Customer Needs Assessment

Determine Risk Tolerance

Federal Information Security Management Act of 2002 (FISMA)—FISMA is the primary legislation governing U.S. federal information security. Passed as part of the Homeland Security Act of 2002 and the E-Government Act of 2002, FISMA requires every government agency to secure information and the information systems that support its operations and assets. If the government uses commercially developed security products, those products must offer advanced and effective information security solutions and work in concert with government policies, procedures, and guidelines.

Payment Card Industry Data Security Standard (PCI DSS)—To combat breaches and identity theft dangers, all major credit card companies agreed upon PCI DSS as an industry-wide data security standard. PCI applies to all members, merchants, and service providers that store, process, or transmit cardholder data, as well as any network component, server, or application included in, or connected to, the cardholder data domain. Companies must use firewalls, message encryption, access controls, and anti-virus software. PCI also requires frequent security audits and network monitoring and forbids the use of default passwords.

As the member states of the European Union (EU) began to legislate electronic privacy protection in the 1980s and 1990s, the European Commission soon realized that countries had diverging data protection laws, which would impede the flow of data, and therefore, the flow of trade within the EU. In 1995 the European Commission proposed the Directive on the Protection of Personal Data (Directive 95/46/EC), which specifies how personal and sensitive data should be handled.

Although the majority of the directive focuses on the explicit reasons for which an entity can collect and store personal data, it also includes the specification that stored data must be secured, protected against accidental loss, and kept for a limited amount of time. Meeting these specifications necessitates a highly secure and organized network infrastructure.

Other countries have passed regulations, such as:

Germany—Bundesdatenschutzgesetz (Federal Data Protection Act)

United Kingdom—Data Protection Act of 1998

France—Law 78-17 (revised)

Canada—Personal Information Protection and Electronic Documents Act (PIPEDA)

Australia—Private Sector Provisions of the Privacy Act 1988 (Cth)

Japan—Personal Information Protection Law