Below is an incomplete overview of laws and regulations that define policies on authentication practices, such as password storage. It looks like Google and G Suite users are non-compliant...
International
- ISO 27001 / 27002 ch9
- ISO 27017 ch9
EU
- GDPR Appropriate controls Article 32, ‘security of processing’
- ENISA IAF 6, R-11 SO11
- PSD2 – Strong Customer Authentication
- eIDAS safeguard S 2.11
France
- SecNumCloud 9.5.a
Germany
- BSI C5 IDM-11
US
- SOX 404
- NIST SP 800-53 R3
- NIST SP 800-63b
- US DoD Instruction 8500.2
- Army Regulation 25-2
- GLBA - Gramm-Leach-Bliley Act
- CJIS - Criminal Justice Information Services
- COPPA 312
California
- Information Privacy: Connected Devices (SB-327)
Canada
- PIPEDA Section 5
Ontario
- GO-ITS 25 3.1
India
- Information Technology Act
Australia
- Protective Security Policy Framework
New Zealand
- NZISM 5.2.3 and 16.1
Industry specific regulations
- PCI DSS 3, 7, 8, 12
- HIPAA 45CFR164
- NERC (North American Electric Reliability Corporation) CIP-007-3
Best Practices
- OWASP Password Storage Cheat Sheet
- SANS Password Construction Guidelines
- CSA CCM IS07
- AICPA SOC2SM S3.2.0
- BITS AUP & SIG v6
- COBIT DS05
- HITRUST 01a
- ITAR CFR 120.17, EAR 15 CFR 736.2
- xkcd 936