If data on your network includes employee or customer medical records, or your company's financial data, whether revenue or financial reporting, then you most likely must comply with federal law (HIPAA for health information, Sarbanes-Oxley for financial reporting at publicly traded companies). Similarly, for federal agencies and the organizations that handle data on their behalf, the National Institute of Standards and Technology (NIST) sets minimum standards for handling data in the government's IT systems. Compliance requirements are strictest of all for data handled by US defense-related organizations.
The penalties for non-compliance are severe: federal prosecution for corporate officers, and demotion or discharge for civil servants.
From an IT perspective, complying with such requirements means implementing practices that maintain the integrity and security of data, and that often includes keeping a repository of network device configurations, so that every change is recorded and a device's running configuration can be compared against an approved baseline. Only legal and technical experts with specific knowledge of your business or agency can determine how, and to what extent, your IT systems must comply with federal laws and regulations; the practices and tools for managing compliance, however, have predictable features.
Most IT compliance management systems are policy-based. Each policy is built from specific rules (for example, that a given configuration statement must be present, or must be absent) and is then applied to a set of network devices. A report built from one or more policies lets an IT manager audit devices across the network, quickly identifying which devices are running compliant configurations and flagging the configuration statements that must be remediated on devices that are currently out of compliance.
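To make the rule/policy/report layering concrete, here is a small policy-based configuration audit written for this article as an added example. It is not code from the page or from any product it describes. The rule IDs, the regex checks (modelled loosely on common router hardening items), and the two Cisco IOS-style device configurations are all constructed for illustration and are not drawn from a published standard or real devices.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One compliance rule: a regex applied line by line to a device configuration."""
    rule_id: str      # hypothetical identifier, not from any real standard
    description: str
    pattern: str      # regex matched against each config line
    mode: str         # "require": some line must match; "forbid": no line may match
    remediation: str  # config statement to apply when the rule fails


@dataclass
class Finding:
    device: str
    rule_id: str
    description: str
    evidence: str     # the offending line, or a note that a required line is absent
    remediation: str


# A policy is simply an ordered list of rules (constructed for this example).
POLICY = [
    Rule("NET-001", "Telnet must be disabled on VTY lines",
         r"^\s*transport input .*telnet", "forbid", "transport input ssh"),
    Rule("NET-002", "SNMP community 'public' must not be configured",
         r"^snmp-server community public\b", "forbid", "no snmp-server community public"),
    Rule("NET-003", "SSH version 2 must be enforced",
         r"^ip ssh version 2$", "require", "ip ssh version 2"),
    Rule("NET-004", "Logging to a central syslog host must be enabled",
         r"^logging host \S+", "require", "logging host <syslog-server>"),
    Rule("NET-005", "Passwords must be stored encrypted",
         r"^service password-encryption$", "require", "service password-encryption"),
]


def audit_config(device, config_text, policy=POLICY):
    """Apply every rule in the policy to one device config; return its findings."""
    lines = [line.rstrip() for line in config_text.splitlines()]
    findings = []
    for rule in policy:
        if rule.mode not in ("require", "forbid"):
            raise ValueError(f"unknown mode {rule.mode!r} in rule {rule.rule_id}")
        rx = re.compile(rule.pattern)
        matches = [line for line in lines if rx.search(line)]
        if rule.mode == "forbid":
            # Every matching line is a separate statement that needs remediation.
            for line in matches:
                findings.append(Finding(device, rule.rule_id, rule.description,
                                        line.strip(), rule.remediation))
        elif not matches:
            findings.append(Finding(device, rule.rule_id, rule.description,
                                    "(required statement absent)", rule.remediation))
    return findings


def run_report(devices, policy=POLICY):
    """Audit every device; an empty finding list means the device is compliant."""
    return {name: audit_config(name, cfg, policy) for name, cfg in devices.items()}


def format_report(report):
    out = []
    for device, findings in report.items():
        status = "COMPLIANT" if not findings else f"NON-COMPLIANT ({len(findings)} finding(s))"
        out.append(f"{device}: {status}")
        for f in findings:
            out.append(f"  [{f.rule_id}] {f.description}")
            out.append(f"      evidence:  {f.evidence}")
            out.append(f"      remediate: {f.remediation}")
    return "\n".join(out)


# Constructed sample configurations (IOS-like syntax), not captured from real devices.
DEVICES = {
    "core-rtr-1": """\
hostname core-rtr-1
service password-encryption
ip ssh version 2
logging host 10.0.0.5
line vty 0 4
 transport input ssh
""",
    "edge-sw-7": """\
hostname edge-sw-7
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
""",
}

if __name__ == "__main__":
    print(format_report(run_report(DEVICES)))
```

Run as-is, the report marks `core-rtr-1` compliant and lists five findings for `edge-sw-7`, each with the exact statement to remediate. Line-oriented regex rules are deliberately simple; a production tool also has to understand configuration context (for example, that `transport input` lives under a `line vty` block) and vendor-specific syntax, which is the main thing you pay for in a packaged product.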
The most useful tools come with packaged reports covering the laws and regulations that commonly affect IT systems. For example, this video showcases a compliance management system that is ready to audit compliance with SOX, HIPAA, DISA STIG, and CISP: