Businesses today are highly regulated. They must comply with industry, governmental, regional, and national requirements in all regions they serve. This article provides a deep dive into:
- Meeting IT compliance mandates: Increasingly, regulations spell out specific security requirements, such as controlling data, keeping software and hardware up-to-date, and limiting system access to those who need it.
- Complying with regulations: Many organizations must comply with multiple regulations, requiring that IT and security teams have a comprehensive, up-to-date understanding of how data processes, cloud workloads, and other systems perform and how users are interacting with them. They face penalties for lax controls that contribute to data breaches.
- Implementing best practices: We offer five best practices for becoming best-in-class at IT compliance and reducing the workload on key stakeholders.
This article can serve as a guide to continuous compliance, helping key stakeholders mitigate risk and meet regulatory and customer requirements.
Meeting IT Compliance Mandates
As IT teams know, keeping pace with regulatory changes and compliance requirements is time-consuming and difficult. IT and security professionals spend 4,300 hours a year achieving and maintaining compliance. That is why 99% of organizations plan to move to a continuous compliance model, while only 40% have achieved it so far.
This article discusses the top five compliance mandates impacting IT operations, including their purpose, IT and data requirements, and how to meet them. It also lists other regulations and standards that IT teams may need to adhere to.
Understanding GDPR (the General Data Protection Regulation)
Adopted in 2016 and in force since May 2018, the GDPR is one of the world’s strictest privacy and security laws. It applies to any organization, wherever it is located, that processes the personal data of people in the European Economic Area (EEA) in connection with offering them goods or services or monitoring their behaviour; the data subject’s citizenship is irrelevant. The EEA comprises the 27 European Union member states plus Iceland, Liechtenstein, and Norway. The UK, which left the European Union, retained the regulation as the UK GDPR, while Switzerland has a similar privacy law, the revised Federal Act on Data Protection.
To process EEA residents’ personal data lawfully, an organization needs one of six legal bases: the data subject’s consent for a specific purpose; performance of a contract; compliance with a legal obligation; protection of someone’s vital interests; a task carried out in the public interest; or the organization’s legitimate interests, where these are not overridden by the individual’s rights. Consent is the basis most visible to consumers, which is why, after GDPR took effect, websites everywhere began presenting opt-in cookie banners with detailed language about how they capture, store, and process personal data.
Article 5 of the GDPR sets out seven principles that every data controller must follow. Data processing must be lawful, fair, and transparent to data subjects. Organizations must process data only for specified, legitimate purposes communicated to individuals up front (purpose limitation). They should collect no more data than they need for those purposes (data minimization). Personal data should be accurate and kept up to date. Data should be stored only as long as necessary for the stated purpose (storage limitation). Processing must maintain appropriate security, integrity, and confidentiality. Finally, controllers must be able to demonstrate compliance, both for themselves and for any processors they use (accountability).
So, how can organizations meet these requirements? They must build data protection in by design and by default and secure data throughout its lifecycle. Article 32 explicitly names pseudonymization and encryption of personal data as appropriate measures, so in addition to abiding by the principles above, IT and security teams will want to encrypt data in transit and at rest; require multi-factor authentication on every account that can reach personal data; and implement least-privilege access controls that limit who can see, use, and change it.
GDPR also has exacting breach notification requirements and a two-tier penalty regime. Controllers must notify their supervisory authority within 72 hours of becoming aware of a personal data breach, and must inform the affected individuals without undue delay when the breach is likely to result in a high risk to them. Fines for lesser infringements, including failures of the Article 32 security obligations, can reach 10 million euros or 2% of global annual turnover, whichever is higher; for the most serious violations, such as breaching the core processing principles, the cap doubles to 20 million euros or 4% of turnover. Meta (Facebook’s parent) holds the record for the largest fine to date (1.2 billion euros, about $1.3 billion, in 2023) and appears most often among the ten largest penalties, with five in total.
As a result, IT, security, compliance, and audit teams are strongly motivated to work together to ensure GDPR compliance when launching new services or evolving processes and to audit them on an ongoing basis.
Navigating HIPAA (the Health Insurance Portability and Accountability Act)
Enacted in 1996, HIPAA establishes national standards to protect the privacy and security of US patients’ health information and to let people keep their coverage and records as they change jobs, providers, or specialists. HIPAA details both technical and nontechnical requirements that “covered entities” must implement to protect individually identifiable health information (“protected health information,” or PHI; when created, stored, or transmitted electronically, e-PHI). Covered entities are health plans (including employer-sponsored group health plans), healthcare clearinghouses, and healthcare providers that transmit health information electronically. Business associates, the vendors that create, receive, maintain, or transmit PHI on a covered entity’s behalf, are directly liable for many of the same requirements. The US Department of Health and Human Services (HHS) oversees enforcement.
HIPAA’s Privacy Rule, issued in 2000, requires covered entities and their business associates to protect all PHI, in any form, including demographic data that could be used to identify individual patients. PHI includes data relating to an individual’s past, present, or future physical or mental health or condition; any healthcare they have received; and past, present, or future payment for that care. Organizations may not use or disclose PHI unless the Privacy Rule permits it or the patient authorizes it in writing. They must give patients a copy of their own PHI on request and must provide it to HHS on demand for a compliance investigation, review, or enforcement action. Covered entities must also follow the “minimum necessary” principle, using, disclosing, or requesting only the least amount of information required to accomplish the specific purpose. Health data that has been properly de-identified under the rule’s standards is no longer PHI, so organizations can use it for other business purposes, such as sharing or monetizing it, without these restrictions.
HIPAA’s Security Rule, enacted in 2003, covers health plans, healthcare clearinghouses, health providers, and business associates that transmit electronic health data. It requires that covered entities ensure the confidentiality, integrity, and availability of the e-PHI they create, receive, maintain, or transmit; identify and protect it against any threats to its integrity or security; protect the data against reasonably anticipated, unauthorized use or disclosure; and ensure compliance by their workforce.
Confidentiality means that the e-PHI should not be made available or disclosed to unauthorized individuals. Integrity means that it should not be altered or destroyed in an unauthorized manner. Availability means that it is accessible and usable on demand.
Organizations handling e-PHI have to implement administrative, physical, and technical safeguards. They must ensure physical controls that limit facility access to authorized personnel and ensure workstation and device security. They must also implement access controls that limit e-PHI use to authorized persons; audit controls that examine access and activity of information systems containing or using e-PHI, and integrity controls that ensure it hasn’t been improperly altered or destroyed. Finally, IT and security teams must protect e-PHI as it is transmitted over networks.
The HHS Office of Civil Rights (OCR) began enforcing the Privacy Rule in 2003 and the Security Rule in 2009. HHS also finalized an Enforcement Rule in 2006.
HHS OCR investigates complaints to determine whether a covered entity violated the Privacy Rule, the Security Rule, or both. Investigators’ findings determine whether the matter is resolved through voluntary compliance, corrective action, or a resolution agreement. If the covered entity does not take appropriate action, HHS OCR can impose civil money penalties. Most HIPAA settlements are far smaller, but Anthem paid a then-record $16M to OCR in 2018 for the security failures behind its 2015 breach, which exposed the e-PHI of nearly 79 million members. Anthem also settled a class-action lawsuit over the same breach for $115M.
Ensuring Compliance with PCI DSS (Payment Card Industry Data Security Standards)
The PCI DSS, maintained by the PCI Security Standards Council, is a set of 12 requirements broken down into 281 detailed sub-requirements. It applies to any organization that stores, processes, or transmits cardholder data for credit, debit, and prepaid cards: merchants, payment processors, and other service providers. The standard, first released in 2004 and now at version 4.0 (version 3.2.1 was retired in March 2024), governs four primary areas: processing digital transactions and payments, storing data, transmitting cardholder information, and securing the card processing environment. Implementing the standard helps organizations prevent data breaches and payment card fraud.
How an organization validates compliance depends on its transaction volume. Smaller merchants complete a self-assessment questionnaire (SAQ) matched to how they handle card data. The largest, Level 1 merchants (over six million card transactions a year) and Level 1 service providers (over 300,000 transactions a year), must undergo an annual on-site assessment by a Qualified Security Assessor (QSA) that produces a Report on Compliance; most organizations also need quarterly external vulnerability scans by an Approved Scanning Vendor. The exact thresholds are set by the card brands and acquiring banks, so organizations should study the tiered compliance levels that apply to them. Only QSAs can perform these external assessments and validate the results.
So, what happens when organizations don’t comply and suffer a breach? In addition to lawsuits and high cleanup costs, the card brands levy PCI DSS fines on the acquiring bank, which passes them on to the merchant; the amounts scale with the duration of non-compliance and the volume of transactions processed. For example, a merchant non-compliant for 1-3 months may face fines of $5K-$10K per month; for 4-6 months, $25K-$50K per month; for seven months or more, $50K-$100K per month. Equifax’s 2017 breach, which led to a settlement with the Federal Trade Commission, the CFPB, and state attorneys general that included a consumer restitution fund of up to $425M, began with an unpatched Apache Struts vulnerability, exactly the kind of gap the PCI DSS patch-management requirements exist to close. Similarly, Target’s 2013 breach, in which an attacker used credentials stolen from a third-party vendor to reach a company gateway server and then the point-of-sale network, had cost the company roughly $292M in cleanup costs, including penalties, by 2017.
Evaluating Sarbanes-Oxley Act (SOX) Compliance
Congress passed the Sarbanes-Oxley Act in 2002 in response to major accounting scandals at Enron, Worldcom, and others. It seeks to improve corporate auditing and disclosures and prevent management from interfering with these duties.
All US public companies, management, and accounting firms must comply with SOX. Private companies planning an IPO or M&A should also review internal controls to ensure they are SOX-compliant before these events. These firms must implement controls and documentation that support their financial statements.
Under SOX Section 302 (Corporate Responsibility for Financial Reports), CEOs and CFOs are personally accountable for the accuracy of financial reports. They must review and certify each periodic report, take responsibility for maintaining internal controls, and disclose significant deficiencies, fraud, and material changes to controls. Knowingly certifying a false report carries criminal penalties under Section 906.
SOX itself does not list specific IT controls; auditors instead expect general IT controls over every system that feeds financial reporting. In practice these include ensuring that only authorized people can access sensitive financial data and that conflicting duties are segregated; keeping IT systems up to date, including the logging and monitoring software; backing up financial data; and managing changes through an approved process. Companies must also monitor their access controls continuously and raise an alert whenever permissions on these systems change, so that each change can be tied back to an approved request.
SOX Section 404 (Management Assessment of Internal Controls) requires that every annual report include an internal control report describing management’s responsibility for internal control over financial reporting and its assessment of control effectiveness, including any material weaknesses. For larger filers, the independent external auditor must also attest to the effectiveness of those controls. The Public Company Accounting Oversight Board (PCAOB), created by SOX, in turn inspects and regulates the auditing firms.
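As an added illustration of that last control (example code written for this article, not Device42’s tooling or any auditor’s), the Python below compares a snapshot of group memberships on financially relevant systems against an approved baseline, reconciles every difference with a list of approved change tickets, and flags segregation-of-duties conflicts. The group names, users, and ticket numbers are all constructed for the example; in practice the snapshot would come from the directory or ERP and the tickets from the change-management system.

```python
"""Permission-change monitoring for SOX-relevant systems (added example).

Not code from the article or from Device42: it shows one way to turn the
"alert when permissions change" control into a repeatable check. All inputs
below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Set, Tuple

# Approved baseline: who may be in each financially relevant group (constructed).
BASELINE: Dict[str, Set[str]] = {
    "gl-posting": {"alice", "bob"},
    "payroll-admin": {"carol"},
    "erp-dba": {"dave"},
}

# Current memberships as pulled from the directory (constructed).
CURRENT: Dict[str, Set[str]] = {
    "gl-posting": {"alice", "bob", "erin"},  # erin added, ticketed
    "payroll-admin": set(),                  # carol removed, ticketed
    "erp-dba": {"dave", "erin"},             # erin added, no ticket
}

# Approved change tickets keyed by (group, user, action) (constructed).
APPROVED_CHANGES: Dict[Tuple[str, str, str], str] = {
    ("gl-posting", "erin", "add"): "CHG-1042",
    ("payroll-admin", "carol", "remove"): "CHG-1043",
}

# Pairs of groups no single person may hold at once (segregation of duties).
TOXIC_COMBINATIONS = [("gl-posting", "erp-dba")]


@dataclass(frozen=True)
class Finding:
    group: str
    user: str
    action: str            # "add" or "remove"
    ticket: Optional[str]  # None when no approved change covers it


def diff_permissions(baseline: Dict[str, Set[str]],
                     current: Dict[str, Set[str]]) -> Iterator[Tuple[str, str, str]]:
    """Yield (group, user, action) for every membership that differs from baseline."""
    for group in sorted(set(baseline) | set(current)):
        before = baseline.get(group, set())
        after = current.get(group, set())
        for user in sorted(after - before):
            yield group, user, "add"
        for user in sorted(before - after):
            yield group, user, "remove"


def reconcile(baseline, current, approved) -> Tuple[List[Finding], List[Finding]]:
    """Split permission changes into those backed by a ticket and those that are not."""
    approved_out: List[Finding] = []
    unapproved_out: List[Finding] = []
    for group, user, action in diff_permissions(baseline, current):
        finding = Finding(group, user, action, approved.get((group, user, action)))
        (approved_out if finding.ticket else unapproved_out).append(finding)
    return approved_out, unapproved_out


def sod_violations(current, toxic) -> List[Tuple[str, str, str]]:
    """Return (user, group_a, group_b) for each user holding both groups of a toxic pair."""
    hits = []
    for group_a, group_b in toxic:
        for user in sorted(current.get(group_a, set()) & current.get(group_b, set())):
            hits.append((user, group_a, group_b))
    return hits


def format_alert(finding: Finding) -> str:
    return f"ALERT unapproved {finding.action} of {finding.user} in {finding.group}"


if __name__ == "__main__":
    ok, bad = reconcile(BASELINE, CURRENT, APPROVED_CHANGES)
    for f in ok:
        print(f"approved {f.action} of {f.user} in {f.group} ({f.ticket})")
    for f in bad:
        print(format_alert(f))
    for user, a, b in sod_violations(CURRENT, TOXIC_COMBINATIONS):
        print(f"ALERT segregation-of-duties conflict: {user} holds {a} and {b}")
```

Run as a script, it reports the two ticketed changes, one unapproved alert for erin’s new erp-dba membership, and one segregation-of-duties alert because erin now holds both gl-posting and erp-dba. The point for an auditor is that the snapshot, the baseline, and the ticket references are all retained, so each alert doubles as evidence that the control operated.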
Determining Compliance with ISO/IEC 27001
The International Organization for Standardization (ISO) is an independent, widely respected standards body. Its ISO/IEC 27001 standard for information security management systems (ISMS), first published in 2005 and most recently revised in 2022, specifies requirements for establishing, implementing, maintaining, and continually improving an ISMS. By certifying against ISO/IEC 27001, a company demonstrates that it has a working system for managing information security risk. Certification also helps demonstrate the “appropriate technical and organizational measures” that regulations such as GDPR require, although it is not in itself proof of GDPR compliance.
ISO/IEC 27001:2022 has ten clauses, of which clauses 4 through 10 contain the mandatory management system requirements, plus an Annex A of 93 information security controls grouped into four themes: organizational, people, physical, and technological. Companies conduct a risk assessment to decide which of the 93 controls they need and record in a Statement of Applicability which controls they have implemented and the justification for any they have excluded.
To gain certification, IT Governance recommends performing a gap analysis, developing a remediation plan, training staff on the standard’s requirements, creating or updating ISMS documentation, running internal audits, and completing an external certification audit. The certification audit has two stages: auditors first review the documentation for completeness, then conduct an on-site assessment, examining policies and processes and interviewing team members to verify that the ISMS operates as documented and meets ISO/IEC 27001:2022 requirements. Certificates are valid for three years, with surveillance audits in each intervening year.
Benefits of ISO/IEC 27001:2022 compliance include acquiring a certification that is broadly understood and respected; protecting corporate data as it is transmitted, used, stored, or even printed; minimizing the attack surface; being able to respond to emerging threats; and winning more customer business and adhering to contractual requirements by becoming best-in-class at information security controls.
Other Important Regulations to Understand
Other regulations and standards that enterprises may need to comply with include:
- The California Consumer Privacy Act (CCPA), enacted in 2018 and in effect since 2020, is one of the most stringent US data protection laws; the California Privacy Rights Act (CPRA) expanded it from 2023. It gives California residents extensive rights over how their data is collected and used, including the right to know what is collected, to opt out of the sale or sharing of their data, to have information deleted, and not to be discriminated against for exercising these rights.
- The Cybersecurity Maturity Model Certification (CMMC) program requires US Department of Defense contractors to demonstrate a cybersecurity posture adequate to protect the federal contract information and controlled unclassified information shared with them. CMMC 1.0, released in 2020, defined five levels; CMMC 2.0 reduced these to three, aligned with NIST SP 800-171, and its program rule (32 CFR Part 170) was published in October 2024, with requirements phased into DoD contracts after that.
- The Federal Information Security Management Act (FISMA), passed in 2002 and superseded by the Federal Information Security Modernization Act of 2014, provides a comprehensive framework for protecting federal information, operations, and assets against threats. Agencies implement it through NIST standards (FIPS 199 and 200 and the SP 800-53 control catalog), and service providers to agencies must ensure that their processes and solutions meet those requirements.
- FedRAMP, established by the Office of Management and Budget in 2011 and codified in law by the FedRAMP Authorization Act in 2022, is the US federal government’s standardized set of security requirements for cloud services used by agencies. Providers must conduct security and risk assessments, bring their systems into line with the FedRAMP baselines (derived from NIST SP 800-53), implement continuous monitoring, and obtain an authorization to operate.
- The Gramm-Leach-Bliley Act (GLBA), enacted in 1999, requires that financial institutions explain how they share and protect US customers’ private information.
- The Health Information Technology for Economic and Clinical Health Act (HITECH) was enacted in 2009 as part of the American Recovery and Reinvestment Act. It extends HIPAA requirements directly to business associates, introduced the Breach Notification Rule for unsecured PHI, and strengthened civil and criminal enforcement of HIPAA violations.
- The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) was originally released in 2014 (1.0). It was updated and expanded in 2024 (2.0) to support all organizations, not only critical infrastructure, in improving their cybersecurity posture. Its six functions help organizations govern their security program, identify and protect assets, detect and respond to threats, and recover from incidents. While voluntary, it is widely treated as best practice.
- SOC 2 (System and Organization Controls 2, originally “Service Organization Control”) is an attestation framework created by the American Institute of Certified Public Accountants (AICPA) and introduced in 2010. An auditor reports on a service provider’s controls against the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy); a Type 1 report covers control design at a point in time, and a Type 2 report covers operating effectiveness over a period. SaaS and other third-party providers use it to show customers how they store and process client data.
IT Compliance Best Practices
Meeting compliance requirements is getting more challenging, and the stakes are high. As this article shows, numerous market leaders have drawn negative media attention for data breaches and paid significant fines. Device42 has prepared a deep dive, Compliance Standards: An In-Depth Multi-Chapter Guide, to help teams understand what they need to do to comply with major regulations, such as GDPR, HIPAA, PCI DSS, SOX, and ISO/IEC 27001:2022.
Teams can follow these best practices to improve compliance with critical requirements.
- Automate discovery: IT teams need a trustworthy, standardized way to discover and inventory all assets. One way to do that is with a configuration management database (CMDB) that automatically discovers physical, software, virtualized, and cloud assets and keeps the inventory close to real time. IT can use agentless and agent-based discovery to map the environment, find dependencies, and track traffic flows, and can enrich the discovered data with third-party information such as OS version numbers and support dates (end of life, end of support, and end of maintenance) to give a fuller picture of each device’s condition.
- Set up dependency mapping groups: IT teams can use tools that offer dependency mapping to see relationships between devices, business applications, and services and visualize traffic flows. This makes it easier to understand the impact of changes and configurations on application and service performance. Stakeholders can also use affinity groups to streamline compliance decision-making and guide strategic work, such as planning for cloud migrations.
- Automate reporting to key stakeholders: IT teams can empower other stakeholders with the analytics and visualizations they need to make critical compliance decisions. For example, to ensure GDPR compliance, stakeholders will want to see all devices, applications, and services that capture, use, store, and transmit data from residents in the greater EEA.
- Remediate issues: IT needs real-time visibility into asset bases to remediate issues quickly. They want to identify devices that need to be patched, software and hardware that is nearing end of life or end of support, shadow IT that isn’t being actively managed, unauthorized changes or configurations, or unexpected traffic flows. IT teams should prioritize and address these issues to minimize data and system risks.
- Commit to continuous improvement: Businesses, IT environments, and compliance regulations constantly evolve. As a result, stakeholders should work closely to understand their requirements and ensure new services are compliant from the start. They should also capture best practices on what works and what doesn’t so that others can benefit from these insights and improvements.
Improve your ability to meet compliance obligations with Device42’s CMDB-powered insights, reporting, and automated processes.