Computer Fraud and Abuse Act (CFAA): Federal law that prohibits accessing a computer without authorization, or in excess of authorization. Must be considered for defining unauthorized access and penalties in the access policy.
Electronic Communications Privacy Act (ECPA): Federal law governing the interception and monitoring of electronic communications. Relevant for monitoring and logging of user activities in systems.
Federal Information Security Management Act (FISMA): Defines framework for protecting government information, operations and assets. Important for federal agencies and contractors in establishing security controls.
Health Insurance Portability and Accountability Act (HIPAA): Regulates the use and disclosure of protected health information. Critical for healthcare organizations in establishing access controls for medical data.
Gramm-Leach-Bliley Act (GLBA): Requires financial institutions to explain their information-sharing practices and protect sensitive data. Essential for financial sector access policies.
Sarbanes-Oxley Act (SOX): Mandates proper internal control structures and financial reporting for public companies. Important for access controls related to financial systems.
Payment Card Industry Data Security Standard (PCI DSS): Security standard for organizations handling credit card data. Specific requirements for access controls and authentication must be incorporated.
Family Educational Rights and Privacy Act (FERPA): Protects the privacy of student education records. Essential for educational institutions in defining access controls for student data.
Defense Federal Acquisition Regulation Supplement (DFARS): Cybersecurity requirements for defense contractors. Critical for organizations working with the Department of Defense.
State Data Breach Notification Laws: Various state-specific requirements for reporting unauthorized access to protected data. Must be considered in incident response procedures.
California Consumer Privacy Act (CCPA): California's comprehensive privacy law with specific requirements for handling personal information of California residents.
SHIELD Act: New York's Stop Hacks and Improve Electronic Data Security Act requiring security measures for protecting private information of New York residents.
General Data Protection Regulation (GDPR): EU privacy law with global impact, requiring strict controls on personal data access and processing for EU residents' data.
NIST Cybersecurity Framework: Voluntary framework of computer security guidance for private sector organizations to better manage and reduce cybersecurity risk.
ISO 27001: International standard for information security management systems, providing requirements for establishing, implementing, and maintaining security controls.
CIS Controls: Set of prioritized actions to protect organizations and data from known cyber attack vectors. Provides practical guidelines for access control implementation.
