Federal Regulatory Compliance
Our Federal Regulatory Compliance Consultants have worked on both external audit teams and on internal management teams for many organizations. Through our extensive experience we know what it takes to comply with the various government regulations and the costs associated with compliance. The guidance we offer our clients has helped many companies meet their mandatory regulation requirements and deadlines, with minimum impact to the bottom line.
HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996. The Centers for Medicare & Medicaid Services (CMS) is responsible for implementing various unrelated provisions of HIPAA.
HIPAA Health Insurance Reform
Title I of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects health insurance coverage for workers and their families when they change or lose their jobs, including rules on pre-existing conditions and the portability of coverage.
HIPAA Administrative Simplification
The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) require the Department of Health and Human Services to establish national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. It also addresses the security and privacy of health data. Adopting these standards will improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in health care.
Gramm-Leach-Bliley (GLBA)
Summary of Provisions
TITLE I -- Facilitating Affiliation Among Banks, Securities Firms, and Insurance Companies: defines exactly which organizations must comply with GLBA.
TITLE II -- Functional Regulation: defines exemptions and clarifies the relationship to related federal laws, such as SEC laws.
TITLE III -- Insurance: provides functional regulation of insurance activities, and also limits the authority of state insurance laws that could conflict with GLBA.
TITLE IV -- Unitary Savings and Loan Holding Companies: details special provisions of GLBA specific to thrift supervision.
TITLE V -- Privacy: goes into great detail on the required protection of customer privacy.
TITLE VI -- Federal Home Loan Bank System Modernization: cleans up previously existing Federal Home Loan Bank laws.
TITLE VII -- Other Provisions: updates this class of laws for relatively recent changes in banking, such as the widespread use of ATMs.
Sarbanes-Oxley
These laws significantly increase regulatory requirements for publicly traded companies, including yearly financial audits and quarterly reporting requirements. Substantial information technology security issues related to financial information and financial accounting software applications must be addressed in the yearly audits and quarterly reviews. Experts in both finance and information technology security are required to adequately address these regulations.
FISMA (Federal Information Security Management Act)
The Federal Information Security Management Act (FISMA) was passed by Congress and signed into law by the President as part of the Electronic Government Act of 2002. It provides a framework to ensure that comprehensive measures are taken to secure federal information and assets. While mandated for federal systems, FISMA compliance affects everyone who interacts with government systems, including agencies, contractors, and other organizations.
- FISMA Sec. 3505(c)(1): The head of each agency shall develop and maintain an inventory of major information systems.
- FISMA Sec. 3544(a)(1)(A)(i) & Sec. 3547: The application should be protected against unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by the agency.
- FISMA Sec. 3544(a)(1)(A)(ii): The application should be protected against unauthorized access, use, disclosure, disruption, modification, or destruction.
- FISMA Sec. 3544(b): The application must be able to ensure the integrity, confidentiality, authenticity, availability, and non-repudiation of information and information systems supporting agency operations and assets.
- FISMA Sec. 3544(b)(2)(C): Each agency shall develop, document, and implement an agency-wide information security program.
- FISMA Sec. 3544(b)(2)(D): Each agency shall develop, document, and implement an agency-wide information security program that includes periodically testing and evaluating information security controls and techniques to ensure that they are effectively implemented.
