Information Security Policies Table: Regulatory

The following table is a partial list of security- and privacy-related regulations, together with the specific information security policy requirement each one imposes. Although the higher-education sector is not named in any of them, let your security conscience be your guide.

| Regulation/Framework | Sector/Industry/Country | Policy Requirement |
|---|---|---|
| HIPAA (Health Insurance Portability and Accountability Act of 1996), Security Final Rule | Healthcare (U.S.) | Policies and Procedures, 164.316(a) (R): "Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart." |
| Sarbanes-Oxley Act, Section 404, based on COBIT (Control Objectives for Information Technology), Control Objectives, Section 6: Communicate Management Aims and Directions | All Publicly Traded Companies (U.S.) | 6.2 Management's Responsibility for Policies: "Management should assume full responsibility for formulating, developing, documenting, promulgating and controlling policies covering general aims and directives." |
| New Basel Capital Accord (Basel II), Quantitative Standards, Section 606 | Banking (International) | (e) "The bank's risk management system must be well documented. The bank must have a routine in place for ensuring compliance with a documented set of internal policies, controls and procedures concerning the operational risk management system, which must include policies for the treatment of non-compliance issues." |
| Gramm-Leach-Bliley Act (GLBA), Title V, Section 501, Interagency Guidelines Establishing Standards for Safeguarding Customer Information | Financial Services (U.S.) | "Each Bank shall implement a comprehensive written information security program [policies] that includes administrative, technical and physical safeguards." |
| FERC Cyber Security Standard, CIP-003-1 Security Management Controls | Energy/Infrastructure (U.S.) | Requirement 1: "The Responsible Entity shall create and maintain a cyber security policy that addresses the requirements of this standard and the governance of the cyber security controls." |
| Federal Information Security Management Act (FISMA), NIST SP 800-26 | Federal Government (U.S.) | "(a) The head of each [Federal] agency shall delegate to the agency Chief Information Officer ensuring that the agency effectively implements and maintains information security policies, procedures, and control techniques;" |
| PIPEDA (Bill C6), Personal Information Protection and Electronic Documents Act | All Industries (Canada) | 4.1 Principle 1, Accountability: "Organizations shall implement policies and practices to give effect to the principles." 4.8 Principle 8, Openness: "Organizations shall be open about their policies and practices with respect to the management of personal information." |
| EU Data Protection Directive | All Industries (European Union) | Organizations must "implement appropriate technical and organizational measures to protect personal data." |
| ISO/IEC 17799, Section 1.1 Information Security Policy Document | Security Framework | A written policy document should be available to all employees responsible for information security. |
| GAISP (Generally Accepted Information Security Principles), Version 3.0, Section 3.1 Information Security Policy | Security Framework | Management shall ensure that policy and supporting standards, baselines, procedures, and guidelines are developed and maintained to address all aspects of information security. |

The University System - Office of Information Security (OIS) web site contains links to other sites that are not owned or controlled by us. The information provided at these sites does not reflect the views of this Office or indicate an endorsement of a particular company or product. Please be aware that our Office is not responsible for the security and privacy practices of such other sites.