January 2008
Compliance and Regulatory Primer
We have all heard of the high-profile corporate scandals and data breaches plaguing North America in recent years and the ensuing regulatory requirements put forth by governments on both sides of the border. Safeguarding sensitive consumer, business and employee data has become a pressing concern for organizations as they face growing pressure from financial markets, customers, employees and shareholders to attain full regulatory compliance. As much as this can be an expensive and onerous task, the risk of non-compliance can be even greater with the threat of lost business, monetary penalties, negative publicity and even prosecution causing a company’s reputation or share price to fall dramatically. Leading organizations are taking strong security measures to manage and protect their data and are looking to companies they do business with to share the burden of regulatory compliance.

CICA 5970 and SAS 70 (Type 2)

  • Both are similar audits used by independent auditors to assess the internal controls of service organizations
  • These programs have specific requirements for service providers managing customer data and focus heavily on the areas of compliance, security, and access
  • CICA 5970 is a Canadian standard administered by the Canadian Institute of Chartered Accountants, while SAS 70 is essentially the US-based equivalent developed by the American Institute of Certified Public Accountants
  • Fusepoint has been audited against both by the firm Grant Thornton LLP since 2005

PCI DSS (Payment Card Industry Data Security Standard)

  • A data protection standard created by the payment card industry that aims to secure credit cardholder information wherever it resides
  • Founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International, it applies to organizations that store, process or transmit cardholder information, and outlines steps that merchants and service providers must take to achieve compliance
  • Noncompliance can be costly, and companies that do not meet PCI’s requirements run the risk of not being able to conduct business with leading credit card companies including Visa, MasterCard and American Express
  • Fusepoint has recently achieved the highest level of PCI compliance for service providers supporting Tier 1 merchants (retailers that process over six million transactions per year) and we are one of the few managed hosting providers in Canada to be approved

SOX (Sarbanes-Oxley Act)

  • Introduced in the U.S. in 2002 to restore investor confidence in the markets by defining significantly tighter personal responsibility of corporate top management for the accuracy of reported financial statements
  • Effective in 2006, all publicly-traded U.S. companies and non-U.S. companies with a U.S. presence are required to submit an annual report of the effectiveness of their internal accounting controls to the SEC
  • For SOX compliance, organizations are concerned with the security and availability of their financial reporting processes
  • Fusepoint’s Business Continuity and Disaster Recovery solutions help companies mitigate their overall risk and effectively address these compliance issues

PIPEDA (Personal Information Protection and Electronic Documents Act)

  • Canadian federal act governing the collection, use and disclosure of personally identifiable information in the course of commercial transactions
  • Covers traditional, paper-based and on-line business
  • Data stored on computers must be secured by passwords, encryption and/or firewalls, backed up regularly, and securely stored off-site to guard against loss by fire or theft
  • Fusepoint’s security policies help Canadian companies with PIPEDA compliance by delivering high availability for mission-critical applications

Fusepoint Managed Services
1.877.387.3764
