Research
Compliance Research Group's research activities have included user needs analysis in the compliance and risk management areas, compliance mapping research, and numerous consulting engagements for security consortia, compliance and security vendors, and consulting organizations.
Compliance Research Group has experience working with numerous regulations and standards, including ISO17799, PCI DSS, GLBA, HIPAA, FISMA, and numerous state data privacy laws.
GLBA
The Gramm-Leach-Bliley Act seeks to protect consumers' "non-public personal information", or NPI. In terms of its impact on IT security, GLBA includes two primary provisions: the Financial Privacy Rule and the Safeguards Rule. The Financial Privacy Rule requires financial institutions to give their customers privacy notices that explain the institution's information collection and sharing practices.
The Safeguards Rule is where most of the impact on IT security arises. The language and provisions of the Safeguards Rule are too general and insufficient to use as the basis for a measurable security program. To add the required level of detail, a cross-agency group of financial industry regulators, the Federal Financial Industry Examiners Council (FFIEC), developed a set of more detailed requirements known as the Interagency Guidelines. The Interagency Guidelines are much more specific about the requirements of a security program and the detailed security measures that must be put in place.
Regulatory oversight and enforcement of GLBA and the Interagency Guidelines depends upon the kind of financial firm:
Banks: Office of the Comptroller of the Currency, Federal Reserve
Savings & Loans: Office of Thrift Supervision
Credit Unions: NCUA
Securities firms: SEC
Other financial institutions (mortgage issuers, brokers, insurance companies, tax firms): Federal Trade Commission
In the financial industry, the impact of failing to adequately protect the private financial data of customers and consumers is significant. Possible consequences of failure include fines from regulators, brand damage and loss of confidence among customers, lost business, and loss of market value.
PCI DSS
The credit card industry developed the Payment Card Industry Data Security Standard to protect personal financial information associated with credit card use. PCI DSS applies to firms throughout the payment card industry, from the smallest retailers to very large credit card processing agencies. PCI DSS contains twelve high-level requirements, each of which has many more detailed sub-requirements.
PCI DSS applies to all participants in the credit card processing industry; however, the level of scrutiny and evaluation of compliance status varies with the size of the participant.
The consequences of failing to adhere to PCI DSS are considerable and can include losing the ability to accept credit cards for payment.