
The Ultimate IT Compliance & Terminology Encyclopedia (2026 Edition) | Lazy Admin Blog


In the enterprise world, “Standard” is a myth. Every system you touch falls into a bucket that defines how you patch it, who can access it, and how long you keep the logs. If you misclassify a system, you’re not just breaking a rule—you’re inviting an auditor to move into your office for a month.
1. The “Big Three” of Regulatory Compliance

Sarbanes-Oxley (SOx)

  • Industry: Finance / Publicly Traded Companies (US).
  • The Focus: Preventing financial fraud.
  • IT Impact: Controls over who can modify financial data. If a system supports a key business financial process (ERP, Payroll, Billing), it is In-Scope for SOx.
  • The Issue: A failure to rotate admin passwords or an unlogged manual change to a database.

GxP (Good Practice)

  • Industry: Life Sciences / Pharmaceuticals / Medical Devices.
  • The Focus: Product safety and human life. (GMP = Manufacturing, GLP = Lab, GCP = Clinical).
  • IT Impact: Systems must be Validated (proven to do exactly what they say). Any uncontrolled change can “De-validate” the environment.
  • The Issue: Loss of clinical data or unscheduled downtime during a manufacturing run.

GDPR / CCPA / LGPD

  • Industry: Global / Consumer Data.
  • The Focus: Individual Privacy.
  • IT Impact: The “Right to be Forgotten.” You must be able to delete a specific user’s data from all production systems and backups upon request.
  • The Issue: A data leak of personal information or failing to delete data within the legal timeframe.

2. Industry-Specific Verticals

Compliance   Industry             Key Requirement
HIPAA        Healthcare (US)      Protection of ePHI (Electronic Protected Health Information). Encryption is non-negotiable.
PCI-DSS      Retail / Finance     Security of the CDE (Cardholder Data Environment). Strict network isolation for credit card traffic.
FERPA        Education (US)       Protection of student records and privacy.
FISMA        Government (US)      Security standards for federal agencies and contractors.

3. Internal Quality vs. Security Issues

Quality Issue (Non-Conformance)

A failure to follow internal Standard Operating Procedures (SOPs).

  • Example: You applied a patch during a blackout period without CAB approval. The server didn’t break, and it’s not a legal breach, but it is a Quality Issue because you ignored the process.

Security Issue (Breach)

An uncontrolled event that compromises the Confidentiality, Integrity, or Availability of data.

  • Example: Social engineering (phishing), unauthorized root access, malicious code (Trojans/Worms), or theft of hardware.

4. Technical Audit Terminology

  • ALCOA+: The gold standard for data integrity. Data must be Attributable, Legible, Contemporaneous, Original, and Accurate.
  • Segregation of Duties (SoD): The person who requests a change cannot be the same person who approves it or implements it.
  • SOC 2 (Type I & II): An audit report demonstrating that a service provider manages data securely (Common for SaaS).
  • SLA (Service Level Agreement): The promised uptime. Exceeding the agreed downtime isn’t just a technical failure; it’s a Quality Issue.
  • Tombstone Lifetime: In AD, the number of days a deleted object is kept before being physically removed from the database (usually 60–180 days).
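The Quality Issue example in section 3 (a patch applied during a blackout period without CAB approval) and the Segregation of Duties rule above reduce to checks that a change-management script can run before a change ticket is closed. The Python below is an added example, not code from the Lazy Admin Blog: the change records, blackout calendar, system names and people are all constructed for illustration, and a real implementation would read them from the ticketing system. It flags exactly the three conditions the text describes (no CAB approval, requester acting as approver or implementer, change window overlapping a blackout) and reports each as a Quality Issue rather than a Security Issue, since none of them by itself compromises data.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class ChangeRecord:
    """One change ticket as it would come out of the CMDB / ticketing tool (constructed)."""
    change_id: str
    system: str
    requested_by: str
    approved_by: Optional[str]   # CAB approver; None when no approval was ever recorded
    implemented_by: str
    window_start: datetime
    window_end: datetime


@dataclass
class BlackoutPeriod:
    """A change-freeze window, e.g. quarter-end close on a SOx in-scope system (constructed)."""
    name: str
    start: datetime
    end: datetime


def windows_overlap(a_start: datetime, a_end: datetime,
                    b_start: datetime, b_end: datetime) -> bool:
    """Half-open interval test: True when the two windows share any instant."""
    return a_start < b_end and b_start < a_end


def find_quality_issues(change: ChangeRecord,
                        blackouts: List[BlackoutPeriod]) -> List[str]:
    """Return the list of process (Quality) issues on a change; empty list means clean."""
    issues: List[str] = []

    # Rule 1: every change needs a recorded CAB approval.
    if change.approved_by is None:
        issues.append("no CAB approval recorded")

    # Rule 2: Segregation of Duties as the glossary states it:
    # the requester may neither approve nor implement their own change.
    if change.requested_by == change.implemented_by:
        issues.append(f"SoD: requester {change.requested_by} also implemented the change")
    if change.approved_by is not None and change.approved_by == change.requested_by:
        issues.append(f"SoD: requester {change.requested_by} approved their own change")

    # Rule 3: the change window must not touch a blackout period.
    for blackout in blackouts:
        if windows_overlap(change.window_start, change.window_end,
                           blackout.start, blackout.end):
            issues.append(f"change window overlaps blackout period '{blackout.name}'")

    return issues


def audit(changes: List[ChangeRecord],
          blackouts: List[BlackoutPeriod]) -> Dict[str, List[str]]:
    """Run the checks over a batch of tickets, keyed by change id."""
    return {c.change_id: find_quality_issues(c, blackouts) for c in changes}


# Constructed sample data: one blackout and three tickets with known outcomes.
BLACKOUTS = [
    BlackoutPeriod("quarter-end close", datetime(2026, 3, 28), datetime(2026, 4, 3)),
]

SAMPLE_CHANGES = [
    # Clean: separate requester/approver/implementer, outside the blackout.
    ChangeRecord("CHG-1001", "erp-db-01", "alice", "cab-chair", "bob",
                 datetime(2026, 3, 14, 22, 0), datetime(2026, 3, 14, 23, 0)),
    # The glossary's example: patch during blackout, no CAB, self-implemented.
    ChangeRecord("CHG-1002", "erp-db-01", "bob", None, "bob",
                 datetime(2026, 3, 30, 22, 0), datetime(2026, 3, 30, 23, 0)),
    # Approved by the requester herself, otherwise fine.
    ChangeRecord("CHG-1003", "payroll-app-02", "carol", "carol", "dave",
                 datetime(2026, 3, 20, 1, 0), datetime(2026, 3, 20, 2, 0)),
]


if __name__ == "__main__":
    for change_id, issues in audit(SAMPLE_CHANGES, BLACKOUTS).items():
        print(f"{change_id}: {'OK' if not issues else 'QUALITY ISSUE'}")
        for issue in issues:
            print(f"    - {issue}")
```

Run it as a pre-close gate on the ticket queue, or point it at last quarter's exported tickets before the auditor does. Note that it deliberately implements only the SoD rule as the glossary words it (requester versus approver, requester versus implementer); if your SOP also separates approver from implementer, add that comparison beside the other two.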

Lazy Admin Tip 💡

Always keep a “Compliance Map” of your server rack. Knowing which VLAN is PCI-In-Scope versus which one is just Dev/Test will save you from accidentally triggering a massive audit trail for a routine reboot.

#ITCompliance #GDPR #CyberSecurity #SysAdmin #ITAudit #EnterpriseIT #LazyAdmin #CareerDevelopment