The Center for the Study of Ethics in the Professions at the Illinois Institute of Technology has published a great set of Resources for Writing a Code of Ethics.
Author: Doug Cornelius
Business Ethics Organizations
The Markkula Center for Applied Ethics at Santa Clara University published an annotated list of business ethics resources.
Ethical Relativism
Ethical Relativism is a theory that morality is relative to the norms of one’s culture. The same action may be morally right in one society but may be morally wrong in another.
One of the arguments against ethical relativism is that universal moral standards can exist even if some moral beliefs vary among societies.
In the case of compliance, US laws are mandating high levels of business practices. The problem is often what to do in other societies. In Japan you have to think about what to do with the Yakuza; in Russia you need to worry about everyone. How do you operate a business with high ethical standards in these countries? Should you?
Is There More White Collar Crime Today?
Sam E. Antar, the convicted felon and former CEO of Crazy Eddie, puts forth the theory that the bad economy is causing white collar crimes to float to the surface: Is there really more white collar crime today? No.
The Madoff scheme is an example of a scheme that fell apart when the markets went south. A combination of decreased asset value (at least the few that he actually had) and increased redemptions due to the declining markets prevented him from being able to cover up the scheme.
Mr. Antar draws the parallel to the NYPD pulling more bodies out of the water during the spring months than other months. The warmer spring water just makes them float. The bodies sink in the colder winter months.
The current crash in economic markets is going to cause more bodies to float.
Siemens to Pay Huge Fine in Bribery Inquiry
The DOJ’s Information charging Siemens in the biggest FCPA enforcement action ever tells of more than 4,000 payments worth at least $1.4 billion to foreign officials to obtain or retain business. Siemens also had systematic and intentional violations of the internal controls and books and records provisions that might have prevented or detected the corrupt payments.
Unfortunately, the DOJ is not charging Siemens under the anti-bribery provisions of the FCPA. This would have barred them as a government contractor.
See:
- Siemens: Systemic Global Corruption by Richard Cassin of the FCPA Blog
- Siemens to Pay Huge Fine in Bribery Inquiry by Mike Esterl and David Crawford of the Wall Street Journal
- DOJ’s Information charging Siemens AG.
- DOJ’s Sentencing Memorandum Against Siemens.
- Joint Statement of DOJ and Siemens on the Iraq Oil for Food Program.
Red Flags in the Madoff Case
Gregory Zuckerman of the Wall Street Journal put together a story on the Multiple Red Flags in Madoff Case.
- Steady returns in every kind of market
- Operated as a broker dealer with an asset management division. Why not simply act as a hedge fund and pocket big gains, rather than profit from trading commissions? “Why work your magic for pennies on the dollar?”
- No independent custodian involved who could prove the existence of assets
- Blatant conflict of interest with a manager using a related-party broker-dealer
- The size of the fund was enormous compared to the market in which it operated
- Questions about where the assets were
- Used a small auditing firm
- Inadequate number of employees in relation to the purported size of the operation
- Inadequate office space in relation to the purported size of the operation
- Clients did not have electronic access to their trading files
- Clients experienced delays in getting their money back
- Madoff would tell you nothing about how he achieved his returns
- Lack of transparency
See:
- SEC Complaint hosted at JD supra
- Criminal Complaint hosted at JD supra
The Contribution Revolution
The October issue of the Harvard Business Review has an article by Scott Clark: The Contribution Revolution – Letting Volunteers Build Your Business. Mr. Clark challenges companies to tap into the contributions of people beyond their organizations. (He has clearly drunk the Kool-Aid offered by Don Tapscott in Wikinomics.)
One section caught my attention:
I also began to see that user contributions are fueling some of the world’s fastest-growing and most competitively advantaged organizations—in some cases revolutionizing the economics of entire industries by radically shrinking their cost structures. Think of eBay, which opened as an online store with no inventory, leaving it up to customers to fill its “shelves” with goods to sell. Or Wikipedia, which gutted the value proposition of 230-year-old Encyclopaedia Britannica by offering a free encyclopedia written and updated frequently by unpaid amateurs. [I added the emphasis on these last two words.]
