This website uses cookies. View our cookie policy
Select regional store:

IT Regulatory Compliance

From an IT perspective, governance and regulatory compliance today is primarily about controls on processing, data protection, information security and the organization's general control environment.

On this page you will find a wide range of information and advice about IT-related regulatory compliance in the US.

On this page:

The Basel Accords
SOX (Sarbanes–Oxley)
Best-practice Approaches
Compliance Requirements

The Basel Accords

The Basel Accords (Basel I, Basel II, and Basel III) are a series of banking supervision accords agreed by the representatives of the 27 countries that make up the Basel Committee on Banking Supervisions (BCBS).

Developed in response to the global financial crisis of 2008 and its aftermath, they have been adopted by over 100 countries, either directly or through local adaptions, and aim to regulate the levels of capital that financial institutions need to maintain.

For full information, visit our Basel Accords page >>


The Payment Card Industry Data Security Standard (usually shortened to PCI DSS) is a collection of 12 requirements set out by the PCI Security Standards Council (PCI SSC).

The purpose of this standard is to ensure the security of cardholders’ payment card information and reduce levels of fraud and identity theft.

ALL organizations that store, transmit or process cardholder data must ensure they are complying with PCI DSS in its entirety or face non-compliance fines from their payment brand (e.g. AmEx, Visa, MasterCard, Discover, etc.), or data breach fines.

Merchants are banded into four categories based on the volume of transactions they process each year, with each band being required to meet specific requirements.

Full information, visit our PCI DSS page >>

SOX (Sarbanes–Oxley)

The emergence of the Sarbanes–Oxley Act in 2002 brought statutory pressure to bear on US-listed organizations to demonstrate corporate governance compliance. These requirements have had significant impacts on the internal control and risk management approaches of listed companies.

Under SOX, management is required to register the company’s financial reports and both management and an independent accountant are required to register the organization’s internal controls.

In almost every organization, financial reporting depends on the IT infrastructure, whether it is for the rendering of an invoice, the effective operation of an ERP system, or an integrated, organization-wide management information and control system.

For full information, visit our Sarbanes–Oxley page >>

Best-practice Approaches

ISO27002, ITIL, and COBIT are all potentially part of a best-practice approach to regulatory and corporate governance compliance. The challenge for many organizations is to establish a coordinated, integrated framework that draws on all three of these standards. The solution is to adopt a best-practice approach, such as that set out in the internationally recognized information security standard ISO/IEC 27001:2013.

This standard links to all of the IT-related regulations and provides completely independent, structured guidance for a risk-based approach to securing the confidentiality, availability, and integrity of corporate information. It also provides the general control environment within which the specific controls can most effectively operate.

The ISO27001 Documentation Toolkit provides essential support to organizations implementing the standard.

Compliance Requirements

There are a number of regulations that affect your business. The table below presents a quick reference guide to which ones affect you, what security areas need to be covered and what compliance requirements you need.

Regulations Who needs to comply Security areas covered Compliance requirements
HIPAA US healthcare organizations & partners Creating, storing, and transmitting electronic protected health information All major "best-practice security" Areas
Sarbanes–Oxley (SOX) and Accounting Standards COSO, COBIT, SAS US public companies Defined to secure the public against corporate fraud and misrepresentation All major "best-practice security" Areas
PCI DSS (also covered by breach laws) An entity that transmits, stores, processes, or controls credit card data Privacy of customer financial data Varies by size of merchant. Requires best practices plus third party quarterly risk assessments
GLBA—Federal Law 106–102 FDIC/FFIEC Guidelines FACT US PATRIOTAct (2001) US financial institutions
  • Financial Services Act – Privacy of personal information
  • Safety of Internet-based products and services
  • Fair and accurate credit transactions
  • Anti-Terrorism
  • "Best-practice security"
  • Two-factor authentication
  • Ensure accuracy
  • Safety identity verification
Data breach notification laws in 47 US States Relevant companies storing and/or accessing private consumer data in relevant US states Consumer Privacy – Security Breach Acts All Major "best-practice security" areas
General EU Data Protection Regulation All organizations that hold EU citizens' personal data Personal data All major "best-practice security" areas
Federal Information Security Management Act of 2002 (FISMA) US Federal agencies Information and IT systems NIST has developed its six-step Risk Management Framework (RMF) to enable agencies to achieve compliance