Standards

(Industry specific guidelines, standards, or global regulations)

- J.D. Meier, Prashant Bansode, Paul Enfield.

The following is a list of standards customers have indicate are possibly of importance for this platform. We solicit feedback on any additions or removals from this list..

Area	Items
Education	* Children's Internet Protection Act (CIPA) (Pub. L. 106-554)
Insurance	*
Financial	* Basel II
	* Basel I
	* Gramm-Leach-Bliley Act of 1999 (GLBA)
	* Securities and Exchange Commission (SEC) Compliance issue (17a-4)
	* NASD
	* Sarbanes-Oxley Act (SOX)
	* USA Patriot Act
General	* ISO/IEC 27002 (formerly ISO17799)
	* ISO/IEC 27001 (formerly BS7799 Part 1)
	* Common Criteria (CC) also published as ISO/IEC 15408
	* COPPA (Children’s Online Privacy Protection Act)
	* Visa CISP Program
	* ECPA (Electronic Communications Privacy Act)
	* FERPA (Family Education Rights and Privacy Act)
	* ADA (Americans with Disabilities Act)
	* Singapore Technology Risk Mngt Guidelines
	* California's SB 1386
	* Information Security Forum (ISF) Directives
	* COSO standard
	* ITIL
	* NCUA Security Directive (guidance)
	* FFIEC
	* COBIT
	* SSE-CMM (ISO 21827)
	* SAS 70
	* Pending: ISO/IEC JTC1 SC27
Government	Germany Specific
	* Telemediengesetz (TMG)
	* Bundesdatenschutzgesetz (BDSG)
	UK Specific
	* Data Protection Act 1998 (DPA)
	* Regulation of Investigatory Powers Act 2000 (RIPA)
	* Computer Misuse Act 1990
	US Specific
	* Communications Act of 1934
	* Computer Fraud & Abuse Act (18 U.S.C. 1030)
	* Privacy Act of 1974
	* Computer Crime Act 1987
	* Economic Espionage Act 1996
	* ECPA –Electronic Communications Privacy Act 1986 (Wiretap Act)
	* Clinger-Cohen Act (The CIO Act)
	* Federal Information Security Management Act (FISMA) of 2002, Appendix III of the E-Government Act of 2002
	* US PATRIOT Act
	* Defense Federal Acquisition Regulations Supplement (DFARS)
	* Federal Acquisition Regulation (FAR) Part 39
	* OMB Circular A-130 Appendix III
	* OMB Circular A-123
	* Common Criteria - ISO 15408
	* HSPD-7, Critical Infrastructure Protection
	* HSPD-12, Policy for a Common Identification Standard for Federal Employees and Contractors
	* FIPS-140-2 (Soon to be FIPS-140-3)
	* FIPS-199, Standards for Security Categorization of Federal Information and Information Systems
	* FIPS-200, Minimum Security Requirements for Federal Information and Information Systems
	* DoD 8500.1, Information Assurance (IA)
	* DoD 8500.2, Information Assurance (IA) Implementation
	* GAO Federal Information System Controls Audit Manual (FISCAM)
	* NIST Special Publication (SP) 800-53 Rev 3, Recommended Security Controls for Federal Information Systems
	* NIST SP 800-70, Security Configuration Checklists Program for IT Products: Guidance for Checklists Users and Developer
	* <a whole slew of NIST SPs available at http://csrc.nist.gov/publications/index.html >
	* OMB Memo 06-15, Safeguarding Personally Identifiable Information
	* OMB Memo 06-16, Protection of Sensitive Agency Information
	* OMB Memo 06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments
	* OMB Memo 07-11, Implementation of Commonly Accepted Security Configurations for Windows Operating Systems
	* OMB Memo 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information
	* OMB Memo 07-18, Ensuring New Acquisitions Include Common Security Configurations
	* OMB Memo 08-05, Implementation of Trusted Internet Connections (TIC)
	* OMB Memo 08-22, Guidance on the Federal Desktop Core Configuration (FDCC)
Healthcare	* HIPAA Privacy
	* HIPAA Security
	* FDA's Electronic Record/Signature (ERES-21CFR11)
	* Mental Hygiene Law Sec. 33.13
UK / Europe	* Data Protection Act
Utilities / Energy	* NERC Security Rules (mandatory security standard)
	* NSA INFOSEC Assessment-Capability Maturity Model (IA-CMM) Appraisals

Resources

	* BS7799 Compliance and Risk Analysis: http://www.security.kirion.net/bs7799standard/