I understand the use of “unpaid” or “amateur”, but not both. People are clearly volunteering their time and energy using web 2.0 tools. Authors and editors do not get paid to contribute to Wikipedia. I do not get paid to write this blog. That does not mean I am an “unpaid amateur.” Many of the contributors to Wikipedia are experts in those fields. They are not “amateurs.”
Legal Insider Trading
Bruce Carton of Compliance Week and Securities Docket put together examples of “Legal Insider Trading” on his Enforcement Action blog.
What Is Your Scope of Compliance?
Unified Compliance Framework put together this list of compliance requirements and regulatory schemes that may need to be part of your compliance program.
Below is a long list of regulatory schemes that may need to be part of your compliance framework:
Sarbanes Oxley Guidance
- Sarbanes-Oxley Act (SOX)
- PCAOB Auditing Standard No. 2
- AICPA SAS 94
- AICPA/CICA Privacy Framework
- AICPA Suitable Trust Services Criteria
- Retention of Audit and Review Records, SEC 17 CFR 210.2-06
- Controls and Procedures, SEC 17 CFR 240.15d-15
- Reporting Transactions and Holdings, SEC 17 CFR 240.16a-3
- COSO Enterprise Risk Management (ERM) Framework
- OMB Circular A-123 Management’s Responsibility for Internal Control
- Securities Exchange Act of 1934
- Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control
- PCAOB Audit Standard No. 3
- PCAOB Audit Standard No. 5
- SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
- SAS 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained
Banking and Finance Guidance
- Basel II: International Convergence of Capital Measurement and Capital Standards – A Revised Framework
- BIS Sound Practices for the Management and Supervision of Operational Risk
- Gramm-Leach-Bliley Act (GLB)
- Standards for Safeguarding Customer Information, FTC 16 CFR 314
- Privacy of Consumer Financial Information, FTC 16 CFR 313
- Safety and Soundness Standards, Appendix of OCC 12 CFR 30
- FFIEC IT Examination Handbook – Information Security
- FFIEC IT Examination Handbook – Development and Acquisition
- FFIEC IT Examination Handbook – Business Continuity Planning
- FFIEC IT Examination Handbook – Audit
- FFIEC IT Examination Handbook – Management
- FFIEC IT Examination Handbook – Operations
- ACH (Automated Clearing House) Operating Rules OCC Bulletin 2004-58
- Bank Secrecy Act (aka Currency and Foreign Transaction Reporting Act)
- Check 21 (Check Clearing for the 21st Century) Act
- FCRA (Fair Credit Reporting Act)
- FDIC and FFIEC Guidance on Authentication in an Internet Banking Environment
- FFIEC IT Examination Handbook – Outsourcing Technology Services
- FFIEC IT Examination Handbook – Supervision of Technology Service Providers
- FFIEC IT Examination Handbook – Wholesale Payment Systems
- FFIEC IT Examination Handbook – Retail Payment Systems
- FFIEC IT Examination Handbook – E-Banking
NASD NYSE Guidance
- NASD Manual
- Recordkeeping rule for securities exchanges, SEC 17 CFR 240.17a-1
- Records to be made by certain exchange members SEC 17 CFR 240.17a-3
- Records to be preserved by certain exchange members SEC 17 CFR 240.17a-4
- Recordkeeping SEC 17 CFR 240.17Ad-6
- Record retention SEC 17 CFR 240.17Ad-7
- NYSE Listed Company Manual
- Securities Act of 1933
- Part II Securities and Exchange Commission 17 CFR Parts 210, 228, 229 and 240 Amendments to Rules Regarding Management’s Report on Internal Control Over Financial Reporting; Final Rule
Healthcare and Life Science Guidance
- HIPAA (Health Insurance Portability and Accountability Act)
- HIPAA HCFA Internet Security Policy
- Introductory Resource Guide for HIPAA NIST (800-66)
- CMS Core Security Requirements (CSR)
- CMS Information Security Acceptable Risk Safeguards (ARS)
- SYSTEM SECURITY PLANS (SSP) METHODOLOGY
- CMS Info Security Business Risk Assessment
- CMS Business Partners Systems Security Manual
