

15 April 2014

Symantec™ Control Compliance Suite Regulations and Frameworks


The following government regulations and best practice frameworks are supported in Control Compliance Suite (CCS).

Note: All regulations and best practice frameworks are supported in CCS 11.0 unless specified otherwise.

Regulations are published government mandates such as HIPAA, Sarbanes-Oxley, or GLBA. These regulations describe the business functions and security functions that must be performed.

Frameworks are published best practices such as COBIT, COSO, and the ISO series. These frameworks provide implementation guidance that helps organizations set up and assess their risk management, governance, and compliance programs.

Legend:

Out of box Mandate compliance reports: Displays Yes if the title is mapped to Technical Controls and Platforms in CCS

Assessment Questionnaires: Displays Yes if the title is mapped to Procedural Controls Questionnaire in CCS

 

Regulations and Statutes

Columns: Regulation (Title, Source, Region); CCS Support (Out of box Mandate compliance reports, Assessment Questionnaires); Comments.

| Title | Source | Region | Out of box Mandate compliance reports | Assessment Questionnaires | Comments |
|---|---|---|---|---|---|
| ARRA-HITECH Guidance from the Department of Health and Human Services | US Congress | North America | Yes | Yes | |
| Australian Government Information Security Manual (AUS-ISM) | Australian Government - Department of Defense | Australia | Yes | Yes | |
| FCC 47 CFR Part 64 Subpart U - Customer Proprietary Network Information (CPNI) | US Federal Communications Commission (FCC) | North America | Yes | Yes | |
| FDA 21 CFR Part 11 - Electronic Records; Electronic Signatures | US Food and Drug Administration | North America | Yes | Yes | |
| FDA 21 CFR Part 820 - Quality System Regulation | US Food and Drug Administration | North America | Yes | Yes | |
| FISMA | US Congress | North America | Yes | Yes | |
| FISMA using NIST SP 800-53 rev1 | National Institute of Standards and Technology | Global | No | Yes | |
| NIST SP 800-53 based on FISMA | National Institute of Standards and Technology | Global | No | Yes | |
| GLBA CFTC 17 CFR Sec. 160.30 - Procedures to safeguard customer records and information | US Federal Trade Commission | North America | Yes | Yes | |
| GLBA FDIC 12 CFR Part 364 App. B - Interagency Guidelines Establishing Information Security Standards | US Federal Trade Commission | North America | Yes | Yes | |
| GLBA FRB 12 CFR Part 208 App. D-2 - Interagency Guidelines Establishing Information Security Standards | US Federal Trade Commission | North America | Yes | Yes | |
| GLBA FRB 12 CFR Part 225 App. F - Interagency Guidelines Establishing Information Security Standards | US Federal Trade Commission | North America | Yes | Yes | |
| GLBA FTC 16 CFR Part 314 - Standards for Safeguarding Customer Information | US Federal Trade Commission | North America | Yes | Yes | |
| GLBA NCUA 12 CFR Part 748 App. A and App. B - Guidelines for Safeguarding Member Information and Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice | US Federal Trade Commission | North America | Yes | Yes | |
| GLBA OCC 12 CFR Part 30 App. B - Interagency Guidelines Establishing Information Security Standards | US Federal Trade Commission | North America | Yes | Yes | |
| GLBA OTS 12 CFR Part 570 App. B - Interagency Guidelines Establishing Information Security Standards | US Federal Trade Commission | North America | Yes | Yes | |
| GLBA SEC 17 CFR Sec. 248.30 - Procedures to safeguard customer records and information; disposal of consumer report information | US Federal Trade Commission | North America | Yes | Yes | |
| Interagency Guidelines Establishing Information Security Standards | US Federal Reserve | North America | No | Yes | |
| OTS Small-Entity Compliance Guide | US Securities and Exchange Commission | North America | No | Yes | |
| HIPAA 45 CFR Part 164 - Security Rule | US Congress | North America | Yes | Yes | |
| Identity Theft Red Flags and Address Discrepancies Under the FACT Act - FDIC | US Federal Trade Commission (FTC) | North America | Yes | Yes | |
| Identity Theft Red Flags and Address Discrepancies Under the FACT Act - FRB (Board) | US Federal Trade Commission (FTC) | North America | Yes | Yes | |
| Identity Theft Red Flags and Address Discrepancies Under the FACT Act - FTC | US Federal Trade Commission (FTC) | North America | Yes | Yes | |
| Identity Theft Red Flags and Address Discrepancies Under the FACT Act - NCUA | US Federal Trade Commission (FTC) | North America | Yes | Yes | |
| Identity Theft Red Flags and Address Discrepancies Under the FACT Act - OCC | US Federal Trade Commission (FTC) | North America | Yes | Yes | |
| Identity Theft Red Flags and Address Discrepancies Under the FACT Act - OTS | US Federal Trade Commission (FTC) | North America | Yes | Yes | |
| Massachusetts: 201 CMR 17.00 - Standards for The Protection of Personal Information of Residents of the Commonwealth | US - Commonwealth of Massachusetts | North America | Yes | Yes | |
| Sarbanes-Oxley - The Sarbanes-Oxley Act of 2002 (SOX) | US Congress | North America | Yes | Yes | |
| UK: Data Protection Act 1998 | UK Parliament | Europe | Yes | Yes | |
| China - The Basic Standard for Enterprise Internal Control and Supplemental Guidelines | China - Ministry of Finance | China | Yes | Yes | Added in SCU 2012-4 |

