I'd like to share the basics behind commonly encountered regulations and compliance efforts we see, professionally. I've got a decent list I plagiarized from some slides, with a few added from my own experience at the bottom (Payment Card Industry stuff).

Please add any more you know of, particularly NON-US regulations (I have limited experience in this area, but would like to learn). I'll try to use a standard format (name, mandating organization, security requirements, who is affected) to help make it easier to compare them (too bad we can't make tables with the AO site code).

  • Sarbanes-Oxley Act of 2002
      • Mandating Organization - US Securities and Exchange Commission (SEC)
      • Security requirements built on the CobiT framework - authentication, access controls, user account management, credential lifecycle management, non-repudiation and audit controls
      • Affects companies publicly traded on US exchanges
  • Financial Modernization Act of 1999, also known as the "Gramm-Leach-Bliley Act" or GLB
      • Mandating Organization - US Office of the Comptroller of the Currency (OCC)
      • Security requirements include authentication, access controls, encryption, data integrity controls, and audit controls
      • Affects all financial institutions regulated by the OCC
  • HIPAA, the Health Insurance Portability and Accountability Act of 1996
      • Mandating Organization - US Department of Health and Human Services (DHHS)
      • Focused on authentication, access controls, transmission security, audit controls, and data integrity
      • Affects healthcare organizations in the US
  • Basel II
      • Mandating Organization - Basel Committee on Banking Supervision
      • FFIEC framework - access rights administration, authentication, network access, operating system access, application access, remote access, logging and data collection
      • Affects global financial service organizations
  • Directive 95/46/EC of the European Parliament
      • Mandated by the European Union (EU) Parliament and the Council, 24 October 1995
      • Measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access
      • Affects companies conducting business in EU member nations
  • Federal Information Security Management Act of 2002 (FISMA)
      • Mandating Organization - US Federal Government
      • Requires federal agencies to develop, document and implement agency-wide programs to secure data and information systems that support agency operations and assets, including those managed by other agencies or contractors. Direction from NIST
      • Affects US federal agencies and government contractors
  • Payment Card Industry (PCI) Data Security Standards (DSS), usually referred to as PCI or Visa PCI (although, to be honest, DSS is more accurate, since PCI is the organization acronym)
      • Mandating Organization - Visa, Mastercard, American Express, Diners Club, any credit card issuer (who is a member of the Payment Card Industry group)
      • Formerly known as CISP for Visa, and SDP for MasterCard...
      • Data encryption, access controls, data integrity, auditing, firewalls, and many other standards (12 points, each with many sub-requirements) to protect credit card data
      • Private, industry standard. Organizations who don't comply risk losing access to doing business with PCI members, and can have substantial fines levied by credit companies for breaches and incidents