- FDA Electronic Records; Electronic Signatures FDA 21 CFR Part 11+D1
Energy Guidance
- FERC Security Program for Hydropower Projects
- North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards
Payment Card Guidance
- PCI DSS (Payment Card Industry Data Security Standard) 1.1 [Redacted: Q3 07]
- Payment Card Industry (PCI) Data Security Standard Security Audit Procedures 1.1 [Redacted: Q3 08]
- Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures Version 1.2 [Released: Q4 08]
- PCI DSS Security Scanning Procedures [Released: Q3 07]
- Payment Card Industry (PCI) Payment Application Data Security Standard 1.1 [Redacted: Q3 08]
- MasterCard Wireless LANs – Security Risks and Guidelines [Released: Q3 07]
- Payment Card Industry Self-Assessment Questionnaire A [Released: Q4 07]
- Payment Card Industry Self-Assessment Questionnaire B [Released: Q4 07]
- Payment Card Industry Self-Assessment Questionnaire C [Released: Q4 07]
- Payment Card Industry Self-Assessment Questionnaire D [Released: Q4 07]
- VISA CISP: What to Do If Compromised [Released: Q3 07]
- Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance No Electronic Storage, Processing, or Transmission of Cardholder Data Version 1.2 October 2008 [Released: Q4 08]
- VISA Incident Response Procedure for Account Compromise [Released: Q3 07]
- Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines or Stand-alone Dial-out Terminals Only, no Electronic Cardholder Data Storage Version 1.2 October 2008 [Released: Q4 08]
- Visa Payment Application Best Practices (PABP) [Redacted: Q4 07]
- Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage Version 1.2 October 2008 [Released: Q4 08]
- VISA E-Commerce Merchants Guide to Risk Management [Released: Q3 08]
- Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers Version 1.2 October 2008 [Released: Q4 08]
- MasterCard Electronic Commerce Security Architecture Best Practices [Released: Q3 07]
- American Express Data Security Standard (DSS) [Released: Q3 07]
- BBB Online Code of Business Practices [Released: Q3 07]
US Federal Security Guidance
- FTC Electronic Signatures in Global and National Commerce Act (ESIGN) [Released: Release 1]
- Uniform Electronic Transactions Act (UETA) [Released: Release 1]
- FISMA (Federal Information Security Management Act) [Released: Release 1]
- FISCAM (Federal Information System Controls Audit Manual) [Released: Release 1]
- FIPS 140-2, Security Requirements for Cryptographic Modules [Released: Release 1]
- FIPS 191, Guideline for the Analysis of LAN Security [Released: Release 1]
- FIPS 199, Standards for Security Categorization of Federal Information and Information Systems [Released: Release 1]
- FIPS 200, Minimum Security Requirements for Federal Information and Information Systems [Released: Q3 07]
- Clinger-Cohen Act (Information Technology Management Reform Act) [Released: Release 1]
- DoD 5220.22-M, National Industrial Security Program Operating Manual [Released: Q3 07]
- The National Strategy to Secure Cyberspace [Released: Release 1]
- GAO Financial Audit Manual [Released: Release 1]
- Standard for Electronic Records Management Software, DOD 5015.2 [Released: Release 1]
- Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Reform Committee, United States House of Representatives [Released: Release 1]
- CISWG Information Security Program Elements [Released: Q3 07]
- Appendix III to OMB Circular No. A-130: Security of Federal Automated Information Resources [Released: Release 1]
- NCUA Guidelines for Safeguarding Member Information, 12 CFR 748 [Released: Release 1]
- CT-PAT Best Practices Guide [Released: Q4 07]
- US Export Administration Regulations [Released: Q4 07]
- US The International Traffic in Arms Regulations [Released: Q4 07]
US Internal Revenue Guidance
- IRS Revenue Procedure: Retention of books and records, 97-22 [Released: Release 1]
