Contents
1. Brief Description of the IT GRC Process Management Pack
2. Getting Started
3. Contents of IT GRC Process Management Pack Download Files
4. Known Issues
5. Feedback
6. Disclaimer
7. Copyright and License Agreement
8. Supported Authority Documents
2. Getting Started
See the IT GRC Process Management Pack Getting Started Guide.
3. Contents of IT GRC Process Management Pack Download Files

ITGRCProcessManagementPack_amd64SP1.exe. This file includes the IT GRC Process Management Pack for 64-bit server installation and 64-bit clients. You will install the IT GRC Process Management Pack on System Center Service Manager 2010 SP1. For more information about doing so, please refer to the IT GRC Process Management Pack Deployment Guide, available in the ITGRCProcessManagementPack_DocumentationSP1.exe file described below.

ITGRCProcessManagementPack_x86SP1.exe. This file includes the IT GRC Process Management Pack for 32-bit clients. For more information about installing it, please refer to the IT GRC Process Management Pack Deployment Guide, available in the ITGRCProcessManagementPack_DocumentationSP1.exe file described below.

ITGRCProcessManagementPack_DocumentationSP1.exe. This file contains the SP1 documentation for the IT GRC Process Management Pack. It includes the following files:
o IT GRC Process Management Pack Getting Started Guide.docx
o IT GRC Process Management Pack Deployment Guide.docx
o IT GRC Process Management Pack Developers Guide.docx
o IT GRC Process Management Pack Operations Guide.docx
o IT GRC Process Management Pack SP1 Release Notes.rtf

ITGRCProcessManagementPack_AuthoringLibrariesSP1.exe. This file includes the authoring library files that are necessary to customize or extend the IT GRC Process Management Pack. For more information on installing these files and customizing or extending the IT GRC Process Management Pack, see the IT GRC Process Management Pack Developers Guide, available in the ITGRCProcessManagementPack_DocumentationSP1.exe file described earlier in this document.

TestIdSyncTool.exe. This file includes the IT GRC Test ID Sync Tool and the Getting Started Guide for the tool.
4. Known Issues
The following are known functional issues for this release:
o Modifying the compliance applicability groups provided in IT Compliance Management Libraries using the Service Manager Console causes the Service Manager console to abnormally terminate or become unresponsive. (9/30/10)
o Modifying a program's General and Framework tabs at the same time may result in a data conflict error message. To resolve this issue, modify each tab separately and apply the changes separately. (9/30/10)
o After modifying an existing security role property, such as description, a user who is assigned that security role may not be able to select authorized configuration item types such as Computer, Software Items, and Business Services that were previously available. (9/30/10)
o The IT GRC Connector may not complete processing or may hang. To resolve this issue, delete the connector instance and recreate it. (9/30/10)
o The Visual Studio Tools for Office (VSTO) version 3.0 (used by Microsoft Excel in the IT GRC Process Management Pack Client Add-in) does not support 64-bit versions of Microsoft Office System 2010. However, 32-bit versions of Microsoft Office System 2007 and 2010 are supported.
o When a Program Implementer tries to add scope to a program, they may see the following error: "An item with the same key has already been added." The message is misleading because the underlying cause is a security restriction: the PI role cannot add scope to a program.
o The SP1 version of the IT GRC Excel Client can only be used to connect to an SP1 server. The 1.0 version of the Excel Client Add-in can connect to both a v1.0 server and an SP1 server.
o If an unshared risk is created and added into a program, the risk will only be visible to the risk's owner and not to the Program Manager. If the risk is added to a category in the program framework, then the risk will be visible to the Program Manager.
o Although it is possible to customize both the Risk Management form and the Control Objective form using the Authoring Tool, the customizations will not display. All other forms should work properly after customization.
o Row deletions in Excel are not allowed.

The following are known performance issues for this release:
o Importing a large number of control objectives and control activities into a program using the Control Import Wizard can take a considerable amount of time. (9/30/10)
o Refreshing or publishing a program in the IT GRC Process Management Pack Client Add-in that is used in Microsoft Excel can take a considerable amount of time if the program contains a large number of control objectives, control activities, or risks. (9/30/10)
o Expanding information on the Framework tab of a program can take a considerable amount of time if the program contains a large number of control objectives, control activities, or risks. (9/30/10)
5. Feedback
6. Disclaimer
IMPORTANT NOTICE: The Microsoft IT GRC Process Management Pack Service Pack 1 for System Center Service Manager ("the software") is intended to help organizations simplify and automate IT compliance and risk management processes. The software is designed to facilitate compliance activities conducted by your organization's IT professionals, auditors, accountants, attorneys and other compliance professionals. The software does not replace those professionals. The software ships with some control objectives and authority document citations, but these control objectives and citations do not verify or guarantee fulfillment of your organization's compliance obligations. It is the responsibility of your organization to choose the control objectives and authority document citations to use, modify, add or remove based on guidance from your organization's compliance professionals. Reports and any other information provided by or generated from the software do not constitute auditing, accounting, legal or other professional advice. You must consult compliance professionals to confirm compliance with specific governance, risk and compliance (GRC) authority documents.
TITLE
1724 California Civil Code
URL LINK
http://www.leginfo.ca.gov/pub/07-08/bill/asm/ab_07510800/ab_779_bill_20070410_amended_asm_v98.pdf http://www.access.gpo.gov/nara/cfr/waisidx_05/16cfr682_05 .html http://ecfr.gpoaccess.gov/cgi/t/text/text-idx? c=ecfr&sid=4f4fe996be869c46e7a2469576734601&a mp;rgn=div5&view=text&node=49:9.1.3.5.10&a mp;idno=49 http://edocket.access.gpo.gov/cfr_2009/janqtr/pdf/6cfr27.23 0.pdf http://www.theirm.org/publications/documents/Risk_Manage ment_Standard_030820.pdf http://www.occ.treas.gov/ftp/bulletin/2004-58.txt http://www.cica.ca/multimedia/Download_Library/Research_ Guidance/Privacy/English/Incident_Response_Plan_May_200 5.pdf http://www.aicpa.org/pubs/cpaltr/jun2001/auditing.htm http://www.aicpa.org/download/trust_services/final-TrustServices.pdf http://ftp.aicpa.org/CSC/infotech/Privacy/3A_01a.pdf http://www.legis.state.ak.us/PDF/25/Bills/HB0065Z.PDF http://www.ftc.gov/bcp/rulemaking/tsr/ https://www209.americanexpress.com/merchant/singlevoice /dsw/FrontServlet? request_type=dsw&pg_nm=merchinfo&ln=en&a mp;frm=US http://www.whitehouse.gov/omb/circulars/a130/a130append ix_iii.html http://www.privacyinternational.org/article.shtml?cmd %5B347%5D=x-347-61939
3 4 5 6 7 8 9 10 11 12 AICPA SAS No. 94, The Effect of Information Technology on the Auditor's Consideration of Internal Controls AICPA Suitable Trust Services Principles and Criteria AICPA/CICA Privacy Framework Alaska Personal Information Protection Act, Chapter 48 Amendments to the FTC Telemarketing Sales Rule, 16 CFR Part 310 American Express Data Security Standard (DSS) 6 CFR Ch. I 27.230 Risk-based performance standards A Risk Management Standard, jointly issued by AIRMIC, ALARM, and IRM ACH (Automated Clearing House) Operating Rules OCC Bulletin 2004-58 AICPA Incident Response Plan: Template for Breach of Personal Information
13 14 15 Appendix III to OMB Circular No. A-130: Security of Federal Automated Information Resources Argentina Personal Data Protection Act
16 17
