This directory includes laws, regulations and industry guidelines with significant security and privacy impact and requirements. Each entry includes a link to the full text of the law or reg as well as information about what and who is covered.
The list is intentionally US-centric, but includes selected laws of other nations that have an impact on US-based global companies.
The security regulations and guidelines directory will be updated and expanded over time on CSOonline.com. Please email editor Derek Slater (dslater@cxo.com) with suggestions or updates.
Click on a link to skip to a subsection of the directory:
* Broadly applicable laws and regulations
* Industry-specific guidelines and requirements
Section one: Broadly applicable laws and regulations
Sarbanes-Oxley Act (aka Sarbox, SOX)
What Sarbanes-Oxley covers: Enacted in 2002, the Sarbanes-Oxley Act is designed to protect investors and the public by increasing the accuracy and reliability of corporate disclosures. It was enacted after the high-profile Enron and WorldCom financial scandals of the early 2000s. It is administered by the Securities and Exchange Commission, which publishes SOX rules and requirements defining audit requirements and the records businesses should store and for how long.
More about Sarbanes-Oxley
* How infosec can learn to love Sarbanes-Oxley
Who is affected: U.S. public company boards, management and public accounting firms.
Full text of Sarbanes-Oxley Act: http://www.gpo.gov/fdsys/pkg/PLAW-107publ204/content-detail.html
Key requirements/provisions: The Act is organized into 11 titles:
1. Public Company Accounting Oversight
2. Auditor Independence
3. Corporate Responsibility
4. Enhanced Financial Disclosures
5. Analyst Conflicts of Interest
6. Commission Resources and Authority
7. Studies and Reports
8. Corporate and Criminal Fraud Accountability
9. White-Collar Crime Penalty Enhancements
10. Corporate Tax Returns
11. Corporate Fraud Accountability
Source: SarbanesOxleyCompliance.com
Payment Card Industry Data Security Standard (PCI DSS)
What it covers: The PCI DSS is a set of requirements for enhancing security of payment customer account data. It was developed by the founders of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa to help facilitate global adoption of consistent data security measures. PCI DSS includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.
More about PCI DSS
* PCI's post-audit pain points
* The art of the compensating control
* The essential retail security reader
The Council has also issued requirements called the Payment Application Data Security Standard (PA DSS) and PCI Pin Transaction Security (PCI PTS).
Who is affected: Retailers, credit card companies, anyone handling credit card data.
Link to the PCI DSS requirements:
The current version is PCI DSS v2.0, issued 10/28/2010. https://www.pcisecuritystandards.org/security_standards/documents.php
You will also find full text of the latest PA DSS and PCI PTS requirements on that page.
Support documents (including a summary of the significant differences between PCI DSS v1.2 and PCI DSS v2.0): https://www.pcisecuritystandards.org/security_standards/pci_dss_supporting_docs.shtml
Key requirements/provisions: Currently, PCI DSS specifies 12 requirements, organized in six basic objectives:
Objective 1: Build and Maintain a Secure Retail Point of Sale System
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Objective 2: Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Objective 3: Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Objective 4: Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Objective 5: Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Objective 6: Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
Source: PCI Security Standards Council
The Gramm-Leach-Bliley Act (GLB) Act of 1999
What it covers: Also known as the Financial Modernization Act of 1999, the GLB Act includes provisions to protect consumers' personal financial information held by financial institutions. There are three principal parts to the privacy requirements: the Financial Privacy Rule, the Safeguards Rule and pretexting provisions.
Who is affected: Financial institutions (banks, securities firms, insurance companies), as well as companies providing financial products and services to consumers (including lending, brokering or servicing any type of consumer loan; transferring or safeguarding money; preparing individual tax returns; providing financial advice or credit counseling; providing residential real estate settlement services; collecting consumer debts).
Link to the law: The Privacy of Consumer Financial Information rule within GLB: http://www.ftc.gov/os/2000/05/65fr33645.pdf
Laws and rules pertaining to GLB: http://www.ftc.gov/privacy/privacyinitiatives/financial_rule_lr.html
Key requirements/provisions: The privacy requirements of GLB include three principal parts:
The Financial Privacy Rule: Requires financial institutions to give customers privacy notices that explain its information collection and sharing practices. In turn, customers have the right to limit some sharing of their information. Financial institutions and other companies that receive personal financial information from a financial institution may be limited in their ability to use that information.
The Safeguards Rule: Requires all financial institutions to design, implement and maintain safeguards to protect the confidentiality and integrity of personal consumer information.
Pretexting provisions: Protect consumers from individuals and companies that obtain their personal financial information under false pretenses, including fraudulent statements and impersonation.
Source: Federal Trade Commission
Electronic Fund Transfer Act, Regulation E
What it covers: Enacted in 1978, this law protects consumers engaging in electronic fund transfers from errors and fraud. It carries out the purposes of the Electronic Fund Transfer Act, which establishes the basic rights, liabilities, and responsibilities of EFT consumers of financial institutions that offer these services. EFTs include ATM transfers, telephone bill-payment services, point-of-sale terminal transfers in stores and preauthorized transfers from or to a consumer's account (such as direct deposit and Social Security payments). Effective August 2010, a new provision states that institutions may not impose dormancy, inactivity or service fees for pre-paid products, such as gift cards, nor can they have an expiration date of less than five years.
