IT GRC Process Management Pack SP1 - Release Notes

Oct 29, 2015


IT GRC Process Management Pack SP1 Release Notes

Contents

1. Brief Description of the IT GRC Process Management Pack
2. Getting Started
3. Contents of IT GRC Process Management Pack Download Files
4. Known Issues
5. Feedback
6. Disclaimer
7. Copyright and License Agreement
8. Supported Authority Documents

1. Brief Description of the IT GRC Process Management Pack

The IT GRC Process Management Pack SP1 is a Process Management Pack for Microsoft System Center Service Manager 2010 SP1 that helps provide end-to-end compliance management and automation. The included IT Compliance Management Library contains compliance information that can take advantage of System Center Service Manager's integration with System Center Configuration Manager to monitor, validate, and report on the compliance state of deployed Microsoft products. Together, these solutions help customers understand and bind complex business objectives to their Microsoft infrastructure.

2. Getting Started

See the IT GRC Process Management Pack Getting Started Guide.

3. Contents of IT GRC Process Management Pack Download Files

The following files are available for download on Microsoft Download Center:

ITGRCProcessManagementPack_amd64SP1.exe. This file includes the IT GRC Process Management Pack for 64-bit server installation and 64-bit clients. You will install the IT GRC Process Management Pack on System Center Service Manager 2010 SP1. For more information about doing so, please refer to the IT GRC Process Management Pack Deployment Guide, available in the following ITGRCProcessManagementPack_DocumentationSP1.exe file.

ITGRCProcessManagementPack_x86SP1.exe. This file includes the IT GRC Process Management Pack for 32-bit clients. For more information about installing it, please refer to the IT GRC Process Management Pack Deployment Guide, available in the following ITGRCProcessManagementPack_DocumentationSP1.exe file.

ITGRCProcessManagementPack_DocumentationSP1.exe. This file contains the SP1 documentation for the IT GRC Process Management Pack. It includes the following files:

- IT GRC Process Management Pack Getting Started Guide.docx
- IT GRC Process Management Pack Deployment Guide.docx
- IT GRC Process Management Pack Developers Guide.docx
- IT GRC Process Management Pack Operations Guide.docx
- IT GRC Process Management Pack SP1 Release Notes.rtf

ITGRCProcessManagementPack_AuthoringLibrariesSP1.exe. This file includes the authoring library files that are necessary to customize or extend the IT GRC Process Management Pack. For more information on installing these files and customizing or extending the IT GRC Process Management Pack, see the IT GRC Process Management Pack Developers Guide, available in the ITGRCProcessManagementPack_DocumentationSP1.exe file described earlier in this document.

TestIdSyncTool.exe. This file includes the IT GRC Test ID Sync Tool and the Getting Started Guide for the tool.

4. Known Issues

The following are known functional issues for this release:

- Modifying the compliance applicability groups provided in IT Compliance Management Libraries using the Service Manager Console causes the Service Manager console to abnormally terminate or become unresponsive. (9/30/10)
- Modifying a program's General and Framework tabs at the same time may result in a data conflict error message. To resolve this issue, modify each tab separately and apply the changes separately. (9/30/10)
- After modifying an existing security role property, such as description, a user who is assigned that security role may not be able to select authorized configuration item types such as Computer, Software Items, and Business Services that were previously available. (9/30/10)
- The IT GRC Connector may not complete processing or may hang. To resolve this issue, delete the connector instance and recreate it. (9/30/10)
- The Visual Studio Tools for Office (VSTO) version 3.0 (used by Microsoft Excel in the IT GRC Process Management Pack Client Add-in) does not support 64-bit versions of Microsoft Office System 2010. However, 32-bit versions of Microsoft Office System 2007 and 2010 are supported.
- When a Program Implementer tries to add scope to a program, they may see the following error: "An item with the same key has already been added." The message is misleading because it is a security issue: the PI role cannot add scope to a program.
- The SP1 version of the IT GRC Excel Client can only be used to connect to an SP1 server. The 1.0 version of the Excel Client Add-in can connect to both a v1.0 server and an SP1 server.
- If an unshared risk is created and added into a program, the risk will only be visible to the risk's owner and not visible to the Program Manager. If the risk is added to a category in the program framework, then the risk will be visible to the Program Manager.
- Although it is possible to customize both the Risk Management form and the Control Objective form using the Authoring Tool, the customizations will not display. All other forms should work properly after customization.
- Row deletions in Excel are not allowed.

The following are known performance issues for this release:

- Importing a large number of control objectives and control activities into a program using the Control Import Wizard can take a considerable amount of time. (9/30/10)
- Refreshing or publishing a program in the IT GRC Process Management Pack Client Add-in that is used in Microsoft Excel can take a considerable amount of time if the program contains a large number of control objectives, control activities, or risks. (9/30/10)
- Expanding information on the Framework tab of a program can take a considerable amount of time if the program contains a large number of control objectives, control activities, or risks. (9/30/10)

5. Feedback

Send suggestions and comments about this document to [email protected].

6. Disclaimer

IMPORTANT NOTICE: The Microsoft IT GRC Process Management Pack Service Pack 1 for System Center Service Manager ("the software") is intended to help organizations simplify and automate IT compliance and risk management processes. The software is designed to facilitate compliance activities conducted by your organization's IT professionals, auditors, accountants, attorneys and other compliance professionals. The software does not replace those professionals. The software ships with some control objectives and authority document citations, but these control objectives and citations do not verify or guarantee fulfillment of your organization's compliance obligations. It is the responsibility of your organization to choose the control objectives and authority document citations to use, modify, add or remove based on guidance from your organization's compliance professionals. Reports and any other information provided by or generated from the software do not constitute auditing, accounting, legal or other professional advice. You must consult compliance professionals to confirm compliance with specific governance, risk and compliance (GRC) authority documents.

7. Copyright and License Agreement

This document is provided "as-is". Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it.

Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred.

This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. You may modify this document for your internal, reference purposes.

© 2011 Microsoft Corporation. All rights reserved.

Microsoft and Excel are trademarks of the Microsoft group of companies.

All other trademarks are property of their respective owners.

