How can one easily determine which IT Security related regulations apply?

Core questions you need to ask - and these are covered by some of the answers in the questions @AviD has linked to and at high level by @Beth:

  • Are you handling payment card data? If so, PCI-DSS
  • Are you handling medical info? If so, HIPAA in the US, DPA in the UK
  • Are you handling personal info? If so DPA in the UK
  • Are you handling the personal data of any European subjects? If so, GDPR from May 25 2018
  • Are you a financial org? GLBA in the US, FSA regs in the UK
  • Do you trade on NYSE? SOX in US, JSOX in Japan - but similar requirements globally
  • Are you a retail bank? BASEL II (soon BASEL III)
  • Are you a European Insurer? Solvency II

There are equivalents for these in many jurisdictions.


Knowing every country your data will be in is a good start. There aren't that many globally enforced laws in this area, so you'll end up wanting to get acquainted with all relevant country laws. The book "Who Controls the Internet?" was a really interesting read on that topic (for me, it was a great audio book).

From there, it's helpful to be able to categorize what type of data you have on your hands. Laws & regulations can generally be categorized into groups based on the industry and the type of data. A good way to start is to first look at what your company's processes are - what's it selling, what's it buying, what types of information has to move around to make that happen. Be sure you keep track of both external data needed to make your products or services happen, and internal data that is typical for any company - like personnel records.

In general (and a lot of this comes from Shon Harris' CISSP exam guide - not the best in any single subject, but a good catch-all), there are the following basic types of law:

  • Intellectual property laws - protecting your company's trade secrets, copyrights, trademarks, patents and other intellectual property. Certainly if your company is of any larger size, you already have at least one lawyer on hand who is somewhat versed in this.

  • Privacy law - a collection of laws that protect people, companies, employees and others from the disclosure of information that should not be made public. Everything from personal information, health-related information, correct reporting of accounting, protection from hacking and corporate espionage, and employee privacy issues. Some apply to almost every company in the US and some are particular to a given industry or type of information.

  • Prosecution law - not something you generally get into until you have to prosecute, but if you're ardent about it, knowing at least a little about chains of evidence and what has to be done to protect you can help you with establishing recovery procedures that don't cause a corruption in your ability to track down and prosecute someone who's attacked your company.

  • Ethics specific to your particular industry

  • There's also some special areas of law if your company receives federal funds for anything and yet more areas of law if you develop or are involved in anything relating to national security. Those are pretty easy - if you haven't signed any sort of contract with federal, state or local government, these laws are not likely to apply to you.

As far as I know, there's no great online Q&A site where you can answer, say, a series of questions and get information about EVERY law in the US that would apply to your situation. You generally have to take it as it comes and figure out what your data looks like and what laws apply to you. Generally, I'd start with your industry, because you're likely to find other people concerned about the same things you should be worrying about in industry-based forums. For example, the defense contractors are birds of a feather - we know almost nothing about health care laws like HIPAA, but we know far too much about the laws surrounding classified systems. :)