This site provides a wide range of information and advice around IT-related regulatory compliance in the US, and you can browse our comprehensive compliance bookshop.
From an IT perspective, governance and regulatory compliance today is primarily about controls on processing, data protection, information security and the organization's general control environment.
A best-practice information security framework will support the co-ordination of compliance strategy across multiple channels and guide control responses to multiple threats to all sorts of information assets. While it is clear that no individual information security product is capable of making any user organization 'compliant', those products and services that reflect best-practice guidance will help organizations position themselves most effectively to deal with current and emerging regulatory requirements.
Compliance with Basel 2 means that financial entities must deal with Operational Risk. The Basel Handbook (2nd edition) provides advice on every possible consequence of the Basel Accord, and Credit Risk Models shows how to keep model performance in line with the requirements of the Basel Accords.
Regulatory and commercial penalties for failing to secure information and information assets can be severe and value-destroying. With the exception of the detailed requirements of the PCI standard (see PCI Books & Tools), however, regulatory guidance on compliance requirements is still very limited.
The emergence of the US Sarbanes-Oxley Act in 2002 brought statutory pressure to bear on US-listed organizations to demonstrate corporate governance compliance. These requirements have had significant impacts on the internal control and risk management approaches of listed companies, and SOX Section 404 Compliance Tips and How to Comply with SOX Section 404 (3rd edition) provide up-to-date guidance that can help organizations improve the effectiveness of their compliance regimes. The Section 404 Implementation Toolkit can also save organizations many millions of implementation dollars.
Regulations overview (table columns: Regulations | Who Needs to Comply | Security Areas Covered | Compliance Requirements)

Creating, storing & transmitting electronic protected health information

Sarbanes-Oxley (SOX) & accounting standards (COSO, COBIT, SAS): defined to secure the public against corporate fraud & misrepresentation

PCI DSS (also covered by breach laws): varies by size of merchant; requires best practices plus 3rd-party quarterly risk assessments

GLBA (Federal Law 106-102), FDIC/FFIEC guidelines, FACT, U.S. Patriot Act (2001): Financial Services Act (privacy of personal information); safety of Internet-based products & services; Fair and Accurate Credit Transactions; anti-terrorism. Requirements: "best practices" security; two-factor authentication; ensure accuracy & safety; identity verification
ISO 27002 (formerly ISO 17799), ITIL and CobiT are all potentially part of a best-practice approach to regulatory and corporate governance compliance. The challenge for many organizations is to establish a co-ordinated, integrated framework that draws on all three of these standards. The solution is to adopt a best-practice approach, such as that set out in the internationally recognized information security standard ISO/IEC 27001:2005. This standard maps to the IT-related regulations and provides completely independent, structured guidance for a risk-based approach to securing the confidentiality, integrity and availability of corporate information. It also provides the general control environment within which the specific controls of an internal control structure can operate most effectively. The ISO 27001 Documentation Toolkit provides essential support to organizations implementing the standard.
© 2008 IT Governance Ltd.