8. Supported Authority Documents

| # | TITLE | URL LINK |
|---|---|---|
| 1 | 1724 California Civil Code | http://www.leginfo.ca.gov/pub/07-08/bill/asm/ab_0751-0800/ab_779_bill_20070410_amended_asm_v98.pdf |
| 2 | 16 CFR Part 682 Disposal of consumer report information and records | http://www.access.gpo.gov/nara/cfr/waisidx_05/16cfr682_05.html |
| 3 | 49 CFR Part 1542 - Airport Security | http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=4f4fe996be869c46e7a2469576734601&rgn=div5&view=text&node=49:9.1.3.5.10&idno=49 |
| 4 | 6 CFR Ch. I 27.230 Risk-based performance standards | http://edocket.access.gpo.gov/cfr_2009/janqtr/pdf/6cfr27.230.pdf |
| 5 | A Risk Management Standard, jointly issued by AIRMIC, ALARM, and IRM | http://www.theirm.org/publications/documents/Risk_Management_Standard_030820.pdf |
| 6 | ACH (Automated Clearing House) Operating Rules OCC Bulletin 2004-58 | http://www.occ.treas.gov/ftp/bulletin/2004-58.txt |
| 7 | AICPA Incident Response Plan: Template for Breach of Personal Information | http://www.cica.ca/multimedia/Download_Library/Research_Guidance/Privacy/English/Incident_Response_Plan_May_2005.pdf |
| 8 | AICPA SAS No. 94, The Effect of Information Technology on the Auditor's Consideration of Internal Controls | http://www.aicpa.org/pubs/cpaltr/jun2001/auditing.htm |
| 9 | AICPA Suitable Trust Services Principles and Criteria | http://www.aicpa.org/download/trust_services/final-Trust-Services.pdf |
| 10 | AICPA/CICA Privacy Framework | http://ftp.aicpa.org/CSC/infotech/Privacy/3A_01a.pdf |
| 11 | Alaska Personal Information Protection Act, Chapter 48 | http://www.legis.state.ak.us/PDF/25/Bills/HB0065Z.PDF |
| 12 | Amendments to the FTC Telemarketing Sales Rule, 16 CFR Part 310 | http://www.ftc.gov/bcp/rulemaking/tsr/ |
| 13 | American Express Data Security Standard (DSS) | https://www209.americanexpress.com/merchant/singlevoice/dsw/FrontServlet?request_type=dsw&pg_nm=merchinfo&ln=en&frm=US |
| 14 | Appendix III to OMB Circular No. A-130: Security of Federal Automated Information Resources | http://www.whitehouse.gov/omb/circulars/a130/a130appendix_iii.html |
| 15 | Argentina Personal Data Protection Act | http://www.privacyinternational.org/article.shtml?cmd%5B347%5D=x-347-61939 |
| 16 | Arizona Amendment to Arizona Revised Statutes 13-2001, AZ HB 2116 | http://www.azleg.state.az.us/FormatDocument.asp?inDoc=/legtext/46leg/2r/laws/0109.htm |
| 17 | Arizona State Law 44-7501. Notification of breach of security system | http://www.azleg.state.az.us/FormatDocument.asp?inDoc=/ars/44/07501.htm&Title=44&DocType=ARS |
| 18 | Arkansas Code Title 4 Business and Commercial Law Subtitle 7 Consumer Protection, Chapter 110 Personal Information, 4-110-103 thru 4-110-105, Personal Information Protection Act | http://www.arkleg.state.ar.us/SearchCenter/Pages/ArkansasCodeSearchResultPage.aspx?name=4-110-103.Definitions. |
| 19 | Arkansas Personal Information Protection Act AR SB 1167 | ftp://www.arkleg.state.ar.us/acts/2005/public/Act1526.pdf |
| 20 | Army Regulation 380-19: Information Systems Security | http://www.fas.org/irp/doddir/army/r380_19.pdf |
| 21 | AS4360 Australian National Standard on Risk Management | http://www.riskmanagement.com.au/ |
| 22 | Australia Better Practice Guide - Business Continuity Management | http://www.anao.gov.au/uploads/documents/Business_Continuity_Management.pdf |
| 23 | Australia Privacy Act 1988 | http://www.comlaw.gov.au/ComLaw/Legislation/ActCompilation1.nsf/framelodgmentattachments/782CE59D0E879E1ACA2571FE001D50E6 |
| 24 | Australia Spam Act | http://www.austlii.edu.au/au/legis/cth/consol_act/sa200366/ |
| 25 | Australia Spam Act 2003: A practical guide for business | http://www.acma.gov.au/acmainterwr/consumer_info/frequently_asked_questions/spam_business_practical_guide.pdf |
| 26 | Australia Telecommunications Act 1997 | http://www.comlaw.gov.au/ComLaw/Legislation/ActCompilation1.nsf/framelodgmentattachments/40762BCB845F1313CA2570F2007B810C |
| 27 | Australian Government ICT Security Manual (ACSI 33) | http://www.dsd.gov.au/_lib/pdf_doc/acsi33/acsi33_changes_u.rtf |
| 28 | Austria Data Protection Act | http://www.dsk.gv.at/site/6230/default.aspx |
| 29 | Austria Telecommunications Act | http://www.rtr.at/en/tk/TKG2003/TKG_2003_eng.pdf |
| 30 | Aviation and Transportation Security Act, Public Law 107 Released-71, November 2001 | http://www.tsa.gov/assets/pdf/Aviation_and_Transportation_Security_Act_ATSA_Public_Law_107_1771.pdf |
| 31 | Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act) | http://www.occ.treas.gov/handbook/bsa.pdf |
| 32 | Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework | http://www.bis.org/publ/bcbs128.pdf |
| 33 | BBBOnline Code of Online Business Practices | http://www.bbbonline.org/reliability/code/CodeEnglish.doc |
| 34 | Belgian Law of 8 December 1992 on the protection of privacy in relation to the processing of persona | http://www.privacycommission.be/en/static/pdf/wetgeving/privacywet-en-input-website-220109.pdf |
| 35 | BIS Sound Practices for the Management and Supervision of Operational Risk | http://www.bis.org/publ/bcbs96.pdf |
| 36 | BITS Financial Services Roundtable Standardized Information Gathering Questionnaire | http://www.sharedassessments.org/download/files.html |
| 37 | Bosnia Law on Protection of Personal Data | http://www.privacyinternational.org/countries/bosnia/bosnia-dpa.html |
| 38 | BS25999, Guide to Business Continuity Management | http://www.thebci.org/pas56.htm |
| 39 | Business Continuity Institute (BCI) Good Practice Guidelines | http://www.thebci.org/goodpracticeguidetoBCM.pdf |
| 40 | CA Civil Code 1798.84 | http://www.leginfo.ca.gov/cgi-bin/displaycode?section=civ&group=01001-02000&file=1798.80-1798.84 |
| 41 | CA Government Code Chapter 13 Miscellaneous Powers 26200-26230 | http://www.leginfo.ca.gov/cgi-bin/displaycode?section=gov&group=26001-27000&file=26200-26230 |
| 42 | Cable Communications Privacy Act Title 47 551 | http://www4.law.cornell.edu/uscode/html/uscode47/usc_sec_47_00000551----000-.html |
| 43 | California Civil Code 1798.91 State Prohibitions on Marketing Practices using Medical Information | http://www.leginfo.ca.gov/cgi-bin/displaycode?section=civ&group=01001-02000&file=1798.91 |
| 44 | California Civil Code Title 1.8 Personal Data Chapter 1 Information Practices Act of 1977 Article 7. Accounting of Disclosures 1798.25-1798.29 | http://www.leginfo.ca.gov/cgi-bin/displaycode?section=civ&group=01001-02000&file=1798.25-1798.29 |
| 45 | California Civil Code Title 1.81 Customer Records 1798.80-1798.84 | http://www.leginfo.ca.gov/cgi-bin/displaycode?section=civ&group=01001-02000&file=1798.80-1798.84 |
| 46 | California Financial Information Privacy Act: Senate Bill 1 (Speier & Burton) | http://www.privacyrights.org/ar/SB1Info.htm |
| 47 | California General Security Standard for Businesses CA AB 1950 | http://info.sen.ca.gov/pub/03-04/bill/asm/ab_1901-1950/ab_1950_bill_20040929_chaptered.pdf |
| 48 | California Information Practice Act, CA SB 1386 | http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html |
| 49 | California OPP Recommended Practices on Notification of Security Breach | http://www.oispp.ca.gov/consumer_privacy/pdf/secbreach.pdf |
| 50 | California Personal Information: Disclosure to Direct Marketers Act (SB 27) | http://info.sen.ca.gov/cgi-bin/postquery?bill_number=sb_27&sess=0304&house=B&site=sen |
| 51 | California Public Records Military Veteran Discharge Documents, California Assembly Bill 1798 | http://info.sen.ca.gov/pub/01-02/bill/asm/ab_1751-1800/ab_1798_bill_20020424_amended_asm.pdf |
| 52 | California Public Records Military Veteran Discharge Documents, California Assembly Bill 1798 | http://info.sen.ca.gov/pub/01-02/bill/asm/ab_1751-1800/ab_1798_bill_20020626_amended_sen.pdf |
| 53 | California Senate Bill 20 (2009, Simitian), An act to amend Sections 1798.29 and 1798.82 of the Civil Code, relating to personal information | http://info.sen.ca.gov/pub/09-10/bill/sen/sb_0001-0050/sb_20_bill_20090908_enrolled.html |
| 54 | Canada Keeping the Promise for a Strong Economy Act, Bill 198 | http://www.ontla.on.ca/web/bills/bills_detail.do?locale=en&BillID=1067&isCurrent=false&ParlSessionID=37%3A3 |
| 55 | Canada Personal Information Protection Electronic Documents Act (PIPEDA) | http://laws.justice.gc.ca/en/ShowTdm/cs/P-8.6///en |
| 56 | Canada Privacy Act | http://laws.justice.gc.ca/en/ShowTdm/cs/p-21///en |
| 57 | Canadian Marketing Association Code of Ethics and Standards of Practice | http://www.the-cma.org/?WCE=C=47%7CK=225849 |
| 58 | Center for Internet Security Mac OS X Tiger Level I Security Benchmark | http://www.cisecurity.org/bench_macosx.html |
| 59 | Center for Internet Security Open Enterprise Server: NetWare (v1) Consensus Baseline Security Settings | http://www.cisecurity.org/bench_novell.html |
| 60 | Central Bank of Argentina A4609 | |
| 61 | Central Bank of Brazil 3380 | |
| 62 | CERT Operationally Critical Threat, Asset & Vulnerability Evaluation (OCTAVE) | http://www.cert.org/octave/ |
| 63 | Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security, 6 CFR Part 27 | http://www.dhs.gov/xprevprot/laws/gc_1166796969417.shtm |
| 64 | Children's Online Privacy Protection Act (COPPA), 16 CFR 312 | http://www.gpo.gov/nara/cfr/waisidx_03/16cfr312_03.html |
| 65 | Children's Online Privacy Protection Act of 1998 | http://www.ftc.gov/ogc/coppa1.htm |
| 66 | CI Security AIX Benchmark v1.0 | http://www.cisecurity.org/bench_aix.html |
| 67 | CI Security FreeBSD Benchmark v1.0 | http://www.cisecurity.org/bench_freebsd.html |
| 68 | CI Security HP-UX Benchmark v1.3 | http://www.cisecurity.org/bench_hpux.html |
| 69 | CI Security Persistent Identifiers | |
| 70 | CI Security Red Hat Enterprise Linux Benchmark v1.0 | http://www.cisecurity.org/bench_linux.html |
