Learning Guide: How standards and regulations affect application security
Many standards and laws regulate security issues for companies. Often, however, what's expected is unclear -- especially when it comes to application security. But that is starting to change, as regulations begin including application security mandates. Here's a look at some of those standards and regulations and articles on how to comply with them. If you know of an article, tip, tool or code sample that should be included, send me an e-mail with the information and I'll add it. -- Michelle Davidson, Site Editor.
Twenty-six states, plus Puerto Rico, now have data breach notification laws. The U.S. government is also working on a federal law.

IEEE P1074 gives project leaders a plan for including all aspects of the software development life cycle (SDLC) when making security-related decisions. It puts projects in enterprise business context, and it provides the framework for coordinating software security efforts across all disciplines and over the lifetime of the software.

ISO 17799 is a detailed security standard. It is organized into ten major sections, each covering a different topic or area: business continuity planning, system access control, system development and maintenance, physical and environmental security, compliance, personnel security, security organization, computer and operations management, asset classification and control, and security policy.

The Gramm-Leach-Bliley Act (GLB Act), also known as the Financial Modernization Act of 1999, is a federal law enacted in the U.S. to control the ways that financial institutions deal with the private information of individuals. The Act consists of three sections: the Financial Privacy Rule, which regulates the collection and disclosure of private financial information; the Safeguards Rule, which stipulates that financial institutions must implement security programs to protect such information; and the Pretexting provisions, which prohibit the practice of pretexting.

HIPAA seeks to establish standardized mechanisms for electronic data interchange (EDI), security, and confidentiality of all healthcare-related data. The Act mandates: standardized formats for all patient health, administrative, and financial data; unique identifiers (ID numbers) for each healthcare entity, including individuals, employers, health plans and health care providers; and security mechanisms to ensure confidentiality and data integrity for any information that identifies an individual.
The PCI Data Security Standard was developed by Visa and MasterCard, and endorsed by other payment providers including American Express, Diners Club and Discover. The Standard incorporates the requirements of Visa's Cardholder Information Security Program (CISP) and MasterCard's Site Data Protection (SDP). It requires merchants and member service providers (MSPs) who store, process or transmit cardholder data to build and maintain a secure IT network, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, and regularly monitor and test networks.

Public companies that are subject to the U.S. Sarbanes-Oxley Act of 2002 are required to adopt the following control frameworks: the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Integrated Framework and the IT Governance Institute's Control Objectives for Information and Related Technology (COBIT). In choosing which of the control frameworks to implement in order to comply with Sarbanes-Oxley, the U.S. Securities and Exchange Commission suggests that companies follow the COSO framework. The COSO Internal Control Integrated Framework states that internal control is a process -- established by an entity's board of directors, management, and other personnel -- designed to provide reasonable assurance regarding the achievement of stated objectives. COBIT approaches IT control by looking at information -- not just financial information -- that is needed to support business requirements and the associated IT resources and processes.