Compliance can be described as a set of established guidelines that all involved parties are expected to abide by.
For instance, when a software programmer develops software or a hardware manufacturer develops a hardware component, they are expected to follow the guidelines and specific standards set by the industry, and to ensure that their product is in compliance with the respective industry standards.
Post development, the other party is expected to comply with the vendor’s agreement or license. This, in turn, ensures that both involved parties are following industry-set regulations and laws.
Different industry sectors have their own industry-specific compliances which they, together with their involved parties, are expected to abide by.
International standards such as ISO/IEC 27001 are created and regulated by ISO (International Organization for Standardization), while IEC (International Electrotechnical Commission) regulates the international standards in the electrotechnology field.
Some compliances have been created and are regulated by the government, while others are created and regulated by organizations for compliances pertaining to their respective industry.
Following compliance is not as easy as it sounds because of the nature of constantly evolving technologies, which gives rise to new compliances. Some of the existing compliance standards include:
SOX of 2002
SOX is short for the Sarbanes-Oxley Act. The U.S. Congress passed legislation named the Sarbanes-Oxley Act of 2002. Its purpose is to protect shareholders and the public from accounting errors and fraudulent practices in an enterprise.
The act is administered by the U.S. SEC (Securities and Exchange Commission). One of its provisions dictates that the companies concerned should store all business records as part of their IT systems.
The law dictates that these electronic records should be saved for not less than five years. Failure to comply could mean a fine, imprisonment, or both.
Can Spam Act of 2003
CAN-SPAM is an acronym for the Controlling the Assault of Non-Solicited Pornography and Marketing Act. The law was introduced on 1 January 2003 and is formally known as S. 877.
The basic requirements and compliances that businesses are expected to follow include:
A label is to be present if the content is adult oriented
Accurate “From” line
Using an accurate and legitimate return email address
Using a relevant and truthful subject line
The message must have an unsubscribe option
Unsubscription should be processed within ten business days
A legitimate physical address of the publisher or advertiser has to be present
A message cannot be null
The U.S. government has been criticized by many who say that spamming is an international concern and that the U.S. may not be able to control or punish those outside its jurisdiction. The CAN-SPAM Act has also been criticized for its name, “Can Spam”.
HIPAA of 1996
HIPAA is short for the Health Insurance Portability and Accountability Act of 1996. The HIPAA act provides for the security and safeguarding of a person’s medical and health-related information.
The covered entities expected to abide by HIPAA laws are health care providers, health care suppliers and services, and the individual (or group of individuals) paying for the health care.
The HIPAA Act contains five main sections (titles):
Title I: Health Care Access, Portability, and Renewability
Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform
Title III: Tax-related health provisions governing medical savings accounts
Title IV: Application and enforcement of group health insurance requirements
Title V: Revenue offset governing tax deductions for employers
Depending on the type of violation, the party concerned may face both a fine and imprisonment.
Dodd-Frank Act of 2010
Dodd-Frank is short for the Dodd-Frank Wall Street Reform and Consumer Protection Act, which was brought into effect by the U.S. government in July 2010.
The purpose of the Dodd-Frank act is to prevent any major financial crisis. This is done by requiring transparency and accountability from businesses in financial regulatory processes.
The great recession of 2000 was one of the primary reasons the Dodd-Frank Act needed to be introduced. A lot of businesses were highly dependent on the banks, hence the act makes sure to monitor companies that cannot afford to fail, as they can affect consumers and the economy alike, while also closely monitoring banks.
PCI DSS
PCI DSS is an acronym for the Payment Card Industry Data Security Standard. PCI DSS was created to secure and optimize payments made via credit card, debit card and cash card by protecting cardholders’ personal information.
PCI DSS was jointly created by four major credit card companies: Visa, MasterCard, Discover and American Express. PCI DSS has six main objectives:
Build and maintain a secure network
Protect cardholder data
Maintain a vulnerability management program
Implement strong access control measures
Regularly monitor and test networks
Maintain an information security policy
FISMA of 2002
FISMA is an acronym for the Federal Information Security Management Act, introduced by the U.S. government in 2002 as Title III of the E-Government Act of 2002.
The primary purpose of the act is information security. It focuses on protecting government information and the systems used for government operations from natural or man-made disasters.
Compliance Standards in relation with Cloud Computing
Compliances have been set for industries, and different industry sectors have guidelines specifically set for them. Some compliance standards relevant to the cloud computing industry include:
Cloud Security Alliance CCM
Control Objectives for Information and related Technology (COBIT)
Criminal Justice Information System Database (CJIS)
European Data Protection Directive 95/46/EC
Family Educational Rights and Privacy Act (FERPA)
Federal Risk and Authorization Management Program (FedRAMP)/ Federal Information Security Management Act (FISMA)
ISO/IEC 27001:2005 Audit and Certification
Federal Information Processing Standard (FIPS)
Gramm-Leach-Bliley Act (GLBA)
International Traffic in Arms Regulations (ITAR)
Life Sciences GxP Compliance
MTCS Tier 3 Certification
SOC 1, SOC 2 and SOC 3, SSAE 16/ISAE 3402 Attestations (formerly SAS 70)
United Kingdom G-Cloud OFFICIAL Accreditation
U.S. Commerce Department Safe Harbor Certification
Compliance and Cloud Security
Although compliance and cloud security are clearly correlated, they still have differentiating factors.
For instance, cloud security is not a service a business is obligated to have, although its importance cannot be overstated.
Compliance, however, encompasses security itself. Compliances are regulated by the governing authorities, and privacy and information security remain their prime motive. Depending upon the industry sector an enterprise operates in, following the compliances may be highly recommended or mandatory.
Compliance as a service
Like other cloud-based services, Compliance as a Service (CaaS) is offered on a fixed monthly subscription fee model. The service ensures that clients are always compliant with all the relevant industry regulations and standards.
Compliance requires periodic audits and evaluations to be conducted within an enterprise across all operations and processes, to ensure that all of them comply with the regulations relevant to them.
However, a company may not have the training and expertise to conduct such audits, and the nature of an audit does not allow for any mistakes. Moreover, these services are generally less expensive and therefore help save time and money.
Data Center Location
Compliance audits strictly require information on where the data is located. In other words, auditors need assurance that the assessed party knows the physical location where its data is stored.
This can be a problem for public cloud, as it defeats the purpose of the service. As of today, cloud vendors providing public cloud services are not necessarily obligated to share information on data center location. However, nor is there any rule or law that says they cannot.
In a traditional IT infrastructure setup, the data center location is known, but this is not the case with cloud computing. Hence a business should raise this point up front if restricted information on data center location is a problem for it.
Access Control
Compliance audits require that a company is able to prove that it has access controls in place for its processes.
Access control refers to access management, which compliance auditors will expect the business not just to have configured and defined, but also to be able to prove with the help of proper documentation.
The documentation should show who has access to what, when it is accessed, and the segregation of access according to duties, roles and responsibilities, and departments.
Data Encryption
A business has to be absolutely sure of the security of its data when using a cloud service, especially because the data will be constantly transferred to the cloud.
Compliance requirements also state that the data must be encrypted at all times. That includes data at rest, data in transit, and any additional or backup copies. Some compliance standards require entire disks or drives to be encrypted.
The stringent regulations on data encryption should not be surprising, as the whole purpose of compliance is the privacy and security of data. However, it is also worth noting that data encryption regulations may differ depending upon the region and the compliance standard for the industry in question.