 [Released: Release 1]
  • OECD / World Bank Technology Risk Checklist [Released: Release 1]
  • OECD Guidelines on Privacy and Transborder Flows of Personal Data [Released: Release 1]
  • UN Guidelines for the Regulation of Computerized Personal Data Files (1990) [Released: Release 1]
  • ISACA Cross-Border Privacy Impact Assessment [Released: Release 1]
  • Information Technology Security Evaluation Manual (ITSEM) [Released: Release 1]
  • Information Technology Security Evaluation Criteria (ITSEC) [Released: Release 1]
  • Directive 2003/4/EC Of The European Parliament [Released: Release 1]
  • EU 8th Directive (European SOX) [Released: Q4 08]
  • OECD Principles of Corporate Governance [Released: Q4 08]

UK and Canadian Guidance

  • Financial Reporting Council, Combined Code on Corporate Governance [Released: Q4 08]
  • Turnbull Guidance on Internal Control, UK FRC [Released: Release 1]
  • Smith Guidance on Audit Committees, UK FRC [Released: Release 1]
  • UK Data Protection Act of 1998 [Released: Release 1]
  • IT Service Management Standard , BS 15000-1 [Released: Release 1]
  • IT Service Management Standard – Code of Practice, BS 15000-2 [Released: Release 1]
  • British Standards Institute PAS 56, Guide to Business Continuity Management [Released: Release 1]
  • Canada Keeping the Promise for a Strong Economy Act, Bill 198 [Released: Release 1]
  • Canada Personal Information Protection Electronic Documents Act (PIPEDA) [Released: Release 1]
  • Canada Privacy Policy and Principles [Released: Release 1]
  • Canadian Marketing Association Code of Ethics and Standards of Practice [Released: Q4 08]

Other European and African Guidance

  • Austria Data Protection Act [Released: Release 1]
  • Austria Telecommunications Act [Released: Release 1]
  • Bosnia Law on Protection of Personal Data [Released: Release 1]
  • Czech Republic Personal Data Protection Act [Released: Release 1]
  • Denmark Act on Competitive Conditions and Consumer Interests [Released: Release 1]
  • Finland Personal Data Protection Act [Released: Release 1]
  • Finland act on the amendment of the Personal Data Act (986/2000) [Released: Release 1]
  • France Data Protection Act [Released: Release 1]
  • German Federal Data Protection Act [Released: Release 1]
  • IT Baseline Protection Manual Germany [Released: Release 1]
  • Greece Law on the Protection of Individuals with Regard to the Processing of Personal Data [Released: Release 1]
  • Hungary Protection of Personal Data and Disclosure of Data of Public Interest [Released: Release 1]
  • Iceland Protection of Privacy as regards the Processing of Personal Data [Released: Release 1]
  • Ireland Data Protection Act of 1988 [Released: Release 1]
  • Ireland Data Protection Amendment 2003 [Released: Release 1]
  • Italy Personal Data Protection Code [Released: Release 1]
  • Italy Protection of Individuals Other Subject with regard to the Processing of Personal Data [Released: Release 1]
  • Lithuania Law on Legal Protection of Personal Data [Released: Release 1]
  • Luxembourg Data Protection Law [Released: Release 1]
  • Netherlands Personal Data Protection Act [Released: Release 1]
  • Poland Protection of Personal Data Act [Released: Release 1]
  • Slovak Republic Protection of Personal Data in Information Systems [Released: Release 1]
  • Personal Data Protection Act of the Republic of Slovenia of 2004 [Released: Release 1]
  • South Africa Promotion of Access to Information Act [Released: Release 1]
  • ORGANIC LAW 15/1999 of 13 December on the Protection of Personal Data [Released: Release 1]
  • Sweden Personal Data Act [Released: Release 1]
  • Switzerland Federal Act on Data Protection [Released: Release 1]
  • German Corporate Governance Code (“The Code”) [Released: Q4 08]
  • The Dutch corporate governance code, Principles of good corporate governance and best practice provisions [Released: Q4 08]
  • The King Committee on Corporate Governance, Executive Summary of the King Report 2002 [Released: Q4 08]
  • Swedish Code of Corporate Governance; A Proposal by the Code Group [Released: Q4 08]

