IT Compliance

Organisations face an ever increasing list of statutory, regulatory, contractual and legal compliance obligations.

Compliance issues should concern the board, not just the IT department, and include issues of Data Governance, the Data Protection Act, Operational Risk, Information Security, Best Practice and Basel II/III.

In today’s complex regulatory environment, organisations must:

• Grapple with the complexities, costs and overlaps of governance requirements (Combined Code, Turnbull, Sarbanes Oxley, Basel II, etc.);
• Comply with a wide range of information-related regulation, from the Data Protection Act to GLBA, HIPAA, PIPEDA and the Computer Misuse Act; and
• Deal with an increasing exposure to rapidly mutating, sophisticated threats to their information and information assets, which exploit a diversity of technical vulnerabilities in IT systems as well as loopholes in procedures and the behavioural characteristics of employees.

The table below lists the most common compliance regulations that organisations have to comply with, what security areas they cover and the compliance requirements:

Data Governance is primarily concerned with the Data Protection Act and privacy regulations. All organisations in the UK which store, transmit or process personal data must be DPA compliant. If you suffer a data breach and are not DPA compliant the Information Commissioner’s Office can levy fines of up to £500,000.

Find out more information on our bespoke DPA compliance page.

The Payment Card Industry Data Security Standard (PCI DSS) has been devised to increase security around card transactions. Acknowledged the world over, compliance to the PCI Standard is mandatory for card-accepting organisations. The standard requires merchants to demonstrate a secure IT network that protects card holder data, maintain a vulnerability management programme, implement access control measures and regularly test their networks.

Find out more information on our bespoke PCI DSS page.

ISO 27001 and ITIL^® are all potentially part of a best-practice approach to regulatory and corporate governance compliance.

The challenge for many organisations is to establish a coordinated, integrated framework that draws on all three of these standards.

ISO 27001, the international standard for an information security management system (ISMS), also sets out a best practice approach. This standard links to all the IT-related regulations and provides completely independent structured guidance for a risk-based approach to securing the confidentiality, availability and integrity of corporate information. It also provides the general control environment within which the specific controls of an internal control structure can most effectively operate.

Find out more about ISO27001 and how it can help with compliance.

From 2002, the Sarbanes-Oxley Act (SOX) enforces US organisations to demonstrate corporate governance compliance. SOX requires management to certify the company’s financial reports, and both management and an independent accountant are required to certify the organisation’s internal controls. This has a huge dependency on the IT infrastructure and IT systems.