
IT GRC Process Management Pack SP1 Release Notes

Contents
1. Brief Description of the IT GRC Process Management Pack
2. Getting Started
3. Contents of IT GRC Process Management Pack Download Files
4. Known Issues
5. Feedback
6. Disclaimer
7. Copyright and License Agreement
8. Supported Authority Documents

1. Brief Description of the IT GRC Process Management Pack


The IT GRC Process Management Pack SP1 is a Process Management Pack for Microsoft System Center Service Manager 2010 SP1 that helps provide end-to-end compliance management and automation. The included IT Compliance Management Library contains compliance information that can take advantage of System Center Service Manager's integration with System Center Configuration Manager to monitor, validate, and report on the compliance state of deployed Microsoft products. Together, these solutions help customers understand and bind complex business objectives to their Microsoft infrastructure.

2. Getting Started
See the IT GRC Process Management Pack Getting Started Guide.

3. Contents of IT GRC Process Management Pack Download Files


The following files are available for download on Microsoft Download Center:

- ITGRCProcessManagementPack_amd64SP1.exe. This file includes the IT GRC Process Management Pack for 64-bit server installation and 64-bit clients. You will install the IT GRC Process Management Pack on System Center Service Manager 2010 SP1. For more information about doing so, please refer to the IT GRC Process Management Pack Deployment Guide, available in the ITGRCProcessManagementPack_DocumentationSP1.exe file described below.
- ITGRCProcessManagementPack_x86SP1.exe. This file includes the IT GRC Process Management Pack for 32-bit clients. For more information about installing it, please refer to the IT GRC Process Management Pack Deployment Guide, available in the ITGRCProcessManagementPack_DocumentationSP1.exe file described below.

- ITGRCProcessManagementPack_DocumentationSP1.exe. This file contains the SP1 documentation for the IT GRC Process Management Pack. It includes the following files:
  o IT GRC Process Management Pack Getting Started Guide.docx
  o IT GRC Process Management Pack Deployment Guide.docx
  o IT GRC Process Management Pack Developers Guide.docx
  o IT GRC Process Management Pack Operations Guide.docx
  o IT GRC Process Management Pack SP1 Release Notes.rtf

- ITGRCProcessManagementPack_AuthoringLibrariesSP1.exe. This file includes the authoring library files that are necessary to customize or extend the IT GRC Process Management Pack. For more information on installing these files and customizing or extending the IT GRC Process Management Pack, see the IT GRC Process Management Pack Developers Guide, available in the ITGRCProcessManagementPack_DocumentationSP1.exe file described earlier in this document.
- TestIdSyncTool.exe. This file includes the IT GRC Test ID Sync Tool and the Getting Started Guide for the tool.

4. Known Issues
The following are known functional issues for this release:
- Modifying the compliance applicability groups provided in IT Compliance Management Libraries using the Service Manager Console causes the Service Manager console to abnormally terminate or become unresponsive. (9/30/10)
- Modifying a program's General and Framework tabs at the same time may result in a data conflict error message. To resolve this issue, modify each tab separately and apply the changes separately. (9/30/10)
- After modifying an existing security role property, such as description, a user who is assigned that security role may not be able to select authorized configuration item types such as Computer, Software Items, and Business Services that were previously available. (9/30/10)
- The IT GRC Connector may not complete processing, or may hang. To resolve this issue, delete the connector instance and recreate it. (9/30/10)
- The Visual Studio Tools for Office (VSTO) version 3.0 (used by Microsoft Excel in the IT GRC Process Management Pack Client Add-in) does not support 64-bit versions of Microsoft Office System 2010. However, 32-bit versions of Microsoft Office System 2007 and 2010 are supported.
- When a Program Implementer tries to add scope to a program, they may see the following error: "An item with the same key has already been added." The message is misleading because the underlying cause is a security restriction: the PI role cannot add scope to a program.
- The SP1 version of the IT GRC Excel Client can only be used to connect to an SP1 server. The 1.0 version of the Excel Client Add-in can connect to both a v1.0 server and an SP1 server.
- If an unshared risk is created and added into a program, the risk will only be visible to the risk's owner and not to the Program Manager. If the risk is added to a category in the program framework, then the risk will be visible to the Program Manager.
- Although it is possible to customize both the Risk Management form and the Control Objective form using the Authoring Tool, the customizations will not display. All other forms should work properly after customization.
- Row deletions in Excel are not allowed.

The following are known performance issues for this release:
- Importing a large number of control objectives and control activities into a program using the Control Import Wizard can take a considerable amount of time. (9/30/10)
- Refreshing or publishing a program in the IT GRC Process Management Pack Client Add-in that is used in Microsoft Excel can take a considerable amount of time if the program contains a large number of control objectives, control activities, or risks. (9/30/10)
- Expanding information on the Framework tab of a program can take a considerable amount of time if the program contains a large number of control objectives, control activities, or risks. (9/30/10)

5. Feedback

Send suggestions and comments about this document to secwish@microsoft.com.

6. Disclaimer
IMPORTANT NOTICE: The Microsoft IT GRC Process Management Pack Service Pack 1 for System Center Service Manager (the software) is intended to help organizations simplify and automate IT compliance and risk management processes. The software is designed to facilitate compliance activities conducted by your organization's IT professionals, auditors, accountants, attorneys and other compliance professionals. The software does not replace those professionals. The software ships with some control objectives and authority document citations, but these control objectives and citations do not verify or guarantee fulfillment of your organization's compliance obligations. It is the responsibility of your organization to choose the control objectives and authority document citations to use, modify, add or remove based on guidance from your organization's compliance professionals. Reports and any other information provided by or generated from the software do not constitute auditing, accounting, legal or other professional advice. You must consult compliance professionals to confirm compliance with specific governance, risk and compliance (GRC) authority documents.

7. Copyright and License Agreement


This document is provided "as-is". Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. You may modify this document for your internal, reference purposes. © 2011 Microsoft Corporation. All rights reserved. Microsoft and Excel are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

8. Supported Authority Documents

TITLE
16 CFR Part 682 Disposal of consumer report information and records
49 CFR Part 1542 - Airport Security
1724 California Civil Code
AICPA SAS No. 94, The Effect of Information Technology on the Auditor's Consideration of Internal Controls
AICPA Suitable Trust Services Principles and Criteria
AICPA/CICA Privacy Framework
Alaska Personal Information Protection Act, Chapter 48
Amendments to the FTC Telemarketing Sales Rule, 16 CFR Part 310
American Express Data Security Standard (DSS)
6 CFR Ch. I 27.230 Risk-based performance standards
A Risk Management Standard, jointly issued by AIRMIC, ALARM, and IRM
ACH (Automated Clearing House) Operating Rules OCC Bulletin 2004-58
AICPA Incident Response Plan: Template for Breach of Personal Information
Appendix III to OMB Circular No. A-130: Security of Federal Automated Information Resources
Argentina Personal Data Protection Act

URL LINK
http://www.leginfo.ca.gov/pub/07-08/bill/asm/ab_07510800/ab_779_bill_20070410_amended_asm_v98.pdf
http://www.access.gpo.gov/nara/cfr/waisidx_05/16cfr682_05.html
http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=4f4fe996be869c46e7a2469576734601&rgn=div5&view=text&node=49:9.1.3.5.10&idno=49
http://edocket.access.gpo.gov/cfr_2009/janqtr/pdf/6cfr27.230.pdf
http://www.theirm.org/publications/documents/Risk_Management_Standard_030820.pdf
http://www.occ.treas.gov/ftp/bulletin/2004-58.txt
http://www.cica.ca/multimedia/Download_Library/Research_Guidance/Privacy/English/Incident_Response_Plan_May_2005.pdf
http://www.aicpa.org/pubs/cpaltr/jun2001/auditing.htm
http://www.aicpa.org/download/trust_services/final-TrustServices.pdf
http://ftp.aicpa.org/CSC/infotech/Privacy/3A_01a.pdf
http://www.legis.state.ak.us/PDF/25/Bills/HB0065Z.PDF
http://www.ftc.gov/bcp/rulemaking/tsr/
https://www209.americanexpress.com/merchant/singlevoice/dsw/FrontServlet?request_type=dsw&pg_nm=merchinfo&ln=en&frm=US
http://www.whitehouse.gov/omb/circulars/a130/a130appendix_iii.html
http://www.privacyinternational.org/article.shtml?cmd%5B347%5D=x-347-61939

TITLE
Arizona Amendment to Arizona Revised Statutes 13-2001, AZ HB 2116
Arizona State Law 44-7501. Notification of breach of security system
Arkansas Code Title 4 Business and Commercial Law Subtitle 7 Consumer Protection, Chapter 110 Personal Information, 4-110-103 thru 4-110-105, Personal Information Protection Act
Arkansas Personal Information Protection Act AR SB 1167
Army Regulation 380-19: Information Systems Security
AS4360 Australian National Standard on Risk Management
Australia Better Practice Guide - Business Continuity Management
Australia Privacy Act 1988
Australia Spam Act
Australia Spam Act 2003: A practical guide for business
Australia Telecommunications Act 1997
Australian Government ICT Security Manual (ACSI 33)
Austria Data Protection Act
Austria Telecommunications Act
Aviation and Transportation Security Act, Public Law 107 Released-71, November 2001
Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act)
Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework
BBBOnline Code of Online Business Practices
Belgian Law of 8 December 1992 on the protection of privacy in relation to the processing of persona
BIS Sound Practices for the Management and Supervision of Operational Risk
BITS Financial Services Roundtable Standardized Information Gathering Questionnaire
Bosnia Law on Protection of Personal Data
BS25999, Guide to Business Continuity Management
Business Continuity Institute (BCI) Good Practice Guidelines
CA Civil Code 1798.84
CA Government Code Chapter 13 Miscellaneous Powers 26200-26230
Cable Communications Privacy Act Title 47 551

URL LINK
http://www.azleg.state.az.us/FormatDocument.asp?inDoc=/legtext/46leg/2r/laws/0109.htm
http://www.azleg.state.az.us/FormatDocument.asp?inDoc=/ars/44/07501.htm&Title=44&DocType=ARS
http://www.arkleg.state.ar.us/SearchCenter/Pages/ArkansasCodeSearchResultPage.aspx?name=4-110-103.Definitions.
ftp://www.arkleg.state.ar.us/acts/2005/public/Act1526.pdf
http://www.fas.org/irp/doddir/army/r380_19.pdf
http://www.riskmanagement.com.au/
http://www.anao.gov.au/uploads/documents/Business_Continuity_Management.pdf
http://www.comlaw.gov.au/ComLaw/Legislation/ActCompilation1.nsf/framelodgmentattachments/782CE59D0E879E1ACA2571FE001D50E6
http://www.austlii.edu.au/au/legis/cth/consol_act/sa200366/
http://www.acma.gov.au/acmainterwr/consumer_info/frequently_asked_questions/spam_business_practical_guide.pdf
http://www.comlaw.gov.au/ComLaw/Legislation/ActCompilation1.nsf/framelodgmentattachments/40762BCB845F1313CA2570F2007B810C
http://www.dsd.gov.au/_lib/pdf_doc/acsi33/acsi33_changes_u.rtf
http://www.dsk.gv.at/site/6230/default.aspx
http://www.rtr.at/en/tk/TKG2003/TKG_2003_eng.pdf
http://www.tsa.gov/assets/pdf/Aviation_and_Transportation_Security_Act_ATSA_Public_Law_107_1771.pdf
http://www.occ.treas.gov/handbook/bsa.pdf
http://www.bis.org/publ/bcbs128.pdf
http://www.bbbonline.org/reliability/code/CodeEnglish.doc
http://www.privacycommission.be/en/static/pdf/wetgeving/privacywet-en-input-website-220109.pdf
http://www.bis.org/publ/bcbs96.pdf
http://www.sharedassessments.org/download/files.html
http://www.privacyinternational.org/countries/bosnia/bosniadpa.html
http://www.thebci.org/pas56.htm
http://www.thebci.org/goodpracticeguidetoBCM.pdf
http://www.leginfo.ca.gov/cgi-bin/displaycode?section=civ&group=01001-02000&file=1798.801798.84
http://www.leginfo.ca.gov/cgi-bin/displaycode?section=gov&group=26001-27000&file=2620026230
http://www4.law.cornell.edu/uscode/html/uscode47/usc_sec_47_00000551----000-.html

TITLE
California Civil Code 1798.91 State Prohibitions on Marketing Practices using Medical Information
California Civil Code Title 1.8 Personal Data Chapter 1 Information Practices Act of 1977 Article 7. Accounting of Disclosures 1798.251798.29
California Civil Code Title 1.81 Customer Records 1798.80-1798.84
California Financial Information Privacy Act: Senate Bill 1 (Speier & Burton)
California General Security Standard for Businesses CA AB 1950
California Information Practice Act, CA SB 1386
California OPP Recommended Practices on Notification of Security Breach
California Personal Information: Disclosure to Direct Marketers Act (SB 27)
California Public Records Military Veteran Discharge Documents, California Assembly Bill 1798
California Public Records Military Veteran Discharge Documents, California Assembly Bill 1798
California Senate Bill 20 (2009, Simitian), An act to amend Sections 1798.29 and 1798.82 of the Civil Code, relating to personal information
Canada Keeping the Promise for a Strong Economy Act, Bill 198
Canada Personal Information Protection Electronic Documents Act (PIPEDA)
Canada Privacy Act
Canadian Marketing Association Code of Ethics and Standards of Practice
Center for Internet Security Mac OS X Tiger Level I Security Benchmark
Center for Internet Security Open Enterprise Server: NetWare (v1) Consensus Baseline Security Settings
Central Bank of Argentina A4609
Central Bank of Brazil 3380
CERT Operationally Critical Threat, Asset & Vulnerability Evaluation (OCTAVE)
Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security, 6 CFR Part 27
Children's Online Privacy Protection Act (COPPA), 16 CFR 312
Children's Online Privacy Protection Act of 1998
CI Security AIX Benchmark v1.0
CI Security FreeBSD Benchmark v1.0
CI Security HP-UX Benchmark v1.3
CI Security Persistent Identifiers
CI Security Red Hat Enterprise Linux Benchmark v1.0
CI Security Red Hat Enterprise Linux Benchmark v1.0.5

URL LINK
http://www.leginfo.ca.gov/cgi-bin/displaycode?section=civ&group=01001-02000&file=1798.91
http://www.leginfo.ca.gov/cgi-bin/displaycode?section=civ&group=01001-02000&file=1798.251798.29
http://www.leginfo.ca.gov/cgi-bin/displaycode?section=civ&group=01001-02000&file=1798.801798.84
http://www.privacyrights.org/ar/SB1Info.htm
http://info.sen.ca.gov/pub/03-04/bill/asm/ab_19011950/ab_1950_bill_20040929_chaptered.pdf
http://info.sen.ca.gov/pub/01-02/bill/sen/sb_13511400/sb_1386_bill_20020926_chaptered.html
http://www.oispp.ca.gov/consumer_privacy/pdf/secbreach.pdf
http://info.sen.ca.gov/cgi-bin/postquery?bill_number=sb_27&sess=0304&house=B&site=sen
http://info.sen.ca.gov/pub/01-02/bill/asm/ab_17511800/ab_1798_bill_20020424_amended_asm.pdf
http://info.sen.ca.gov/pub/01-02/bill/asm/ab_17511800/ab_1798_bill_20020626_amended_sen.pdf
http://info.sen.ca.gov/pub/09-10/bill/sen/sb_00010050/sb_20_bill_20090908_enrolled.html
http://www.ontla.on.ca/web/bills/bills_detail.do?locale=en&BillID=1067&isCurrent=false&ParlSessionID=37%3A3
http://laws.justice.gc.ca/en/ShowTdm/cs/P-8.6///en
http://laws.justice.gc.ca/en/ShowTdm/cs/p-21///en
http://www.the-cma.org/?WCE=C=47%7CK=225849
http://www.cisecurity.org/bench_macosx.html
http://www.cisecurity.org/bench_novell.html
http://www.cert.org/octave/
http://www.dhs.gov/xprevprot/laws/gc_1166796969417.shtm
http://www.gpo.gov/nara/cfr/waisidx_03/16cfr312_03.html
http://www.ftc.gov/ogc/coppa1.htm
http://www.cisecurity.org/bench_aix.html
http://www.cisecurity.org/bench_freebsd.html
http://www.cisecurity.org/bench_hpux.html
http://www.cisecurity.org/bench_linux.html
http://www.cisecurity.org/bench_linux.html

TITLE
CI Security Slackware Linux Benchmark v1.1
CI Security Solaris 10 Benchmark
CI Security Solaris Benchmark v1.3
CI Security SuSE Linux Enterprise Server Benchmark v1.0
CI Security Windows 2000
CI Security Windows 2000 Professional
CI Security Windows 2000 Server
CI Security Windows NT
CI Security Windows Server 2003 Domain Controllers
CI Security Windows Server 2003 Member Servers
CI Security Windows XP Professional SP1/SP2
CIS iPhone 2.2.1 Benchmark
CISWG Information Security Program Elements
CobiT 4.1
Colorado Consumer Credit Solicitation Protection, CO HB 04-1274
Colorado Disposal of Personal Identifying Documents C.R.S. 6-1-713
Colorado Prohibiting Inclusion of Social Security Number, CO HB 04-1311
Colorado Prohibition against Using Identity Information for Unlawful Purpose, CO HB 041134
Colorado Revised Statutes 6-1-716, Notice of Security Breach
Colorado Revised Statutes Title 16 Article 5 Section 103 Identity theft victims - definitions
Common Configuration Enumeration: Unique Identifiers for Common System Configuration Issues
Common Configuration Enumeration: Unique Identifiers for Common System Configuration Issues
Computer Fraud and Abuse Act
Code of Alabama, Article 10 The Consumer Identity Protection Act, 13A-8-190 thru 13A8-201
CODE OF CORPORATE GOVERNANCE 2005
CMS Information Security Acceptable Risk Safeguards (ARS)
CMS Information Security Risk Assessment _IS RA_ Procedure
CobiT
Clinger-Cohen Act (Information Technology Management Reform Act)
CMS Business Partners Systems Security Manual
CMS Core Security Requirements (CSR)

URL LINK
http://www.cisecurity.org/bench_linux.html
http://www.cisecurity.org/bench_solaris.html
http://www.cisecurity.org/bench_solaris.html
http://www.cisecurity.org/bench_linux.html
http://www.cisecurity.org/bench_windows.html
http://www.cisecurity.org/bench_windows.html
http://www.cisecurity.org/bench_windows.html
http://www.cisecurity.org/bench_windows.html
http://www.cisecurity.org/bench_windows.html
http://www.cisecurity.org/bench_windows.html
http://www.cisecurity.org/bench_windows.html
https://community.cisecurity.org/download/?redir=/iphone/CIS_iPhone_2.2.1_Benchmark_v1.0.0.pdf
http://www.cisecurity.org/Documents/BPMetricsTeamReportFinal111704Rev11005.pdf
http://www.cio.gov/Documents/it_management_reform_act_Feb_1996.html
http://www.cms.hhs.gov/manuals/downloads/117_systems_security.pdf
http://wedi.org/cmsUploads/pdfUpload/WEDIBulletin/pub/Copy_of_CSR_HIPAAMatrixFeb05final.pdf
http://www.cms.hhs.gov/InformationSecurity/Downloads/ars.pdf
http://www.cms.hhs.gov/informationsecurity/downloads/IS_RA_Procedure.pdf
http://www.isaca.org/Content/NavigationMenu/Members_and_Leaders/COBIT6/Obtain_COBIT/Obtain_COBIT.htm
http://www.isaca.org/Content/NavigationMenu/Members_and_Leaders/COBIT6/Obtain_COBIT/Obtain_COBIT.htm
http://alisondb.legislature.state.al.us/acas/CodeOfAlabama/1975/147638.htm
http://www.ecgi.org/codes/documents/singapore_ccg_2005.pdf
http://www.state.co.us/gov_dir/leg_dir/olls/sl2004a/sl_205.htm
http://www.michie.com/colorado/lpext.dll/cocode/2/98ff/9921/9923/9cc7/9dbf?f=templates&fn=documentframe.htm&2.0#JD_6-1-713
http://www.state.co.us/gov_dir/leg_dir/olls/sl2004a/sl_393.htm
http://www.state.co.us/gov_dir/leg_dir/olls/sl2004a/sl_365.htm
http://www.michie.com/colorado/lpext.dll?f=templates&fn=main-h.htm&cp=
http://www.michie.com/colorado/lpext.dll/cocode/2/29af3/29b24/2a406/2a420/2a43e?f=templates&fn=documentframe.htm&2.0#JD_16-5-103
http://cce.mitre.org/lists/data/downloads/cce-COMBINED5.20090506.xls
http://cce.mitre.org/lists/cce_list.html
http://www.law.cornell.edu/uscode/18/1030.html