US State Privacy Statutes

| Title | Source | Region | Out of box Mandate compliance reports | Assessment Questionnaires | Comments |
|---|---|---|---|---|---|
| Alaska - Sec. 45.48.010 et seq. Disclosure of breach of security | US Statute | North America | Yes | No | |
| Arizona - 44-7501. Notification of breach of security system; enforcement; civil penalty; preemption; exceptions; definitions | US Statute | North America | Yes | No | |
| Arkansas - A.C.A. § 4-110-101 et seq. Personal Information Protection Act | US Statute | North America | Yes | No | |
| California - Civil Code §§ 1798.29, 1798.82 | US Statute | North America | Yes | No | |
| Colorado - Rev. Stat. § 6-1-716 Notification of security breach | US Statute | North America | Yes | No | |
| Connecticut - Sec. 36a-701b. Breach of security re computerized data containing personal information. Disclosure of breach. Delay for criminal investigation. Means of notice. Unfair trade practice. | US Statute | North America | Yes | No | |
| Delaware - § 12B-101 et seq. | US Statute | North America | Yes | No | |
| District of Columbia - DC ST § 28-3851 et seq. | US Statute | North America | Yes | No | |
| Florida - 817.5681 Breach of security concerning confidential personal information in third-party possession; administrative penalties. | US Statute | North America | Yes | No | |
| Hawaii - § 487N-2 Notice of security breach. | US Statute | North America | Yes | No | |
| Illinois - 815 ILCS 530/1 Personal Information Protection Act | US Statute | North America | Yes | No | |
| Indiana - IC 24-4.9 et seq. Disclosure of Security Breach, IC 4-1-11 et seq. Notice of Security Breach | US Statute | North America | Yes | No | |
| Kansas - Stat. 50-7a01, 50-7a02 Protection of Consumer Information | US Statute | North America | Yes | No | |
| Louisiana - RS 51:3071 et seq. Database Security Breach Notification Law | US Statute | North America | Yes | No | |
| Maine - Chapter 210-B: the Notice of Risk to Personal Data Act | US Statute | North America | Yes | No | |
| Michigan - § 445.72 Notice of security breach; requirements. | US Statute | North America | Yes | No | |
| Minnesota - 325E.61 DATA WAREHOUSES; NOTICE REQUIRED FOR CERTAIN DISCLOSURES. | US Statute | North America | Yes | No | |
| Missouri - § 407.1500 | US Statute | North America | Yes | No | |
| Montana - 30-14-1704 Computer security breach | US Statute | North America | Yes | No | |
| Montana - H.B. 155, Chapter 163 | US Statute | North America | Yes | No | |
| Nebraska - § 87-801 et seq. Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 | US Statute | North America | Yes | No | |
| Nevada - CHAPTER 603A SECURITY OF PERSONAL INFORMATION | US Statute | North America | Yes | No | |
| New Hampshire - Sec. 359-C:19 et seq. Notice of Security Breach | US Statute | North America | Yes | No | |
| New Jersey - 56:8-161 et seq. | US Statute | North America | Yes | No | |
| New York - N.Y. General Business Law 899-aa | US Statute | North America | Yes | No | |
| North Dakota - CHAPTER 51-30 NOTICE OF SECURITY BREACH FOR PERSONAL INFORMATION | US Statute | North America | Yes | No | |
| Ohio - § 1349.19 Private disclosure of security breach of computerized personal information data. | US Statute | North America | Yes | No | |
| Oregon - Sec. 646A.604 Notice of breach of security; delay; methods of notification; contents of notice; application of notice requirement | US Statute | North America | Yes | No | |
| Pennsylvania - Chapter 43 - Breach of Personal Information Notification Act | US Statute | North America | Yes | No | |
| Rhode Island - 11-49.2-1 et seq. Rhode Island Identity Theft Protection Act of 2005 | US Statute | North America | Yes | No | |
| South Carolina - § 39-1-90 Breach of security of business data; notification; definitions; penalties; exception as to certain banks and financial institutions; notice to Consumer Protection Division. | US Statute | North America | Yes | No | |
| Tennessee - 47-18-2107. Release of personal consumer information | US Statute | North America | Yes | No | |
| Texas - Sec. 521.053 NOTIFICATION REQUIRED FOLLOWING BREACH OF SECURITY OF COMPUTERIZED DATA | US Statute | North America | Yes | No | |
| Utah - Sec. 13-44-101 et seq. Protection of Personal Information Act | US Statute | North America | Yes | No | |
| Vermont - § 2435 Security Breach Notice Act | US Statute | North America | Yes | No | |
| Washington - RCW 19.255.010 - Disclosure, notice - Definitions - Rights, remedies | US Statute | North America | Yes | No | |
| Wisconsin - 134-98 Notice of unauthorized acquisition of personal information | US Statute | North America | Yes | No | |

