What Is Compliance?

Despite being a relatively simple term, compliance has become something of an enigma within many organizations. Different people view and define compliance in different ways. This is evident across different industries, within the same industry, and even within a single organization.

The Merriam-Webster Online dictionary defines compliance as “the act or process of doing what you have been asked or ordered to do.” Where do these compliance rules for organizations come from? They come in many forms such as laws and regulations, industry norms and frameworks, and ethical standards established through internal company policies and standards. An information systems compliance assessment or audit not only considers each of these forms of rules but also measures the effectiveness of the governance and management oversight to ensure the rules are being followed.

Regarding IT compliance, compliance pertains to two broad areas: internal and external. Internal compliance refers to an organization’s ability to follow its own rules, which are typically based on defined policies and standards. External compliance refers to the need and desire for an organization to follow rules and guidelines set forth by external organizations and authorities. Although many external-compliance mandates are regulatory, other compliance requirements include standards and guidelines that must be followed as set forth by industry frameworks.

The credit card industry is a prime example: it developed a set of security standards in an attempt at self-regulation, typically enforced through contractual obligations. The majority of external compliance mandates are, however, laws and regulations. There are numerous compliance mandates to which organizations may be required to adhere. In most cases, regulations do not provide specifics and are open to interpretation. Compliance frameworks, such as Control Objectives for Information and Related Technology (COBIT), and standards, such as those published by NIST, help interpret how to comply with the regulations.

Unlike a simple traffic law, such as the requirement to stop at a red light, compliance laws and regulations are not always so clear. This is often another source of frustration for those responsible for helping an organization comply. The general steps to meeting compliance include the following:

  1. Interpret the regulation and how it applies to the organization.

  2. Understand how regulators are interpreting the regulation through fines and penalties assessed across an industry group.

  3. Identify any gaps in controls or determine where the organization stands with the compliance mandate.

  4. Align the view of gaps and risks with key stakeholders across the organization such as legal, operational risk, risk management, and compliance departments.

  5. Identify accountability at the governance, department, and executive levels.

  6. Ensure management devises a plan to close the gap.

  7. Monitor management’s execution of the plan.

Compliance is closely related to risk management and governance on all levels, be it technical, procedural, or strategic. Risk management seeks to mitigate risk through controls. For example, an organization identifies, evaluates, and takes action to lessen its risk. Compliance helps risk management by verifying that the desired controls are in place. Governance seeks to better run an organization using complete and accurate information and management processes or controls. For example, a sound security policy and comprehensive procedures are in place to implement the policy.

Compliance helps governance by ensuring such information and controls also satisfy applicable standards or regulations. On a strategic level, compliance ensures an organization can effectively meet organizational goals and objectives as planned. This means IT must ensure it is capable of delivering services to satisfy business needs and to stay compliant with external laws and regulations.