| 71 | CI Security Red Hat Enterprise Linux Benchmark v1.0.5 | http://www.cisecurity.org/bench_linux.html |
| 72 | CI Security Slackware Linux Benchmark v1.1 | http://www.cisecurity.org/bench_linux.html |
| 73 | CI Security Solaris 10 Benchmark | http://www.cisecurity.org/bench_solaris.html |
| 74 | CI Security Solaris Benchmark v1.3 | http://www.cisecurity.org/bench_solaris.html |
| 75 | CI Security SuSE Linux Enterprise Server Benchmark v1.0 | http://www.cisecurity.org/bench_linux.html |
| 76 | CI Security Windows 2000 | http://www.cisecurity.org/bench_windows.html |
| 77 | CI Security Windows 2000 Professional | http://www.cisecurity.org/bench_windows.html |
| 78 | CI Security Windows 2000 Server | http://www.cisecurity.org/bench_windows.html |
| 79 | CI Security Windows NT | http://www.cisecurity.org/bench_windows.html |
| 80 | CI Security Windows Server 2003 Domain Controllers | http://www.cisecurity.org/bench_windows.html |
| 81 | CI Security Windows Server 2003 Member Servers | http://www.cisecurity.org/bench_windows.html |
| 82 | CI Security Windows XP Professional SP1/SP2 | http://www.cisecurity.org/bench_windows.html |
| 83 | CIS iPhone 2.2.1 Benchmark | https://community.cisecurity.org/download/?redir=/iphone/CIS_iPhone_2.2.1_Benchmark_v1.0.0.pdf |
| 84 | CISWG Information Security Program Elements | http://www.cisecurity.org/Documents/BPMetricsTeamReportFinal111704Rev11005.pdf |
| 85 | Clinger-Cohen Act (Information Technology Management Reform Act) | http://www.cio.gov/Documents/it_management_reform_act_Feb_1996.html |
| 86 | CMS Business Partners Systems Security Manual | http://www.cms.hhs.gov/manuals/downloads/117_systems_security.pdf |
| 87 | CMS Core Security Requirements (CSR) | http://wedi.org/cmsUploads/pdfUpload/WEDIBulletin/pub/Copy_of_CSR_HIPAAMatrixFeb05final.pdf |
| 88 | CMS Information Security Acceptable Risk Safeguards (ARS) | http://www.cms.hhs.gov/InformationSecurity/Downloads/ars.pdf |
| 89 | CMS Information Security Risk Assessment _IS RA_ Procedure | http://www.cms.hhs.gov/informationsecurity/downloads/IS_RA_Procedure.pdf |
| 90 | CobiT | http://www.isaca.org/Content/NavigationMenu/Members_and_Leaders/COBIT6/Obtain_COBIT/Obtain_COBIT.htm |
| 91 | CobiT 4.1 | http://www.isaca.org/Content/NavigationMenu/Members_and_Leaders/COBIT6/Obtain_COBIT/Obtain_COBIT.htm |
| 92 | Code of Alabama, Article 10 The Consumer Identity Protection Act, 13A-8-190 thru 13A-8-201 | http://alisondb.legislature.state.al.us/acas/CodeOfAlabama/1975/147638.htm |
| 93 | CODE OF CORPORATE GOVERNANCE 2005 | http://www.ecgi.org/codes/documents/singapore_ccg_2005.pdf |
| 94 | Colorado Consumer Credit Solicitation Protection, CO HB 04-1274 | http://www.state.co.us/gov_dir/leg_dir/olls/sl2004a/sl_205.htm |
| 95 | Colorado Disposal of Personal Identifying Documents C.R.S. 6-1-713 | http://www.michie.com/colorado/lpext.dll/cocode/2/98ff/9921/9923/9cc7/9dbf?f=templates&fn=document-frame.htm&2.0#JD_6-1-713 |
| 96 | Colorado Prohibiting Inclusion of Social Security Number, CO HB 04-1311 | http://www.state.co.us/gov_dir/leg_dir/olls/sl2004a/sl_393.htm |
| 97 | Colorado Prohibition against Using Identity Information for Unlawful Purpose, CO HB 04-1134 | http://www.state.co.us/gov_dir/leg_dir/olls/sl2004a/sl_365.htm |
| 98 | Colorado Revised Statutes 6-1-716, Notice of Security Breach | http://www.michie.com/colorado/lpext.dll?f=templates&fn=main-h.htm&cp= |
| 99 | Colorado Revised Statutes Title 16 Article 5 Section 103 Identity theft victims - definitions | http://www.michie.com/colorado/lpext.dll/cocode/2/29af3/29b24/2a406/2a420/2a43e?f=templates&fn=document-frame.htm&2.0#JD_16-5-103 |
| 100 | Common Configuration Enumeration: Unique Identifiers for Common System Configuration Issues | http://cce.mitre.org/lists/data/downloads/cce-COMBINED-5.20090506.xls |
| 101 | Common Configuration Enumeration: Unique Identifiers for Common System Configuration Issues | http://cce.mitre.org/lists/cce_list.html |
| 102 | Computer Fraud and Abuse Act | http://www.law.cornell.edu/uscode/18/1030.html |
| 103 | Computer Security Incident Handling Guide, NIST SP 800-61 | http://csrc.nist.gov/publications/nistpubs/800-61-rev1/SP800-61rev1.pdf |
| 104 | Connecticut law Concerning Nondisclosure of Private Tenant Information, CT HB 5184 | http://www.cga.ct.gov/2004/act/Pa/2004PA-00119-R00HB-05184-PA.htm |
| 105 | Connecticut law Requiring Consumer Credit Bureaus to Offer Security Freezes, CT SB 650 | http://www.cga.ct.gov/2005/act/Pa/2005PA-00148-R00SB-00650-PA.htm |
| 106 | Connecticut Public Act 08-167, An Act Concerning the Confidentiality of Social Security Numbers | http://www.cga.ct.gov/2008/ACT/Pa/pdf/2008PA-00167-R00HB-05658-PA.pdf |
| 107 | Connecticut State Law Sec. 36a-701b. Breach of security re computerized data containing personal information. Disclosure of breach. Delay for criminal investigation. Means of notice. Unfair trade prac | http://www.cga.ct.gov/2009/pub/chap669.htm#Sec36a-701b.htm |
| 108 | Consumer Interests in the Telecommunications Market, Act No. 661 | http://en.itst.dk/numbering-issues-and-domain-aspects/legal-matters |
| 109 | Contingency Planning Guide for Information Technology Systems, NIST SP 800-34 | http://csrc.nist.gov/publications/nistpubs/800-34/sp800-34.pdf |
| 110 | Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 | http://www.spamlaws.com/f/pdf/pl108-187.pdf |
| 111 | Controls and Procedures, SEC 17 CFR 240.15d-15 | http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr;sid=c446d97494e9cd1d9bd0f1c628456f00;rgn=div8;view=text;node=17%3A3.0.1.1.1.2.87.310;idno=17;cc=ecfr |
| 112 | Corporate Governance in listed Companies Clause 49 of the Listing Agreement | http://www.bseindia.com/downloads/CorpGov281004.zip |
| 113 | Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Ref | http://net.educause.edu/ir/library/pdf/CSD3661.pdf |
| 114 | Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004 | http://www.comlaw.gov.au/comlaw/management.nsf/lookupindexpagesbyid/IP200402596?OpenDocument |
| 115 | COSO Enterprise Risk Management (ERM) Integrated Framework (2004) | https://www.cpa2biz.com/CS2000/Products/CPA2BIZ/Publications/COSO+Enterprise+Risk+Management+-+Integrated+Framework.htm |
| 116 | Creating a Patch and Vulnerability Management Program, NIST SP 800-40 | http://csrc.nist.gov/publications/nistpubs/800-40-Ver2/SP800-40v2.pdf |
| 117 | C-TPAT Supply Chain Security Best Practices Catalog | http://www.pac-am.com/docs/CTPATBestPractices.pdf |
| 118 | Customs-Trade Partnership Against Terrorism (C-TPAT) Importer Security Criteria | http://www.cbp.gov/xp/cgov/trade/cargo_security/ctpat/security_criteria/criteria_importers/ctpat_importer_criteria.xml |
| 119 | Czech Republic Personal Data Protection Act | http://ec.europa.eu/justice_home/fsj/privacy/docs/implementation/czech_republic_act_101_en.pdf |
| 120 | Defense Industrial Base Information Assurance Standard | http://www.dhs.gov/xlibrary/assets/DIB_SSP_5_21_07.pdf |
| 121 | Defense Information Systems Agency UNISYS Security Technical Implementation Guide Version 7 Release 2 | http://iase.disa.mil/stigs/stig/UNISYS-STIG-V7R2.doc |
| 122 | Defense Information Systems Agency UNIX Security Technical Implementation Guide Version 5 Release 1 | http://iase.disa.mil/stigs/stig/unix-stig-v5r1.pdf |
| 123 | Delaware Code TITLE 6 Commerce and Trade, Subtitle II Other Laws Relating to Commerce and Trade, Chapter 12B. Computer Security Breaches, 12B-101 thru 104 | http://delcode.delaware.gov/title6/c012b/index.shtml |
| 124 | Denmark Act on Competitive Conditions and Consumer Interests | http://en.vtu.dk/acts/act-on-competitive-conditions-and-consumer-interest-in-the-telecommunications-market-a7114 |
| 125 | Denmark, The Act on Processing of Personal Data | http://www.datatilsynet.dk/english/the-act-on-processing-of-personal-data/ |
| 126 | Design Criteria Standard for Electronic Records Management Software Application, DOD 5015.2 | http://jitc.fhu.disa.mil/recmgt/p50152s2.pdf |
| 127 | Direct Marketing Association Privacy Promise | http://www.the-dma.org/privacy/index.shtml |
| 128 | Directive 2003/4/EC Of The European Parliament | http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2003:041:0026:0032:EN:PDF |
| 129 | DISA Secure Remote Computing Security Technical Implementation Guide version 1.2 | http://iase.disa.mil/stigs/stig/src-stig-v1r2.pdf |
| 130 | DISA Windows Server 2003 Security Checklist Version 6 Release 1.11 | http://iase.disa.mil/stigs/stig/win2k-XP-03-vista-addendumv6r1-052107.doc |
| 131 | DISA Windows VISTA Security Checklist | http://iase.disa.mil/stigs/stig/win2k-XP-03-vista-addendumv6r1-052107.doc |
| 132 | DISA Windows XP Security Checklist | http://iase.disa.mil/stigs/checklist/windows_xp_checklist_v6r1-11_20090424.zip |
| 133 | DISA Windows XP Security Checklist Version 6 Release | http://iase.disa.mil/stigs/checklist/unclassified_windows_xp_checklist_v6r1.14_20091023.zip |
| 134 | DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2 | http://iase.disa.mil/stigs/stig/wireless_stig_v5r2.pdf |
| 135 | DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2 | http://iase.disa.mil/stigs/checklist/wireless_stig_apriva_sensa_checklist_v5r2-2_final_14apr2009.pdf |
| 136 | DISA WIRELESS STIG BLACKBERRY SECURITY CHECKLIST, Version 5, Release 2.4 | http://iase.disa.mil/stigs/checklist/wireless_stig_blackberry_checklist_v5r2.4_14apr2009.zip |
| 137 | DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, V5R2.3 | http://iase.disa.mil/stigs/checklist/wireless_stig_good_mobile_messaging_checklist_v5r2-3_final_14apr2009.pdf |
| 138 | DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5, Release 2.4 | http://iase.disa.mil/stigs/checklist/wireless_stig_windows_mobile_messaging_checklist_v5r2-4_final_14apr2009.pdf |