 

Best Practice Frameworks and Standards

Columns: Framework or Standard (Title, Source, Region); CCS Support (Out of box Mandate compliance reports, Assessment Questionnaires); Comments.

| Title | Source | Region | Out of box Mandate compliance reports | Assessment Questionnaires | Comments |
|---|---|---|---|---|---|
| AICPA Trust Services Principles and Criteria - SAS 70 / SSAE 16 (AT section 101 - SOC 2 and SOC 3) | American Institute of Certified Public Accountants | North America | Yes | Yes | |
| Basel Committee - Sound Practices for the Management and Supervision of Operational Risk | Bank for International Settlements | Global | Yes | Yes | |
| California: Recommended Practices on Notice of Security Breach Involving Personal Information (2007) | US - State Law | North America | Yes | No | |
| California: Recommended Practices on Notice of Security Breach Involving Personal Information (2008) | US - State Law | North America | Yes | No | |
| CMS Information Security ARS – Appendix A – CMSR High Impact Level Data | Centers for Medicare & Medicaid Services | North America | Yes | Yes | |
| CobiT 3rd Edition | ISACA/ITGI | Global | Yes | No | |
| CobiT 4.0 | ISACA/ITGI | Global | Yes | Yes | |
| CobiT 4.1 | ISACA/ITGI | Global | Yes | Yes | |
| COSO Enterprise Risk Management - Integrated Framework | American Institute of Certified Public Accountants | North America | Yes | Yes | |
| CSA Cloud Controls Matrix v1.1 (CSM) | The Cloud Security Alliance | Global | Yes | No | |
| DISA STIG - Access Control In Support Of Information Systems | US Defense Information Systems Agency | North America | Yes | Yes | |
| FIEL Guidance for J-SOX for IT | Financial Services Agency, The Japanese Government | Japan | Yes | Yes | |
| ISO/IEC 31000:2009 | International Organization for Standardization (ISO) | Global | Yes | Yes | |
| ISO/IEC 20000-1:2005 | International Organization for Standardization (ISO) | Global | Yes | Yes | |
| ISO/IEC 20000-2:2005 | International Organization for Standardization (ISO) | Global | Yes | Yes | |
| ISO/IEC 27001:2005 | International Organization for Standardization (ISO) | Global | Yes | Yes | |
| ISO/IEC 27002:2005 | International Organization for Standardization (ISO) | Global | Yes | Yes | |
| ISO/IEC 27005:2008 | International Organization for Standardization (ISO) | Global | Yes | Yes | |
| IT Control Objectives for Sarbanes-Oxley 2nd Edition | ISACA/ITGI | North America | Yes | Yes | |
| NERC 1300 | North American Electric Reliability Corporation | North America | No | Yes | |
| NERC CIP 002-009 | North American Electric Reliability Corporation | North America | Yes | Yes | |
| NERC CIP-002-4 - CIP-009-04 | North American Electric Reliability Corporation | North America | Yes | Yes | |
| NERC CIP 002-009-2 | North American Electric Reliability Corporation | North America | No | Yes | |
| NIST SP 800-122 | National Institute of Standards and Technology | Global | Yes | Yes | |
| NIST SP 800-30 | National Institute of Standards and Technology | Global | Yes | Yes | |
| NIST SP 800-53 Rev. 1 | National Institute of Standards and Technology | Global | Yes | Yes | |
| NIST SP 800-53 Rev. 3 | National Institute of Standards and Technology | Global | Yes | Yes | |
| NIST SP 800-66 Rev. 1 | National Institute of Standards and Technology | Global | Yes | Yes | |
| PCI DSS v1.1 | PCI Security Standards Council | Global | Yes | Yes | |
| PCI DSS v1.2 | PCI Security Standards Council | Global | Yes | Yes | |
