Understanding the Operational Implications of Legal and Compliance Requirements

Compliance requirements often affect how systems operate. When reviewing legal and compliance requirements, an organization must also consider how meeting them will change its day-to-day operations.

Here are some examples:

  • HIPAA—HIPAA requires the protection of all health-related data. When this data is stored electronically, it becomes easier to control using standard access controls in a network. A company may choose to switch from paper-based to computer-based records, which will affect how employees access data and represent a change in operational procedures.
  • SOX—SOX requires the protection of financial data, which may be stored on a database server. If so, that database server is subject to additional controls that may not be required for other database servers. Administrators may need to take additional steps to protect the data, and users may need to take additional steps to access it.
  • FISMA—FISMA requires specific procedures for government agencies to purchase and deploy systems. If an agency purchases systems outside of the norm, the process to get them certified and authorized can be lengthy, and this delay may affect the agency’s ability to field new systems in a timely manner.
  • FERPA—FERPA mandates access to educational records by students or parents. If the school has a large volume of these requests, its regular operations could be affected. To avoid this situation, the school could choose to limit when access to records is granted.
  • CIPA—CIPA requires that minors be protected from offensive content while adults retain unrestricted access. Librarians may not have had to manage systems in the past. However, they may need to be trained on how to disable the technology protection measure (TPM), such as a content filter, to grant adult access.
  • PCI DSS—If an organization is already conducting standard security practices, PCI DSS has little effect on normal operations. However, if the organization has weak security practices, PCI DSS standards could drastically change operations. Although this is good in the long run, it may be uncomfortable for users to get used to in the short term.
  • GDPR—GDPR differentiates the duties and responsibilities of data controllers from data processors. Data controllers have an obligation to engage only processors that provide sufficient guarantees to implement appropriate technical and organizational measures that protect the rights of data subjects. The processors must also follow all applicable measures to protect the personal data of data subjects.