Asia and Pacific Rim Guidance

  • Australia Better Practice Guide – Business Continuity Management [Released: Release 1]
  • Australia Spam Act [Released: Release 1]
  • Australia Spam Act 2003: A practical guide for business [Released: Release 1]
  • Australia Privacy Act [Released: Release 1]
  • Australia Telecommunications Act [Released: Release 1]
  • Hong Kong Personal Data (Privacy) Ordinance [Released: Release 1]
  • Japan ECOM Guidelines Concerning the Protection of Personal Data in Electronic Commerce in the Private Sector (version 1.0) [Released: Release 1]
  • Japan Handbook Concerning Protection Of Personal Data [Released: Release 1]
  • Japan Personal Information Protection Act (Law No. 57 of 2003) [Released: Release 1]
  • Korea Act on Promotion of Information & Communication Network Utilization and Information Protection, etc [Released: Release 1]
  • Korea Act on the Protection of Personal Information Maintained by Public Agencies 1994 [Released: Release 1]
  • Korea Act Relating to Use and Protection of Credit Information [Released: Release 1]
  • New Zealand Privacy Act 1993 [Released: Release 1]
  • Taiwan Computer-Processed Personal Data Protection Law 1995 [Released: Release 1]
  • India Information Technology Act (ITA-2000) [Released: Release 1]
  • Australian Government ICT Security Manual (ACSI 33) [Released: Q3 08]
  • Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004 [Released: Q4 08]
  • Corporate Governance in listed Companies – Clause 49 of the Listing Agreement [Released: Q4 08]
  • CODE OF CORPORATE GOVERNANCE 2005 [Released: Q4 08]
  • Argentina Personal Data Protection Act [Released: Release 1]
  • Mexico Federal Personal Data Protection Law [Released: Release 1]

System Configuration Guidance

  • CI Security Persistent Identifiers [Released: Q3 07]
  • CI Security Solaris Benchmark v2.1 [Released: Q3 07]
  • CI Security Solaris Benchmark v1.3 [Released: Q3 07]
  • CI Security HP-UX Benchmark v1.3 [Released: Q3 07]
  • CI Security Red Hat Enterprise Linux Benchmark v1.0 [Released: Q3 07]
  • CI Security Red Hat Enterprise Linux Benchmark v1.0.5 [Released: Q3 07]
  • CI Security SuSE Linux Enterprise Server Benchmark v1.0 [Released: Q3 07]
  • CI Security Slackware Linux Benchmark v1.1 [Released: Q3 07]
  • CI Security AIX Benchmark v1.0 [Released: Q3 07]
  • CI Security FreeBSD Benchmark v1.0 [Released: Q3 07]
  • Defense Information Systems Agency UNISYS Security Technical Implementation Guide Version 7 Release 2 [Released: Q4 07]
  • Defense Information Systems Agency UNISYS Security Technical Implementation Guide Version 5 Release 1 [Released: Q4 07]
  • CI Security Windows XP Professional SP1/SP2 [Released: Q3 07]
  • Guidance for Securing Microsoft Windows XP Systems for IT Professionals, NIST SP 800-68 [Released: Q4 07]
  • NSA Guide to Security Microsoft Windows XP [Released: Q4 07]
  • CI Security Windows 2000 Professional [Released: Q4 07]
  • DISA Windows XP Security Checklist Version 6 [Released: Q1 08]
  • CI Security Windows 2000 Server [Released: Q3 07]
  • CI Security Windows Server 2003 [Released: Q4 07]
  • CI Security Windows 2000 [Released: Q4 07]
  • CI Security Windows NT [Released: Q4 07]
  • DISA Windows VISTA Security Checklist Version 6 [Released: Q1 08]
  • NSA Guide to Securing Microsoft Windows 2000 Group Policy [Released: Q4 07]
  • Center for Internet Security Mac OS X Tiger Level I Security Benchmark
  • Center for Internet Security Open Enterprise Server: NetWare (v1) Consensus Baseline Security Settings
  • Mac OS X Security Configuration for version 10.4 or later, second edition]
  • Microsoft Windows Vista Security Guide Appendix A: Security Group Policy Settings
  • DISA Windows Server 2003 Security Checklist Version 6
    DISA WIRELESS STIG BLACKBERRY SECURITY CHECKLIST, Version 5, Release 1.2
  • DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2

Researching the Federal Securities Law

sec-sealThe SEC has put together a collection of Researching the Federal Securities Laws Through the SEC Website.

