Solved

IT Resources for Regulatory/Legal Requirements

Posted on 2013-12-02
3
412 Views
Last Modified: 2014-03-03
Apologies if this is not appropriate , but need some advice/recommendations on possible sources/websites to review/monitor possible regulatory/legal issue and or requirements for Information Security/IT Managment
0
Comment
Question by:schuitkds
3 Comments
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 39691758
Anything you get online is going to be half-baked at best.  Contact an attorney for your state/country.  Regulatory and legal advice offered here will most certainly not be considered a valid defense if you do something you shouldn't have.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39692205
You can find what you need online, but you need to know the industry, the locality and have a good idea about security before hand. If your company/Client is in the Health Care business, they are subject to HIPAA. If you're company/client is publicly traded in the US, they are bound by SOX, if your company/client does credit card processing or the storing of CC info then PCI-DSS needs to be looked into (worldwide). Then there are breach reporting laws like those in California and other states.
That last link is helpful for some US State laws.
http://www.ncsl.org/research/telecommunications-and-information-technology/data-disposal-laws.aspx
Wikipedia has a good entry for Personally Identifiable Information: http://en.wikipedia.org/wiki/Personally_identifiable_information#United_States_of_America
-rich
0
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 39692371
This link has good summary and can differs from country, it does set some good fundamental ground of understanding as other take references and learn from it as well.

1) Broadly applicable laws and regulations includes:
Sarbanes-Oxley Act (SOX);
Payment Card Industry Data Security Standard (PCI DSS);
Gramm-Leach-Bliley Act (GLB) Act;
Electronic Fund Transfer Act, Regulation E (EFTA);
Customs-Trade Partnership Against Terrorism (C-TPAT);
Free and Secure Trade Program (FAST);
Children's Online Privacy Protection Act (COPPA);
Fair and Accurate Credit Transaction Act (FACTA), including Red Flags Rule;
Federal Rules of Civil Procedure (FRCP)

2) Industry-specific guidelines and requirements includes:
Federal Information Security Management Act (FISMA);
North American Electric Reliability Corp. (NERC) standards;
Title 21 of the Code of Federal Regulations (21 CFR Part 11) Electronic Records;
Health Insurance Portability and Accountability Act (HIPAA);
The Health Information Technology for Economic and Clinical Health Act (HITECH);
Patient Safety and Quality Improvement Act (PSQIA, Patient Safety Rule);
H.R. 2868: The Chemical Facility Anti-Terrorism Standards Regulation

3) Key state laws includes:
Massachusetts 201 CMR 17 (aka Mass Data Protection Law);
Nevada Personal Information Data Privacy Encryption Law NRS 603A

4) International laws includes:
Personal Information Protection and Electronic Documents Act (PIPED Act, or PIPEDA)—Canada;
Law on the Protection of Personal Data Held by Private Parties—Mexico;
European Union Data Protection Directive; Safe Harbor Act

I do also see  ISO 27001 standard itself "provide requirements for establishing, implementing, maintaining and continuously improving an Information Security Management System (ISMS)". It is widely adopted globally as baseline standard as well as COBIT (from ISACA) on Framework for IT Governance and Control

http://www.27000.org/iso-27001.htm
http://www.isaca.org/knowledge-center/cobit/Pages/Overview.aspx
0

Featured Post

Portable, direct connect server access

The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Mac-address sticky 12 61
Botnet detection help me please 21 134
Firewall report connections 8 94
Standalone trial or freeware to do SSL scan 4 36
Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question