Compliance in business: Laws and regulations IT departments should be aware of

In a business sense, compliance refers to a company’s efforts to obey all of the laws and regulations that govern how they can manage the business, their staff, and their treatment to their customers. The concept of compliance is to make sure that companies act responsibly and are held accountable for those actions.

This doesn’t just deal with ethical business practices or providing adequate customer service -- these regulations are put in place to safeguard sensitive data, both of the business and the customer. So why is this so important? The most obvious and valuable outcome of compliance is that it decreases your risk of fines, penalties, work stoppages, lawsuits or a shutdown of your business. It also helps to secure sensitive data, which is probably the most important aspect if your business.

There are many laws and regulations IT departments need to be aware of in regards to compliance. What follows is a list of the most noteworthy to ensure your business follows:

• The Sarbanes-Oxley Act of 2002 (SOX). Section 404 of SOX requires public companies annual reports to include the company's own assessment of internal control over financial reporting, and its attestation by independent auditor. The above-mentioned assessment has been extended into the IT sphere by the opinion of the Public Company Accounting Oversight Board (PCAOB), corporation created by SOX to oversee the auditors of public companies
• The Financial Services Modernization Act of 1999 (also known as Gramm-Leach-Bliley Act -- GLBA) protects the privacy and security of individually identifiable financial information collected, stored, and processed by financial institutions. This set of recommendations for audit was produced by the Federal Financial Institutions Examination Council (FFIEC), an interagency group that includes five of the eight major financial regulatory agencies.
• Health Insurance Portability and Accountability Act (HIPAA) focuses on the healthcare industry, but other companies can be impacted however, if they engage in related activities or if they provide services to companies that are directly affected by the regulation.
• European Union Data Protection Directive (EUDPD)refers to the protection of data privacy for citizens throughout the European Union. It has a strong influence on international regulations, since it puts strict limitations on sending EU citizens' personal information outside of the European Union to areas that are considered to have less than adequate standards for data security.
• Bank Secrecy Act (BSA) requires banks and other financial institutions to report certain transactions to government agencies to help eliminate money laundering, tax evasion, or other criminal activities.
• Payment Card Industry (PCI) Data Security Standard is used as a framework for the Cardholder Information Security Program (CISP), which is intended to protect cardholder data from exposure and compromise across the entire payment industry. Its goal is to ensure that members, merchants, and service providers maintain the highest information security standard.
• California Senate Bill 1386 puts into practice robust disclosure requirements for businesses and government agencies that experience security breaches that might imperil the personal information of California residents. The bill was the first attempt to address the problem of identity theft on the state level.
• International Convergence of Capital Measurement and Capital Standards -- A Revised Framework (also known as Basel II) introduces recommendations by bank supervisors and central bankers from the assemblage of countries, which are the members of the Basel Committee on Banking Supervision for revising the international standards for measuring regulatory capital the adequacy of a bank's capital.

There is also another set of rules arisen for the IT industry from the service providers’ perspective -- the Defense Federal Acquisition Regulation Supplement (DFARS), used by Department of Defense (DoD). Special attention should be paid to the DFARS-252.204-7012 clause, issued by DoD in November 2013, which contains rules and requirements regarding utilizing and safeguarding Unclassified Controlled Technical Information (UCTI) that is vital to national security.

According to its requirements the following specific areas must be protected:

• The adequate safeguarding of UCTI on or transiting through contractor unclassified information systems
• Reporting to the DoD and investigating any cyber incidents that affect UCTI

A widely known fact is that the success of your business pretty much depends on its public image. And accordance to this set of required compliance standards, laws and regulations will help you to build positive reputation and also to improve consumer loyalty, since customers are more likely going to return to a product or service from a company they identify as trustworthy.

Photo Credit: khz/Shutterstock

Michael Starostin, Chief Technology Officer and a founder of PlexHosted, has held engineering and strategy positions in the Internet infrastructure solutions industry since 2008. PlexHosted, founded in 2010, is a cloud based hosting company that specializes in managed SharePoint site deployments and associated infrastructure applications.