TITLE
Computer Security Incident Handling Guide, NIST SP 800-61
Connecticut law Concerning Nondisclosure of Private Tenant Information, CT HB 5184
Connecticut law Requiring Consumer Credit Bureaus to Offer Security Freezes, CT SB 650
Connecticut Public Act 08-167, An Act Concerning the Confidentiality of Social Security Numbers
Connecticut State Law Sec. 36a-701b. Breach of security re computerized data containing personal information. Disclosure of breach. Delay for criminal investigation. Means of notice. Unfair trade prac
Consumer Interests in the Telecommunications Market, Act No. 661
Contingency Planning Guide for Information Technology Systems, NIST SP 800-34
Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003
Controls and Procedures, SEC 17 CFR 240.15d15
Corporate Governance in listed Companies Clause 49 of the Listing Agreement
Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Ref
Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004
COSO Enterprise Risk Management (ERM) Integrated Framework (2004)

URL LINK
http://csrc.nist.gov/publications/nistpubs/800-61rev1/SP800-61rev1.pdf
http://www.cga.ct.gov/2004/act/Pa/2004PA-00119-R00HB05184-PA.htm
http://www.cga.ct.gov/2005/act/Pa/2005PA-00148-R00SB00650-PA.htm
http://www.cga.ct.gov/2008/ACT/Pa/pdf/2008PA-00167R00HB-05658-PA.pdf
http://www.cga.ct.gov/2009/pub/chap669.htm#Sec36a701b.htm
http://en.itst.dk/numbering-issues-and-domainaspects/legal-matters
http://csrc.nist.gov/publications/nistpubs/800-34/sp80034.pdf
http://www.spamlaws.com/f/pdf/pl108-187.pdf
http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr;sid=c446d97494e9cd1d9bd0f1c628456f00;rgn=div8;view=text;node=17%3A3.0.1.1.1.2.87.310;idno=17;cc=ecfr
http://www.bseindia.com/downloads/CorpGov281004.zip
http://net.educause.edu/ir/library/pdf/CSD3661.pdf

TITLE
Creating a Patch and Vulnerability Management Program, NIST SP 800-40
C-TPAT Supply Chain Security Best Practices Catalog
Customs-Trade Partnership Against Terrorism (CTPAT) Importer Security Criteria
Czech Republic Personal Data Protection Act
Defense Industrial Base Information Assurance Standard
Defense Information Systems Agency UNISYS Security Technical Implementation Guide Version 7 Release 2
Defense Information Systems Agency UNIX Security Technical Implementation Guide Version 5 Release 1
Delaware Code TITLE 6 Commerce and Trade, Subtitle II Other Laws Relating to Commerce and Trade, Chapter 12B. Computer Security Breaches, 12B-101 thru 104
Denmark Act on Competitive Conditions and Consumer Interests
Denmark, The Act on Processing of Personal Data
Design Criteria Standard for Electronic Records Management Software Application, DOD 5015.2
Direct Marketing Association Privacy Promise

URL LINK
http://www.comlaw.gov.au/comlaw/management.nsf/lookupindexpagesbyid/IP200402596?OpenDocument
https://www.cpa2biz.com/CS2000/Products/CPA2BIZ/Publications/COSO+Enterprise+Risk+Management++Integrated+Framework.htm
http://csrc.nist.gov/publications/nistpubs/800-40Ver2/SP800-40v2.pdf
http://www.pac-am.com/docs/CTPATBestPractices.pdf
http://www.cbp.gov/xp/cgov/trade/cargo_security/ctpat/security_criteria/criteria_importers/ctpat_importer_criteria.xml
http://ec.europa.eu/justice_home/fsj/privacy/docs/implementation/czech_republic_act_101_en.pdf
http://www.dhs.gov/xlibrary/assets/DIB_SSP_5_21_07.pdf
http://iase.disa.mil/stigs/stig/UNISYS-STIG-V7R2.doc
http://iase.disa.mil/stigs/stig/unix-stig-v5r1.pdf
http://delcode.delaware.gov/title6/c012b/index.shtml
http://en.vtu.dk/acts/act-on-competitive-conditions-andconsumer-interest-in-the-telecommunications-market-a7114
http://www.datatilsynet.dk/english/the-act-on-processing-ofpersonal-data/
http://jitc.fhu.disa.mil/recmgt/p50152s2.pdf
http://www.the-dma.org/privacy/index.shtml

TITLE
Directive 2003/4/EC Of The European Parliament
DISA Windows XP Security Checklist
DISA Windows XP Security Checklist Version 6 Release
DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2
DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2
DISA WIRELESS STIG BLACKBERRY SECURITY CHECKLIST, Version 5, Release 2.4
DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, V5R2.3
DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5, Release 2.4
Disaster / Emergency Management and Business Continuity, NFPA 1600
District of Columbia Official Code, Division V Local Business Affairs, Title 28. Commercial Instruments and Transactions, Chapter 38. Consumer Protections, Subchapter II. Consumer Security Breach Noti
DOT Physical Security Survey Checklist
Driver's Privacy Protection Act (DPPA), 18 USC 2721
EFT (Electronic Fund Transfer) Act (Reg. E) SEC 12 CFR 205
Equal Credit Opportunity Act (Reg. B)
Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST Special Publication 800-97
EU 8th Directive (European SOX)
EU Directive on Data Protection, 95/46/EC
EU Directive on Privacy and Electronic Communications, 2002/58/EC
Fair and Accurate Credit Transactions Act of 2003 (FACT Act)
Fair Credit Reporting Act (FCRA)
Family Education Rights Privacy Act (FERPA), 20 USC 1232
FDA Electronic Records; Electronic Signatures FDA 21 CFR Part 11+D1
FDCC SCAP OVAL Patches - IE7
DISA Secure Remote Computing Security Technical Implementation Guide version 1.2
DISA Windows Server 2003 Security Checklist Version 6 Release 1.11
DISA Windows VISTA Security Checklist

URL LINK
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2003:041:0026:0032:EN:PDF
http://iase.disa.mil/stigs/stig/src-stig-v1r2.pdf
http://iase.disa.mil/stigs/stig/win2k-XP-03-vistaaddendumv6r1-052107.doc
http://iase.disa.mil/stigs/stig/win2k-XP-03-vistaaddendumv6r1-052107.doc
http://iase.disa.mil/stigs/checklist/windows_xp_checklist_v6r1-11_20090424.zip
http://iase.disa.mil/stigs/checklist/unclassified_windows_xp_checklist_v6r1.14_20091023.zip
http://iase.disa.mil/stigs/stig/wireless_stig_v5r2.pdf
http://iase.disa.mil/stigs/checklist/wireless_stig_apriva_sensa_checklist_v5r2-2_final_14apr2009.pdf
http://iase.disa.mil/stigs/checklist/wireless_stig_blackberry_checklist_v5r2.4_14apr2009.zip
http://iase.disa.mil/stigs/checklist/wireless_stig_good_mobile_messaging_checklist_v5r2-3_final_14apr2009.pdf
http://iase.disa.mil/stigs/checklist/wireless_stig_windows_mobile_messaging_checklist_v5r2-4_final_14apr2009.pdf
http://www.nfpa.org/assets/files/pdf/nfpa1600.pdf
http://www.dccouncil.washington.dc.us/images/00001/20061218135855.pdf
http://transitsafety.volpe.dot.gov/training/Archived/EPSSeminarReg/CD/Documents/OHIO_DOT/physicalsecurity.doc
http://www4.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00002721----000-.html
http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=635f26c4af3e2fe4327fd25ef4cb5638&tpl=/ecfrbrowse/Title12/12cfr205_main_02.tpl
http://www.fdic.gov/regulations/laws/rules/6500-2900.html
http://csrc.nist.gov/publications/nistpubs/800-97/SP80097.pdf
http://www.8th-company-lawdirective.com/8thCompanyLaw.htm
http://www.cdt.org/privacy/eudirective/EU_Directive_.html
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:EN:HTML
http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=108_cong_public_laws&docid=f:publ159.108
http://www.ftc.gov/os/statutes/031224fcra.pdf
http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr;sid=432bbda77876ee638be366c1091527ec;rgn=div5;view=text;node=34%3A1.1.1.1.34;idno=34;cc=ecfr
http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=a486dc03a379dd084f837db8a3150cf2&rgn=div5&view=text&node=21:1.0.1.1.7&idno=21
http://nvd.nist.gov/chklst_detail.cfm?config_id=171

TITLE
Federal Information Security Management Act of 2002 (FISMA)
Federal Information System Controls Audit Manual (FISCAM)
Federal Rules of Civil Procedure (2007)
FERC Security Program for Hydropower Projects
FFIEC Guidance on Authentication in an Internet Banking Environment
FFIEC IT Examination Handbook Audit
FFIEC IT Examination Handbook Business Continuity Planning
FFIEC IT Examination Handbook Development and Acquisition
FFIEC IT Examination Handbook E-Banking
FFIEC IT Examination Handbook Information Security
FFIEC IT Examination Handbook Management
FFIEC IT Examination Handbook Operations
FFIEC IT Examination Handbook Outsourcing Technology Services
FFIEC IT Examination Handbook Retail Payment Systems
FFIEC IT Examination Handbook Supervision of Technology Service Providers
FFIEC IT Examination Handbook Wholesale Payment Systems
Financial Reporting Council, Combined Code on Corporate Governance
Finland act on the amendment of the Personal Data Act (986/2000)
Finland Act on the Protection of Privacy in Electronic Communications
Finland Personal Data Protection Act (523/1999)
FIPS 140-2, Security Requirements for Cryptographic Modules
FIPS 191, Guideline for the Analysis of Local Area Network (LAN) Security
FIPS 199, Standards for Security Categorization of Federal Information and Information Systems
FIPS 200, Minimum Security Requirements for Federal Information and Information Systems
Florida Personal Identification Information/Unlawful Use, FL HB 481
Florida Statute 817.5681 Breach of security concerning confidential personal information in third-party possession
France Data Processing, Data Files and Individual Liberties
FTC Electronic Signatures in Global and National Commerce Act (ESIGN)
FTC FACT Act Red Flags Rule Template
GAO/PCIE Financial Audit Manual (FAM)
General Laws of Massachusetts, Part I, Title XV Chapter 93H, Security Breaches