| PCI DSS v2.0 | PCI Security Standards Council | Global | Yes | No | |
| SANS 20 Critical Security Controls - Version 3.0 | SANS | Global | Yes | Yes | |
| MAS IBTRMV3 - Monetary Authority of Singapore Internet Banking and Technology Risk Management Guidelines | Monetary Authority of Singapore | Singapore | Yes | Yes | Added in SCU 2012-4 |
| FEDRAMP - Federal Risk and Authorization Management Program V1.0 | US - General Services Administration | North America | Yes | Yes | Added in SCU 2012-4 |
| Criminal Justice Information Services (CJIS) Security Policy Version 5.0 | US - Federal Bureau of Investigation (FBI) | North America | Yes | Yes | Added in SCU 2012-4 |
| The World Bank Technology Risk Checklist 7.3 | The World Bank | Global | Yes | Yes | |
| VMware vSphere 4.1 Security Hardening | VMware | Global | Yes | Yes | |
| VMware Hardening Guidelines ESXi 5.1 via vCenter | VMware | Global | Yes | No | Added in SCU 2013-3 |
| US-CCU Cyber Security Checklist | US Cyber Consequences Unit | North America | No | Yes | |
| TRUSTe Security Guidelines 2.0 | TRUSTe | Global | | Yes | |
| SOX IT using CobiT 4.0 | ISACA/ITGI | Global | No | Yes | |
| SOX Compliance Toolkit - Corporate Governance Compliance Checklist | | Global | No | Yes | |
| SOX Compliance Toolkit - Audit Committee SOX Compliance Checklist | | Global | No | Yes | |
| SOX - The IT Dimension | | Global | No | Yes | |
| IT Control Objectives for SOX - Company-level Questionnaire | | Global | No | Yes | |
| IT Control Objectives for SOX - Assessing the Readiness of IT | | Global | No | Yes | |
| AICPA SOX Assessment - Other Questions for Management | American Institute of Certified Public Accountants | North America | No | Yes | |
| AICPA SOX Assessment - Guidelines for Hiring CAE | American Institute of Certified Public Accountants | North America | No | Yes | |
| AICPA SOX Assessment - Evaluation of the Independent Auditor | American Institute of Certified Public Accountants | North America | No | Yes | |
| AICPA SOX Assessment - Evaluation of Internal Audit Team | American Institute of Certified Public Accountants | North America | No | Yes | |
| AICPA SOX Assessment - COSO Framework | American Institute of Certified Public Accountants | North America | No | Yes | |
| AICPA SOX Assessment - Conducting an Executive Session | American Institute of Certified Public Accountants | North America | No | Yes | |
| SB1386 - Recommended Practices on Notice of Security Breach | US - State Law | North America | No | Yes | |
| Treasury Board of Canada - Privacy Impact Assessment Guidelines | Canada - Treasury Board | Canada | No | Yes | |
| Business Pandemic Influenza Planning Checklist | U.S. Department of Health & Human Services | North America | No | Yes | |
| Business Pandemic Influenza Planning for Overseas Operations Checklist | U.S. Department of Health & Human Services | North America | No | Yes | |
| Child Care and Preschool Pandemic Influenza Planning Checklist | U.S. Department of Health & Human Services | North America | No | Yes | |
| Colleges and Universities Pandemic Influenza Planning Checklist | U.S. Department of Health & Human Services | North America | No | Yes | |
| Correctional Facilities Pandemic Influenza Planning Checklist | U.S. Department of Health & Human Services | North America | No | Yes | |
| Emergency Med Services and Non-Emergent Pandemic Influenza Planning Checklist | U.S. Department of Health & Human Services | North America | No | Yes | |