- IRS Revenue Procedure: Record retention: automatic data processing, 98-25 [Released: Release 1]
- IRS Internal Revenue Code Section 501(c)(3) [Released: Release 1]
Records Management Guidance
- Federal Rules of Civil Procedure [Released: Release 1]
- Uniform Rules of Evidence [Released: Release 1]
- ISO 15489-1, Information and Documentation: Records management: General [Released: Release 1]
- ISO 15489-2, Information and Documentation: Records management: Guidelines [Released: Release 1]
- The DIRKS Manual: A Strategic Approach to Managing Business Information [Released: Release 1]
- The Sedona Principles Addressing Electronic Document Production [Released: Release 1]
- 16 CFR Part 682 Disposal of consumer report information and records [Released: Q3 08]
NIST Guidance
- Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14 [Released: Release 1]
- Developing Security Plans for Federal Information Systems, NIST SP 800-18 [Released: Release 1]
- Security Self-Assessment Guide, NIST SP 800-26 [Released: Release 1]
- Risk Management Guide, NIST SP 800-30 [Released: Release 1]
- Underlying Technical Models for Information Technology Security [Released: Release 1]
- Contingency Planning Guide for Information Technology Systems, NIST SP 800-34 [Released: Release 1]
- Creating a Patch and Vulnerability Management Program, NIST SP 800-40 [Released: Release 1]
- Guidelines on Firewalls and Firewall Policy, NIST SP 800-41 [Released: Release 1]
- Recommended Security Controls for Federal Information Systems, NIST SP 800-53 [Released: Release 1]
- Guide for Mapping Types of Information and Information Systems to Security Categories, NIST SP 800-60 [Released: Release 1]
- Computer Security Incident Handling Guide, NIST SP 800-61 [Released: Release 1]
- Security Considerations in the Information System Development Life Cycle, NIST SP 800-64 [Released: Release 1]
- Guide for Developing Performance Metrics for Information Security, NIST SP 800-80 [Released: Q4 07]
- Security Metrics Guide for Information Technology Systems, NIST SP 800-55 [Released: Q4 07]
- Guide for Assessing the Security Controls in Federal Information Systems, NIST 800-53A [Released: Q3 08]
- Performance Measurement Guide for Information Security, NIST 800-55 Rev. 1 [Released: Q4 08]
ISO Guidance
- ISO 73:2002, Risk Management – Vocabulary [Released: Release 1]
- ISO 17799:2000, Code of Practice for Information Security Management [Released: Release 1]
- ISO 17799:2005 Code of Practice for Information Security Management [Released: Q1 08]
- ISO 27001:2005, Information Security Management Systems – Requirements [Released: Q1 08]
- ISO/IEC 20000-12:2005 Information technology – Service Management Part 1 [Released: Release 1]
- ISO/IEC 20000-2:2005 Information technology – Service Management Part 2 [Released: Release 1]
- ISO/IEC 15408-1:2005 Common Criteria for Information Technology Security Evaluation Part 1 [Released: Q1 08]
- ISO/IEC 15408-2:2005 Common Criteria for Information Technology Security Evaluation Part 2 [Released: Q1 08]
- ISO/IEC 15408-3:2005 Common Criteria for Information Technology Security Evaluation Part 3 [Released: Q1 08]
- ISO/IEC 27002-2005 Code of practice for information security management [Released: Q1 08]
- ISO/IEC 18045:2005 Common Methodology for Information Technology Security Evaluation Part 3 [Released: Q3 08]
- ISO 13335-1:2004, Information technology — Security techniques — Management of information and communications technology security — Part 1: Concepts and models for information and communications technology security management [Released: Q1 08]
- ISO 13335-3:1998, Information technology — Guidelines for the management of IT Security — Part 3: Techniques for the management of IT Security [Released: Q1 08]
- ISO 13335-4:2000, Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards [Released: Q1 08]
