Main Regulations Affecting Information Security - United Kingdom
GLOBAL: universal regulations or standards, applicable to entities worldwide.
Who's impacted: entities to which the standards or regulations apply.
| Risk Management | Summary | Who's impacted? |
|---|---|---|
| Basel II | The aim of this regulation is to better align bank capital requirements with underlying risks. Banks are required to monitor, mitigate and disclose risk. | |
| Payment Card Industry (PCI) Data Security Standard | The aim of this standard is to provide a single set of security requirements to be used by all payment organizations. Merchants and service providers should use the standard to assess their security status. | |

| Corporate Governance | Summary | Who's impacted? |
|---|---|---|
| The Turnbull Guidance 1999 | The aim of this guidance is to encourage companies to identify and manage internal and external risk within their organizations. | |
| The Companies Act 1985 Regulations 2005 | These regulations amend the Companies Act 1985 and introduce the need for an Operating and Financial Review. This must contain a fair review of the business of the company and a description of the principal risks and uncertainties facing the company. | |
| The Companies Act 2004 | This act aims to improve the reliability of financial reporting and the independence of auditors. It emphasizes the role of the Financial Reporting Review Panel (FRRP) in enforcing good accounting and reporting. | |
| Money Laundering Regulations 2003 (MLR) | These regulations require businesses to appoint a money laundering reporting officer (MLRO) to train employees on the relevant principles and requirements of the legislation, verify the identity of new clients, and securely maintain records of client identification and transactions for five years. | |

| Privacy | Summary | Who's impacted? |
|---|---|---|
| UK Data Protection Act | This act legally binds any entity processing personal data to establish good practice in managing and using the data. All entities must comply with eight enforceable principles of good information handling practice. The principles also require entities to prevent unauthorized or unlawful processing of data, and accidental loss of or damage to data. | |
| The Freedom of Information Act 2000 (UK) | This act states that public authority information cannot be altered, defaced, corrupted or destroyed. Public authorities need to ensure uptime of the systems holding the information. | |

| Privacy | Summary | Who's impacted? |
|---|---|---|
| EU Data Protection Directive (EU DPD) | This directive covers the processing of personal data, including automatically processed data and manual data held in a filing system. Organizations must implement appropriate measures to protect personal data against unauthorized access, accidental or unlawful destruction, accidental loss, alteration or unauthorized disclosure. The US Safe Harbor Arrangement is a streamlined process for US companies to comply with the Directive. | |
| EC Privacy and Electronic Communications Regulations | These regulations protect the public from electronic marketing practices that cause nuisance, offence and invasion of privacy. They call for security measures to be put in place to ensure that electronic marketing records are both available and correct. Electronic service providers are required to maintain system and network uptime as well as implement security measures to protect customer data. http://europa.eu.int/comm/justice_home/fsj/privacy/law/index_en.htm | |

| Information Integrity | Summary | Who's impacted? |
|---|---|---|
| EU Annex 11, Computerised Systems | The main aim of this regulation is to ensure that "records are accurately made and protected against loss or damage or unauthorized alteration so that there is a clear and accurate audit trail throughout the manufacturing process". http://www.labcompliance.com/documents/europe/h-213-eu-gmp-annex11.pdf | |