Many organizations need to comply with applicable laws and industry standards. Noncompliance can mean fines, jail time for executives or even the end of a business. To achieve compliance, you must focus on controls. Although most common standards are vague about implementation, a few provide detailed documentation to help organizations achieve compliance. For example, NIST provides a guide for complying with federal information standards.
- Contractual, legal, industry standards, and regulatory requirements. Understand the legal systems. Civil law is the most common; rulings from judges typically do not set precedents that affect other cases. With common law, which is used in the USA, Canada, the UK and former British colonies, rulings from judges can set precedents that have significant impact on other cases. An example of religious law is Sharia (Islamic law), which uses the Qur'an and Hadith as the foundation of its laws. Customary law takes common, local and accepted practices and sometimes makes them laws. Within common law, you have criminal law (laws against society) and civil law (typically person vs. person, resulting in monetary compensation from the losing party). Compliance factors into laws, regulations, and industry standards such as Sarbanes-Oxley (SOX), the Gramm-Leach-Bliley Act (GLBA), the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and the Federal Information Security Management Act (FISMA). Many well-known certification programs related to information security cover these standards; familiarize yourself with them by reading their high-level summaries.
- Privacy requirements. Privacy is about the protection of PII. Laws vary. The European Union has tough laws around privacy. Be familiar with the General Data Protection Regulation (GDPR). Be familiar with the requirements around healthcare data, credit card data and other PII as they relate to various countries and their laws and regulations.