Arizona Amendment to Arizona Revised Statutes 13-2001, AZ HB 2116 Arizona State Law 44-7501. Notification of breach of security system Arkansas Code Title 4 Business and Commercial Law Subtitle 7 Consumer Protection, Chapter 110 Personal Information, 4-110-103 thru 4 -110-105, Personal Information Protection Act Arkansas Personal Information Protection Act AR SB 1167 Army Regulation 380-19: Information Systems Security AS4360 Australian National Standard on Risk Management Australia Better Practice Guide - Business Continuity Management Australia Privacy Act 1988 Australia Spam Act Australia Spam Act 2003: A practical guide for business Australia Telecommunications Act 1997 Australian Government ICT Security Manual (ACSI 33) Austria Data Protection Act Austria Telecommunications Act Aviation and Transportation Security Act, Public Law 107 Released-71, November 2001 Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act) Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework BBBOnline Code of Online Business Practices Belgian Law of 8 December 1992 on the protection of privacy in relation to the processing of persona BIS Sound Practices for the Management and Supervision of Operational Risk BITS Financial Services Roundtable Standardized Information Gathering Questionnaire Bosnia Law on Protection of Personal Data BS25999, Guide to Business Continuity Management Business Continuity Institute (BCI) Good Practice Guidelines CA Civil Code 1798.84 CA Government Code Chapter 13 Miscellaneous Powers 26200-26230
http://www.azleg.state.az.us/FormatDocument.asp? inDoc=/legtext/46leg/2r/laws/0109.htm http://www.azleg.state.az.us/FormatDocument.asp? inDoc=/ars/44/07501.htm&Title=44&DocType=AR S http://www.arkleg.state.ar.us/SearchCenter/Pages/Arkansas CodeSearchResultPage.aspx?name=4-110-103.Definitions. ftp://www.arkleg.state.ar.us/acts/2005/public/Act1526.pdf http://www.fas.org/irp/doddir/army/r380_19.pdf http://www.riskmanagement.com.au/ http://www.anao.gov.au/uploads/documents/Business_Conti nuity_Management.pdf http://www.comlaw.gov.au/ComLaw/Legislation/ActCompilati on1.nsf/framelodgmentattachments/782CE59D0E879E1ACA 2571FE001D50E6 http://www.austlii.edu.au/au/legis/cth/consol_act/sa200366/ http://www.acma.gov.au/acmainterwr/consumer_info/freque ntly_asked_questions/spam_business_practical_guide.pdf http://www.comlaw.gov.au/ComLaw/Legislation/ActCompilati on1.nsf/framelodgmentattachments/40762BCB845F1313CA 2570F2007B810C http://www.dsd.gov.au/_lib/pdf_doc/acsi33/acsi33_changes_ u.rtf http://www.dsk.gv.at/site/6230/default.aspx http://www.rtr.at/en/tk/TKG2003/TKG_2003_eng.pdf http://www.tsa.gov/assets/pdf/Aviation_and_Transportation_ Security_Act_ATSA_Public_Law_107_1771.pdf http://www.occ.treas.gov/handbook/bsa.pdf http://www.bis.org/publ/bcbs128.pdf http://www.bbbonline.org/reliability/code/CodeEnglish.doc http://www.privacycommission.be/en/static/pdf/wetgeving/p rivacywet-en-input-website-220109.pdf http://www.bis.org/publ/bcbs96.pdf http://www.sharedassessments.org/download/files.html http://www.privacyinternational.org/countries/bosnia/bosniadpa.html http://www.thebci.org/pas56.htm http://www.thebci.org/goodpracticeguidetoBCM.pdf http://www.leginfo.ca.gov/cgi-bin/displaycode? section=civ&group=01001-02000&file=1798.801798.84 http://www.leginfo.ca.gov/cgi-bin/displaycode? section=gov&group=26001-27000&file=2620026230 http://www4.law.cornell.edu/uscode/html/uscode47/usc_sec_ 47_00000551----000-.html
18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40
43
California Civil Code 1798.91 State Prohibitions on Marketing Practices using Medical Information California Civil Code Title 1.8 Personal Data Chapter 1 Information Practices Act of 1977 Article 7. Accounting of Disclosures 1798.251798.29 California Civil Code Title 1.81 Customer Records 1798.80-1798.84 California Financial Information Privacy Act: Senate Bill 1 (Speier & Burton) California General Security Standard for Businesses CA AB 1950 California Information Practice Act, CA SB 1386 California OPP Recommended Practices on Notification of Security Breach California Personal Information: Disclosure to Direct Marketers Act (SB 27) California Public Records Military Veteran Discharge Documents, California Assembly Bill 1798 California Public Records Military Veteran Discharge Documents, California Assembly Bill 1798 California Senate Bill 20 (2009, Simitian), An act to amend Sections 1798.29 and 1798.82 of the Civil Code, relating to personal information Canada Keeping the Promise for a Strong Economy Act, Bill 198 Canada Personal Information Protection Electronic Documents Act (PIPEDA) Canada Privacy Act Canadian Marketing Association Code of Ethics and Standards of Practice Center for Internet Security Mac OS X Tiger Level I Security Benchmark Center for Internet Security Open Enterprise Server: NetWare (v1) Consensus Baseline Security Settings Central Bank of Argentina A4609 Central Bank of Brazil 3380 CERT Operationally Critical Threat, Asset & Vulnerability Evaluation (OCTAVE) Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security, 6 CFR Part 27 Children's Online Privacy Protection Act (COPPA), 16 CFR 312 Children's Online Privacy Protection Act of 1998 CI Security AIX Benchmark v1.0 CI Security FreeBSD Benchmark v1.0 CI Security HP-UX Benchmark v1.3 CI Security Persistent Identifiers CI Security Red Hat Enterprise Linux Benchmark v1.0 CI Security Red Hat Enterprise Linux Benchmark v1.0.5
http://www.leginfo.ca.gov/cgi-bin/displaycode? section=civ&group=01001-02000&file=1798.91 http://www.leginfo.ca.gov/cgi-bin/displaycode? section=civ&group=01001-02000&file=1798.251798.29 http://www.leginfo.ca.gov/cgi-bin/displaycode? section=civ&group=01001-02000&file=1798.801798.84 http://www.privacyrights.org/ar/SB1Info.htm http://info.sen.ca.gov/pub/03-04/bill/asm/ab_19011950/ab_1950_bill_20040929_chaptered.pdf http://info.sen.ca.gov/pub/01-02/bill/sen/sb_13511400/sb_1386_bill_20020926_chaptered.html http://www.oispp.ca.gov/consumer_privacy/pdf/secbreach.p df http://info.sen.ca.gov/cgi-bin/postquery? bill_number=sb_27&sess=0304&house=B&s ite=sen http://info.sen.ca.gov/pub/01-02/bill/asm/ab_17511800/ab_1798_bill_20020424_amended_asm.pdf http://info.sen.ca.gov/pub/01-02/bill/asm/ab_17511800/ab_1798_bill_20020626_amended_sen.pdf http://info.sen.ca.gov/pub/09-10/bill/sen/sb_00010050/sb_20_bill_20090908_enrolled.html http://www.ontla.on.ca/web/bills/bills_detail.do? locale=en&BillID=1067&isCurrent=false&Par lSessionID=37%3A3 http://laws.justice.gc.ca/en/ShowTdm/cs/P-8.6///en http://laws.justice.gc.ca/en/ShowTdm/cs/p-21///en http://www.the-cma.org/?WCE=C=47%7CK=225849 http://www.cisecurity.org/bench_macosx.html http://www.cisecurity.org/bench_novell.html
44 45 46 47 48 49
50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71
72 73 74 75 76 77 78 79 80 81 82 83
CI Security Slackware Linux Benchmark v1.1 CI Security Solaris 10 Benchmark CI Security Solaris Benchmark v1.3 CI Security SuSE Linux Enterprise Server Benchmark v1.0 CI Security Windows 2000 CI Security Windows 2000 Professional CI Security Windows 2000 Server CI Security Windows NT CI Security Windows Server 2003 Domain Controllers CI Security Windows Server 2003 Member Servers CI Security Windows XP Professional SP1/SP2 CIS iPhone 2.2.1 Benchmark CISWG Information Security Program Elements
http://www.cisecurity.org/bench_linux.html http://www.cisecurity.org/bench_solaris.html http://www.cisecurity.org/bench_solaris.html http://www.cisecurity.org/bench_linux.html http://www.cisecurity.org/bench_windows.html http://www.cisecurity.org/bench_windows.html http://www.cisecurity.org/bench_windows.html http://www.cisecurity.org/bench_windows.html http://www.cisecurity.org/bench_windows.html http://www.cisecurity.org/bench_windows.html http://www.cisecurity.org/bench_windows.html https://community.cisecurity.org/download/? redir=/iphone/CIS_iPhone_2.2.1_Benchmark_v1.0.0.pdf http://www.cisecurity.org/Documents/BPMetricsTeamReportF inal111704Rev11005.pdf http://www.cio.gov/Documents/it_management_reform_act_ Feb_1996.html http://www.cms.hhs.gov/manuals/downloads/117_systems_s ecurity.pdf http://wedi.org/cmsUploads/pdfUpload/WEDIBulletin/pub/Co py_of_CSR_HIPAAMatrixFeb05final.pdf http://www.cms.hhs.gov/InformationSecurity/Downloads/ars. pdf http://www.cms.hhs.gov/informationsecurity/downloads/IS_R A_Procedure.pdf http://www.isaca.org/Content/NavigationMenu/Members_an d_Leaders/COBIT6/Obtain_COBIT/Obtain_COBIT.htm http://www.isaca.org/Content/NavigationMenu/Members_an d_Leaders/COBIT6/Obtain_COBIT/Obtain_COBIT.htm http://alisondb.legislature.state.al.us/acas/CodeOfAlabama/ 1975/147638.htm http://www.ecgi.org/codes/documents/singapore_ccg_2005. pdf http://www.state.co.us/gov_dir/leg_dir/olls/sl2004a/sl_205.ht m http://www.michie.com/colorado/lpext.dll/cocode/2/98ff/992 1/9923/9cc7/9dbf?f=templates&fn=documentframe.htm&2.0#JD_6-1-713 http://www.state.co.us/gov_dir/leg_dir/olls/sl2004a/sl_393.ht m http://www.state.co.us/gov_dir/leg_dir/olls/sl2004a/sl_365.ht m http://www.michie.com/colorado/lpext.dll? 
