Compliance Terminology

With so many compliance regimes and regulatory bodies, many of them specific to particular topics, sectors and regions, compliance-related terminology can be confusing and feel complicated. Here are some of the most frequently referenced compliance regimes and compliance terms, with some useful information; we hope you find them helpful. Note: The information shared here by Compliance Cart is meant only for information; all readers are expected to seek the counsel of compliance experts and adhere to the compliance requirements stated by the respective regulatory bodies before taking any compliance-related actions or decisions.

Compliance

The state of being in accordance with relevant federal or regional authorities and their regulatory requirements. Most companies have compliance departments that are charged with making sure that the company is following all the necessary rules and regulations.

GDPR

The General Data Protection Regulation (GDPR) is an extraterritorial European law that applies to the processing, storage, and exposure of personally identifiable information (PII) of European citizens. The European Parliament adopted the GDPR in April 2016, replacing an outdated data protection directive from 1995. The GDPR 2016 has eleven chapters, concerning general provisions, principles, rights of the data subject, duties of data controllers or processors, transfers of personal data to third countries, supervisory authorities, cooperation among member states, remedies, liability or penalties for breach of rights, and miscellaneous final provisions. Compliance with GDPR also means compliance with other privacy laws such as CCPA, LGPD, the SHIELD Act, FIPA, and PIPEDA.

Regulatory Body:

Enforced by the Information Commissioner’s Office (ICO).

The European Data Protection Board (EDPB) is an independent European body tasked with ensuring that data protection rules are applied throughout the European Union.

Key Controls:

Some key GDPR technical controls that need to be in place to ensure your organization is ready for GDPR are:

  • Identity and Access Management (IDAM)
  • Data Loss Prevention (DLP)
  • Encryption & Pseudonymization
  • Incident Response Plan (IRP)
  • Third-Party Risk Management
  • Policy Management

Validity

Certification is valid for a maximum of three years, subject to periodic reviews.

HIPAA

HIPAA was signed and enacted into law on August 21, 1996. The law was created to uphold the data integrity of protected health information (PHI) and offer guarantees to patients about how their data was handled. In 2003, the Privacy Rule and Security Rule amendments were introduced to govern the handling of electronic protected health information (ePHI) between healthcare practices and business associates. The Privacy and Security Rules outlined several safeguards designed to keep patient data safe.

Regulatory Body:

The Office for Civil Rights (OCR) at the Department of Health and Human Services is in charge of enforcing the HIPAA Privacy and Security rules. Since 2003, the OCR’s role has significantly increased and covers entities’ privacy practices, resulting in more effective protection of individuals’ health information privacy.

Key Controls:
1. Determine which of the annual audits and assessments are required for your organisation.
2. Conduct the necessary audits and assessments, analyse the results, and document any flaws.
3. Document your remediation plans, put them into action, review them annually, and update them as needed.
4. Appoint a HIPAA Compliance, Privacy, and/or Security Officer if your organisation hasn’t already.
5. Ensure that the designated HIPAA Compliance Officer provides annual HIPAA training to all employees.
6. Ensure that HIPAA training is documented, as well as staff member attestation of HIPAA policies and procedures.
7. Perform due diligence on Business Associates to ensure HIPAA compliance, and review BAAs on an annual basis.
8. Examine the processes in place for staff members to report breaches and how breaches are reported to HHS OCR.

Validity
Because the healthcare industry and the HIPAA rules change frequently, the certificate is currently valid for only one year.

SOX

The Sarbanes-Oxley Act of 2002, often simply called SOX or Sarbox, is a U.S. law meant to protect investors from fraudulent accounting activities by corporations. The goal of the legislation is to increase transparency in the financial reporting by corporations and to require a formalized system of checks and balances in each company.

Regulatory Body:

SOX is enforced by the Securities and Exchange Commission (SEC), alongside the Securities Exchange Act of 1934 and other securities laws. The U.S. Securities and Exchange Commission is a large independent agency of the United States federal government, created in the aftermath of the Wall Street Crash of 1929. The primary purpose of the SEC is to enforce the law against market manipulation.

