Compliance is either a state of being in accordance with established guidelines or specifications, or the process of becoming so. Software, for example, may be developed in compliance with specifications created by a standards body, and then deployed by user organizations in compliance with a vendor's licensing agreement. The definition of compliance can also encompass efforts to ensure that organizations are abiding by both industry regulations and government legislation.
Compliance is a prevalent business concern, partly because of an ever-increasing number of regulations that require companies to be vigilant about maintaining a full understanding of their regulatory compliance requirements. Some prominent regulations, standards and legislation with which organizations may need to be in compliance include:
- Sarbanes-Oxley Act (SOX) of 2002: SOX was enacted in response to the high-profile Enron and WorldCom financial scandals to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. Among other provisions, the law sets rules on storing and retaining business records in IT systems.
- Can Spam Act of 2003: The Can Spam Act requires businesses to label commercial emails as advertising, use legitimate return email addresses, provide recipients with opt-out options and process opt-out requests within 10 business days.
- Health Insurance Portability and Accountability Act of 1996 (HIPAA): HIPAA Title II includes an administrative simplification section that mandates standardization of electronic health records systems and includes security mechanisms designed to protect data privacy and patient confidentiality.
- Dodd-Frank Act: Enacted in 2010, this act aims to reduce federal dependence on banks by subjecting them to regulations that enforce transparency and accountability in order to protect customers.
- Payment Card Industry Data Security Standard (PCI DSS): PCI DSS is a set of policies and procedures created in 2004 by Visa, MasterCard, Discover and American Express to ensure the security of credit, debit and cash card transactions.
- Federal Information Security Management Act (FISMA): Signed into law in 2002, FISMA requires federal agencies to conduct annual reviews of information security programs, in order to keep risks to data at or below specified acceptable levels.
IT compliance guidelines vary by country; SOX, for example, is U.S. legislation. Similar legislation in other countries includes Germany's Deutscher Corporate Governance Kodex and Australia's Corporate Law Economic Reform Program Act 2004. As a result, multinational organizations must be cognizant of the regulatory compliance requirements of each country they operate within.
As regulations and other guidelines have increasingly become a concern of corporate management, companies are turning more frequently to specialized compliance software and IT compliance consultancies. Many organizations have even added compliance jobs such as a chief compliance officer (CCO).
The main responsibilities of a chief compliance officer include ensuring that an organization is able to both manage compliance risk and pass a compliance audit. The exact nature of a compliance audit will vary depending upon factors such as the organization's industry, whether it is a public or private company, and the nature of the data it creates, collects and stores.
Regular regulatory compliance training programs for both IT staff members and business users can protect the organization as a whole. Compliance training program guidelines will also vary depending on the industry a company is in and the data it generates and uses.