SB-1386
"In April of 2002, hackers entered the California state government system and accessed personal information of over 200,000 state employees, ranging from the governor to janitors. Worse yet, the government did not notify the employees until weeks after the incident occurred." - Kinley Levack (EContent)
Due to the identity theft concerns raised by this intrusion, the Security Breach Notification Act passed into law in California on July 1, 2003 to address the public's privacy notification concerns. Although it is a state law, it has wide-reaching impact: a majority of businesses across the nation must now comply with it. The act mandates that any business that releases, accidentally or otherwise, the "personal information" of any California resident must disclose the release within a reasonable period. Because of the way the law is worded, any company conducting business with any California resident is required to comply. The Security Breach Notification Act addresses the following:
- Companies, agencies, or persons conducting business in California must disclose any breach to the affected California residents
- Timely disclosure must occur for all occurrences
- Companies may not share information with affiliates without consumer approval
- "The disclosure shall be made in the most expedient time possible and without unreasonable delay" (Sec. 2(a))
The intention of this law is to ensure that consumers are made aware when their data is received by unauthorized person(s). However, the wording of the bill does not hold entities liable for disclosures or customer alerts when they are not aware that a breach has occurred; the duty is triggered when data is "...reasonably believed to have been, acquired by an unauthorized person" (Sec. 2(a)). SB-1386 provides a 'right of action' for consumers to file a civil case against any noncompliant organization. This legal pressure is unique to this state law, as most federal laws do not provide a 'right of action' for consumers.
NERC (North American Reliability Council)
Presidential Decision Directive 63 (PDD-63), "Protecting America's Critical Infrastructures," officially identifies electricity as a critical infrastructure. Under the direction of PDD-63, the U.S. Department of Energy (DOE) has designated the North American Electric Reliability Council (NERC) as the Sector Coordinator for the Electricity Sector (ES).
NERC is responsible for:
- assessing vulnerabilities
- developing a plan to reduce electric system vulnerabilities
- proposing a system for identifying and averting attacks
NERC has issued the following security guidelines:
- NERC "Security Guidelines for the Electricity Sector" (2002)
- NERC Urgent Action Standard 1200-Cyber Security (2004)
NERC objectives:
- Compliance Reviews - assess, investigate, evaluate, and report
- Compliance Enforcement - administers awards, penalties, and sanctions
- Certification Program - ensures that those who operate the system do so at a minimum standard
NERC Urgent Action Standard 1200 - Cyber Security
- 1201 Cyber Security Policy
- 1202 Critical Cyber Assets
- 1203 Electronic Security Perimeter
- 1204 Electronic Access Controls
- 1205 Physical Security Perimeter
- 1206 Physical Access Controls
- 1207 Personnel
- 1208 Monitoring Physical Access
- 1209 Monitoring Electronic Access
- 1210 Information Protection
- 1211 Training
- 1212 Systems Management
- 1213 Test Procedures
- 1214 Electronic Incident Response Actions
- 1215 Physical Incident Response Actions
- 1216 Recovery Plans
ISO 17799
The International Standards Organization (ISO) specification 17799 provides a baseline for information security management. Many organizations use the ISO 17799 standard as a guideline for developing their own policies, and numerous regulations use the ISO framework as the basis for their own logical and technological control requirements.
SAS 70 Audit Readiness
Under SAS 70, an organization undergoes an annual audit performed by an independent and objective auditor that complies with the American Institute of Certified Public Accountants (AICPA) SAS 70 standards, which are designed to satisfy the requirements of SAS 55 - Consideration of Internal Control in a Financial Statement Audit. The intent of this audit is to provide information and assurances regarding the financial controls of an organization. This auditor-to-auditor report lends validity and substance to an organization's declaration of security and to management's focus on continuous security improvements.
The auditor will issue a report on the service organization's description of its controls and on whether those controls were placed in operation, suitably designed, and operating effectively. There are two types of SAS 70 reports. A Type I report includes the service auditor's opinion on how fairly the provider presented the description of its controls and how well those controls are designed to meet the specified control objectives. A Type II report, generally preferred for its greater depth, includes the same data as a Type I report plus the auditor's opinion on the effectiveness of the controls during the period under review.
PCI Data Security Standard
https://sdp.mastercardintl.com/pdf/pcd_manual.pdf
This standard is the result of a collaboration between Visa and MasterCard and is designed to create common industry security requirements, incorporating the requirements found within both brands' security compliance programs. It provides a single approach to safeguarding sensitive data for all card brands. Applied to the CISP and SDP compliance programs, this framework provides the tools and measurements needed to protect against cardholder data exposure and compromise across the entire payment industry.