Key Controls:
1. Detect security breaches: Ensure you can detect any security breaches (for example, phishing or ransomware attacks).
2. Prevent data loss: Implementing a data loss prevention strategy is a good idea. Using backup software would be beneficial in this situation.
3. Ensure that your data is protected in real time: Corporate information should stay safe round the clock. That’s why using automated security software may be a good idea.
4. Prevent tampering with your data: Control user logins, login attempts, and other domain activity.
5. Know who has access to the company’s most critical data.
6. Provide verifiable reporting: Data security, like financial reporting, should be held accountable. You need to have clear reports on your security status. Any problems should be reported right away.
7. Give SOX auditors access to the data they need: Be ready to provide information about the security measures you take to protect your data. If you use role-based data access, be ready to show how it is configured.
8. Securely maintain internal controls: For SOX compliance, internal controls should be implemented and managed. Internal control assessments should be performed regularly to confirm their effectiveness.

Validity
Testing is performed three times throughout the calendar year. The last one is a year-end test to ensure compliance requirements are being met.

ISO/IEC 27001

ISO/IEC 27001:2013 (also known as ISO 27001) is the international standard for information security. It sets out the specification for an information security management system (ISMS). Using it enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties.

Regulatory Body:

Regulated by the International Organization for Standardization

The Standard takes a risk-based approach to information security. This requires organisations to identify information security risks and select appropriate controls to tackle them.

Key Controls:

ISO 27001 checklist: a step-by-step guide to implementation

  1. Assemble an implementation team
  2. Develop the implementation plan
  3. Initiate the ISMS
  4. Define the ISMS scope
  5. Identify your security baseline
  6. Establish a risk management process
  7. Implement a risk treatment plan
  8. Measure, monitor and review
  9. Certify your ISMS

Validity

ISO 27001 certification is only valid for three years.

FISMA

The Federal Information Security Management Act (FISMA) is a United States federal law passed in 2002 that made it a requirement for federal agencies to develop, document, and implement an information security and protection program. FISMA is part of the larger E-Government Act of 2002, introduced to improve the management of electronic government services and processes. FISMA applies to all agencies within the U.S. federal government.

Regulatory Body:

Two regulatory bodies work with FISMA:

  • The National Institute of Standards and Technology (NIST) has the authority to create programs that bolster IT security and risk management practices.
  • The Department of Homeland Security is responsible for administering the implementation of the programs created by NIST to secure federal information systems.

Key Controls:

FISMA Checklist:

  • Maintain an information system inventory.
  • Categorize information systems.
  • Maintain a System Security Plan.
  • Utilize security controls.
  • Conduct risk assessments.
  • Obtain certification and accreditation.
  • Perform continuous monitoring.

Validity

Three years.

CCPA

The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them, and the CCPA regulations guide how to implement the law. Businesses must provide consumers with specific notices outlining their privacy policies. The CCPA applies to many businesses, including data brokers.

Regulatory Body:

The California Consumer Privacy Act (CCPA) is a state statute under the California Civil Code.

Key Controls:
This landmark law secures new privacy rights for California consumers, including:

  • The right to know what personal information a company collects about them and how that information is used and shared;
  • The right to delete personal information collected from them (with some exceptions);
  • The right to opt out of the sale of their personal information; and
  • The right to non-discrimination for exercising their CCPA rights.

Validity

A CCPA certificate is currently valid for only 12 months.

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment. The PCI Security Standards Council (PCI SSC), which focuses on improving payment account security throughout the transaction process, was launched on September 7, 2006.

Regulatory Body:

The PCI Security Standards Council was formed in 2006 by the major card brands (i.e. Visa, MasterCard, American Express, Discover Financial Services and JCB International) to regulate, maintain, evolve and promote PCI DSS compliance.

Key Controls:

Data covered by PCI DSS: PCI DSS covers personally identifiable information (PII) and cardholder data, such as the primary account number (PAN), cardholder name, service code and card expiration date. It also covers sensitive authentication data such as a card PIN. The requirements set forth by the PCI SSC are both operational and technical, and the core focus of these rules is always to protect cardholder data.

The 12 requirements of PCI DSS are:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel

Validity

The PCI compliance certificate is valid for one year from the date the certificate is issued.

SOC 2

SOC 2 reports address the controls at a service organization that are relevant to its operations and compliance, with the aim of ensuring security. SOC 2 also addresses data privacy rules around custodianship more deeply than privacy regulations like GDPR or CCPA.

