Compliance requirements

The compliance requirements that an organization must follow will have a great effect on the overall shape of the information security program that is planned and implemented. The requirements imposed by the various laws and compliance frameworks differ from one to the next, and it is critically important that you understand the frameworks that apply to you so that your organization can continue to do business.

Without understanding your organization's legal requirements, you run the very real risk of your organization being hit with very serious fines or even being shut down. The following list shows some examples of legal frameworks that are imposed upon organizations, some of the key requirements for those legal frameworks, and the organizations that are affected:

  • The Sarbanes-Oxley Act (SOX), 2002 (https://www.gpo.gov/fdsys/pkg/PLAW-107publ204/content-detail.html):
    • The Sarbanes-Oxley Act is intended to protect the public and investors by requiring reliability and accuracy of financial disclosures:
      • Key requirements: Auditor independence, public company accounting oversight, analyst conflicts of interest, enhanced financial disclosures, corporate fraud accountability, corporate responsibility, commission resources and authority, corporate tax returns, white-collar crime penalty enhancements, corporate and criminal fraud accountability, and studies and reports.
      • Who is impacted? US public companies and public accounting firms.
  • Payment Card Industry Data Security Standard: PCI DSS (https://www.pcisecuritystandards.org/document_library?document=pci_dss):
    • PCI DSS is a set of requirements established to enhance the security of customer payment card data. The standard was developed by the PCI Security Standards Council. The council includes members from Discover Financial Services, American Express, MasterCard Worldwide, Visa, and JCB International:
      • Key requirements: Maintain an information security policy, operate and maintain applications and systems securely, restrict physical access to cardholder data, assign a unique ID to every person with computer access, track and monitor all access to network resources and cardholder data, regularly test information security tools, controls, and processes, encrypt cardholder data sent across open public networks, install and maintain firewalls wherever cardholder data exists, restrict access to cardholder data on a need-to-know basis, protect stored cardholder data, change vendor-supplied defaults for system passwords and security parameters, and use and regularly update antivirus software.
      • Who is impacted? Credit card companies, retailers, and any other entity that handles payment card information.
  • The Gramm-Leach-Bliley Act (GLB), 1999 (https://www.ftc.gov/tips-advice/business-center/guidance/how-comply-privacy-consumer-financial-information-rule-gramm) and (https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act):
    • The GLB Act serves to protect consumer personal financial information held by financial institutions:
      • Key requirements: Financial privacy rule, safeguards rule, and pretexting provisions.
      • Who is impacted? Securities firms, insurance companies, banks, brokers, lenders, and other financial institutions.
  • Electronic Fund Transfer Act, 1978 (https://www.fdic.gov/regulations/laws/rules/6500-3100.html):
    • The law was established to protect consumers who use electronic fund transfers from errors and fraud:
      • Key requirements: Defining access devices (for example, debit cards), acceptance of device by the consumer, responsibilities of the financial institution, rights and responsibilities of the consumer, processes for error resolution, and electronic check transaction and preauthorized debit rules.
      • Who is impacted? Merchants and financial institutions that provide EFT services or manage consumer accounts.
  • Fair and Accurate Credit Transaction Act (FACTA), 2003 (https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/fair-credit-reporting-act):
    • The law was established to protect consumers from identity fraud:
      • Key requirements: Ability to obtain a free credit report once a month, establishment of fraud alerts, payment card data truncation in financial files, victim access to financial fraud information, victim protection from collection agencies, financial institutions must implement early warning fraud detection mechanisms, consumer report information must be properly disposed, and consumer credit information disputing mechanisms.
      • Who is impacted? Financial institutions, credit reporting agencies, credit bureaus, and creditors.
  • Federal Information Security Management Act (FISMA), 2002 (http://csrc.nist.gov/drivers/documents/FISMA-final.pdf):
    • The law requires federal agencies to develop an information security program and to safeguard their information and information systems:
      • Key requirements: Develop policies and procedures, conduct periodic tests of information security controls, conduct periodic risk assessments, develop information security plans, conduct security awareness training, respond to information security incidents, and ensure continuity of operations of information systems.
      • Who is impacted? Federal agencies.
  • Health Insurance Portability and Accountability Act (HIPAA), 1996 (https://www.hhs.gov/hipaa/):
    • The law requires that organizations adopt standards for securing patient health records as well as mechanisms for ensuring standardized identifiers for providers:
      • Key requirements: Providers must use the same code sets and identifiers when doing business electronically. Federal protections are provided for personal health information under the control of a healthcare provider. Specific operational, management, and technical security controls are required to safeguard personal health information. Providers, employers, and health plans must use standard identifiers on medical transactions.
      • Who is impacted? Health plans, health care providers, and organizations that manage personal health information.
  • European Union Data Protection Directive 1995 (http://ec.europa.eu/justice/data-protection/):
    • The directive establishes strict rules around the use of personal data:
      • Key requirements: Notice of data collection, data can only be used for its intended purpose, consent must be given to disclose data to a third party, information security must be maintained, individuals must be notified if their data is being collected, and individuals must be allowed to update their data.
      • Who is impacted? European businesses or non-European businesses that export data to another country.

As you can see, the requirements and the industries affected vary greatly across these legal frameworks. This is also only a very small subset of the many laws around the world that address information and data protection and the requirements they impose on an organization.

Something you will want to consider as you review your organization's compliance requirements is whether you fall under multiple legal frameworks or operate in multiple industry sectors:

  • It is not uncommon for organizations to accept credit cards today, in which case you may be subject to PCI DSS:
    • Does your organization have a company store?
    • Do you manufacture items and sell them online?
  • Does your organization exist in multiple sectors?
    • Is your organization a holding corporation?
      • Does your organization manufacture engines, run a hospital, and bake cookies?
      • These three sectors are wildly different and have very different information compliance requirements.
      • This means that your enterprise information security program must manage these unique requirements.