- ISO 13335-5:2001, Information technology — Guidelines for the management of IT Security — Part 5: Management guidance on network security [Released: Q1 08]
ITIL Guidance
- OGC ITIL: Planning to Implement Service Management [Released: Release 1]
- OGC ITIL: ICT Infrastructure Management [Released: Release 1]
- OGC ITIL: Service Delivery [Released: Release 1]
- OGC ITIL: Service Support [Released: Release 1]
- OGC ITIL: Application Management [Released: Release 1]
- OGC ITIL: Security Management [Released: Release 1]
- CobiT 3rd Edition [Redacted: Release 1]
- CobiT 4.1 [Released: Release 1]
- ISACA IS Standards, Guidelines, and Procedures for Auditing and Control Professionals [Released: Release 1]
- Disaster / Emergency Management and Business Continuity, NFPA 1600 [Released: Release 1]
- ISF Standard of Good Practice for Information Security [Redacted: Release 1]
- ISF Security Audit of Networks [Released: Release 1]
- A Risk Management Standard, jointly issued by AIRMIC, ALARM, and IRM [Released: Release 1]
- Business Continuity Institute (BCI) Good Practice Guidelines [Released: Release 1]
- ISSA Generally Accepted Information Security Principles (GAISP) [Released: Release 1]
- CERT Operationally Critical Threat, Asset & Vulnerability Evaluation (OCTAVE) [Released: Release 1]
- The GAIT Methodology [Released: Release 1]
- AICPA Incident Response Plan: Template for Breach of Personal Information [Released: Release 1]
- IIA Global Technology Audit Guide (GTAG): Information Technology Controls [Released: Release 1]
- The Standard of Good Practice for Information Security [Released: Q4 08]
US Federal Privacy Guidance
- Cable Communications Privacy Act Title 47 § 551 [Released: Release 1]
- Telemarketing Sales Rule (TSR), 16 CFR 310 [Released: Release 1]
- CAN SPAM Act [Released: Release 1]
- Children’s Online Privacy Protection Act (COPPA), 16 CFR 312 [Released: Release 1]
- Driver’s Privacy Protection Act (DPPA), 18 USC 2721 [Released: Release 1]
- Family Education Rights Privacy Act (FERPA), 20 USC 1232 [Released: Release 1]
- Privacy Act of 1974, 5 USC 552a [Released: Release 1]
- Video Privacy Protection Act (VPPA), 18 USC 2710 [Released: Release 1]
- Specter-Leahy Personal Data Privacy and Security Act [Released: Release 1]
- Amendments to the FTC Telemarketing Sales Rule [Released: Release 1]
- Children’s Online Privacy Protection Act [Released: Release 1]
- FACT Act (Fair and Accurate Credit Transactions Act of 2003) [Released: Q3 08]
US State Laws Guidance
- Arkansas Personal Information Protection Act AR SB 1167 [Released: Release 1]
- Arizona Amendment to Arizona Revised Statutes 13-2001, AZ HB 2116 [Released: Release 1]
- California Information Practice Act, CA SB 1386 [Released: Release 1]
- California General Security Standard for Businesses CA AB 1950 [Released: Release 1]
- California Public Records Military Veteran Discharge Documents, CA AB 1798 [Released: Release 1]
- California OPP Recommended Practices on Notification of Security Breach [Released: Release 1]
- Colorado Prohibition against Using Identity Information for Unlawful Purpose, CO HB 1134 [Released: Release 1]
- Colorado Consumer Credit Solicitation Protection, CO HB 1274 [Released: Release 1]
- Colorado Prohibiting Inclusion of Social Security Number, CO HB 1311 [Released: Release 1]
- Connecticut law Requiring Consumer Credit Bureaus to Offer Security Freezes, CT SB 650 [Released: Release 1]
- Connecticut law Concerning Nondisclosure of Private Tenant Information, CT HB 5184 [Released: Release 1]
- Delaware Computer Security Breaches DE HB 116 [Released: Release 1]
- Florida Personal Identification Information/Unlawful Use, FL HB 481 [Released: Release 1]
- Georgia Consumer Reporting Agencies, GA SB 230 [Released: Release 1]
- Georgia Public employees; Fraud, Waste, and Abuse, GA HB 656 [Released: Release 1]
