Today’s business environment for both private-sector and public-sector organizations has brought new challenges in the era of governance, risk, and compliance. This is especially true for organizations within the USA that now fall under recent compliance laws. These laws create new business drivers and priorities for all USA-based companies and organizations to incorporate and implement security controls, countermeasures, and best practices that ensure the confidentiality, integrity, and availability of information and privacy data. It is this mandate that is driving companies and organizations to implement governance, risk, and compliance initiatives.

FERPA – Federal Education Rights and Privacy Act. This is a USA federal law, enacted in 1974, that gives parents access to their child’s education and transcript records. Education and higher-education institutions must implement the data security standards and requirements defined by FERPA to ensure the confidentiality and privacy of student educational records and privacy data.


VERTICAL: K-12, Higher-Ed

FISMA – Federal Information Security Management Act. This is a USA federal law, enacted in 2002, that recognized the importance of information security to the economic and national security interests of the USA. The act requires all US federal agencies to develop, document, and implement an agency-wide program that provides information security for their information and for the IT infrastructures that support it.


VERTICAL: US Federal Government (Civilian Agencies)

GLBA – Gramm-Leach-Bliley Act. This is a USA federal law, enacted in 1999, that ensures the privacy and consumer protection rights (e.g. protection against identity theft) of all consumers of financial services from banks, insurance companies, brokerage firms, etc. GLBA compliance is mandatory and includes security and integrity solutions to comply with the Financial Privacy Rule, the Safeguards Rule, and the Pretexting Protection provisions.


VERTICAL: US Federal Government (Civilian Agencies)

HIPAA – Healthcare Insurance Portability and Accountability Act. This is a USA federal law enacted in 1996. Under HIPAA, there are a Security Rule, a Privacy Rule, and a Business Plan requirement that must be met by Covered Entities engaged in providing healthcare services to patients. HIPAA compliance is mandatory and includes security, privacy, administrative and technical safeguards, and the implementation of business plans to maintain HIPAA compliance on an annual basis.


VERTICAL: Healthcare (Can be public or private)

Hi-Tech Act – Health Information Technology for Economic and Clinical Health Act. This was part of the American Recovery and Reinvestment Act of 2009. Under the Hi-Tech Act, the US Department of Health & Human Services allocated $25.9B+ to promote and expand the adoption of health information technology. The Meaningful Use (MU) grant program under the Center for Medicare & Medicaid provided Covered Entities with incentive monies to adopt and expand patient services within an Electronic Medical Records (EMR) or Electronic Health Records (EHR) system and application.


VERTICAL: Healthcare (Can be public or private)

PPACA – Patient Protection and Affordable Care Act. This is a USA federal law, enacted in 2010, that provides affordable healthcare services for uninsured US citizens and permanent residents. It requires Covered Entities and Business Associates to create a Compliance & Ethics program that includes training for all staff members who directly interface with patients and Protected Health Information (PHI). Under this federal law, compliance and ethics requirements cover the accuracy, confidentiality, and integrity of medical services, medical coding, medical billing, and the collection of monies from insurance companies and individuals for healthcare services.


VERTICAL: Healthcare (Can be public or private)

PCI DSS – Payment Card Industry Data Security Standard. This is not a USA federal law; it is a standard released by the Payment Card Industry Security Standards Council to increase controls around the handling of cardholder data and so reduce the risk of credit card fraud through its exposure. For organizations that process large volumes of credit card transactions, compliance with the PCI DSS standard must be validated annually by a Qualified Security Assessor (QSA), who produces a Report of Compliance (ROC).


VERTICAL: Retail & any vertical that accepts credit card payments

SOX – Sarbanes-Oxley Act. This is a USA federal law that requires CEOs and CFOs to produce accurate financial information and reporting, and requires both the CEO and CFO to officially sign off on and submit proper financial reports to the Securities Exchange Commission (SEC) as required. From a security controls perspective, SOX requires that this financial information and data be kept confidential and restricted to the insider executive management team. Maintaining the confidentiality, integrity, and availability of financial information and reporting for publicly traded companies is a mandated requirement under SOX.


VERTICAL: Publicly traded companies in any vertical with a market cap of $75M or greater must comply

Privacy Laws – Privacy Laws and Identity Theft Laws are emerging throughout the 50 states. Each state is enacting its own laws regarding citizen privacy data, citizen data breaches, and citizen identity theft. Individuals and companies that operate within a specific state, or across multiple states, must pay specific attention to the laws of each state in which they operate.

VERTICAL: State Government

