Governance and Regulatory Compliance
This site provides a wide range of information and advice around IT-related regulatory compliance, and you can browse our comprehensive compliance bookshop.
The 'IT Governance triptych' of regulatory pocket guides is packed with useful information.
The Unified Compliance Framework provides a single, comprehensive framework for compliance with multiple laws & regulations - internationally!
IT Governance: Guidelines for Directors provides advice for boards and senior managers on how to approach compliance issues.
From an IT perspective, governance and regulatory compliance today is primarily about data protection, information security and the organization's general control environment.
Data Governance
This is an increasingly important compliance area for organizations - data governance covers Data Protection Act compliance, privacy regulations, information governance and so on.
Best-Practice Compliance Guidance
A best-practice information security framework will support the co-ordination of compliance strategy across multiple channels and guide control responses to multiple threats to all sorts of information assets. While it is clear that no individual information security product is capable of making any user organization 'compliant', those products and services that reflect best-practice guidance will help organizations position themselves most effectively to deal with current and emerging regulatory requirements.
If you would like a copy of our Compliance White Paper: Leveraging Best Practice Frameworks to Simplify Regulatory Compliance, (here is a compliance webinar on the same subject) please give us the details below and we will email you a download link.
Operational Risk and Basel 2
Compliance with Basel 2 means that financial entities must implement appropriate operational risk frameworks. The Basel Handbook (2nd edition) provides advice on every possible consequence of the Basel Accord, and Credit Risk Models shows how to keep model performance in line with the requirements of the Basel Accords.
- grapple with the complexities, costs and overlaps of governance requirements (Combined Code, Turnbull, Sarbanes Oxley, Basel 2, etc)
- comply with a wide range of information-related regulation, from the Data Protection Act to GLBA, HIPAA, PIPEDA and the Computer Misuse Act
- deal with an increasing exposure to rapidly mutating, sophisticated threats to their information and information assets. These threats exploit a diversity of technical vulnerabilities in IT systems as well as loopholes in procedures and the behavioural characteristics of employees.
Regulatory and commercial penalties for failing to secure information and information assets can be severe and value-destroying; with the exception of the detailed requirements of the PCI standard, regulatory guidance on compliance requirements is, however, still very limited.
Sarbanes Oxley
The emergence of the US Sarbanes Oxley Act in 2002 brought statutory pressure to bear on US-listed organizations to demonstrate corporate governance compliance. These requirements have had significant impacts on the internal control and risk management approaches of listed companies, and compliance with Section 404 and preparation for the new auditing rules have all been major tasks for many US companies. That challenge is now passing to non-US headquartered companies that nevertheless have US listings. Every organization dealing with Sarbanes Oxley needs Practical Implementation Guidance. SEC Regulation Outside the United States is the authoritative guide for non-US companies trading in the US. Most usefully, the Section 404 Implementation Toolkit can save many organizations many millions in implementation dollars.
Some Compliance Requirements
| Regulations | Who Needs to Comply | Security Areas Covered | Compliance Requirements |
|---|---|---|---|
| HIPAA | US healthcare organizations and partners | Creating, storing and transmitting electronic protected health information | All major "best practice security" areas |
| Sarbanes Oxley (SOX) and accounting standards (COSO, COBIT, SAS) | US public companies | Defined to secure the public against corporate fraud and misrepresentation | All major "best practice security" areas |
| PCI DSS | Merchants who take credit cards | Privacy of customer financial data | Varies by size of merchant; requires best practices plus third-party quarterly risk assessments |
| GLBA (Federal Law 106-102), FDIC/FFIEC guidelines, FACT, US Patriot Act (2001) | US financial institutions | Financial Services Act: privacy of personal information; safety of internet-based products and services; fair and accurate credit transactions; anti-terrorism | "Best practices" security; two-factor authentication; ensure accuracy and safety; identity verification |
| Breach laws in 31 US states, including California SB 1386 | Any company storing or accessing private consumer data | Consumer privacy and security breach acts | All major "best practices security" areas |
| EU Data Protection Act and privacy regulations | Any EU organization holding personal data | Personal data | All major best practice areas |
Best-practice approaches
ISO 17799, ITIL and CobiT are all potentially part of a best-practice approach to regulatory and corporate governance compliance. The challenge for many organizations is to establish a co-ordinated, integrated framework that draws on all three of these standards. The recently released Joint Framework, put together by the ITGI (owners of CobiT) and the OGC (owners of ITIL) is a significant step in the right direction.
The solution is to adopt a best-practice approach, such as that set out in the internationally recognized information security standard, ISO/IEC 27001:2005. This standard links to all the IT-related regulations and provides completely independent structured guidance for a risk-based approach to securing the confidentiality, availability and integrity of corporate information. It also provides the general control environment within which the specific controls of an internal control structure can most effectively operate. The ISO 27001 Documentation Toolkit provides essential support to organizations implementing the standard.