Who is affected: Financial institutions that hold consumer accounts or provide EFT services, as well as merchants and other payees.
Link to the law:
http://www.fdic.gov/regulations/laws/rules/6500-3100.html
With 2010 updates: http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&tpl=/ecfrbrowse/Title12/12cfr205_main_02.tpl
Key requirements/provisions: Regulation E includes the following provisions:
* Definition of access device (debit cards, PINs, phone transfers, bill payment codes, private label cards).
* Consumer acceptance of device (either through a request for the device or validation of an unsolicited device).
* Financial institution responsibilities, such as disclosure requirements and records retention.
* Consumer rights and responsibilities, such as procedures for reporting lost or stolen access devices and notifying the institution of an error.
* Rules for preauthorized debits and electronic check transactions.
* Error resolution process.
* Unauthorized EFTs.
Source: BankersOnline.com, Alston & Byrd LLP
Customs-Trade Partnership Against Terrorism (C-TPAT)
What it covers: C-TPAT is a worldwide supply chain security initiative established in 2004. It is a voluntary initiative run by U.S. Customs and Border Protection, with the goals of preventing terrorists and terrorist weapons from entering the U.S. It is designed to build cooperative government-business relationships that strengthen and improve the overall international supply chain and U.S. border security. Businesses are asked to ensure the integrity of their security practices and communicate and verify the security guidelines of their business partners within the supply chain.
More about C-TPAT and supply chain security
* C-TPAT and cargo security: Sea change
* 10 steps to loading dock security
Benefits for participating in C-TPAT include a reduced number of CBP inspections, priority processing for CBP inspections, assignment of a C-TPAT supply chain security specialist to validate security throughout the company's supply chain and more.
Who is affected: Trade-related businesses, such as importers, carriers, consolidators, logistics providers, licensed customs brokers, and manufacturers.
Link to overview of C-TPAT:
http://www.cbp.gov/xp/cgov/trade/cargo_security/ctpat/what_ctpat/ctpat_overview.xml
Security criteria for various players:
http://www.cbp.gov/xp/cgov/trade/cargo_security/ctpat/security_criteria/
Key requirements/provisions: C-TPAT relies on a multi-layered approach consisting of the following five goals:
1. Ensure that C-TPAT partners improve the security of their supply chains pursuant to C-TPAT security criteria.
2. Provide incentives and benefits to include expedited processing of C-TPAT shipments to C-TPAT partners.
3. Internationalize the core principals of C-TPAT.
4. Support other CBP initiatives, such as Free and Secure Trade, Secure Freight Initiative, Container Security Initiative.
5. Improve administration of the C-TPAT program.
C-TPAT security criteria encompass the following areas:
* Business partners
* Conveyance security
* Physical access control
* Personnel security
* Procedural security
* Physical security
* Security training/Threat awareness
* Information technology security
Source: U.S. Bureau of Customs and Border Protection
Free and Secure Trade Program (FAST)
What it covers: FAST is a voluntary commercial clearance program run by U.S. Customs and Border Protection for pre-approved, low-risk goods entering the U.S. from Canada and Mexico. Initiated after 9/11, the program allows for expedited processing for commercial carriers who have completed background checks and fulfill certain eligibility requirements. Participation in FAST requires that every link in the supply chain -- from manufacturer to carrier to driver to importer -- is certified under the C-TPAT program (see above). Cards cost $50 and are valid for 5 years.
Benefits of using FAST and C-TPAT include:
* Upon terrorist alerts, FAST/C-TPAT drivers will be allowed to cross the border.
* Dedicated lanes for greater speed and efficiency
* Reduced cost of compliance with customs requirements.
Who is affected: Importers, carriers, consolidators, licensed customs brokers, and manufacturers.
Link to FAST program details: http://www.cbp.gov/xp/cgov/trade/cargo_security/ctpat/fast/fast_driver/
Key requirements/provisions: Highway carriers authorized to use the FAST/C-TPAT program need to meet the following requirements:
* A demonstrated history of complying with all relevant legislative and regulatory requirements.
* Have made a commitment to security-enhancing business practices, as required by the C-TPAT and Canada's PIP program.
* Use drivers that are in possession of a valid FAST commercial driver card when using FAST clearance.
* In the case of carriers seeking FAST clearance into Canada, be bonded and have the necessary business processes required for the Customs Self Assessment (CSA) program.
Source: U.S. Bureau of Customs and Border Protection
Children's Online Privacy Protection Act
What it covers: COPPA, which took effect in 2000, applies to the online collection of personal information from children under 13. Monitored by the Federal Trade Commission (FTC), the rules limit how companies may collect and disclose children's personal information. They codify what a Web site operator must include in a privacy policy, when and how to seek verifiable consent from a parent and what responsibilities an operator has to protect children's privacy and safety online.
Who is affected: Operators of commercial Web sites and online services directed to children under 13 that collect personal information from children, as well as general audience Web sites with actual knowledge they are collecting personal information from children.
Link to the law: http://www.ftc.gov/ogc/coppa1.htm
Key requirements/provisions: Basic provisions of COPPA include: