|
154 | 154 | "description": "The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.\r\n\r\nSuperseding the Data Protection Directive 95/46/EC, the regulation contains provisions and requirements pertaining to the processing of personally identifiable information of data subjects inside the European Union, and applies to all enterprises, regardless of location, that are doing business with the European Economic Area. Business processes that handle personal data must be built with data protection by design and by default, meaning that personal data must be stored using pseudonymisation or full anonymisation, and use the highest-possible privacy settings by default, so that the data is not available publicly without explicit consent, and cannot be used to identify a subject without additional information stored separately. No personal data may be processed unless it is done under a lawful basis specified by the regulation, or if the data controller or processor has received explicit, opt-in consent from the data's owner. The data owner has the right to revoke this permission at any time.", |
155 | 155 | "reference": "https://www.eugdpr.org/" |
156 | 156 | } |
| 157 | + }, |
| 158 | + { |
| 159 | + "model": "dojo.regulation", |
| 160 | + "pk": 14, |
| 161 | + "fields": { |
| 162 | + "name": "System and Organization Controls", |
| 163 | + "acronym": "SOC2", |
| 164 | + "jurisdiction": "United States", |
| 165 | + "category": "finance", |
| 166 | + "reference": "https://en.wikipedia.org/wiki/System_and_Organization_Controls", |
| 167 | + "description": "System and Organization Controls (SOC, also sometimes referred to as service organizations controls) as defined by the American Institute of Certified Public Accountants (AICPA), is the name of a suite of reports produced during an audit. It is intended for use by service organizations (organizations that provide information systems as a service to other organizations) to issue validated reports of internal controls over those information systems to the users of those services. The AICPA auditing standard Statement on Standards for Attestation Engagements no. 18 (SSAE 18), section 320, \"Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting\", defines two levels of reporting, type 1 and type 2. Additional AICPA guidance materials specify three types of reporting: SOC 1, SOC 2, and SOC 3." |
| 168 | + } |
| 169 | + }, |
| 170 | + { |
| 171 | + "model": "dojo.regulation", |
| 172 | + "pk": 15, |
| 173 | + "fields": { |
| 174 | + "name": "Information Security Standard 27001", |
| 175 | + "acronym": "ISO 27001", |
| 176 | + "jurisdiction": "International", |
| 177 | + "category": "security", |
| 178 | + "reference": "https://en.wikipedia.org/wiki/ISO/IEC_27001", |
| 179 | + "description": "ISO/IEC 27001 is an international information security standard. The aim of which is to help organizations make the information assets they hold more secure. Organizations that meet the standard's requirements can choose to be certified by an accredited certification body following successful completion of an audit. It was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, and was revised in 2013. The current version of the standard is ISO/IEC 27001:2022." |
| 180 | + } |
| 181 | + }, |
| 182 | + { |
| 183 | + "model": "dojo.regulation", |
| 184 | + "pk": 16, |
| 185 | + "fields": { |
| 186 | + "name": "CISA Secure Software Development Attestation", |
| 187 | + "acronym": "CISA-SSDA", |
| 188 | + "jurisdiction": "United States", |
| 189 | + "category": "government", |
| 190 | + "reference": "https://www.cisa.gov/secure-software-attestation-form", |
| 191 | + "description": "To ensure a safe and secure digital ecosystem for all Americans, CISA released the Secure Software Development Attestation Form on March 11, 2024, taking a major step in the implementation of its requirement that producers of software used by the Federal Government attest to the adoption of secure development practices. CISA developed this form in close consultation with the Office of Management and Budget (OMB) and based upon practices established in the National Institute of Standards and Technology’s Secure Software Development Framework (SSDF). The release of the secure software development attestation form reinforces secure by design principles advanced by CISA, Federal government partners, and international allies. As a step on this journey, Executive Order 14028 and the OMB M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices, and OMB M-23-16, Update to Memorandum M-22-18, required development of an attestation form in which software producers serving the federal government will be required to confirm implementation of specific security practices." |
| 192 | + } |
| 193 | + }, |
| 194 | + { |
| 195 | + "model": "dojo.regulation", |
| 196 | + "pk": 17, |
| 197 | + "fields": { |
| 198 | + "name": "FEDRAMP", |
| 199 | + "acronym": "FEDRAMP", |
| 200 | + "jurisdiction": "United States", |
| 201 | + "category": "government", |
| 202 | + "reference": "https://en.wikipedia.org/wiki/FedRAMP", |
| 203 | + "description": "The Federal Risk and Authorization Management Program (FedRAMP) is a United States federal government-wide compliance program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The FedRAMP PMO mission is to promote the adoption of secure cloud services across the federal government by providing a standardized approach to security and risk assessment. Per the OMB memorandum, any cloud services that hold federal data must be FedRAMP authorized. FedRAMP prescribes the security requirements and processes that cloud service providers must follow in order for the government to use their service." |
| 204 | + } |
| 205 | + }, |
| 206 | + { |
| 207 | + "model": "dojo.regulation", |
| 208 | + "pk": 18, |
| 209 | + "fields": { |
| 210 | + "name": "Supply Chain Levels for Software Artifacts", |
| 211 | + "acronym": "SLSA", |
| 212 | + "jurisdiction": "International", |
| 213 | + "category": "security", |
| 214 | + "reference": "https://slsa.dev/", |
| 215 | + "description": "Supply-chain Levels for Software Artifacts, or SLSA (\"salsa\"). It’s a security framework, a checklist of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure. It’s how you get from \"safe enough\" to being as resilient as possible, at any link in the chain." |
| 216 | + } |
| 217 | + }, |
| 218 | + { |
| 219 | + "model": "dojo.regulation", |
| 220 | + "pk": 19, |
| 221 | + "fields": { |
| 222 | + "name": "NIST 800-218 Security Software Development Framework", |
| 223 | + "acronym": "SSDF", |
| 224 | + "jurisdiction": "United States", |
| 225 | + "category": "security", |
| 226 | + "reference": "https://csrc.nist.gov/pubs/sp/800/218/final", |
| 227 | + "description": "Few software development life cycle (SDLC) models explicitly address software security in detail, so secure software development practices usually need to be added to each SDLC model to ensure that the software being developed is well-secured. This document recommends the Secure Software Development Framework (SSDF) – a core set of high-level secure software development practices that can be integrated into each SDLC implementation. Following these practices should help software producers reduce the number of vulnerabilities in released software, mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent future recurrences. Because the framework provides a common vocabulary for secure software development, software purchasers and consumers can also use it to foster communications with suppliers in acquisition processes and other management activities." |
| 228 | + } |
| 229 | + }, |
| 230 | + { |
| 231 | + "model": "dojo.regulation", |
| 232 | + "pk": 20, |
| 233 | + "fields": { |
| 234 | + "name": "CIS Controls & Benchmarks", |
| 235 | + "acronym": "CIS Benchmark", |
| 236 | + "jurisdiction": "United States", |
| 237 | + "category": "security", |
| 238 | + "reference": "https://en.wikipedia.org/wiki/Center_for_Internet_Security", |
| 239 | + "description": "The CIS Critical Security Controls, the CIS Controls as they are called today is a set of 18 prioritized safeguards to mitigate the most prevalent cyber-attacks against today's modern systems and networks. The CIS Controls are grouped into Implementation Groups (IGs), which allow organizations to use a risk assessment in order to determine the appropriate level of IG (one through three) that should be implemented for their organization." |
| 240 | + } |
| 241 | + }, |
| 242 | + { |
| 243 | + "model": "dojo.regulation", |
| 244 | + "pk": 21, |
| 245 | + "fields": { |
| 246 | + "name": "NIST Cybersecurity Framework", |
| 247 | + "acronym": "CSF", |
| 248 | + "jurisdiction": "United States", |
| 249 | + "category": "security", |
| 250 | + "reference": "https://en.wikipedia.org/wiki/NIST_Cybersecurity_Framework", |
| 251 | + "description": "The NIST Cybersecurity Framework (CSF) is a set of voluntary guidelines designed to help organizations assess and improve their ability to prevent, detect, and respond to cybersecurity risks. Developed by the U.S. National Institute of Standards and Technology (NIST), the framework was initially published in 2014 for critical infrastructure sectors but has since been widely adopted across various industries, including government and private enterprises globally. The framework integrates existing standards, guidelines, and best practices to provide a structured approach to cybersecurity risk management." |