URL LINK
http://csrc.nist.gov/drivers/documents/FISMA-final.pdf
http://www.gao.gov/new.items/d09232g.pdf
http://www.law.cornell.edu/rules/frcp/
http://www.ferc.gov/industries/hydropower/safety/guidelines/security/securitytext.pdf
http://www.ffiec.gov/pdf/authentication_guidance.pdf
http://www.ffiec.gov/ffiecinfobase/booklets/audit/audit.pdf
http://www.ffiec.gov/ffiecinfobase/booklets/bcp/bus_continuity_plan.pdf
http://www.ffiec.gov/ffiecinfobase/booklets/d_a/d_and_a.pdf
http://www.ffiec.gov/ffiecinfobase/booklets/e_banking/e_banking.pdf
http://www.ffiec.gov/ffiecinfobase/booklets/information_security/information_security.pdf
http://www.ffiec.gov/ffiecinfobase/booklets/mang/mang.pdf
http://www.ffiec.gov/ffiecinfobase/booklets/operations/operation.pdf
http://www.ffiec.gov/ffiecinfobase/booklets/outsourcing/Outsourcing_Booklet.pdf
http://www.ffiec.gov/ffiecinfobase/booklets/Retail/retail.pdf
http://www.ffiec.gov/ffiecinfobase/booklets/tsp/tech_ser_provider.pdf
http://www.ffiec.gov/ffiecinfobase/booklets/Wholesale/whole.pdf
http://www.frc.org.uk/documents/pagemanager/frc/Combined_Code_June_2008/Combined%20Code%20Web%20Optimized%20June%202008(2).pdf
http://www.tietosuoja.fi/uploads/p9qzq7zr3xxmm9j.rtf
http://www.finlex.fi/en/laki/kaannokset/2004/en20040516.pdf
http://www.tietosuoja.fi/uploads/hopxtvf.HTM
http://csrc.nist.gov/publications/fips/fips140-2/Fips140-2.zip
http://csrc.nist.gov/publications/fips/fips191/fips191.pdf
http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199final.pdf
http://csrc.nist.gov/publications/fips/fips200/FIPS-200-finalmarch.pdf
http://www.myfloridahouse.gov/Sections/Bills/billsdetail.aspx?BillId=15974
http://www.leg.state.fl.us/statutes/index.cfm?mode=View%20Statutes&SubMenu=1&App_mode=Display_Statute&Search_String=breach+of+security&URL=CH0817/Sec5681.HTM
http://www.cnil.fr/fileadmin/documents/en/Act78-17VA.pdf
http://www.ftc.gov/os/2001/06/esign7.htm
http://www.finra.org/Industry/Issues/CustomerInformationProtection/p118480
http://www.gao.gov/special.pubs/gaopcie/
http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm

TITLE
Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14
Georgia Code Title 10 Chapter 1 Article 34 101-911 thru 10-1-915 Notification required upon breach of security regarding personal information
Georgia Public employees; Fraud, Waste, and Abuse, GA HB 656
German Corporate Governance Code ("The Code")
German Federal Data Protection Act
Gramm-Leach-Bliley Act (GLB)
Greece Law Protection of personal data and privacy in electronic telecommunications sector (Law 3471)
Guidance for Protecting Building Environments from Airborne Chemical, Biological, or Radiological Attacks, NIOSH, May 2002, DHHS (NIOSH) Publication No. 2002-139
Guidance for Securing Microsoft Windows XP Systems for IT Professionals, NIST SP 800-68
Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A
Guide for Developing Performance Metrics for Information Security, NIST SP 800-80
Guide for Developing Security Plans for Federal Information Systems, NIST SP 800-18
Guide for Mapping Types of Information and Information Systems to Security Categories, NIST SP 800-60
Guide to Bluetooth Security, NIST Special Publication 800-121
Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), NIST SP 800-122
Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48 Revision 1
Guidelines for Media Sanitization, NIST Special Publication 800-88
Guidelines on Cell Phone and PDA Security, NIST Special Publication 800-124
Guidelines on Firewalls and Firewall Policy, NIST SP 800-41
Hawaii Exempting disclosure of Social Security numbers HI HB 2674
Hawaii Revised Statute 487N. Security Breach of Personal Information
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
HIPAA HCFA Internet Security Policy
HMG Security Policy Framework

http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf http://www.legis.state.ga.us/legis/2005_06/fulltext/sb230.ht m http://www.legis.state.ga.us/legis/2005_06/fulltext/hb656.ht m http://www.corporate-governancecode.de/eng/download/E_Kodex%202008_final.pdf http://www.bdd.de/Download/bdsg_eng.pdf http://www.ftc.gov/privacy/glbact/glbsub1.htm http://www.dpa.gr/pls/portal/docs/PAGE/APDPX/ENGLISH_IND EX/LEGAL%20FRAMEWORK/LAW%203471-2006-EN.PDF http://www.cdc.gov/niosh/docs/2002-139/pdfs/2002-139.pdf

192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208

http://csrc.nist.gov/itsec/SP800-68r1.pdf http://csrc.nist.gov/publications/nistpubs/800-53A/SP80053A-final-sz.pdf http://csrc.nist.gov/publications/drafts.html#sp800-80 http://csrc.nist.gov/publications/nistpubs/800-18Rev1/sp800-18-Rev1-final.pdf http://csrc.nist.gov/publications/nistpubs/800-60rev1/SP800-60_Vol2-Rev1.pdf http://csrc.nist.gov/publications/nistpubs/800-121/SP800121.pdf http://csrc.nist.gov/publications/drafts/800-122/Draft-SP800122.pdf http://csrc.nist.gov/publications/nistpubs/800-48rev1/SP800-48r1.pdf http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP80088_rev1.pdf http://csrc.nist.gov/publications/nistpubs/800-124/SP800124.pdf http://csrc.nist.gov/publications/nistpubs/800-41/sp80041.pdf http://www.capitol.hawaii.gov/session2004/bills/hb2674_cd1 _.htm http://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch04760490/HRS0487N/ http://www.cms.hhs.gov/HIPAAGenInfo/Downloads/HIPAALaw .pdf http://csrc.nist.gov/groups/SMA/fasp/documents/policy_proc edure/internet_policy.pdf http://www.cabinetoffice.gov.uk/media/207318/hmg_securit y_policy.pdf http://www.pco.org.hk/textonly/english/ordinance/section_01 .html http://abiweb.obh.hu/dpc/index.php? menu=gyoker/relevant/national/1992_LXIII http://www.personuvernd.is/information-inenglish/greinar//nr/438 http://www3.state.id.us/idstat/TOC/28051KTOC.html

Hong Kong Personal Data (Privacy) Ordinance 209 210 211 212 Hungary Protection of Personal Data and Disclosure of Data of Public Interest Iceland Protection of Privacy as regards the Processing of Personal Data Idaho Code Title 28 Commercial Transactions, Chapter 51 Identity Theft

213 214 215 216 217 218 219 220 221

Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003 IIA Global Technology Audit Guide (GTAG): Auditing Application Controls IIA Global Technology Audit Guide (GTAG): Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment IIA Global Technology Audit Guide (GTAG): Information Technology Controls IIA Global Technology Audit Guide (GTAG): Information Technology Outsourcing IIA Global Technology Audit Guide (GTAG): Management of IT Auditing IIA Global Technology Audit Guide (GTAG): Managing and Auditing IT Vulnerabilities IIA Global Technology Audit Guide (GTAG): Managing and Auditing Privacy Risks IIA Global Technology Audit Guide (GTAG):Change and Patch Management Controls: Critical for Organizational Success Illinois Compiled Statutes, Chapter 815, ILCS 530/Personal Information Protection Act.

http://www.ftc.gov/os/fedreg/2007/november/071109redflag s.pdf http://www.theiia.org/guidance/standards-andguidance/ippf/practice-guides/gtag/gtag8/ http://www.theiia.org/guidance/standards-andguidance/ippf/practice-guides/gtag/gtag3/ http://www.theiia.org/guidance/standards-andguidance/ippf/practice-guides/gtag/gtag1/ http://www.theiia.org/guidance/standards-andguidance/ippf/practice-guides/gtag/gtag7/ http://www.theiia.org/guidance/standards-andguidance/ippf/practice-guides/gtag/gtag4/ http://www.theiia.org/guidance/standards-andguidance/ippf/practice-guides/gtag/gtag6/ http://www.theiia.org/guidance/standards-andguidance/ippf/practice-guides/gtag/gtag5/ http://www.theiia.org/guidance/standards-andguidance/ippf/practice-guides/gtag/gtag2/ http://www.ilga.gov/legislation/ilcs/ilcs3.asp? ActID=2702&ChapAct=815%26nbsp%3BILCS%26nbsp %3B530%2F&ChapterID=67&ChapterName=BUSI NESS+TRANSACTIONS&ActName=Personal+Informatio n+Protection+Act%2E http://www.ilga.gov/legislation/publicacts/fulltext.asp? Name=094-0036 http://www.cfoc.gov/index.cfm? function=specdoc&id=Implementation%20Guide %20for%20OMB%20Circular%20A123&structure=OMB%20Documents%20and %20Guidance&category=Guides http://www.naavi.org/ita_2006/compare_ita2000_vs_ita2006 /index.htm http://www.in.gov/legislative/ic/code/title24/ar4.9/ http://www.in.gov/legislative/ic/code/title4/ar1/ch11.html http://www.in.gov/legislative/bills/2005/SE/SE0503.1.html http://www.fdic.gov/news/news/financial/2005/fil8105.html http://www.iwar.org.uk/comsec/resources/standards/itsec.ht m http://www.bsi.bund.de/zertifiz/itkrit/itsem-en.pdf http://www.fdic.gov/news/news/financial/2005/fil2705a.html http://www.irs.gov/irm/ http://www.occ.treas.gov/ftp/alert/2000-1.txt http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP800-66-Revision1.pdf http://coolice.legis.state.ia.us/Cool-ICE/default.asp? category=billinfo&service=IowaCode&ga=83&am p;input=614#614.4A http://www.legis.state.ia.us/IACODE/2001SUPPLEMENT/714/ 16B.html

