by John Kulas, Bridge360 Software Security Analyst

Why compliance you might ask?
Why do we need compliance,what good does compliance do?

I’ll define “compliance” in terms of obeying a request, a law, or, in particular, a standard. Obviously there are usually penalties if you are not compliant.

1. If you do not comply with someone’s request, that person might be angry with you;
2. If you do not comply with the speed limit sign, a policeman might observe your non-compliance and either write you a ticket to pay a fine or maybe remove you from your car and haul you off to jail;
3. If you do not comply with a standard, depending on which standard, there are a variety of penalties, ranging from fines, mandated actions, delisting your company from the stock exchange and/or imprisoning your corporate officers.

I am a Certified Information Systems Auditor (a “CISA”, certified by ISACA, see http://www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/What-is-CISA/Pages/default.aspx) so I am most interested in the 3^rd example. In the next few posts I’ll comment on three fairly well known technology-related compliance standards, why we need them, and how they work:

1. Payment Card Industry Data Security Standard (“PCI-DSS”).
2. Sarbanes–Oxley Act of 2002 (“SOX”)
3. Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and the American Recovery and Reinvestment Act of 2009 (“ARRA”)

Continue reading →