IT compliance management is a relatively new discipline. It grew out of the large-scale financial irregularities uncovered at major corporations in the early 2000s. Compliance can be defined as "conforming to regulatory guidelines or specifications, or being in the process of conforming to them". It encompasses every action an organization must take to ensure that it operates within industry standards and government regulations.
Compliance is a crucial business activity, mainly because the number of regulations keeps growing and every business has to be vigilant about meeting them. Some of the major regulations and standards with which an organization may need to be compliant are listed below.
Sarbanes-Oxley Act of 2002
This act was passed to protect the public from accounting errors and fraudulent financial reporting, and it came about as a direct result of the high-profile Enron and WorldCom scandals. Its relevance to IT lies in the requirement (Section 404) that management and external auditors attest to the effectiveness of internal controls over financial reporting, which in practice means that the IT systems producing the financial data, and the access controls and change controls around them, must themselves be controlled and auditable. The frauds it responded to ruined many people, and although the act meant more red tape in doing business, it was widely welcomed by the public at large.
CAN-SPAM Act of 2003
The CAN-SPAM Act of 2003 was enacted to give recipients a way to opt out of unsolicited commercial email sent by businesses. It requires a business to identify commercial email as advertising, to use accurate header information and a legitimate return address, and to give the recipient a clear means of opting out of further messages. An opt-out request has to be honored within 10 business days.
HIPAA (Health Insurance Portability and Accountability Act) of 1996
This act mandated standardized formats for electronic health care transactions and, through its Privacy and Security Rules, set out the safeguards required to protect the privacy and confidentiality of patient information, including electronic protected health information. Hospitals, nursing homes, other medical care facilities, doctors and their business associates are barred from disclosing patient information without proper authorization from the patient, except for the uses the rules expressly permit, such as treatment, payment and health care operations.
Dodd-Frank Act of 2010
The aim of this act is to subject banks and other financial institutions to regulations that ensure transparency and accountability in order to protect customers. It strengthened federal oversight rather than reducing it, creating new bodies such as the Consumer Financial Protection Bureau and imposing additional reporting and record-keeping obligations with which the institutions' systems must comply.
PCI DSS (Payment Card Industry Data Security Standard) of 2004
This is a set of security requirements created by the major card brands (Visa, MasterCard, Discover, American Express and JCB), first published in December 2004 and now maintained by the PCI Security Standards Council. It applies to any organization that stores, processes or transmits cardholder data, whether the transaction is made over the internet or at a point of sale, and is intended to ensure that credit, debit and prepaid card transactions are handled securely. It protects customers from fraud and financial loss due to criminal activity when they pay by card.
FISMA (Federal Information Security Management Act) of 2002
The Federal Information Security Management Act became law in 2002. It requires every federal agency to develop, document and implement an agency-wide information security program, to conduct annual reviews and independent evaluations of that program, and to keep the risks to its information and systems at a level the agency has determined to be acceptable, using the standards and guidelines issued by NIST.
Although these are the major acts and regulations in the US, the list is not exhaustive. Other countries have similar legislation, and although the details differ, in essence they all mandate the same things: customer protection, fraud prevention and transparency in business practices. IT compliance management may be cumbersome and requires highly specialized staff, but it is the price to be paid in the light of all the scandals that have taken place.