Chapter 6. Security Controls to Consider

As noted in Section 4.1, many security laws and regulations merely require “reasonable” or “appropriate” security, without any specification as to what security controls are required. Other security laws and regulations, however, do specify a variety of security controls that must be addressed by a company’s security program. But in almost all cases they list only the categories of security controls that must be addressed, without requiring that any specific security controls or technologies be implemented. As explained in Section 5.3, the company selects which security controls to implement (so as to be legally compliant) by reference to the risk assessment.

This chapter identifies and explains the categories ...
