Regulations
Regulations track the progress of requirements and tasks against certain internal and external policies. Users can update the default set of regulations, or create their own.
For example, you may want to augment regulations to include your organization’s best practices and guidelines. To do this, create custom tasks (see Add a custom task) and add a new section to the regulation containing your custom tasks.
Default regulations
The following regulations are included in SD Elements by default:
Regulation | Description
American National Standards Institute / International Society of Automation (ANSI/ISA) 62443-3-3 | Defines detailed technical requirements for Industrial Automation and Control Systems (IACS).
American National Standards Institute / International Society of Automation (ANSI/ISA) 62443-4-2 | Provides detailed technical requirements for different control system components.
Cloud Security Alliance Cloud Control Matrix (CSA CCM) | Provides fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider.
Cybersecurity Maturity Model Certification (CMMC) | Developed by the Department of Defense (DoD) to certify that contractors have the appropriate levels of cybersecurity controls to protect federal controlled unclassified information (CUI).
Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) | US Department of Defense (DoD) process for certification and accreditation of its information systems, published as the DoDI 8500.2 document.
FedRAMP | A US government program that provides a standard approach to security assessment, authorization, and continuous monitoring for cloud service providers (CSPs) used by US federal agencies.
Gramm-Leach-Bliley Act (GLBA) | US regulation for protecting non-public financial data.
Health Insurance Portability and Accountability Act (HIPAA) | US regulation for safeguarding protected health information (PHI).
ISO 27001 / Sarbanes-Oxley | ISO 27001 is an international standard for information security with some specific sections that affect application security. Sarbanes-Oxley (SOX) is a US regulation for ensuring the accuracy of financial reporting by publicly traded companies.
ISO 27001:2005 / SOX | Information Security Management System (ISMS) standard by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
ISO 27001:2013 / SOX | Specifies the requirements for the information security management system (ISMS) in an organization.
NIST Cybersecurity Framework (CSF) | Voluntary guidance, based on existing standards, guidelines, and practices, for organizations to better manage and reduce cybersecurity risk.
New York Department of Financial Services Cybersecurity Regulation (NYDFS) | A set of cybersecurity regulations that places cybersecurity requirements on all covered financial institutions processing non-public information regulated by the New York Department of Financial Services (NYDFS), as well as on their service providers.
The Payment Application Data Security Standard (PA-DSS) v3.2 | Global security standard for payment applications created by the Payment Card Industry Security Standards Council (PCI SSC).
Payment Card Industry Data Security Standard (PCI DSS) v3.2 | International standard for organizations that store, process, or transmit credit card data.
Payment Card Industry Secure Software Life Cycle (PCI SSLC) | The Requirements and Assessment Procedures document is part of the PCI Software Security Framework (SSF); it provides a baseline of requirements with corresponding assessment procedures and guidance.
American Institute of Certified Public Accountants (AICPA) SOC 2 Trust Services Criteria | The AICPA Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy are intended for use by CPAs to provide advisory or attestation services that evaluate the controls within an entity's cyber risk management program, or for SOC 2 and SOC 3 engagements.
Anti-Spam Guidelines / Canadian Anti-Spam Legislation (CASL) | CASL protects consumers and businesses from the misuse of digital technology, including spam.
Brazilian LGPD | The Brazilian General Data Protection Law (Lei Geral de Proteção de Dados, LGPD) provides rules and regulations for the processing of personal data in Brazil, or of Brazilian people.
California Consumer Privacy Act (CCPA) | The first major consumer privacy law enacted at the US state level. Effective as of January 1, 2020, its purpose is to enhance consumer privacy rights and privacy notice requirements for residents of the state of California.
California Online Privacy Protection Act (CalOPPA) | A California state law, effective as of July 1, 2004, that applies to operators of commercial websites that collect personally identifiable information from California residents.
Children's Online Privacy Protection Act (COPPA) | US regulation for protecting the personally identifiable information of children under the age of 13.
European Banking Authority (EBA) Security of Internet Payments | Guidelines issued by the European Banking Authority, based on the recommendations of the European Forum on the Security of Retail Payments (SecuRe Pay) and on Directive 2007/64/EC, the Payment Services Directive (PSD) enacted by the European Parliament.
Generally Accepted Privacy Principles (GAPP) | Privacy framework designed to assist management in creating an effective privacy program that addresses privacy risks and business opportunities.
The General Data Protection Regulation (GDPR) | Regulation (EU) 2016/679 is designed to strengthen and unify data protection for individuals within the European Union (EU).
GDPR: Agile Development Report | Integrates General Data Protection Regulation (GDPR) compliance into the Agile methodology for software development.
New York Stop Hacks and Improve Electronic Data Security Act (NY SHIELD) | Requires entities conducting business in the state of New York and in possession of "private information" of New York residents to disclose any security breach, following discovery of the breach, where private information was accessed or acquired without valid authorization.
NIST 800-53 Privacy Controls | A catalog of security and privacy controls for all U.S. federal information systems except those related to national security.
Personal Information Protection and Electronic Documents Act (PIPEDA) | Canadian regulation for protecting personally identifiable information.
Application Security and Development Security Technical Implementation Guide (ASD STIG) | Published as a tool to improve the security of Department of Defense (DoD) information systems.
OWASP Application Security Verification Standard (ASVS 4) | Provides an open standard for the secure development and testing of web applications.
CWE/SANS Top 25 | List of the most critical errors in software development that can create serious vulnerabilities in the final product.
Manufacturer Disclosure Statement for Medical Device Security (MDS2) | Provides a set of security/privacy-related questions that are answered for particular medical products or systems.
OWASP Top 10 (2017) | Represents a broad consensus on the most critical web application security flaws, updated for 2017.
OWASP API Top 10 (2019) | Designed to address the ever-increasing number of organizations that are deploying potentially sensitive APIs as part of their software offerings.
OWASP IoT Attack Surface Areas | Designed to help manufacturers and developers better understand the security issues associated with the Internet of Things (IoT).
OWASP IoT Top 10 (2014) | Designed to help manufacturers and developers better understand the security issues associated with the Internet of Things (IoT).
OWASP Mobile Top 10 (2016) | Centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications.
Monetary Authority of Singapore Technology Risk Management Guidelines (MAS TRMG) | Guidelines that set out risk management principles and best practice standards to guide financial institutions in managing technology risk.
National Institute of Standards and Technology Special Publication 800-53 (NIST 800-53) | A publication that catalogs security controls for US federal information systems.
National Institute of Standards and Technology Special Publication 800-171 (NIST 800-171) | Provides federal agencies with recommended requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) when it resides in nonfederal systems.
National Institute of Standards and Technology Special Publication 800-82 (NIST 800-82) | Provides guidance for configuring IT security controls for industrial control systems (ICS) and related operational systems.
Regulation details
A regulation is the high-level overview of a policy or standard. The regulation contains multiple regulation sections. It has the following details:
- Name: Regulation name.
- Slug: Short unique identifier for the regulation.
- Description: Regulation description.
Regulation section details
A regulation section tracks the detail of a policy or standard against a set of requirements or tasks. It is composed of the following:
- Name: Section name.
- Description: Section description.
- Tasks: Select the tasks to include in the section. Custom tasks start with CT and tasks provided with SD Elements start with T.
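The structure above (a regulation with a slug and one or more sections, each selecting T or CT task IDs) is small enough to model and check before a custom regulation is uploaded, and the same model lets you compute the per-section progress the project report shows. The following is an added illustration written for this page, not SD Elements code or its API. It assumes that task IDs are the prefix followed by digits (T123, CT45), that slugs are lowercase and hyphen-separated, that a task status of "Complete" means done and any other status means open, and it uses a constructed internal policy and project as sample data.

```python
import re
from dataclasses import dataclass, field

# Identifier conventions assumed for this illustration: built-in tasks look
# like "T123", custom tasks like "CT45" (the page only states the prefixes),
# and a slug is short, lowercase and hyphen-separated.
TASK_ID_RE = re.compile(r"^(?:CT|T)\d+$")
SLUG_RE = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+)*$")


@dataclass
class RegulationSection:
    name: str
    description: str
    tasks: list[str] = field(default_factory=list)


@dataclass
class Regulation:
    name: str
    slug: str
    description: str
    sections: list[RegulationSection] = field(default_factory=list)


def validate_regulation(reg: Regulation, existing_slugs=()) -> list[str]:
    """Return human-readable problems with a regulation; an empty list means it is consistent."""
    problems = []
    if not reg.name.strip():
        problems.append("regulation name is empty")
    if not SLUG_RE.match(reg.slug):
        problems.append(f"slug {reg.slug!r} is not a lowercase hyphenated identifier")
    elif reg.slug in existing_slugs:
        problems.append(f"slug {reg.slug!r} is already used by another regulation")
    if not reg.sections:
        problems.append("regulation has no sections, so nothing can be tracked against it")
    for sec in reg.sections:
        if not sec.tasks:
            problems.append(f"section {sec.name!r} selects no tasks")
        for task_id in sec.tasks:
            if not TASK_ID_RE.match(task_id):
                problems.append(f"section {sec.name!r}: {task_id!r} is neither a T nor a CT task id")
    return problems


def coverage_report(reg: Regulation, project_tasks: dict[str, str]) -> dict[str, dict]:
    """Per-section progress of one project against a regulation.

    project_tasks maps task id -> status; "Complete" counts as done and any
    other status as open (assumed status vocabulary). Tasks a section references
    that the project does not contain at all are listed under "missing": they
    are the usual sign of a mis-scoped project or a custom task that was never
    added to the library, and they silently inflate the percentage if ignored.
    """
    report = {}
    for sec in reg.sections:
        present = [t for t in sec.tasks if t in project_tasks]
        done = [t for t in present if project_tasks[t] == "Complete"]
        report[sec.name] = {
            "complete": len(done),
            "applicable": len(present),
            "missing": [t for t in sec.tasks if t not in project_tasks],
        }
    return report


def overall_percent(report: dict[str, dict]) -> float:
    """Completed share of all applicable tasks across sections (0.0 when nothing applies)."""
    applicable = sum(s["applicable"] for s in report.values())
    complete = sum(s["complete"] for s in report.values())
    return round(100.0 * complete / applicable, 1) if applicable else 0.0


# Constructed sample data: an internal policy with two sections, and one
# project's task statuses as they might appear in its report.
INTERNAL_POLICY = Regulation(
    name="Example Internal Secure Coding Policy",
    slug="example-internal-policy",
    description="Organization-specific additions on top of the default regulations.",
    sections=[
        RegulationSection("Authentication", "Credential handling rules", ["T21", "CT3"]),
        RegulationSection("Logging", "Audit logging rules", ["T36", "CT7"]),
    ],
)
PROJECT_TASKS = {"T21": "Complete", "CT3": "Incomplete", "T36": "Complete"}

if __name__ == "__main__":
    print("problems:", validate_regulation(INTERNAL_POLICY, existing_slugs={"pci-dss-3-2"}))
    rep = coverage_report(INTERNAL_POLICY, PROJECT_TASKS)
    for name, row in rep.items():
        print(f"{name}: {row['complete']}/{row['applicable']} complete, missing {row['missing']}")
    print("overall:", overall_percent(rep), "%")
```

Running it reports 1/2 tasks complete for Authentication, 1/1 for Logging with CT7 flagged as missing from the project, and 66.7% overall. The missing list is the check worth keeping: a custom task referenced by a section but absent from the project never appears as incomplete in the report, so the regulation looks better covered than it is.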
Create a custom regulation
Create a custom regulation by following the steps below.
Prerequisite: the user has the permission Global Roles→Customization→Customize content.
- Open the Library→Regulations page.
- Click Add Regulation.
- Fill in the required fields (Name, Slug and Description).
- Click Create Regulation.
The regulation is added to the system and can be reported against in the project report section.
Add a regulation section
Add a section to a custom or default regulation by following the steps below.
Prerequisite: the user has the permission Global Roles→Customization→Customize content.
- Open the Library→Regulations page.
- Search for the regulation and select it.
- Click Add Section.
- Fill in the required information (Name, Description and the tasks to include).
- Click Create Section.
The new section is added to the selected regulation.
Update a section of a default regulation
Update a section of a default regulation by following the steps below.
Prerequisite: the user has the permission Global Roles→Customization→Customize content.
- Open the Library→Regulations page.
- Search for the regulation and select it.
- Search for the section to update.
- Select the new tasks to add to the section.
- Click Save Section.
The existing section now contains the new tasks.
View a regulation in read-only mode
Examine a read-only version of a library regulation by following the steps below.
Prerequisites: the user has the permission Global Roles→User Management→Modify own user settings, and does not have the permission Global Roles→Customization→Customize content.
- Open the Library→Regulations page.
- Click the magnifying glass icon on the left side of the page.
- Search for specific regulations by name.
Regulations matching the filter are displayed in the list view. A regulation you select is presented in full detail, but you cannot modify it in this view.