Information security is paramount in today's world. The world of information security is driven by business needs and regulations. To achieve compliance, organizations often choose well-known standards as benchmarks. Many countries have enforced regulations to protect the interests of the general public. Protection of everyone's privacy is among the top priorities of every government. Beyond privacy, regulations protect investor interests and the security of personal and financial information.
Here is a list of security and privacy regulations in various countries.
United States of America
HIPAA – Health Insurance Portability and Accountability Act
To improve the efficiency and effectiveness of the health care system, the Health Insurance Portability and Accountability Act (HIPAA) of 1996, Public Law 104-191, included "Administrative Simplification" provisions that required Health and Human Services (HHS) to adopt national standards for electronic health care transactions.
The information security provisions of HIPAA are contained in the following rules:
HIPAA Security – The HIPAA Security Rule describes the requirements for securing electronic protected health information (ePHI).
HIPAA Privacy – The HIPAA Privacy Rule establishes the legal requirement to keep health information private.
More details about HIPAA can be found at http://www.hhs.gov/ocr/hipaa/
HIPAA applies to all healthcare providers, payers, and clearinghouses in the US.
SOX – Sarbanes-Oxley Act
The Sarbanes-Oxley Act is designed to review dated legislative audit requirements to protect investors by improving the accuracy and reliability of corporate disclosures, covering issues such as establishing a public company accounting oversight board, corporate responsibility, auditor independence, and enhanced financial disclosure.
It applies to all companies publicly traded in the United States and regulated by the Securities and Exchange Commission (SEC), including US-based companies as well as international companies that have shares traded on a US exchange.
GLBA – Gramm-Leach-Bliley Act
GLBA includes provisions for establishing administrative, physical, and technical safeguards to protect the security, confidentiality, and integrity of consumer financial information. GLBA applies to financial institutions in the US, such as banks, securities firms, insurance companies, and other companies selling financial products.
California Assembly Bill 1950
California's Assembly Bill 1950 expands on the privacy requirements of Senate Bill 1386 and requires that organizations take "reasonable precautions" to protect California residents' personal data from modification, deletion, disclosure, and misuse, rather than merely report on its disclosure.
This bill is applicable to state agencies, persons, or businesses conducting business in California that own or license computerized data containing personal information.
Authentication in an Internet Banking Environment (FFIEC November 2005 Guidance)
This guidance recommends that financial institutions and their application service providers (ASPs) deploy security measures to reliably authenticate their online banking customers. It considers single-factor authentication, when used as the only control mechanism, to be inadequate for online banking. Banks should use authentication methods that are both effective and appropriate to the risks associated with online banking. These methods include multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks.
This is applicable for all financial institutions in the U.S., including banks, brokerages, credit unions and the like, and ASPs that offer Internet banking applications.
21 CFR Part 11
21 CFR Part 11 outlines the US Food and Drug Administration's requirements for electronic records and electronic signatures. It is designed to prevent fraud while permitting the widest possible use of electronic technology within the pharmaceutical industry.
Organizations must implement controls to ensure authenticity, integrity, confidentiality, and non-repudiation of electronic records. In some cases, organizations must also implement measures such as encryption and digital signatures.
It applies to all organizations regulated by the FDA, which includes pharmaceutical, biotech, medical device, food, and cosmetic companies.
California Information Practice Act (SB 1386)
This regulation requires organizations conducting business in California to disclose any security breach that occurs to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Since the law requires notification of security breaches involving "unencrypted" sensitive data, there is a safe harbor for those organizations which have encrypted the data.
This is applicable to all state agencies, persons, or businesses conducting business in California that own or license computerized data containing personal information.
North American Electric Reliability Council (NERC)
The stated purpose is "to protect the critical cyber assets essential to the reliability of the bulk electric system."
The standard includes:
- additional detail to clarify technical requirements and compliance measures
- authorization requirements to place these measures into production
- access authorization process requirements
- generic account management requirements
- change control and configuration management requirements
- operating status monitoring tools
- backup and recovery requirements
All entities responsible for planning, operating, and using the bulk electric system must comply with NERC reliability standards.
Federal Information Security Management Act (FISMA)
FISMA requires federal agencies to develop, document, and implement agency-wide programs to secure data and information systems supporting agency operations and assets, including those managed by other agencies or contractors.
Applicable to all federal agencies, state, local, and tribal governments, as well as private sector organizations that make up the critical infrastructure of the United States.
USA PATRIOT Act
The Act gives federal officials greater authority to track and intercept communications, both for law enforcement and foreign intelligence gathering purposes.
All US companies and companies conducting business in the US are affected by this regulation.
Federal Information Processing Standards (FIPS)
For applications or devices that include cryptography, U.S. federal government agencies are required to use a cryptographic product that has been Federal Information Processing Standard (FIPS) 140 validated or Common Criteria (CC) validated, and most CC Protection Profiles rely on FIPS validation for cryptographic security.
The FIPS 140 requirement is applicable to all U.S. government departments and agencies which use cryptographic-based security systems to protect unclassified information, including any organization selling products to U.S. and Canadian government agencies.