Category Archives: Other Regulations

Other federal, international, state and local regulations

Final phase of Mass. data protection law kicks in March 1

All companies storing personal data on Massachusetts residents have just over a month to ensure that their contractors, suppliers, technology providers and other third parties comply with a provision of a state data breach law that went into effect in March 2010

via Final phase of Mass. data protection law kicks in March 1.

Q&A: Teresa Carlson of Amazon Web Services Discusses GovCloud | WHIR Web Hosting Industry News

The new AWS GovCloud Region offers the same high level of security as other AWS Regions and supports existing AWS security controls and certifications such as FISMA, SAS-70 Type II, ISO 27001, FIPS 140-2 compliant end points, and PCI DSS Level 1

via Q&A: Teresa Carlson of Amazon Web Services Discusses GovCloud | WHIR Web Hosting Industry News.

California: Consumers Must Be Notified Directly of Data Breaches

Most importantly, the new law PDF available here, courtesy Information Law Group states that notification must be direct. Yes, it can be electronic, but it must provide a way for the notified party to follow up with questions, and give that person a point of contact who represents the company. The company contact must be accessible through toll-free telephone, not just e-mail.

via California: Consumers Must Be Notified Directly of Data Breaches.

Google Apps and Google App Engine complete SSAE-16 audit

One of the ways our customers can be are assured their data is protected is through third-party audits and certifications. Since 2008, Google Apps has successfully undergone annual SAS 70 Type II audits. This year the SAS70 Type II audit has evolved into the SSAE 16 Type II attestation and its international counterpart, ISAE 3402 Type II. We’re happy to announce that Google is one of the first major cloud providers to be certified for compliance to these new audit standards.

via Official Google Enterprise Blog: Security First: Google Apps and Google App Engine complete SSAE-16 audit.

Cost of regulatory security compliance? On average, $3.5M – CSO Online – Security and Risk

The cost of achieving regulatory security compliance is on average $3.5 million each year, according to a survey of 160 individuals leading the IT, privacy and audit efforts at 46 multinational organizations

via Cost of regulatory security compliance? On average, $3.5M – CSO Online – Security and Risk.

Healthcare Providers Receive FTC Red Flags Exemption from Congress

On Tuesday, December 7, the House by voice vote joined the Senate in passage of S.3987, the Red Flag Program Clarification Act of 2010.  On November 30, 2010, the Senate passed this legislation by unanimous consent.  The bill has been cleared to the White House for signature.

via HIPAA.com – Healthcare Providers Receive FTC Red Flags Exemption from Congress.

SAS 70 Is Dead!

Long live SSAE 16 and ISAE 3402!

One of the most misunderstood things about SAS 70 was the fact that it was technically only a valid auditing standard in the United States, even though SAS 70 reports are done for non-US based service providers and are relied upon by businesses and auditors worldwide.  However, on or before June 15, 2011, that will change.  As of that date, Statement on Standards for Attestation Engagements (SSAE) 16 and International Standards on Attestation Engagements (ISAE) 3402 will replace the venerable SAS 70.  SSAE 16 is issued by the American Institute of Certified Public Accountants (AICPA) and ISAE 3402 is issued by the International Federation of Accountants (IFAC).

via SAS 70 Is Dead! « PCI Guru.

NIST reduces and consolidates its labs in reorganization — Government Computer News

The National Institute of Standards and Technology has completed its first major reorganization in 20 years. It has reduced the number of laboratories, realigned the remaining ones along mission-based lines and created a more hierarchical leadership structure.

The reorganization, which became effective Oct. 1, replaces the single deputy director under NIST Director Patrick Gallagher with three career associate directors and reduces the number of laboratories from 10 to six. The Information Technology Lab, which includes the Computer Security Division, is one of the six. The realignment does not change the focus of NIST programs or the underlying missions, said IT Lab Director Cita Furlani.

via NIST reduces and consolidates its labs in reorganization — Government Computer News.