| 252 | + } |
| 253 | + }, |
| 254 | + { |
| 255 | + "model": "dojo.regulation", |
| 256 | + "pk": 22, |
| 257 | + "fields": { |
| 258 | + "name": "OWASP Application Security Verification Standard", |
| 259 | + "acronym": "ASVS", |
| 260 | + "jurisdiction": "International", |
| 261 | + "category": "security", |
| 262 | + "reference": "https://owasp.org/www-project-application-security-verification-standard/", |
| 263 | + "description": "The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development. The primary aim of the OWASP Application Security Verification Standard (ASVS) Project is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications." |
| 264 | + } |
| 265 | + }, |
| 266 | + { |
| 267 | + "model": "dojo.regulation", |
| 268 | + "pk": 23, |
| 269 | + "fields": { |
| 270 | + "name": "OWASP Top 10", |
| 271 | + "acronym": "OWASP T10", |
| 272 | + "jurisdiction": "International", |
| 273 | + "category": "security", |
| 274 | + "reference": "https://owasp.org/www-project-top-ten/", |
| 275 | + "description": "The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications. Companies should adopt this document and start the process of ensuring that their web applications minimize these risks. Using the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces more secure code." |
| 276 | + } |
| 277 | + }, |
| 278 | + { |
| 279 | + "model": "dojo.regulation", |
| 280 | + "pk": 24, |
| 281 | + "fields": { |
| 282 | + "name": "OWASP API Security Top 10", |
| 283 | + "acronym": "OWASP API T10", |
| 284 | + "jurisdiction": "International", |
| 285 | + "category": "security", |
| 286 | + "reference": "https://owasp.org/www-project-api-security/", |
| 287 | + "description": "The primary goal of the OWASP API Security Top 10 is to educate those involved in API development and maintenance, for example, developers, designers, architects, managers, or organizations. This awareness document was first published back in 2019. Since then, the API Security industry has flourished and become more mature. We strongly believe this work has positively contributed to it, due to it being quickly adopted as an industry reference." |
| 288 | + } |
| 289 | + }, |
| 290 | + { |
| 291 | + "model": "dojo.regulation", |
| 292 | + "pk": 25, |
| 293 | + "fields": { |
| 294 | + "name": "California Consumer Privacy Act", |
| 295 | + "acronym": "CCPA", |
| 296 | + "jurisdiction": "United States", |
| 297 | + "category": "privacy", |
| 298 | + "reference": "https://en.wikipedia.org/wiki/California_Consumer_Privacy_Act", |
| 299 | + "description": "The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of the state of California in the United States. The intentions of the Act are to provide California residents with the right to: (1)Know what personal data is being collected about them. (2)Know whether their personal data is sold or disclosed and to whom. (3)Say no to the sale of personal data. (4)Access their personal data. (5)Request a business to delete any personal information about a consumer collected from that consumer. (6)Not be discriminated against for exercising their privacy rights." |
| 300 | + } |
| 301 | + }, |
| 302 | + { |
| 303 | + "model": "dojo.regulation", |
| 304 | + "pk": 26, |
| 305 | + "fields": { |
| 306 | + "name": "California Privacy Rights Act", |
| 307 | + "acronym": "CPRA", |
| 308 | + "jurisdiction": "United States", |
| 309 | + "category": "privacy", |
| 310 | + "reference": "https://en.wikipedia.org/wiki/California_Privacy_Rights_Act", |
| 311 | + "description": "The California Privacy Rights Act of 2020 (CPRA), also known as Proposition 24, is a California ballot proposition that was approved by a majority of voters in California. This proposition expands California's consumer privacy law and builds upon the California Consumer Privacy Act (CCPA) of 2018, which established a foundation for consumer privacy regulations. The proposition enshrines more provisions in California state law, allowing consumers to prevent businesses from sharing their personal data, correct inaccurate personal data, and limit businesses' usage of \"sensitive personal information\", which includes precise geolocation, race, ethnicity, religion, genetic data, private communications, sexual orientation, and specified health information." |
| 312 | + } |
157 | 313 | } |
158 | 314 | ] |
0 commit comments