Compliance

Compliance means conforming to a rule, such as a specification, policy, standard, or law. For example: ISO 27001, PCI DSS, GDPR, HIPAA, etc.

Need For Compliance:

• Protect the critical information
• Enforce control through written policy
• Understand the requirements for protecting organizational information
• Identify requirements for protecting organizational information
• Avoid inadequate implementation and enforcement; this can lead to fines, penalties, and imprisonment
• Avoid failures that lead to loss of customer confidence, competitive advantage, contracts, jobs, etc.
• Protect shareholder interests
• Use good controls that make good business sense

Regulatory Compliance

Regulatory compliance describes the goal that corporations or public agencies aspire to ensure the personnel are aware of and take steps to comply with the relevant laws and regulations.

Regulatory Environment helps:

• To cover: Data privacy, computer misuse, software copyright, data protection, and controls on cryptography
• To address: Environmental protection, intellectual property, national security, personal privacy, public order, health and safety, and prevention of fraudulent activities.

Auditing

Audits are performed to ensure compliance to contracts, regulations, and laws and assist in detecting abnormal activities.

Audit provides information on:

• The types of unauthorized activities
• The person or processes involved in the activities

Standards/Manuals/Guidelines for Compliance

Examples of standards, manuals, or guidelines are as follows:

• Control Objectives for Information and Related Technology (COBIT)
• Federal Information System Controls Audit Manual (FISCAM)
• U.S. Government Accountability Office (GAO) and Government Auditing Standards (GAS)
• GAO/PCIE Financial Audit Manual (FAM)
• ISO 27000 Series