The Department of Justice and the Securities and Exchange Commission just released A Resource Guide to the U.S. Foreign Corrupt Practices Act. What is the Foreign Corrupt Practices Act, and how does it affect information security? What controls are necessary, and how does the act map to regulations and standards we comply with now, such as SOX?
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
The Foreign Corrupt Practices Act (FCPA) is a U.S. federal law passed in 1977 that applies to all U.S. individuals and businesses. At its heart, the FCPA has two major provisions. The first is a set of rules that prohibit bribe payments (whether monetary or nonmonetary) from U.S. persons and businesses to foreign officials. The second is a set of accounting rules that require all companies publicly traded in the U.S. to keep a consistent set of records that reflect the business transactions of the organization. These accounting provisions are designed to ensure that companies are not able to hide bribe payments through intentionally sloppy accounting practices.
From an information security perspective, there's not really much to address under the anti-bribery provisions of FCPA, unless you're in the habit of paying bribes related to information security! (If you are, don't do that.) However, the accounting provisions do affect security professionals. Specifically, FCPA requires that businesses implement a set of internal controls that:
- Ensures that transactions are executed with authorization from management;
- Ensures that transactions are recorded in a manner that allows preparation of accurate financial statements and asset tracking;
- Permits access to assets only with management authorization; and
- Performs periodic reconciliations between financial records and assets.
Information security professionals will often be called upon to perform risk assessments and design specific provisions of these controls. Security professionals at publicly traded companies should already be familiar with these practices from Sarbanes-Oxley Act compliance. Internal controls should be applied to all financially significant systems and often include ensuring adequate logging, verification of the proper functioning of access control mechanisms and performing periodic account reviews.
Dig Deeper on Security audit, compliance and standards
Related Q&A from Mike Chapple
It's not possible to eradicate the risk of DoS attacks, but there are steps infosec pros can take to reduce their impact. Mike Chapple shares ... Continue Reading
The HHS OCR ruled that healthcare ransomware attacks are HIPAA violations, so these covered entities need to react according to the HHS's guidance. ... Continue Reading
HIPAA regulations incorporate NIST guidelines and standards, so do healthcare organizations need to be compliant with both? Expert Mike Chapple ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.