The PCI Data Security Standard consists of the following basic requirements, each supported by more detailed sub-requirements:
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
This framework currently is accepted by the following compliance programs:
Mastercard SDP
The MasterCard Site Data Protection Program exists to enable online merchants and service providers to be secure in their dealings with customers and with each other. By providing a common baseline, the MasterCard SDP program allows members to trust one another on the basis of MasterCard certification. Additionally, SDP provides members with best-practice guides and architecture solutions.
VISA CISP
Visa announced its Cardholder Information Security Program in April of 2000. Required of any organization that stores, processes, or transmits Visa customer data, CISP defines practice guidelines for securing customer information. Merchants and service providers must meet different levels of certification, but Visa requires that all of its customers implement aspects of CISP.
Risk Management
Risk management can be pursued as part of meeting regulatory requirements, but it can also be pursued from a cost-benefit approach. When risk management is undertaken in this manner, our consultants can provide a full range of risk management services, ultimately resulting in the optimum Expected Value (EV) or Return On Investment (ROI). Risks represent real potential negative impacts on any organization, and overall, the sum of these risks represents a negative EV. By employing risk management techniques wisely and optimizing ROI, a relatively small investment of funds reduces the EV of risk by a large amount. Often a large ROI is reached by removing or mitigating these risks. In the long run, this makes the organization less risky and increases average returns over the years.
Threat & Vulnerability Assessment
This is a key part of security analysis for any organization. Here all the significant threats to the network, financial applications, and business systems are identified, their likelihood is estimated, and their overall impact is evaluated. This builds the prioritized list of all security risks for an organization. From this list, risk management techniques involving cost tradeoffs are used to produce the best ROI in eliminating and mitigating threats and vulnerabilities.
Control Gap Analysis
When dealing with regulations such as HIPAA, GLBA, or Sarbanes-Oxley, regulatory constraints must be adhered to regardless of ROI. Our consultants are experts at evaluating an organization's ability to comply with these regulations and at documenting precisely where the organization falls short. Based on their experience, they can recommend relatively low-cost solutions that can be employed to bring the organization into compliance. We remain current on the regulations and on current industry and regulatory body interpretations, so we can help minimize the cost of compliance for any organization.
Security Management Policy
Our consultants write, revise, review, and evaluate security management policy for a living. We have been exposed to a wide variety of industries and organizations, so we know best practices. We can evaluate or even create an appropriate security policy customized for your organization, one that responds to the unique security environment your organization operates in while bringing in tried and tested industry best practices.
Incident Response
Many organizations have weak, ad hoc, or incomplete incident response processes and documentation. Our consultants can review your incident response processes and documentation and provide detailed recommendations on how to improve them.
Disaster Recovery & Business Continuity
Each business has unique requirements for its ability to recover after a disaster and for maintaining continuous service or operations. Our consultants are skilled at reviewing the unique features of your business continuity requirements. Based on opportunity cost analysis and your tolerance for interrupted operations, we can develop a customized set of disaster recovery and business continuity plans and provisions that support your needs.
Forensic Analysis
Mistakes, accidents, and fraud happen, even when the best protective measures are employed. Every organization needs the ability, or business partners with the ability, to perform forensic analysis when security is breached or fraud is uncovered. We can assist in the development of an organization's program for internal IT forensics. Additionally, we can be brought in to perform forensics, especially when a difficult or unusual security breach or form of fraud has been discovered.
Security Services
Security incidents, whether they originate externally or internally, are a growing problem for businesses of all types, causing major disruption to their operations and leading to significant financial loss. How do you protect your network, your business systems, your financial applications, and your private business and customer data from compromise? Our recommendation is to utilize the security services provided by Superior Resources Inc., a trusted component of your security solution. Our team of experienced and highly skilled security experts in Internet perimeter security, network security, threat and vulnerability management, and identity management architecture services will work with your in-house IT resources to design, improve, and harden all your security defenses.