International

Europe
  European Union: EU Data Protection Directive (1998); EU Internet Privacy Law (2002)
  France: Data Protection Act of 1978 (updated 2004)
  Germany: Federal Data Protection Act (2001)
  Netherlands: Personal Data Protection (2000)
  Norway: Personal Data Protection (2000)
  Spain
  United Kingdom

Asia Pacific
  Australia
  Hong Kong
  India: Information Technology Act of 2000
  New Zealand

South America
  Argentina: Personal Data Protection Act (2000)
  Chile
INDUSTRY STANDARD BEST PRACTICES
International Standards Organization - ISO 27001/27002
ISO 27002 is a broadly accepted international standard for information security established by the International Standards Organization. It offers a broad set of best practices for information security controls that applies to organizations of any type. Unlike regulations and mandates that target specific types of data (such as PCI DSS) or specific business processes (such as SOX), the ISO 27002 framework is intended to assist all organizations - commercial, governmental or nonprofit - in managing information security.
Control Objectives for Information and related Technology - COBIT
The Control Objectives for Information and related Technology (COBIT) is a comprehensive set of IT management best practices first established by the Information Systems Audit and Control Association (ISACA) in 1992 and now managed by the IT Governance Institute (ITGI). COBIT serves as an IT governance framework that helps enterprises understand and manage IT control requirements, technical issues and business risks. It supports clear policy development and good-practice alignment for IT control, which lets organizations emphasize regulatory compliance, increase the value obtained from IT and communicate control levels to stakeholders. COBIT is frequently used as a security controls framework in support of federal laws such as Sarbanes-Oxley (SOX).
DoD Information Assurance Certification and Accreditation Process - DIACAP
The U.S. Department of Defense maintains strict information security requirements, especially for computer systems that connect to confidential private government networks such as NIPRNet and SIPRNet. The DoD Information Assurance Certification and Accreditation Process (DIACAP) was developed specifically to provide certification and accreditation (C&A) of systems by ensuring that both risk management and a minimum level of risk-based security controls are applied to systems connecting to federal networks. A DIACAP accreditation has several components, including system identification, implementation and validation of appropriate security controls, and a scorecard of how well the organization meets the requirements.
National Institute of Standards and Technology - NIST 800-53
National Institute of Standards and Technology (NIST) Special Publication 800-53, "Recommended Security Controls for Federal Information Systems," offers a set of best practices created to assist federal agencies, and any associated entities handling federal data such as state and local governments, contractors and grantees, in implementing the Federal Information Security Management Act (FISMA). NIST 800-53 is the bedrock foundation of FISMA: to guide agencies in implementing a risk-based information security program, the FISMA framework maps security program elements to the NIST 800-53 standard.
PRESCRIPTIVE SECURITY STANDARDS
Center for Internet Security (CIS) Benchmarks
Poorly or improperly configured systems are the "low-hanging fruit" that entices malicious attackers and malware. From weak password settings and incorrect file system access controls, to running applications and services with known vulnerabilities, security professionals spend an inordinate amount of time tracking down and eliminating one-off configurations that can expose an otherwise secure network to major threats. Security professionals can address this issue by implementing standard, "security hardened" configurations. The Center for Internet Security (CIS) has established a series of secure, system-specific configuration benchmarks that provide comprehensive, detailed security controls. The benchmarks cover an extremely diverse range of systems and, when applied, result in a security-hardened configuration that eliminates common attack vectors.
Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)
As part of its information assurance-focused mission, the Defense Information Systems Agency (DISA) has established a series of Security Technical Implementation Guides (STIGs) to ensure secure configurations across federal systems, including operating systems, network devices such as routers and firewalls, databases and both enterprise and desktop applications. Based around the information security "triad" - confidentiality, integrity and availability - and updated frequently to reflect the ever-changing need for information assurance through continuous vigilance, DISA STIGs are mandatory for many federal agencies and military branches. Historically, agencies have had difficulty implementing DISA STIG standards across the enterprise, primarily due to the detailed nature and broad applicability of STIGs. Although DISA's Field Service Office (FSO) provides both STIG content and supporting tools to implement the standard, agencies and branches of the military have struggled with the details of technical implementation of STIGs and spend an inordinate amount of time in the STIG evaluation process using manual auditing tools.
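The CIS and STIG passages above both describe benchmark-style checks (password settings, file system access controls) and the scorecard that results from evaluating them. The following is an added illustration of how such an automated check is structured; it is not CIS or DISA content, and the thresholds, the login.defs sample and the file modes are constructed for the example rather than taken from any published benchmark.

```python
"""Benchmark-style configuration check (added example; rules are hypothetical,
not from any CIS Benchmark or DISA STIG)."""
import stat
from dataclasses import dataclass

# Constructed sample of a login.defs-style password policy file.
SAMPLE_LOGIN_DEFS = """\
# /etc/login.defs (constructed sample)
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
"""
# Constructed sample of st_mode values as os.stat() would return them.
SAMPLE_FILE_MODES = {"/etc/passwd": 0o100644, "/etc/shadow": 0o100644}

# Hypothetical thresholds standing in for the kind a hardening benchmark sets.
PASSWORD_RULES = {
    "PASS_MAX_DAYS": (lambda v: v <= 365, "<= 365"),
    "PASS_MIN_DAYS": (lambda v: v >= 1, ">= 1"),
    "PASS_MIN_LEN": (lambda v: v >= 14, ">= 14"),
}
# Permission bits that must be clear on each file (hypothetical rule set).
FILE_MODE_RULES = {"/etc/passwd": (0o022, "not group/world-writable"),
                   "/etc/shadow": (0o007, "not world-accessible")}

@dataclass(frozen=True)
class Finding:
    rule: str
    passed: bool
    observed: str
    expected: str

def parse_login_defs(text):
    """Return {KEY: value} for non-blank, non-comment lines."""
    settings = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings

def check_password_policy(text):
    settings = parse_login_defs(text)
    findings = []
    for key, (ok, expected) in PASSWORD_RULES.items():
        raw = settings.get(key)
        value = int(raw) if raw is not None and raw.isdigit() else None
        findings.append(Finding(key, value is not None and ok(value), str(raw), expected))
    return findings

def check_file_modes(modes):
    findings = []
    for path, (forbidden, expected) in FILE_MODE_RULES.items():
        perm = stat.S_IMODE(modes[path]) if path in modes else None
        passed = perm is not None and (perm & forbidden) == 0
        findings.append(Finding(path, passed, f"{perm:04o}" if perm is not None else "missing", expected))
    return findings

def scorecard(findings):
    """Summarise results as (passed, total), the form a C&A scorecard reports."""
    return sum(f.passed for f in findings), len(findings)
```

Running `scorecard(check_password_policy(SAMPLE_LOGIN_DEFS) + check_file_modes(SAMPLE_FILE_MODES))` on the constructed sample reports one passing check out of five, with each Finding carrying the observed and expected values an auditor would record.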