IT professionals who must ensure regulatory compliance for the IT systems of the organizations in which they work can be in a difficult position. Most regulations do not clearly state what is required from an IT perspective. Moreover, often many different regulations apply to a given organization. Unclear requirements and regulatory complexity make it hard for IT managers to know what they need to do to meet their compliance goals. And because the consequences of noncompliance can be quite severe, including fines and even jail time for egregious offences, many IT managers are understandably apprehensive about this important subject.
To help address these needs, Microsoft has created the Regulatory Compliance Planning Guide. The guide is designed to help IT professionals and others interested in regulatory compliance in a number of ways. Specifically, the guide:
Introduces a more efficient way to address regulatory requirements in your organization.
Outlines the leading thinking in regard to specific IT control requirements related to a number of major regulations and standards.
Demonstrates how currently available Microsoft software and guidance can help address immediate regulatory compliance issues for your organization.
The guide was developed, reviewed, and approved by a team of authoritative experts in IT controls and regulatory compliance. This guide and other security guidance topics are available at the Security Center at www.microsoft.com/security/guidance. Please send questions or feedback about this guide to firstname.lastname@example.org.
This section introduces the Regulatory Compliance Planning Guide and provides a brief overview of the other sections in the guide. This section also contains:
A high-level summary of the guide, including recommendations on who should read it.
A brief introduction to regulatory compliance, and the regulations and standards that are discussed in the guide: Sarbanes-Oxley (SOX), Gramm-Leach-Bliley (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), the European Union Data Protection Directive (EUDPD), and the ISO-17799 international security standard.
An overview of IT controls.
A brief discussion of the IT audit process, and how organizations can best work with auditors to meet their regulatory compliance obligations.
A discussion of the business drivers for regulatory compliance.
This section describes how the regulations drive specific IT control requirements, using the framework-based approach discussed in the previous section. In addition, this section presents specific technologies that you can use to help address regulatory requirements.