- Hawaii Exempting disclosure of Social Security numbers HI HB 2674 [Released: Release 1]
- Illinois Personal Information Protection Act IL HB 1633 [Released: Release 1]
- Indiana Release of Social Security Number, Notice of Security Breach IN SB 503 [Released: Release 1]
- Louisiana Database Security Breach Notification Law, LA SB 205 Act 499 [Released: Release 1]
- Maine law To Protect Maine Citizens from Identity Theft, ME LD 1671 [Released: Release 1]
- Minnesota Data Warehouses; Notice Required for Certain Disclosures, MN HF 2121 [Released: Release 1]
- Missouri War on Terror Veteran Survivor Grants, MO HB 957 [Released: Release 1]
- Montana bill to Implement Individual Privacy and to Prevent Identity Theft, MT HB 732 [Released: Release 1]
- New Jersey Identity Theft Prevention Act, NJ A4001/S1914 [Released: Release 1]
- New York Information Security Breach and Notification Act [Released: Release 1]
- Nevada Security Breach Notification Law, NV SB 347 [Released: Release 1]
- North Carolina Security Breach Notification Law (Identity Theft Protection Act), NC SB 1048 [Released: Release 1]
- North Dakota Personal Information Protection Act, ND SB 2251 [Released: Release 1]
- Ohio Personal information – contact if unauthorized access, OH HB 104 [Released: Release 1]
- Rhode Island Security Breach Notification Law, RI HB 6191 [Released: Release 1]
- Tennessee Security Breach Notification, TN SB 2220 [Released: Release 1]
- Texas Identity Theft Enforcement and Protection Act, TX SB 122 [Released: Release 1]
- Vermont Relating to Identity Theft, VT HB 327 [Released: Release 1]
- Virginia Identity theft; penalty; restitution; victim assistance, VA HB 872 [Released: Release 1]
- Washington Notice of a breach of the security, WA SB 6043 [Released: Release 1]
- § 1724 California Civil Code [Released: Q3 07]
- Texas Business and Commerce Code, secs. 48.102, 48.103 [Released: Q3 07]
- Minnesota Plastic Card Security Act (H.F. 1758) [Released: Q3 07]
- California Personal Information: Disclosure to Direct Marketers Act (SB 27) [Released: Q3 08]
EU Guidance
- EU Directive on Privacy and Electronic Communications, 2002/58/EC [Released: Release 1]
- EU Directive on Data Protection, 95/46/EC [Released: Release 1]
- US Department of Commerce EU Safe Harbor Privacy Principles [Released: Release 1]
- Consumer Interests in the Telecommunications Market, Act No. 661 [Released: Release 1]
- OECD / World Bank Technology Risk Checklist [Released: Release 1]
- OECD Guidelines on Privacy and Transborder Flows of Personal Data [Released: Release 1]
- UN Guidelines for the Regulation of Computerized Personal Data Files (1990) [Released: Release 1]
- ISACA Cross-Border Privacy Impact Assessment [Released: Release 1]
- Information Technology Security Evaluation Manual (ITSEM) [Released: Release 1]
- Information Technology Security Evaluation Criteria (ITSEC) [Released: Release 1]
- Directive 2003/4/EC Of The European Parliament [Released: Release 1]
- EU 8th Directive (European SOX) [Released: Q4 08]
- OECD Principles of Corporate Governance [Released: Q4 08]
UK and Canadian Guidance
- Financial Reporting Council, Combined Code on Corporate Governance [Released: Q4 08]
- Turnbull Guidance on Internal Control, UK FRC [Released: Release 1]
- Smith Guidance on Audit Committees, UK FRC [Released: Release 1]
- UK Data Protection Act of 1998 [Released: Release 1]
- IT Service Management Standard, BS 15000-1 [Released: Release 1]
- IT Service Management Standard – Code of Practice, BS 15000-2 [Released: Release 1]
- British Standards Institute PAS 56, Guide to Business Continuity Management [Released: Release 1]
- Canada Keeping the Promise for a Strong Economy Act, Bill 198 [Released: Release 1]
- Canada Personal Information Protection Electronic Documents Act (PIPEDA) [Released: Release 1]
- Canada Privacy Policy and Principles [Released: Release 1]
