IT Compliance and Guidelines

Compliance consists of a framework of rules, regulations, and practices that need to be followed. There can be corporate compliance that is enforced through technology, however, many compliance guidelines enforced by IT are regulatory.

What is Regulatory Compliance?

While you may get in trouble at work by not adhering to corporate compliance policies, regulatory compliance is often heavily enforced. Should a company fail to adhere to regulatory compliance as it applies to their business or industry, they could be subject to legal punishment including federal fines.  Regulatory compliance is an organization’s adherence to laws, regulations, guidelines, and specifications relevant to its business processes.

Why is Regulatory Compliance Important?

Strategies and processes revolving around regulatory compliance provide guidance for companies trying to attain their business goals. These strategies and processes not only work to help the company reach their goals, but also to provide protection for predatory practices that have happened or could happen.  When organizations are transparent about compliance processes it builds trust with their target audience and clients, often resulting in improving profitability.

Some regulatory bodies are specifically designed to ensure the protection of data. From financial data to health data, poor cybersecurity practices could result in a data breach. Regulatory compliance offers the guidance many companies may need to avoid a breach.

Who is Responsible for Following Regulatory Compliance Policies?

Companies generally know when their industry or business falls under a regulatory umbrella. For example, businesses that accept credit cards on site without the use of third-party software must adhere to PCI compliance practices. Let’s take a look at some other examples of regulatory compliance and the industries they pertain to.

  • HIPAA – Health Insurance Portability and Accountability Act
    • Established in 1996
    • Pertains to anyone who transmits or holds individually identifiable health information whether it’s electronic, paper, or oral
    • Designed to hold businesses accountable for data such as: Name, address, phone number, SSN, Medical records, financial info, full-facial photos
    • HIPAA is regulated by the Department of Health and Human Services and is enforced by the Office for Civil Rights (OCR)
  • SOX – Sarbanes – Oxley Act
    • Established in 2002
    • SOX compliance standards must be met by all publicly traded companies in the U.S. as well as wholly owned subsidiaries and foreign companies that are publicly traded and do business in the U.S. Sox also regulates accounting firms that audit SOX regulated companies.
    • Designed to help protect investors from fraudulent corporate financial reporting in response to multiple corporate financial scandals.
    • SOX is regulated and enforced by the Securities and Exchange Commission (SEC)
  • DFARS – Defense Federal Acquisition Regulation Supplement
    • Published as a Federal Acquisition Regulations (FAR) supplement in 2015 to maintain cybersecurity standards according to requirements of NIST SP 800-171
    • DFARS compliance standards must be met by all contractors that deal with CUI (Controlled Unclassified Information). This regulation applies to all DOD contractors.
    • DFARS is regulated and enforced by the Department of Defense (DOD) and will be replaced by the CMMC Standards.
  • CMMC – Cybersecurity Model Certification
    • Launched in 2019 and updated to CMMC 2.0 in 2021
    • CMMC compliance standards must be met by any individual in the DOD supply chain, including contractors who interact exclusively with the DOD and all subcontractors.
    • Designed to reinforce cooperation between the DOD and private industry when addressing cyber threats.
  • ISO-27001 – International Standardization Organization (International Standard)
    • Established in 2005 and revised in 2013
    • ISO 27001 is a framework that helps organizations establish, implement, operate, monitor, review, maintain and continually improve an information security management system (ISMS). This certification applies to any organization that wishes or is required to formalize and improve business processes around information security, privacy and securing its information assets. Generally used by companies that need to prove to their client base their organization can be trusted.
    • ISO 27001 is not regulated and is intended to help companies comply with industry or legal regulations.
  • NIST – National Institute of Standards and Technology
    • The National Institute of Standards and Technology was founded in 1901 and folded into the Department of Commerce in 1903.
    • NIST compliance standards must be met by anyone who processes, stores, or transmits potentially sensitive information for the Department of Defense, General Services Administration, NASA, and other government agencies or state agencies.
    • NIST is not regulated. Many of its cybersecurity efforts and publications were created in response to various laws and regulations from other agencies, departments and branches of the U.S. Government.
  • COBIT 5 – Control Objectives for Information and Related Technology
    • COBIT 5 was established in 2012 and updated in 2019.
    • COBIT compliance standards are used by both government and private sector organizations to help increase the sensibility of IT processes.
    • COBIT is not regulated, however, it does ensure that IT is regulated and handled holistically for the entire organization by encompassing all business and IT functional areas of responsibility.


How do Organizations Ensure Regulatory Compliance?

When a company falls under regulatory compliance, their job is to analyze the requirements and/or mandates that are specific to their industry. Once these targets have been identified they then must develop processes to meet those requirements. These processes lead to instructions for everyone in the company and should be well documented for use in regulatory audits. Once the processes are in place and the employees have been trained, it is then imperative to monitor the success. Employees should be retrained in areas in which they are not meeting standards. Finally, the compliance requirements themselves should be regularly checked upon to ensure the organization remains in compliance as regulatory requirements change or evolve.

Regulatory Compliance and Your Business

Most of the regulatory compliance and frameworks mentioned above require auditing. Auditors will comb an environment to discern any deficiency or non-compliance. Once the audit has been finished it is then the responsibility of the company to determine how to remediate and become compliant before engaging in a follow-up audit.

Customers of ERGOS now have access to our compliance department. Currently this service is not stand-alone and requires a managed service contract. Remediation services can be one time or can be added onto services as a yearly agreement. The yearly agreement includes monthly hours to perform remediation tasks as well as review of internal policies, creation of training materials, and technology documentation.

Contact ERGOS today to discuss your current IT infrastructure and compliance needs.