Issues and Challenges of the IT auditor
All organizations must work within a framework of laws and regulations. These rules may dictate how data is processed, handled, stored, and destroyed. Businesses are increasingly tasked with processing a growing amount of electronic information. If they fail to handle this information properly with due care and due diligence, they could be subject to legal fines, loss of public confidence, or even jail time. Companies can be held liable if personal data is disclosed to an unauthorized person.
One example of such legislation is the Safe Harbor Act. This act prohibits the transfer of personal data to non–European Union (E.U.) nations that do not meet the European standard for privacy protection. Companies that fail to meet E.U. standards can face legal recourse, suffer a loss of public confidence, or even be blocked from doing business in the E.U. Although ISACA does not test CISA candidates on the specifics of regulatory standards, candidates should understand the framework in which their industry operates. Some of these regulatory standards include the following:
- U.S. Health Insurance Portability and Accountability Act (HIPAA)—U.S. standards on management of health-care data
- Sarbanes-Oxley Act (SOX)—U.S. financial and accounting disclosure and accountability
- Basel Accord Standard II—European banking requirements
- U.S. Federal Information Security Management Act (FISMA)—Security standards for U.S. government systems
- Committee of Sponsoring Organizations of the Treadway Commission (COSO)—A private industry initiative to identify factors that lead to fraudulent financial reporting and to be used as a voluntary internal framework of controls
- U.S. Supervisory Control and Data Acquisition (SCADA)—Enhanced security for automated control systems
- U.S. Fair and Accurate Credit Transactions Act of 2003 (FACTA)—Legislation to reduce fraud and identity theft