Regulatory Body:

SOC 2 compliance is part of the American Institute of CPAs’ Service Organization Control reporting platform.

Key Controls:

For an organization to achieve successful certification, it must meet the following criteria, which are specified by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA):

  • Security. The organization’s system must have controls in place to safeguard against unauthorized physical and logical access.
  • Availability. The system must be available for operation and must be used as agreed.
  • Processing Integrity. The system processing must be complete, accurate, well-timed, and authorized.
  • Confidentiality. The information held by the organization that is classified as “confidential” by a user must be protected.
  • Privacy. All personal information that the organization collects, uses, retains, and discloses must be handled in accordance with its privacy notice and principles.

Validity

SOC 2 certification is only valid for 12 months.

OSHA

Dangerous working conditions nationwide sparked the creation of the Occupational Safety and Health Act (OSH Act) in 1970. The goal of the OSH Act is to protect workers from harm on the job. OSHA sets rules that serve as a baseline for safety and health protection in American workplaces. Its mission is to ensure all workers have safe working conditions by setting and enforcing standards. It also provides employers and employees with training, outreach, education, and assistance to take on safety challenges.

Regulatory Body:

The Department of Labor oversees the administration of the Act and enforces standards in all 50 states.

Key Controls:

OSHA’s Construction, General Industry, Maritime and Agriculture standards protect workers from a wide range of serious hazards. Examples of OSHA standards include requirements for employers to:

  • provide fall protection;
  • prevent trenching cave-ins;
  • prevent exposure to some infectious diseases;
  • ensure the safety of workers who enter confined spaces;
  • prevent exposure to harmful chemicals;
  • put guards on dangerous machines;
  • provide respirators or other safety equipment; and
  • provide training for certain dangerous jobs in a language and vocabulary workers can understand.

Validity

While the completion card does not expire, it is recommended to take OSHA outreach safety training every 4 to 5 years to stay updated with the latest safety regulations and industry practices.

Proposition 65

Proposition 65 requires businesses to provide warnings to Californians about significant exposures to chemicals that cause cancer, birth defects or other reproductive harm. These chemicals can be in the products that Californians purchase, in their homes or workplaces, or released into the environment. By requiring that this information be provided, Proposition 65 enables Californians to make informed decisions about their exposures to these chemicals.

Regulatory Body:
The Office of Environmental Health Hazard Assessment (OEHHA) maintains the list of chemicals regulated under Proposition 65. (CA Code of Regulations, Title 27, Section 27001)

Key Controls:
The consequences of non-compliance with Prop 65:

If a product sold in California is found to contain a chemical listed under Prop 65 without the “clear and reasonable warning” required by this regulation, the manufacturer is issued a 60-day Notice of Violation. During the 60 days, the California Attorney General’s office can take legal action against the manufacturer, and if no such action is taken, a private party can file a lawsuit after the 60 days have expired.

Historically, an average settlement for a Prop 65 lawsuit is around $65,000. In lawsuits involving large groups of retailers and manufacturers, settlements can exceed $1,000,000. Given the high costs and reputational damage of Prop 65 lawsuits, more and more brands and retailers are taking a proactive approach to Prop 65 compliance and ensuring that their products meet all the relevant requirements.

FLSA

The Fair Labor Standards Act (FLSA) is a U.S. law that is intended to protect workers against certain unfair pay practices. As such, the FLSA sets out various labour regulations regarding interstate commerce employment, including minimum wages, requirements for overtime pay, and limitations on child labour. The FLSA, which was passed in 1938 and has seen numerous changes over the years, is one of the most important laws for employers to understand, as it sets out a wide array of regulations for dealing with employees, whether salaried or paid by the hour.

Regulatory Body:

The Wage and Hour Division (WHD) of the U.S. Department of Labor (DOL) administers and enforces the FLSA with respect to private employment, State and local government employment, and Federal employees of the Library of Congress, U.S. Postal Service, Postal Rate Commission, and the Tennessee Valley Authority.

Key Controls:

The four main elements of the FLSA:

The Fair Labor Standards Act (FLSA) establishes minimum wage, overtime pay, recordkeeping, and child labour standards affecting full-time and part-time workers in the private sector and in Federal, State, and local governments.