Requirements
Program Change Program Development Audit Program

1. Systems Maintenance
Objective: Determine that all maintenance activity is performed and documented according to installation standards and procedures by reviewing documentation related to systems maintenance.
Audit steps
a. Determine whether standards have been established for the documentation of systems maintenance
b. Evaluate existing standards to determine whether they are comprehensive enough and cover issues such as compliance with ISO/IEC 17799 (the code of practice for information security management, renumbered ISO/IEC 27002 in 2007)
c. Review a sample of existing documentation to determine whether it complies with installation standards
d. Ascertain whether systems maintenance documentation is maintained in a secure environment and protected against tampering
Communications Decency Act of 1996
The Communications Decency Act (CDA), enacted in 1996 as Title V of the Telecommunications Act, bans making "indecent" or "patently offensive" material available to minors through computer networks. The act imposes a fine of up to $250,000 and imprisonment for up to two years. The CDA specifically exempts from liability any person who merely provides access or connection to or from a facility, system, or network that is not under the control of the person violating the act. The CDA also states that an employer shall not be held liable for the actions of an employee unless the employee's conduct is within the scope of his or her employment.
International privacy laws that affect information security
Although U.S. privacy laws, including California SB 1386 (the state's data breach notification law), are becoming more prevalent, some international privacy legislation is more stringent. Two such laws are the European Directive on the Protection of Personal Data and the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA).
European Directive on the Protection of Personal Data
In October 1995, the European Union adopted the European Directive on the Protection of Personal Data (Directive 95/46/EC). The directive governs personal information within all member countries of the EU and places minimum protection requirements on it. It also restricts the transfer of personal data to entities in countries outside the EU that do not provide an adequate level of privacy protection, a category that included the United States. As with many laws that govern information privacy, the directive requires entities that collect, transmit, process, or disclose personal information to use appropriate technical and organizational measures to protect such information. (The directive was repealed and replaced by the General Data Protection Regulation, Regulation (EU) 2016/679, which applies from May 2018.) Some of the other directive requirements include
How to comply with Registration, Evaluation, Authorisation and Restriction of Chemicals (REACH)
Until its entry into force on June 1, 2007, REACH (Regulation (EC) No 1907/2006) was a matter not only of serious legislative debate but also of bitter condemnation. Whatever feelings it may still provoke, its provisions will force businesses around the world to make difficult decisions about tens of thousands of substances by June 2008, the date of the first regulatory deadline affecting existing chemical products. REACH, whose provisions are phased in over 11 years, replaces 40 existing pieces of legislation in the European Union (EU). Companies can find explanations of REACH in the guidance documents on the EU's REACH web site (see Figure 12-1), and a number of help desks are available for consultation. The European Commission is slated to conduct a series of reviews of the REACH Annexes (Annexes I, IV, V, XI, and XIII) until December 2008.
What REACH says
The U.S. Toxic Substances Control Act (TSCA), which has not been substantially amended since its enactment over 30 years ago, is to REACH what a speck of dust is to the sun. The difference between them, to say nothing of the immediate and long-term consequences of the latter, is enormous. Remember our discussion of the difference between substances and materials? This is where those differences come into play even as they are obliterated. Forget materials: REACH forces companies to comply at the level of substances, an enormous task compared to complying with the TSCA.
The current registration process, in which you must register every substance you manufacture or import with the European Chemicals Agency (ECHA), covers nearly 30,000 substances. Of these, 2,500 are likely to be hazardous to human health or the environment and will have to undergo continued testing to show that they can be used safely. Over the next dozen years, however, as many as 100,000 existing substances will be subject to REACH evaluation, authorisation, and, in many cases, restriction. Ultimately, ECHA estimates that a total of 150,000 to 200,000 substances will be registered, though some authorities put that number much higher, going so far as to suggest that there will be half a million applications for approval.
Gramm-Leach-Bliley Act Basic Requirements
The formal title of this law is the Financial Services Modernization Act of 1999. It is more commonly known as the Gramm-Leach-Bliley Act, or by the acronym GLBA. The act was directed primarily at allowing expanded functions and relationships among financial institutions; it covers how and under what circumstances bank holding companies can undertake new affiliations and engage in previously restricted activities.
GLBA Requirements
From the perspective of impact on internal controls, Title V of GLBA provides a series of specific rules governing how the personal information of financial institution customers may be shared. GLBA requires financial firms to disclose their privacy policies and practices to customers. The law gives customers limited control over how the information a financial institution retains about them may be shared with nonaffiliated third parties, through an "opt-out" option. Annually, the financial institution is required to re-inform clients of its privacy policies. Title V also requires each institution to protect the security and confidentiality of customer records (Section 501(b)), which regulators implemented as the Safeguards Rule: a written information security program with risk assessment, controls, testing, and oversight of service providers.