Computer Fraud and Abuse Act (CFAA): Federal law that prohibits accessing a computer without authorization, or in excess of authorization. Must be considered when defining access levels and unauthorized access penalties in the policy.
Electronic Communications Privacy Act (ECPA): Federal law governing the interception and monitoring of electronic communications. Relevant for policies regarding monitoring and logging of user access and activities.
Federal Information Security Management Act (FISMA): Defines framework for protecting government information, operations and assets. Provides guidelines for access control requirements in federal systems.
Sarbanes-Oxley Act (SOX): Requires public companies to establish internal controls and procedures for financial reporting. Includes requirements for IT access controls and audit trails.
Health Insurance Portability and Accountability Act (HIPAA): Establishes standards for protecting sensitive patient health information. Includes specific requirements for access control and user authentication in healthcare settings.
Gramm-Leach-Bliley Act (GLBA): Requires financial institutions to explain their information-sharing practices and protect sensitive data. Includes requirements for access control measures in financial sector.
NIST Special Publication 800-53: Provides detailed security control guidelines including comprehensive access control requirements and best practices for federal information systems.
ISO/IEC 27001: International standard for information security management. Provides framework for access control policies and security management practices.
CIS Controls: Set of cybersecurity best practices developed by the Center for Internet Security. Includes specific controls for access management and authentication.
COBIT: Framework for IT management and governance. Provides guidance on access control objectives and IT governance requirements.
State Data Breach Notification Laws: Various state-specific requirements for reporting unauthorized access to protected data. Must be considered in access control policy incident response procedures.
California Consumer Privacy Act (CCPA): California's comprehensive privacy law that includes requirements for access control and data protection measures for businesses serving California residents.
Payment Card Industry Data Security Standard (PCI DSS): Security standard for organizations handling credit card information. Includes specific requirements for access control and user authentication.
Family Educational Rights and Privacy Act (FERPA): Federal law protecting the privacy of student education records. Includes requirements for controlling access to educational records and information.
FTC Guidelines: Federal Trade Commission guidelines for data security and consumer protection. Provides recommendations for access control and data protection measures.
