A General Comparison of FISMA, HIPAA, ISO 27000 and PCI-DSS Standards

ABSTRACT

Information security today is the focus of both the public and private sector in the United States and worldwide. In an effort to protect data and information, private organizations and federal, state, and local agencies spend billions of dollars and go to great lengths to protect their digital assets while at the same time trying to comply with legislation that mandates the implementation of security measures, and to produce a substantiated appearance of due diligence in this domain. The present paper discusses two legislative acts (HIPAA and FISMA) that focus on information security for U.S. government agencies and two private-sector standards (PCI-DSS and ISO 27000) that address the information security needs of a wider range of information technology (IT) institutional users. It provides a brief description of all four entities, gives a high-level comparison of their suggested and/or mandated guidelines to point out gaps and overlaps, and suggests a possible threshold model that could incorporate security settings satisfying the requirements of all four.