222 223 Illinois Personal Information Protection Act IL HB 1633 Implementation Guide for OMB Circular A-123 Managements Responsibility for Internal Control India Information Technology Act (ITA-2000) 225 226 227 228 229 230 231 232 233 234 235 Indiana Code 24, Article 4.9. Disclosure of Security Breach Indiana Code 24, Notice of Security Breach, Chapter 11 Indiana Release of Social Security Number, Notice of Security Breach IN SB 503 Information Technology Risk Management Program (IT-RMP) New Information Technology Examination Proce Information Technology Security Evaluation Criteria (ITSEC) Information Technology Security Evaluation Manual (ITSEM) Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice Internal Revenue Manual (IRM) Internet Security: Distributed Denial of Service Attacks OCC Alert 2000-1 Introductory Resource Guide for HIPAA NIST Special Publication 800-66 Iowa Code Annotated 614.4a

224

236 237 Iowa Code Annotated 714.16B Civil Cause of Action

Iowa Code Annotated 715C Personal Information Security Breach Protection 238 239 240 Ireland Data Protection Amendment 2003 241 IRS Internal Revenue Code Section 501(c)(3) 242 IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information IRS Revenue Procedure: Record retention: automatic data processing, 98-25 IRS Revenue Procedure: Retention of books and records, 97-22 ISACA Cross-Border Privacy Impact Assessment ISACA IS Standards, Guidelines, and Procedures for Auditing and Control Professionals 247 248 249 ISF Security Audit of Networks ISF Standard of Good Practice for Information Security ISO 13335-1:2004, Information technology Security techniques Management of information and communications technology security Part 1: Concepts and models for information and communications techn ISO 13335-3:1998, Information technology Guidelines for the management of IT Security Part 3: Techniques for the management of IT Security ISO 13335-4:2000, Information technology Guidelines for the management of IT Security Part 4: Selection of safeguards ISO 13335-5:2001, Information technology Guidelines for the management of IT Security Part 5: Management guidance on network security ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines ISO 17799:2000, Code of Practice for Information Security Management ISO 17799:2005 Code of Practice for Information Security Management 257 ISO 27001:2005, Information Security Management Systems - Requirements 258 ISO 73:2002, Risk Management - Vocabulary 259 Ireland Consolidated Data Protection Acts of 1988 and 2003 Ireland Data Protection Act of 1988

http://coolice.legis.state.ia.us/Cool-ICE/default.asp? category=billinfo&service=IowaCode&ga=83 http://www.dataprotection.ie/documents/legal/DPAConsolMa y09.pdf http://www.irishstatutebook.ie/1988/en/act/pub/0025/index. html http://www.irishstatutebook.ie/2003/en/act/pub/0006/index. html http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi? dbname=browse_usc&docid=Cite:+26USC501 http://www.irs.gov/pub/irs-pdf/p1075.pdf

243 244 245 246

http://www.unclefed.com/Tax-Bulls/1998/rp98-25.pdf http://www.recapinc.com/irs_97-22.htm http://www.isaca.org/Template.cfm? Section=Home&CONTENTID=17226&TEMPLATE= /ContentManagement/ContentDisplay.cfm http://www.isaca.org/AMTemplate.cfm? Section=Standards2&Template=/ContentManagement/ ContentDisplay.cfm&ContentID=27785 https://www.isfsecuritystandard.com/SOGP07/index.htm http://www.iso.ch/iso/en/CatalogueDetailPage.CatalogueDet ail?CSNUMBER=39066

250

http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue _detail.htm?csnumber=21756 http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue _detail.htm?csnumber=29240 http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue _detail.htm?csnumber=31142 http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDe tail?CSNUMBER=31908 http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDe tail?CSNUMBER=35845 http://www.iso.ch/iso/en/CatalogueDetailPage.CatalogueDet ail? CSNUMBER=39612&ICS1=35&ICS2=40&ICS 3= http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDe tail? CSNUMBER=39612&ICS1=35&ICS2=40&ICS 3= http://www.iso.ch/iso/en/CatalogueDetailPage.CatalogueDet ail? CSNUMBER=42103&ICS1=35&ICS2=40&ICS 3 http://www.iso.ch/iso/en/CatalogueDetailPage.CatalogueDet ail?CSNUMBER=34998

251 252

253 254 255

256

ISO/IEC 15408-1:2005 Common Criteria for Information Technology Security Evaluation Part 1 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 Louisiana Revised Statutes Title 51 30733074 Database Security Breach Notification Law Luxembourg Data Protection Law ISO/IEC 15408-2:2008 Common Criteria for Information Technology Security Evaluation Part 2 ISO/IEC 15408-3:2008 Common Criteria for Information Technology Security Evaluation Part 3 ISO/IEC 18045:2005 Common Methodology for Information Technology Security Evaluation Part 3 ISO/IEC 18045:2008 Common Methodology for Information Technology Security Evaluation ISO/IEC 20000-1:2005 Information technology Service Management Part 1 ISO/IEC 20000-2:2005 Information technology Service Management Part 2 ISO/IEC 27002-2005 Code of practice for information security management ISSA Generally Accepted Information Security Principles (GAISP) IT Baseline Protection Manual Standard Security Safeguards Germany IT Service Management Standard - Code of Practice, BS ISO/IEC 20000-2:2005 IT Service Management Standard , BS ISO/IEC 20000-1:2005 Italy Personal Data Protection Code Italy Protection of Individuals Other Subject with regard to the Processing of Personal Data Japan Act on the Protection of Personal Information Protection (Law No. 
57 of 2003) Japan ECOM Guidelines Concerning the Protection of Personal Data in Electronic Commerce in the Private Sector (version 1.0) Japan Handbook Concerning Protection Of Personal Data Kansas Statutes Chapter 50, Article 7a Protection Of Consumer Information Kentucky Revised Statutes Title III Chapter 15 113 Prevention of Identity Theft Kentucky Revised Statutes Title XXXVI Chapter 411 210 Action for theft of identity or trafficking in stolen identities Korea Act on Promotion of Information & Communication Network Utilization and Information Protection, etc Korea Act on the Protection of Personal Information Maintained by Public Agencies 1994 Korea Act Relating to Use and Protection of Credit Information Level-2 Windows 2000 Professional Operating System Benchmark Lithuania Law on Legal Protection of Personal Data Loi sur la Scurit Financire (French SOX)

http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDe tail? CSNUMBER=40612&ICS1=35&ICS2=40&ICS 3= http://www.iso.org/iso/iso_catalogue/catalogue_ics/catalogu e_detail_ics.htm?csnumber=46414 http://www.iso.org/iso/iso_catalogue/catalogue_ics/catalogu e_detail_ics.htm?csnumber=46413 http://www.iso.org/iso/iso_catalogue/catalogue_ics/catalogu e_detail_ics.htm?csnumber=46412 http://www.iso.org/iso/iso_catalogue/catalogue_ics/catalogu e_detail_ics.htm?csnumber=46412 http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue _detail.htm?csnumber=41332 http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue _detail.htm?csnumber=41333 http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue _detail.htm?csnumber=50297 http://all.net/books/standards/GAISP-v30.pdf http://www.iwar.org.uk/comsec/resources/standards/german y/itbpm/menue.htm http://20000.standardsdirect.org/ http://20000.standardsdirect.org/ http://www.garanteprivacy.it/garante/document?ID=311066 http://www.euroacustici.org/eng/Privacy.pdf http://www5.cao.go.jp/seikatsu/kojin/foreign/act.pdf http://www.ecom.jp/ecom_e/report/full/personal.pdf http://www.meti.go.jp/english/information/downloadfiles/Tar o9-eng.pdf http://kansasstatutes.lesterama.org/Chapter_50/Article_7a/ http://www.lrc.ky.gov/KRS/015-00/113.PDF http://www.lrc.ky.gov/KRS/411-00/210.PDF http://unpan1.un.org/intradoc/groups/public/documents/APC ITY/UNPAN025694.pdf http://www.glin.gov/view.action?glinID=202097 http://www.glin.gov/view.action?glinID=99460 http://www.cisecurity.org/bench_windows.html http://www.ada.lt/images/cms/File/pers.data.prot.law.pdf http://www.assembleenationale.fr/12/dossiers/securite_financiere.asp http://www.legis.state.la.us/lss/lss.asp?doc=322029 http://www.cnpd.lu/objets/en/doc_loi02082002mod_en.pdf# zoom=125,0,0