| 139 | Disaster / Emergency Management and Business Continuity, NFPA 1600 | http://www.nfpa.org/assets/files/pdf/nfpa1600.pdf |
| 140 | District of Columbia Official Code, Division V Local Business Affairs, Title 28. Commercial Instruments and Transactions, Chapter 38. Consumer Protections, Subchapter II. Consumer Security Breach Noti | http://www.dccouncil.washington.dc.us/images/00001/20061218135855.pdf |
| 141 | DOT Physical Security Survey Checklist | http://transit-safety.volpe.dot.gov/training/Archived/EPSSeminarReg/CD/Documents/OHIO_DOT/physicalsecurity.doc |
| 142 | Driver's Privacy Protection Act (DPPA), 18 USC 2721 | http://www4.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00002721----000-.html |
| 143 | EFT (Electronic Fund Transfer) Act (Reg. E) SEC 12 CFR 205 | http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=635f26c4af3e2fe4327fd25ef4cb5638&tpl=/ecfrbrowse/Title12/12cfr205_main_02.tpl |
| 144 | Equal Credit Opportunity Act (Reg. B) | http://www.fdic.gov/regulations/laws/rules/6500-2900.html |
| 145 | Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST Special Publication 800-97 | http://csrc.nist.gov/publications/nistpubs/800-97/SP800-97.pdf |
| 146 | EU 8th Directive (European SOX) | http://www.8th-company-law-directive.com/8thCompanyLaw.htm |
| 147 | EU Directive on Data Protection, 95/46/EC | http://www.cdt.org/privacy/eudirective/EU_Directive_.html |
| 148 | EU Directive on Privacy and Electronic Communications, 2002/58/EC | http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:EN:HTML |
| 149 | Fair and Accurate Credit Transactions Act of 2003 (FACT Act) | http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=108_cong_public_laws&docid=f:publ159.108 |
| 150 | Fair Credit Reporting Act (FCRA) | http://www.ftc.gov/os/statutes/031224fcra.pdf |
| 151 | Family Education Rights Privacy Act (FERPA), 20 USC 1232 | http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr;sid=432bbda77876ee638be366c1091527ec;rgn=div5;view=text;node=34%3A1.1.1.1.34;idno=34;cc=ecfr |
| 152 | FDA Electronic Records; Electronic Signatures FDA 21 CFR Part 11+D1 | http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=a486dc03a379dd084f837db8a3150cf2&rgn=div5&view=text&node=21:1.0.1.1.7&idno=21 |
| 153 | FDCC SCAP OVAL Patches - IE7 | http://nvd.nist.gov/chklst_detail.cfm?config_id=171 |
| 154 | Federal Information Security Management Act of 2002 (FISMA) | http://csrc.nist.gov/drivers/documents/FISMA-final.pdf |
| 155 | Federal Information System Controls Audit Manual (FISCAM) | http://www.gao.gov/new.items/d09232g.pdf |
| 156 | Federal Rules of Civil Procedure (2007) | http://www.law.cornell.edu/rules/frcp/ |
| 157 | FERC Security Program for Hydropower Projects | http://www.ferc.gov/industries/hydropower/safety/guidelines/security/securitytext.pdf |
| 158 | FFIEC Guidance on Authentication in an Internet Banking Environment | http://www.ffiec.gov/pdf/authentication_guidance.pdf |
| 159 | FFIEC IT Examination Handbook Audit | http://www.ffiec.gov/ffiecinfobase/booklets/audit/audit.pdf |
| 160 | FFIEC IT Examination Handbook Business Continuity Planning | http://www.ffiec.gov/ffiecinfobase/booklets/bcp/bus_continuity_plan.pdf |
| 161 | FFIEC IT Examination Handbook Development and Acquisition | http://www.ffiec.gov/ffiecinfobase/booklets/d_a/d_and_a.pdf |
| 162 | FFIEC IT Examination Handbook E-Banking | http://www.ffiec.gov/ffiecinfobase/booklets/e_banking/e_banking.pdf |
| 163 | FFIEC IT Examination Handbook Information Security | http://www.ffiec.gov/ffiecinfobase/booklets/information_security/information_security.pdf |
| 164 | FFIEC IT Examination Handbook Management | http://www.ffiec.gov/ffiecinfobase/booklets/mang/mang.pdf |
| 165 | FFIEC IT Examination Handbook Operations | http://www.ffiec.gov/ffiecinfobase/booklets/operations/operation.pdf |
| 166 | FFIEC IT Examination Handbook Outsourcing Technology Services | http://www.ffiec.gov/ffiecinfobase/booklets/outsourcing/Outsourcing_Booklet.pdf |
| 167 | FFIEC IT Examination Handbook Retail Payment Systems | http://www.ffiec.gov/ffiecinfobase/booklets/Retail/retail.pdf |
| 168 | FFIEC IT Examination Handbook Supervision of Technology Service Providers | http://www.ffiec.gov/ffiecinfobase/booklets/tsp/tech_ser_provider.pdf |
| 169 | FFIEC IT Examination Handbook Wholesale Payment Systems | http://www.ffiec.gov/ffiecinfobase/booklets/Wholesale/whole.pdf |
| 170 | Financial Reporting Council, Combined Code on Corporate Governance | http://www.frc.org.uk/documents/pagemanager/frc/Combined_Code_June_2008/Combined%20Code%20Web%20Optimized%20June%202008(2).pdf |
| 171 | Finland act on the amendment of the Personal Data Act (986/2000) | http://www.tietosuoja.fi/uploads/p9qzq7zr3xxmm9j.rtf |
| 172 | Finland Act on the Protection of Privacy in Electronic Communications | http://www.finlex.fi/en/laki/kaannokset/2004/en20040516.pdf |
| 173 | Finland Personal Data Protection Act (523/1999) | http://www.tietosuoja.fi/uploads/hopxtvf.HTM |
| 174 | FIPS 140-2, Security Requirements for Cryptographic Modules | http://csrc.nist.gov/publications/fips/fips140-2/Fips140-2.zip |
| 175 | FIPS 191, Guideline for the Analysis of Local Area Network (LAN) Security | http://csrc.nist.gov/publications/fips/fips191/fips191.pdf |
| 176 | FIPS 199, Standards for Security Categorization of Federal Information and Information Systems | http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf |
| 177 | FIPS 200, Minimum Security Requirements for Federal Information and Information Systems | http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf |
| 178 | Florida Personal Identification Information/Unlawful Use, FL HB 481 | http://www.myfloridahouse.gov/Sections/Bills/billsdetail.aspx?BillId=15974 |
| 179 | Florida Statute 817.5681 Breach of security concerning confidential personal information in third-party possession | http://www.leg.state.fl.us/statutes/index.cfm?mode=View%20Statutes&SubMenu=1&App_mode=Display_Statute&Search_String=breach+of+security&URL=CH0817/Sec5681.HTM |
| 180 | France Data Processing, Data Files and Individual Liberties | http://www.cnil.fr/fileadmin/documents/en/Act78-17VA.pdf |
| 181 | FTC Electronic Signatures in Global and National Commerce Act (ESIGN) | http://www.ftc.gov/os/2001/06/esign7.htm |
| 182 | FTC FACT Act Red Flags Rule Template | http://www.finra.org/Industry/Issues/CustomerInformationProtection/p118480 |
| 183 | GAO/PCIE Financial Audit Manual (FAM) | http://www.gao.gov/special.pubs/gaopcie/ |
| 184 | General Laws of Massachusetts, Part I, Title XV Chapter 93H, Security Breaches | http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm |
| 185 | Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14 | http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf |
| 186 | Georgia Code Title 10 Chapter 1 Article 34 10-1-911 thru 10-1-915 Notification required upon breach of security regarding personal information | http://www.legis.state.ga.us/legis/2005_06/fulltext/sb230.htm |
| 187 | Georgia Public employees; Fraud, Waste, and Abuse, GA HB 656 | http://www.legis.state.ga.us/legis/2005_06/fulltext/hb656.htm |
| 188 | German Corporate Governance Code ("The Code") | http://www.corporate-governance-code.de/eng/download/E_Kodex%202008_final.pdf |
| 189 | German Federal Data Protection Act | http://www.bdd.de/Download/bdsg_eng.pdf |
| 190 | Gramm-Leach-Bliley Act (GLB) | http://www.ftc.gov/privacy/glbact/glbsub1.htm |
| 191 | Greece Law Protection of personal data and privacy in electronic telecommunications sector (Law 3471) | http://www.dpa.gr/pls/portal/docs/PAGE/APDPX/ENGLISH_INDEX/LEGAL%20FRAMEWORK/LAW%203471-2006-EN.PDF |
| 192 | Guidance for Protecting Building Environments from Airborne Chemical, Biological, or Radiological Attacks, NIOSH, May 2002, DHHS (NIOSH) Publication No. 2002-139 | http://www.cdc.gov/niosh/docs/2002-139/pdfs/2002-139.pdf |
| 193 | Guidance for Securing Microsoft Windows XP Systems for IT Professionals, NIST SP 800-68 | http://csrc.nist.gov/itsec/SP800-68r1.pdf |
| 194 | Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A | http://csrc.nist.gov/publications/nistpubs/800-53A/SP800-53A-final-sz.pdf |
| 195 | Guide for Developing Performance Metrics for Information Security, NIST SP 800-80 | http://csrc.nist.gov/publications/drafts.html#sp800-80 |
| 196 | Guide for Developing Security Plans for Federal Information Systems, NIST SP 800-18 | http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1-final.pdf |
| 197 | Guide for Mapping Types of Information and Information Systems to Security Categories, NIST SP 800-60 | http://csrc.nist.gov/publications/nistpubs/800-60-rev1/SP800-60_Vol2-Rev1.pdf |
| 198 | Guide to Bluetooth Security, NIST Special Publication 800-121 | http://csrc.nist.gov/publications/nistpubs/800-121/SP800-121.pdf |
| 199 | Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), NIST SP 800-122 | http://csrc.nist.gov/publications/drafts/800-122/Draft-SP800-122.pdf |
| 200 | Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48 Revision 1 | http://csrc.nist.gov/publications/nistpubs/800-48-rev1/SP800-48r1.pdf |
| 201 | Guidelines for Media Sanitization, NIST Special Publication 800-88 | http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf |
| 202 | Guidelines on Cell Phone and PDA Security, NIST Special Publication 800-124 | http://csrc.nist.gov/publications/nistpubs/800-124/SP800-124.pdf |
| 203 | Guidelines on Firewalls and Firewall Policy, NIST SP 800-41 | http://csrc.nist.gov/publications/nistpubs/800-41/sp800-41.pdf |
| 204 | Hawaii Exempting disclosure of Social Security numbers HI HB 2674 | http://www.capitol.hawaii.gov/session2004/bills/hb2674_cd1_.htm |
| 205 | Hawaii Revised Statute 487N. Security Breach of Personal Information | http://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487N/ |