f=templates&fn=main-h.htm&cp= http://www.michie.com/colorado/lpext.dll/cocode/2/29af3/29 b24/2a406/2a420/2a43e?f=templates&fn=documentframe.htm&2.0#JD_16-5-103 http://cce.mitre.org/lists/data/downloads/cce-COMBINED5.20090506.xls http://cce.mitre.org/lists/cce_list.html http://www.law.cornell.edu/uscode/18/1030.html
84 85 86 87 88 89 90 CobiT 4.1 91 92 93 94 Colorado Consumer Credit Solicitation Protection, CO HB 04-1274 Colorado Disposal of Personal Identifying Documents C.R.S. 6-1-713 Colorado Prohibiting Inclusion of Social Security Number, CO HB 04-1311 Colorado Prohibition against Using Identity Information for Unlawful Purpose, CO HB 041134 Colorado Revised Statutes 6-1-716, Notice of Security Breach Colorado Revised Statutes Title 16 Article 5 Section 103 Identity theft victims - definitions Common Configuration Enumeration: Unique Identifiers for Common System Configuration Issues Common Configuration Enumeration: Unique Identifiers for Common System Configuration Issues Computer Fraud and Abuse Act Code of Alabama, Article 10 The Consumer Identity Protection Act, 13A-8-190 thru 13A8-201 CODE OF CORPORATE GOVERNANCE 2005 CMS Information Security Acceptable Risk Safeguards (ARS) CMS Information Security Risk Assessment _IS RA_ Procedure CobiT Clinger-Cohen Act (Information Technology Management Reform Act) CMS Business Partners Systems Security Manual CMS Core Security Requirements (CSR)
95 96 97 98
Computer Security Incident Handling Guide, NIST SP 800-61 Connecticut law Concerning Nondisclosure of Private Tenant Information, CT HB 5184 Connecticut law Requiring Consumer Credit Bureaus to Offer Security Freezes, CT SB 650 Connecticut Public Act 08-167, An Act Concerning the Confidentiality of Social Security Numbers Connecticut State Law Sec. 36a-701b. Breach of security re computerized data containing personal information. Disclosure of breach. Delay for criminal investigation. Means of notice. Unfair trade prac Consumer Interests in the Telecommunications Market, Act No. 661 Contingency Planning Guide for Information Technology Systems, NIST SP 800-34 Controlling the Assault of Non=Solicited Pornography and Marketing Act of 2003 Controls and Procedures, SEC 17 CFR 240.15d15 Corporate Governance in listed Companies Clause 49 of the Listing Agreement Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Ref Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004 COSO Enterprise Risk Management (ERM) Integrated Framework (2004)
111 112
113 114 115 116 117 118 119 120 121 122
http://www.comlaw.gov.au/comlaw/management.nsf/lookupi ndexpagesbyid/IP200402596?OpenDocument https://www.cpa2biz.com/CS2000/Products/CPA2BIZ/Publicat ions/COSO+Enterprise+Risk+Management++Integrated+Framework.htm http://csrc.nist.gov/publications/nistpubs/800-40Ver2/SP800-40v2.pdf http://www.pac-am.com/docs/CTPATBestPractices.pdf http://www.cbp.gov/xp/cgov/trade/cargo_security/ctpat/secu rity_criteria/criteria_importers/ctpat_importer_criteria.xml http://ec.europa.eu/justice_home/fsj/privacy/docs/implemen tation/czech_republic_act_101_en.pdf http://www.dhs.gov/xlibrary/assets/DIB_SSP_5_21_07.pdf http://iase.disa.mil/stigs/stig/UNISYS-STIG-V7R2.doc http://iase.disa.mil/stigs/stig/unix-stig-v5r1.pdf http://delcode.delaware.gov/title6/c012b/index.shtml
Creating a Patch and Vulnerability Management Program, NIST SP 800-40 C-TPAT Supply Chain Security Best Practices Catalog Customs-Trade Partnership Against Terrorism (CTPAT) Importer Security Criteria Czech Republic Personal Data Protection Act Defense Industrial Base Information Assurance Standard Defense Information Systems Agency UNISYS Security Technical Implementation Guide Version 7 Release 2 Defense Information Systems Agency UNIX Security Technical Implementation Guide Version 5 Release 1 Delaware Code TITLE 6 Commerce and Trade, Subtitle II Other Laws Relating to Commerce and Trade ,Chapter 12B. Computer Security Breaches, 12B-101 thru 104 Denmark Act on Competitive Conditions and Consumer Interests Denmark, The Act on Processing of Personal Data Design Criteria Standard for Electronic Records Management Software Application, DOD 5015.2 Direct Marketing Association Privacy Promise
Directive 2003/4/EC Of The European Parliament 128 129 130 131 DISA Windows XP Security Checklist 132 133 134 135 136 137 138 139 DISA Windows XP Security Checklist Version 6 Release DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2 DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2 DISA WIRELESS STIG BLACKBERRY SECURITY CHECKLIST, Version 5, Release 2.4 DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, V5R2.3 DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5,Release 2.4 Disaster / Emergency Management and Business Continuity, NFPA 1600 District of Columbia Official Code, Division V Local Business Affairs, Title 28. Commercial Instruments and Transactions, Chapter 38. Consumer Protections, Subchapter II. Consumer Security Breach Noti DOT Physical Security Survey Checklist Driver's Privacy Protection Act (DPPA), 18 USC 2721 EFT (Electronic Fund Transfer) Act (Reg. E) SEC 12 CFR 205 Equal Credit Opportunity Act (Reg. B) Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST Special Publication 800-97 EU 8th Directive (European SOX) EU Directive on Data Protection, 95/46/EC EU Directive on Privacy and Electronic Communications, 2002/58/EC Fair and Accurate Credit Transactions Act of 2003 (FACT Act) 149 150 Fair Credit Reporting Act (FCRA) Family Education Rights Privacy Act (FERPA), 20 USC 1232 151 FDA Electronic Records; Electronic Signatures FDA 21 CFR Part 11+D1 152 153 FDCC SCAP OVAL Patches - IE7 DISA Secure Remote Computing Security Technical Implementation Guide version 1.2 DISA Windows Server 2003 Security Checklist Version 6 Release 1.11 DISA Windows VISTA Security Checklist
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do? uri=OJ:L:2003:041:0026:0032:EN:PDF http://iase.disa.mil/stigs/stig/src-stig-v1r2.pdf http://iase.disa.mil/stigs/stig/win2k-XP-03-vistaaddendumv6r1-052107.doc http://iase.disa.mil/stigs/stig/win2k-XP-03-vistaaddendumv6r1-052107.doc http://iase.disa.mil/stigs/checklist/windows_xp_checklist_v6r 1-11_20090424.zip http://iase.disa.mil/stigs/checklist/unclassified_windows_xp_ checklist_v6r1.14_20091023.zip http://iase.disa.mil/stigs/stig/wireless_stig_v5r2.pdf http://iase.disa.mil/stigs/checklist/wireless_stig_apriva_sens a_checklist_v5r2-2_final_14apr2009.pdf http://iase.disa.mil/stigs/checklist/wireless_stig_blackberry_c hecklist_v5r2.4_14apr2009.zip http://iase.disa.mil/stigs/checklist/wireless_stig_good_mobile _messaging_checklist_v5r2-3_final_14apr2009.pdf http://iase.disa.mil/stigs/checklist/wireless_stig_windows_mo bile_messaging_checklist_v5r2-4_final_14apr2009.pdf http://www.nfpa.org/assets/files/pdf/nfpa1600.pdf http://www.dccouncil.washington.dc.us/images/00001/2006 1218135855.pdf
http://transitsafety.volpe.dot.gov/training/Archived/EPSSeminarReg/CD/D ocuments/OHIO_DOT/physicalsecurity.doc http://www4.law.cornell.edu/uscode/html/uscode18/usc_sec_ 18_00002721----000-.html http://ecfr.gpoaccess.gov/cgi/t/text/text-idx? c=ecfr&sid=635f26c4af3e2fe4327fd25ef4cb5638&am p;tpl=/ecfrbrowse/Title12/12cfr205_main_02.tpl http://www.fdic.gov/regulations/laws/rules/6500-2900.html http://csrc.nist.gov/publications/nistpubs/800-97/SP80097.pdf http://www.8th-company-lawdirective.com/8thCompanyLaw.htm http://www.cdt.org/privacy/eudirective/EU_Directive_.html http://eur-lex.europa.eu/LexUriServ/LexUriServ.do? uri=CELEX:32002L0058:EN:HTML http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi? dbname=108_cong_public_laws&docid=f:publ159.108 http://www.ftc.gov/os/statutes/031224fcra.pdf http://ecfr.gpoaccess.gov/cgi/t/text/text-idx? c=ecfr;sid=432bbda77876ee638be366c1091527ec;rgn=div 5;view=text;node=34%3A1.1.1.1.34;idno=34;cc=ecfr http://ecfr.gpoaccess.gov/cgi/t/text/text-idx? c=ecfr&sid=a486dc03a379dd084f837db8a3150cf2&a mp;rgn=div5&view=text&node=21:1.0.1.1.7&am p;idno=21 http://nvd.nist.gov/chklst_detail.cfm?config_id=171
154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169
