Chapter 20
Compliance
When one thinks of compliance, one usually thinks of having to follow rules—and so it is with information technology compliance.
There are regulatory rules that must be met as well as organizational policy directives from management to be implemented. Additionally, there are also directives from outsiders (such as hackers) or from insiders (such as those with particular departmental or personal priorities that conflict with management's objectives) that must be avoided.
As a result, compliance can be considered to fall into three general categories:
1. Regulatory: Mandated actions from outside governmental/regulatory agencies
2. Procedural/Policy: Mandated actions from (inside) management
3. Security: Prevention of the actions of outsiders and insiders attempting to enhance personal interests that are in conflict with owners' (stockholders' or the public's) best interests
In some cases, categories 2 and 3 may overlap, such as when the actions of management are not in the best interests of the organization. An example of this would be a CEO who treats the company's funds as her own personal piggy bank or a government official who uses public funds for personal gain. For example, consider the actions of former CEO Dennis Kozlowski at Tyco, who threw lavish parties (costing over $200 million) with company funds, and the actions of former Maryland governor Spiro Agnew, who took kickbacks on government contracts.
Regulatory Compliance
The IT department—since ...