The Department of Justice and the Securities and Exchange Commission just released A Resource Guide to the U.S....
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
Foreign Corrupt Practices Act. What is the Foreign Corrupt Practices Act, and how does it affect information security? What controls are necessary, and how does the act map to regulations and standards we comply with now, such as SOX?
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
The Foreign Corrupt Practices Act (FCPA) is a U.S. federal law passed in 1977 that applies to all U.S. individuals and businesses. At its heart, the FCPA has two major provisions. The first is a set of rules that prohibit bribe payments (whether monetary or nonmonetary) from U.S. persons and businesses to foreign officials. The second is a set of accounting rules that require all companies publicly traded in the U.S. to keep a consistent set of records that reflect the business transactions of the organization. These accounting provisions are designed to ensure that companies are not able to hide bribe payments through intentionally sloppy accounting practices.
From an information security perspective, there's not really much to address under the anti-bribery provisions of FCPA, unless you're in the habit of paying bribes related to information security! (If you are, don't do that.) However, the accounting provisions do affect security professionals. Specifically, FCPA requires that businesses implement a set of internal controls that:
- Ensures that transactions are executed with authorization from management;
- Ensures that transactions are recorded in a manner that allows preparation of accurate financial statements and asset tracking;
- Permits access to assets only with management authorization; and
- Performs periodic reconciliations between financial records and assets.
Information security professionals will often be called upon to perform risk assessments and design specific provisions of these controls. Security professionals at publicly traded companies should already be familiar with these practices from Sarbanes-Oxley Act compliance. Internal controls should be applied to all financially significant systems and often include ensuring adequate logging, verification of the proper functioning of access control mechanisms and performing periodic account reviews.
Dig Deeper on Sarbanes-Oxley Act
Related Q&A from Mike Chapple
Encrypting data going to the cloud is a security best practice, but does it add extra challenges for regulators that might need to access the data? ...continue reading
Merchants that sell at off-site venues need to take extra care to follow PCI compliance standards. Expert Mike Chapple discusses how organizations ...continue reading
The FTC's order for PCI DSS compliance assessments is odd since PCI isn't a government regulation. Expert Mike Chapple explains the motivation ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.