International

Europe

European Union

EU Data Protection Directive (1998)

EU Internet Privacy Law (2002)

France

Data Protection Act of 1978 (updated 2004)

Germany

Federal Data Protection Act (2001)

Netherlands

Personal Data Protection (2000)

Norway

Personal Data Protection (2000)

Spain

Organic Law 15/99 (1999)

United Kingdom

UK Data Protection Act 1998

GCSX Code of Connection (CoCo) 4.1

Asia Pacific

Australia

Privacy Act (1998)

Hong Kong

Personal Data Ordinance

India

Information Technology Act of 2000

New Zealand

The Privacy Act (1993)

South America

Argentina

Personal Data Protection Act (2000)

Chile

Act on the Protection of Personal Data

INDUSTRY STANDARD BEST PRACTICES

International Standards Organization - ISO 27001/27002

ISO 27002 is a broadly accepted international standard for information security established by the International Standards Organization. It offers a broad set of best practices for information security controls across organizations of any type. Unlike regulations and mandates designed to protect specific types of data (such as PCI DSS) or specific business processes (such as SOX), the ISO 27002 framework is intended to assist all organizations - commercial, governmental or nonprofit - in the process of managing information security.

Control Objectives for Information and related Technology - COBIT

The Control Objectives for Information and related Technology (COBIT) is a comprehensive set of IT management best practices first established by the Information Systems Audit and Control Association (ISACA) in 1992 and now managed by the IT Governance Institute (ITGI). COBIT serves as an IT governance framework to help enterprises understand and manage IT control requirements, technical issues and business risks. This supports clear policy development and alignment with good practice for IT control, which lets organizations emphasize regulatory compliance, increase the value attained from IT and communicate control levels to stakeholders. COBIT is frequently used as a security controls framework in support of federal laws such as Sarbanes-Oxley (SOX).

DoD Information Assurance Certification and Accreditation Process - DIACAP

The U.S. Department of Defense maintains strict information security requirements, especially for computer systems that connect to confidential private government networks such as NIPRNet and SIPRNet. The DoD Information Assurance Certification and Accreditation Process (DIACAP) was developed specifically to provide certification and accreditation (C&A) of systems by ensuring that both risk management and a minimum level of risk-based security controls are applied to systems connecting to federal networks. A DIACAP accreditation process has several components, including system identification, implementation and validation of appropriate security controls, and a scorecard of how well the organization meets requirements.

National Institute of Standards and Technology - NIST 800-53

The National Institute of Standards and Technology (NIST) Special Publication 800-53, "Recommended Security Controls for Federal Information Systems," offers a set of best practices created to assist federal agencies, and any associated entities handling federal data such as state and local governments, contractors and grantees, in implementing the Federal Information Security Management Act (FISMA). NIST 800-53 is the foundation of FISMA: to guide agencies in implementing a risk-based information security program, the FISMA framework maps security program elements to the NIST 800-53 standard.

PRESCRIPTIVE SECURITY STANDARDS

Center for Internet Security (CIS) Benchmarks

Poorly or improperly configured systems are the "low-hanging fruit" that entices malicious attackers and malware. From weak password settings and incorrect file system access controls to applications and services running with known vulnerabilities, security professionals spend an inordinate amount of time tracking down and eliminating one-off configurations that can expose an otherwise secure network to major threats. Security professionals can address this issue by implementing standard, "security hardened" configurations. The Center for Internet Security (CIS) has established a series of secure, system-specific configuration benchmarks that provide comprehensive, detailed security controls. The benchmarks cover an extremely diverse range of systems and, when applied, result in a security-hardened configuration that eliminates common attack vectors.

Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)

As part of its information assurance-focused mission, the Defense Information Systems Agency (DISA) has established a series of Security Technical Implementation Guides (STIGs) to ensure secure configurations across federal systems, including operating systems, network devices such as routers and firewalls, databases, and both enterprise and desktop applications. Built around the information security "triad" - confidentiality, integrity and availability - and updated frequently to reflect the ever-changing need for information assurance through continuous vigilance, DISA STIGs are mandatory for many federal agencies and military branches. Historically, agencies have had difficulty implementing DISA STIG standards across the enterprise, primarily because of the detailed nature and broad applicability of STIGs. Although DISA's Field Security Operations (FSO) office provides both STIG content and supporting tools to implement the standard, agencies and branches of the military have struggled with the details of technical implementation of STIGs and spend an inordinate amount of time in the STIG evaluation process using manual auditing tools.