| 206 | Health Insurance Portability and Accountability Act of 1996 (HIPAA) | http://www.cms.hhs.gov/HIPAAGenInfo/Downloads/HIPAALaw.pdf |
| 207 | HIPAA HCFA Internet Security Policy | http://csrc.nist.gov/groups/SMA/fasp/documents/policy_procedure/internet_policy.pdf |
| 208 | HMG Security Policy Framework | http://www.cabinetoffice.gov.uk/media/207318/hmg_security_policy.pdf |
| 209 | Hong Kong Personal Data (Privacy) Ordinance | http://www.pco.org.hk/textonly/english/ordinance/section_01.html |
| 210 | Hungary Protection of Personal Data and Disclosure of Data of Public Interest | http://abiweb.obh.hu/dpc/index.php?menu=gyoker/relevant/national/1992_LXIII |
| 211 | Iceland Protection of Privacy as regards the Processing of Personal Data | http://www.personuvernd.is/information-in-english/greinar//nr/438 |
| 212 | Idaho Code Title 28 Commercial Transactions, Chapter 51 Identity Theft | http://www3.state.id.us/idstat/TOC/28051KTOC.html |
| 213 | Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003 | http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf |
| 214 | IIA Global Technology Audit Guide (GTAG): Auditing Application Controls | http://www.theiia.org/guidance/standards-and-guidance/ippf/practice-guides/gtag/gtag8/ |
| 215 | IIA Global Technology Audit Guide (GTAG): Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment | http://www.theiia.org/guidance/standards-and-guidance/ippf/practice-guides/gtag/gtag3/ |
| 216 | IIA Global Technology Audit Guide (GTAG): Information Technology | |
Controlshttp://www.theiia.org/guidance/standards-and-guidance/ippf/practice-guides/gtag/gtag1/217IIA Global Technology Audit Guide (GTAG): Information Technology Outsourcinghttp://www.theiia.org/guidance/standards-and-guidance/ippf/practice-guides/gtag/gtag7/218IIA Global Technology Audit Guide (GTAG): Management of IT Auditinghttp://www.theiia.org/guidance/standards-and-guidance/ippf/practice-guides/gtag/gtag4/219IIA Global Technology Audit Guide (GTAG): Managing and Auditing IT Vulnerabilitieshttp://www.theiia.org/guidance/standards-and-guidance/ippf/practice-guides/gtag/gtag6/220IIA Global Technology Audit Guide (GTAG): Managing and Auditing Privacy Riskshttp://www.theiia.org/guidance/standards-and-guidance/ippf/practice-guides/gtag/gtag5/221IIA Global Technology Audit Guide (GTAG):Change and Patch Management Controls: Critical for Organizational Successhttp://www.theiia.org/guidance/standards-and-guidance/ippf/practice-guides/gtag/gtag2/222Illinois Compiled Statutes, Chapter 815, ILCS 530/Personal Information Protection Act.http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&ChapAct=815%26nbsp%3BILCS%26nbsp%3B530%2F&ChapterID=67&ChapterName=BUSINESS+TRANSACTIONS&ActName=Personal+Information+Protection+Act%2E223Illinois Personal Information Protection Act IL HB 1633http://www.ilga.gov/legislation/publicacts/fulltext.asp?Name=094-0036224Implementation Guide for OMB Circular A-123 Managements Responsibility for Internal Controlhttp://www.cfoc.gov/index.cfm?function=specdoc&id=Implementation%20Guide%20for%20OMB%20Circular%20A-123&structure=OMB%20Documents%20and%20Guidance&category=Guides225India Information Technology Act (ITA-2000)http://www.naavi.org/ita_2006/compare_ita2000_vs_ita2006/index.htm226Indiana Code 24, Article 4.9. 
Disclosure of Security Breachhttp://www.in.gov/legislative/ic/code/title24/ar4.9/227Indiana Code 24, Notice of Security Breach, Chapter 11http://www.in.gov/legislative/ic/code/title4/ar1/ch11.html228Indiana Release of Social Security Number, Notice of Security Breach IN SB 503http://www.in.gov/legislative/bills/2005/SE/SE0503.1.html229Information Technology Risk Management Program (IT-RMP) New Information Technology Examination Procehttp://www.fdic.gov/news/news/financial/2005/fil8105.html230Information Technology Security Evaluation Criteria (ITSEC)http://www.iwar.org.uk/comsec/resources/standards/itsec.htm231Information Technology Security Evaluation Manual (ITSEM)http://www.bsi.bund.de/zertifiz/itkrit/itsem-en.pdf232Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Noticehttp://www.fdic.gov/news/news/financial/2005/fil2705a.html233Internal Revenue Manual (IRM)http://www.irs.gov/irm/234Internet Security: Distributed Denial of Service Attacks OCC Alert 2000-1http://www.occ.treas.gov/ftp/alert/2000-1.txt235Introductory Resource Guide for HIPAA NIST Special Publication 800-66http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf236Iowa Code Annotated 614.4ahttp://coolice.legis.state.ia.us/Cool-ICE/default.asp?category=billinfo&service=IowaCode&ga=83&input=614#614.4A237Iowa Code Annotated 714.16B Civil Cause of Actionhttp://www.legis.state.ia.us/IACODE/2001SUPPLEMENT/714/16B.html238Iowa Code Annotated 715C Personal Information Security Breach Protectionhttp://coolice.legis.state.ia.us/Cool-ICE/default.asp?category=billinfo&service=IowaCode&ga=83239Ireland Consolidated Data Protection Acts of 1988 and 2003http://www.dataprotection.ie/documents/legal/DPAConsolMay09.pdf240Ireland Data Protection Act of 1988http://www.irishstatutebook.ie/1988/en/act/pub/0025/index.html241Ireland Data Protection Amendment 2003http://www.irishstatutebook.ie/2003/en/act/pub/0006/index.html242IRS Internal Revenue 
Code Section 501(c)(3)http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=browse_usc&docid=Cite:+26USC501243IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Informationhttp://www.irs.gov/pub/irs-pdf/p1075.pdf244IRS Revenue Procedure: Record retention: automatic data processing, 98-25http://www.unclefed.com/Tax-Bulls/1998/rp98-25.pdf245IRS Revenue Procedure: Retention of books and records, 97-22http://www.recapinc.com/irs_97-22.htm246ISACA Cross-Border Privacy Impact Assessmenthttp://www.isaca.org/Template.cfm?Section=Home&CONTENTID=17226&TEMPLATE=/ContentManagement/ContentDisplay.cfm247ISACA IS Standards, Guidelines, and Procedures for Auditing and Control Professionalshttp://www.isaca.org/AMTemplate.cfm?Section=Standards2&Template=/ContentManagement/ContentDisplay.cfm&ContentID=27785248ISF Security Audit of Networks249ISF Standard of Good Practice for Information Securityhttps://www.isfsecuritystandard.com/SOGP07/index.htm250ISO 13335-1:2004, Information technology Security techniques Management of information and communications technology security Part 1: Concepts and models for information and communications technhttp://www.iso.ch/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=39066251ISO 13335-3:1998, Information technology Guidelines for the management of IT Security Part 3: Techniques for the management of IT Securityhttp://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=21756252ISO 13335-4:2000, Information technology Guidelines for the management of IT Security Part 4: Selection of safeguardshttp://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=29240253ISO 13335-5:2001, Information technology Guidelines for the management of IT Security Part 5: Management guidance on network securityhttp://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=31142254ISO 
15489-1:2001, Information and Documentation: Records management: Part 1: Generalhttp://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=31908255ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelineshttp://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=35845256ISO 17799:2000, Code of Practice for Information Security Managementhttp://www.iso.ch/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=39612&ICS1=35&ICS2=40&ICS3=257ISO 17799:2005 Code of Practice for Information Security Managementhttp://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=39612&ICS1=35&ICS2=40&ICS3=258ISO 27001:2005, Information Security Management Systems - Requirementshttp://www.iso.ch/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=42103&ICS1=35&ICS2=40&ICS3259ISO 73:2002, Risk Management - Vocabularyhttp://www.iso.ch/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=34998260ISO/IEC 15408-1:2005 Common Criteria for Information Technology Security Evaluation Part 1http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=40612&ICS1=35&ICS2=40&ICS3=261ISO/IEC 15408-2:2008 Common Criteria for Information Technology Security Evaluation Part 2http://www.iso.org/iso/iso_catalogue/catalogue_ics/catalogue_detail_ics.htm?csnumber=46414262ISO/IEC 15408-3:2008 Common Criteria for Information Technology Security Evaluation Part 3http://www.iso.org/iso/iso_catalogue/catalogue_ics/catalogue_detail_ics.htm?csnumber=46413263ISO/IEC 18045:2005 Common Methodology for Information Technology Security Evaluation Part 3http://www.iso.org/iso/iso_catalogue/catalogue_ics/catalogue_detail_ics.htm?csnumber=46412264ISO/IEC 18045:2008 Common Methodology for Information Technology Security Evaluationhttp://www.iso.org/iso/iso_catalogue/catalogue_ics/catalogue_detail_ics.htm?csnumber=46412265ISO/IEC 20000-1:2005 Information technology - Service Management Part 
1http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=41332266ISO/IEC 20000-2:2005 Information technology - Service Management Part 2http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=41333267ISO/IEC 27002-2005 Code of practice for information security managementhttp://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=50297268ISSA Generally Accepted Information Security Principles (GAISP)http://all.net/books/standards/GAISP-v30.pdf269IT Baseline Protection Manual Standard Security Safeguards Germanyhttp://www.iwar.org.uk/comsec/resources/standards/germany/itbpm/menue.htm270IT Service Management Standard - Code of Practice, BS ISO/IEC 20000-2:2005http://20000.standardsdirect.org/271IT Service Management Standard , BS ISO/IEC 20000-1:2005http://20000.standardsdirect.org/272Italy Personal Data Protection Codehttp://www.garanteprivacy.it/garante/document?ID=311066273Italy Protection of Individuals Other Subject with regard to the Processing of Personal Datahttp://www.euroacustici.org/eng/Privacy.pdf274Japan Act on the Protection of Personal Information Protection (Law No. 
