Compliance ensures that organisation adheres to government regulations domestically as well as globally if applicable and avoids missteps that could result in fines, legal ramifications and reputation damage. 
 
Compliance involves meeting various controls (usually enacted by a regulatory authority, law, or industry group) to protect the confidentiality, integrity, and availability of data. Compliance requirements vary by industry and sector, but typically involve using an array of specific organisational processes and technologies to safeguard data.

Organisations are required to maintain compliance with security and privacy regulations specific to the types of data they handle from the customers by means of how it collected, stored, and transmitted. Some standards are universal, whereas others apply to specific industries meeting specific business requirements. 

Audits should be conducted in every organisation, regardless of size and industry at a regular interval, where the policy and procedures are updated in record with their current working pattern. The weakness should be noted and considered for the improvements. 

Compliance Violations

As the name suggests, compliance violation is of being in a state of non-compliance which allows the organisation to put them in serious risk. 
 
A state of non-compliance with any of the framework or process might cause the organisation to be in lot of trouble like security breaches. Even if an organisation can absorb the costs, it will still create a negative effect on reputation. Organisation should consider adopting to the latest security standard and being compliant following the best practices implied by it. To mitigate the risk, companies should always use authentication systems for all the sensitive data handled by the firm. 

A few common regulatory / compliance requirements are

• SOX – Sarbanes – Oxley Act,  
• PCI DSS – Payment Card Industry Data Security Standards, 
• GDPR – Global Data Protection Regulation,  
• HIPAA – Health Insurance Portability and Accountability Act. 

Sarbanes-Oxley Act

It is a United States Federal Law that mandates certain practices in financial record keeping and reporting for corporations. The act is passed on 2002 to protect the public from fraudulent or erroneous practices by corporations or other business entities. The goal is to protect investors by improving the accuracy and reliability of corporate disclosures. 
 
The data security framework of SOX compliance can be summarized by the following primary pillars: 

• Ensure Financial data security. 
• Prevent malicious tampering of financial data. 
• Track data breach attempts and remediation efforts. 
• Keep event logs readily available for auditors. 
• Demonstrate compliance in 90-day cycles.

SOX for IAM

• Providing centralised administration for managing user access rights and authentication. 
• Enforcing segregation of duties (SoD) policies. 
• Adjusting access rights when someone’s job function changes. 
• Revoking user access upon termination. 
• Managing access based on job roles and providing access only as per “Least privilege and need to know” access. 
• Performing periodic audits of access rights and privileges and providing automated reports. 

SOX for IT Departments

IT department must provide documentation proving that the company’s internal processes are well within the data security thresholds outlined in the Sarbanes-Oxley Act. To fulfil the compliance obligation, IT department must: 

• Have confident awareness of all privilege access policies. 
• Understand current log management standards for all financial records. 
• Be open to increased transparency into financial data security practices. 
• Continuous improvement of security risk remediation processes. 

SOX Audits

The primary purpose of a SOX compliance audit is to verify the authenticity of a company’s financial statements. The following parameters and conditions must be monitored, logged and audited: 

• Internal Controls 
• Network Activity 
• Database Activity 
• Login Activity 
• Account Activity 
• User Activity 
• Information Access 

Payment Card Industry Data Security Standard (PCI DSS)

• PCI DSS is a common compliance law which must be mandatorily followed by organisation which are accepting card payments. This standard ensures the protection of sensitive card information during its storage, processing, and transmission.  
• Merchants, Service providers and financial institutions must adhere this standard as they are directly accepting payments using cards. 
• Organisation must establish secure network and infrastructure for processing card transactions. 
  Business should consider having their entire infrastructure on-premises and cloud complying the regulations. 
• PCI standards limit cardholder data access to the minimum required for employees to serve customers as this minimize the risk of data theft and identity fraud and increases consumer trust. 

General Data Protection Regulation (GDPR)

• GDPR is a European Union regulation which implies Information privacy in the European Union (EU) and European Economic Area (EEA).  
• It is implemented to enhances individuals control over their personal information. 
• The regulation applies to  the data controller (an organisation that collects information about living people, whether they are in the EU or not), or processor (an organisation that processes data on behalf of a data controller like cloud service providers), or the data subject (person) is based in the EU. 
• It also applicable to the organisations based outside the EU if they are collecting or processing personal data of individuals located inside EU. 
• The organisation must get the individual consent clearly and keep them informed before processing their personal data. 
• Allowing customers to deny data collection or revoke storage privileges. 
• Business should notify their customers in case of any breach activity in a timely manner.

Health Insurance Portability and Accessibility Act (HIPAA)

• HIPAA is a United states federal law, it focuses primarily on health information and ensuring privacy and security in the healthcare industry whether the use of electronic records and its data are properly protected.
• Any organisation, healthcare or other industries which handles protected health information (PHI) is required to comply with this regulation. 
• Department of Health and Human Services Office for Civil Rights is responsible for enforcing HIPAA. 
• Healthcare transactions and electronic health records fall under HIPAA laws. 
• Securing electronic access to sensitive private health data and limiting health plans, medical records, personal health information’s and other sensitive data access based on the purpose and identity. 
• HIPAA requires the business entities to notify individuals in the event of a breach of unsecured PHI. 

Author: Nathersha Sahulhameed is a Senior Consultant at Fusion Practices