Home

About Us

Consulting Services

Compliance Regulations and Marketing

News and Activities

Contact Us

Chaos to Compliance Blog

Compliance Regulations & Marketing

Creating compelling marketing content and credible messages requires an in-depth understanding of compliance regulations and the vertical markets they impact. Buyers expect more than a simple claim that “our product helps you comply SOX, HIPAA, GLBA, PCI. The challenge for security product marketers is to move away from broad, general claims to specific descriptions of how your product addresses individual requirements. Depending on the regulation and the vertical market, there may be additional guidance as to how to implement the regulation, and there may be different regulating agencies. Mapping your product’s capabilities to these additional guidelines is key to establishing a credible compliance story. And training your salesforce to talk about compliance using appropriate terms is equally important.

Consider two important compliance regulations, GLBA and PCI:

GLBA

The Gramm Leach Bliley Act seeks to provide protection for consumer’s “non-public personal information”, or NPI. In terms of how it impacts IT security, GLBA includes two primary provisions, the Financial Privacy Rule, and the Safeguards Rule.  The Financial Privacy Rule requires financial institutions to give their customers privacy notices that explain the financial institution’s information collection and sharing practices.

The GLBA Safeguards rule is where most of the impacts on IT security arise. The language and provisions found in the GLBA Safeguards rule are too general and insufficient to use as the basis for a measurable security program. In order to add the required level of detail, a cross-agency group of financial industry regulators called the Federal Financial Industry Examiners Council (FFIEC) developed a set of more detailed requirements known as the Interagency Guidelines. The InterAgency Guidelines are much more specific as to the security program requirements, and the detailed security measures that must be put in place.

Regulatory oversight and enforcement of GLBA and the Interagency Guidelines depends upon the kind of financial firm:

Banks- Office of Comptroller of Currency, Federal Reserve

Savings & Loans- Office of Thrift Supervision

Credit Unions- NCUA

Securities firms- SEC

Other financial institutions- Federal Trade Commission (mortgage issuers, brokers insurance companies, tax firms)

In the financial industry, the impact of failing to adequately protect the private financial data of customers and consumers is significant. Possible consequences of failure include fines from regulators, brand damage and loss of confidence among customers, lost business, and loss of market value.

PCI DSS

The credit card industry developed the Payment Card Industry Data Security Standard to attempt to protect personal financial information associated with credit card use. PCI DSS applies to firms throughout the payment card industry, from the smallest retailers, to very large credit card processing agencies. PCI DSS contains twelve high level requirements, each of which has many more detailed sub-requirements.

PCI DSS applies to all participants in the credit card processing industry, however the level of scrutiny and evaluation of compliance status varies based upon the size of the participant.

The consequences of failing to adhere to PCI DSS are considerable, and can include losing the ability to accept credit cards for payment.

Compliance Marketing Group provides a unique blend of security and compliance subject matter expertise, coupled with results-oriented marketing capabilities.

Copyright 2007 Compliance Marketing Group. All rights reserved.