Compliance

Casualty Actuarial Society (CAS) ERM

What is the Casualty Actuarial Society ERM Framework (CAS ERM)?

The Casualty Actuarial Society (CAS) is an international credentialing and professional education entity. The organization focuses exclusively on property and casualty risks in insurance, reinsurance, finance, and enterprise risk management.

Background on the CAS ERM Framework

In 2003, the Casualty Actuarial Society (CAS) defined ERM as the discipline by which an organization in any industry assesses, controls, exploits, finances, and monitors risks from all sources for the purpose of increasing the organization's short- and long-term value to its stakeholders. The CAS, Society of Actuaries (SOA), and Canadian Institute of Actuaries (CIA) sponsor a risk management website with ERM education r...

Committee of Sponsoring Organizations (COSO) ERM

What is the Committee of Sponsoring Organizations (COSO) ERM Framework?

The COSO Framework is a system used to establish internal controls to be integrated into business processes. Collectively, these controls provide reasonable assurance that the organization is operating ethically, transparently, and in accordance with established industry standards.

History of the COSO ERM Framework

The committee created the framework in 1992, led by Executive Vice President and General Counsel James Treadway, Jr., along with several private sector organizations, including the following:

American Accounting Association
Financial Executives International
The Institute of Internal Auditors
American Institute of Certified Public Accountants
The Institute of Management Accountants (formerly the Na...

CCPA vs CPRA: What are their differences?

Summary of the CCPA

The California Consumer Privacy Act (CCPA) grants consumers rights related to the collection, use, and sale of their personal data—and prevents businesses from discriminating against them for exercising those rights. Signed into law in June 2018, the regulation comes in response to a multitude of businesses, notably Silicon Valley firms, making headlines for mishandling or exploiting private data. The CCPA focuses on making sure organizations have a business purpose for the personal information they collect, while enabling Californians to readily request, delete, or protect their personal information (PI) collected and governed by a business.

Summary of the CPRA

The California Privacy Rights Act (CPRA) is a new state-wide data priv...

California Privacy Rights Act (CPRA)

What is the California Privacy Rights Act (CPRA)?

The California Privacy Rights Act of 2020 (CPRA), also known as Proposition 24, is a California ballot proposition that was approved by a majority of voters in the general election on November 3, 2020. This proposition expands California's consumer privacy law and builds upon the California Consumer Privacy Act (CCPA) of 2018, which established a foundation for consumer privacy regulations.

CPRA History and Summary

The California Privacy Rights Act (CPRA) is a new state-wide data privacy bill passed into law on November 3, 2020. It underscores California's position as the US frontier in data privacy legislation, as it significantly expands upon the existing Californi...

California Consumer Privacy Act (CCPA)

What is the California Consumer Privacy Act (CCPA)?

The California Consumer Privacy Act (CCPA) grants consumers rights related to the collection, use, and sale of their personal data—and prevents businesses from discriminating against them for exercising those rights. Signed into law in June 2018, the regulation comes in response to a multitude of businesses, notably Silicon Valley firms, making headlines for mishandling or exploiting private data. The CCPA focuses on making sure organizations have a business purpose for the personal information they collect, while enabling Californians to readily request, delete, or protect their personal information (PI) collected and governed by a business.

Who Must Comply with the California Consumer Privacy Act?

Organi...

NIST Risk Management Framework (NIST RMF)

What is the NIST Risk Management Framework (NIST RMF)?

The NIST Risk Management Framework (RMF) provides a comprehensive, flexible, repeatable, and measurable 7-step process that any organization can use to manage information security and privacy risk for organizations and systems. It links to a suite of NIST standards and guidelines that support the implementation of risk management programs to meet the requirements of the Federal Information Security Modernization Act (FISMA).

What are the NIST RMF Steps?

Overview of the RMF seven-step process:

Prepare - Essential activities to prepare the organization to manage security and privacy risks
Categorize - Categorize the system and information processed, stored, and transmitted based on ...

Systems and Organizations Controls 2 (SOC 2)

What is Systems and Organizations Controls 2 (SOC 2)?

SOC 2 is a voluntary compliance standard for service organizations, developed by the American Institute of CPAs (AICPA), which specifies how organizations should manage customer data. SOC 2 is not a prescriptive list of controls, tools, or processes. Rather, it cites the criteria required to maintain robust information security, allowing each company to adopt the practices and processes relevant to its own objectives and operations.

What are the Trust Services Principles of SOC 2?

SOC 2 certification is issued by outside auditors. They assess the extent to which a vendor complies with one or more of the five trust principles based on the systems and processes in place. The five trust services criteria are detailed belo...

Children’s Online Privacy Protection Rule (COPPA)

What is the Children's Online Privacy Protection Rule (COPPA)?

The Children's Online Privacy Protection Act (COPPA) is a U.S. federal law designed to impose certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.

COPPA Compliance

In December 2012, the Federal Trade Commission issued revisions effective July 1, 2013, which created additional parental notice and consent requirements, amended definitions, and added other obligations for organizations that (1) operate a website or online service that is "directed to children" under 13 and that collects "pers...

International Traffic in Arms Regulations (ITAR)

What is the International Traffic in Arms Regulations (ITAR)?

International Traffic in Arms Regulations (ITAR) is a United States regulatory regime that restricts and controls the export of defense and military-related technologies to safeguard U.S. national security and further U.S. foreign policy objectives. ITAR controls the manufacture, sale, and distribution of defense and space-related articles and services as defined in the United States Munitions List (USML). Besides rocket launchers, torpedoes, and other military hardware, the list also restricts the plans, diagrams, photos, and other documentation used to build ITAR-controlled military gear. This is referred to by ITAR as “technical ...

The Family Educational Rights and Privacy Act of 1974 (FERPA)

What is The Family Educational Rights and Privacy Act of 1974 (FERPA)?

The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.

Who is protected under FERPA?

Students who are currently enrolled in higher education institutions, or were formerly enrolled, are protected under FERPA regardless of their age or their status in regard to parental dependency. Parents of students termed "dependent" for income tax purposes may have access to the student's educational records. Deceased students have rights under FERPA as long as they were formerly enrolled. Students who have applied but have not attended an institution...