Understanding the Major Regulations
CUI Protection
What is CUI protection?
The standard by which government agencies and their private sector affiliates handle the sharing of controlled unclassified information (CUI): government data that is not designated classified but still should not be made public.
Who should care about CUI protection?
Federal government agencies and private sector businesses or contractors that work with the government should comply with CUI rules.
What systems does this affect?
All systems that contain controlled unclassified information (CUI) are impacted by this regulation.
FISMA
What is FISMA?
The Federal Information Security Management Act (FISMA) sets forth requirements for rigorous information security protection processes to protect federal government data.
Who should care about FISMA?
Federal agencies, state agencies that administer federal programs, and contractors or private sector companies that interface with federal government agencies or programs are affected by FISMA.
What systems does this affect?
FISMA impacts any systems that store or transmit sensitive federal agency data.
GDPR
What is GDPR?
The General Data Protection Regulation (GDPR) regulates the way personal data is processed, stored, and destroyed by organizations in the European Union (EU) and United Kingdom (UK).
Who should care about GDPR?
Organizations that store or process personal data of citizens of the EU and UK, even if they’re located outside these locations, are impacted by GDPR regulations.
What systems does this affect?
GDPR regulations affect all systems that handle personally identifying information for any EU or UK citizen.
HIPAA
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) sets out privacy and security rules for patient healthcare data.
Who should care about HIPAA?
Healthcare organizations that store electronic health records and other personal health information (PHI), as well as companies and contractors that provide services or functions for those organizations, are required to comply with HIPAA regulations and can face substantial fines if they do not.
What systems does this affect?
HIPAA regulations affect any system that stores or transmits personal health information.
ITAR
What is ITAR?
The International Traffic in Arms Regulations (ITAR) controls the import and export from the United States (US) of certain defense and military equipment and technologies.
Who should care about ITAR?
Companies that create or distribute goods or services covered under the United States Munitions List (USML) or sell products to the US Department of Defense are impacted by ITAR regulations.
What systems does this affect?
Systems interfacing with data on the manufacturing of defense weapons and classified information relating to technologies on the USML are impacted by ITAR.
LGPD
What is LGPD?
The General Personal Data Protection Law (LGPD) is the overarching law for the protection of personal data in Brazil. It regulates the processing of personal data, with the objective of protecting the fundamental rights of freedom and privacy and a natural person's ability to freely develop their personality.
Who should care about LGPD?
LGPD applies to organizations in either of the following scenarios:
- When processing of personal data is a) carried out in Brazil and b) the purpose of the processing is to offer or provide goods or services.
- When personal data is processed that was collected from individuals who were in Brazil when that data was collected.
What systems does this affect?
LGPD regulations affect all systems that handle personally identifying information that is either processed in Brazil for the purpose of offering or providing goods or services, or was collected from individuals who were in Brazil at the time of collection.
NIST
What is NIST?
The National Institute of Standards and Technology (NIST) Cybersecurity Framework is guidance supplied by the federal government to help protect federal agencies and critical infrastructure providers against cyberattacks.
Who should care about NIST?
NIST impacts critical infrastructure providers and other agencies or private sector organizations looking for guidance on reducing cyber risk.
What systems does this affect?
The NIST framework provides guidance on identifying, protecting, detecting, responding to, and recovering from threats to sensitive data (its five core functions), so any system containing sensitive data is in scope.
PCI DSS
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) regulates organizations that handle cardholder data in order to prevent breaches and fraud.
Who should care about PCI DSS?
Any entity that processes, stores, or transmits payment card data needs to adhere to PCI DSS regulations.
What systems does this affect?
PCI DSS regulations affect any system and network that interacts with cardholder data.
SOX
What is SOX?
The Sarbanes-Oxley Act (SOX) was created by the US Government to reduce fraud in financial recordkeeping and reporting for SEC-registered companies.
Who should care about SOX?
Publicly traded American or overseas companies registered with the Securities and Exchange Commission (SEC) and the companies that provide financial services to them are under obligation to meet SOX compliance.
What systems does this affect?
Systems that store and report on financial data for these companies are subject to SOX compliance requirements.
Compliance & Audit Reporting Services
Take the Next Step Toward Compliance
Ace your next audit with Fortra and take the guesswork out of the compliance process.