IT Resources for Regulatory/Legal Requirements

Apologies if this is not appropriate, but I need some advice/recommendations on possible sources/websites to review/monitor possible regulatory/legal issues and/or requirements for Information Security/IT Management.

schuitkds asked:
btan, Exec Consultant, commented:
This link has a good summary; it can differ from country to country, but it does set some good fundamental ground of understanding, as others take references from it and learn from it as well.

1) Broadly applicable laws and regulations include:
Sarbanes-Oxley Act (SOX);
Payment Card Industry Data Security Standard (PCI DSS);
Gramm-Leach-Bliley Act (GLB) Act;
Electronic Fund Transfer Act, Regulation E (EFTA);
Customs-Trade Partnership Against Terrorism (C-TPAT);
Free and Secure Trade Program (FAST);
Children's Online Privacy Protection Act (COPPA);
Fair and Accurate Credit Transaction Act (FACTA), including Red Flags Rule;
Federal Rules of Civil Procedure (FRCP)

2) Industry-specific guidelines and requirements include:
Federal Information Security Management Act (FISMA);
North American Electric Reliability Corp. (NERC) standards;
Title 21 of the Code of Federal Regulations (21 CFR Part 11) Electronic Records;
Health Insurance Portability and Accountability Act (HIPAA);
The Health Information Technology for Economic and Clinical Health Act (HITECH);
Patient Safety and Quality Improvement Act (PSQIA, Patient Safety Rule);
H.R. 2868: The Chemical Facility Anti-Terrorism Standards Regulation

3) Key state laws include:
Massachusetts 201 CMR 17 (aka Mass Data Protection Law);
Nevada Personal Information Data Privacy Encryption Law NRS 603A

4) International laws include:
Personal Information Protection and Electronic Documents Act (PIPED Act, or PIPEDA)—Canada;
Law on the Protection of Personal Data Held by Private Parties—Mexico;
European Union Data Protection Directive; Safe Harbor Act

I also see that the ISO 27001 standard itself "provide[s] requirements for establishing, implementing, maintaining and continuously improving an Information Security Management System (ISMS)". It is widely adopted globally as a baseline standard, as is COBIT (from ISACA), the Framework for IT Governance and Control.

http://www.27000.org/iso-27001.htm
http://www.isaca.org/knowledge-center/cobit/Pages/Overview.aspx
Lee W, MVP, Technology and Business Process Advisor, commented:
Anything you get online is going to be half-baked at best.  Contact an attorney for your state/country.  Regulatory and legal advice offered here will most certainly not be considered a valid defense if you do something you shouldn't have.
Rich Rumble, Security Samurai, commented:
You can find what you need online, but you need to know the industry and the locality, and have a good idea about security beforehand. If your company/client is in the health care business, they are subject to HIPAA. If your company/client is publicly traded in the US, they are bound by SOX. If your company/client does credit card processing or the storing of CC info, then PCI-DSS needs to be looked into (worldwide). Then there are breach reporting laws like those in California and other states.
That last link is helpful for some US State laws.
http://www.ncsl.org/research/telecommunications-and-information-technology/data-disposal-laws.aspx
Wikipedia has a good entry for Personally Identifiable Information: http://en.wikipedia.org/wiki/Personally_identifiable_information#United_States_of_America
-rich