Industry Concerns for the Assessment Site

Written by: Sean Martin. Published: January 2008.



An issue of major importance is the industry in which the customer organization conducts its business. The amount of legislation, regulation, and industry-related practice that influences the way organizations are run today is phenomenal. It can be a daunting task merely to keep up with legislation that changes rapidly and regularly, let alone all the industry-specific or best-practice components that impact information security requirements. You will be asking your customer organization’s point of contact (POC) for this information, but he or she may not know it all. That is why we usually recommend that you create a base list of questions and ask in a yes/no format whether these specific rules or guidelines apply in the customer environment. This approach might help jog the memory or understanding of the people you are working with. Then, of course, the last question would be a little more open-ended. Here are a few examples of base issues:

- Health Insurance Portability and Accountability Act of 1996 (HIPAA)

- National Institute of Standards and Technology (NIST)

- Sarbanes-Oxley

- Gramm-Leach-Bliley (GLB)

- Financial Management and Accountability (FMA) Act

- Federal regulations

- Family Educational Rights and Privacy Act (FERPA)

- What other regulations, legislation, and guidelines do you follow?

As you can see, we have touched on only a few issues here; many more could come into play, depending on the customer organization’s industry. The federal regulations alone can fill multiple pages. Because these areas vary widely and carry a large amount of detailed information, people who understand the regulations that apply to your upcoming assessment environment can often be more difficult to schedule than technical resources, so be sure to find out this information as soon as possible.
