Database compliance, automated

Organizations MUST maintain detailed records of all personal data processing activities, including access logs.

REQUIRES appropriate technical measures including the ability to ensure ongoing confidentiality and integrity of processing systems.

Data breaches MUST be reported to authorities within 72 hours. Requires real-time detection capabilities.

High-risk processing REQUIRES documented impact assessments with evidence of security measures.

Consumers can request disclosure of specific personal information collected. REQUIRES ability to locate and report all consumer data.

MUST delete consumer data upon request and verify deletion across all systems.

Businesses MUST implement reasonable security procedures. Failure creates private right of action.

Enhanced protections REQUIRED for sensitive data including precise geolocation and financial information.

Controllers and processors MUST maintain records of personal data processing operations.

REQUIRES technical and administrative measures to protect personal data from unauthorized access.

Security incidents MUST be communicated to the national authority and data subjects in reasonable time.

MUST provide access to data, correction, deletion, and portability upon request.

Personal information MUST be protected by security safeguards appropriate to the sensitivity of the information.

Upon request, individuals MUST be informed of the existence, use, and disclosure of their personal information.

Organizations MUST report breaches that pose real risk of significant harm to the Privacy Commissioner and affected individuals.

Organizations are ACCOUNTABLE for personal information under their control.

Organizations MUST protect personal data with reasonable security arrangements.

Upon request, organizations MUST provide individuals access to their personal data and information about its use.

Notifiable breaches MUST be reported to PDPC within 3 calendar days of assessment.

Organizations MUST cease retention when no longer necessary for legal or business purposes.

Personal information handlers MUST adopt necessary measures to ensure processing activities comply with laws and prevent unauthorized access.

REQUIRES personal information protection impact assessment before processing sensitive personal information.

In case of data breach, handlers MUST immediately take remedial measures and notify authorities and individuals.

Cross-border data transfers REQUIRE security assessment, certification, or standard contracts.

CEO and CFO MUST personally certify financial reports. REQUIRES verifiable audit trails proving data integrity.

Companies MUST assess and report on internal control effectiveness. REQUIRES documented evidence of controls over financial data.

Knowingly altering or destroying records is a federal crime. REQUIRES tamper-evident audit logging.

Audit records MUST be retained for 7 years. REQUIRES long-term, immutable log storage.

MUST implement audit trails to link all access to system components to each individual user.

MUST implement automated audit trails for all system components to reconstruct events.

All critical system clocks MUST be synchronized. Audit logs MUST have accurate timestamps.

Audit trail history MUST be retained for at least one year, with minimum 3 months immediately available.

Financial institutions MUST develop, implement, and maintain a comprehensive security program.

MUST implement access controls on customer information systems, including monitoring of access.

MUST monitor systems and procedures to detect actual and attempted attacks or intrusions.

MUST implement procedures to respond to security incidents affecting customer information.

Financial entities MUST have ICT risk management framework including monitoring of ICT systems.

MUST classify ICT-related incidents and report major incidents to competent authorities.

Major ICT incidents MUST be reported within specified timeframes with root cause analysis.

MUST maintain register of third-party ICT service providers and monitor their access.

Covered entities MUST implement hardware, software, and/or procedural mechanisms that record and examine activity in systems containing ePHI.

MUST implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking.

MUST implement policies and procedures to protect ePHI from improper alteration or destruction.

MUST implement policies and procedures to identify, respond to, and mitigate security incidents.

Organization MUST determine auditable events and ensure the system generates audit records for defined events.

Audit records MUST contain: what type of event, when it occurred, where it occurred, source, outcome, and identity of individuals/subjects.

Organization MUST review and analyze audit records for indications of inappropriate or unusual activity.

System MUST protect audit information and audit tools from unauthorized access, modification, and deletion.

Federal systems MUST audit: successful/failed account logons, account management, object access, policy changes, privilege functions.

Agencies MUST implement continuous monitoring programs for security controls.

Organizations MUST monitor systems to detect attacks and indicators of potential attacks.

Systems MUST undergo annual security assessments with documented evidence.

Cloud services MUST implement audit controls based on FedRAMP baseline requirements.

Providers MUST maintain continuous monitoring and submit monthly/annual reports.

Security posture MUST be verified by approved third-party assessment organizations.

Authorization MUST be renewed annually with evidence of maintained compliance.