57 of 2003)http://www5.cao.go.jp/seikatsu/kojin/foreign/act.pdf275Japan ECOM Guidelines Concerning the Protection of Personal Data in Electronic Commerce in the Private Sector (version 1.0)http://www.ecom.jp/ecom_e/report/full/personal.pdf276Japan Handbook Concerning Protection Of Personal Datahttp://www.meti.go.jp/english/information/downloadfiles/Taro9-eng.pdf277Kansas Statutes Chapter 50, Article 7a Protection Of Consumer Informationhttp://kansasstatutes.lesterama.org/Chapter_50/Article_7a/278Kentucky Revised Statutes Title III Chapter 15 113 Prevention of Identity Thefthttp://www.lrc.ky.gov/KRS/015-00/113.PDF279Kentucky Revised Statutes Title XXXVI Chapter 411 210 Action for theft of identity or trafficking in stolen identitieshttp://www.lrc.ky.gov/KRS/411-00/210.PDF280Korea Act on Promotion of Information & Communication Network Utilization and Information Protection, etchttp://unpan1.un.org/intradoc/groups/public/documents/APCITY/UNPAN025694.pdf281Korea Act on the Protection of Personal Information Maintained by Public Agencies 1994http://www.glin.gov/view.action?glinID=202097282Korea Act Relating to Use and Protection of Credit Informationhttp://www.glin.gov/view.action?glinID=99460283Level-2 Windows 2000 Professional Operating System Benchmarkhttp://www.cisecurity.org/bench_windows.html284Lithuania Law on Legal Protection of Personal Datahttp://www.ada.lt/images/cms/File/pers.data.prot.law.pdf285Loi sur la Scurit Financire (French SOX)http://www.assemblee-nationale.fr/12/dossiers/securite_financiere.asp286Louisiana Revised Statutes Title 51 3073-3074 Database Security Breach Notification Lawhttp://www.legis.state.la.us/lss/lss.asp?doc=322029287Luxembourg Data Protection Lawhttp://www.cnpd.lu/objets/en/doc_loi02082002mod_en.pdf#zoom=125,0,0288Mac OS X Security Configuration for version 10.4 or later, second editionhttp://images.apple.com/server/macosx/docs/Tiger_Security_Config_021507.pdf289Maine Revised Statutes Title 10, Part 3 Chapter 210-B Notice of Risk 
to Personal Data http://www.mainelegislature.org/legis/statutes/10/title10ch210-Bsec0.html290Maryland Code of Commercial Law Subtitle 35. Maryland Personal Information Protection Act 14-3501 thru 14-3508http://www.michie.com/maryland/lpext.dll?f=templates&fn=main-h.htm&cp=mdcode291Massachusetts 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth of Massachusettshttp://www.mass.gov/Eoca/docs/idtheft/201CMR17amended.pdf292MasterCard Electronic Commerce Security Architecture Best Practiceshttp://www.powerpay.biz/docs/risk/MC_best_practices_online.pdf293MasterCard Wireless LANs - Security Risks and Guidelineshttp://www.mastercard.com/us/sdp/assets/pdf/wl_entire_manual.pdf294Mexico Federal Personal Data Protection Lawhttps://www.agpd.es/upload/English_Resources/Mexico_declaration.pdf295Michigan Identity Theft Protection Act, Act 452 of 2004, 445.61 thru 445.72ahttp://legislature.mi.gov/doc.aspx?mcl-Act-452-of-2004296Microsoft Developer Network Security Glossaryhttp://msdn.microsoft.com/en-us/library/ms721607(VS.85).aspx297Microsoft Office 2007 Security Guidehttp://www.microsoft.com/downloads/details.aspx?FamilyID=5534bee1-3cad-4bf0-b92b-a8e545573a3e&displaylang=en298Microsoft Solutions for Security and Compliance; Windows XP Security Guidehttp://www.microsoft.com/downloads/details.aspx?FamilyID=5534bee1-3cad-4bf0-b92b-a8e545573a3e&displaylang=en299Microsoft Windows Vista Security Guide Appendix A: Security Group Policy Settingshttp://technet.microsoft.com/en-us/bb629420.aspx300Minnesota Plastic Card Security Act H.F. 
1758https://www.revisor.leg.state.mn.us/bin/bldbill.php?bill=H1758.4.html&session=ls85301Minnesota Statute 13.055 State Agencies; Disclosure of Breach in Securityhttp://www.revisor.leg.state.mn.us/data/revisor/statute/2008/013/2008-13.055.pdf302Minnesota Statute 325E.61 Data Warehouses; Notice Required For Certain Disclosureshttps://www.revisor.leg.state.mn.us/statutes/?id=325E.61#stat.325E.61303Minnesota Statute 325E.64 Access Devices; Breach of Securityhttps://www.revisor.leg.state.mn.us/statutes/?id=325E.64304Missouri Revised Statutes Chapter 407 Merchandising Practices 407.1500http://www.moga.mo.gov/statutes/c400-499/4070001500.htm305Missouri War on Terror Veteran Survivor Grants, MO HB 957http://www.house.missouri.gov/content.aspx?info=/bills041/biltxt/intro/HB0957I.HTM306Montana bill to Implement Individual Privacy and to Prevent Identity Theft, MT HB 732http://data.opi.state.mt.us/BILLS/2005/BillPDF/HB0732.pdf307Montana Code 30-14-1701 thru 30-14-1705 and 30-14-1721 thru 30-14-1722; Protection of individual privacy and to impede identity theft as prohibited by 45-6-332http://data.opi.state.mt.us/bills/mca_toc/30_14_17.htm308Montana Code 45-6-332. 
Theft of identityhttp://data.opi.state.mt.us/bills/mca/45/6/45-6-332.htm309Multi-Function Device (MFD)and Printer Checklist for Sharing Peripherals Across the Network Security Technical Implementation Guidehttp://iase.disa.mil/stigs/checklist/span_mfd_checklist_v1r1-3_04_15_2009.pdf310NASD Manualhttp://onlinestore.cch.com/default.asp?ProductID=1926311National Incident Management System (NIMS), Department of Homeland Security, December 2008http://www.fema.gov/pdf/emergency/nims/NIMS_core.pdf312NCUA Guidelines for Safeguarding Member Information, 12 CFR 748http://www.ffiec.gov/exam/InfoBase/documents/02-ncu-12_cfr_748_app_a_safeguard_info-010100.pdf313Nebraska Revised Statutes 87-801 thru 87-807, Data Protection and Consumer Notification of Data Security Breach Act of 2006http://www.legislature.ne.gov/laws/browse-chapters.php?chapter=87314Netherlands Act of 6 July 2000 Personal Data Protection Acthttp://www.dutchdpa.nl/indexen/en_ind_wetten_wbp_wbp.shtml315Netherlands Personal Data Protection Act, Session 1999-2000 Nr.92http://www.dutchdpa.nl/downloads_wetten/wbp.pdf?refer=true&theme=purple316Nevada Revised Statute Chapter 603A, Security of Personal Informationhttp://www.leg.state.nv.us/NRS/NRS-603A.html317Nevada Security Breach Notification Law, NV SB 347http://www.leg.state.nv.us/73rd/bills/SB/SB347_EN.pdf318New Hampshire Statute Title XXXI, Chapter 359-C Right to Privacy, Notice of Security Breachhttp://www.gencourt.state.nh.us/rsa/html/XXXI/359-C/359-C-mrg.htm319New Jersey Identity Theft Prevention Act, NJ A4001/S1914http://www.njleg.state.nj.us/2004/Bills/A3500/4001_I1.PDF320New Jersey Permanent Statutes Title 56 Security of Personal Informationhttp://www.njleg.state.nj.us/2004/Bills/PL05/226_.HTM321New York Disposal of Records Containing Personal Identifying Information NY CLS Gen Bus 399-hhttp://it.rockefeller.edu/pdf/disposal.pdf322New York Information Security Breach and Notification Acthttp://www.cscic.state.ny.us/security/securitybreach/323New York State 
General Business Law Chapter 20, Article 39-F, 899-aahttp://www.cscic.state.ny.us/lib/laws/documents/899-aa.pdf324New Zealand Privacy Act 1993http://www.legislation.govt.nz/act/public/1993/0028/latest/DLM296639.html325NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006http://www.dtic.mil/whs/directives/corres/html/522022m.htm326NIST SCAP Microsoft Internet Explorer Version 7.0 OVALhttp://nvd.nist.gov/chklst_detail.cfm?config_id=148327North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standardshttp://www.nerc.com/page.php?cid=2%7C20328North Carolina Security Breach Notification Law (Identity Theft Protection Act of 2005)http://www.ncleg.net/Sessions/2005/Bills/Senate/PDF/S1048v2.pdf329North Carolina Statutes Chapter 75 Article 2A. Identity Theft Protection Act 75-60 through 75-66http://www.ncga.state.nc.us/EnactedLegislation/Statutes/HTML/ByArticle/Chapter_75/Article_2A.html330North Dakota Century Code, CHAPTER 51-30 Notice of Security Breach For Personal Informationhttp://www.legis.nd.gov/cencode/t51c30.pdf331North Dakota Personal Information Protection Act, ND SB 2251http://www.legis.nd.gov/assembly/59-2005/bill-text/FRBS0500.pdf332NRC Regulations (10 CFR) 73.54 Protection of digital computer and communication systems and networkshttp://www.nrc.gov/reading-rm/doc-collections/cfr/part073/part073-0054.html333NSA Guide to Securing Microsoft Windows 2000 Group Policyhttp://www.nsa.gov/ia/_files/os/win2k/w2k_group_policy.pdf334NSA Guide to Security Microsoft Windows XPhttp://www.nsa.gov/ia/_files/os/winxp/Windows_XP_Security_Guide_v2.2.zip335NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf336NSA Guide to the Secure Configuration of Solaris 8http://www.nsa.gov/ia/_files/os/sunsol/I331-008R-2004.pdf337NYSE Listed Company Manualhttp://nysemanual.nyse.com/lcm/338OECD / World Bank Technology Risk 
