Complying with Regulations

By Melissa Rudy
Updated: June 01, 2012


Compliance is a fact of life for businesses of all shapes and sizes, in every industry. From health and safety laws to industry-specific regulations, there are rules that must be followed, and penalties ranging from fines to revoked licenses to shutdown for breaking them.

When it comes to IT security, the regulations can be tricky. Just as in other areas of business, there are industry-specific compliance issues, as well as more general laws. However, the field of information technology is vast and constantly shifting, making it difficult to apply uniform regulations.

Even so, a number of existing laws and industry standards already affect your IT environment. Understanding them is essential if your company is to stay compliant and avoid penalties.

Areas impacted by IT security regulations

Security is a critical component whenever information technology is used. All modern businesses deal with private and customer information in digital form, one way or another—whether it’s through an in-house network, over the Internet, or both.

This data must be protected. Regulations from service providers and governing bodies help ensure that consumers and companies can conduct business electronically in an environment that's as secure as possible.

Some of the areas of your business that may be affected by security regulation compliance include:

  • IT infrastructure. Your company's internal network, including its hardware components, requires security controls and may be subject to local regulations.
  • Risk assessment and mitigation. This covers technical controls such as firewalls and antivirus protection, as well as risk management for less predictable events like fire, natural disasters, break-ins, and theft.
  • Usage policies. Maintaining proper software licenses and enforcing acceptable-use policies for company systems is part of IT security compliance.
  • Documentation. This is an essential step in compliance. If your business is ever audited by a regulatory body, you'll need to be able to prove the steps and measures you've taken to comply.

Federal cyber-security regulations

The United States government has not imposed far-reaching legislation on digital commerce. Instead, federal and state governments have favored collaboration with the private sector that's designed to encourage voluntary improvements in IT security.

However, there are still a handful of federal regulation measures in place that govern specific industries.

In the health industry, the Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, led to the Privacy Rule and the Security Rule that protect individuals' health information. The Security Rule, finalized by the Department of Health and Human Services in 2003, applies specifically to electronic protected health information (ePHI) and requires covered entities to implement administrative, physical, and technical safeguards.

The 1999 Gramm-Leach-Bliley Act, aimed at financial institutions, includes the Financial Privacy Rule, which restricts how personal financial information is collected from and disclosed about customers, and the Safeguards Rule, which requires those institutions to maintain a written information security program. "Financial institution" is defined broadly here: it covers not only banks but any business significantly engaged in providing financial products or services to consumers.

Federal agencies are governed by the 2002 Homeland Security Act and the Federal Information Security Management Act (FISMA), enacted the same year, which sets out mandatory standards, policies, principles, and guidelines for securing federal information systems. FISMA applies to federal agencies and to contractors that operate systems on their behalf; it does not, by itself, regulate ISPs or software companies.

PCI security regulations

In order to accept credit or debit cards, including for online transactions, businesses must comply with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is not a law; it is a contractual requirement passed down from the card brands through your acquiring bank. Failure to comply can result in fines, higher transaction fees, and ultimately the loss of your ability to accept cards, which for many businesses amounts to being shut down.

The standard is maintained by the PCI Security Standards Council, founded by the major card brands to strengthen the controls around cardholder data and reduce card fraud and theft. Compliance must be validated every year, but the council does not perform the assessments itself: depending on transaction volume, a merchant or service provider either completes a Self-Assessment Questionnaire (SAQ) or undergoes an on-site assessment by a council-approved Qualified Security Assessor (QSA). Most organizations must also pass quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV).

PCI DSS consists of twelve requirements, grouped into six control objectives:

  • Building and maintaining a secure network
  • Protecting cardholder data
  • Maintaining a vulnerability management program, including antivirus software and the secure development and patching of systems
  • Implementing strong access control measures
  • Regular monitoring and testing of networks
  • Maintaining an information security policy

The future of IT security regulations

While state and federal governments currently support a self-regulatory approach for most of IT security, this may not always be the case. Online consumer privacy is becoming more critical than ever, with so many business transactions moving to Internet-based environments.

A recent report from the Federal Trade Commission (FTC) on online consumer privacy discusses the need for do-not-track tools for Internet users, letting them opt out of targeted marketing and data collection, much as the do-not-call registry governs telemarketing.

For now, the FTC is asking for voluntary cooperation with do-not-track and other privacy and security measures. However, if companies are lax about instituting stronger policies, federal regulation is not out of the question.

If you're responsible for your company's IT security compliance, it's in your best interests to provide the best security possible, for the sake of your customers as well as your business, and the future of e-commerce in the United States.
