Resource Center Regulatory Compliance Specific Regulations

Specific Regulations

Sarbanes-Oxley

The Sarbanes-Oxley act was enacted by the United States Congress in July 2002. It requires publicly traded companies to ensure that they are properly reporting financial information. One of the most critical sections is section 404, which requires internal control over the creation of financial reports, and mandates responsibility for access privileges. This section is crucial for IT organizations to understand and act on.

Companies are expected to prove the following to outside auditors:

• Users are reliably authenticated and authorized before they can access a system, and that it should be difficult to impersonate that user.
• Users can only perform actions for which they have authority.
• Actions are recorded in an indelible and auditable record.
• Management, specifically the principal officer and principal financial officer, take responsibility for reasonable access privileges and controls.
• Reporting on material changes in the condition and operations of the company are timely and up to date.

Download Hitachi ID documents about using the Hitachi ID Management Suite® to comply with Sarbanes-Oxley
 Hitachi ID whitepaper
 Hitachi ID / SOX brochure

HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) outlines what is required of healthcare organizations to ensure the portability of healthcare coverage and the privacy of patient records. Among other things, HIPAA requires organizations involved in healthcare to:

• Designate one individual in the organization in charge of HIPPA compliance and implementation.
• Train employees to properly and effectively follow privacy measures.
• Take reasonable measures to limit the disclosure of patient health information, including securing electronic access to patient records.

Download Hitachi ID documents about using the Hitachi ID Management Suite to comply with HIPAA
 Hitachi ID whitepaper
 Hitachi ID / HIPAA brochure

FDA 21 CFR Part 11

Pharmaceutical and other biotech companies are subject to regulation by the food and drug administration (FDA). One of the FDA regulations, regarding electronic signatures and the integrity of electronic systems, is FDA 21 CFR 11. Requirements of 21 CFR Part 11 include:

• Controls over who has access to closed systems.
• Audit trails of access rights and actions.
• Run-time authorization over user access to key data and functions.
• Requirements for the use of electronic signatures, including passwords.

Download Hitachi ID documents about using the Hitachi ID Management Suite to comply with 21 CFR Part 11
 Hitachi ID whitepaper

GLB - Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley act, signed in 1999, applies to financial institutions and securities firms. It requires them to implement strict regulations to protect the privacy of customer data. These include:

• Evaluation of current security programs and relationships to recognize risks, and upgrades where required.
• Establishment and enforcement of policies pertaining to user authentication and access control, for both customers and employees.
• Establishment of a program to assess risks to customer data and to protect against such threats.

Download Hitachi ID documents about using the Hitachi ID Management Suite to comply with Gramm-Leach-Bliley
 Hitachi ID / GLB brochure

PIPEDA

The Canadian Personal Information Protection and Electronics Document Act (PIPEDA), implemented in 2000, is intended to protect personal information collected over the course of conducting commerce electronically. This act governs the collection, use, retention and disclosure of personal information. It stipulates data security and limits use of personal data by corporations. Among other things, PIPEDA requires that organizations:

• Designate a person accountable for compliance with the act.
• Be held responsible for the information they controls.
• Ensure that personal information is accurate and up to date.
• Protect personal information.

© Hitachi ID Systems, Inc. 2008. All rights reserved.