Checklisthttp://www.infragard.net/library/pdfs/technologyrisklist.pdf339OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Datahttp://www.oecd.org/document/18/0,2340,en_17642234_17642806_1815186_1_1_1_1,00.html340OECD Principles of Corporate Governancehttp://www.oecd.org/DATAOECD/32/18/31557724.pdf341OGC ITIL: Application Managementhttp://www.best-management-practice.com/Publications-Library/IT-Service-Management-ITIL/ITIL-Version-2/?DI=610977#GEMS6449817342OGC ITIL: ICT Infrastructure Managementhttp://www.best-management-practice.com/Publications-Library/IT-Service-Management-ITIL/ITIL-Version-2/?DI=610977#GEMS6449815343OGC ITIL: Planning to Implement Service Managementhttp://www.best-management-practice.com/Publications-Library/IT-Service-Management-ITIL/ITIL-Version-2/?DI=610977#GEMS6449809344OGC ITIL: Security Managementhttp://www.best-management-practice.com/Publications-Library/IT-Service-Management-ITIL/ITIL-Version-2/?DI=610977#GEMS6449811345OGC ITIL: Service Deliveryhttp://www.best-management-practice.com/Publications-Library/IT-Service-Management-ITIL/ITIL-Version-2/?DI=610977#GEMS6449807346OGC ITIL: Service Supporthttp://www.best-management-practice.com/Publications-Library/IT-Service-Management-ITIL/ITIL-Version-2/?DI=610977#GEMS6449805347Ohio Personal information - contact if unauthorized access, OH HB 104http://www.legislature.state.oh.us/BillText126/126_HB_104_EN_N.pdf348Ohio Revised Code Title XIII Chapter 1347 1347.12 Agency disclosure of security breach of computerized personal information datahttp://codes.ohio.gov/orc/1347.12349Ohio Revised Code Title XIII Chapter 1349 1349.19 Private disclosure of security breach of computerized personal information datahttp://codes.ohio.gov/orc/1349.19350Oklahoma Administrative Code Title 375 Chapter 40 Oklahoma Identity Theft Passport Program 375:40-1-1 thru 375:40-1-11http://www.oar.state.ok.us/oar/codedoc02.nsf/All/0941DE046451FFD3862575F400119991?OpenDocument351Oklahoma State Law 
Disclosure of breach of security of computerized personal information, 74-3113.1http://www2.lsb.state.ok.us/os/os_74-3113.1.rtf352OMB Circular A-123 Managements Responsibility for Internal Controlhttp://www.whitehouse.gov/OMB/circulars/a123/a123_rev.html353Oregon Consumer Identity Theft Protection Act, Senate Bill 583http://www.leg.state.or.us/07reg/measpdf/sb0500.dir/sb0583.b.pdf354Oregon Revised Statutes Chapter 646a 646A.600 thru 646A.624 Identity Theft Protection Acthttp://www.leg.state.or.us/ors/646a.html355ORGANIC LAW 15/1999 of 13 December on the Protection of Personal Datahttps://www.agpd.es/upload/Ley%20Org%E1nica%2015-99_ingles.pdf356Part II Securities and Exchange Commission 17 CFR Parts 210, 228, 229 and 240 Amendments to Rules Regarding Management's Report on Internal Control Over Financial Reporting; Final Rulehttp://www.sec.gov/rules/final/2007/33-8809fr.pdf357Payment Card Industry (PCI) Data Security Standard Security Audit Procedureshttps://www.pcisecuritystandards.org/pdfs/pci_audit_procedures_v1-1.pdf358Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance No Electronic Storage, Processing, or Transmission of Cardholder Datahttps://www.pcisecuritystandards.org/docs/pci_saq_a.doc359Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines or Stand-alone Dial-out Terminals Only, no Electronic Cardholder Data https://www.pcisecuritystandards.org/docs/pci_saq_b.doc360Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storagehttps://www.pcisecuritystandards.org/docs/pci_saq_c.doc361Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service 
Providershttps://www.pcisecuritystandards.org/docs/pci_saq_d.doc362Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedureshttps://www.pcisecuritystandards.org/security_standards/pci_dss_download_agreement.html363Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guidelinehttps://www.pcisecuritystandards.org/pdfs/PCI_DSS_Wireless_Guidelines.pdf364Payment Card Industry (PCI) Payment Application Data Security Standardhttps://www.pcisecuritystandards.org/pdfs/pci_pa-dss_security_audit_procedures_v1-1.pdf365Payment Card Industry Self-Assessment Questionnaire A and Attestation of Compliance No Electronic Sthttps://www.pcisecuritystandards.org/docs/saq_a_v1-1.doc366Payment Card Industry Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machineshttps://www.pcisecuritystandards.org/docs/saq_b_v1-1.doc367Payment Card Industry Self-Assessment Questionnaire C and Attestation of Compliance Payment Applicathttps://www.pcisecuritystandards.org/docs/saq_c_v1-1.doc368Payment Card Industry Self-Assessment Questionnaire D and Attestation of Compliance All Other Merchhttps://www.pcisecuritystandards.org/docs/saq_d_v1-1.doc369PCAOB Auditing Standard No. 2http://www.pcaobus.org/Rules/Rules_of_the_Board/Auditing_Standard_2.pdf370PCAOB Auditing Standard No. 3http://www.pcaobus.org/Rules/Rules_of_the_Board/Auditing_Standard_3.pdf371PCAOB Auditing Standard No. 
5http://www.pcaobus.org/Rules/Rules_of_the_Board/Auditing_Standard_5.pdf372PCI DSS (Payment Card Industry Data Security Standard)https://www.pcisecuritystandards.org/security_standards/pci_dss_download_agreement.html373PCI DSS Security Scanning Procedureshttps://www.pcisecuritystandards.org/pdfs/pci_scanning_procedures_v1-1.pdf374Pennsylvania Statutes Title 73 Trade and Commerce Chapter 43 Breach of Personal Information Notification Act 2301 thru 2329http://www.schwartzandballen.com/ImportedLawsBills/Pennsylvania%20Security%20Breach.pdf375Performance Measurement Guide for Information Security, NIST 800-55 Rev. 1http://csrc.nist.gov/publications/nistpubs/800-55-Rev1/SP800-55-rev1.pdf376Personal Data Protection Act of the Republic of Slovenia of 2004http://www.mp.gov.si/fileadmin/mp.gov.si/pageuploads/2005/PDF/zakonodaja/2007_10_29_personal_data_protection_act_RS.pdf377Poland Protection of Personal Data Acthttp://www.giodo.gov.pl/plik/id_p/61/j/en/378Portuguese Act on the Protection of Personal Data 67/98http://www.cnpd.pt/english/bin/legislation/Law6798EN.HTM379Privacy Act of 1974, 5 USC 552ahttp://www.usdoj.gov/opcl/privacyact1974.htm380Privacy of Consumer Financial Information, FTC 16 CFR 313http://www.ftc.gov/os/2000/05/65fr33645.pdf381Protection of Assets Manual, ASIS Internationalhttp://www.protectionofassets.com/382PUBLIC LAW 109295OCT. 4, 2006http://thomas.loc.gov/cgi-bin/query/D?c109:7:./temp/~c109XRfrcN::383Puerto Rico Code Title 10 Subtitle 3 Chapter Citizen Information on Data Banks Security Act, 10 L.P.R.A. 
4051http://www.schwartzandballen.com/ImportedDocs/Puerto%20Rico%20security%20breach.pdf384Recommended Security Controls for Federal Information Systems, NIST SP 800-53http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2_pdf.zip385Record retention SEC 17 CFR 240.17Ad-7http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr;sid=c81f9f1046cb6bc1569a5db1ff1cb3ca;rgn=div8;view=text;node=17%3A3.0.1.1.1.2.97.421;idno=17;cc=ecfr386Recordkeeping rule for securities exchanges, SEC 17 CFR 240.17a-1http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr;sid=8a707a87faf38f7d2846d9b026ef323e;rgn=div8;view=text;node=17%3A3.0.1.1.1.2.94.371;idno=17;cc=ecfr387Recordkeeping SEC 17 CFR 240.17Ad-6http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr;sid=c81f9f1046cb6bc1569a5db1ff1cb3ca;rgn=div8;view=text;node=17%3A3.0.1.1.1.2.97.421;idno=17;cc=ecfr388Records to be made by certain exchange members, brokers, and dealers SEC 17 CFR 240.17a-3http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr;sid=45bcefcbca5a2961e1cee9a9cb01b160;rgn=div8;view=text;node=17%3A3.0.1.1.1.2.94.373;idno=17;cc=ecfr389Records to be preserved by certain exchange members, brokers, and dealers SEC 17 CFR 240.17a-4http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr;sid=90722b0e4f8ff362197b60c394489ce4;rgn=div8;view=text;node=17%3A3.0.1.1.1.2.94.375;idno=17;cc=ecfr390Reporting Transactions and Holdings, SEC 17 CFR 240.16a-3http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr;sid=3fc1d2e7d4a2c838ca758408923105a8;rgn=div8;view=text;node=17%3A3.0.1.1.1.2.90.348;idno=17;cc=ecfr391Responsible Care Security Code of Management Practices, American Chemistry Councilhttp://www.americanchemistry.com/securitycode_pdf392Retention of Audit and Review Records, SEC 17 CFR 210.2-06http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=1e057afa900af722d0a59a28773472ed&rgn=div8&view=text&node=17:2.0.1.1.8.0.18.9&idno=17393Revised Code of Washington Title 19 Chapter 19.215 Disposal of personal information 19.215.005 thru 
19.215.030 | http://apps.leg.wa.gov/RCW/default.aspx?cite=19.215
394 | Revised Code of Washington Title 19 Chapter 19.255 Personal information - notice of security breaches 19.255.010 | http://apps.leg.wa.gov/RCW/default.aspx?cite=19.255.010
395 | Rhode Island General Law Chapter 11-49.2 Identity Theft Protection 11-49.2-1 thru 11-49.2-4 | http://www.rilin.state.ri.us/statutes/TITLE11/11-49.2/INDEX.HTM
396 | Rhode Island Security Breach Notification Law, RI HB 6191 | http://www.rilin.state.ri.us/Billtext/BillText05/HouseText05/H6191.pdf
397 | Right to Financial Privacy Act | http://www.accessreports.com/statutes/RFPA.htm
398 | Risk Management Guide for Information Technology Systems, NIST SP 800-30 | http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
399 | Royal Decree of 13 February 2001 implementing the Law of 8 December 1992 on the protection of privacy in relation to the processing of personal data | http://www.privacycommission.be/en/static/pdf/wetgeving/uitvoeringsbesluit-2001-en-input-website-220109.pdf
400 | Safety and Soundness Standards, Appendix of OCC 12 CFR 30 | http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=55f63dbb4ec993a25080b4cb3eb14e06&rgn=div5&view=text&node=12:1.0.1.1.28&idno=12
401 | SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement | http://www.aicpa.org/download/members/div/auditstd/AU-00314.PDF
402 | SAS 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained | http://www.aicpa.org/download/members/div/auditstd/AU-00318.PDF
403 | SEC 12 CFR 229 Availability of Funds and Collection (Check Clearing for the 21st Century) | http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=91f3f63db5cf1624698533e65e823221&rgn=div5&view=text&node=12:3.0.1.1.10&idno=12#12:3.0.1.1.10.4.8.11.30
404 | Securities Act of 1933 | http://uscode.house.gov/download/pls/15C2A.txt
405 | Securities Exchange Act of 1934 | http://uscode.house.gov/download/pls/15C2B.txt
406 | Security Considerations in the Information System Development Life Cycle, NIST SP 800-64 | http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf
407 | Security Metrics Guide for Information Technology Systems, NIST SP 800-55 | http://csrc.nist.gov/publications/nistpubs/800-55/sp800-55.pdf