- Canadian Marketing Association Code of Ethics and Standards of Practice [Released: Q4 08]
Other European and African Guidance
- Austria Data Protection Act [Released: Release 1]
- Austria Telecommunications Act [Released: Release 1]
- Bosnia Law on Protection of Personal Data [Released: Release 1]
- Czech Republic Personal Data Protection Act [Released: Release 1]
- Denmark Act on Competitive Conditions and Consumer Interests [Released: Release 1]
- Finland Personal Data Protection Act [Released: Release 1]
- Finland act on the amendment of the Personal Data Act (986/2000) [Released: Release 1]
- France Data Protection Act [Released: Release 1]
- German Federal Data Protection Act [Released: Release 1]
- IT Baseline Protection Manual Germany [Released: Release 1]
- Greece Law on the Protection of Individuals with Regard to the Processing of Personal Data [Released: Release 1]
- Hungary Protection of Personal Data and Disclosure of Data of Public Interest [Released: Release 1]
- Iceland Protection of Privacy as regards the Processing of Personal Data [Released: Release 1]
- Ireland Data Protection Act of 1988 [Released: Release 1]
- Ireland Data Protection Amendment 2003 [Released: Release 1]
- Italy Personal Data Protection Code [Released: Release 1]
- Italy Protection of Individuals Other Subject with regard to the Processing of Personal Data [Released: Release 1]
- Lithuania Law on Legal Protection of Personal Data [Released: Release 1]
- Luxembourg Data Protection Law [Released: Release 1]
- Netherlands Personal Data Protection Act [Released: Release 1]
- Poland Protection of Personal Data Act [Released: Release 1]
- Slovak Republic Protection of Personal Data in Information Systems [Released: Release 1]
- Personal Data Protection Act of the Republic of Slovenia of 2004 [Released: Release 1]
- South Africa Promotion of Access to Information Act [Released: Release 1]
- ORGANIC LAW 15/1999 of 13 December on the Protection of Personal Data [Released: Release 1]
- Sweden Personal Data Act [Released: Release 1]
- Switzerland Federal Act on Data Protection [Released: Release 1]
- German Corporate Governance Code (“The Code”) [Released: Q4 08]
- The Dutch corporate governance code, Principles of good corporate governance and best practice provisions [Released: Q4 08]
- The King Committee on Corporate Governance, Executive Summary of the King Report 2002 [Released: Q4 08]
- Swedish Code of Corporate Governance; A Proposal by the Code Group [Released: Q4 08]
Asia and Pacific Rim Guidance
- Australia Better Practice Guide – Business Continuity Management [Released: Release 1]
- Australia Spam Act [Released: Release 1]
- Australia Spam Act 2003: A practical guide for business [Released: Release 1]
- Australia Privacy Act [Released: Release 1]
- Australia Telecommunications Act [Released: Release 1]
- Hong Kong Personal Data (Privacy) Ordinance [Released: Release 1]
- Japan ECOM Guidelines Concerning the Protection of Personal Data in Electronic Commerce in the Private Sector (version 1.0) [Released: Release 1]
- Japan Handbook Concerning Protection Of Personal Data [Released: Release 1]
- Japan Personal Information Protection Act (Law No. 57 of 2003) [Released: Release 1]
- Korea Act on Promotion of Information & Communication Network Utilization and Information Protection, etc [Released: Release 1]
- Korea Act on the Protection of Personal Information Maintained by Public Agencies 1994 [Released: Release 1]
- Korea Act Relating to Use and Protection of Credit Information [Released: Release 1]
- New Zealand Privacy Act 1993 [Released: Release 1]
- Taiwan Computer-Processed Personal Data Protection Law 1995 [Released: Release 1]
- India Information Technology Act (ITA-2000) [Released: Release 1]
- Australian Government ICT Security Manual (ACSI 33) [Released: Q3 08]
- Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004 [Released: Q4 08]
