IT compliance: FAQs about IT operations, regulations and standards

This index links to resources about the relationship between IT operations and compliance regulations and standards, including HIPAA, e-discovery, SOX and PCI.

Applying regulatory mandates to IT operations is challenging, even for experienced security and compliance professionals....

The FAQs listed below provide more information organized around specific topics -- each list of frequently asked questions is focused on how a given standard, regulation or law affects IT compliance. As we add more FAQs on IT compliance, you'll find them listed below.

Admission of guilt in SEC settlements

To promote accountability, SEC settlements now sometimes require admission of corporate misconduct. In this FAQ, learn what prompted the change and why some are opposed to it.

Bank of America fraud settlement

Bank of America's huge settlement with the DoJ exposed numerous fraudulent lending practices in the years leading up to the 2008 financial crisis.

Basel III standards

Basel III is a set of standards developed to ensure that internationally active banks maintain adequate capital during periods of economic strain. Learn how the Basel III accord affects you with this FAQ.

Big data analytics creates compliance risk

Modern companies are reaping the business benefits of dissecting consumer information, but the FTC is warning companies about the discrimination risks of analyzing big data.

BYOD security and compliance

Bring-your-own-device programs are touted as a way to improve employee satisfaction, increase productivity and reduce costs. They also create huge security and compliance risks. Is your program prepared?

Compliance audits

Complying with the increasing number of regulations has made leveraging IT essential. That's particularly true in the automation of processes to handle the information in an organization's possession. As requirements grow, systems that both facilitate IT compliance and demonstrate to auditors that standards for security and data protection have been met are an increasingly critical area of IT operations.

Computer forensics

Computer forensics is perceived as a science rarely used by compliance officers. Not true. Learn more about how it's useful in a number of ways, including risk management.

Computer Fraud and Abuse Act

The Computer Fraud and Abuse Act of 1986 was originally designed to combat hacking, but amendments that dramatically broadened its scope and penalties have drawn some criticism.

Cybersecurity legislation

After several failed cybersecurity legislation efforts, could 2013 finally be the year lawmakers create rules protecting the nation's infrastructure and businesses from cybercrime?

Dodd-Frank call recording rule

The new Dodd-Frank call recording rule requires swaps dealers to record oral communications, a move regulators say will deter illicit activity and improve compliance oversight.

E-discovery

A landmark case in 2004, Zubulake v. UBS Warburg, broke new ground for electronic data that must be produced during a lawsuit, a requirement known as electronic discovery, or e-discovery. Since then, the law and practice surrounding the legal obligations for handling e-discovery have continued to evolve. Because the lion's share of corporate information is now stored electronically, e-discovery can be a complicated, time-consuming and expensive process.

Enterprise document management

Compliance with an increasing number of regulations requires a strategy for enterprise document management wherever content crosses an organization's network. Information technologies that facilitate the secure and controlled handling of documents are the foundation of such a strategy. As compliance-related enterprise document management requirements grow, improved document management systems and strategies will become an increasingly critical aspect of IT operations. In this FAQ, you'll find answers and resources to frequently asked questions about the relationship of enterprise document management to IT operations and compliance.

Epsilon security breach

The Epsilon security breach put a spotlight on email regulations, or the lack thereof. In this FAQ, learn what caused the breach, its cost to customers and the potential impact.

European Commission's data protection framework proposal

Reforms to the EU's data protection framework are designed to enhance privacy and create uniform regulations. But what will be the cost to businesses?

Financial CHOICE Act

In this FAQ, we examine how the Financial CHOICE Act of 2017 would change U.S. regulatory compliance mandates targeting the finance industry's business practices.

FINRA hones in on compliance culture

The Financial Industry Regulatory Authority has shifted priorities in 2016, focusing on how businesses exemplify a "compliance culture" through their internal processes.

FISMA

The Federal Information Security Management Act aims to improve information security by requiring federal agencies to comply with standards. Learn more with this FISMA FAQ.

Foreign Corrupt Practices Act

The DOJ and SEC have ramped up Foreign Corrupt Practices Act enforcement. Is your organization ready for the increased FCPA compliance scrutiny?

FTC consumer privacy and security

As businesses continue to collect and share the personal information of unknowing consumers, the FTC is lobbying for improved data privacy and security standards.

GDPR compliance

Learn how compliance with the EU's General Data Protection Regulation is making companies rethink their data protection policies and processes.

Generally Accepted Recordkeeping Principles

Many organizations do not have an information governance structure that works with defined record-keeping principles that ensure accountability. The Generally Accepted Recordkeeping Principles may be your answer.

Google settlement

Google has agreed to a $500 million settlement for illegally assisting online pharmacies via its AdWords program. Here's why the Google settlement could have wider ramifications.

HIPAA

Compliance with the Health Insurance Portability and Accountability Act (HIPAA) requires organizations to implement safeguards and security standards when electronically storing and transmitting personal health information. HIPAA mandates standardized formats for all patient health, administrative and financial data. Learn more about HIPAA requirements, the penalties for noncompliance and other issues in this FAQ.

HITECH Act

On Feb. 18, President Barack Obama signed into law the American Recovery and Reinvestment Act (ARRA) of 2009, commonly known as the "stimulus package." In doing so, Obama also made the Health Information Technology for Economic and Clinical Health (HITECH) Act the law of the land, in the process significantly expanding the reach of the Health Insurance Portability and Accountability Act (HIPAA) and its corresponding penalties.