This guide provides an overview of how to research the securities law through the SEC website and is provided as a service to investors and members of the public. It is neither a legal interpretation nor a statement of SEC policy. If you have questions concerning the meaning or application of a particular law or rule you should consult with an attorney who specializes in securities law. This guide does not address primary and secondary sources available in print or through other websites, other than those to which the SEC website links. The guide is organized by providing suggestions for the research of:

  • Statutes (the Securities Laws)
  • SEC Rules and Regulations
  • SEC Concept Releases
  • SEC Interpretive Releases
  • SEC Staff Interpretations

In general, you should conduct your research on the federal securities laws in the order prescribed above. This is because while the federal statutes and the SEC rules and regulations have the force of law, other SEC-issued documents vary in the degree to which they carry the force of law.

Managing Ethics and Compliance During a Recession

LRN hosted a webinar on Managing Ethics and Compliance During a Recession.

The panel consisted of:

  • Marjorie Doyle, Practice Leader, Solutions Management at LRN
  • David Greenberg, Executive Vice President of Knowledge at LRN
  • Debra Hennelly, President and Senior Adviser at Compliance & Ethics Solutions LLC
  • Adam Turteltaub, VP of Membership Development at The Society of Corporate Compliance and Ethics.

An ERC survey found that 60% of employees who feel pressured to do misconduct said “keeping their job” was a reason. As the economy sours, there seems more pressure to perform and to take shortcuts to achieve that performance. In times of economic stress, it is better to over-inform rather than under-inform.

How do you enlist support in your ethics and compliance program?

  • Make management aware that bad things happen more often when there is economic stress on the company.
  • First question a prosecutor will ask is: “What steps have you taken?” You do not want the answer to be: “We cut programs.”
  • Government is increasing pursuit of corporate wrong-doing. They just hired two new deputy chiefs.
  • People feel pressure to cut corners and make the numbers.

It is important to let people know the consequences of bad behavior. There are concrete remedies for badness. Also celebrate good behavior.

Highlight the non-retaliation policy. People are not going to make the call if they think they may lose their jobs. Silence is not good.

Obviously, compliance is not a profit center, so you need to be concerned when there are declining profits.

General Counsel as the Chief Ethics and Compliance Officer

Over at the Society of Corporate Compliance and Ethics bulletin boards there was a great deal of discussion about whether the CECO should hold a concurrent role as general counsel or whether the positions should be split. Here are a collection of reasons:

  • In some industries, including healthcare, the government has specifically stated that it does not believe that the compliance officer and general counsel roles should be filled by the same person or that the compliance officer should report to the general counsel.  This position occurs in “compliance program guidance” issued by the HHS Office of Inspector General. Daniel Roach
  • The role of compliance is to unearth issues and potential issues while they are still inchoate – not necessarily the same as the GC who is generally reactive and then not beyond the specific question presented. Emil Moschella
  • I think the joint role could affect the integrity of the attorney-client privilege.  If the roles are separate then I think the privilege is less assailable on the grounds that the hat being worn at the time the alleged protected information was received that the individual was wearing the hat of the compliance officer and not that of the GC. Emil Moschella
  • Many of the processes that the Compliance Officer (CO) may wish to review, may have been previously blessed by the office of the GC so that they may not get the fresh look of the compliance office would give it.  Independence of the compliance review is questioned. Emil Moschella
  • The compliance and ethics function is not the business of giving legal advice.  It is a management function that calls for good project management skills. It calls for a focus on ethics and compliance, when often lawyers focus on just the law.  Joseph Murphy

IT for GRC: Improving Information Quality

Carole Switzer, President of OCEG and Lee Dittmar, principal of Deloitte Consulting LLP presented this webinar.

There is an imperative to improve governance, risk management and compliance processes to better manage risk, address increasing regulatory requirements, increased executive accountability and the fragmentation of information. It is about getting the right information, to the right person, at the right time. (Isn’t that knowledge management too? )

What is the information problem?

  • Managers need to know, anticipate and respond quickly and correctly
  • Stakeholders expect reliable and transparent reporting
  • Time and resources are spent searching for data
  • Data overload
  • DINK – Data Is Not Knowledge

It is not about “check the box” compliance it is about improving your business.