288 289 290

291 292 293 294 295 296

Mac OS X Security Configuration for version 10.4 or later, second edition Maine Revised Statutes Title 10, Part 3 Chapter 210-B Notice of Risk to Personal Data Maryland Code of Commercial Law Subtitle 35. Maryland Personal Information Protection Act 14-3501 thru 14-3508 Massachusetts 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth of Massachusetts MasterCard Electronic Commerce Security Architecture Best Practices MasterCard Wireless LANs - Security Risks and Guidelines Mexico Federal Personal Data Protection Law Michigan Identity Theft Protection Act, Act 452 of 2004, 445.61 thru 445.72a Microsoft Developer Network Security Glossary Microsoft Office 2007 Security Guide

http://images.apple.com/server/macosx/docs/Tiger_Security _Config_021507.pdf http://www.mainelegislature.org/legis/statutes/10/title10ch2 10-Bsec0.html http://www.michie.com/maryland/lpext.dll? f=templates&fn=main-h.htm&cp=mdcode http://www.mass.gov/Eoca/docs/idtheft/201CMR17amended. pdf http://www.powerpay.biz/docs/risk/MC_best_practices_online .pdf http://www.mastercard.com/us/sdp/assets/pdf/wl_entire_ma nual.pdf https://www.agpd.es/upload/English_Resources/Mexico_decl aration.pdf http://legislature.mi.gov/doc.aspx?mcl-Act-452-of-2004 http://msdn.microsoft.com/enus/library/ms721607(VS.85).aspx http://www.microsoft.com/downloads/details.aspx? FamilyID=5534bee1-3cad-4bf0-b92ba8e545573a3e&displaylang=en http://www.microsoft.com/downloads/details.aspx? FamilyID=5534bee1-3cad-4bf0-b92ba8e545573a3e&displaylang=en http://technet.microsoft.com/en-us/bb629420.aspx https://www.revisor.leg.state.mn.us/bin/bldbill.php? bill=H1758.4.html&session=ls85 http://www.revisor.leg.state.mn.us/data/revisor/statute/2008 /013/2008-13.055.pdf https://www.revisor.leg.state.mn.us/statutes/? id=325E.61#stat.325E.61 https://www.revisor.leg.state.mn.us/statutes/?id=325E.64 http://www.moga.mo.gov/statutes/c400499/4070001500.htm http://www.house.missouri.gov/content.aspx? info=/bills041/biltxt/intro/HB0957I.HTM http://data.opi.state.mt.us/BILLS/2005/BillPDF/HB0732.pdf http://data.opi.state.mt.us/bills/mca_toc/30_14_17.htm

297 Microsoft Solutions for Security and Compliance; Windows XP Security Guide 298 299 300 301 302 303 304 305 306 Minnesota Statute 13.055 State Agencies; Disclosure of Breach in Security Minnesota Statute 325E.61 Data Warehouses; Notice Required For Certain Disclosures Minnesota Statute 325E.64 Access Devices; Breach of Security Missouri Revised Statutes Chapter 407 Merchandising Practices 407.1500 Missouri War on Terror Veteran Survivor Grants, MO HB 957 Montana bill to Implement Individual Privacy and to Prevent Identity Theft, MT HB 732 Montana Code 30-14-1701 thru 30-14-1705 and 30-14-1721 thru 30-14-1722; Protection of individual privacy and to impede identity theft as prohibited by 45-6-332 Montana Code 45-6-332. Theft of identity Multi-Function Device (MFD)and Printer Checklist for Sharing Peripherals Across the Network Security Technical Implementation Guide NASD Manual National Incident Management System (NIMS), Department of Homeland Security, December 2008 NCUA Guidelines for Safeguarding Member Information, 12 CFR 748 Nebraska Revised Statutes 87-801 thru 87807, Data Protection and Consumer Notification of Data Security Breach Act of 2006 Microsoft Windows Vista Security Guide Appendix A: Security Group Policy Settings Minnesota Plastic Card Security Act H.F. 1758

307 308

http://data.opi.state.mt.us/bills/mca/45/6/45-6-332.htm http://iase.disa.mil/stigs/checklist/span_mfd_checklist_v1r13_04_15_2009.pdf http://onlinestore.cch.com/default.asp?ProductID=1926 http://www.fema.gov/pdf/emergency/nims/NIMS_core.pdf http://www.ffiec.gov/exam/InfoBase/documents/02-ncu12_cfr_748_app_a_safeguard_info-010100.pdf http://www.legislature.ne.gov/laws/browse-chapters.php? chapter=87

309 310 311 312 313

314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341

Netherlands Act of 6 July 2000 Personal Data Protection Act Netherlands Personal Data Protection Act, Session 1999-2000 Nr.92 Nevada Revised Statute Chapter 603A, Security of Personal Information Nevada Security Breach Notification Law, NV SB 347 New Hampshire Statute Title XXXI, Chapter 359C Right to Privacy, Notice of Security Breach New Jersey Identity Theft Prevention Act, NJ A4001/S1914 New Jersey Permanent Statutes Title 56 Security of Personal Information New York Disposal of Records Containing Personal Identifying Information NY CLS Gen Bus 399-h New York Information Security Breach and Notification Act New York State General Business Law Chapter 20, Article 39-F, 899-aa New Zealand Privacy Act 1993 NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006 NIST SCAP Microsoft Internet Explorer Version 7.0 OVAL North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards North Carolina Security Breach Notification Law (Identity Theft Protection Act of 2005) North Carolina Statutes Chapter 75 Article 2A. Identity Theft Protection Act 75-60 through 75-66 North Dakota Century Code, CHAPTER 51-30 Notice of Security Breach For Personal Information North Dakota Personal Information Protection Act, ND SB 2251 NRC Regulations (10 CFR) 73.54 Protection of digital computer and communication systems and networks NSA Guide to Securing Microsoft Windows 2000 Group Policy NSA Guide to Security Microsoft Windows XP NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5 NSA Guide to the Secure Configuration of Solaris 8 NYSE Listed Company Manual OECD / World Bank Technology Risk Checklist OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data OECD Principles of Corporate Governance OGC ITIL: Application Management OGC ITIL: ICT Infrastructure Management

http://www.dutchdpa.nl/indexen/en_ind_wetten_wbp_wbp.sh tml http://www.dutchdpa.nl/downloads_wetten/wbp.pdf? refer=true&theme=purple http://www.leg.state.nv.us/NRS/NRS-603A.html http://www.leg.state.nv.us/73rd/bills/SB/SB347_EN.pdf http://www.gencourt.state.nh.us/rsa/html/XXXI/359-C/359-Cmrg.htm http://www.njleg.state.nj.us/2004/Bills/A3500/4001_I1.PDF http://www.njleg.state.nj.us/2004/Bills/PL05/226_.HTM http://it.rockefeller.edu/pdf/disposal.pdf http://www.cscic.state.ny.us/security/securitybreach/ http://www.cscic.state.ny.us/lib/laws/documents/899-aa.pdf http://www.legislation.govt.nz/act/public/1993/0028/latest/D LM296639.html http://www.dtic.mil/whs/directives/corres/html/522022m.ht m http://nvd.nist.gov/chklst_detail.cfm?config_id=148 http://www.nerc.com/page.php?cid=2%7C20 http://www.ncleg.net/Sessions/2005/Bills/Senate/PDF/S1048 v2.pdf http://www.ncga.state.nc.us/EnactedLegislation/Statutes/HT ML/ByArticle/Chapter_75/Article_2A.html http://www.legis.nd.gov/cencode/t51c30.pdf http://www.legis.nd.gov/assembly/59-2005/billtext/FRBS0500.pdf http://www.nrc.gov/reading-rm/doccollections/cfr/part073/part073-0054.html http://www.nsa.gov/ia/_files/os/win2k/w2k_group_policy.pdf http://www.nsa.gov/ia/_files/os/winxp/Windows_XP_Security_ Guide_v2.2.zip http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf http://www.nsa.gov/ia/_files/os/sunsol/I331-008R-2004.pdf http://nysemanual.nyse.com/lcm/ http://www.infragard.net/library/pdfs/technologyrisklist.pdf http://www.oecd.org/document/18/0,2340,en_17642234_17 642806_1815186_1_1_1_1,00.html http://www.oecd.org/DATAOECD/32/18/31557724.pdf http://www.best-management-practice.com/PublicationsLibrary/IT-Service-Management-ITIL/ITIL-Version-2/? DI=610977#GEMS6449817 http://www.best-management-practice.com/PublicationsLibrary/IT-Service-Management-ITIL/ITIL-Version-2/? DI=610977#GEMS6449815

342

OGC ITIL: Planning to Implement Service Management 343 OGC ITIL: Security Management 344 OGC ITIL: Service Delivery 345 OGC ITIL: Service Support 346 347 348 349 350 351 352 353 354 355 Ohio Personal information - contact if unauthorized access, OH HB 104 Ohio Revised Code Title XIII Chapter 1347 1347.12 Agency disclosure of security breach of computerized personal information data Ohio Revised Code Title XIII Chapter 1349 1349.19 Private disclosure of security breach of computerized personal information data Oklahoma Administrative Code Title 375 Chapter 40 Oklahoma Identity Theft Passport Program 375:40-1-1 thru 375:40-1-11 Oklahoma State Law Disclosure of breach of security of computerized personal information, 74-3113.1 OMB Circular A-123 Managements Responsibility for Internal Control Oregon Consumer Identity Theft Protection Act, Senate Bill 583 Oregon Revised Statutes Chapter 646a 646A.600 thru 646A.624 Identity Theft Protection Act ORGANIC LAW 15/1999 of 13 December on the Protection of Personal Data Part II Securities and Exchange Commission 17 CFR Parts 210, 228, 229 and 240 Amendments to Rules Regarding Management's Report on Internal Control Over Financial Reporting; Final Rule Payment Card Industry (PCI) Data Security Standard Security Audit Procedures Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance No Electronic Storage, Processing, or Transmission of Cardholder Data Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines or Stand-alone Dial-out Terminals Only, no Electronic Cardholder Data Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and 
all SAQ-Eligible Service Providers Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline

http://www.best-management-practice.com/PublicationsLibrary/IT-Service-Management-ITIL/ITIL-Version-2/? DI=610977#GEMS6449809 http://www.best-management-practice.com/PublicationsLibrary/IT-Service-Management-ITIL/ITIL-Version-2/? DI=610977#GEMS6449811 http://www.best-management-practice.com/PublicationsLibrary/IT-Service-Management-ITIL/ITIL-Version-2/? DI=610977#GEMS6449807 http://www.best-management-practice.com/PublicationsLibrary/IT-Service-Management-ITIL/ITIL-Version-2/? DI=610977#GEMS6449805 http://www.legislature.state.oh.us/BillText126/126_HB_104_E N_N.pdf http://codes.ohio.gov/orc/1347.12 http://codes.ohio.gov/orc/1349.19 http://www.oar.state.ok.us/oar/codedoc02.nsf/All/0941DE04 6451FFD3862575F400119991?OpenDocument http://www2.lsb.state.ok.us/os/os_74-3113.1.rtf http://www.whitehouse.gov/OMB/circulars/a123/a123_rev.ht ml http://www.leg.state.or.us/07reg/measpdf/sb0500.dir/sb058 3.b.pdf http://www.leg.state.or.us/ors/646a.html https://www.agpd.es/upload/Ley%20Org%E1nica%201599_ingles.pdf http://www.sec.gov/rules/final/2007/33-8809fr.pdf

