Compliance: Not an Option

Today's SMB owners are more than ever affected by governmental and industry regulations covering data monitoring, records management, and data security. Like it or not, small-to-medium businesses must evaluate their compliance with these regulations and follow their provisions to the letter. An IT management firm can be vital in performing this risk assessment and advising on the practical steps your business can take to avoid fines, legal sanctions, or the loss of your ability to process payments.

What is Sarbanes-Oxley or SOX?

The Public Company Accounting Reform and Investor Protection Act of 2002, known as Sarbanes-Oxley (SOX) after its sponsors, Senator Paul Sarbanes and Representative Michael Oxley, was passed by Congress in response to the accounting scandals at Enron, WorldCom and other major corporations. Most of the act applies only to publicly traded companies and their auditors, but it reaches further than many SMB owners assume: its criminal provisions on destroying or falsifying records (Section 802) and on retaliating against whistleblowers (Section 1107) apply to every business, and private companies that supply, service, or are being acquired by a public company are routinely asked to demonstrate equivalent controls. Where SOX does apply, SMB owners and their IT managers are directly affected because the act's internal-control requirements (Section 404) extend to the systems that produce the numbers: since nearly every company keeps its books electronically, the controls that get audited are largely IT controls. To satisfy the independent audits the act requires, a business must be able to show, day by day, who had access to its financial records and statements, what changed in them, and what changed on the servers and software that hold them, with records an auditor can review.

How Do the HIPAA Provisions Affect Me and My Business?

The Health Insurance Portability and Accountability Act was passed by Congress in 1996. Alongside its rules on the portability of health coverage, its Administrative Simplification provisions gave rise to the Privacy Rule and the Security Rule, which govern how protected health information (PHI) may be used, disclosed, stored and secured. Those rules apply to covered entities (healthcare providers that bill electronically, health plans, including employer-sponsored group health plans, and healthcare clearinghouses) and, through business associate agreements, to any company that handles PHI on their behalf. The HIPAA Enforcement Rule, which took effect in 2006, ten years after the act was passed, gave the Department of Health and Human Services the procedures to impose civil money penalties on non-compliant organizations; the 2009 HITECH Act later raised those penalties and made business associates directly liable. If your business provides healthcare, runs a health plan, or processes, stores or transmits PHI for anyone who does, HIPAA applies to you! An employer that merely offers an insurance benefit and handles enrollment paperwork is not itself a covered entity, but it must comply to the extent it receives PHI from its group health plan.

All about the PCI Data Security Standard

The Payment Card Industry Data Security Standard (PCI DSS) sets the minimum controls for protecting cardholder data wherever it is stored, processed or transmitted, so it affects any business that accepts credit or debit cards. It was developed by the major card brands (Visa, MasterCard, American Express, Discover and JCB) to protect cardholders and is maintained by the PCI Security Standards Council they founded in 2006. The standard is organized as twelve requirements covering, among other things, firewalls and network segmentation, encryption of cardholder data in storage and in transit, access control, logging and monitoring, regular vulnerability scanning and penetration testing, and a written security policy; it also flatly prohibits storing sensitive authentication data such as the full magnetic stripe or the card verification code after a transaction is authorized. Compliance must be validated: large merchants undergo an on-site assessment by a Qualified Security Assessor (QSA), while most SMBs complete a Self-Assessment Questionnaire (SAQ) and, where they have internet-facing systems in scope, quarterly external scans by an Approved Scanning Vendor (ASV). PCI DSS is not a law, but your merchant agreement with your acquiring bank makes it a contractual obligation, and non-compliance can mean fines, liability for breach costs, or losing the ability to accept card payments at all.

How Do I Know My Business is in Compliance with These Regulations?

Many resources are available to help an SMB assess its compliance with SOX, HIPAA and the PCI DSS. For Sarbanes-Oxley, the IT Governance Institute has published a comprehensive guide, IT Control Objectives for Sarbanes-Oxley: The Role of IT in the Design and Implementation of Internal Control Over Financial Reporting, 2nd Edition, that maps the act's requirements to the IT controls a company must put in place. HIPAA's Privacy, Security and Enforcement Rules are published in full on the U.S. Department of Health and Human Services web site (hhs.gov/hipaa), along with guidance aimed at small providers. For the PCI DSS, the PCI Security Standards Council (pcisecuritystandards.org) publishes the standard itself, the Self-Assessment Questionnaires, and supporting documents that help a business determine which requirements apply to it.

Let a Qualified IT Management Firm Take the Guesswork out of SOX, HIPAA and PCI DSS Compliance!

The most efficient way to ensure compliance with SOX, HIPAA and the PCI DSS is to enlist the experience and services of a quality IT management firm that has already put in place the processes and documentation the governing bodies require. Just fill out our free form and get in touch with an IT consultant in your area!