408 | Security Self-Assessment Guide, NIST SP 800-26 | http://csrc.nist.gov/publications/nistpubs/800-26/sp800-26.pdf
409 | Slovak Republic Protection of Personal Data in Information Systems | http://www.dataprotection.gov.sk/buxus/docs/act_428.pdf
410 | Smith Guidance on Audit Committees, UK FRC | http://www.frc.org.uk/documents/pagemanager/frc/The%20Smith%20Guidance%20on%20Audit%20Committees%20June%202006.pdf
411 | South Africa Promotion of Access to Information Act | http://freedominfo.org/documents/South%20Africa%20PAIA.pdf
412 | South Carolina Code of Laws 1-11-490 Breach of security of state agency data notification | http://www.scstatehouse.gov/code/t01c011.htm
413 | South Carolina Code of Laws 16-13-512 Credit Card and 39-1-90 Breach of security of business data notification | http://www.scstatehouse.gov/code/t39c001.htm
414 | Specter-Leahy Personal Data Privacy and Security Act | http://leahy.senate.gov/press/200506/062905a.html
415 | Standards for Safeguarding Customer Information; Final Rule, FTC 16 CFR 314 | http://www.ftc.gov/os/2002/05/67fr36585.pdf
416 | State of Arizona Standard P800-S880, Revision 2.0: Media Sanitation/Disposal | http://www.azgita.gov/policies_standards/pdf/P800-S880%20Media%20San+Disp.pdf
417 | State Prohibitions on Marketing Practices using Medical Information (CA SB1633) | http://info.sen.ca.gov/cgi-bin/postquery?bill_number=sb_1633&sess=0304&house=B&site=sen
418 | State Prohibitions on Marketing Practices using Medical Information (TX SB11) | http://www.legis.state.tx.us/billlookup/BillSummary.aspx?LegSess=80R&Bill=SB11
419 | Sweden Personal Data Act (1998:204) | http://www.sweden.gov.se/content/1/c6/01/55/42/b451922d.pdf
420 | Swedish Code of Corporate Governance; A Proposal by the Code Group | http://www.sweden.gov.se/download/f8334504.pdf?major=1&minor=26296&cn=attachmentPublDuplicator_0_attachment
421 | Switzerland Federal Act on Data Protection | http://www.dataprotection.eu/pmwiki/pmwiki.php?n=Main.CH
422 | System Security Plan (SSP) Procedure | http://www.cms.hhs.gov/informationsecurity/downloads/SSP_Procedure.pdf
423 | Taiwan Computer-Processed Personal Data Protection Law 1995 | http://www.ics.uci.edu/~kobsa/privacy/Taiwan1.htm
424 | Technology Risk Management Guide for Bank Examiners OCC Bulletin 98-3 | http://www.occ.treas.gov/ftp/bulletin/98-3.txt
425 | Telemarketing Sales Rule (TSR), 16 CFR 310 | http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=bf60e7b87681ffcbf1030185f246d305&rgn=div5&view=text&node=16:1.0.1.3.34&idno=16
426 | Tennessee Code Title 47 Chapter 18 Part 21 Identity Theft Deterrence 47-18-2101 thru 47-18-2110 | http://www.michie.com/tennessee/lpext.dll?f=templates&fn=main-h.htm&cp=tncode
427 | Tennessee Security Breach Notification, TN SB 2220 | http://tennessee.gov/sos/acts/104/pub/pc0473.pdf
428 | Texas Business and Commerce Code, secs. 48.102, 48.103 | http://www.hro.house.state.tx.us/PDF/ba80r/HB3222.PDF
429 | Texas Business and Commercial Code Title 11, Subtitle B, Chapter 521 Subchapter A 521 | http://www.statutes.legis.state.tx.us/Docs/BC/pdf/BC.521.pdf
430 | Texas Identity Theft Enforcement and Protection Act, TX SB 122 | http://www.bakers-legal-pages.com/leg2005/bills/sb00122f.htm
431 | The Center for Internet Security Security Benchmark For Multi-Function Devices | http://www.cisecurity.org/benchmarks.html
432 | The Center for Internet Security Wireless Networking Benchmark version 1.0 | http://www.cisecurity.org/bench_wireless.html
433 | The Center for Internet Security Wireless Networking Benchmark, Apple Addendum, version 1.0 | http://www.cisecurity.org/bench_wireless.html
434 | The Center for Internet Security Wireless Networking Benchmark, Cisco Addendum, version 1.0 | http://www.cisecurity.org/bench_wireless.html
435 | The Center for Internet Security Wireless Networking Benchmark, DLINK Addendum, version 1.0 | http://www.cisecurity.org/bench_wireless.html
436 | The Center for Internet Security Wireless Networking Benchmark, Linksys Addendum, version 1.0 | http://www.cisecurity.org/bench_wireless.html
437 | The DIRKS Manual: A Strategic Approach to Managing Business Information | http://www.naa.gov.au/records-management/publications/dirks-manual.aspx
438 | The Dutch corporate governance code, Principles of good corporate governance and best practice provisions | http://www.ecgi.org/codes/documents/cg_code_nl_en.pdf
439 | The GAIT Methodology | http://www.theiia.org/guidance/standards-and-guidance/ippf/practice-guides/gait/gait-m/
440 | The King Committee on Corporate Governance, Executive Summary of the King Report 2002 | http://www.ecgi.org/codes/documents/executive_summary.pdf
441 | The National Strategy to Secure Cyberspace | http://www.dhs.gov/xlibrary/assets/National_Cyberspace_Strategy.pdf
442 | The Sarbanes-Oxley Act of 2002 | http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_bills&docid=f:h3763enr.tst.pdf
443 | The Sedona Principles Addressing Electronic Document Production | http://www.thesedonaconference.org/dltForm?did=7_05TSP.pdf
444 | The Standard of Good Practice for Information Security | https://www.isfsecuritystandard.com/SOGP07/index.htm
445 | TITLE 49, Subtitle VII - Aviation Programs | http://www.tsa.gov/assets/pdf/49_USC_Chapters_401_to_501.pdf
446 | Transportation Security Administration (TSA) Security Guidelines for General Aviation Airports, Information Publication A-001, May 2004 | http://www.tsa.gov/assets/pdf/security_guidelines_for_general_aviation_airports.pdf
447 | Turnbull Guidance on Internal Control, UK FRC | http://www.frc.org.uk/documents/pagemanager/frc/Revised%20Turnbull%20Guidance%20October%202005.pdf
448 | UK Data Protection Act of 1998 | http://www.opsi.gov.uk/acts/acts1998/ukpga_19980029_en_1
449 | UN Guidelines for the Regulation of Computerized Personal Data Files (1990) | http://www.worldlii.org/int/other/PrivLRes/1990/1.html
450 | Underlying Technical Models for Information Technology Security, SP 800-33 | http://csrc.nist.gov/publications/nistpubs/800-33/sp800-33.pdf
451 | Uniform Electronic Transactions Act (UETA) (1999) | http://www.law.upenn.edu/bll/ulc/fnact99/1990s/ueta99.htm
452 | Uniform Rules of Evidence Act | http://www.law.upenn.edu/bll/ulc/ure/evid1200.htm
453 | US Department of Commerce EU Safe Harbor Privacy Principles | http://www.export.gov/safeharbor/index.asp
454 | US Department of Energy Cyber Security Program Media Clearing, Purging, and Destruction Guidance: DOE CIO Guidance CS-11 | http://cio.energy.gov/CS-11_Clearing_and_Media_Sanitization_Guidance.pdf
455 | US Export Administration Regulations Database | http://www.gpo.gov/bis/ear/ear_data.html
456 | US The International Traffic in Arms Regulations | http://www.pmddtc.state.gov/regulations_laws/itar_official.html
457 | Utah Protection of Personal Information Act, Utah Code Title 13-44. Protection of Personal Information Act | http://le.utah.gov/~code/TITLE13/13_44.htm
458 | Vermont Relating to Identity Theft, VT HB 327 | http://www.leg.state.vt.us/docs/legdoc.cfm?URL=/docs/2004/acts/ACT155.HTM
459 | Vermont Statute Title 9 Chapter 62 Protection of Personal Information 2430, 2435, 2440, 2445 | http://www.leg.state.vt.us/statutes/fullchapter.cfm?Title=09&Chapter=062
460 | Video Privacy Protection Act (VPPA), 18 USC 2710 | http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00002710----000-.html
461 | Virgin Islands Code Title 14 Chapter 110 The Identity Theft Prevention Act 2201 thru 2211 | http://www.michie.com/virginislands/lpext.dll?f=templates&fn=main-h.htm&cp=vicode
462 | Virginia Code Title 18.2 Chapter 6 Breach of personal information notification 18.2-186.6 | http://leg1.state.va.us/000/cod/18.2-186.6.HTM
463 | Virginia Identity theft; penalty; restitution; victim assistance, VA HB 872 | http://leg1.state.va.us/cgi-bin/legp504.exe?041+ful+CHAP0450
464 | VISA CISP: What to Do If Compromised Visa Fraud Control and Investigation Procedures | http://usa.visa.com/download/merchants/cisp_what_to_do_if_compromised.pdf
465 | Visa Data Field Encryption | http://corporate.visa.com/_media/best-practices.pdf
466 | VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business | http://usa.visa.com/download/merchants/visa_risk_management_guide_ecommerce.pdf
467 | VISA Incident Response Procedure for Account Compromise | http://www.visa-asia.com/ap/center/merchants/riskmgmt/includes/uploads/VisaAP_Inc_Resp_Procedv1_2_2004.pdf
468 | Visa Payment Application Best Practices (PABP) | http://usa.visa.com/download/merchants/cisp_payment_application_best_practices.doc
469 | Washington DC Consumer Personal Information Security Breach Notification Act of 2006 | http://www.dccouncil.washington.dc.us/images/00001/20061218135855.pdf
470 | Washington Notice of a breach of the security, WA SB 6043 | http://www.leg.wa.gov/pub/billinfo/2005-06/Htm/Bills/Senate%20Bills/6043-S.htm
471 | West Virginia Code Chapter 46A Article 2A Breach of Security of Consumer Information 46A-2A-101 thru 46A-2A-105 | http://www.legis.state.wv.us/WVCODE/Code.cfm?chap=46a&art=2A#2A
472 | Windows Server 2003 Security Guide | http://www.microsoft.com/downloads/details.aspx?FamilyID=5534bee1-3cad-4bf0-b92b-a8e545573a3e&displaylang=en
473 | Windows Server 2008 Security Guide | http://www.microsoft.com/downloads/details.aspx?FamilyID=5534bee1-3cad-4bf0-b92b-a8e545573a3e&displaylang=en
474 | Wisconsin Act 138 Notice of unauthorized acquisition of personal information | http://www.legis.state.wi.us/2005/data/acts/05act138.pdf
475 | Wisconsin Statute Chapter 134 Notice of unauthorized acquisition of personal information 134.98 | www.legis.state.wi.us/statutes/Stat0134.pdf
476 | Wyoming Statute Title 40 Article 5 Breach of the security of the data system 40-12-501 thru 40-12-509 | http://legisweb.state.wy.us/statutes/statutes.aspx?file=titles/Title40/Title40.htm