The Sarbanes-Oxley Act (SOX) was created in the wake of corporate and financial scandals and fraud, which cost investors billions of dollars and threatened to undermine the economy. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) model is a corporate governance model that a company must follow to be found compliant with SOX.
Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act, was signed into law to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.
Gramm-Leach-Bliley Act of 1999 (GLBA): The GLBA requires financial institutions to develop privacy notices and give their customers the option to prohibit financial institutions from sharing their information with non-affiliated third parties.
Financial Privacy Rule: Provide each consumer with a privacy notice that explains the data collected about the consumer, where that data is shared, how that data is used, and how that data is protected. The notice must also identify the consumer's right to opt out of having the data shared with unaffiliated parties pursuant to the provisions of the Fair Credit Reporting Act.
The Federal Privacy Act applies to records and documents developed and maintained by specific branches of the federal government, such as executive departments, government organizations, independent regulatory agencies, and government-controlled corporations. It does not apply to congressional, judiciary, or territorial subdivisions.
Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law that deals with the protection of personal information. One of its main goals is to oversee how the private sector collects, uses, and discloses personal information in regular business activities.
Payment Card Industry Data Security Standard (PCI DSS): The PCI DSS is made up of 12 main requirements broken down into six major categories. The six categories of PCI DSS are Build and Maintain a Secure Network, Protect Cardholder Data, Maintain a Vulnerability Management Program, Implement Strong Access Control Measures, Regularly Monitor and Test Networks, and Maintain an Information Security Policy.
The control objectives are implemented via 12 requirements, as stated at https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml:
The Federal Information Security Management Act (FISMA) of 2002 is a U.S. law that requires every federal agency to create, document, and implement an agency-wide security program to protect the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. It explicitly emphasizes a "risk-based policy for cost-effective security."
NIST 800-53 outlines the security controls that need to be in place to protect federal systems. This NIST document is used to help ensure compliance with FISMA.
Statement on Auditing Standards No. 70 (SAS 70): A SAS 70 is an audit carried out by a third party to assess the internal controls of a service organization. Auditing and testing should be performed to ensure that each party is indeed holding up its side of the agreement.
Safe Harbor outlines how any entity that moves private data to and from Europe must go about protecting it.
The first step in any risk analysis is to understand which laws and regulations your organization needs to comply with (SOX, HIPAA, PCI DSS, GLBA, FISMA, etc.). This will help determine the type of security framework that should be set up within the business (ISO/IEC 27001, COSO, Zachman).
Then a risk methodology needs to be decided upon (ISO/IEC 27005, NIST 800-30, OCTAVE, AS/NZS 4360). The regulatory and legal requirements will also help determine which control objective standard to follow (COBIT, NIST 800-53, ITIL).
The International Organization on Computer Evidence (IOCE) and the Scientific Working Group on Digital Evidence (SWGDE) are two groups that have put together guidelines on how digital evidence is to be collected and handled.
The IOCE/SWGDE principles and guidelines:
If you do not practice DUE CARE in protecting your systems from computer crime, you can be found negligent and legally liable for damages; just ask Target and Sony about the number of lawsuits these companies are facing now.
Best Practices: Organizations must set up compliance programs that allow auditors to communicate with the decision makers so that incidents can be dealt with properly.
Incident response should be made up of the following phases:
1. Triage
2. Investigation
3. Containment
4. Analysis
5. Tracking
6. Recovery
This by no means covers everything relating to legal, compliance, and government regulations. It does give one an idea of what is required now, and you can be sure more laws and regulations are in the works given what has been happening at major retailers and governments around the world.