Legal Mandates
Value may be present or gained through technology renovation in many forms, though few issues are potentially as threatening to an organization as compliance with legal mandates and regulatory requirements. Many acts of legislation and industry standards require detailed documentation and certification of compliance in order to avoid fines, fees, or other negative results. Any efforts made to develop or realign an enterprise must take into account existing and emerging legal requirements from the very start. It is difficult—sometimes impossible—to go back and implement controls to review past actions or data access. For example, logging must be in place before a service is exposed for production use, because without this logging from the initial entry into service, it may be impossible to comply with privacy or regulatory mandates that may be imposed.
Alphabet Soup
Legislative responses to issues such as data loss, privacy violations, and fiscal accountability have generated an ever-growing number of “alphabet soup” legal requirements that the lead architect must include in enterprise planning. These include items such as the Sarbanes-Oxley Act (SoX), the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), the Federal Educational Rights Protection Act (FERPA), the Children's Online Privacy Protection Act (COPPA), and a host of other similar articles and regulations.
Each item carries its own potential pitfalls when applied to the enterprise. HIPAA mandates for segregation of health care clearinghouse data from other organizational access may complicate data storage, backup, and archival planning. Mandates for truthful disclosure of intellectual property ownership under SoX may complicate the use of free open-source software, where individual package intellectual property (IP) ownership may be difficult to document.
Many of these articles have common themes, however, making it easier to integrate specific requirements for compliance into more general planning steps. Privacy laws such as COPPA, HIPAA, and GLBA all include provisions for the privacy and protection of personally identifying information, as do industry regulations such as the Payment Card Industry Data Security Standards (PCI DSS). Following recent large-scale