Overview

IT Compliance and Regulations

The regulatory landscape is constantly evolving, with an ever-increasing number of laws and statutes worldwide mandating information security and data protection requirements. Alongside more established regulations and standards, such as the U.S. Health Insurance Portability and Accountability Act (HIPAA), the U.S. Gramm–Leach–Bliley Act (GLBA), SWIFT data protection policies, the Payment Card Industry Data Security Standard (PCI-DSS), and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), more recent laws have drawn considerable attention, including the European Union's (EU) General Data Protection Regulation (GDPR) and the Network and Information Security (NIS) Directive (EU 2016/1148), both of which became enforceable in 2018.

These new laws, among others, have important implications for organizations operating in the cloud. Compliance requirements are typically based on information security best practices, but it's important to remember that security and compliance aren't the same thing: a control can satisfy an auditor without reducing risk, and a risk can be reduced by controls no regulation asks for. The GDPR applies to entities that control or process personal data of individuals located in the EU. The law defines personal data quite broadly as any information relating to an identified or identifiable individual.

Challenge

IT Compliance and Policy

It's important to understand the business processes that touch personal data and the information life cycle (collection, processing, storage, and transfer) associated with each of them. Once understood, these business processes need to be risk-assessed, and a set of remediation actions defined wherever compliance gaps are uncovered. Compliance regulations allow organizations to implement policies that prevent company data from being shared with unauthorized personnel.

Results

Microsoft recently introduced a capability commonly referred to as "compliance and conditional access": device compliance state as a condition in Azure AD conditional access policies. These policies require mobile devices to comply with the organizational standards defined in Microsoft Intune before they can access network resources, such as Office 365 applications, business email, and other correspondence. You can restrict access to individual Office 365 applications when the device is unmanaged or not compliant. For instance, you can allow users to access Microsoft Word on any device while restricting access to OneDrive to managed and compliant devices only.
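The OneDrive restriction described above, expressed as a Conditional Access policy created through the Microsoft Graph PowerShell module. This is an added example written for this page, not code from Microsoft or Skafos IT Services. It assumes the Microsoft.Graph module is installed, that the signed-in account holds the Conditional Access Administrator role, and that the pilot group ID and break-glass account ID are placeholders you replace with your tenant's own values; the application ID is the well-known first-party ID for "Office 365 SharePoint Online" (the service OneDrive for Business runs on), which you should confirm in your tenant before relying on it.

```powershell
# Added example (not from Skafos IT Services or Microsoft): create a report-only
# Conditional Access policy that requires a compliant (Intune-managed) device for
# Office 365 SharePoint Online, which also covers OneDrive for Business.
# Requires the Microsoft.Graph PowerShell module and the Conditional Access Administrator role.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Assumption: a pilot group created by the tenant admin; replace the placeholder ID.
$pilotGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder

# Assumption: the object ID of a break-glass administrator account, excluded so that
# a mistaken policy cannot lock every admin out of the tenant.
$breakGlassAccountId = "<break-glass-account-object-id>"  # placeholder

# Well-known first-party app ID for "Office 365 SharePoint Online" (covers OneDrive).
# Verify it in your tenant before use:
#   Get-MgServicePrincipal -Filter "displayName eq 'Office 365 SharePoint Online'"
$sharePointAppId = "00000003-0000-0ff1-ce00-000000000000"

$policy = @{
    displayName = "Require compliant device for OneDrive/SharePoint (report-only)"
    # Start in report-only mode: the sign-in logs show who would have been blocked,
    # so the policy can be validated against the pilot group before it is enforced.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{
            includeApplications = @($sharePointAppId)
        }
        users = @{
            includeGroups = @($pilotGroupId)
            excludeUsers  = @($breakGlassAccountId)
        }
        # Scope to the mobile platforms the text describes; Word and other
        # Office 365 apps not listed under includeApplications are unaffected.
        platforms = @{
            includePlatforms = @("android", "iOS")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")
    }
}

# Create the policy. The returned object's Id is what you update later to switch
# the state from report-only to "enabled" once the pilot results look correct.
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

The policy is deliberately created in report-only mode with an excluded break-glass account. Review the "report-only" outcomes in the Entra sign-in logs for the pilot group, confirm that only unmanaged or non-compliant devices would be blocked, and only then change `state` to `"enabled"` and widen the user scope.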

Microsoft Entra

Enterprise security is an ongoing process that requires continuous monitoring, regular updating of security measures, and staying informed about the latest threats and solutions. It's essential for organizations to have a dedicated team of IT security professionals, or to partner with security experts, to manage and improve their security posture effectively. Microsoft has introduced an umbrella approach known as Microsoft Entra ID to protect any identity and to secure access to any resource, including network access solutions. Previously, organizations had to deploy multiple identity methods and secure-ID solutions in their environments, which proved costly. Today, Microsoft Entra External ID enables organizations to secure and manage any external user, including customers and partners. Skafos IT Services is here to help you drive this strategy into your company and organization.