Federal Information Security Management Act of 2002 (FISMA) Federal Information System Controls Audit Manual (FISCAM) Federal Rules of Civil Procedure (2007) FERC Security Program for Hydropower Projects FFIEC Guidance on Authentication in an Internet Banking Environment FFIEC IT Examination Handbook Audit FFIEC IT Examination Handbook Business Continuity Planning FFIEC IT Examination Handbook Development and Acquisition FFIEC IT Examination Handbook E-Banking FFIEC IT Examination Handbook Information Security FFIEC IT Examination Handbook Management FFIEC IT Examination Handbook Operations FFIEC IT Examination Handbook Outsourcing Technology Services FFIEC IT Examination Handbook Retail Payment Systems FFIEC IT Examination Handbook Supervision of Technology Service Providers FFIEC IT Examination Handbook Wholesale Payment Systems Financial Reporting Council, Combined Code on Corporate Governance Finland act on the amendment of the Personal Data Act (986/2000) Finland Act on the Protection of Privacy in Electronic Communications Finland Personal Data Protection Act (523/1999) FIPS 140-2, Security Requirements for Cryptographic Modules FIPS 191, Guideline for the Analysis of Local Area Network (LAN) Security FIPS 199, Standards for Security Categorization of Federal Information and Information Systems FIPS 200, Minimum Security Requirements for Federal Information and Information Systems Florida Personal Identification Information/Unlawful Use, FL HB 481 Florida Statute 817.5681 Breach of security concerning confidential personal information in third-party possession France Data Processing, Data Files and Individual Liberties FTC Electronic Signatures in Global and National Commerce Act (ESIGN) FTC FACT Act Red Flags Rule Template GAO/PCIE Financial Audit Manual (FAM) General Laws of Massachusetts, Part I, Title XV Chapter 93H, Security Breaches
http://csrc.nist.gov/drivers/documents/FISMA-final.pdf http://www.gao.gov/new.items/d09232g.pdf http://www.law.cornell.edu/rules/frcp/ http://www.ferc.gov/industries/hydropower/safety/guidelines /security/securitytext.pdf http://www.ffiec.gov/pdf/authentication_guidance.pdf http://www.ffiec.gov/ffiecinfobase/booklets/audit/audit.pdf http://www.ffiec.gov/ffiecinfobase/booklets/bcp/bus_continui ty_plan.pdf http://www.ffiec.gov/ffiecinfobase/booklets/d_a/d_and_a.pdf http://www.ffiec.gov/ffiecinfobase/booklets/e_banking/e_ban king.pdf http://www.ffiec.gov/ffiecinfobase/booklets/information_secu rity/information_security.pdf http://www.ffiec.gov/ffiecinfobase/booklets/mang/mang.pdf http://www.ffiec.gov/ffiecinfobase/booklets/operations/opera tion.pdf http://www.ffiec.gov/ffiecinfobase/booklets/outsourcing/Outs ourcing_Booklet.pdf http://www.ffiec.gov/ffiecinfobase/booklets/Retail/retail.pdf http://www.ffiec.gov/ffiecinfobase/booklets/tsp/tech_ser_pro vider.pdf http://www.ffiec.gov/ffiecinfobase/booklets/Wholesale/whole .pdf http://www.frc.org.uk/documents/pagemanager/frc/Combine d_Code_June_2008/Combined%20Code%20Web %20Optimized%20June%202008(2).pdf http://www.tietosuoja.fi/uploads/p9qzq7zr3xxmm9j.rtf http://www.finlex.fi/en/laki/kaannokset/2004/en20040516.pd f http://www.tietosuoja.fi/uploads/hopxtvf.HTM http://csrc.nist.gov/publications/fips/fips140-2/Fips140-2.zip http://csrc.nist.gov/publications/fips/fips191/fips191.pdf http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199final.pdf http://csrc.nist.gov/publications/fips/fips200/FIPS-200-finalmarch.pdf http://www.myfloridahouse.gov/Sections/Bills/billsdetail.asp x?BillId=15974 http://www.leg.state.fl.us/statutes/index.cfm?mode=View %20Statutes&SubMenu=1&App_mode=Display_S tatute&Search_String=breach+of+security&URL= CH0817/Sec5681.HTM http://www.cnil.fr/fileadmin/documents/en/Act78-17VA.pdf http://www.ftc.gov/os/2001/06/esign7.htm http://www.finra.org/Industry/Issues/CustomerInformationPr otection/p118480 
http://www.gao.gov/special.pubs/gaopcie/ http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm
185
Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14 Georgia Code Title 10 Chapter 1 Article 34 101-911 thru 10-1-915 Notification required upon breach of security regarding personal information Georgia Public employees; Fraud, Waste, and Abuse, GA HB 656 German Corporate Governance Code ("The Code") German Federal Data Protection Act Gramm-Leach-Bliley Act (GLB) Greece Law Protection ofpersonal data and privacy in electronic telecommunications sector (Law 3471) Guidance for Protecting Building Environments from Airborne Chemical, Biological, or Radiological Attacks, NIOSH, May 2002, DHHS (NIOSH) Publication No. 2002-139 Guidance for Securing Microsoft Windows XP Systems for IT Professionals, NIST SP 800-68 Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A Guide for Developing Performance Metrics for Information Security, NIST SP 800-80 Guide for Developing Security Plans for Federal Information Systems, NIST SP 800-18 Guide for Mapping Types of Information and Information Systems to Security Categories, NIST SP 800-60 Guide to Bluetooth Security, NIST Special Publication 800-121 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), NIST SP 800-122 Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48 Revision 1 Guidelines for Media Sanitization, NIST Special Publication 800-88 Guidelines on Cell Phone and PDA Security, NIST Special Publication 800-124 Guidelines on Firewalls and Firewall Policy, NIST SP 800-41 Hawaii Exempting disclosure of Social Security numbers HI HB 2674 Hawaii Revised Statute 487N. Security Breach of Personal Information Health Insurance Portability and Accountability Act of 1996 (HIPAA) HIPAA HCFA Internet Security Policy HMG Security Policy Framework
192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208
http://csrc.nist.gov/itsec/SP800-68r1.pdf http://csrc.nist.gov/publications/nistpubs/800-53A/SP80053A-final-sz.pdf http://csrc.nist.gov/publications/drafts.html#sp800-80 http://csrc.nist.gov/publications/nistpubs/800-18Rev1/sp800-18-Rev1-final.pdf http://csrc.nist.gov/publications/nistpubs/800-60rev1/SP800-60_Vol2-Rev1.pdf http://csrc.nist.gov/publications/nistpubs/800-121/SP800121.pdf http://csrc.nist.gov/publications/drafts/800-122/Draft-SP800122.pdf http://csrc.nist.gov/publications/nistpubs/800-48rev1/SP800-48r1.pdf http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP80088_rev1.pdf http://csrc.nist.gov/publications/nistpubs/800-124/SP800124.pdf http://csrc.nist.gov/publications/nistpubs/800-41/sp80041.pdf http://www.capitol.hawaii.gov/session2004/bills/hb2674_cd1 _.htm http://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch04760490/HRS0487N/ http://www.cms.hhs.gov/HIPAAGenInfo/Downloads/HIPAALaw .pdf http://csrc.nist.gov/groups/SMA/fasp/documents/policy_proc edure/internet_policy.pdf http://www.cabinetoffice.gov.uk/media/207318/hmg_securit y_policy.pdf http://www.pco.org.hk/textonly/english/ordinance/section_01 .html http://abiweb.obh.hu/dpc/index.php? menu=gyoker/relevant/national/1992_LXIII http://www.personuvernd.is/information-inenglish/greinar//nr/438 http://www3.state.id.us/idstat/TOC/28051KTOC.html
Hong Kong Personal Data (Privacy) Ordinance
Hungary Protection of Personal Data and Disclosure of Data of Public Interest
Iceland Protection of Privacy as regards the Processing of Personal Data
Idaho Code Title 28 Commercial Transactions, Chapter 51 Identity Theft
Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003
IIA Global Technology Audit Guide (GTAG): Auditing Application Controls
IIA Global Technology Audit Guide (GTAG): Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment
IIA Global Technology Audit Guide (GTAG): Information Technology Controls
IIA Global Technology Audit Guide (GTAG): Information Technology Outsourcing
IIA Global Technology Audit Guide (GTAG): Management of IT Auditing
IIA Global Technology Audit Guide (GTAG): Managing and Auditing IT Vulnerabilities
IIA Global Technology Audit Guide (GTAG): Managing and Auditing Privacy Risks
IIA Global Technology Audit Guide (GTAG): Change and Patch Management Controls: Critical for Organizational Success
Illinois Compiled Statutes, Chapter 815, ILCS 530/Personal Information Protection Act.
