I have a love/hate relationship with standards and regulations. On the one hand, they pay my bills, and I like having my bills paid. Without them, infosec would be mostly ignored, especially in large enterprises, and that’s not good for anyone. Our personal data would constantly be at risk without oversight or hope for improvement.
On the flip side, despite the existence of nine meaty, enforceable regulations that I plan to blog about in this series, we still have large-scale compromises on a regular basis. Compliance costs organizations of all shapes and sizes billions of dollars, and to what end? A single large-scale breach that affects tens or hundreds of millions of individuals, such as the recent Heartland breach, can undo most of that effort. Furthermore, many of the regulations are impractical, vague, or not enforced.
In the end, however, I agree with Bruce Schneier, who says that “more important than the specific list of countermeasures is a process of continual security improvement.” I’ll support any effort that protects my privacy and yours.
So, without further ado, I present a list of ten regulations that those of us in information security have come to know and love.
- PCI DSS – The Payment Card Industry Data Security Standard – A series of technical and operational security standards that applies to any organization that processes credit cards in any capacity.
- HIPAA – Health Insurance Portability and Accountability Act (in particular, the security rule) – Administrative, physical, and technical safeguards for protected health information (PHI), or health information that can be linked to an individual.
- NERC CIP 002-009 – North American Electric Reliability Corporation, Critical Infrastructure Protection – “A cyber security framework for the identification and protection of Critical Cyber Assets to support reliable operation of the Bulk Electric System.” I’m a big fan of any regulation that uses the term “cyber” twice in a sentence.
- Red Flag Rule – What, you’ve never heard of this one? This new rule that applies to a variety of financial institutions mandates written plans to “flag” suspicious transactions that could indicate fraud or identity theft.
- FISMA – Federal Information Security Management Act of 2002 – A set of processes intended to improve security within the United States Government and associated entities. Sadly, it seems that we still have work to do.
- SOX ITGC – Sarbanes-Oxley Act Section 404, Information Technology General Controls – Application, operational, and general controls to ensure accuracy in financial reports for publicly traded companies.
- GLBA – Gramm-Leach-Bliley Financial Services Modernization Act – Section 501 of GLBA requires certain privacy protections and security safeguards for financial institutions, much like HIPAA for the health care industry.
- FERPA – Family Educational Rights and Privacy Act – This seemingly simple requirement to control the disclosure of sensitive student data is harder than it seems with the proliferation of data across educational institutions.
- COPPA – Children’s Online Privacy Protection Act – Safeguarding the privacy of information on children for web sites targeting people under thirteen years of age.
If you’ve been in IT long enough, this alphabet soup of regulation acronyms is all too familiar. Did I miss any? Let me know! In the meantime, I know you’ll be waiting with bated breath for elaboration on these fascinating regulations!