Computer Fraud and Abuse Act (CFAA): Federal law that prohibits accessing a computer without authorization, or in excess of authorization. Must be considered when defining access control levels and penalties for violations.
Electronic Communications Privacy Act (ECPA): Federal law governing the interception and monitoring of electronic communications. Relevant for access controls related to email and communication systems.
Federal Information Security Management Act (FISMA): Federal law establishing information security standards for federal agencies and their contractors. Provides framework for protecting government information and operations.
Health Insurance Portability and Accountability Act (HIPAA): Federal law that requires special access controls and security measures for protected health information (PHI). Critical if organization handles healthcare data.
Gramm-Leach-Bliley Act (GLBA): Federal law requiring financial institutions to explain their information-sharing practices and protect sensitive data. Essential for access controls in financial sector.
Sarbanes-Oxley Act (SOX): Federal law requiring public companies to establish internal controls and procedures for financial reporting. Includes IT controls and access management requirements.
State Data Breach Notification Laws: Various state-specific laws requiring organizations to notify individuals of security breaches involving personally identifiable information.
California Consumer Privacy Act (CCPA): State law providing California residents with data privacy rights and requiring businesses to implement appropriate access controls and security measures.
NY SHIELD Act: New York state law requiring businesses to implement safeguards for private information of NY residents, including specific access control requirements.
NIST SP 800-53: National Institute of Standards and Technology Special Publication providing detailed access control guidelines and security controls framework.
Payment Card Industry Data Security Standard (PCI DSS): Industry standard for organizations that handle credit card information, including specific requirements for access control and authentication.
CIS Controls: Cybersecurity best practices framework that includes specific controls for access management and account monitoring.
General Data Protection Regulation (GDPR): EU regulation with strict requirements for protecting personal data, including access control measures, if handling EU residents' data.
ISO 27001 Annex A.9: Specific section of ISO 27001 standard dealing with access control requirements and implementation guidelines.
ISO 27002: Complementary standard to ISO 27001 providing detailed implementation guidance for security controls, including access management.
