Regulatory Compliance Planning Guide

Section 3: Mapping Regulations to High-Level Control Objectives in the Control Framework

Published: June 14, 2006

This section presents an overview of how the major regulations and standards in this guide map to specific technology solution categories in a sample control framework.

The team mapped the five regulations and standards—SOX, GLBA, HIPAA, EUDPD, and ISO 17799—to the framework. Wherever possible, the project team conducted the mapping with the assistance of pre-existing guidance from accredited agencies and government organizations. The documents containing this guidance, which this guide refers to as bridging documents, are generally accepted by the audit and regulatory community as a reasonable representation of the control requirements for these regulations and standards. The team used the following bridging documents to help map the regulations to the sample control framework:

Sarbanes-Oxley Act. IT Control Objectives for Sarbanes-Oxley from the IT Governance Institute at www.itgi.org/Template_ITGI.cfm?Section=ITGI&CONTENTID=9757&TEMPLATE=/ContentManagement/ContentDisplay.cfm.

Gramm-Leach-Bliley Act. Interagency Guidelines Establishing Standards for Safeguarding Customer Information from the Department of the Treasury, Office of the Comptroller of the Currency, Office of Thrift Supervision, Federal Reserve System, and Federal Deposit Insurance Corporation at www.ffiec.gov/ffiecinfobase/resources/info_sec/frb-sr-01-15-standards_safeguard_cus_info.pdf.

Health Insurance Portability and Accountability Act. HIPAA Administrative Simplification Regulation Text from the Department of Health and Human Services, Office for Civil Rights at www.os.dhhs.gov/ocr/AdminSimpRegText.pdf.

European Union Data Protection Directive. Directive 95/46/EC of the European Parliament and the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal L 281, 23/11/1995 P. 0031 – 0050, at http://europa.eu.int/eur-lex/lex/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML.

ISO/IEC 17799:2005(E) Code of Practice for Information Security Management. Available from the International Electrotechnical Committee Web store at http://domino.iec.ch/preview/info_isoiec27002%7Bed1.0%7Den.pdf.

As described in the “Caveats and Disclaimers” section, this guide does not constitute legal advice and is not a substitute for individualized legal and other advice that you should receive from your legal counsel and auditors. These mappings should therefore only be used as a general guide. To determine the specific requirements for your organization, consult your legal counsel or auditors.

Control Categories

To provide a more general overview of the compliance requirements for each of the five regulations and standards, this topic presents a high-level table of the regulations and standards that map to the control categories in the sample control framework, which is loosely based on the Microsoft Operations Framework.

The mapping in this table can help you identify which control categories apply to your organization. In addition, the table indicates where multiple regulations and standards require the same control framework categories.

IT managers can use this table to help develop a plan to address regulatory compliance requirements. For example, if your organization must comply with SOX and HIPAA, you should consider implementing controls in the categories that contain marks in both the SOX and HIPAA columns. Furthermore, you might choose to prioritize your IT control efforts on the control categories that many or all of the regulations applicable to your organization require. Again, Microsoft notes that this mapping does not constitute legal advice; you must consult your legal counsel and auditors for specific, individualized guidance on this complex subject.

Table 1: Major Regulations and Standards Map to Control Categories

Control Categories                                       SOX  GLBA  HIPAA  EUDPD  ISO 17799
---------------------------------------------------------------------------------------
Organizational Framework                                  X    X     X      X         X
IT Strategic Planning                                     X    X     X      X         X
IT Resource Planning                                      X    X     X      X         X
Development and Communication of Policies and Standards   X    X     X      X         X
Solution Development                                      X    X     X                X
IT Risk Management                                        X    X     X                X
Project Management
Change Management                                         X    X     X                X
Service Level Management                                  X    X     X      X         X
Capacity and Availability Management                      X    X     X      X         X
Security Management and Administration                    X    X     X      X         X
Financial Management
Awareness and Training                                    X    X     X                X
Configuration Management                                  X          X
Problem and Incident Management                           X    X     X                X
Data Management                                           X    X     X      X         X
Operations Management                                     X          X      X         X
IT Effectiveness                                          X    X                      X
IT Assurance                                              X    X     X                X
IT Compliance and Governance                              X    X     X      X         X
Privacy Management                                             X     X      X         X

An X marks a control category that the regulation or standard in that column requires; a blank cell means the bridging document for that regulation or standard does not call for controls in that category.

The next topic, Technology Solutions for Regulatory Compliance, presents the technology solution categories that are relevant to regulatory compliance.