356 357

https://www.pcisecuritystandards.org/pdfs/pci_audit_proced ures_v1-1.pdf https://www.pcisecuritystandards.org/docs/pci_saq_a.doc

358

https://www.pcisecuritystandards.org/docs/pci_saq_b.doc

359

https://www.pcisecuritystandards.org/docs/pci_saq_c.doc

360

https://www.pcisecuritystandards.org/docs/pci_saq_d.doc

361 362 363

https://www.pcisecuritystandards.org/security_standards/pci _dss_download_agreement.html https://www.pcisecuritystandards.org/pdfs/PCI_DSS_Wireless _Guidelines.pdf

364 365 366 367 368 369

Payment Card Industry (PCI) Payment Application Data Security Standard Payment Card Industry Self-Assessment Questionnaire A and Attestation of Compliance No Electronic St Payment Card Industry Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines Payment Card Industry Self-Assessment Questionnaire C and Attestation of Compliance Payment Applicat Payment Card Industry Self-Assessment Questionnaire D and Attestation of Compliance All Other Merch PCAOB Auditing Standard No. 2 PCAOB Auditing Standard No. 3

https://www.pcisecuritystandards.org/pdfs/pci_padss_security_audit_procedures_v1-1.pdf https://www.pcisecuritystandards.org/docs/saq_a_v1-1.doc https://www.pcisecuritystandards.org/docs/saq_b_v1-1.doc https://www.pcisecuritystandards.org/docs/saq_c_v1-1.doc https://www.pcisecuritystandards.org/docs/saq_d_v1-1.doc http://www.pcaobus.org/Rules/Rules_of_the_Board/Auditing_ Standard_2.pdf http://www.pcaobus.org/Rules/Rules_of_the_Board/Auditing_ Standard_3.pdf http://www.pcaobus.org/Rules/Rules_of_the_Board/Auditing_ Standard_5.pdf https://www.pcisecuritystandards.org/security_standards/pci _dss_download_agreement.html https://www.pcisecuritystandards.org/pdfs/pci_scanning_pro cedures_v1-1.pdf http://www.schwartzandballen.com/ImportedLawsBills/Penns ylvania%20Security%20Breach.pdf http://csrc.nist.gov/publications/nistpubs/800-55Rev1/SP800-55-rev1.pdf http://www.mp.gov.si/fileadmin/mp.gov.si/pageuploads/2005 /PDF/zakonodaja/2007_10_29_personal_data_protection_act _RS.pdf http://www.giodo.gov.pl/plik/id_p/61/j/en/ http://www.cnpd.pt/english/bin/legislation/Law6798EN.HTM http://www.usdoj.gov/opcl/privacyact1974.htm http://www.ftc.gov/os/2000/05/65fr33645.pdf http://www.protectionofassets.com/ http://thomas.loc.gov/cgi-bin/query/D? c109:7:./temp/~c109XRfrcN:: http://www.schwartzandballen.com/ImportedDocs/Puerto %20Rico%20security%20breach.pdf http://csrc.nist.gov/publications/nistpubs/800-53Rev2/sp800-53-rev2_pdf.zip http://ecfr.gpoaccess.gov/cgi/t/text/text-idx? c=ecfr;sid=c81f9f1046cb6bc1569a5db1ff1cb3ca;rgn=div8; view=text;node=17%3A3.0.1.1.1.2.97.421;idno=17;cc=ecfr http://ecfr.gpoaccess.gov/cgi/t/text/text-idx? c=ecfr;sid=8a707a87faf38f7d2846d9b026ef323e;rgn=div8; view=text;node=17%3A3.0.1.1.1.2.94.371;idno=17;cc=ecfr http://ecfr.gpoaccess.gov/cgi/t/text/text-idx? c=ecfr;sid=c81f9f1046cb6bc1569a5db1ff1cb3ca;rgn=div8; view=text;node=17%3A3.0.1.1.1.2.97.421;idno=17;cc=ecfr http://ecfr.gpoaccess.gov/cgi/t/text/text-idx? 
c=ecfr;sid=45bcefcbca5a2961e1cee9a9cb01b160;rgn=div8 ;view=text;node=17%3A3.0.1.1.1.2.94.373;idno=17;cc=ecf r http://ecfr.gpoaccess.gov/cgi/t/text/text-idx? c=ecfr;sid=90722b0e4f8ff362197b60c394489ce4;rgn=div8 ;view=text;node=17%3A3.0.1.1.1.2.94.375;idno=17;cc=ecf r

