GLBA is the Financial Services Modernization Act of 1999, designed to enhance competition in the financial services industry. The legal barriers that traditionally prevented mergers between the insurance, banking and securities industries have been substantially eliminated from federal law. While the Act creates broader business opportunities, it also tasks financial institutions with new consumer privacy safeguards and disclosure requirements (Sections 501 and 505 of GLBA). The Federal Reserve has established guidelines setting standards for safeguarding customer information. Of relevance to the business continuity arena, the guidelines are as follows: each institution is required to implement a written information security program that includes administrative, technical and physical safeguards appropriate to the size and complexity of the bank and the nature and scope of its activities.
| Regulation | Industry | Description |
|---|---|---|
| Gramm-Leach-Bliley Act | Financial | Web site link & detailed description. |
| Turnbull Report: Combined Code on Internal Controls in the UK (1999) | Companies listed on the London Stock Exchange | Institute of Chartered Accountants in England and Wales code governing risk management and control processes, requiring annual review and documentation. Similar to regulations in the US, with Board of Directors involvement. Business contingency planning is referenced in the appendix. |
| HCFA-0049-P Proposed Rule, HIPAA regulations (scheduled for fall 2000) | Healthcare, including both caregivers and insurance | Draft regulations covering electronic security and transmission of patient records. A documented, tested disaster recovery plan is required. |
| ISO 9000, 9001, etc. (1994) | Manufacturing | Purpose is to determine the elements of quality control systems, especially maintenance of records and verification standards. While business continuity planning is not required by statute, vendors report that records retention and data availability are issues with their customers, and that they are specifically asked about their plans. |
| Paperwork Reduction Act (44 U.S.C. Chapter 35, 1995) | Federal Government | Creates a security plan for information resources, requiring contingency planning. |
| Computer Security Act (1987) | Federal Government | Requires security plans for all federal computer systems to assure data integrity, availability, and confidentiality. |
| FFIEC SR97-16 (SPE) (May 1997) | Banking and any related service providers | Sets objectives for Year 2000 projects, with testing and contingency planning recommendations. Includes audit questions. |
| FFIEC FIL-67-97; stronger wording on the client/server environment, replacing FFIEC FIL 82-96 | Banking and any related service providers | The Board of Directors is responsible for ensuring that a comprehensive business resumption and contingency plan has been implemented, encompassing distributed computing and external service bureaus. |
| Consumer Credit Protection Act (CCPA) section 2001, Title IX (1992) | Cross-Industry | Outlines due diligence for availability of data in Electronic Funds Transfers, including Point of Sale. |
| FEMA FRPG 01-94 (1994) | Federal Government and associated contractors | All department and agency heads must formally plan for continuity of essential operations. |
| Foreign Corrupt Practices Act (1977) | Cross-Industry | Management accountability through record keeping. |
| Comptroller of the Currency BC-177 (1983, 1987), superseded by FFIEC | Banking | Amended since the original in 1983; requires banking institutions to develop and maintain Business Recovery Plans. |
| Inter-Agency Policy from the Federal Financial Institutions Examination Council (FFIEC; 1989, revised and strengthened in 1997) | Banking and any related service bureaus, including credit unions | Requires business-wide resumption planning and extends the regulation to require contingency plans from any service bureaus or outsourcing companies that service such banks. |
| Federal Home Loan Bank Bulletin R-67 (1986), superseded by FFIEC | Banking | Follows the intent of BC-177. |
| IRS Procedure 86-19 | Cross-Industry | Legal backup and recovery requirements for computer records containing tax data. |
| Fair Credit Reporting Act | Credit Reporting Agencies | Ensures credit information is accurate, up-to-date and available. |
| Clinical Laboratory Information Act (1988) | Healthcare | Requires protection of critical laboratory data. |
| JCAHO Accreditation Manual for Hospitals (1997) | Healthcare | Guidelines for information management established by JCAHO. |
| Various State Dept. of Administrative Services policies, e.g., Texas (1 TAC 210.13(b)), Oregon’s Dept. of Information Resources (ORS 291.038) | State Government | Policies assigning responsibility for contingency planning within state agencies. |
| BS7799 Section 9 | Pan-European Industry | British Standard Institute Code of Practice for Information Security Management. Requires Business Continuity Planning. |
| GAO/IMTEC-91-56 Financial Markets: Computer Security Controls | Financial | Guidelines for stock markets. |