zencoder
June 30th, 2005, 11:43 PM
I'd like to share the basics behind commonly encountered regulations and compliance efforts we see, professionally. I've got a decent list I plagiarized from some slides, with a few added from my own experience at the bottom (Payment Card Industry stuff).
Please add any more you know of, particularly NON-US regulations (I have limited experience in this area, but would like to learn). I'll try to use a standard format to help make it easier to compare them (too bad we can't make tables with the AO site code).
Sarbanes-Oxley Act of 2002 (http://www.aicpa.org/info/sarbanes_oxley_summary.htm)
Mandating Organization - US Securities and Exchange Commission (SEC)
Security requirements built on CobiT framework - authentication, access controls, user account management, credential lifecycle management, non-repudiation and audit controls
Affects companies publicly traded on US exchanges
Financial Modernization Act of 1999 (http://www.ftc.gov/privacy/glbact/), also known as the “Gramm-Leach-Bliley Act” or GLB
US Office of the Comptroller of the Currency (OCC)
Security requirements include authentication, access controls, encryption, data integrity controls, and audit controls
Affects all financial institutions regulated by the OCC
HIPAA (http://www.hhs.gov/ocr/hipaa/), the Health Insurance Portability and Accountability Act of 1996
US Department of Health and Human Services (DHHS)
Focused on authentication, access controls, transmission security, audit controls, and data integrity
Healthcare organizations in the US
Basel II (http://www.bis.org/publ/bcbsca.htm)
Basel Committee on Banking Supervision
FFIEC framework - access rights administration, authentication, network access, operating system access, application access, remote access, logging and data collection
Affects global financial service organizations
Directive 95/46/EC of the European Parliament (http://www.cdt.org/privacy/eudirective/EU_Directive_.html)
Mandated by European Union (EU) Parliament and of the Council of 24 October 1995
Measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access
Affects companies conducting business in EU member nations
Federal Information Security Management Act of 2002 (FISMA) (http://csrc.nist.gov/policies/FISMA-final.pdf)
US Federal Government
Requires federal agencies to develop, document and implement agency wide programs to secure data and information systems that support agency operations and assets, including those managed by other agencies or contractors. Direction from NIST (http://csrc.nist.gov/sec-cert/index.html)
US federal agencies and government contractors
Payment Card Industry (PCI) Data Security Standards (DSS) (http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html), usually referred to as PCI or Visa PCI (although, to be honest, DSS is more accurate, since PCI is the organization acronym)
Visa, Mastercard, American Express, Diners Club, any credit card issuer (who is a member of the Payment Card Industry group)
Formerly known as CISP for Visa, and SDP for MasterCard...
Data encryption, access controls, data integrity, auditing, firewalls, and many other standards (12 points, each with many sub requirements) to protect credit card data
Private, Industry Standard. Organizations who don't comply risk losing access to doing business with PCI members, and can have substantial fines levied by credit companies for breaches and incidents