Security Laws, Regulations and Guidelines Directory
This directory includes laws, regulations and industry guidelines with significant security and privacy impact and requirements. Each entry includes a link to the full text of the law or reg as well as information about what and who is covered.
Tue, November 02, 2010
CSO
The list is intentionally US-centric, but includes selected laws of other nations that have an impact on US-based global companies.
The security regulations and guidelines directory will be updated and expanded over time on CSOonline.com. Please email editor Derek Slater (dslater@cxo.com) with suggestions or updates.
The directory is divided into two subsections:
* Broadly applicable laws and regulations
* Industry-specific guidelines and requirements
Section one: Broadly applicable laws and regulations
Sarbanes-Oxley Act (aka Sarbox, SOX)
What Sarbanes-Oxley covers: Enacted in 2002, the Sarbanes-Oxley Act is designed to protect investors and the public by increasing the accuracy and reliability of corporate disclosures. It was enacted after the high-profile Enron and WorldCom financial scandals of the early 2000s. It is administered by the Securities and Exchange Commission, which publishes the SOX rules defining audit requirements and specifying which records businesses must retain and for how long.
Who is affected: U.S. public company boards, management and public accounting firms.
Full text of Sarbanes-Oxley Act: http://www.gpo.gov/fdsys/pkg/PLAW-107publ204/content-detail.html
Key requirements/provisions: The Act is organized into 11 titles:
1. Public Company Accounting Oversight
2. Auditor Independence
3. Corporate Responsibility
4. Enhanced Financial Disclosures
5. Analyst Conflicts of Interest
6. Commission Resources and Authority
7. Studies and Reports
8. Corporate and Criminal Fraud Accountability
9. White-Collar Crime Penalty Enhancements
10. Corporate Tax Returns
11. Corporate Fraud Accountability
Source: SarbanesOxleyCompliance.com
Payment Card Industry Data Security Standard (PCI DSS)
What it covers: The PCI DSS is a set of requirements for enhancing the security of payment card account data. It was developed by the founders of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide (MA) and Visa, to facilitate global adoption of consistent data security measures. PCI DSS includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.
The Council has also issued requirements called the Payment Application Data Security Standard (PA DSS) and PCI PIN Transaction Security (PCI PTS).
Who is affected: Retailers, credit card companies, anyone handling credit card data.
Link to the PCI DSS requirements (the current version is PCI DSS v2.0, issued 10/28/2010): https://www.pcisecuritystandards.org/security_standards/documents.php