Regulations

Regulations track the progress of requirements and Countermeasures against certain internal and external policies. Users can update the default set of regulations, or create their own.

For example, you may want to augment regulations to include your organization’s best practices and guidelines. To do this, create custom Countermeasures (see Add a custom Countermeasure) and add a new section to the regulation containing your custom Countermeasures.

Default regulations

The following regulations are included in SD Elements by default:

Regulation | Description
--- | ---
American National Standards Institute/International Standard of Automation (ANSI/ISA) 62443-3-3 | Defines detailed technical requirements for Industrial Automation and Control Systems (IACS).
American National Standards Institute/International Standard of Automation (ANSI/ISA) 62443-4-2 | Provides detailed technical requirements for different control system components.
Cloud Security Alliance Cloud Control Matrix (CSA CCM) | Provides fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider.
NIST Cybersecurity Maturity Model (CMMC) | Developed by the Department of Defense (DoD) to certify that contractors have the appropriate levels of cybersecurity controls to protect federal controlled unclassified information (CUI).
Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) | US Department of Defense (DoD) process for certification and accreditation of their information systems, published as the DoDI-8500.2 document.
FedRAMP | FedRAMP is a US government program that provides a standard approach to security assessment, authorization, and monitoring for cloud services and products (CSPs) used by US federal agencies.
Gramm-Leach-Bliley Act (GLBA) | US regulation for protecting non-public financial data.
Health Insurance Portability and Accountability Act (HIPAA) | US regulation for safeguarding protected health information.
ISO 27001/Sarbanes Oxley | ISO 27001 is an international standard for information security with some specific sections that affect application security. Sarbanes Oxley (SOX) is a US regulation for ensuring accuracy of financial reporting of publicly traded companies.
ISO 27001:2005/SOX | Information Security Management System (ISMS) standard by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
ISO 27001:2013/SOX | Specifies the requirements for the information security management system (ISMS) in an organization.
NIST Cybersecurity Framework (CSF) | The NIST Cybersecurity Framework is voluntary guidance based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk.
New York Department of Financial Services Cybersecurity Regulation (NYDFS) | A set of cybersecurity regulations that places cybersecurity requirements on all covered financial institutions processing non-public information regulated by the New York Department of Financial Services (NYDFS), as well as their service providers.
The Payment Application Data Security Standard (PA-DSS) v3.2 | Global security standard created by the Payment Card Industry Security Standards Council (PCI SSC).
Payment Card Industry Data Security Standard (PCI DSS) v3.2 | International standard for organizations that store, process, or transmit credit card data.
Payment Card Industry Secure Software Life Cycle (PCI-SSLC) | Requirements and Assessment Procedures document that is part of the PCI SSF (Software Security Framework) and provides a baseline of requirements with corresponding assessment procedures and guidance.
American Institute of Certified Public Accountants (AICPA) SOC 2 Trust Services Criteria | The AICPA Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy are intended for use by CPAs to provide advisory or attestation services to evaluate the controls within an entity's cyber risk management program, or for SOC 2 and SOC 3 engagements.
Anti-Spam Guidelines/Canadian Anti-Spam Legislation (CASL) | CASL protects consumers and businesses from the misuse of digital technology, including spam.
Brazilian LGPD | The Brazilian General Data Protection Law (Lei Geral de Proteção de Dados - LGPD) provides rules and regulations for the processing of personal data in Brazil, or of Brazilian people.
California Consumer Privacy Act (CCPA) | The first major consumer privacy law enacted at the US-state level. It is effective as of January 1, 2020 and its purpose is to enhance consumer privacy rights and privacy notice requirements for residents in the state of California.
California Online Privacy Protection Act (CalOPPA) | A California State Law, effective as of July 1, 2004. The law applies to operators of commercial websites that collect personally identifiable information from California's residents.
Children's Online Privacy Protection Act (COPPA) | US regulation for protecting personally identifiable information of children under the age of 13.
European Banking Authority (EBA) | Security of Internet Payments Guidelines by European Forum and Directive 2007/64/EC3 Payment Services Directive (PSD) enacted by European Parliament.
Generally Accepted Privacy Principles (GAPP) | Privacy framework designed to assist management in creating an effective privacy program that addresses privacy risks and business opportunities.
The General Data Protection Regulation (GDPR) | Regulation (EU) 2016/679 is a regulation designed to strengthen and unify data protection for individuals within the European Union (EU).
GDPR: Agile Development Report | Integrates General Data Protection Regulation (GDPR) compliance into the Agile methodology for software development.
New York Stop Hacks and Improve Electronic Data Security Act (NY SHIELD) | Requires entities conducting business in the state of New York and in possession of "private information" of New York residents to disclose any security breach following discovery of the breach where private information was accessed or acquired without valid authorization.
NIST 800-53 Privacy Controls | A catalog of security controls for all U.S. federal information systems except those related to national security.
Personal Information Protection and Electronic Documents Act (PIPEDA) | Canadian regulation for protecting personally identifiable information.
Application Security and Development Security Technical Implementation Guide (ASD-STIG) | Published as a tool to improve the security of Department of Defense (DoD) information systems.
OWASP Application Security Verification Standard (ASVS 4) | Provides an open standard for secure development and testing of web applications.
CWE/SANS Top 25 | List of the most critical errors in software development that can create serious vulnerabilities in the final product.
Manufacturer disclosure statement for medical device security (MDS2) | Provides a set of security/privacy related questions that are answered for particular medical products or systems.
OWASP Top 10 (2017) | Represents a broad consensus on the most critical web application security flaws, updated for 2017.
OWASP API Top 10 (2019) | Designed to address the ever-increasing number of organizations that are deploying potentially sensitive APIs as part of their software offerings.
OWASP IoT Attack Surface Areas | Designed to help manufacturers and developers better understand the security issues associated with the Internet of Things (IoT).
OWASP IoT Top 10 (2014) | Designed to help manufacturers and developers better understand the security issues associated with the Internet of Things (IoT).
OWASP Mobile Top 10 (2016) | Centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications.
Monetary Authority of Singapore Technology Risk Management Guidelines (MAS-TRMG) | Guidelines that set out risk management principles and best practice standards.
National Institute of Standards and Technology Special Publication 800-53 (NIST 800-53) | A publication that catalogs security controls for US federal information systems.
National Institute of Standards and Technology Special Publication (NIST 800-171) | Provides federal agencies with recommended requirements for protecting the confidentiality of Controlled Unclassified Information.
National Institute of Standards and Technology Special Publication (NIST 800-82) | Provides guidance for configuring IT security controls for industrial control systems (ICS) and others.

Regulation details

A regulation is the high-level overview of a policy or standard. The regulation contains multiple regulation sections. It has the following details:

  • Name: Regulation name.

  • Slug: Short unique identifier for the regulation.

  • Description: Regulation description.

Regulation section details

A regulation section tracks the detail of a policy or standard against a set of requirements or Countermeasures. It is composed of the following:

  • Name: Section name.

  • Description: Section description.

  • Countermeasures: Select the Countermeasures to include in the section. Custom Countermeasures start with CT and Countermeasures provided with SD Elements start with T.
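To make the regulation/section/Countermeasure structure concrete, here is a small model, written as an added example for this page and not taken from SD Elements or its API, that validates the ID convention above (custom Countermeasures start with CT, built-in ones with T) and reports how far a project has progressed against each section. The dataclasses, the numeric ID format, the sample regulation and the completed-Countermeasure set are all constructed assumptions for illustration; only the CT/T prefix rule comes from the page.

```python
import re
from dataclasses import dataclass, field

# ID convention from the page: built-in Countermeasures start with "T",
# custom ones with "CT". The numeric suffix is an assumption for this example.
CM_ID = re.compile(r"^(CT|T)\d+$")


@dataclass
class RegulationSection:
    name: str
    description: str
    countermeasures: list[str]

    def __post_init__(self) -> None:
        # Reject malformed IDs early so a typo cannot silently drop a control
        # from the coverage report.
        bad = [c for c in self.countermeasures if not CM_ID.match(c)]
        if bad:
            raise ValueError(f"section {self.name!r}: invalid Countermeasure IDs {bad}")


@dataclass
class Regulation:
    name: str
    slug: str          # short unique identifier, as the page describes
    description: str
    sections: list[RegulationSection] = field(default_factory=list)


def is_custom(cm_id: str) -> bool:
    """True for organization-defined (CT...) Countermeasures, False for built-in (T...)."""
    return cm_id.startswith("CT")


def regulation_report(reg: Regulation, completed: set[str]) -> dict[str, dict]:
    """Per-section progress: how many of the section's Countermeasures are done.

    A section with no Countermeasures is reported as fully covered (nothing to
    track); that is a design choice for this example, not page behaviour.
    """
    report = {}
    for section in reg.sections:
        total = len(section.countermeasures)
        done = [c for c in section.countermeasures if c in completed]
        missing = [c for c in section.countermeasures if c not in completed]
        report[section.name] = {
            "completed": len(done),
            "total": total,
            "coverage": len(done) / total if total else 1.0,
            "missing": missing,            # the gap list an auditor asks for first
            "custom_missing": [c for c in missing if is_custom(c)],
        }
    return report


# Constructed sample: a custom regulation mixing built-in and custom Countermeasures.
SAMPLE_REGULATION = Regulation(
    name="Example Corp Secure Development Guidelines",
    slug="example-sdg",
    description="Internal best practices layered on top of default content (constructed).",
    sections=[
        RegulationSection("Authentication", "Login and session handling",
                          ["T1", "T2", "CT7"]),
        RegulationSection("Logging", "Audit trail requirements",
                          ["T9", "CT3"]),
        RegulationSection("Placeholder", "Section not yet populated", []),
    ],
)

# Constructed: Countermeasures the project has marked complete.
SAMPLE_COMPLETED = {"T1", "CT7", "T9", "T42"}


if __name__ == "__main__":
    for name, row in regulation_report(SAMPLE_REGULATION, SAMPLE_COMPLETED).items():
        print(f"{name}: {row['completed']}/{row['total']} "
              f"({row['coverage']:.0%}) missing={row['missing']}")
```

The report keeps the missing list separate from the percentage because a section at 66% coverage tells a reviewer far less than "CT3 is outstanding", and the `custom_missing` split shows whether gaps are in the organization's own additions or in the default content.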

Create a custom regulation

Create a custom regulation by following the steps below.

Prerequisites:
  • The user has the permission Global Roles→Customization→Customize content.

Steps:
  1. Open the Library→Regulations page.

  2. Click Add Regulation.

  3. Fill in the required fields.

  4. Click Create Regulation.

The regulation is added to the system and can be reported against in the project report section.

Add a regulation section

Add a section to a custom or default regulation by following the steps below.

Prerequisites:
  • The user has the permission Global Roles→Customization→Customize content.

Steps:
  1. Open the Library→Regulations page.

  2. Search for the regulation and select it.

  3. Click Add Section.

  4. Fill in the required information.

  5. Click Create Section.

The new section is added to the selected regulation.

Update a section of a default regulation

Update a section of a default regulation by following the steps below.

Prerequisites:
  • The user has the permission Global Roles→Customization→Customize content.

Steps:
  1. Open the Library→Regulations page.

  2. Search for the regulation and select it.

  3. Search for the section to update.

  4. Select the new Countermeasures to add to the section.

  5. Click Save Section.

The existing section now contains the new Countermeasures.

View a regulation in read-only mode

Examine a read-only version of a library regulation by following the steps below.

Prerequisites:
  • The user has the permission Global Roles→User Management→Modify own user settings.

  • The user does not have the permission Global Roles→Customization→Customize content.

Steps:
  1. Open the Library→Regulations page.

  2. Click on the magnifying glass icon on the left side of the page.

  3. Search for specific regulations by name.

Regulations matching the filter are displayed in the list view. A regulation you select is presented in full detail, but you cannot modify it in this view.
