By Ken North
Sarbanes-Oxley (SOX) and other regulatory requirements are no surprise to the IT community, but a recent survey found there has been more talk than actual progress on compliance monitoring. The November 2006 survey by the Oracle Application User Group (OAUG) and Unisphere Research found that progress has been slow and that many organizations still rely mainly on manual techniques for compliance management. The survey included responses from more than 200 IT managers and professionals.
Besides the reliance on manual methods for compliance management, the survey also found:
- 40% of the organizations surveyed are planning or implementing SOX compliance solutions
- 64% of respondents tracking SOX compliance found deficiencies in their database environments
- 80% of respondents' organizations with more than 5000 employees are using four full-time employees for database monitoring and compliance reporting
- 65% indicated automated monitoring would reduce the expense of compliance management.
- 75% of respondents' organizations use other DBMS platforms in addition to Oracle.
Survey respondents also provided information about their organization's efforts to comply with SOX, the Payment Card Industry (PCI) Data Security Standard, the Health Insurance Portability and Accountability Act (HIPAA) and the Federal Information Security Management Act (FISMA).
The Public Company Accounting Reform and Investor Protection Act of 2002 is more commonly known as SOX or Sarbanes-Oxley. SOX compliance, mandated for US companies, provides a framework for corporate governance and is intended to ensure the accuracy of financial reports. Because of SOX, auditors look not only at the numbers but at the process that produces the numbers. SOX affects any part of an organization that contributes to its financial success or failure.
Regarding SOX compliance audits, the survey found:
- 26% of respondents reported they are 'Ready'
- 34% of respondents are 'Not sure or Not affected'
- 40% are 'Planning or Implementing' compliance solutions.
In May 2005, Pillsbury Winthrop Shaw Pittman LLP estimated $35 billion has been spent on SOX Section 404 compliance. AMR Research estimated SOX compliance spending for 2005 was $6.1 billion.
Because HIPAA compliance requirements are not new, the findings about HIPAA compliance are particularly puzzling. When HIPAA became law (Public Law 104-191, 1996), it required the US Department of Health and Human Services (HHS) to implement standards for electronic health care transactions.
Survey responses show that, a decade after HIPAA became law, only a minority of organizations are compliant and ready for an audit:
- 23% of respondents reported they are 'Ready'
- 58% are 'Not Sure or Not Affected'
- 17% are 'Planning or Implementing' compliance solutions.
The fact that so few organizations are compliant is surprising because the penalties are stiff. Failure to comply with the HIPAA-mandated electronic data, security or privacy standards can result in monetary penalties of up to $25,000 per year for each standard violated. Violating the privacy provisions for commercial or malicious purposes is punishable by one to ten years in prison, plus fines of $50,000 to $250,000.
The Payment Card Industry adopted a data security standard with 12 specific requirements to ensure the integrity of payment card transactions and protect the privacy of cardholder information. Because complying with the standard mitigates threats, and because attacks by Internet hackers have been pervasive, the lack of progress is disappointing. Only a small percentage of the respondents' organizations would pass a PCI compliance audit:
- 7% of respondents are 'Ready'
- 71% are 'Not Sure or Not Affected'
- 19% are 'Planning or Implementing' solutions.
Fines for non-compliance, up to $500,000 per incident, are determined by the individual credit card associations.
FISMA was enacted into U.S. law as part of the Electronic Government Act of 2002. It assigns responsibilities to the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) to strengthen information system security. The security requirements apply to government agencies and to organizations that handle Federal data, such as government contractors. With respect to FISMA compliance, the survey respondents reported:
- 8% of respondents are 'Ready'
- 74% are 'Not Sure or Not Affected'
- 16% are 'Planning or Implementing' compliance solutions.
Besides the requirements defined by SOX, FISMA, HIPAA and the PCI standard, organizations and their database administrators must also consider whether they fall within the jurisdiction of governments with privacy laws. The European Union, for example, has strict privacy laws, and the State of California has passed laws governing database security breaches and personal data encryption.
On the Web
US Dept. HHS Office for Civil Rights (Medical Privacy Standards)
PCI Data Security Standard 1.1
© 2006, North Summit Media. All rights reserved.