written by Don H. Byrne, CBCP, CDCP, CBROI, Lead Auditor, Senior Writer and Contributing Editor.
While the media has spent many hours discussing the waning importance of the U.S. economy, the facts seem to indicate the opposite. The U.S. economy remains very influential and the regulations that are attempting to control business transactions are impacting all of the economies that are connected to the U.S.
Certainly, other economies are on the rise — most significantly those in Asia and around the Indian subcontinent. But the full impact and reach of the U.S. economy, together with the associated business continuity and security management issues (especially information security requirements) and the compliance reporting demands placed on non-U.S. vendors to whom business is outsourced, must be taken into consideration when gauging the true significance of the U.S. economy on the world stage. This article will explore the impact and influence that U.S. regulations, especially information security regulations, have on business operations outside of the United States.
U.S. laws and regulations are designed so that compliance with established requirements flows through any U.S. company and imposes a responsibility on all of its business partners and outsourced vendors. Take HIPAA compliance as an example. Many insurance companies now outsource the data entry associated with claims processing to organizations located outside the U.S. The reason for this movement of labor offshore is quite simple: the cost of labor in these locations is quite low. However, even though these offshore companies operate as independent companies, and one would otherwise assume them to be outside the jurisdiction of U.S. regulators, the need to provide compliance reporting and the requirement to follow HIPAA security procedures remain.
Clever U.S. companies make compliance with U.S. regulations part of their outsourcing contracts and insist on reviewing the vendor’s compliance systems that monitor and track this adherence to regulations. Some firms even engage in sample compliance studies in an effort to gain credibility with U.S. regulators by showing that the rules are being followed.
Given the rash of data breaches that have been reported in the past few years, many companies are now insisting on a formal review of the outsourced vendor’s information security strategy and a detailed description of the information security procedures in place. While there is an effort to sanitize records as much as possible, some personal information must be included in order to properly identify the patient or insured person. This requirement will contribute to the ongoing demand for risk management and security management personnel to oversee these operations.
Associated with the growth of this profession will be an insistence that the outsourced vendor develop an information security framework. The information security procedures governing control of identity information, which could then enable better control of, or eliminate, the risk of identity theft, will obviously receive ongoing attention.
In closing, while the checking of physical compliance with various U.S. regulations, such as the proper storage of records covered by HIPAA, will continue, this is only part of the impact that U.S. regulations will have on businesses outside of the U.S. The same or a greater level of attention will be paid to information security controls, especially as they relate to information whose disclosure poses a danger to individuals or to the disclosure of sensitive financial information. The information security industry is aware of this opportunity and is gearing up for it.
Even organizations such as SUNGARD, IBM and other regional vendors that have traditionally been associated with disaster recovery software and recovery sites are beginning to expand their consulting practices and product offerings to capitalize on the opportunity and the need for an information security plan which, without consulting help, will not exist in most small to mid-sized U.S. companies. Similarly, vendors of business continuity software are adding a compliance template to their products and re-branding these offerings as a new product category called “business continuity security products”.
As the regulatory environment in the U.S. becomes more complex and each major industry sector establishes its own business continuity standard, the ripple effect of these decisions will be felt around the world. In the future, as the concept of the extended enterprise becomes commonplace, an information security audit will have to account not only for operations being conducted in the U.S., but also for those at the offices of trading partners and outsourced vendors around the world.