If you are maintaining customer information, conducting financial transactions electronically, preparing or auditing the financial statements of clients, or even preparing your own financial reports on your internal network, you are likely subject to a variety of data security regulations and standards that have been implemented by governments and industry organizations.
Compliance with these regulations can involve implementing a comprehensive set of security technologies in your organization, as well as developing, adopting and adhering to stringent security policies.
Precisely which technologies and standards must be implemented in an organization is a matter of judgment, but most regulating bodies and industry experts recommend implementing two-factor authentication as a part of demonstrating and maintaining compliance.
Some of the more pertinent standards are below.
The Payment Card Industry Data Security Standard was developed by the major credit card companies as a guideline to help organizations that process card payments prevent credit card fraud, hacking and various other security issues. A company processing card payments must be PCI compliant or they risk exposure to substantial financial losses and losing the ability to process credit card payments.
The PCI reflects the combined interests of VISA, MasterCard, Discover, American Express, and JCB. These five credit card brands have agreed upon a common set of security standards. Prior to this each card brand managed their own set of requirements.
Section 8.3 of PCI DSS specifically identifies the requirement to "implement two-factor authentication for remote access to the network by employees, administrators and third parties."
Title II of the Health Insurance Portability and Accountability Act, the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.
The AS provisions also address the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in the US health care system.
HIPAA §164.312(d) requires that the complying organization must "implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed."
The Sarbanes-Oxley Act of 2002 , commonly called SOX or Sarbox, is a United States federal law passed in response to a number of major corporate and accounting scandals.
With the widespread use of IT systems, any system of internal controls must include Information Technology controls. In the United States, the Sarbanes-Oxley Act makes corporate executives explicitly responsible for establishing, evaluating and monitoring the effectiveness of internal control over financial reporting. For most organizations, the role of IT will be crucial to achieving these objectives.
The Federal Financial Institutions Examination Council is an inter-agency set out to dictate policies, standards, and report forms for the scrutiny of financial institutions by the Board of Governors of the Federal Reserve Board, the Federal Deposit Insurance Corporation, National Credit Union Administration, the Office of the Comptroller of Currency, and the Office of Thrift Supervision.
In a 2005 Guidance entitled Authentication in an Internet Banking Environment , the FFIEC said "the agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties."