Commonly Used Regulatory Frameworks
This page is to show basic knowledge and a demonstrative understanding of some of the common regulatory frameworks that I have seen listed in job descriptions. There are quite a few, to say the least, so this is not a complete list. I will continue researching and adding more in the future.
Sarbanes-Oxley Act of 2002 (SOX) - A financial law passed by the U.S. Congress. The intended purpose of this law is to protect investors from fraudulent financial reporting by corporations.
https://sarbanes-oxley-act.com/
Reason For This Law:
The SOX Act was enacted after several corporate financial scandals, one of the most notable being Enron. Enron used mark-to-market accounting to hide its losses from investors, which resulted in the loss of millions of dollars for many of its shareholders.
Key Objectives & Amendments:
The key objective of this law was to amend and further enforce the Securities Exchange Act of 1934. The SOX Act emphasizes transparency in financial reporting and also increased the punishment for financial crimes. Three key sections of this law are often referenced:
Section 302 - This section requires corporate officers to certify in writing that the company’s financial statements comply with the requirements of the Securities and Exchange Commission.
Section 404 - This section requires that internal controls, and reporting on those controls, are implemented to ensure compliance is maintained from within.
Section 802 - This section enforces the rules of record keeping. It has three major objectives: the first rule regulates the destruction and falsification of records, the second rule enforces the retention period of records, and the third rule specifies the types of business records that a company is required to store.
General Data Protection Regulation (GDPR) - A law enforced by the European Data Protection Board that regulates how the personal data of European Union (EU) citizens can be collected, processed, and stored.
Reason For This Law:
This law is designed to give residents of the European Union control over their personal data and to enforce privacy regulations on the organizations that use that data, including how it can be used. The law went into effect on May 25, 2018.
Key Objectives:
To set guidelines for organizations that handle personal data of EU residents.
To give EU residents control of how their personal information is handled.
To protect the privacy of EU citizens.
Gives individuals the “Right to be Forgotten”, which means they have the right to ask any organization to delete their personal data.
Organizations are required to inform individuals of what they do with their data.
Organizations are required to immediately notify any affected individual if there is a data breach.
Health Insurance Portability and Accountability Act (HIPAA) - A federal law enacted on August 21, 1996 to protect the privacy and security of individuals’ health information.
Reason For This Law:
The purpose of this law is to secure patients’ protected health information (PHI) and to regulate how this information can be used. Except under certain circumstances, an individual’s information cannot be disclosed without their permission. Most importantly, this law is enforced to help prevent the disclosure of personally identifiable information (PII), which could lead to identity theft and possibly jeopardize the patient’s safety, especially in cases that involve abuse.
Key Objectives:
Protect health information by maintaining the confidentiality of individuals, which helps prevent the disclosure of information that could lead to identity theft and possibly affect the patient’s safety.
Ensure the integrity of health information and prevent healthcare fraud based on falsified information.
Provide availability of health information to the patient, and to individuals the patient has authorized for the purpose of treating them and possibly making decisions on their behalf.
Health Information Trust Alliance (HITRUST) - A framework created in 2007 to ensure information security compliance is implemented in conjunction with HIPAA. It is designed to help ensure healthcare organizations are taking the necessary steps to secure digital patient information.
https://learn.microsoft.com/en-us/compliance/regulatory/offering-hitrust
Reason For This Framework:
HITRUST was created to help covered entities implement information security measures that keep digital health information in compliance with HIPAA. This framework also combines compliance measures from other frameworks, such as ISO/IEC 27001, NIST, GDPR, and PCI DSS, and applies them to the healthcare industry to protect patient information that is online. HITRUST is the creator of the Common Security Framework (CSF).
Key Objectives:
Assist healthcare organizations in becoming HIPAA compliant through information security, and protect patient information that is online.
Implement a single framework that adheres to various other regulatory frameworks, including HIPAA, ISO/IEC 27001, NIST, GDPR, and PCI DSS.
Provide risk management by helping organizations proactively identify and mitigate security risks.
ISO/IEC 27001 - An international standard created by the International Organization for Standardization and the International Electrotechnical Commission for implementing information security, privacy protection, and cybersecurity.
Reason For This Standard:
This was initiated when the Department of Trade and Industry (DTI) of the UK government asked the Commercial Computer Security Centre (CCSC) to create a set of standards and guidelines for securing IT-based equipment. At the beginning, the standard was split into two documents, BS 7799-1 and BS 7799-2. BS 7799-1 later became the ISO 27002 standard, which mainly focuses on security controls. BS 7799-2 later became the ISO 27001 standard, which is focused on information security. Both standards are largely based on the CIA triad:
Confidentiality - Only authorized personnel are allowed to view information.
Integrity - Ensuring that information remains intact and is changed only by authorized personnel.
Availability - Ensuring that authorized personnel are able to access information when it is needed.
Key Objectives:
Create a holistic international framework to guide individuals and companies in implementing information security and protecting data.
Establish greater trust with potential customers.
Guide users in implementing risk assessment and management.