Lee thinks governance, risk and compliance should be viewed comprehensively and leverage common systems. Integrated systems can help overcome silos. The key is a single source of the truth.

The goal is to get GRC embedded in the core processes. To be “in the flow” instead of “above the flow.”

Lee is seeing organizations adopting the business concepts of integrated GRC (even if they do not call it GRC).

Evolution of Compliance

I watched a recorded webinar presented Complinet: Compliance Evolution: Lessons Learned, Forgotten and Ignored. (March 13, 2008) Betsy Prout Lefler, the Deputy Director of Compliance at Piper Jaffray and Co. gave the presentation.

There are many different perspective on compliance and what compliance professionals do. In part because the role has changed very quickly.

At first is was only about procedures and monitoring designed to deter and deter violations of applicable laws and regulations. Now, compliance is involved in the CEO certification process, internal controls (SOX) and risk based reviews of company action.

Regulators originally gave little guidance on the role of compliance. Now compliance officers need to be involved in the SEC review process. Compliance officers need to understand not only the regulations, but also need to know the industry, the operations of the company and the products offered. CCO is not a risk manager and a strategist.

Betsy referred to the SIA 2005 Role of Compliance White Paper. This white paper tries to establish a model for compliance professionals thorughout the industry. She also notes that in 2003 the SEC began a formal approach to assessing a company’s culture of compliance.

What has caused evolution?

  • Regulatory changes – there are increasing number of regulations in the financial industry
  • Scandals – each scandal triggers more regulations and more concerns
  • Technology – more and more technology means more and more information

She things technology has made some of the biggest changes. Technology can be a compliance officer’s best friend. It is much easier to find and track issues and trends. Technology can help automate compliance. But technology can also be your worst enemy. There are lots of smoking gun emails. Technology can also automate non-compliance. Technology glitches can cause misstatements.

Don’t get stuck on “how we used to do it.” The role is evolving.

What are WIFs?

My notes from the EthicsPoint webinar on intake models and the value of web intake forms.  The presenter was Erin Watkinson a business solutions consultant at EthicsPoint.

A custom web intake form is a replacement for paper based forms. You can use the web to report on issues.

Reporting should encourage employees to first go to a supervisor and not go anonymously right away.

A custom WIF is a case intake mechanism for non-licensed users. Its a custom report form that you can brand and format as needed or desired. The WIF can eliminate the re-keying of data. The form dumps the information into a central database.  in a WIF you can have explanatory text, images, fields and/or links to other documentation. The WIF is mapped to fields in the EthicsPoint Event Manager. You can create custom print forms to match the look and feel of the WIF. All of the data elements are available for reporting and analytics. There is also branching logic available depending on how questions are answered.

Erin then showed an example of an HR Management report. This highlighted the branching features. Another demo was the Hospira HR system. They used the system for people to ask questions. The system tracks the questions and the answers given.

Investigating Suspected Financial Accounting Irregularities

I watched the webinar from EthicsPoint and Kroll on Investigating Suspected Financial Accounting Irregularities. Jed Davis is the Managing Director in the Business Intelligence and Investigations Division of Kroll and Dave Hess is the Managing Director of the Forensic Accounting and Litigation Consulting Division of Kroll.

Dave emphasized the need to have a plan in place to deal with an investigation.

In Planning the investigation:

  • Establish an independent team with required expertise:
  • Identify and preserve relevant documents and evidence
  • Determine the scope and timing of investigation
  • Develop work plan and approach
  • Establish internal communication protocol

Some key objectives and considerations are:

  • to ensure and maintain rigor and credibility of investigation
  • to work with outside counsel to establish and maintain procedures to protect attorney‐client privilege
  • communicate with the investigating parties and stakeholders.
  • Establish procedures to avoid “scope creep”
  • Determine if alleged misconduct was an isolated act or a systemic problem
  • Establish verifiable chronology of policies, decision‐making and actions in issue
  • Identify internal control deficiencies and make recommendations for improvements
  • Report investigation results to stakeholders

Presentation slides for Investigating Suspected Financial Accounting Irregularities.(.pdf)

Know Your Customer Podcasts

You can find a seried of FINRA Compliance Podcasts on their Compliance Podcast webpage and from iTunes.  Last summer they have a few on Customer Identification Programs and Anti-Money Laundering programs: