Tuesday Oct 27, 2009

Identity Trend 7: Regulation and Compliance

This post is the seventh in a series of eleven posts I am writing about key trends in the Identity Management industry.

Government regulations have been enacted to address problems with fraud, governance, security and privacy arising in various industries.  For example, the Sarbanes-Oxley Act of 2002 (Sarbox) was intended to make corporate governance practices more transparent and to improve investor confidence. It addressed financial control and financial reporting issues raised by the corporate financial scandals, focusing primarily on two major areas: corporate governance and financial disclosure.

Government regulations tend to become more complex and far-reaching over time.  For example, to address the challenges of security and privacy, the Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress in 1996 to establish national standards for use of health care records. HIPAA provided a foundation upon which multiple regulations have been based to address issues with the administration and protection of sensitive medical records information.

Title XIII of the American Recovery and Reinvestment Act of 2009 (ARRA), also known as the Health Information Technology for Economic and Clinical Health Act (HITECH), includes a section that expands the reach of HIPAA by introducing the first federally mandated data breach notification requirement and extending HIPAA privacy and security liability to business associates of "covered entities" (generally, health care clearinghouses, employer-sponsored health plans, health insurers, and medical service providers that engage in certain transactions on behalf of individuals).

The current trend to more extensive government regulation of industry will likely continue or escalate, placing additional burden on enterprises to comply with increasingly complex compliance mandates.

A second source for industry regulations comes from industry itself.  For example, the Payment Card Industry (PCI) Data Security Standard (DSS) is a global security standard for safeguarding sensitive credit card data.  This standard was established by the PCI Security Standards Council, an organization founded by industry-leading enterprises: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc. The standard was created to help organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise.

Identity and Access Management (IAM) is a critical enabler for compliance with government and industry regulations.  For example, Sarbox requirements for fraud reduction, policy enforcement, risk assessment and compliance auditing are supported directly by IAM technology and methods. By streamlining the management of user identities and access rights, automating enforcement of segregation of duties policies, and automating time-consuming audits and reports, IAM solutions can help support strong security policies across the enterprise while reducing the overall cost of compliance.

Similarly, IAM technology and processes, which control user access to data, applications, networks and other resources, can directly support HIPAA/HITECH requirements for privacy, security, auditing and notification.

Practical experience gained in the field as many enterprises have implemented IAM systems to support compliance efforts has yielded several recommended best practices for using IAM systems to enable HIPAA/HITECH compliance.  The following list of best practices will be explored in more detail in a subsequent blog post:

  1. Understand regulatory requirements that apply to your enterprise.

  2. Recognize IT's critical role in the compliance process.

  3. Understand the role of IAM in supporting compliance.

  4. Think of compliance as a long-term program, not a single project.

  5. Establish compliance policies. Principles should be documented as a foundation upon which to build policies, practices and strategies.

  6. Develop a business-driven, risk-based, and technology-enabled compliance strategy.

  7. Collaborate with your business partners and associates.

  8. Establish a governance process.

  9. Implement your strategy in phases.

  10. Follow established standards.

  11. Give real-time visibility into compliance status, progress and risks.

  12. Unify disparate compliance efforts.

  13. Assess progress and adjust as necessary.

Thursday Jan 29, 2009

Open Source, Open CTO, Open Government

Last week, BBC News reported that Scott McNealy, Chairman of Sun Microsystems, has been asked to prepare a paper for the new administration on the subject of how open source software can benefit government.   Commenting on this subject, Scott said:

"It's intuitively obvious open source is more cost effective and productive than proprietary software. Open source does not require you to pay a penny to Microsoft or IBM or Oracle or any proprietary vendor any money."

It will be interesting to read Scott's paper when it becomes available.  I would be delighted to find that our government would adopt practices that actually saved our precious tax money.

I also applaud Scott's comments about a suggested new cabinet-level post of Chief Technology Officer.  He said that the new CTO should:

"Have veto power, the right to eliminate any hardware, software or networking product that touches the federal network. He or she would have real power, real oversight and employ real consequences for folk that don't realign with the architecture. It's what every business does that the government doesn't."

If such a CTO were appointed to lead the implementation of President Obama's "open" technology policy, we could call him or her the "Open CTO."

We at Sun often talk about how leading companies use information technology as a strategic weapon to gain competitive advantage.  President Obama certainly demonstrated the effectiveness of web technology as a competitive weapon in his campaign.

I think we should consider information technology to be a weapon for the American people to improve government.  It can help slash through the impermeable curtains of back-room dealmaking and obfuscating "spin" wherein political insiders try to deceive the public as they push their own agendas.   For example, having access on the web to emerging details of the "stimulus package" enabled each of us to evaluate its worth on its actual merits, rather than having selected information sifted through levels of political commentary before it reached us.

Information technology can make government more accessible, transparent and responsive for us citizens whom the government is supposed to serve.  Open source and an "Open CTO" could be two effective arrows in our arsenal to return the power of government to the hands of the people.

Sunday Aug 31, 2008

Freedom Quotation: George Washington

"Government is not reason; it is not eloquent; it is force. Like fire, it is a dangerous servant and a fearful master."

-George Washington, 1732-1799

Discovering Identity was founded on blogs.sun.com in May 2005 as a means of documenting my exploration of the field of Identity and Access Management. In February, 2010, I switched to hosting the blog at DiscoveringIdentity.com. In March 2012, I began posting Oracle-related information in both places.

The views expressed on this blog are my own and do not necessarily reflect the views of my employer, Oracle Corporation, or any other person or organization.