Comparison of eight Governance, Risk, and Compliance (GRC) Regulatory Requirements
Comparison of eight Governance, Risk, and Compliance (GRC) regulatory and standards requirements: the Health Insurance Portability and Accountability Act (HIPAA), the European Union Data Protection Directive (EUDPD), the AICPA Generally Accepted Privacy Principles (GAPP), the Payment Card Industry Data Security Standard (PCI DSS), the ISO 27002 Code of Practice for Information Security Management, COBIT, the Sarbanes-Oxley Act of 2002 (SOX), and the Gramm-Leach-Bliley Act (GLBA)
1. Health Insurance Portability and Accountability Act (HIPAA)
HIPAA includes among its components a Privacy Rule and a Security Rule for the handling of personal and medical information within the health care industry. These rules focus on Protected Health Information (PHI) and electronic PHI (ePHI). They grew out of the act's Administrative Simplification provisions, which aim to streamline the U.S. health care system by mandating standardized electronic transactions, code sets, and identifiers. The Privacy and Security Rules are detailed and prescriptive. Although the regulation focuses on organizations in the U.S. health care industry, it can extend to other organizations if they engage in certain activities, such as managing employee group health plans, or providing services to organizations that this regulation directly affects. If your organization is in the United States and maintains a health plan for its employees, HIPAA most likely applies to the information that plan collects and stores. The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) enforces HIPAA regulations.
2. European Union Data Protection Directive (EUDPD)
EUDPD (Directive 95/46/EC) provides baseline requirements that all European Union (EU) member states must achieve through national regulations to standardize the protection of data privacy for citizens throughout the EU. It is important to understand that EUDPD drives additional regulation at the country/region (member state) level. Interpretation and language differences have resulted in differing control requirements in member states. The directive has a strong influence on international regulations because of the limitations it places on transferring personal information about EU citizens outside of the EU to countries/regions deemed not to provide an adequate level of data protection. Examples of specific laws in countries/regions that represent EU member states include:
- Act on Processing of Personal Data (Act No. 429 of 31 May 2000) (Denmark)
- Federal Act Concerning the Protection of Personal Data (Datenschutzgesetz 2000 - DSG 2000) (Austria)
EUDPD and its pursuant regulations affect organizations that do business in the EU or handle the data of EU citizens. If the organization handling EU data is located within the United States, that organization may either voluntarily self-certify its privacy practices with the U.S. Department of Commerce under the U.S.-EU Safe Harbor framework, or include data privacy and protection language in any business contract involving EU data. This contract language is boilerplate (the Standard Contractual Clauses) approved by the European Commission under the directive. Various regulatory agencies of EU member states enforce the various national privacy regulations based on EUDPD. Note that this description reflects the regime at the time of writing: the Safe Harbor framework was invalidated by the Court of Justice of the EU in 2015, and the directive itself was repealed and replaced by the General Data Protection Regulation (GDPR) in May 2018. See also the following section (AICPA GAPP).
3. AICPA Generally Accepted Privacy Principles (GAPP)
Developed by the Canadian Institute of Chartered Accountants (CICA), the American Institute of Certified Public Accountants (AICPA), and the IT Governance Institute, the Generally Accepted Privacy Principles (GAPP) encapsulate requirements of sound privacy practices and policies based in part on the EUDPD standards. The GAPP standard was developed in an effort to consolidate the requirements of the privacy laws and regulations that apply to organizations. Applying GAPP can help entities in non-EU member nations satisfy EUDPD requirements. Although GAPP implementation will aid organizations in matters of information privacy and protection, it is not a guarantee of compliance with any specific regulation, rule, or requirement of an applicable governing body. Consult your GRC subject matter expert for advice on how GAPP can help create information privacy and security policy that is equivalent to EUDPD standards within your organization.
4. Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS) is the result of a collaborative effort between the payment card brands Visa, MasterCard, American Express, Discover, and JCB International Credit Card Co., Ltd. The individual card brands each addressed cardholder data privacy and security requirements with separate programs, which were merged so that the industry could address the need with a unified standard. PCI DSS sets requirements that apply to the business and technical operations of merchants, payment processors, and other handlers of cardholder data. The standard dictates GRC requirements that apply to the network, cardholder data, vulnerability management, access control measures, audit and monitoring mechanisms, and documented security policy. PCI DSS is applicable to any entity that accepts, processes, transmits, or stores cardholder data and certain related metadata. Merchants and service providers who do not abide by this standard might have their status suspended or revoked, can be fined for noncompliance, and could lose their ability to process card transactions.
5. ISO 27002 Code of Practice for Information Security Management
ISO 27002 is a comprehensive code of practice for information security controls published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). These organizations derived this standard from BS 7799 in the United Kingdom to provide an information security management framework. ISO 27002, formerly ISO 17799, takes a very broad approach to information security for electronic files, paper documents, recordings, and all types of communications. Although ISO 27002 is a standard and not a regulation, some regulations recommend it as the appropriate way to manage security within an organization. Many organizations also include its terminology and processes in security agreements with their vendors.
6. Control Objectives for Information and related Technology (COBIT)
The Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) publish and maintain a single volume of IT practices labeled Control Objectives for Information and related Technology (COBIT 4.1). COBIT provides a structure to plan, organize, acquire, implement, deliver, support, monitor, and evaluate IT infrastructure. COBIT provides generic management principles that can be applied across a range of IT frameworks and compliance requirements. Therefore, it complements the other authority documents compared in this document. COBIT and the Microsoft Operations Framework (MOF) share an IT focus, and each can leverage the other when managing and implementing GRC solutions within an organization.
7. The Sarbanes-Oxley Act of 2002 (SOX)
SOX was enacted in the United States in response to a lack of corporate financial governance controls that resulted in questionable accounting practices. From an IT and internal control perspective, the most prominent part of SOX is Section 404. This section of the act requires publicly traded companies to establish internal controls over financial reporting that reduce the probability of a material financial misstatement to less than remote. Section 404 also requires publicly traded companies to engage independent auditors who must attest to the effectiveness of those internal controls. The U.S. Securities and Exchange Commission (SEC) enforces public issuer compliance with SOX, and the Public Company Accounting Oversight Board (PCAOB) sets and enforces the related audit standards.
8. Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act (GLBA) was enacted by the United States government in 1999. GLBA, also known as the Financial Services Modernization Act of 1999, protects the privacy and security of the nonpublic personal financial information that financial institutions collect, hold, and process. The privacy component of this act requires financial institutions to provide customers with an annual notice of their privacy practices, and to provide them the option to direct financial institutions not to share such information with nonaffiliated third parties. The safeguards component of the regulation requires financial institutions to establish a comprehensive written security program to protect the confidentiality, integrity, and availability of the private financial information in their records. In this context, "availability" might refer to controlling who can access the information, or to the availability of a service or function; consult your GRC subject matter expert for clarification. A number of U.S. federal agencies, including the Office of the Comptroller of the Currency (OCC), the Office of Thrift Supervision (OTS, since merged into the OCC), and the Federal Trade Commission (FTC) for institutions not supervised by a banking regulator, enforce GLBA.