"Companies have to transform their thinking from being only compliant with Sarbanes-Oxley to being compliant with all regulations that require information protection," says John Kirkwood, global information security officer at supermarket operator Royal Ahold and former chief information security officer at American Express.
For example, the Federal Financial Institutions Examination Council, a federal interagency group that prescribes uniform principles and standards for how the government examines financial institutions, has mandated that these companies implement more secure ways of letting customers log into financial accounts and conduct transactions. This requirement goes into effect Dec. 31.
Companies that handle credit card transactions, including banks, credit card companies, and merchants, need to start preparing to comply with version 1.1 of the Payment Card Industry's data security standard. It mandates that the custom applications companies use for these transactions be independently reviewed; this requirement goes into effect June 30, 2008. Companies that don't comply risk Visa and MasterCard refusing to do business with them.
Starting January 2008, financial institutions will have to comply with the Basel II Framework, an international agreement that places specific requirements on how banks compute the risks associated with their assets. The framework asks banks to identify the risks they face now and in the future, and to improve their ability to manage those risks.
About a quarter of all companies have to comply with an average of six to eight regulations, according to the Yankee Group. Larger financial services firms are subject to a dozen or more regulations, all with overlapping requirements. "We hear stories that it's common for companies like these to face 30 to 40 audits a year from regulators, partners, and customers," says Andrew Jaquith, an analyst at the research firm.
American Express must immediately respond to audits regarding the safeguarding of bank customer information, as mandated by the Gramm-Leach-Bliley Act, which protects consumers' personal information. To quickly collect information on assets that contain information on banking customers and employees who access that information, the company has deployed Archer Technologies' SmartSuite Framework, a customizable, content-independent infrastructure for managing risk and compliance processes.
American Express has built more than 100 applications with SmartSuite, says Steven Suther, director of information security management at American Express. Auditors get immediate access to compliance reports, Suther says, and American Express is using Archer's Training and Awareness Extension Module to manage security awareness training for more than 130,00 employees.