http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf
http://www.theiia.org/guidance/standards-andguidance/ippf/practice-guides/gtag/gtag8/
http://www.theiia.org/guidance/standards-andguidance/ippf/practice-guides/gtag/gtag3/
http://www.theiia.org/guidance/standards-andguidance/ippf/practice-guides/gtag/gtag1/
http://www.theiia.org/guidance/standards-andguidance/ippf/practice-guides/gtag/gtag7/
http://www.theiia.org/guidance/standards-andguidance/ippf/practice-guides/gtag/gtag4/
http://www.theiia.org/guidance/standards-andguidance/ippf/practice-guides/gtag/gtag6/
http://www.theiia.org/guidance/standards-andguidance/ippf/practice-guides/gtag/gtag5/
http://www.theiia.org/guidance/standards-andguidance/ippf/practice-guides/gtag/gtag2/
http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&ChapAct=815%26nbsp%3BILCS%26nbsp%3B530%2F&ChapterID=67&ChapterName=BUSINESS+TRANSACTIONS&ActName=Personal+Information+Protection+Act%2E
http://www.ilga.gov/legislation/publicacts/fulltext.asp?Name=094-0036
http://www.cfoc.gov/index.cfm?function=specdoc&id=Implementation%20Guide%20for%20OMB%20Circular%20A123&structure=OMB%20Documents%20and%20Guidance&category=Guides
http://www.naavi.org/ita_2006/compare_ita2000_vs_ita2006/index.htm
http://www.in.gov/legislative/ic/code/title24/ar4.9/
http://www.in.gov/legislative/ic/code/title4/ar1/ch11.html
http://www.in.gov/legislative/bills/2005/SE/SE0503.1.html
http://www.fdic.gov/news/news/financial/2005/fil8105.html
http://www.iwar.org.uk/comsec/resources/standards/itsec.htm
http://www.bsi.bund.de/zertifiz/itkrit/itsem-en.pdf
http://www.fdic.gov/news/news/financial/2005/fil2705a.html
http://www.irs.gov/irm/
http://www.occ.treas.gov/ftp/alert/2000-1.txt
http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP800-66-Revision1.pdf
http://coolice.legis.state.ia.us/Cool-ICE/default.asp?category=billinfo&service=IowaCode&ga=83&input=614#614.4A
http://www.legis.state.ia.us/IACODE/2001SUPPLEMENT/714/16B.html
Illinois Personal Information Protection Act IL HB 1633
Implementation Guide for OMB Circular A-123 Management's Responsibility for Internal Control
India Information Technology Act (ITA-2000)
Indiana Code 24, Article 4.9. Disclosure of Security Breach
Indiana Code 24, Notice of Security Breach, Chapter 11
Indiana Release of Social Security Number, Notice of Security Breach IN SB 503
Information Technology Risk Management Program (IT-RMP) New Information Technology Examination Proce
Information Technology Security Evaluation Criteria (ITSEC)
Information Technology Security Evaluation Manual (ITSEM)
Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice
Internal Revenue Manual (IRM)
Internet Security: Distributed Denial of Service Attacks OCC Alert 2000-1
Introductory Resource Guide for HIPAA NIST Special Publication 800-66
Iowa Code Annotated 614.4a
Iowa Code Annotated 715C Personal Information Security Breach Protection
Ireland Data Protection Amendment 2003
IRS Internal Revenue Code Section 501(c)(3)
IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information
IRS Revenue Procedure: Record retention: automatic data processing, 98-25
IRS Revenue Procedure: Retention of books and records, 97-22
ISACA Cross-Border Privacy Impact Assessment
ISACA IS Standards, Guidelines, and Procedures for Auditing and Control Professionals
ISF Security Audit of Networks
ISF Standard of Good Practice for Information Security
ISO 13335-1:2004, Information technology Security techniques Management of information and communications technology security Part 1: Concepts and models for information and communications techn
ISO 13335-3:1998, Information technology Guidelines for the management of IT Security Part 3: Techniques for the management of IT Security
ISO 13335-4:2000, Information technology Guidelines for the management of IT Security Part 4: Selection of safeguards
ISO 13335-5:2001, Information technology Guidelines for the management of IT Security Part 5: Management guidance on network security
ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General
ISO 15489-2:2001, Information and Documentation: Records management: Part 2: Guidelines
ISO 17799:2000, Code of Practice for Information Security Management
ISO 17799:2005 Code of Practice for Information Security Management
ISO 27001:2005, Information Security Management Systems - Requirements
ISO 73:2002, Risk Management - Vocabulary
Ireland Consolidated Data Protection Acts of 1988 and 2003
Ireland Data Protection Act of 1988
http://coolice.legis.state.ia.us/Cool-ICE/default.asp?category=billinfo&service=IowaCode&ga=83
http://www.dataprotection.ie/documents/legal/DPAConsolMay09.pdf
http://www.irishstatutebook.ie/1988/en/act/pub/0025/index.html
http://www.irishstatutebook.ie/2003/en/act/pub/0006/index.html
http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=browse_usc&docid=Cite:+26USC501
http://www.irs.gov/pub/irs-pdf/p1075.pdf
http://www.unclefed.com/Tax-Bulls/1998/rp98-25.pdf
http://www.recapinc.com/irs_97-22.htm
http://www.isaca.org/Template.cfm?Section=Home&CONTENTID=17226&TEMPLATE=/ContentManagement/ContentDisplay.cfm
http://www.isaca.org/AMTemplate.cfm?Section=Standards2&Template=/ContentManagement/ContentDisplay.cfm&ContentID=27785
https://www.isfsecuritystandard.com/SOGP07/index.htm
http://www.iso.ch/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=39066
http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=21756
http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=29240
http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=31142
http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=31908
http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=35845
http://www.iso.ch/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=39612&ICS1=35&ICS2=40&ICS3=
http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=39612&ICS1=35&ICS2=40&ICS3=
http://www.iso.ch/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=42103&ICS1=35&ICS2=40&ICS3
http://www.iso.ch/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=34998
ISO/IEC 15408-1:2005 Common Criteria for Information Technology Security Evaluation Part 1
ISO/IEC 15408-2:2008 Common Criteria for Information Technology Security Evaluation Part 2
ISO/IEC 15408-3:2008 Common Criteria for Information Technology Security Evaluation Part 3
ISO/IEC 18045:2005 Common Methodology for Information Technology Security Evaluation Part 3
ISO/IEC 18045:2008 Common Methodology for Information Technology Security Evaluation
ISO/IEC 20000-1:2005 Information technology Service Management Part 1
ISO/IEC 20000-2:2005 Information technology Service Management Part 2
ISO/IEC 27002-2005 Code of practice for information security management
ISSA Generally Accepted Information Security Principles (GAISP)
IT Baseline Protection Manual Standard Security Safeguards Germany
IT Service Management Standard - Code of Practice, BS ISO/IEC 20000-2:2005
IT Service Management Standard, BS ISO/IEC 20000-1:2005
Italy Personal Data Protection Code
Italy Protection of Individuals Other Subject with regard to the Processing of Personal Data
Japan Act on the Protection of Personal Information Protection (Law No. 57 of 2003)
Japan ECOM Guidelines Concerning the Protection of Personal Data in Electronic Commerce in the Private Sector (version 1.0)
Japan Handbook Concerning Protection Of Personal Data
Kansas Statutes Chapter 50, Article 7a Protection Of Consumer Information
Kentucky Revised Statutes Title III Chapter 15 113 Prevention of Identity Theft
Kentucky Revised Statutes Title XXXVI Chapter 411 210 Action for theft of identity or trafficking in stolen identities
Korea Act on Promotion of Information & Communication Network Utilization and Information Protection, etc
Korea Act on the Protection of Personal Information Maintained by Public Agencies 1994
Korea Act Relating to Use and Protection of Credit Information
Level-2 Windows 2000 Professional Operating System Benchmark
Lithuania Law on Legal Protection of Personal Data
Loi sur la Sécurité Financière (French SOX)
Louisiana Revised Statutes Title 51 3073-3074 Database Security Breach Notification Law
Luxembourg Data Protection Law
http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=40612&ICS1=35&ICS2=40&ICS3=
http://www.iso.org/iso/iso_catalogue/catalogue_ics/catalogue_detail_ics.htm?csnumber=46414
http://www.iso.org/iso/iso_catalogue/catalogue_ics/catalogue_detail_ics.htm?csnumber=46413
http://www.iso.org/iso/iso_catalogue/catalogue_ics/catalogue_detail_ics.htm?csnumber=46412
http://www.iso.org/iso/iso_catalogue/catalogue_ics/catalogue_detail_ics.htm?csnumber=46412
http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=41332
http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=41333
http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=50297
http://all.net/books/standards/GAISP-v30.pdf
http://www.iwar.org.uk/comsec/resources/standards/germany/itbpm/menue.htm
http://20000.standardsdirect.org/
