Regulatory Compliance
Compliance in the UK
There is considerable regulation in the UK, some of which derives from EU legislation. Different areas are policed by different bodies, such as the FSA (Financial Services Authority), the EPA (Environment Protection Agency), the Information Commissioner and others. Important compliance issues for organisations large and small include the Data Protection Act and the Freedom of Information Act 2000, while the Combined Code issued by the London Stock Exchange (LSE) is the UK equivalent of Sarbanes-Oxley.
Compliance in the USA
Compliance in the USA generally means conforming to a clearly defined specification, policy, standard or law. These may be laws carrying criminal or civil penalties, or they may be regulations. The definition of what constitutes an effective compliance plan has been elusive; most authors, however, continue to cite the guidance provided by the United States Sentencing Commission.
Corporate scandals have highlighted the need for stronger compliance regulations for publicly listed companies. The most significant regulation in this context is the Sarbanes-Oxley Act, sponsored by two U.S. congressmen, Senator Paul Sarbanes and Representative Michael Oxley, in 2002, which imposed significantly tighter personal responsibility on corporate top management for the accuracy of reported financial statements.
There are a number of other regulations, such as FISMA. In some cases other compliance frameworks (such as COBIT) or standards (such as NIST) provide guidance on how to comply with the regulations.
Compliance in Australia
Regulators in Australia continue to endorse and encourage (by regulation) the use of the standard AS 3806 - Compliance Programs when establishing a compliance framework.
Compliance demands in the superannuation industry continue to increase due to the new licensing regime implemented by APRA. The new licensing regime requires trustees of superannuation funds to demonstrate to APRA that they have adequate resources (human, technological and financial), risk management systems, and appropriate skills and expertise to manage the superannuation fund. The licensing regime has raised the bar for superannuation trustees, with a significant number of small to medium sized superannuation funds exiting the industry due to the increasing risk and compliance demands.
Frameworks and Regulations in Detail
ITIL
The Information Technology Infrastructure Library (ITIL) is a set of concepts and techniques for managing IT infrastructure, development and operations. ITIL is published as a series of books, each of which covers an IT management topic. ITIL gives a detailed description of a number of important IT practices, with comprehensive checklists, tasks and procedures that can be tailored to any IT organization.
The current ITIL library (v3) consists of the following Core Volumes:
- Service Strategy focuses on the identification of market opportunities for which services could be developed in order to meet a requirement on the part of internal or external customers. The output is a strategy for the design, implementation, maintenance and continual improvement of the service as an organizational capability and a strategic asset. Key areas of this volume are Service Portfolio Management and Financial Management.
- Service Design focuses on the activities that take place in order to develop the strategy into a design document which addresses all aspects of the proposed service, as well as the processes intended to support it. Key areas of this volume are Availability Management, Capacity Management, Continuity Management and Security Management.
- Service Transition focuses on the implementation of the output of the service design activities and the creation of a production service or modification of an existing service. There is an area of overlap between Service Transition and Service Operation. Key areas of this volume are Change Management, Release Management, Configuration Management and Service Knowledge Management.
- Service Operation focuses on the activities required to operate the services and maintain their functionality as defined in the Service Level Agreements with the customers. Key areas of this volume are Incident Management, Problem Management and Request Fulfillment. A new process added to this area is Event Management, which is concerned with normal and exception condition events.
- Continual Service Improvement focuses on the ability to deliver continual improvement to the quality of the services that the IT organization delivers to the business. Key areas of this volume are Service Reporting, Service Measurement and Service Level Management.
WEEE
The WEEE directive places responsibility for the disposal of Waste Electrical and Electronic Equipment (WEEE) on the manufacturers of such equipment. Those companies must establish an infrastructure for collecting WEEE, such that "Users of electrical and electronic equipment from private households should have the possibility of returning WEEE at least free of charge". The companies are also required to handle the collected waste in an ecologically friendly manner, either by ecological disposal or by reuse/refurbishment of the collected WEEE.
SOX
The financial reporting processes of many companies depend to some extent on IT systems. Therefore, information technology controls that specifically address financial risks may fall within the scope of a SOX 404 assessment. Chief information officers are typically responsible for the IT organization, and IT personnel may be directly involved in SOX compliance efforts.
The SOX 404 guidance requires the use of an internal control framework, such as the COSO framework. The IT Governance Institute's "COBIT: Control Objectives for Information and Related Technology" is also used by many companies as a framework supporting IT SOX 404 efforts. However, certain aspects of COBIT lie outside the boundaries of Sarbanes-Oxley regulation.
FISMA
The Federal Information Security Management Act of 2002 is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002. The Act was intended to bolster computer and network security within the Federal Government and affiliated parties by mandating yearly audits.
FISMA has brought attention within the Federal Government to cybersecurity, which had previously been much neglected.
By understanding the requirements and goals of these and other regulations and frameworks, Kodit Database can provide you with the foundations for your regulatory compliance plans.