Main Regulations Affecting Information Security - United States
GLOBAL: universal regulations or standards, applicable to entities worldwide.
Who's impacted: entities to which the standards or regulations apply.
| Category | Regulation | Description | Who's impacted? |
|---|---|---|---|
| Risk Management | Basel II | The aim of this regulation is to better align bank capital requirements with underlying risks. Banks are required to monitor, mitigate and disclose risk. | |
| Risk Management | Payment Card Industry (PCI) Data Security Standard | The aim of this standard is to provide a single set of security requirements to be used by all payment organizations. Merchants and service providers should use the standard to assess their security status. | |
| Corporate Governance | The Sarbanes-Oxley Act (SOX) | This act makes it mandatory for organizations to ensure that their financial information is accurate and that the systems generating that information are reliable. Management is required to undergo an assessment of internal controls over financial reporting, carried out by external auditors. | |
| Privacy | Gramm-Leach-Bliley Act (GLBA) | This act stipulates which safeguards need to be put in place to protect the security, confidentiality and integrity of consumer financial information. | |
| Privacy | Health Insurance Portability and Accountability Act (HIPAA) | The HIPAA Privacy Rule provides standards for the use and disclosure of individuals' health information by organizations. The standards also address individuals' privacy rights to understand and control how their health information is used. The Privacy Rule requires covered entities to ensure the confidentiality, integrity and availability of individuals' health information. | |
| Privacy | California Assembly Bill 1950 (AB 1950) | This bill builds on the privacy requirements of Senate Bill 1386 and requires that organizations take "reasonable precautions" to protect California residents' personal data from modification, deletion, disclosure and misuse, rather than merely report on its disclosure. http://info.sen.ca.gov/pub/03-04/bill/asm/ab_1901-1950/ab_1950_bill_20040929_chaptered.pdf | |
| Risk Management | Authentication in an Internet Banking Environment | This guidance recommends that organizations deploy security measures to reliably authenticate their online banking customers. http://www.ffiec.gov/ffiecinfobase/resources/info_sec/2006/ncu-05-CU-18.pdf | |
| Information Integrity | Title 21 of the Federal Regulations Part 11 (21 CFR Part 11) | This regulation outlines the US Food and Drug Administration's requirements for electronic records and electronic signatures. Organizations must implement controls to ensure the authenticity, integrity, confidentiality and non-repudiation of electronic records. In some cases, organizations must also implement measures such as encryption and digital signatures. | |
| Information Integrity | Federal Information Security Management Act (FISMA) | This act requires federal agencies to develop, document and implement agency-wide programs to secure the data and information systems supporting agency operations and assets, including those managed by other agencies or third parties. | |
| Security Breach Notification | California Information Practice Act (Senate Bill 1386) | This act requires organizations to disclose any security breach to any California resident whose unencrypted personal information may have been acquired by an unauthorized person. http://www.leginfo.ca.gov/cgi-bin/postquery?bill_number=sb_1386&sess=PREV&house=B&author=peace | |
| National Security | USA PATRIOT Act | This act gives federal officials greater authority to track and intercept communications, both for law enforcement and for foreign intelligence gathering purposes. | |
| Standards | Federal Information Processing Standards (FIPS) | This standard requires that all applications and devices using cryptography have been FIPS or Common Criteria (CC) validated. | |