Vulnerabilities may be associated with various government and industry-specific regulations, including SOX, HIPAA and GLBA, and the CobIT information technology standard. Definitions for these compliance types are provided below.
The Sarbanes-Oxley Act of 2002 (SOX) requires effective controls and processes for validating the integrity of annual financial reports. Section 404 of the Sarbanes-Oxley Act is relevant to information security as it requires management to demonstrate that they have established appropriate "internal controls" to safeguard an organization's financial processes. The regulation's internal controls specify that organizations safeguard financial data through the prevention and detection of security breaches that may have a material effect on financial statements.
SOX applies to publicly traded companies looking to achieve and prove compliance with Section 404 of Sarbanes-Oxley.
For complete details, go to: http://www.sec.gov/about/laws.shtml
Health Insurance Portability and Accountability Act (HIPAA) regulations require organizations to enforce security controls that promote the confidentiality, integrity and availability of all personal health information, including patient records and any individually identifiable health information.
HIPAA standards require organizations to use risk-based methods for protecting health information. HIPAA specifies compliance guidelines for achieving a minimum security baseline in areas covering administrative and technical safeguards.
HIPAA applies to health care institutions, insurance companies, and any organization that processes, stores or manages personal health information electronically.
For complete details, go to: http://www.hipaa.org/
Gramm-Leach-Bliley Act (GLBA) regulations require IT controls to maintain the confidentiality and privacy of consumer financial information. Organizations must protect themselves against unauthorized access, anticipated hazards and risks threatening the security or integrity of consumer financial information.
GLBA introduces strict guidelines for how banks and credit unions handle, manage and secure their customers' personal information. The guidelines define customer information as any record containing a customer's non-public personal information, whether in printed, electronic or other form. They require each institution to implement a written information security program that includes administrative, technical and physical safeguards appropriate to the size and complexity of the bank as well as the nature and scope of its activities.
GLBA applies to banks, credit unions, brokers, dealers and investment companies.
For complete details, go to: http://www.ftc.gov/privacy/privacyinitiatives/glbact.html
Control Objectives for Information and related Technology (CobIT) is an IT governance framework and supporting toolset for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992.
CobIT provides best practices for control over information, IT governance, and related business risks. It features high-level and detailed control objectives that correlate IT operations with business security, profitability and risk management.
For complete details, go to: http://www.isaca.org/