As a developer, understanding the issues around regulatory compliance can be a difficult and frustrating endeavor. Most developers do not have a legal background and regulators generally do not have a background in software development. The result is a failure to communicate – the language and requirements described in legislation are not easy to pin to explicit software requirements. The problem is compounded by the growing diversity of regulations on a variety of levels – state, federal and international – that now make up a patchwork of compliance requirements with sometimes overlapping applications. This document attempts to bridge this gap and make sense of regulatory compliance from a developer’s point of view. We’ve spent the time reading and analyzing legislation so that you don’t have to. While this document may not contain every detail you need, it should provide a good starting point to help you focus on the right areas to be successful in your compliance objectives.
This document covers six of the most relevant pieces of legislation in depth and then touches on four others more lightly. For each piece of legislation four areas are covered:
- Summary of the Legislation – Explains the act from a developer’s point of view, telling you what you need to know in order to understand its implications on your application development
- Required Process Steps – Explains in more depth which requirements are relevant to software developers. Generally speaking this section will explain what types of data are considered sensitive and how they need to be protected.
- Technologies and Techniques – Explains strategies and techniques for meeting the legislative requirements. These are separated into five main categories: Confidentiality, Integrity, Availability, Auditing and Logging, and Authentication.
- Additional Resources – Provides links where you can gather more information on the legislation in question.