http://20000.standardsdirect.org/
http://www.garanteprivacy.it/garante/document?ID=311066
http://www.euroacustici.org/eng/Privacy.pdf
http://www5.cao.go.jp/seikatsu/kojin/foreign/act.pdf
http://www.ecom.jp/ecom_e/report/full/personal.pdf
http://www.meti.go.jp/english/information/downloadfiles/Taro9-eng.pdf
http://kansasstatutes.lesterama.org/Chapter_50/Article_7a/
http://www.lrc.ky.gov/KRS/015-00/113.PDF
http://www.lrc.ky.gov/KRS/411-00/210.PDF
http://unpan1.un.org/intradoc/groups/public/documents/APCITY/UNPAN025694.pdf
http://www.glin.gov/view.action?glinID=202097
http://www.glin.gov/view.action?glinID=99460
http://www.cisecurity.org/bench_windows.html
http://www.ada.lt/images/cms/File/pers.data.prot.law.pdf
http://www.assembleenationale.fr/12/dossiers/securite_financiere.asp
http://www.legis.state.la.us/lss/lss.asp?doc=322029
http://www.cnpd.lu/objets/en/doc_loi02082002mod_en.pdf#zoom=125,0,0
Mac OS X Security Configuration for version 10.4 or later, second edition
Maine Revised Statutes Title 10, Part 3 Chapter 210-B Notice of Risk to Personal Data
Maryland Code of Commercial Law Subtitle 35. Maryland Personal Information Protection Act 14-3501 thru 14-3508
Massachusetts 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth of Massachusetts
MasterCard Electronic Commerce Security Architecture Best Practices
MasterCard Wireless LANs - Security Risks and Guidelines
Mexico Federal Personal Data Protection Law
Michigan Identity Theft Protection Act, Act 452 of 2004, 445.61 thru 445.72a
Microsoft Developer Network Security Glossary
Microsoft Office 2007 Security Guide
http://images.apple.com/server/macosx/docs/Tiger_Security_Config_021507.pdf
http://www.mainelegislature.org/legis/statutes/10/title10ch210-Bsec0.html
http://www.michie.com/maryland/lpext.dll?f=templates&fn=main-h.htm&cp=mdcode
http://www.mass.gov/Eoca/docs/idtheft/201CMR17amended.pdf
http://www.powerpay.biz/docs/risk/MC_best_practices_online.pdf
http://www.mastercard.com/us/sdp/assets/pdf/wl_entire_manual.pdf
https://www.agpd.es/upload/English_Resources/Mexico_declaration.pdf
http://legislature.mi.gov/doc.aspx?mcl-Act-452-of-2004
http://msdn.microsoft.com/enus/library/ms721607(VS.85).aspx
http://www.microsoft.com/downloads/details.aspx?FamilyID=5534bee1-3cad-4bf0-b92ba8e545573a3e&displaylang=en
http://www.microsoft.com/downloads/details.aspx?FamilyID=5534bee1-3cad-4bf0-b92ba8e545573a3e&displaylang=en
http://technet.microsoft.com/en-us/bb629420.aspx
https://www.revisor.leg.state.mn.us/bin/bldbill.php?bill=H1758.4.html&session=ls85
http://www.revisor.leg.state.mn.us/data/revisor/statute/2008/013/2008-13.055.pdf
https://www.revisor.leg.state.mn.us/statutes/?id=325E.61#stat.325E.61
https://www.revisor.leg.state.mn.us/statutes/?id=325E.64
http://www.moga.mo.gov/statutes/c400499/4070001500.htm
http://www.house.missouri.gov/content.aspx?info=/bills041/biltxt/intro/HB0957I.HTM
http://data.opi.state.mt.us/BILLS/2005/BillPDF/HB0732.pdf
http://data.opi.state.mt.us/bills/mca_toc/30_14_17.htm
Microsoft Solutions for Security and Compliance; Windows XP Security Guide
Microsoft Windows Vista Security Guide Appendix A: Security Group Policy Settings
Minnesota Plastic Card Security Act H.F. 1758
Minnesota Statute 13.055 State Agencies; Disclosure of Breach in Security
Minnesota Statute 325E.61 Data Warehouses; Notice Required For Certain Disclosures
Minnesota Statute 325E.64 Access Devices; Breach of Security
Missouri Revised Statutes Chapter 407 Merchandising Practices 407.1500
Missouri War on Terror Veteran Survivor Grants, MO HB 957
Montana bill to Implement Individual Privacy and to Prevent Identity Theft, MT HB 732
Montana Code 30-14-1701 thru 30-14-1705 and 30-14-1721 thru 30-14-1722; Protection of individual privacy and to impede identity theft as prohibited by 45-6-332
Montana Code 45-6-332. Theft of identity
Multi-Function Device (MFD) and Printer Checklist for Sharing Peripherals Across the Network Security Technical Implementation Guide
NASD Manual
National Incident Management System (NIMS), Department of Homeland Security, December 2008
NCUA Guidelines for Safeguarding Member Information, 12 CFR 748
Nebraska Revised Statutes 87-801 thru 87-807, Data Protection and Consumer Notification of Data Security Breach Act of 2006
Netherlands Act of 6 July 2000 Personal Data Protection Act
Netherlands Personal Data Protection Act, Session 1999-2000 Nr.92
Nevada Revised Statute Chapter 603A, Security of Personal Information
Nevada Security Breach Notification Law, NV SB 347
New Hampshire Statute Title XXXI, Chapter 359C Right to Privacy, Notice of Security Breach
New Jersey Identity Theft Prevention Act, NJ A4001/S1914
New Jersey Permanent Statutes Title 56 Security of Personal Information
New York Disposal of Records Containing Personal Identifying Information NY CLS Gen Bus 399-h
New York Information Security Breach and Notification Act
New York State General Business Law Chapter 20, Article 39-F, 899-aa
New Zealand Privacy Act 1993
NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006
NIST SCAP Microsoft Internet Explorer Version 7.0 OVAL
North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards
North Carolina Security Breach Notification Law (Identity Theft Protection Act of 2005)
North Carolina Statutes Chapter 75 Article 2A. Identity Theft Protection Act 75-60 through 75-66
North Dakota Century Code, CHAPTER 51-30 Notice of Security Breach For Personal Information
North Dakota Personal Information Protection Act, ND SB 2251
NRC Regulations (10 CFR) 73.54 Protection of digital computer and communication systems and networks
NSA Guide to Securing Microsoft Windows 2000 Group Policy
NSA Guide to Security Microsoft Windows XP
NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5
NSA Guide to the Secure Configuration of Solaris 8
NYSE Listed Company Manual
OECD / World Bank Technology Risk Checklist
OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
OECD Principles of Corporate Governance
OGC ITIL: Application Management
OGC ITIL: ICT Infrastructure Management
http://www.dutchdpa.nl/indexen/en_ind_wetten_wbp_wbp.shtml
http://www.dutchdpa.nl/downloads_wetten/wbp.pdf?refer=true&theme=purple
http://www.leg.state.nv.us/NRS/NRS-603A.html
http://www.leg.state.nv.us/73rd/bills/SB/SB347_EN.pdf
http://www.gencourt.state.nh.us/rsa/html/XXXI/359-C/359-Cmrg.htm
http://www.njleg.state.nj.us/2004/Bills/A3500/4001_I1.PDF
http://www.njleg.state.nj.us/2004/Bills/PL05/226_.HTM
http://it.rockefeller.edu/pdf/disposal.pdf
http://www.cscic.state.ny.us/security/securitybreach/
http://www.cscic.state.ny.us/lib/laws/documents/899-aa.pdf
http://www.legislation.govt.nz/act/public/1993/0028/latest/DLM296639.html
http://www.dtic.mil/whs/directives/corres/html/522022m.htm
http://nvd.nist.gov/chklst_detail.cfm?config_id=148
http://www.nerc.com/page.php?cid=2%7C20
http://www.ncleg.net/Sessions/2005/Bills/Senate/PDF/S1048v2.pdf
http://www.ncga.state.nc.us/EnactedLegislation/Statutes/HTML/ByArticle/Chapter_75/Article_2A.html
http://www.legis.nd.gov/cencode/t51c30.pdf
http://www.legis.nd.gov/assembly/59-2005/billtext/FRBS0500.pdf
http://www.nrc.gov/reading-rm/doccollections/cfr/part073/part073-0054.html
http://www.nsa.gov/ia/_files/os/win2k/w2k_group_policy.pdf
http://www.nsa.gov/ia/_files/os/winxp/Windows_XP_Security_Guide_v2.2.zip
http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf
http://www.nsa.gov/ia/_files/os/sunsol/I331-008R-2004.pdf
http://nysemanual.nyse.com/lcm/
http://www.infragard.net/library/pdfs/technologyrisklist.pdf
http://www.oecd.org/document/18/0,2340,en_17642234_17642806_1815186_1_1_1_1,00.html
http://www.oecd.org/DATAOECD/32/18/31557724.pdf
http://www.best-management-practice.com/PublicationsLibrary/IT-Service-Management-ITIL/ITIL-Version-2/?DI=610977#GEMS6449817
http://www.best-management-practice.com/PublicationsLibrary/IT-Service-Management-ITIL/ITIL-Version-2/?DI=610977#GEMS6449815
OGC ITIL: Planning to Implement Service Management
OGC ITIL: Security Management
OGC ITIL: Service Delivery
OGC ITIL: Service Support
Ohio Personal information - contact if unauthorized access, OH HB 104
Ohio Revised Code Title XIII Chapter 1347 1347.12 Agency disclosure of security breach of computerized personal information data
Ohio Revised Code Title XIII Chapter 1349 1349.19 Private disclosure of security breach of computerized personal information data
Oklahoma Administrative Code Title 375 Chapter 40 Oklahoma Identity Theft Passport Program 375:40-1-1 thru 375:40-1-11
Oklahoma State Law Disclosure of breach of security of computerized personal information, 74-3113.1
OMB Circular A-123 Management's Responsibility for Internal Control
Oregon Consumer Identity Theft Protection Act, Senate Bill 583
Oregon Revised Statutes Chapter 646a 646A.600 thru 646A.624 Identity Theft Protection Act
ORGANIC LAW 15/1999 of 13 December on the Protection of Personal Data