370 PCAOB Auditing Standard No. 5
371 PCI DSS (Payment Card Industry Data Security Standard)
372 PCI DSS Security Scanning Procedures
373 Pennsylvania Statutes Title 73 Trade and Commerce Chapter 43 Breach of Personal Information Notification Act 2301 thru 2329
374 Performance Measurement Guide for Information Security, NIST 800-55 Rev. 1
375 Personal Data Protection Act of the Republic of Slovenia of 2004
376 Poland Protection of Personal Data Act
377 Portuguese Act on the Protection of Personal Data 67/98
378 Privacy Act of 1974, 5 USC 552a
379 Privacy of Consumer Financial Information, FTC 16 CFR 313
380 Protection of Assets Manual, ASIS International
381 PUBLIC LAW 109-295, OCT. 4, 2006
382 Puerto Rico Code Title 10 Subtitle 3 Chapter Citizen Information on Data Banks Security Act, 10 L.P.R.A. 4051
383 Recommended Security Controls for Federal Information Systems, NIST SP 800-53
384 Record retention SEC 17 CFR 240.17Ad-7
385 Recordkeeping rule for securities exchanges, SEC 17 CFR 240.17a-1
386 Recordkeeping SEC 17 CFR 240.17Ad-6
387 Records to be made by certain exchange members, brokers, and dealers SEC 17 CFR 240.17a-3
388 Records to be preserved by certain exchange members, brokers, and dealers SEC 17 CFR 240.17a-4
389 Reporting Transactions and Holdings, SEC 17 CFR 240.16a-3
    http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr;sid=3fc1d2e7d4a2c838ca758408923105a8;rgn=div8;view=text;node=17%3A3.0.1.1.1.2.90.348;idno=17;cc=ecfr
390 Responsible Care Security Code of Management Practices, American Chemistry Council
    http://www.americanchemistry.com/securitycode_pdf
391 Retention of Audit and Review Records, SEC 17 CFR 210.2-06
    http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=1e057afa900af722d0a59a28773472ed&rgn=div8&view=text&node=17:2.0.1.1.8.0.18.9&idno=17
392 Revised Code of Washington Title 19 Chapter 19.215 Disposal of personal information 19.215.005 thru 19.215.030
    http://apps.leg.wa.gov/RCW/default.aspx?cite=19.215
393 Revised Code of Washington Title 19 Chapter 19.255 Personal information - notice of security breaches 19.255.010
    http://apps.leg.wa.gov/RCW/default.aspx?cite=19.255.010
394 Rhode Island General Law Chapter 11-49.2 Identity Theft Protection 11-49.2-1 thru 11-49.2-4
    http://www.rilin.state.ri.us/statutes/TITLE11/11-49.2/INDEX.HTM
395 Rhode Island Security Breach Notification Law, RI HB 6191
    http://www.rilin.state.ri.us/Billtext/BillText05/HouseText05/H6191.pdf
396 Right to Financial Privacy Act
    http://www.accessreports.com/statutes/RFPA.htm
397 Risk Management Guide for Information Technology Systems, NIST SP 800-30
    http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
398 Royal Decree of 13 February 2001 implementing the Law of 8 December 1992 on the protection of privacy in relation to the processing of personal data
    http://www.privacycommission.be/en/static/pdf/wetgeving/uitvoeringsbesluit-2001-en-input-website-220109.pdf
399 Safety and Soundness Standards, Appendix of OCC 12 CFR 30
    http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=55f63dbb4ec993a25080b4cb3eb14e06&rgn=div5&view=text&node=12:1.0.1.1.28&idno=12
400 SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
    http://www.aicpa.org/download/members/div/auditstd/AU-00314.PDF
401 SAS 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained
    http://www.aicpa.org/download/members/div/auditstd/AU-00318.PDF
402 SEC 12 CFR 229 Availability of Funds and Collection (Check Clearing for the 21st Century)
    http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=91f3f63db5cf1624698533e65e823221&rgn=div5&view=text&node=12:3.0.1.1.10&idno=12#12:3.0.1.1.10.4.8.11.30
403 Securities Act of 1933
    http://uscode.house.gov/download/pls/15C2A.txt
404 Securities Exchange Act of 1934
    http://uscode.house.gov/download/pls/15C2B.txt
405 Security Considerations in the Information System Development Life Cycle, NIST SP 800-64
    http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf
406 Security Metrics Guide for Information Technology Systems, NIST SP 800-55
    http://csrc.nist.gov/publications/nistpubs/800-55/sp800-55.pdf
407 Security Self-Assessment Guide, NIST SP 800-26
    http://csrc.nist.gov/publications/nistpubs/800-26/sp800-26.pdf
408 Slovak Republic Protection of Personal Data in Information Systems
    http://www.dataprotection.gov.sk/buxus/docs/act_428.pdf
409 Smith Guidance on Audit Committees, UK FRC
    http://www.frc.org.uk/documents/pagemanager/frc/The%20Smith%20Guidance%20on%20Audit%20Committees%20June%202006.pdf
410 South Africa Promotion of Access to Information Act
    http://freedominfo.org/documents/South%20Africa%20PAIA.pdf
411 South Carolina Code of Laws 1-11-490 Breach of security of state agency data notification
    http://www.scstatehouse.gov/code/t01c011.htm
412 South Carolina Code of Laws 16-13-512 Credit Card and 39-1-90 Breach of security of business data notification
    http://www.scstatehouse.gov/code/t39c001.htm
413 Specter-Leahy Personal Data Privacy and Security Act
    http://leahy.senate.gov/press/200506/062905a.html
414 Standards for Safeguarding Customer Information; Final Rule, FTC 16 CFR 314
    http://www.ftc.gov/os/2002/05/67fr36585.pdf
415 State of Arizona Standard P800-S880, Revision 2.0: Media Sanitation/Disposal
    http://www.azgita.gov/policies_standards/pdf/P800-S880%20Media%20San+Disp.pdf
416 State Prohibitions on Marketing Practices using Medical Information (CA SB1633)
    http://info.sen.ca.gov/cgi-bin/postquery?bill_number=sb_1633&sess=0304&house=B&site=sen
417 State Prohibitions on Marketing Practices using Medical Information (TX SB11)
    http://www.legis.state.tx.us/billlookup/BillSummary.aspx?LegSess=80R&Bill=SB11
418 Sweden Personal Data Act (1998:204)
    http://www.sweden.gov.se/content/1/c6/01/55/42/b451922d.pdf
419 Swedish Code of Corporate Governance; A Proposal by the Code Group
    http://www.sweden.gov.se/download/f8334504.pdf?major=1&minor=26296&cn=attachmentPublDuplicator_0_attachment
420 Switzerland Federal Act on Data Protection
    http://www.dataprotection.eu/pmwiki/pmwiki.php?n=Main.CH
421 System Security Plan (SSP) Procedure
    http://www.cms.hhs.gov/informationsecurity/downloads/SSP_Procedure.pdf
422 Taiwan Computer-Processed Personal Data Protection Law 1995
    http://www.ics.uci.edu/~kobsa/privacy/Taiwan1.htm
423 Technology Risk Management Guide for Bank Examiners OCC Bulletin 98-3
    http://www.occ.treas.gov/ftp/bulletin/98-3.txt
424 Telemarketing Sales Rule (TSR), 16 CFR 310
    http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=bf60e7b87681ffcbf1030185f246d305&rgn=div5&view=text&node=16:1.0.1.3.34&idno=16
425 Tennessee Code Title 47 Chapter 18 Part 21 Identity Theft Deterrence 47-18-2101 thru 47-18-2110
    http://www.michie.com/tennessee/lpext.dll?f=templates&fn=main-h.htm&cp=tncode
426 Tennessee Security Breach Notification, TN SB 2220
    http://tennessee.gov/sos/acts/104/pub/pc0473.pdf
427 Texas Business and Commerce Code, secs. 48.102, 48.103
    http://www.hro.house.state.tx.us/PDF/ba80r/HB3222.PDF
428 Texas Business and Commerce Code Title 11, Subtitle B, Chapter 521, Subchapter A
    http://www.statutes.legis.state.tx.us/Docs/BC/pdf/BC.521.pdf
429 Texas Identity Theft Enforcement and Protection Act, TX SB 122
    http://www.bakers-legalpages.com/leg2005/bills/sb00122f.htm
430 The Center for Internet Security Security Benchmark For Multi-Function Devices
    http://www.cisecurity.org/benchmarks.html
431 The Center for Internet Security Wireless Networking Benchmark version 1.0
    http://www.cisecurity.org/bench_wireless.html
432 The Center for Internet Security Wireless Networking Benchmark, Apple Addendum, version 1.0
    http://www.cisecurity.org/bench_wireless.html
433 The Center for Internet Security Wireless Networking Benchmark, Cisco Addendum, version 1.0
    http://www.cisecurity.org/bench_wireless.html
434 The Center for Internet Security Wireless Networking Benchmark, DLINK Addendum, version 1.0
    http://www.cisecurity.org/bench_wireless.html
435 The Center for Internet Security Wireless Networking Benchmark, Linksys Addendum, version 1.0
    http://www.cisecurity.org/bench_wireless.html
436 The DIRKS Manual: A Strategic Approach to Managing Business Information
    http://www.naa.gov.au/records-management/publications/dirks-manual.aspx
437 The Dutch corporate governance code, Principles of good corporate governance and best practice provisions
    http://www.ecgi.org/codes/documents/cg_code_nl_en.pdf
438 The GAIT Methodology
    http://www.theiia.org/guidance/standards-and-guidance/ippf/practice-guides/gait/gait-m/
439 The King Committee on Corporate Governance, Executive Summary of the King Report 2002
    http://www.ecgi.org/codes/documents/executive_summary.pdf
440 The National Strategy to Secure Cyberspace
    http://www.dhs.gov/xlibrary/assets/National_Cyberspace_Strategy.pdf
441 The Sarbanes-Oxley Act of 2002
    http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_bills&docid=f:h3763enr.tst.pdf
442 The Sedona Principles Addressing Electronic Document Production
    http://www.thesedonaconference.org/dltForm?did=7_05TSP.pdf
443 The Standard of Good Practice for Information Security
    https://www.isfsecuritystandard.com/SOGP07/index.htm
444 TITLE 49, Subtitle VII - Aviation Programs
    http://www.tsa.gov/assets/pdf/49_USC_Chapters_401_to_501.pdf
445 Transportation Security Administration (TSA) Security Guidelines for General Aviation Airports, Information Publication A-001, May 2004
    http://www.tsa.gov/assets/pdf/security_guidelines_for_general_aviation_airports.pdf
446 Turnbull Guidance on Internal Control, UK FRC
    http://www.frc.org.uk/documents/pagemanager/frc/Revised%20Turnbull%20Guidance%20October%202005.pdf
447 UK Data Protection Act of 1998
    http://www.opsi.gov.uk/acts/acts1998/ukpga_19980029_en_1
448 UN Guidelines for the Regulation of Computerized Personal Data Files (1990)
    http://www.worldlii.org/int/other/PrivLRes/1990/1.html
449 Underlying Technical Models for Information Technology Security, NIST SP 800-33
    http://csrc.nist.gov/publications/nistpubs/800-33/sp800-33.pdf
450 Uniform Electronic Transactions Act (UETA) (1999)
    http://www.law.upenn.edu/bll/ulc/fnact99/1990s/ueta99.htm
451 Uniform Rules of Evidence Act
    http://www.law.upenn.edu/bll/ulc/ure/evid1200.htm
452 US Department of Commerce EU Safe Harbor Privacy Principles
    http://www.export.gov/safeharbor/index.asp
453 US Department of Energy Cyber Security Program Media Clearing, Purging, and Destruction Guidance: DOE CIO Guidance CS-11
    http://cio.energy.gov/CS11_Clearing_and_Media_Sanitization_Guidance.pdf
454 US Export Administration Regulations Database
    http://www.gpo.gov/bis/ear/ear_data.html
455 US International Traffic in Arms Regulations
    http://www.pmddtc.state.gov/regulations_laws/itar_official.html
456 Utah Protection of Personal Information Act, Utah Code Title 13-44
    http://le.utah.gov/~code/TITLE13/13_44.htm
457 Vermont Relating to Identity Theft, VT HB 327
    http://www.leg.state.vt.us/docs/legdoc.cfm?URL=/docs/2004/acts/ACT155.HTM
458 Vermont Statute Title 9 Chapter 62 Protection of Personal Information 2430, 2435, 2440, 2445
    http://www.leg.state.vt.us/statutes/fullchapter.cfm?Title=09&Chapter=062
459 Video Privacy Protection Act (VPPA), 18 USC 2710
    http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00002710----000-.html
460 Virgin Islands Code Title 14 Chapter 110 The Identity Theft Prevention Act 2201 thru 2211
    http://www.michie.com/virginislands/lpext.dll?f=templates&fn=main-h.htm&cp=vicode
461 Virginia Code Title 18.2 Chapter 6 Breach of personal information notification 18.2-186.6
    http://leg1.state.va.us/000/cod/18.2-186.6.HTM
462 Virginia Identity theft; penalty; restitution; victim assistance, VA HB 872
    http://leg1.state.va.us/cgi-bin/legp504.exe?041+ful+CHAP0450
463 VISA CISP: What to Do If Compromised
    http://usa.visa.com/download/merchants/cisp_what_to_do_if_compromised.pdf
464 Visa Fraud Control and Investigation Procedures
    (no link listed in the source table)
465 Visa Data Field Encryption
    http://corporate.visa.com/_media/best-practices.pdf
466 VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business
    http://usa.visa.com/download/merchants/visa_risk_management_guide_ecommerce.pdf
467 VISA Incident Response Procedure for Account Compromise
    http://www.visa-asia.com/ap/center/merchants/riskmgmt/includes/uploads/VisaAP_Inc_Resp_Procedv1_2_2004.pdf
468 Visa Payment Application Best Practices (PABP)
    http://usa.visa.com/download/merchants/cisp_payment_application_best_practices.doc
469 Washington DC Consumer Personal Information Security Breach Notification Act of 2006
    http://www.dccouncil.washington.dc.us/images/00001/20061218135855.pdf
470 Washington Notice of a breach of the security, WA SB 6043
    http://www.leg.wa.gov/pub/billinfo/2005-06/Htm/Bills/Senate%20Bills/6043-S.htm
471 West Virginia Code Chapter 46A Article 2A Breach of Security of Consumer Information 46A-2A-101 thru 46A-2A-105
    http://www.legis.state.wv.us/WVCODE/Code.cfm?chap=46a&art=2A#2A
472 Windows Server 2003 Security Guide
    http://www.microsoft.com/downloads/details.aspx?FamilyID=5534bee1-3cad-4bf0-b92b-a8e545573a3e&displaylang=en
473 Windows Server 2008 Security Guide
    http://www.microsoft.com/downloads/details.aspx?FamilyID=5534bee1-3cad-4bf0-b92b-a8e545573a3e&displaylang=en
474 Wisconsin Act 138 Notice of unauthorized acquisition of personal information
    http://www.legis.state.wi.us/2005/data/acts/05act138.pdf
475 Wisconsin Statute Chapter 134 Notice of unauthorized acquisition of personal information 134.98
    www.legis.state.wi.us/statutes/Stat0134.pdf
476 Wyoming Statute Title 40 Article 5 Breach of the security of the data system 40-12-501 thru 40-12-509
    http://legisweb.state.wy.us/statutes/statutes.aspx?file=titles/Title40/Title40.htm