
Useful Links

This section provides links for Governance, Risk and Compliance related bodies that can help your organization maintain compliance and alleviate risk:

The IT GRC Forum welcomes your suggestions for more listings.

Click on the links to get a detailed overview of each regulation.

Finance
· Basel II
· FDICIA
· GLBA
· AML
· SOX
· FFIEC
· ISO 27002
· SEC Rule 17a
· DPA

Energy & Utilities
· FERC
· NERC
· NRC guidelines
· M&A regs
· SOX
· ISO 27002

Healthcare
· HIPAA
· FDA
· OSHA
· ISO 27002

Public Sector
· FISMA
· COG
· ISO 27002
· DoD 5015.2

Free Membership 

Use the members forum to communicate with peers and create your own online professional network. Within your network you can share ideas and resources that you find online, discuss best practices or simply make new acquaintances.  

  • Connects you to GRC Professionals; peers and IT experts.
  • Social Networking facility to share best practices, in the community forum or on a one to one basis.
  • Facility to create private blogs (visible to all members).
  • Provides expert market intelligence to help you make informed market decisions.
  • FOC access to our categorized archive of articles, whitepapers, case-studies, podcasts and webcasts.


First you should create an account to experience all of the features of the IT GRC Forum. You will be asked to provide your email address, choose a username and password, and provide some basic job and company information (optional). You do not have to list personal information on your member's profile although this may help you to network with other members.


Next you will receive an email from us asking you to confirm your registration to ITGRCForum.com; click the link and you're set! Our Production Department adds new pieces of original editorial content weekly, and you will be notified of new content through e-newsletter communications. All site content is indexed continually and made available to registered users.

Forum

Gain free membership to the IT GRC Forum. Members have the facility to share best practices and network with peers in the members forum, and gain access to market intelligence in the form of Analyst Research and vendor Whitepapers, Case Studies and Media Presentations.


eMedia Centre

Improve your knowledge base and identify the best IT Solutions through our eMedia Centre.

Please click on the links below to access our educational archive:

The IT GRC Forum publishes topical media from leading Solution Providers. There is no cost for submission; however, all documents will be reviewed pending publication.


Product Centre

Gain market intelligence and identify IT Solutions:


e-Learning

Welcome to the Learning Management System! Apart from accessing all your e-learning courses, you can communicate with your training manager, tutor or other learners using chat, messaging services or discussion board, check your progress, maintain an events calendar, take notes and do a lot more.


Useful Links

Links for Governance, Risk and Compliance related bodies that can help your organization maintain compliance and alleviate risk:

Independent Organizations


SCCE

www.corporatecompliance.org

SCCE exists to champion ethical practice and compliance standards in all organizations and to provide the necessary resources for compliance professionals and others who share these principles.

The Society of Corporate Compliance & Ethics (SCCE) is dedicated to improving the quality of corporate governance, compliance and ethics.


OCEG

www.oceg.org

OCEG is a non-profit organization that has a straightforward, ambitious and timely mission: to help organizations align their governance, compliance and risk management activities to drive business performance and promote integrity.


GAO

www.gao.gov

The U.S. Government Accountability Office (GAO) is an independent, nonpartisan agency that works for Congress. Often called the "congressional watchdog," GAO investigates how the federal government spends taxpayer dollars.


ISACA

www.isaca.org

ISACA got its start in 1967, when a small group of individuals with similar jobs (auditing controls in the computer systems that were becoming increasingly critical to the operations of their organizations) sat down to discuss the need for a centralized source of information and guidance in the field. In 1969, the group formalized, incorporating as the EDP Auditors Association. In 1976 the association formed an education foundation to undertake large-scale research efforts to expand the knowledge and value of the IT governance and control field.


ITPolicyCompliance.com

www.itpolicycompliance.com

The ITpolicycompliance.com web site is dedicated to promoting the development of research and information that will help IT security professionals meet the policy and regulatory compliance goals of their organizations. Specifically, this site focuses on assisting organizations to improve compliance results by providing reports based on primary research as well as other related information and resources.

Government Regulators

WDPA

World Data Protection Authorities

Links to Government authorities that implement and monitor local and regional data protection and privacy regulations.

Bank for International Settlements

GASB
Government Accounting Standards Board
The GASB establishes and improves standards of state and local government accounting and financial reporting.

Federal Reserve

FASB
Financial Accounting Standards Board
The Financial Accounting Standards Board (FASB) is the designated organization in the private sector in the United States for establishing standards of financial accounting and reporting.

FERC
U.S. Federal Energy Regulatory Commission
The Federal Energy Regulatory Commission, or FERC, is an independent agency that regulates the interstate transmission of electricity, natural gas, and oil.

FinCEN
Financial Crimes Enforcement Network
The U.S. Department of the Treasury established the Financial Crimes Enforcement Network in 1990 to provide a government-wide multisource financial intelligence and analysis network. The organization's operation was broadened in 1994 to include regulatory responsibilities for administering the Bank Secrecy Act, one of the nation's most potent weapons for preventing corruption of the U.S. financial system.


FISMA
Federal Information Security Management Act
The Federal Information Security Management Act is designed to protect critical information infrastructure.

Board of Governors of the Federal Reserve System

GASB
Government Accounting Standards Board
The mission of the Governmental Accounting Standards Board is to establish and improve standards of state and local governmental accounting and financial reporting.

HIPAA

U.S. Dept. of Health & Human Services - HIPAA Regulations and Guidance
The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) require the Department of Health and Human Services (HHS) to establish national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. It also addresses the security and privacy of health data.

NERC
North American Electric Reliability Council
NERC's mission is to ensure that the bulk electric system in North America is reliable, adequate and secure.

OCC
Office of the Comptroller of the Currency
The U.S. Office of the Comptroller of the Currency (OCC) charters, regulates, and supervises all national banks. It also supervises the federal branches and agencies of foreign banks.

OTS
Office of Thrift Supervision
The Office of Thrift Supervision (OTS) is the primary federal regulator of federally-chartered and state-chartered savings associations, their subsidiaries, and their registered savings and loan holding companies.

PCAOB
Public Company Accounting Oversight Board
The PCAOB is a private-sector, non-profit corporation that oversees the activities of auditors of public companies in order to protect the interests of investors and further the public interest in the preparation of informative, fair, and independent audit reports.

SEC
U.S. Securities and Exchange Commission - SOX
The mission of the U.S. Securities and Exchange Commission is to protect investors, maintain fair, orderly, and efficient markets, and facilitate capital formation.

US Department of Treasury
The Department of the Treasury's mission highlights its role as the steward of U.S. economic and financial systems, and as an influential participant in the global economy: to serve the American people and strengthen national security by managing the U.S. Government's finances effectively, promoting economic growth and stability, and ensuring the safety, soundness, and security of the U.S. and international financial systems.

Industry Associations

AAA
American Accounting Association

The American Accounting Association promotes worldwide accounting education, research and practice. The Association is a voluntary organization of persons interested in accounting education and research.

ABA
American Bankers Association - Center for Regulatory Compliance

ABA's Center for Regulatory Compliance is a gateway to support for meeting the challenges of managing compliance risk. It provides direct access to regulatory expertise, up-to-date reports on agency initiatives, and the resources to assist organizations in keeping pace with the demands of supervisory oversight.

AGA
Association of Government Accountants

The Association of Government Accountants is dedicated to the enhancement of public financial management. AGA serves the professional interests of financial managers, from local, state and federal governments, as well as public accounting firms, responsible for effectively using billions of dollars and other monetary resources every day.

AICPA
American Institute of Certified Public Accountants

The American Institute of Certified Public Accountants is a U.S. professional organization for Certified Public Accountants. Its mission is to provide members with the resources, information, and leadership that enable them to provide valuable services in the highest professional manner to benefit the public as well as employers and clients.

Basel II CPA
Basel II Compliance Professionals Association

Basel II is the second Basel Accord. It contains recommendations by bank supervisors and central bankers from the 13 countries making up the Basel Committee on Banking Supervision to revise the international standards for measuring the adequacy of a bank's capital. It was created to promote greater consistency in the way banks and banking regulators approach risk management across national borders.

COSO
Committee of Sponsoring Organizations of the Treadway Commission

COSO is an independent private sector initiative which studies the causal factors that can lead to fraudulent financial reporting and develops recommendations for public companies and their independent auditors, for the SEC and other regulators, and for educational institutions.

CSI
Computer Security Institute

The Computer Security Institute (CSI) is a membership organization specifically dedicated to serving and training the information, computer and network security professional. CSI delivers education and aggressively advocates the critical importance of protecting information assets. CSI sponsors two conferences annually, targeted at those entering the field as well as at experienced practitioners. CSI also publishes the annual CSI/FBI Computer Crime and Security Survey.

FASB
Financial Accounting Standards Board

The Financial Accounting Standards Board is the designated organization in the U.S. for establishing standards of financial accounting and reporting. Those standards govern the preparation of financial reports and are officially recognized as authoritative by the Securities and Exchange Commission and the American Institute of Certified Public Accountants. The standards are considered essential to the efficient functioning of the economy because investors, creditors, auditors, and others rely on credible, transparent and comparable financial information.

FEI
Financial Executives International

Financial Executives International (FEI) is an advocate for the views of corporate financial management. Its 15,000 members hold policy-making positions as chief financial officers, treasurers, and controllers. FEI enhances member professional development through peer networking, career planning services, conferences, publications, and special reports and research. Members participate in the activities of 86 chapters, 75 of which are in the United States and 11 in Canada.


HCCA
Health Care Compliance Association

HCCA champions ethical practices and compliance standards and provides the necessary resources for ethics and compliance professionals and others who share these principles.

The IIA
Institute of Internal Auditors

The Institute of Internal Auditors (IIA) is an international professional association of more than 122,000 members with global headquarters in Altamonte Springs, Fla., United States. Throughout the world, The IIA delivers certification, education, research, and technological guidance for internal auditors.

IMA
Institute of Management Accountants

Founded in 1919, the IMA is a professional association devoted to management accounting, finance, and information management. The IMA has approximately 73,000 members consisting of corporate accountants and financial executives. In addition to many educational opportunities, the IMA offers the Certified Management Accountant (CMA) and Certified in Financial Management (CFM) programs for management accounting and financial management professionals and supports field-based research and analysis through its Foundation for Applied Research.

ISACA
Information Systems Audit and Control Association

ISACA delivers guidance for information governance, control, security and audit professionals. Its IS auditing and IS control standards are used by practitioners worldwide. Its research pinpoints professional issues challenging its constituents. Its Certified Information Systems Auditor (CISA) certification is recognized globally and has been earned by more than 48,000 professionals. The Certified Information Security Manager (CISM) certification has been earned by more than 6,000 professionals.

ISSA
Information Systems Security Association

The Information Systems Security Association (ISSA)® is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications and peer interaction opportunities that enhance the knowledge, skill and professional growth of its members.

ITGI
IT Governance Institute

The IT Governance Institute is a research think tank delivering references on IT-enabled business systems governance for the global business community.

NALGA
National Association of Local Government Auditors


NALGA is a professional organization dedicated to improving local government auditing. The organization disseminates information and ideas about financial and performance auditing, provides training, and offers a national forum to discuss auditing issues.

NASACT

National Association of State Auditors, Comptrollers & Treasurers

The National Association of State Auditors, Comptrollers and Treasurers is an organization for state officials who deal with the financial management of state government. NASACT's membership is comprised of officials who have been elected or appointed to the office of state auditor, state comptroller or state treasurer in the fifty states, the District of Columbia, and U.S. territories.

NSA
National Security Agency - Central Security Service

NSA initiatives in enhancing software security cover both proprietary and open source software. NSA's work to enhance the security of software is motivated by one simple consideration: to give NSA's customers the best possible security options in the most widely employed products. The objective of the NSA research program is to develop technologic advances that can be shared with the software development community through a variety of transfer mechanisms. NSA does not favor or promote any specific software product or business model. Rather, NSA is promoting enhanced security.

SOXCPA
Sarbanes-Oxley Compliance Professionals Association

The Sarbanes Oxley Compliance Professionals Association provides compliance professionals with resources they need to better serve their organizations or clients, advance their careers, and reach a higher level of personal enrichment.

Policy Standards and Frameworks


CIS
Center for Internet Security
The Center for Internet Security (CIS) is a non-profit enterprise whose mission is to help organizations reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls. CIS members develop and encourage the widespread use of security configuration benchmarks through a global consensus process involving participants from the public and private sectors.

COBIT

COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and practices for IT control throughout organizations.

GAGAS

Government Auditing Standards (the "Yellow Book") contains standards for audits of government organizations, programs, activities, and functions, and of government assistance received by contractors, nonprofit organizations, and other nongovernment organizations.

Guide to Assessment of IT General Controls Scope based on Risk (GAIT)
The IIA's GAIT, focused principally on Sarbanes Oxley, provides guidance to appropriately identify and link COSO constructs of internal control objectives, with assertions, risks and controls, to enable audit and IT practitioners to reach well informed decisions on which controls to include and exclude.

Global Technology Audit Guide (GTAG)
Written for the chief audit executive, The IIA's GTAG publications provide guidance on information technology. Each guide addresses timely issues related to IT management, control or security.

ISO 17799

ISO is the developer of International Standards specifying requirements for state-of-the-art products, services, processes, materials and systems. ISO 17799 is focused on controls and practices for information security. Also visit the ISO 17799 Directory at http://www.27002.net/ (see ISO 27000).

ISO 27000 and ISO 27001
The ISO 27000 series of standards promise to cover a larger body of practice.  Under way, these developments can be found at
http://www.w3j.com/5/index.html.  Information on ISO 27001 can be found at http://www.27001-online.com

ITIL
IT Service Management standards from the Office of Government Commerce are focused on the strategic business value delivered by IT through high quality service.

NIST

NIST resources: Computer Security Resource Center
NIST resources: Rainbow Series
NIST's Computer Security Division conducts research, studies and advises agencies of IT vulnerabilities and devising techniques for the cost-effective security and privacy of sensitive Federal systems.  NIST also develops standards, metrics, tests and validation programs and has long published guidance about secure IT development, usage, planning, implementation, management and operation.


This article or section deals primarily with the United States and does not present a worldwide view of the subject.

Continuity of Government (COG) is the principle of establishing defined procedures that allow a government to continue its essential operations in case of a nuclear war or other catastrophic event. Developed during the Cold War, COG plans were implemented by many countries to avoid leaving a vacuum at any governmental level, which could lead to anarchy or to an unlawful assumption of authority. Effectively the democratic process is revoked temporarily until the effects of the event have subsided and normal government can resume. It is not a generally published part of government policy and is generally shrouded in secrecy for security reasons.

Continuity of Government in the United States
The main points of such a plan in the United States are to suspend certain parts of the United States Constitution and to allow the alternative use of federal land and buildings (including use as internment camps) by FEMA for the housing/detention of US citizens as required, as well as any rescue/recovery operations. It also allows for power in the US to be centralized to the White House and "appointment of military commanders to run state and local governments and declaration of martial law". In the former regard the United States arrangements for Continuity of Government are unusual: whereas the plans in most countries are intended to preserve the legal and constitutional framework, the American system relies on circumventing it. There is no legal basis for the imposition of so-called "martial law".

House Democrat Jack Brooks brought up the issue during the Iran-Contra Affair hearings. Try as he might, he was not able to get the answers to his questions from Col. Oliver North, (it had been reported in the Miami Herald that North had worked on such plans) as he was repeatedly requested by the Chairman to refrain from discussing the issue and to request for a (non-public) executive session if he wanted to discuss the issue at all.

Apparently the Legislative and Judiciary Branches of the US Government each have similar continuity plans. However, both require the Executive to notify them before they are activated. There appears to have been no notification following 9-11 to either the Congress or US Supreme Court until it was finally admitted to Congress in 2002.


It appears the US is still in the Continuity of Government status invoked as a result of 9/11.

There is considerable confusion between the use of extra-constitutional powers and "martial law" in an emergency situation, and Continuity of Government as such. Continuity of Government properly refers to processes, systems, and infrastructure whereby Government control and communications can be maintained. They involve communications systems, operating procedures, delegation of responsibility, and emergency accommodation, including bunkers.

The use of unusual powers in an emergency, whether legal or illegal, is not Continuity of Government so much as a restraint on legal and constitutional rights. Historically many governments and leaders have used a disaster or attack as an excuse to assume illegal and draconian powers.

Above article is licensed under the GNU Free Documentation License. It uses material from the Wikipedia article "Continuity of government".

The Federal Information Security Management Act of 2002 ("FISMA", 44 U.S.C. § 3541, et seq.) is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002 (Pub.L. 107-347, 116 Stat. 2899). The Act was meant to bolster computer and network security within the Federal Government and affiliated parties (such as government contractors) by mandating yearly audits.

FISMA has brought attention to cybersecurity within the Federal Government, which had previously been much neglected. As of February 2005, many government agencies received extremely poor marks on the official report card, with an average of 67.3% for 2004, an improvement of only 2.3 percentage points over 2003. This shows a marginal increase in how federal agencies prioritize cybersecurity, but experts warn that this average must increase for the Government to truly protect itself.

FISMA Compliance Process for an Information System
FISMA imposes a mandatory set of processes that must be followed for all information systems used or operated by a US Government federal agency or by a contractor or other organization on behalf of a US Government agency. These processes must follow a combination of Federal Information Processing standards (FIPS) documents, the special publications SP-800 series issued by NIST, and other legislation pertinent to federal information systems, such as the Privacy Act of 1974 and the Health Insurance Portability and Accountability Act.

Determination of Boundaries of System
The first step is determining what constitutes an "information system." There is not a direct mapping of computers to information system; rather an information system can be a collection of individual computers put to a common purpose and managed by the same system owner. NIST SP 800-18 provides guidance on determining system boundaries.

Determination and Categorization of Information Types in System
The next step is to determine the information types resident in the system and categorize each according to the magnitude of harm resulting were the system to suffer a compromise of Confidentiality, Integrity, or Availability. NIST SP 800-60 provides a catalog of information types, and FIPS-199 provides a rating methodology and a definition of the three criteria. The overall FIPS-199 system categorization is the high water mark of the impact rating of all the criteria of all information types resident in the system.

Select and Implement a Set of Security Controls for System
If the system in question is in the design or implementation life-cycle phase, a set of security controls must be selected and incorporated into the system implementation. NIST SP 800-53 provides a catalog of


Documenting System
Pertinent system information such as system boundaries, information types, constituent components, responsible individuals, description of user communities, interconnections with other systems and implementation details for each security control need to be documented in the system security plan. NIST SP 800-18 Rev 1 gives guidance on documentation standards. Additional documentation such as a contingency plan for the system also needs to be prepared at this stage. Guidance on contingency planning can be found in NIST SP 800-34.



Performing Risk Assessment
Once the control implementation is documented, a risk assessment can be performed. A risk assessment starts by identifying potential threats and vulnerabilities, and maps implemented controls to individual vulnerabilities. One then determines risk by calculating the likelihood and impact of any given vulnerability being exploited, taking into account existing controls. The culmination of the risk assessment shows the calculated risk for all vulnerabilities, and describes whether the risk is to be accepted or mitigated. If mitigated, one needs to describe what additional SP 800-53 controls will be added to the system. NIST SP 800-30 provides guidance on the risk assessment process.


Certification of System
Once the system documentation and risk assessment is complete, the system needs to have its controls assessed and certified to be functioning appropriately. For systems with a FIPS-199 categorization of Low, a self assessment is sufficient for certification. For systems categorized at higher FIPS-199 levels, a certification performed by an independent 3rd party is required. NIST SP 800-26 provides guidance on the self assessment process. NIST SP 800-53A provides guidance on the assessment methods applicable to individual controls.


Accreditation of System
Once a system has been certified, the security documentation package is reviewed by an accrediting official, who, if satisfied with the documentation and the results of certification, accredits the system by issuing an authorization to operate. This authorization is usually for a 3 year period, and may be contingent on additional controls or processes being implemented. NIST SP 800-37 provides guidance on the certification and accreditation of systems.


Continuous Monitoring
All accredited systems are required to monitor a selected set of security controls for efficacy, and the system documentation is updated to reflect changes and modifications to the system. Significant changes to the security profile of the system should trigger an updated risk assessment, and controls that are significantly modified may need to be re-certified. Guidance on continuous monitoring can be found in NIST SP 800-37 and SP 800-53A.
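The two steps of the process above that are mechanical enough to write down as code are the FIPS-199 categorization (each criterion is rated at the highest rating of any resident information type, and the overall category is the high water mark of those ratings) and the risk determination (likelihood and impact of exploitation, given existing controls, combined into a risk level that is then accepted or mitigated). The following Python is an added example, not code from the page, from Wikipedia or from NIST; the information types, vulnerabilities, control identifiers, the numeric likelihood/impact scale and the acceptance threshold are all constructed assumptions for illustration.

```python
# Added example (not from the page or NIST): FIPS-199 style high-water-mark
# categorization followed by a likelihood x impact risk determination in the
# spirit of the SP 800-30 step. All sample data and the numeric scale are
# constructed for illustration.
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Shared scale for impact, likelihood and risk; IntEnum ordering lets
    max() pick the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class InformationType:
    name: str
    confidentiality: Level
    integrity: Level
    availability: Level


def categorize_system(info_types):
    """Rate each criterion at the highest rating of any resident information
    type; the overall category is the highest of those three ratings."""
    if not info_types:
        raise ValueError("a system must contain at least one information type")
    per_criterion = {
        "confidentiality": max(t.confidentiality for t in info_types),
        "integrity": max(t.integrity for t in info_types),
        "availability": max(t.availability for t in info_types),
    }
    return per_criterion, max(per_criterion.values())


def certification_method(overall):
    """Low systems may self-assess; higher categories need an independent assessor."""
    return "self-assessment" if overall == Level.LOW else "independent assessment"


# Constructed numeric scale (an assumption for this example, not a NIST table).
LIKELIHOOD_SCORE = {Level.LOW: 0.1, Level.MODERATE: 0.5, Level.HIGH: 1.0}
IMPACT_SCORE = {Level.LOW: 10, Level.MODERATE: 50, Level.HIGH: 100}


@dataclass(frozen=True)
class Vulnerability:
    name: str
    likelihood: Level             # likelihood of exploitation given existing controls
    impact: Level                 # impact on the system if exploited
    existing_controls: tuple = () # control ids already mapped to this vulnerability


def risk_level(likelihood, impact):
    """Combine likelihood and impact into a risk level using the scale above."""
    score = LIKELIHOOD_SCORE[likelihood] * IMPACT_SCORE[impact]
    if score > 50:
        return Level.HIGH
    if score > 10:
        return Level.MODERATE
    return Level.LOW


def assess_risks(vulns, accept_up_to=Level.LOW):
    """Return {name: (risk, decision)}; risk above the acceptance threshold
    must be mitigated by adding controls."""
    result = {}
    for v in vulns:
        risk = risk_level(v.likelihood, v.impact)
        result[v.name] = (risk, "accept" if risk <= accept_up_to else "mitigate")
    return result


# Constructed sample system: three information types with per-criterion ratings.
SAMPLE_SYSTEM = (
    InformationType("payroll records", Level.MODERATE, Level.MODERATE, Level.LOW),
    InformationType("public web content", Level.LOW, Level.MODERATE, Level.LOW),
    InformationType("employee health records", Level.HIGH, Level.MODERATE, Level.LOW),
)

# Constructed sample findings; control ids are illustrative labels only.
SAMPLE_VULNS = (
    Vulnerability("unpatched web server", Level.MODERATE, Level.HIGH, ("SI-2",)),
    Vulnerability("shared administrator account", Level.HIGH, Level.MODERATE),
    Vulnerability("no off-site backup", Level.LOW, Level.LOW, ("CP-9",)),
)

if __name__ == "__main__":
    per_criterion, overall = categorize_system(SAMPLE_SYSTEM)
    for criterion, level in per_criterion.items():
        print(f"{criterion:16s} {level.name}")
    print(f"overall: {overall.name} -> {certification_method(overall)}")
    for name, (risk, decision) in assess_risks(SAMPLE_VULNS).items():
        print(f"{name:30s} risk={risk.name:8s} {decision}")
```

Note that the likelihood fed into `risk_level` is the likelihood after taking existing controls into account, which is why each vulnerability carries the controls already mapped to it; a later re-assessment after the mitigating controls are added would lower that likelihood and re-run the same functions.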

Above article is licensed under the GNU Free Documentation License. It uses material from the Wikipedia article "Federal Information Security Management Act of 2002".

The United States Occupational Safety and Health Administration (OSHA) is an agency of the United States Department of Labor. It was created by Congress under the Occupational Safety and Health Act, signed by President Richard M. Nixon, on December 29, 1970. Its mission is to prevent work-related injuries, illnesses, and deaths by issuing and enforcing rules (called standards) for workplace safety and health.

OSHA Authority
OSHA's statutory authority extends to most nongovernmental workplaces where there are employees. State and local government workers are excluded from Federal coverage; however, states operating their own state workplace safety and health programs under plans approved by the U.S. Department of Labor cover most private sector workers and are also required to extend their coverage to public sector (state and local government) workers in the state. Section 2(11) of the OSH Act encourages states to develop and operate their own state OSH programs.

The same act (OSHA) also created the National Institute for Occupational Safety and Health (NIOSH) as a research agency whose purpose is to determine the major types of hazards in the workplace and ways of controlling them. As of March 2006, the agency is headed by Assistant Secretary of Labor Edwin Foulke.

OSHA regulations [29 CFR Part 1956] also permit states without approved plans to develop plans that cover only public sector workers. In these states, private sector employment remains under Federal OSHA jurisdiction. Twenty-two states and territories operate plans covering both the public and private sectors and four states - Connecticut, New Jersey, New York and the US Virgin Islands - operate public employee only plans.


History
OSHA was widely criticized in its early years for confusing, burdensome regulations. A good deal of the early conflict came about because of arbitrary and inconsistent enforcement during OSHA's early years. In addition, businesses were expected to retrofit guards and other safety devices on existing equipment and to implement other hazard controls, often at considerable expense, to bring them in line with then-current best safety practices. Other requirements, such as mandated training, communication, and extensive documentation were seen as even more difficult and expensive.

With time, manufacturers of industrial equipment have included OSHA-compliant safety features on new machinery. Enforcement has become more consistent across jurisdictions, and some of the more outdated or irrelevant rules have been repealed or are not enforced.

During the Jimmy Carter administration, under the leadership of University of Cincinnati toxicologist Eula Bingham, OSHA began to concentrate more on health hazards, such as toxic chemicals. Bingham also launched the "New Directions" program, OSHA's first worker training grant program.

With the Ronald Reagan and George H.W. Bush administrations came efforts to weaken OSHA enforcement and rulemaking, although several important rules were issued including hazard communication (right to know about chemical exposures) and blood-borne pathogens (to protect workers against illnesses such as hepatitis and AIDS). The Reagan administration also launched OSHA's Voluntary Protection Program (VPP), OSHA's first foray into voluntary programs and partnerships with industry. In the VPP, management, labor, and OSHA establish cooperative relationships at workplaces that have implemented a comprehensive safety and health management system. Approval into VPP is OSHA's official recognition of the outstanding efforts of employers and employees who have achieved exemplary occupational safety and health.

The Bill Clinton administration began a reorganization of OSHA's approach, focusing more on "stakeholder" satisfaction through compliance assistance. When the Republicans took over Congress in 1994, one of their goals was reducing some of the agency's ability to issue standards. Some Republican sponsored bills were stopped by the Democratic minority and moderate Republicans, but other legislation passed, such as the Small Business Regulatory Enforcement Fairness Act of 1996 and the Congressional Review Act.

In 2000, OSHA issued the ergonomics standard after ten years of study and struggles with a Republican-controlled Congress and business associations such as the Chamber of Commerce and National Association of Manufacturers that were unconvinced that additional government regulation was the right way to address the issue of ergonomic injuries to American workers. Ergonomic injuries (also known as musculoskeletal injuries), such as back injuries and carpal tunnel syndrome, account for one third of all serious injuries suffered by American workers. In March 2001, the Republican-controlled Congress voted to repeal the standard, and the repeal was one of the first major pieces of legislation signed by President George W. Bush. Since the repeal of the ergonomics standard, OSHA has issued three ergonomics guidelines and only a small handful of ergonomic citations under the Act's "general duty" clause.


The Bush administration has largely replaced the process of issuing mandatory regulations with voluntary guidelines and put additional resources into other, previously existing voluntary programs, as well as a new "Alliance" program. In 2004, the General Accounting Office issued a report questioning the effectiveness of these programs and warning that their projected growth threatened to take resources away from OSHA's enforcement budget.

Controversy
Much of the debate about OSHA regulations and enforcement policies revolves around the cost of regulations and enforcement, versus the actual benefit in reduced worker injury, illness and death. A 1995 study of several OSHA standards by the Office of Technology Assessment (OTA) found that regulated industries as well as OSHA typically overestimate the expected cost of proposed OSHA standards.

OSHA has come under considerable criticism for the ineffectiveness of its penalties, particularly criminal penalties. OSHA is only able to pursue a criminal penalty when a willful violation of an OSHA standard results in the death of a worker. The maximum penalty is a misdemeanor carrying at most six months in jail. In response to the criticism, OSHA, in conjunction with the Department of Justice, has pursued several high-profile criminal prosecutions for violations under the Act, and has announced a joint enforcement initiative between OSHA and the Environmental Protection Agency (EPA), which has the ability to issue much higher fines than OSHA. Meanwhile, Congressional Democrats, labor unions and community safety and health advocates are attempting to revise the OSH Act to make it a felony, with much higher penalties, to commit a willful violation that results in the death of a worker. Some local prosecutors are charging company executives with manslaughter and other felonies when criminal negligence leads to the death of a worker.


Regulatory Impact
Here are some of the changes in industrial safety regulation brought about by OSHA:

• Guards on all moving parts - By 1970, there were guards to prevent inadvertent contact with most moving parts that were accessible in the normal course of operation. With OSHA, use of guards was expanded to cover essentially all parts where contact is possible.
• Permissible exposure levels (PEL) - Maximum concentrations of chemicals and dusts stipulated by law. They cover only around 600 chemicals, and most are based on research from the 1950s and 1960s.
• Personal protective equipment (PPE) - broader use of respirators, gloves, coveralls, and other protective equipment when handling hazardous chemicals; goggles, face shields, ear protection in typical industrial environments
• Lockout/tagout - In the 1980s, requirements for locking out energy sources in an "off" condition when performing repairs or maintenance
• Confined space - In the 1990s, specific requirements for air sampling and use of a "buddy system" when working inside tanks, manholes, pits, bins, and similar enclosed areas
• Hazard Communication (HazCom) - Also known as the "Right to Know" standard, it was issued as 29 CFR 1910.1200 on November 25, 1983 (48 FR 53280). It requires developing and communicating information on the hazards of chemical products used in the workplace.
• Process Safety Management (PSM) - Issued in 1992 as 29CFR1910.119 in an attempt to reduce large scale industrial accidents. Although enforcement of the standard has been spotty, its principles have long been widely accepted by the petrochemical industry.
• Bloodborne Pathogens (BBP) - In 1990, OSHA issued a standard designed to prevent health care (and other) workers from being exposed to bloodborne pathogens such as hepatitis B and HIV.

Above article is licensed under the GNU Free Documentation License. It uses material from the Wikipedia article "Occupational Safety and Health Administration".

The Food and Drug Administration (FDA) is an agency of the United States Department of Health and Human Services and is responsible for regulating food (human and animal), dietary supplements, drugs (human and animal), cosmetics, medical devices (human and animal), radiation-emitting devices (including non-medical devices), biologics, and blood products in the United States.


Authorization and mandate
The FDA derives its authority and jurisdiction from various Congressional acts. The main source of the FDA's authority is the Federal Food, Drug, and Cosmetic Act. Additionally, as a Federal agency, the FDA is required by Executive Order 13132 to review all proposed new rules for Federalism issues.

The main purpose of the FDA is to protect citizens from products that are inherently unsafe or that make claims of effectiveness that cannot be substantiated. Because of the vast number of products or substances that may affect the public and the expertise required to evaluate them, Congress delegates this task to a specialized administrative agency.

The FDA thus has the power to regulate a multitude of products in a manner that ensures the safety of the American public and the effectiveness of marketed food, medical, and cosmetic products. Regulations may take several forms, including but not limited to outright ban, controlled distribution, and controlled marketing. Additionally, the FDA sets the standards under which individuals may be licensed to prescribe drugs or other medical devices. Regulatory enforcement is carried out by Consumer Safety Officers within the Office of Regulatory Affairs and criminal matters are handled by special agents within the Office of Criminal Investigations (OCI).


Citizen's Petitions
Anyone can request or petition the FDA to change or create an Agency policy or regulation through the Citizen's Petition process (21 CFR 10.30) [1]. Despite the name, this process is primarily used by companies seeking a change to an FDA policy.


Political susceptibility
Since the FDA derives its authority from enabling legislation, it is principally a delegate of Congress to handle the large number of detailed issues related to its authority. As such, it may at any time be redirected, reorganized or even dissolved at the discretion of Congress. This puts the purpose of the FDA at risk with any change in the balance of power in Congress.

In addition to direct control over the agency's charter, Congress has leverage over the FDA's operations by means of budget allocation. Since budgetary legislation and amendments are very common and many times have a "must pass" status, this method of control is much easier to implement than to gain the wide agreement by Congress to modify the charter of an agency.

Additionally, the FDA's Commissioner is nominated by the President and confirmed by the Senate. This allows the President to select Commissioners who may be sympathetic to political issues he deems important. Additionally, Senate rules allow nominations to be blocked by means of filibuster, whereby the Senate must first obtain a three-fifths supermajority (60 votes) to close debate on an issue before voting.

Finally, the Commissioner himself has discretion regarding the staff employees within the agency and has the power to influence their decisions simply by being able to dismiss those who are not aligned with his views.


Jurisdiction
Unlike drugs, dietary supplements are not pre-approved by the FDA for safety and efficacy. Instead, the FDA can only act against dietary supplement manufacturers after they have put unsafe products on the market. However, certain foods (such as infant formula and medical foods) are deemed special nutritional products because they are consumed by highly vulnerable populations, and are thus regulated more strictly than the majority of dietary supplements.

Under former Commissioner David Aaron Kessler, the FDA in the 1990s attempted to regulate tobacco as a pharmaceutical. The courts determined in FDA v. Brown & Williamson Tobacco Corp. that the FDA did not have Congressional authority to regulate tobacco.



Jurisdictional conflicts
One aspect of its jurisdiction over food is regulation of the content of health claims on food labels. However, because regulating the content of labels impacts First Amendment issues, FDA must balance concerns about the public health with the right to free speech. Daniel Troy, Chief Counsel of the Food and Drug Division from August 2001 to November 2004, raised the agency's focus on First Amendment issues.


Organization
Currently, the FDA is organized into six Centers and the Office of Regulatory Affairs, each with its own origins and history:

• The Center for Drug Evaluation and Research (CDER)
• The Center for Biologics Evaluation and Research (CBER)
• The Center for Devices and Radiological Health (CDRH)
• The Center for Food Safety and Applied Nutrition (CFSAN)
• The Center for Veterinary Medicine (CVM)
• National Center for Toxicological Research (NCTR)
• Office of Regulatory Affairs (ORA)

FDA-Affiliated Organizations
• Joint Institute for Food Safety and Applied Nutrition
• National Center for Food Safety and Technology

CDER operations
The CDER, which regulates human pharmaceuticals, receives considerable public scrutiny, and thus implements processes that tend toward objectivity and tend to isolate decisions from being attributed to specific individuals. In keeping with this, reviews are generally staffed by teams that are intended to come to consensus on decisions.

Within the CDER, the "review teams" employ around 1,300 people to approve new drugs. Additionally, the CDER's "safety team" has 72 employees who determine whether new drugs are unsafe or present risks not disclosed in the product's labeling.

The FDA's budget for approving, labeling, and monitoring drugs is roughly $290 million per year. The safety team monitors the effects of more than 3,000 prescription drugs on 200 million people with a budget of about $15 million a year. The FDA requires a four-phase series of clinical trials, with phase three being the largest and usually requiring 1,000-3,000 patients.


CBER operations
The CBER, which is the oldest operations center, oversees blood products, vaccines, and newer therapeutics related to stem cells and gene therapy.

Above article is licensed under the GNU Free Documentation License. It uses material from the Wikipedia article "The Food and Drug Administration (FDA)".

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996. According to the Centers for Medicare and Medicaid Services' (CMS) website, Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs.

Title II of HIPAA, the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.
The AS provisions also address the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in the US health care system.

Title I: Health Care Access, Portability, and Renewability
Title I of HIPAA regulates the availability and breadth of group and individual health insurance plans. It amends both the Employee Retirement Income Security Act and the Public Health Service Act.

Title I prohibits any group health plan from creating eligibility rules or assessing premiums for individuals in the plan based on health status, medical history, genetic information, or disability. This does not apply to private individual insurance.

Title I also limits restrictions that a group health plan can place on benefits for preexisting conditions. Group health plans may refuse to provide benefits relating to preexisting conditions for a period of 12 months after enrollment in the plan or 18 months in the case of late enrollment. However, individuals may reduce this exclusion period if they had health insurance prior to enrolling in the plan. Title I allows individuals to reduce the exclusion period by the amount of time that they had "creditable coverage" prior to enrolling in the plan and after any "significant breaks" in coverage. "Creditable coverage" is defined quite broadly and includes nearly all group and individual health plans, Medicare, and Medicaid. A "significant break" in coverage is defined as any 63 day period without any creditable coverage.

To illustrate, suppose someone enrolls in a group health plan on January 1, 2006. This person had previously been insured from January 1, 2004 until February 1, 2005 and from August 1, 2005 until December 31, 2005. To determine how much coverage can be credited against the exclusion period in the new plan, start at the enrollment date and count backwards until you reach a significant break in coverage. So, the five months of coverage between August 1, 2005 and December 31, 2005 clearly counts against the exclusion period. But the period without insurance between February 1, 2005 and August 1, 2005 is greater than 63 days. Thus, this is a significant break in coverage, and any coverage prior to it cannot be deducted from the exclusion period. So, this person could deduct five months from his or her exclusion period, reducing the exclusion period to seven months, Hence, Title I requires that any preexisting condition begin to be covered on August 1, 2006.

Title I also forbids individual health plans from denying coverage or imposing preexisting condition exclusions on individuals who have at least 18 months of creditable group coverage without significant breaks and who are not eligible to be covered under any group, state, or federal health plans at the time they seek individual insurance [6].


Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform
Title II of HIPAA defines numerous offenses relating to health care and sets civil and criminal penalties for them. It also creates several programs to control fraud and abuse within the health care system[7][8][9]. However, the most significant provisions of Title II are its Administrative Simplification rules. Title II requires the Department of Health and Human Services (HHS) to draft rules aimed at increasing the efficiency of the health care system by creating standards for the use and dissemination of health care information.


These rules apply to "covered entities" as defined by HIPAA and the HHS. Covered entities include health plans, health care clearinghouses, such as billing services and community health information systems, and health care providers that transmit health care data in a way that is regulated by HIPAA [10] [11].

Per the requirements of Title II, the HHS has promulgated five rules regarding Administrative Simplification: the Privacy Rule, the Transactions and Code Sets Rule, the Security Rule, the Unique Identifiers Rule, and the Enforcement Rule.


The Privacy Rule
The Privacy Rule took effect April 14, 2003, with a one-year extension for certain "small plans". It establishes regulations for the use and disclosure of Protected Health Information (PHI). PHI is any information about health status, provision of health care, or payment for health care that can be linked to an individual[12]. This is interpreted rather broadly and includes any part of a patient's medical record or payment history.

Covered entities must disclose PHI to the individual within 30 days upon request[13]. They also must disclose PHI when required to do so by law, such as reporting suspected child abuse to state child welfare agencies[14].

A covered entity may disclose PHI to facilitate treatment, payment, or health care operations[15] or if the covered entity has obtained authorization from the individual[16]. However, when a covered entity discloses any PHI, it must make a reasonable effort to disclose only the minimum necessary information required to achieve its purpose[17].

The Privacy Rule gives individuals the right to request that a covered entity correct any inaccurate PHI[18]. It also requires covered entities to take reasonable steps to ensure the confidentiality of communications with individuals[19]. For instance, an individual can ask to be called at his or her work number, instead of home or cell phone number.

The Privacy Rule requires covered entities to notify individuals of uses of their PHI. Covered entities must also keep track of disclosures of PHI and document privacy policies and procedures[20]. They must appoint a Privacy Official and a contact person[21] responsible for receiving complaints, and train all members of their workforce in procedures regarding PHI[22].

An individual who believes that the Privacy Rule is not being upheld can file a complaint with the Department of Health and Human Services Office for Civil Rights (OCR) [23][24].


The Transactions and Code Sets Rule
The HIPAA/EDI provision was scheduled to take effect October 16, 2003 with a one-year extension for certain "small plans"; however, due to widespread confusion and difficulty in implementing the rule, CMS granted a one-year extension to all parties. As of October 16, 2004, full implementation was not achieved and CMS began an open-ended "contingency period." Penalties for non-compliance were not levied; however, all parties are expected to make a "good-faith effort" to come into compliance.

CMS announced that the Medicare contingency period ended July 1, 2005. After July 1, most medical providers that file electronically will have to file their electronic claims using the HIPAA standards in order to be paid. There are exceptions for doctors that meet certain criteria.


Key EDI transactions are:

837: Medical claims with subtypes for Professional, Institutional, and Dental varieties.
820: Payroll Deducted and Other Group Premium Payment for Insurance Products
834: Benefits enrollment and maintenance
835: Electronic remittances
270/271: Eligibility inquiry and response
276/277: Claim status inquiry and response
278: Health Services Review request and reply
These standards are X12 compliant, and are grouped under the label X12N.

Implementation Guides are available from the Washington Publishing Company for a fee, now that CMS is not subsidizing the publications.

The National Council for Prescription Drug Programs' Telecommunication Standard version 5.1 is also used for the transmission of third-party pharmacy claims. The NCPDP Telecommunication Standard version 5.1 is available to NCPDP members at NCPDP's website.
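The X12N transactions listed above share one envelope structure (ISA/GS interchange and group headers, then ST..SE transaction sets). The following is an added example, not code from the page or from CMS/X12, showing how a receiver can read the delimiters the ISA header declares and check each ST..SE set's segment count and control number before trusting its contents. The sample 837 interchange is constructed with placeholder identifiers; the names `split_segments` and `check_transaction_sets` are this example's own.

```python
"""Minimal X12 envelope checker for the HIPAA transaction sets named on this page."""
from typing import Dict, List, Optional

# ST01 transaction set identifiers listed on this page.
HIPAA_TRANSACTION_SETS = {
    "837": "Health care claim (professional, institutional, dental)",
    "820": "Premium payment",
    "834": "Benefit enrollment and maintenance",
    "835": "Claim payment / remittance advice",
    "270": "Eligibility inquiry",
    "271": "Eligibility response",
    "276": "Claim status inquiry",
    "277": "Claim status response",
    "278": "Health care services review",
}


def split_segments(data: str) -> List[List[str]]:
    """Split an interchange into segments using the delimiters the ISA header declares.

    The ISA segment is fixed width (106 characters): the element separator is the
    character right after "ISA", the sub-element separator sits at offset 104 and
    the segment terminator at offset 105.  Reading them from the data instead of
    assuming '*' and '~' is what makes the parser robust to real-world files.
    """
    if not data.startswith("ISA") or len(data) < 106:
        raise ValueError("not an X12 interchange: missing fixed-width ISA header")
    elem_sep, seg_term = data[3], data[105]
    raw = [s.strip() for s in data.split(seg_term)]
    return [s.split(elem_sep) for s in raw if s]


def check_transaction_sets(data: str) -> List[Dict[str, object]]:
    """Return one record per ST..SE transaction set with envelope integrity checks.

    A set is "intact" only if SE01 (declared segment count, ST and SE inclusive)
    equals the number of segments actually present and SE02 matches ST02.  A
    truncated or spliced transaction fails here before any payload is processed.
    """
    results: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    for seg in split_segments(data):
        tag = seg[0]
        if tag == "ST":
            current = {"set_id": seg[1], "control": seg[2], "segments": 1}
            continue
        if current is None:
            continue  # envelope segments outside any transaction set (GS, GE, IEA)
        current["segments"] += 1
        if tag == "SE":
            declared = int(seg[1])
            results.append({
                "set_id": current["set_id"],
                "name": HIPAA_TRANSACTION_SETS.get(str(current["set_id"]), "not a HIPAA set"),
                "control": current["control"],
                "segments": current["segments"],
                "intact": declared == current["segments"] and seg[2] == current["control"],
            })
            current = None
    if current is not None:
        # An ST with no closing SE is reported as broken rather than silently dropped.
        results.append({**current, "name": "unterminated", "intact": False})
    return results


# Constructed sample: a skeletal 837 interchange with placeholder IDs (not a real claim).
_ISA = (
    f"ISA*00*{'':10}*00*{'':10}*ZZ*{'SUBMITTER':15}*ZZ*{'RECEIVER':15}"
    "*060101*1200*^*00501*000000001*0*T*:~"
)
_NM1 = "NM1*41*2*SUBMITTER CLINIC*****46*SUBMITTER~"
SAMPLE_837 = _ISA + (
    "GS*HC*SUBMITTER*RECEIVER*20060101*1200*1*X*005010X222A1~"
    "ST*837*0001*005010X222A1~"
    "BHT*0019*00*REF1*20060101*1200*CH~"
    + _NM1 +
    "SE*4*0001~"
    "GE*1*1~"
    "IEA*1*000000001~"
)
# Same interchange with one segment dropped but SE01 left at 4: should fail the check.
TRUNCATED_837 = SAMPLE_837.replace(_NM1, "")

if __name__ == "__main__":
    for label, doc in (("intact", SAMPLE_837), ("truncated", TRUNCATED_837)):
        print(label, check_transaction_sets(doc))
```

The delimiter detection matters in practice: trading partners legitimately use terminators other than `~` (a newline is common), and a parser that hard-codes `*` and `~` will either reject valid files or mis-split them. The count check is a cheap envelope-level integrity test; it does not replace transport protection or a message authentication code on the payload.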

The Security Rule
The Final Rule on Security Standards was issued on February 20, 2003. It took effect on April 21, 2003 with a compliance date of April 21, 2005 for most covered entities and April 21, 2006 for "small plans". The Security Rule complements the Privacy Rule. It lays out three types of security safeguards required for compliance: administrative, physical, and technical. For each of these types, the Rule identifies various security standards, and for each standard, it names both required and addressable implementation specifications. Required specifications must be adopted and administered as dictated by the Rule. Addressable specifications are more flexible. Individual covered entities can evaluate their own situation and determine the best way to implement addressable specifications. The standards and specifications are as follows:


Administrative Safeguards - policies and procedures designed to clearly show how the entity will comply with the act
• Covered entities (entities that must comply with HIPAA requirements) must adopt a written set of privacy procedures and designate a privacy officer to be responsible for developing and implementing all required policies and procedures.
• The policies and procedures must reference management oversight and organizational buy-in to compliance with the documented security controls.
• Procedures should clearly identify employees or classes of employees who will have access to protected health information (PHI). Access to PHI in all forms must be restricted to only those employees who have a need for it to complete their job function.
• The procedures must address access authorization, establishment, modification, and termination.
• Entities must show that an appropriate ongoing training program regarding the handling of PHI is provided to employees performing health plan administrative functions.
• Covered entities that out-source some of their business processes to a third party must ensure that their vendors also have a framework in place to comply with HIPAA requirements. Companies typically gain this assurance through clauses in the contracts stating that the vendor will meet the same data protection requirements that apply to the covered entity. Care must be taken to determine if the vendor further out-sources any data handling functions to other vendors and monitor whether appropriate contracts and controls are in place.
• A contingency plan should be in place for responding to emergencies. Covered entities are responsible for backing up their data and having disaster recovery procedures in place. The plan should document data priority and failure analysis, testing activities, and change control procedures.
• Internal audits play a key role in HIPAA compliance by reviewing operations with the goal of identifying potential security violations. Policies and procedures should specifically document the scope, frequency, and procedures of audits. Audits should be both routine and event-based.
• Procedures should document instructions for addressing and responding to security breaches that are identified either during the audit or the normal course of operations.


Physical Safeguards - controlling physical access to protect against inappropriate access to protected data
• Controls must govern the introduction and removal of hardware and software from the network. (When equipment is retired it must be disposed of properly to ensure that PHI is not compromised.)
• Access to equipment containing health information should be carefully controlled and monitored.
• Access to hardware and software must be limited to properly authorized individuals.
• Required access controls consist of facility security plans, maintenance records, and visitor sign-in and escorts.
• Policies are required to address proper workstation use. Workstations should be removed from high traffic areas and monitor screens should not be in direct view of the public.
• If the covered entities utilize contractors or agents, they too must be fully trained on their physical access responsibilities.


Technical Safeguards - controlling access to computer systems and enabling covered entities to protect communications containing PHI transmitted electronically over open networks from being intercepted by anyone other than the intended recipient
• Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized (in the Rule's own vocabulary, transmission encryption is an "addressable" specification, so a covered entity that does not encrypt must document why and what equivalent protection it relies on). If closed systems/networks are utilized, existing access controls are considered sufficient and encryption is optional.
• Each covered entity is responsible for ensuring that the data within its systems has not been changed or erased in an unauthorized manner.
• Data corroboration, including the use of checksums, double-keying, message authentication, and digital signatures, may be used to ensure data integrity. An unkeyed checksum only detects accidental corruption; to detect deliberate alteration by someone who can also rewrite the stored checksum, a keyed message authentication code or a digital signature is needed.
• Covered entities must also authenticate the entities they communicate with. Authentication consists of corroborating that an entity is who it claims to be. Examples of corroboration include: password systems, two- or three-way handshakes, telephone callback, and token systems.
• Covered entities must make documentation of their HIPAA practices available to the government to determine compliance.
• In addition to policies and procedures and access records, information technology documentation should also include a written record of all configuration settings on the components of the network because these components are complex, configurable, and always changing.
• Documented risk analysis and risk management programs are required. Covered entities must carefully consider the risks of their operations as they implement systems to comply with the act. (The requirement of risk analysis and risk management implies that the act's security requirements are a minimum standard and places responsibility on covered entities to take all reasonable precautions necessary to prevent PHI from being used for non-health purposes.)
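The integrity bullet above names checksums and message authentication side by side, and the difference between them is exactly where audits go wrong. The following added example (not code from the page or from any HIPAA guidance) tags a constructed PHI record with a CRC-32 checksum and with an HMAC-SHA256, then shows that an accidental bit flip is caught by both, while a deliberate edit whose author also recomputes the checksum sails through the checksum check and is caught only by the keyed MAC. The record, key and function names are this example's own assumptions.

```python
"""Checksum vs. keyed message authentication for a PHI record."""
import hashlib
import hmac
import zlib
from typing import Dict, Tuple

# Constructed sample record: fictional patient, placeholder codes, not real data.
RECORD = b"MRN=000123|NAME=DOE,JANE|DOB=1970-01-01|DX=E11.9|PAYER=ACME HEALTH"


def checksum_tag(record: bytes) -> str:
    """CRC-32 over the record. Detects accidental corruption only: anyone can recompute it."""
    return f"{zlib.crc32(record) & 0xFFFFFFFF:08x}"


def mac_tag(key: bytes, record: bytes) -> str:
    """HMAC-SHA256 over the record. Detects corruption and deliberate tampering by
    anyone who does not hold the key."""
    return hmac.new(key, record, hashlib.sha256).hexdigest()


def verify_checksum(record: bytes, tag: str) -> bool:
    return checksum_tag(record) == tag


def verify_mac(key: bytes, record: bytes, tag: str) -> bool:
    # compare_digest is constant-time, so the comparison does not leak the tag.
    return hmac.compare_digest(mac_tag(key, record), tag)


def bit_flip(record: bytes) -> bytes:
    """Simulate accidental corruption (disk or link error): flip one bit mid-record."""
    i = len(record) // 2
    return record[:i] + bytes([record[i] ^ 0x01]) + record[i + 1:]


def tamper_and_recompute(record: bytes) -> Tuple[bytes, str]:
    """What an insider with write access does: alter the diagnosis code and overwrite
    the stored (unkeyed) checksum so that a checksum-only audit still passes."""
    forged = record.replace(b"DX=E11.9", b"DX=Z00.0")
    return forged, checksum_tag(forged)


def demo(key: bytes = b"example-key-do-not-use-in-production") -> Dict[str, bool]:
    """Run both controls against accidental corruption and against deliberate forgery."""
    stored_crc = checksum_tag(RECORD)
    stored_mac = mac_tag(key, RECORD)
    forged, forged_crc = tamper_and_recompute(RECORD)
    return {
        "checksum_detects_bit_flip": not verify_checksum(bit_flip(RECORD), stored_crc),
        "mac_detects_bit_flip": not verify_mac(key, bit_flip(RECORD), stored_mac),
        # The attacker replaced the checksum as well, so the check passes (False = missed).
        "checksum_detects_forgery": not verify_checksum(forged, forged_crc),
        # The attacker cannot recompute the HMAC without the key, so the stored MAC fails.
        "mac_detects_forgery": not verify_mac(key, forged, stored_mac),
    }


if __name__ == "__main__":
    for control, caught in demo().items():
        print(f"{control:28s} {'caught' if caught else 'MISSED'}")
```

The MAC only helps if the key is held somewhere the record writer cannot reach (a separate verification service, an HSM, or at least a different credential boundary); a key stored in the same table as the records is just a more expensive checksum. Where the verifier must not be able to forge records either, the same structure applies with a digital signature in place of the HMAC.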


The Enforcement Rule
On February 16, 2006, HHS issued the Final Rule regarding HIPAA enforcement. It became effective on March 16, 2006. The Enforcement Rule sets civil money penalties for violating HIPAA rules and establishes procedures for investigations and hearings for HIPAA violations.


Above article is licensed under the GNU Free Documentation License. It uses material from the Wikipedia article "Health Insurance Portability and Accountability Act".