| Faith-based and Community Org Pandemic Influenza Preparedness Checklist | U.S. Department of Health & Human Services | North America | No | Yes | |
| Health Insurer Pandemic Influenza Planning Checklist | U.S. Department of Health & Human Services | North America | No | Yes | |
| Home Health Care Services Pandemic Influenza Planning Checklist | U.S. Department of Health & Human Services | North America | No | Yes | |
| Hospital Pandemic Influenza Planning Checklist | U.S. Department of Health & Human Services | North America | No | Yes | |
| Law Enforcement Pandemic Influenza Planning Checklist | U.S. Department of Health & Human Services | North America | No | Yes | |
| Long-Term Care Facilities Pandemic Influenza Planning Checklist | U.S. Department of Health & Human Services | North America | No | Yes | |
| Medical Offices and Clinics Pandemic Influenza Planning Checklist | U.S. Department of Health & Human Services | North America | No | Yes | |
| School District (K-12) Pandemic Influenza Planning Checklist | U.S. Department of Health & Human Services | North America | No | Yes | |
| Travel Industry Pandemic Influenza Planning Checklist | U.S. Department of Health & Human Services | North America | No | Yes | |
| FFIEC Authentication Guidance | US - FFIEC | North America | No | Yes | |
| FFIEC IT Examination Handbook Audit Booklet | US - FFIEC | North America | No | Yes | |
| FFIEC IT Examination Handbook Information Security Booklet | US - FFIEC | North America | No | Yes | |
| DoD Instruction 8500.2 Information Assurance (IA) Implementation - 5.7 | US - Department of Defense | North America | No | Yes | |
| CSA Consensus Assessments Initiative | Cloud Security Alliance | Global | No | Yes | |
| C-TPAT - Importer Self-Assessment Questionnaire | US - Customs | North America | No | Yes | |
| C-TPAT - Internal Control Management | US - Customs | North America | No | Yes | |
| Email Review | Symantec | Global | No | Yes | |
| Physical Security | Symantec | Global | No | Yes | |
| Security Assessment Checklist | Symantec | Global | No | Yes | |
| Security Awareness Culture | Symantec | Global | No | Yes | |
| Security Awareness Monthly Quizzes | Symantec | Global | No | Yes | |
| U.S. Dep of Ag Food Sec Assessment | US - FDA | North America | No | Yes | |
| IT Service Management Assessment | Symantec | Global | No | Yes | |
| BSI German Govt - IT Security Guidelines | German Govt | Germany | No | Yes | |
| CobiT 5.0 | ISACA/ITGI | Global | Yes | Yes | Added in SCU 2013-1 |
| SANS 20 Critical Security Controls - Version 4.0 | SANS | Global | Yes | Yes | Added in SCU 2013-1 |
| NIST Special Publication 800-53 Revision 4 | NIST | Global | Yes | Yes | Added in SCU 2013-2 |
| Australian Government Information Security Manual v2.0 September 2012 Release | Australian Government (DSD) | Australia | Yes | Yes | Added in SCU 2013-2 |
| Australian Prudential Regulation Authority (APRA) - Prudential Practice Guide for Managing Data Risk; Prudential Practice Guide for Management of Security Risk in Information and Information Technology | Australian financial services industry | Australia | Yes | Yes | Added in SCU 2013-3 |
| ISO/IEC 27001:2013 | International Organization for Standardization (ISO) | Global | Yes | Yes | Added in SCU 2013-3 |
| PCI DSS 3.0 | The Payment Card Industry Data Security Standard (PCI DSS) | Global | Yes | Yes | Added in SCU 2014-1 |
| NIST Cybersecurity Framework Core Version 1.0 | The Commerce Department's National Institute of Standards and Technology (NIST) | Global | Yes | Yes | Added in SCU 2014-1 |

 

 
