
Regulatory Compliance:

What it means to IT

New Executive Directives in US and Abroad


United States Companies hit with legislation
Sarbanes Oxley
Health Insurance Portability & Accountability Act (HIPAA)
Securities and Exchange Commission Rules
Food and Drug Administration Rules
US Commerce Export Approvals
Europe
Basel II Accord (Global Banking regulations)

Changing Landscape of IT
Regulatory compliance demands:
Enhanced business processes
Tighter controls sanctioned by executives
Greater understanding of new and old rules
Accountability throughout the vendor chain
Regulated access to and viewing of sensitive information
Authoritative experts to translate the laws and their impact
Chief Governing Officer
Aggregated into role of CIO
HIPAA Officer

Vendors only ENABLE compliance; processes plus technology achieve it



Sarbanes Oxley: What is it & Why Care


Public Company Accounting Reform and Investor Protection Act of 2002 (Sarbanes-Oxley, SOX)
Passed in response to the Enron, MCI WorldCom and Tyco scandals

Holds CEO and CFO accountable for financial statements and securities
Sections 302, 404 and 409 on monitoring information controls and processes will have
significant impact on IT Projects and Vendors
Impacts ALL Publicly Traded companies and Private ones too!

Fortune 1000 companies spent upwards of $2.5 billion in 2003 to achieve
Sarbanes-Oxley compliance (Ziff Davis)
20% of budget goes to NEW IT initiatives (Gartner)
70% of CIOs will be required to attest to the reliability and integrity of financial IT systems
(Gartner)
For more information:
http://www.aicpa.org/info/sarbanes_oxley_summary.htm
http://news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf

What does it mean to IT?


Section 302: Certification of Financial Reports
CEOs/CFOs face criminal prosecution for inaccurate statements
CIOs need to attest to the integrity of the email, storage and financial systems behind those statements
Section 404: Certification of Internal Controls (BIGGEST IMPACT)
Any change to a Financial System (ERP, CRM, Accounting, Email)
requires new 404 Audit, CIO Attestation and Report
Large (accelerated) filers: fiscal years ending on or after November 15, 2004
(December year-end companies unaffected by the shift)
SMBs, foreign companies and affiliates: fiscal years ending on or after April 15, 2005
Section 409: Material Event Reporting
Real time material event reporting. Not yet finalized.

How does Marimba help?


Policy Based Targeting
Restricts WHO can make WHAT changes to policies, apps, and
equip. that supports Financial Systems
Automated Software Distribution real time

Inventory and Reporting Controls


Restricts report views to avoid SEC violations
Automatically emails reports to achieve process compliance
Accurate inventory controls for depreciation of assets
Software license compliance reporting for calculation of COGS

Patch Management and Support Tools


Implements maintenance and security for Financial Systems
Implements security and integrity checks for data/app sync
Rollback, self healing and more

HIPAA: What is it & Why Care


Health Insurance Portability & Accountability Act
Passed in August 1996; Privacy Rule compliance date April 14, 2003
Transactions and Code Sets compliance mandated by October 16, 2003
OCR Privacy Rule - Updated January 2004 (Health and Human Services)
Impacts: Health Plans, Insurance Orgs, Hospitals, Doctors, Billing
companies, ISVs and any company responsible for
electronically/manually handling patient records, billing or insurance info.
All Companies
Estimated industry cost varies from $1 billion to $17 billion; the true figure is still unknown (Ziff Davis)
50% of Care Delivery Orgs will not be HIPAA compliant by 2005
(Gartner)
For more information:
http://www.hipaa.org/
http://www.hhs.gov/ocr/hipaa/

HIPAA: What does it demand of IT?


Securely managing complex web of
Vendor Applications
Patient Records
Billing/Insurance information
Between:
Doctors
Insurance carriers
Hospitals
Vendors
AND Central Data Center

Why is the Issue even more COMPLEX?


BIGGER problem than we think:
Affiliated clinics do not have on-site IT
Doctors/nurses are forced to act as techs
Puts many automated efficiencies at risk
Lack of standards
Privately owned machines
Doctors are owners, not IT experts, yet they dictate new technology
Many systems are regulated by the FDA
Some older systems don't have an upgrade pathway

Going back to manual will not WORK


Healthcare Industry is burdened with growing costs
Healthcare professionals are in short supply hospitals/clinics
are overcrowded

Keep Doctors focused on Patients NOT Supporting IT Systems

How does Marimba ENABLE Compliance?


Security
Enables SSL encryption of data in transit
Code signing blocks installation on non-approved systems
Role-based administration restricts report viewing and admin functions
Policy-based targeting
Restricts application/record access to approved users/machines
Uninstalls unauthorized software and views
Restricts WHO can target WHAT (data/apps) on WHICH systems
Self Service
Remote control for troubleshooting applications
Self Healing/Rollback - protect integrity of systems storing records

Compliance is a property of the patient information system as a whole, NOT of specific applications!
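Both the Sarbanes-Oxley slide ("restricts WHO can make WHAT changes to the equipment that supports financial systems") and the HIPAA slide ("restricts WHO can target WHAT") describe the same control: a policy decision point in front of every change, with an audit trail a Section 404 or HIPAA reviewer can later verify. The following is an added illustration of that pattern, not Marimba's code; the role policy, host inventory, change-ticket ledger and host names are all hypothetical, and the audit log is a simple SHA-256 hash chain so that after-the-fact edits to a record are detectable.

```python
"""Policy-based change targeting with a tamper-evident audit log.

Added example, not Marimba's product code. All roles, hosts and change IDs
below are hypothetical and exist only to exercise the decision logic.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev-hash of the first audit record

# Hypothetical role policy: role -> {(action, system_class), ...}. Deny by default.
POLICY = {
    "finance-admin": {("deploy", "financial"), ("rollback", "financial")},
    "desktop-admin": {("deploy", "workstation"), ("rollback", "workstation")},
    "auditor": {("view-report", "financial"), ("view-report", "workstation")},
}

# Hypothetical inventory: change target -> system class (financial hosts need 404 controls).
SYSTEM_CLASS = {
    "erp-prod-01": "financial",
    "gl-db-02": "financial",
    "ws-1234": "workstation",
}

# Hypothetical change-control ledger: (target, change_id) pairs that passed review.
APPROVED_CHANGES = {("erp-prod-01", "CHG-2004-017")}


class AuditLog:
    """Append-only decision log; each record's hash covers the previous record's hash."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = dict(record, prev=prev)
        entry = dict(body, hash=self._digest(body))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """True iff every stored hash recomputes and the prev-links are unbroken."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body.get("prev") != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def authorize(log, user, role, action, target, change_id=None, ts=None):
    """Decide whether `user` acting as `role` may perform `action` on `target`.

    Unknown roles, unknown targets and unapproved changes to financial systems
    are refused. Every decision, allow or deny, is written to the audit log.
    """
    system_class = SYSTEM_CLASS.get(target)
    reason = "ok"
    if system_class is None:
        reason = "unknown target"
    elif (action, system_class) not in POLICY.get(role, set()):
        reason = "role not permitted for action on this system class"
    elif (action in ("deploy", "rollback") and system_class == "financial"
          and (target, change_id) not in APPROVED_CHANGES):
        reason = "change to financial system lacks approved change record"
    allowed = reason == "ok"
    log.append({
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "user": user, "role": role, "action": action, "target": target,
        "change_id": change_id, "decision": "allow" if allowed else "deny",
        "reason": reason,
    })
    return allowed


def demo():
    """Run a constructed set of requests; returns (decisions, chain_ok, chain_ok_after_tamper)."""
    log = AuditLog()
    t = "2004-06-01T09:00:00+00:00"  # fixed timestamp keeps the run deterministic
    decisions = [
        authorize(log, "alice", "finance-admin", "deploy", "erp-prod-01", "CHG-2004-017", ts=t),
        authorize(log, "alice", "finance-admin", "deploy", "gl-db-02", "CHG-2004-099", ts=t),  # no approval
        authorize(log, "bob", "desktop-admin", "deploy", "erp-prod-01", "CHG-2004-017", ts=t),  # wrong role
        authorize(log, "bob", "desktop-admin", "deploy", "ws-1234", ts=t),   # workstation, no ticket required
        authorize(log, "carol", "auditor", "view-report", "erp-prod-01", ts=t),
    ]
    intact = log.verify()
    log.entries[1]["decision"] = "allow"  # simulate someone rewriting a denial after the fact
    return decisions, intact, log.verify()


if __name__ == "__main__":
    print(demo())  # ([True, False, False, True, True], True, False)
```

The point for an attestation is the last two values: the log verifies when untouched and fails as soon as one record is edited, which is what lets a CIO state that the change history behind a financial system is complete and unaltered rather than merely present.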



Other Regulations Marimba Enables


Gramm-Leach-Bliley Act (financial services privacy)
NIAP (Common Criteria Evaluation and Validation Scheme)
Needed by COTS products sold into government
Marimba evaluation in progress for version 5.x
Related to the Federal Information Security Management Act of 2002 (FISMA)
Leading the way for regulatory and private-sector security measures
FDA 21 CFR Part 11 (electronic records and electronic signatures for FDA-regulated industries)
Basel II Accord (regulates the global banking industry)
US Commerce export compliance for ISVs
Restrictions on encryption technology shipped outside the US

Key Solution Success Factors for Compliance


Information integrity (secure, defend, deploy)
Tax, health, justice, intelligence, trade secrets, personnel info
Adapts to changing requirements (flexible, expandable, modular)
Evolves with new regulations; allows for implementation over time (modular solutions)
Ease of maintenance, deployment and use
