Organizations face an ever-increasing list of statutory, regulatory, contractual, and legal compliance obligations.
Learn more about regulatory compliance and which regulations may affect your organization.
Common compliance requirements
In today’s complex regulatory environment, organizations must:
- Grapple with the complexities, costs, and overlaps of governance requirements
- Comply with a wide range of information-related regulation, such as:
- Deal with an increasing exposure to rapidly mutating, sophisticated threats to information and information assets, which exploit a diversity of technical vulnerabilities in IT systems as well as loopholes in procedures and employee behavior
Common regulations
The table below lists the most common regulations that organizations have to comply with, who they apply to, the security areas they cover, and what they require:

| Regulation | Who needs to comply | Security areas covered | Compliance requirements |
|---|---|---|---|
| HIPAA (Health Insurance Portability and Accountability Act) | US healthcare organizations and their business associates | Creating, storing and transmitting electronic protected health information (ePHI) | All major best-practice security areas |
| SOX (Sarbanes-Oxley Act) and related accounting and control standards (COSO, COBIT®, SAS) | US public companies | Integrity of financial reporting; enacted to protect the public against corporate fraud and misrepresentation | All major best-practice security areas, applied to the IT general controls that support financial reporting |
| PCI DSS (Payment Card Industry Data Security Standard) | Merchants that accept payment cards, and service providers that store, process or transmit cardholder data on their behalf | Protection of cardholder data | The standard's 12 requirements apply to every in-scope organization; how compliance is validated (self-assessment questionnaire or on-site assessment by a Qualified Security Assessor) depends on annual transaction volume |
| GLBA (Gramm-Leach-Bliley Act, Public Law 106-102), FDIC/FFIEC guidelines, FACT Act, USA PATRIOT Act (2001) | US financial institutions | Privacy of personal financial information, safety of Internet-based products and services, fair and accurate credit transactions, anti-terrorism and anti-money-laundering | Best-practice security, 2FA (two-factor authentication) for Internet banking, accuracy and safeguarding of customer data, customer identity verification |
| Breach notification laws in all US states | Any company storing, accessing or sharing personal information of the state's residents | Consumer privacy | All major best-practice security areas, plus notification of affected individuals (and, in many states, regulators) after a breach |
| EU GDPR (General Data Protection Regulation) | Any organization processing personal data of people in the EU, wherever the organization is located | Personal data | All major best-practice security areas |
| FISMA (Federal Information Security Management Act) | US federal agencies and the contractors that operate systems for them | Information and IT systems | NIST's RMF (Risk Management Framework, SP 800-37): originally six steps, now seven since Revision 2 added the Prepare step |
| CCPA (California Consumer Privacy Act) | For-profit businesses doing business in California that process California residents' personal information and meet the law's revenue or data-volume thresholds | Personal data | All major best-practice security areas |
Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law enacted in 1996. It aims to make it easier for people to keep their health insurance when they change jobs, to protect the confidentiality, integrity and availability of health care information (the Privacy and Security Rules), and to help the health care industry control its administrative costs.
Learn more about HIPAA >>
The Sarbanes Oxley Act (SOX)
Enacted in 2002, the Sarbanes-Oxley Act (SOX) requires US public companies to demonstrate corporate governance compliance. SOX requires management to certify the company’s financial reports, and both management and an independent auditor must attest to the effectiveness of the organization’s internal controls over financial reporting. Because those reports are produced by IT systems, the IT general controls around them (access control, change management and operations) fall directly within scope.
Find out more about the Sarbanes-Oxley Act >>
The Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS) was devised by the major card brands to increase security around card transactions. Recognised worldwide, compliance with the standard is mandatory for organisations that accept cards, enforced contractually by the card brands and acquiring banks rather than by statute. Its 12 requirements are grouped into six goals: build and maintain a secure network and systems, protect cardholder data, maintain a vulnerability management programme, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy.
Find out more information on our bespoke PCI DSS page >>
US breach laws by State
Personal information in the United States is protected by a patchwork of industry-specific federal laws and state legislation whose scope and jurisdiction vary. Every US state now has a breach notification law, but the definition of personal information, the notification deadline and whether regulators must be informed differ from state to state. Our Data Breach Notification Laws by State page provides more information on individual state obligations.
Find out more >>
The EU General Data Protection Regulation (GDPR)
The GDPR replaces the 1995 Data Protection Directive and the national laws that implemented it, bringing uniformity by introducing one directly applicable data protection law across the EU. The GDPR applies to any organization processing or storing the personal data of people in the EU, irrespective of the organization’s location or where the data is processed.
Find out more about the key elements of the EU GDPR >>
Federal Information Security Management Act of 2002 (FISMA)
The Federal Information Security Management Act (FISMA) is a United States federal law that was enacted as Title III of the E-Government Act of 2002 (and updated by the Federal Information Security Modernization Act of 2014). It requires federal agencies to implement information security programs to ensure the confidentiality, integrity, and availability of their information and IT systems, including those provided or managed by other agencies or contractors. Agencies meet the requirement by applying NIST standards and guidance, principally FIPS 199 and 200 and the SP 800-53 security controls.
Learn more about FISMA implementation and compliance >>
The California Consumer Privacy Act (CCPA)
The CCPA (California Consumer Privacy Act) is a data privacy law that came into effect on January 1, 2020 in the State of California.
It applies to for-profit businesses that collect California residents’ personal information and meet its revenue or data-volume thresholds, and its privacy requirements (rights of access, deletion and opting out of the sale of personal information) are similar to those of the EU’s GDPR (General Data Protection Regulation).
Find out more about the CCPA >>
Speak to an expert
Whatever the nature or size of your problem, we are here to help. Get in touch today using one of the contact methods below.