Important Security Regulations

HIPAA (Health Insurance Portability and Accountability Act)

Governing Body: U.S. Department of Health and Human Services (HHS)

Purpose: Safeguard Protected Health Information (PHI)

Details: HIPAA is a U.S. federal regulation that mandates the protection of electronic health data. Compliance is required for healthcare providers, insurance companies and their contractors. Non-compliance with HIPAA can result in severe fines and reputational damage.

GDPR (General Data Protection Regulation)

Purpose: Protect the personal data and privacy rights of individuals in the EU

Governing Body: European Data Protection Board (EDPB)

Details: The GDPR is an EU regulation that governs the collection, use and protection of personal data for all EU citizens. It is not limited to organizations inside the EU: it is enforced globally against any organization that processes this data, regardless of where the data is located. The GDPR enforces very strict data privacy rights, including requirements for breach notification, consent to collect data, transparency over what data is collected, and minimizing the data that is collected. Violations of GDPR can result in very large fines, which can range into the tens of millions of euros. While the GDPR was specifically designed to protect the personal data of EU citizens, because of its global reach and enforcement, companies frequently find it easier to comply with GDPR requirements for all customers or users, regardless of whether they are from the EU.

FISMA (Federal Information Security Management Act)

Governing Body: Office of Management and Budget, with assistance from NIST

Purpose: Ensure U.S. federal agencies and their vendors/contractors implement and maintain security controls and programs to protect government data and systems.

Details: FISMA is a U.S. regulation that requires federal agencies to implement information security programs. It mandates the use of NIST standards such as SP 800-53. FISMA compliance is not mandated only for government agencies; it also applies to private companies, contractors and third parties that work with government agencies.

SOX (Sarbanes-Oxley Act of 2002)

Governing Body: U.S. Securities and Exchange Commission (SEC)

Purpose: Protect investors by improving the accuracy, transparency and reliability of corporate financial reporting, specifically in publicly traded companies.

Details: The SOX act is a U.S. federal law that was passed in response to corporate accounting scandals and is designed to improve both the accuracy and integrity of financial reporting for publicly traded companies. While SOX is not specifically an IT or security regulation, it has strong implications for IT and security teams working with organizations that must comply with it. For example, SOX requires controls such as proper access controls, change management policies and detailed logging for systems that impact financial reporting. Failure to comply with SOX is so serious that it can result not only in financial penalties but also in criminal penalties for executives.