This resource provides answers and resources to frequently asked questions regarding the HITECH Act. As you read the FAQ, you'll learn more about what the act is, where it came from, what it requires and what the role of IT is in achieving and maintaining HITECH compliance.

Heartbleed OpenSSL vulnerability

In this FAQ, learn how the Heartbleed OpenSSL vulnerability was discovered, the potential damage inflicted by the bug and advice to avoid associated security risks.

Investment Company Act Rule 38a-1(c)

The SEC has issued its first sanctions under the Investment Company Act's Rule 38a-1(c), which is designed to protect misled CCOs from securities law liability.

International Cybersecurity Principles

A consortium of financial services associations is calling for international cybersecurity standards to help avoid conflicting compliance mandates across global markets.

ISO 31000

Learn more about ISO 31000:2009, a new risk management standard: It's plainly written, short, process-oriented and relevant reading for anyone dealing with risk.

Knight Capital Group

Knight Capital Group lost $440 million in less than an hour due to faulty trading software. Regulators are now taking a closer look at how to prevent IT systems from causing future stock market upheaval.

MF Global

Following a series of questionable business practices, MF Global Holdings Ltd., the parent company of MF Global Inc., filed for bankruptcy protection on Oct. 31, 2011. It was quickly discovered that $1.6 billion in customer funds were missing, likely in violation of federal regulations surrounding segregating customer assets. Could the firm's collapse influence future financial regulations?

Mobile computing

More mobile computing devices mean more security threats. Here are things to consider in adjusting your IT compliance strategy to meet challenges brought by iPhones and the like.

NERC CIP

Under the NERC CIP, power generators and suppliers must prove NERC compliance on critical infrastructure protection provisions by the end of the second quarter. Will you be ready?

Net neutrality

Federal Communications Commission broadband proposals have led to contentious net neutrality debates, as lawmakers, consumers and corporations are concerned about how the changes would influence Internet services.

PCI DSS

This resource provides answers and resources to frequently asked questions regarding the Payment Card Industry Data Security Standard (PCI DSS). As you read the FAQ, you'll learn more about what the standard is, where it came from, what it requires, who it affects and what the role of IT is in achieving and maintaining compliance.

PCI DSS 3.0

Updated PCI DSS 3.0 standards make payment card security part of everyday operations for all employees. In this FAQ, learn how the update changes businesses' PCI DSS compliance.

Privacy Shield compliance

The Privacy Shield framework was agreed to by the European Commission and the U.S. Department of Commerce in 2016, and is considered to be a stronger means of protecting data than the Safe Harbor framework that it replaces. In this FAQ, learn details about how the EU-U.S. Privacy Shield data protection requirements strive to raise consumer privacy standards.

Sarbanes-Oxley Act

When it comes to IT operations, the impact of the Sarbanes-Oxley Act (SOX) has been clear and far-reaching. In fact, the costs of complying with SOX have resulted in many companies choosing to go public outside the U.S. capital markets. The Securities and Exchange Commission, which administers SOX, has exempted companies with market capitalizations of less than $75 million from the requirement to audit their financial control systems. That exemption is currently set to end in December. Should it do so, SOX requirements will extend to the IT departments of many more public companies. Get ready with this FAQ.

Secret surveillance information requests

Under U.S. surveillance laws, companies have the right to fight information requests in court. But do businesses really have any leeway when challenging these information request orders?

Shadow IT

As shadow IT has proliferated in the corporate world, so, too, have data privacy and security risks. In this FAQ, learn about shadow IT and how to avoid its compliance pitfalls.

SEC compliance rules

Penalties levied through SEC enforcement actions have increased during the economic crisis. Find out if your corporate compliance program is ready for the additional SEC scrutiny.

SEC regulations 2014

The Securities and Exchange Commission has ramped up regulation in recent years and 2014 will be no different. In this FAQ, learn what to expect for SEC enforcement in 2014.

SEC social media rules

The SEC recently updated rules to accommodate businesses' social media use when disseminating company information. But does the new policy create more questions than answers?

Social media policies

Corporate social media policies are designed to protect against employees posting job complaints online, but cases show labor laws’ interpretation of these rules is fuzzy at best.

Sony PlayStation Network breach

The Sony PlayStation Network security breach affected millions of users. In this FAQ, learn how it was done, and its costs and likely ramifications.

SSAE 16

Examinations-based SSAE 16 has become a common tool for service providers to demonstrate risk controls to customers. But does passing an SSAE 16 report actually provide proof of sound regulatory compliance controls?

Target data breach

The massive Target data breach has led legislators and regulators to reexamine retailers' data security processes. Will the efforts lead to new consumer protection frameworks?

Target data breach and executive accountability

Target Corp. has made major executive changes in the months following its massive 2013 data breach as the company strives to reassure customers and rework digital information security processes.

Travel ban executive order

In this FAQ, learn how members of the technology industry are working together to voice opposition to President Trump's travel ban executive order.

The Volcker Rule

The Volcker Rule portion of the Dodd-Frank Act is designed to rein in high-risk, speculative trading. Here's why it also could influence your compliance program.

Wal-Mart de Mexico's FCPA violations

Allegations that Wal-Mart bribed Mexican officials to advance business not only gave the retail giant a black eye, but also brought FCPA violation charges.