Part II Securities and Exchange Commission 17 CFR Parts 210, 228, 229 and 240 Amendments to Rules Regarding Management's Report on Internal Control Over Financial Reporting; Final Rule
Payment Card Industry (PCI) Data Security Standard Security Audit Procedures
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance No Electronic Storage, Processing, or Transmission of Cardholder Data
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines or Stand-alone Dial-out Terminals Only, no Electronic Cardholder Data
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers
Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures
Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline
http://www.best-management-practice.com/PublicationsLibrary/IT-Service-Management-ITIL/ITIL-Version-2/?DI=610977#GEMS6449809
http://www.best-management-practice.com/PublicationsLibrary/IT-Service-Management-ITIL/ITIL-Version-2/?DI=610977#GEMS6449811
http://www.best-management-practice.com/PublicationsLibrary/IT-Service-Management-ITIL/ITIL-Version-2/?DI=610977#GEMS6449807
http://www.best-management-practice.com/PublicationsLibrary/IT-Service-Management-ITIL/ITIL-Version-2/?DI=610977#GEMS6449805
http://www.legislature.state.oh.us/BillText126/126_HB_104_EN_N.pdf
http://codes.ohio.gov/orc/1347.12
http://codes.ohio.gov/orc/1349.19
http://www.oar.state.ok.us/oar/codedoc02.nsf/All/0941DE046451FFD3862575F400119991?OpenDocument
http://www2.lsb.state.ok.us/os/os_74-3113.1.rtf
http://www.whitehouse.gov/OMB/circulars/a123/a123_rev.html
http://www.leg.state.or.us/07reg/measpdf/sb0500.dir/sb0583.b.pdf
http://www.leg.state.or.us/ors/646a.html
https://www.agpd.es/upload/Ley%20Org%E1nica%201599_ingles.pdf
http://www.sec.gov/rules/final/2007/33-8809fr.pdf
https://www.pcisecuritystandards.org/docs/pci_saq_b.doc
https://www.pcisecuritystandards.org/docs/pci_saq_c.doc
https://www.pcisecuritystandards.org/docs/pci_saq_d.doc
Payment Card Industry (PCI) Payment Application Data Security Standard
Payment Card Industry Self-Assessment Questionnaire A and Attestation of Compliance No Electronic St
Payment Card Industry Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines
Payment Card Industry Self-Assessment Questionnaire C and Attestation of Compliance Payment Applicat
Payment Card Industry Self-Assessment Questionnaire D and Attestation of Compliance All Other Merch
PCAOB Auditing Standard No. 2
PCAOB Auditing Standard No. 3
https://www.pcisecuritystandards.org/pdfs/pci_padss_security_audit_procedures_v1-1.pdf
https://www.pcisecuritystandards.org/docs/saq_a_v1-1.doc
https://www.pcisecuritystandards.org/docs/saq_b_v1-1.doc
https://www.pcisecuritystandards.org/docs/saq_c_v1-1.doc
https://www.pcisecuritystandards.org/docs/saq_d_v1-1.doc
http://www.pcaobus.org/Rules/Rules_of_the_Board/Auditing_Standard_2.pdf
http://www.pcaobus.org/Rules/Rules_of_the_Board/Auditing_Standard_3.pdf
http://www.pcaobus.org/Rules/Rules_of_the_Board/Auditing_Standard_5.pdf
https://www.pcisecuritystandards.org/security_standards/pci_dss_download_agreement.html
https://www.pcisecuritystandards.org/pdfs/pci_scanning_procedures_v1-1.pdf
http://www.schwartzandballen.com/ImportedLawsBills/Pennsylvania%20Security%20Breach.pdf
http://csrc.nist.gov/publications/nistpubs/800-55Rev1/SP800-55-rev1.pdf
http://www.mp.gov.si/fileadmin/mp.gov.si/pageuploads/2005/PDF/zakonodaja/2007_10_29_personal_data_protection_act_RS.pdf
http://www.giodo.gov.pl/plik/id_p/61/j/en/
http://www.cnpd.pt/english/bin/legislation/Law6798EN.HTM
http://www.usdoj.gov/opcl/privacyact1974.htm
http://www.ftc.gov/os/2000/05/65fr33645.pdf
http://www.protectionofassets.com/
http://thomas.loc.gov/cgi-bin/query/D?c109:7:./temp/~c109XRfrcN::
http://www.schwartzandballen.com/ImportedDocs/Puerto%20Rico%20security%20breach.pdf
http://csrc.nist.gov/publications/nistpubs/800-53Rev2/sp800-53-rev2_pdf.zip
http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr;sid=c81f9f1046cb6bc1569a5db1ff1cb3ca;rgn=div8;view=text;node=17%3A3.0.1.1.1.2.97.421;idno=17;cc=ecfr
http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr;sid=8a707a87faf38f7d2846d9b026ef323e;rgn=div8;view=text;node=17%3A3.0.1.1.1.2.94.371;idno=17;cc=ecfr
http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr;sid=c81f9f1046cb6bc1569a5db1ff1cb3ca;rgn=div8;view=text;node=17%3A3.0.1.1.1.2.97.421;idno=17;cc=ecfr
http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr;sid=45bcefcbca5a2961e1cee9a9cb01b160;rgn=div8;view=text;node=17%3A3.0.1.1.1.2.94.373;idno=17;cc=ecfr
http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr;sid=90722b0e4f8ff362197b60c394489ce4;rgn=div8;view=text;node=17%3A3.0.1.1.1.2.94.375;idno=17;cc=ecfr
PCAOB Auditing Standard No. 5
PCI DSS (Payment Card Industry Data Security Standard)
PCI DSS Security Scanning Procedures
Pennsylvania Statutes Title 73 Trade and Commerce Chapter 43 Breach of Personal Information Notification Act 2301 thru 2329
Performance Measurement Guide for Information Security, NIST 800-55 Rev. 1
Personal Data Protection Act of the Republic of Slovenia of 2004
Poland Protection of Personal Data Act
Portuguese Act on the Protection of Personal Data 67/98
Privacy Act of 1974, 5 USC 552a
Privacy of Consumer Financial Information, FTC 16 CFR 313
Protection of Assets Manual, ASIS International
PUBLIC LAW 109-295, OCT. 4, 2006
Puerto Rico Code Title 10 Subtitle 3 Chapter Citizen Information on Data Banks Security Act, 10 L.P.R.A. 4051
Recommended Security Controls for Federal Information Systems, NIST SP 800-53
Record retention SEC 17 CFR 240.17Ad-7
Recordkeeping rule for securities exchanges, SEC 17 CFR 240.17a-1
Recordkeeping SEC 17 CFR 240.17Ad-6
Records to be made by certain exchange members, brokers, and dealers SEC 17 CFR 240.17a-3
Records to be preserved by certain exchange members, brokers, and dealers SEC 17 CFR 240.17a-4
Reporting Transactions and Holdings, SEC 17 CFR 240.16a-3
Responsible Care Security Code of Management Practices, American Chemistry Council
Retention of Audit and Review Records, SEC 17 CFR 210.2-06
Revised Code of Washington Title 19 Chapter 19.215 Disposal of personal information 19.215.005 thru 19.215.030
Revised Code of Washington Title 19 Chapter 19.255 Personal information - notice of security breaches 19.255.010
Rhode Island General Law Chapter 11-49.2 Identity Theft Protection 11-49.2-1 thru 11-49.2-4
Rhode Island Security Breach Notification Law, RI HB 6191
Right to Financial Privacy Act
Risk Management Guide for Information Technology Systems, NIST SP 800-30
Royal Decree of 13 February 2001 implementing the Law of 8 December 1992 on the protection of privacy in relation to the processing of personal data
Safety and Soundness Standards, Appendix of OCC 12 CFR 30
http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr;sid=3fc1d2e7d4a2c838ca758408923105a8;rgn=div8;view=text;node=17%3A3.0.1.1.1.2.90.348;idno=17;cc=ecfr
http://www.americanchemistry.com/securitycode_pdf
http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=1e057afa900af722d0a59a28773472ed&rgn=div8&view=text&node=17:2.0.1.1.8.0.18.9&idno=17
http://apps.leg.wa.gov/RCW/default.aspx?cite=19.215
http://apps.leg.wa.gov/RCW/default.aspx?cite=19.255.010
http://www.rilin.state.ri.us/statutes/TITLE11/1149.2/INDEX.HTM
http://www.rilin.state.ri.us/Billtext/BillText05/HouseText05/H6191.pdf
http://www.accessreports.com/statutes/RFPA.htm
http://csrc.nist.gov/publications/nistpubs/800-30/sp80030.pdf
http://www.privacycommission.be/en/static/pdf/wetgeving/uitvoeringsbesluit-2001-en-input-website-220109.pdf
http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=55f63dbb4ec993a25080b4cb3eb14e06&rgn=div5&view=text&node=12:1.0.1.1.28&idno=12
http://www.aicpa.org/download/members/div/auditstd/AU00314.PDF
http://www.aicpa.org/download/members/div/auditstd/AU00318.PDF
http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=91f3f63db5cf1624698533e65e823221&rgn=div5&view=text&node=12:3.0.1.1.10&idno=12#12:3.0.1.1.10.4.8.11.30
http://uscode.house.gov/download/pls/15C2A.txt
http://uscode.house.gov/download/pls/15C2B.txt
http://csrc.nist.gov/publications/nistpubs/800-64Rev2/SP800-64-Revision2.pdf
http://csrc.nist.gov/publications/nistpubs/800-55/sp80055.pdf
http://csrc.nist.gov/publications/nistpubs/800-26/sp80026.pdf
http://www.dataprotection.gov.sk/buxus/docs/act_428.pdf
http://www.frc.org.uk/documents/pagemanager/frc/The%20Smith%20Guidance%20on%20Audit%20Committees%20June%202006.pdf
http://freedominfo.org/documents/South%20Africa%20PAIA.pdf
http://www.scstatehouse.gov/code/t01c011.htm
http://www.scstatehouse.gov/code/t39c001.htm
http://leahy.senate.gov/press/200506/062905a.html
SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
SAS 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained
SEC 12 CFR 229 Availability of Funds and Collection (Check Clearing for the 21st Century)
Securities Act of 1933
Securities Exchange Act of 1934
Security Considerations in the Information System Development Life Cycle, NIST SP 800-64
Security Metrics Guide for Information Technology Systems, NIST SP 800-55
