Policy

= **__1. Policies.__** =
= //What to use, what not to use, who to use, who not to use.// =
//Rules greatly impact how many organizations and IT have to operate.//

Acceptable policies are crucial for the success and sustainment of organizations. Information and communications technologies (ICT) are used both strategically and operationally at almost every organization. Organizations should be able to control the usage and security of the ICT means under their responsibility.

Policies should be taught to the members of the organization. Everybody in the organization should be notified of the policy, and the notification should be signed. The notification document bearing the members' signatures should be kept up to date by one of the departments.

In short, organizations should have policies that are compatible with laws and regulations, both to protect their privacy and to secure their sensitive data. Organizations should be able to control ICT activities within the organization, since they are accountable for any legal, privacy or security violations committed by their members. Policies are indispensable tools for using ICT means properly.

//Ch 8 Compliance and Controls//


== **Sarbanes-Oxley** ==

The **Sarbanes-Oxley** Act requires companies to have an adequate internal control structure and procedures for financial reporting, and to maintain an auditing mechanism that assesses the effectiveness of that internal control structure and those procedures.

The Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation enacted in response to the high-profile Enron and WorldCom financial scandals to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. The legislation not only affects the financial side of corporations; it also affects the IT departments whose job it is to store a corporation's electronic records. The Sarbanes-Oxley Act states that all business records, including electronic records and electronic messages, must be saved for "not less than five years." __Sec. 802(a)(1): "Any accountant who conducts an audit of an issuer of securities to which section 10A(a) of the Securities Exchange Act of 1934 (15 U.S.C. 78j-1(a)) applies, shall maintain all audit or review work papers for a period of__ **__5 years__** __from the end of the fiscal period in which the audit or review was concluded."__ In 2002, Senator Paul S. Sarbanes and Representative Michael G. Oxley sponsored the Public Company Accounting Reform and Investor Protection Act. Now known as the Sarbanes-Oxley Act, it is considered by some government leaders the most significant change to US securities law since the 1930s.

The Sarbanes-Oxley Act:
 * Enforces a form of checks and balances to **enhance financial disclosures**
 * Ensures the integrity of financial statements
 * Requires companies to establish and maintain financial reporting procedures

The SOX act mandates ethical **independent auditing activities** to combat corporate fraud. In order for auditing activities to become more transparent, corporations must maintain:

 * An annual assessment of the effectiveness of the reporting procedures
 * Section 404 assessments that audit compliance procedures
 * Mandatory rotation of Certified Public Accountants

The Sarbanes-Oxley (SOX) Act has not been popular with IT staff, since IT has been significantly impacted by the strict securities regulations. Non-compliance and financial misstatements can lead to jail time or fines for executives. In order to enforce **corporate responsibility** for financial reports, executives must:

 * Disclose auditing procedures in periodic reports
 * Enhance reviews of issuer disclosures
 * Manage assessments of internal controls

== **HIPAA** (Health Insurance Portability and Accountability Act) ==

**HIPAA** regulates the privacy and security of medical records. It covers three basic entities:
 * Health plans
 * Health care providers
 * Healthcare clearinghouses

It also affects some other organizations, such as schools and companies. For example, school administrations have to secure the medical records of handicapped students; they cannot share any information regarding students' medical issues with third parties. Companies cannot share any medical information about their employees, and they have to make sure they comply with the regulations while processing employee health benefits.

This is required for security and privacy purposes and should be signed by employees every year. Every material item issued to users should be inventoried and signed for by those users. //HIPAA: Schools are included.//

 * HIPAA has regulations promoting the privacy and security of medical records
 * The regulations cover three groups of individual or corporate entities:
   * Health plans (insurance and medical plans from employer, private and public carriers)
   * Healthcare providers (hospitals, doctors, etc.)
   * Healthcare clearinghouses (billing services, processors of health information, etc.)
 * It can affect entities inside AND outside the medical industry (non-medical employers would want to make sure that they are compliant)
 * The HIPAA Security Rule is designed to assure the confidentiality of Protected Health Information (PHI)
   * PHI includes identifiable, or even reasonably identifiable, information
   * The Privacy Rule of HIPAA is intended to protect the privacy of all Individually Identifiable Health Information (IIHI)
   * Protected information can be electronic or paper

== **Patriot Act** (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism) ==

The **Patriot Act** is one of the basic regulations controlling financial resources, paths and addresses. Financial institutions have to check the lists of terrorist organizations announced by the US Government before fulfilling their customers' requests. It was passed in the wake of September 11 to fight terrorism effectively.

After the terrorist attacks of 9/11, the United States Government passed the PATRIOT Act of 2001. The Patriot Act allows law enforcement to use many of the same techniques that were already in service to investigate organized crime, and it allows more communication about citizens between various law enforcement agencies in order to fight crime and terror. The Patriot Act enables:

 * Security agencies to use sophisticated surveillance techniques
 * Law enforcement to conduct undetected investigations
 * Federal agencies such as the FBI and CIA to subpoena the business records of suspected terrorists more readily

Procedures for new technology are now more clearly defined in the Patriot Act, allowing law enforcement to fight terrorism more efficiently.

 * Security agencies face far less red tape than before when obtaining search warrants for suspected terrorists.
 * Victims of computer trespassing can seek the assistance of enforcement agencies to monitor computer hackers.
 * Penalties for terrorist crimes have increased significantly, with enhanced maximum penalties.
 * Conspiracy penalties and statutes of limitations have been adjusted accordingly.

The private sector has felt the impact of these changes as well. ID requirements have tightened across the nation.

 * Original birth certificate abstracts are required when Americans move between states.
 * Passports are now required to enter Canada.
 * Financial institutions and airports face stricter ID requirements.

Financial institutions are now under an obligation to take steps to verify customer identification more closely. When opening new accounts, institutions must document their attempts to determine whether the customer appears on any list of terrorist suspects.