Thursday, July 29, 2010

Security Awareness and Training...it's required

One of the questions asked most frequently is, "Do we really need to have an Information Security awareness and training program?" The question is often followed up by a statement calling into question the perceived value of awareness and training. The standard response is typically along the lines of, "Yes. It is required and, perhaps more importantly, the right thing to do."

Setting aside the value-based approach of 'doing the right thing' to keep information secure and private, most people are surprised to learn that Information Security awareness and training is a compliance obligation, often required by law, industry regulation, and/or business contract. Additionally, it is called out in numerous 'best practice' frameworks.

So, in the spirit of ongoing Information Security awareness, and to assist those who have requested more information on this subject, listed here are just a few of the numerous laws, regulations, and frameworks applicable to North America. Bear in mind that some are industry specific.

Laws and Regulations (North America)

1. Health Information Portability and Accountability Act (HIPAA): §164.3
2. Canada Personal Information Protection and Electronic Documents Act (PIPEDA): Schedule 1 Clause 4.1.4(c), Schedule 1 Clause 4.7.4
3. Privacy Act of 1974: §552a(e)(9)
4. Fair and Accurate Credit Transactions Act (FACTA): §151, §213(d)
5. FACTA Red Flag Rule: §41.90(e)(3), §222.90(e)(3), §334.90(e)(9), §571.90(e)(9), §681.2(e)(9), §717.90(e)(9)
6. Leahy Personal Data Privacy Security Act: §302(b)
7. FFIEC Information Security: Page 7, Page 62
8. NERC: CIP-004-1
9. FDA 21 CFR Pt 11: §11.10(i)
10. Massachusetts 201 CMR 17.00: §17.04(8)

Business Contracts

1. Payment Card Industry Data Security Standard (PCI DSS): §12.6

'Best Practice' Frameworks

1. ISO 17799 / ISO 27002: §8.2.2
2. ITIL Security Management: §4.2.2.2
3. AICPA Privacy: ID 1.1.1
4. NIST 800: numerous publications