Security Self-Assessment Guide, NIST SP 800-26
Slovak Republic Protection of Personal Data in Information Systems
Smith Guidance on Audit Committees, UK FRC
South Africa Promotion of Access to Information Act
South Carolina Code of Laws 1-11-490 Breach of security of state agency data notification
South Carolina Code of Laws 16-13-512 Credit Card and 39-1-90 Breach of security of business data notification
Specter-Leahy Personal Data Privacy and Security Act
Standards for Safeguarding Customer Information; Final Rule, FTC 16 CFR 314
State of Arizona Standard P800-S880, Revision 2.0: Media Sanitation/Disposal
State Prohibitions on Marketing Practices using Medical Information (CA SB1633)
State Prohibitions on Marketing Practices using Medical Information (TX SB11)
Sweden Personal Data Act (1998:204)
Swedish Code of Corporate Governance; A Proposal by the Code Group
http://www.ftc.gov/os/2002/05/67fr36585.pdf
http://www.azgita.gov/policies_standards/pdf/P800S880%20Media%20San+Disp.pdf
http://info.sen.ca.gov/cgi-bin/postquery?bill_number=sb_1633&sess=0304&house=B&site=sen
http://www.legis.state.tx.us/billlookup/BillSummary.aspx?LegSess=80R&Bill=SB11
http://www.sweden.gov.se/content/1/c6/01/55/42/b451922d.pdf
http://www.sweden.gov.se/download/f8334504.pdf?major=1&minor=26296&cn=attachmentPublDuplicator_0_attachment
http://www.dataprotection.eu/pmwiki/pmwiki.php?n=Main.CH
http://www.cms.hhs.gov/informationsecurity/downloads/SSP_Procedure.pdf
http://www.ics.uci.edu/~kobsa/privacy/Taiwan1.htm
http://www.occ.treas.gov/ftp/bulletin/98-3.txt
http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=bf60e7b87681ffcbf1030185f246d305&rgn=div5&view=text&node=16:1.0.1.3.34&idno=16
http://www.michie.com/tennessee/lpext.dll?f=templates&fn=main-h.htm&cp=tncode
http://tennessee.gov/sos/acts/104/pub/pc0473.pdf
http://www.hro.house.state.tx.us/PDF/ba80r/HB3222.PDF
http://www.statutes.legis.state.tx.us/Docs/BC/pdf/BC.521.pdf
http://www.bakers-legalpages.com/leg2005/bills/sb00122f.htm
http://www.cisecurity.org/benchmarks.html
http://www.cisecurity.org/bench_wireless.html
http://www.cisecurity.org/bench_wireless.html
http://www.cisecurity.org/bench_wireless.html
http://www.cisecurity.org/bench_wireless.html
http://www.cisecurity.org/bench_wireless.html
http://www.naa.gov.au/recordsmanagement/publications/dirks-manual.aspx
http://www.ecgi.org/codes/documents/cg_code_nl_en.pdf
http://www.theiia.org/guidance/standards-andguidance/ippf/practice-guides/gait/gait-m/
http://www.ecgi.org/codes/documents/executive_summary.pdf
http://www.dhs.gov/xlibrary/assets/National_Cyberspace_Strategy.pdf

Switzerland Federal Act on Data Protection
System Security Plan (SSP) Procedure
Taiwan Computer-Processed Personal Data Protection Law 1995
Technology Risk Management Guide for Bank Examiners OCC Bulletin 98-3
Telemarketing Sales Rule (TSR), 16 CFR 310
Tennessee Code Title 47 Chapter 18 Part 21 Identity Theft Deterrence 47-18-2101 thru 47-18-2110
Tennessee Security Breach Notification, TN SB 2220
Texas Business and Commerce Code, secs. 48.102, 48.103
Texas Business and Commercial Code Title 11, Subtitle B, Chapter 521 Subchapter A 521
Texas Identity Theft Enforcement and Protection Act, TX SB 122
The Center for Internet Security Security Benchmark For Multi-Function Devices
The Center for Internet Security Wireless Networking Benchmark version 1.0
The Center for Internet Security Wireless Networking Benchmark, Apple Addendum, version 1.0
The Center for Internet Security Wireless Networking Benchmark, Cisco Addendum, version 1.0
The Center for Internet Security Wireless Networking Benchmark, DLINK Addendum, version 1.0
The Center for Internet Security Wireless Networking Benchmark, Linksys Addendum, version 1.0
The DIRKS Manual: A Strategic Approach to Managing Business Information
The Dutch corporate governance code, Principles of good corporate governance and best practice provisions
The GAIT Methodology
The King Committee on Corporate Governance, Executive Summary of the King Report 2002
The National Strategy to Secure Cyberspace
The Sarbanes-Oxley Act of 2002
Transportation Security Administration (TSA) Security Guidelines for General Aviation Airports, Information Publication A-001, May 2004
Turnbull Guidance on Internal Control, UK FRC
UK Data Protection Act of 1998
Utah Protection of Personal Information Act, Utah Code Title 13-44.
Vermont Statute Title 9 Chapter 62 Protection of Personal Information 2430, 2435, 2440, 2445
Video Privacy Protection Act (VPPA), 18 USC 2710
Virgin Islands Code Title 14 Chapter 110 The Identity Theft Prevention Act 2201 thru 2211
Virginia Code Title 18.2 Chapter 6 Breach of personal information notification 18.2-186.6
Virginia Identity theft; penalty; restitution; victim assistance, VA HB 872
VISA CISP: What to Do If Compromised
Visa Fraud Control and Investigation Procedures
Visa Data Field Encryption
VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business
VISA Incident Response Procedure for Account Compromise
Visa Payment Application Best Practices (PABP)
Washington DC Consumer Personal Information Security Breach Notification Act of 2006
Protection of Personal Information Act Vermont Relating to Identity Theft , VT HB 327 UN Guidelines for the Regulation of Computerized Personal Data Files (1990) Underlying Technical Models for Information Technology Security, SP 800-33 Uniform Electronic Transactions Act (UETA) (1999) Uniform Rules of Evidence Act US Department of Commerce EU Safe Harbor Privacy Principles US Department of Energy Cyber Security Program Media Clearing, Purging, and Destruction Guidance: DOE CIO Guidance CS-11 US Export Administration Regulations Database US The International Traffic in Arms Regulations The Sedona Principles Addressing Electronic Document Production The Standard of Good Practice for Information Security TITLE 49, Subtitle VII - Aviation Programs http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi? dbname=107_cong_bills&docid=f:h3763enr.tst.pdf http://www.thesedonaconference.org/dltForm? did=7_05TSP.pdf https://www.isfsecuritystandard.com/SOGP07/index.htm http://www.tsa.gov/assets/pdf/49_USC_Chapters_401_to_50 1.pdf http://www.tsa.gov/assets/pdf/security_guidelines_for_gener al_aviation_airports.pdf http://www.frc.org.uk/documents/pagemanager/frc/Revised %20Turnbull%20Guidance%20October%202005.pdf http://www.opsi.gov.uk/acts/acts1998/ukpga_19980029_en_ 1 http://www.worldlii.org/int/other/PrivLRes/1990/1.html http://csrc.nist.gov/publications/nistpubs/800-33/sp80033.pdf http://www.law.upenn.edu/bll/ulc/fnact99/1990s/ueta99.htm http://www.law.upenn.edu/bll/ulc/ure/evid1200.htm http://www.export.gov/safeharbor/index.asp http://cio.energy.gov/CS11_Clearing_and_Media_Sanitization_Guidance.pdf http://www.gpo.gov/bis/ear/ear_data.html http://www.pmddtc.state.gov/regulations_laws/itar_official.h tml http://le.utah.gov/~code/TITLE13/13_44.htm http://www.leg.state.vt.us/docs/legdoc.cfm? URL=/docs/2004/acts/ACT155.HTM http://www.leg.state.vt.us/statutes/fullchapter.cfm? 
Title=09&Chapter=062 http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_1 8_00002710----000-.html http://www.michie.com/virginislands/lpext.dll? f=templates&fn=main-h.htm&cp=vicode http://leg1.state.va.us/000/cod/18.2-186.6.HTM http://leg1.state.va.us/cgi-bin/legp504.exe? 041+ful+CHAP0450 http://usa.visa.com/download/merchants/cisp_what_to_do_if _compromised.pdf http://corporate.visa.com/_media/best-practices.pdf http://usa.visa.com/download/merchants/visa_risk_manage ment_guide_ecommerce.pdf http://www.visaasia.com/ap/center/merchants/riskmgmt/includes/uploads/Vi saAP_Inc_Resp_Procedv1_2_2004.pdf http://usa.visa.com/download/merchants/cisp_payment_appl ication_best_practices.doc http://www.dccouncil.washington.dc.us/images/00001/2006 1218135855.pdf
446 447
467
470 471
Washington Notice of a breach of the security, WA SB 6043 West Virginia Code Chapter 46A Article 2A Breach of Security of Consumer Information 46A-2A-101 thru 46A-2A-105 Windows Server 2003 Security Guide
http://www.leg.wa.gov/pub/billinfo/2005-06/Htm/Bills/Senate %20Bills/6043-S.htm http://www.legis.state.wv.us/WVCODE/Code.cfm? chap=46a&art=2A#2A http://www.microsoft.com/downloads/details.aspx? FamilyID=5534bee1-3cad-4bf0-b92ba8e545573a3e&displaylang=en http://www.microsoft.com/downloads/details.aspx? FamilyID=5534bee1-3cad-4bf0-b92ba8e545573a3e&displaylang=en http://www.legis.state.wi.us/2005/data/acts/05act138.pdf www.legis.state.wi.us/statutes/Stat0134.pdf http://legisweb.state.wy.us/statutes/statutes.aspx? file=titles/Title40/Title40.htm
472 Windows Server 2008 Security Guide 473 474 475 476 Wisconsin Act 138 Notice of unauthorized acquisition of personal information Wisconsin Statute Chapter 134 Notice of unauthorized acquisition of personal information 134.98 Wyoming Statute Title 40 Article 5 Breach of the security of the data system 40-12-501 thru 40-12-509