- Corporate Governance in listed Companies – Clause 49 of the Listing Agreement [Released: Q4 08]
- CODE OF CORPORATE GOVERNANCE 2005 [Released: Q4 08]
- Argentina Personal Data Protection Act [Released: Release 1]
- Mexico Federal Personal Data Protection Law [Released: Release 1]
System Configuration Guidance
- CI Security Persistent Identifiers [Released: Q3 07]
- CI Security Solaris Benchmark v2.1 [Released: Q3 07]
- CI Security Solaris Benchmark v1.3 [Released: Q3 07]
- CI Security HP-UX Benchmark v1.3 [Released: Q3 07]
- CI Security Red Hat Enterprise Linux Benchmark v1.0 [Released: Q3 07]
- CI Security Red Hat Enterprise Linux Benchmark v1.0.5 [Released: Q3 07]
- CI Security SuSE Linux Enterprise Server Benchmark v1.0 [Released: Q3 07]
- CI Security Slackware Linux Benchmark v1.1 [Released: Q3 07]
- CI Security AIX Benchmark v1.0 [Released: Q3 07]
- CI Security FreeBSD Benchmark v1.0 [Released: Q3 07]
- Defense Information Systems Agency UNISYS Security Technical Implementation Guide Version 7 Release 2 [Released: Q4 07]
- Defense Information Systems Agency UNISYS Security Technical Implementation Guide Version 5 Release 1 [Released: Q4 07]
- CI Security Windows XP Professional SP1/SP2 [Released: Q3 07]
- Guidance for Securing Microsoft Windows XP Systems for IT Professionals, NIST SP 800-68 [Released: Q4 07]
- NSA Guide to Security Microsoft Windows XP [Released: Q4 07]
- CI Security Windows 2000 Professional [Released: Q4 07]
- DISA Windows XP Security Checklist Version 6 [Released: Q1 08]
- CI Security Windows 2000 Server [Released: Q3 07]
- CI Security Windows Server 2003 [Released: Q4 07]
- CI Security Windows 2000 [Released: Q4 07]
- CI Security Windows NT [Released: Q4 07]
- DISA Windows VISTA Security Checklist Version 6 [Released: Q1 08]
- NSA Guide to Securing Microsoft Windows 2000 Group Policy [Released: Q4 07]
- Center for Internet Security Mac OS X Tiger Level I Security Benchmark
- Center for Internet Security Open Enterprise Server: NetWare (v1) Consensus Baseline Security Settings
- Mac OS X Security Configuration for version 10.4 or later, second edition
- Microsoft Windows Vista Security Guide Appendix A: Security Group Policy Settings
- DISA Windows Server 2003 Security Checklist Version 6
- DISA WIRELESS STIG BLACKBERRY SECURITY CHECKLIST, Version 5, Release 1.2
- DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2
Guidance Concerning the National Security Review Conducted by the Committee on Foreign Investment in the United States
On December 8, the Committee on Foreign Investment in the United States published a notice in the Federal Register that provides guidance to U.S. businesses and foreign persons that are parties to transactions that are covered by section 721 of the Defense Production Act of 1950, as amended by the Foreign Investment and National Security Act of 2007, and the regulations at 31 CFR part 800.
Section 721 requires CFIUS to review covered transactions notified to it “to determine the effects of the transaction[s] on the national security of the United States,” but does not define “national security,” other than to note that the term includes issues relating to homeland security. Instead, section 721 provides an illustrative list of factors, listed below, for CFIUS to consider.
This notice provides examples and insight into what types of transaction could trigger a CFIUS review.
CFIUS notes that just because a transaction presents national security considerations does not mean that CFIUS will necessarily determine that the transaction poses national security risk.
See:
- Guidance Concerning the National Security Review Conducted by the Committee on Foreign Investment in the United States, Federal Register Vol. 73, No. 236, Monday, December 8, 2008, pp. 74567-74572
- CFIUS Guidance Concerning National Security Considerations, Davis Polk & Wardwell memo, December 10, 2008