Organizations MUST create system audit logs and records to enable monitoring, analysis, and investigation.

MUST ensure actions can be traced to individual users uniquely.

MUST alert in the event of an audit logging process failure.

MUST monitor organizational systems including inbound/outbound communications for attacks.

Entity MUST implement logical access security software, infrastructure, and architectures to protect against threats.

Entity MUST monitor system components for anomalies indicative of malicious acts or system failures.

Entity MUST evaluate security events to determine whether they could impact ability to meet objectives.

Entity MUST authorize, design, develop, configure, test, approve, and implement changes to meet objectives.

Event logs recording user activities, exceptions, faults and information security events MUST be produced, kept and regularly reviewed.

System administrator and operator activities MUST be logged and the logs protected and regularly reviewed.

Formal user registration and de-registration process MUST be implemented to enable assignment of access rights.

Information security events MUST be reported through appropriate management channels as quickly as possible.

The network is monitored to detect potential cybersecurity events.

Personnel activity is monitored to detect potential cybersecurity events.

Monitoring for unauthorized personnel, connections, devices, and software is performed.

Data-at-rest is protected with appropriate controls.

Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.

Use processes and tools to create, assign, manage, and revoke access credentials and privileges.

Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.

Operate processes and tools to establish and maintain comprehensive network monitoring and defense.

Essential and important entities MUST take appropriate technical and organizational measures to manage security risks.

Entities MUST have policies and procedures regarding use of cryptography and encryption.

Significant incidents MUST be reported to CSIRT within 24 hours, with full report within 72 hours.

Entities MUST address security in supplier relationships and direct suppliers.

Systems MUST use secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions.

REQUIRES use of authority checks to ensure only authorized individuals can use the system, access operations, or sign records.

Systems MUST enforce permitted sequencing of steps and events, as appropriate.

Electronic signatures MUST be linked to their respective electronic records to ensure signatures cannot be removed or transferred.

Systems MUST be capable of auditing successful and unsuccessful account logon events, account management, and object access.

Audit records MUST contain type of event, when occurred, where occurred, source, outcome, and identity of individuals.

Organizations MUST manage information system accounts including identifying account types and establishing conditions for membership.

Organizations MUST review and analyze system audit records for indications of inappropriate or unusual activity.

Organizations MUST establish documented procedures to define controls needed for approval, review, updating, and identification of documents.

Records MUST remain legible, readily identifiable, and retrievable. Retention times MUST be established.

Production processes MUST be validated and controlled with documented procedures and traceability.

Organization MUST monitor and measure product characteristics to verify requirements have been met.

Health data access bodies MUST log all queries and data access for secondary use purposes.

REQUIRES complete provenance tracking of health data from source through all processing stages.

Organizations MUST implement technical measures to ensure only authorized researchers access data.

REQUIRES appropriate technical and organizational measures to protect health data during secondary use.

Organization MUST identify events requiring logging and establish frequency of audit log reviews.

Audit records MUST contain what type of event, when occurred, where occurred, source, outcome, and user identity.

Organization MUST review and analyze audit records for indications of inappropriate or unusual activity.

System MUST protect audit information and audit tools from unauthorized access, modification, and deletion.

Systems processing FTI MUST audit successful and unsuccessful system access attempts and account management events.

Audit records MUST contain: type of event, when occurred, where occurred, source of event, outcome, and identity.

Organization MUST review and analyze audit records weekly for unusual, unexpected, or suspicious activity.

Audit records containing FTI MUST be protected from unauthorized access and retained for 7 years.

Systems MUST generate audit records for successful and unsuccessful access attempts to CJI.

Audit records MUST contain date/time, component, type of event, user identity, and outcome.

Agency MUST implement procedures for monitoring and analyzing audit records to detect inappropriate activity.

Audit records MUST be retained for a minimum of one year and available for review.

Controllers MUST keep logs of collection, alteration, consultation, disclosure, combination, or erasure of personal data.

Controllers MUST implement appropriate technical measures including access logging from the outset.

Personal data breaches MUST be reported to the ICO within 72 hours of becoming aware.

Organizations MUST provide individuals with access to their personal data and processing information.

Records of every trade and trade-related database modification MUST be preserved for at least 6 years.

Electronic records MUST be preserved in WORM (Write Once Read Many) format with audit trail.

Broker-dealers MUST verify automatically the quality and accuracy of electronic storage.

MUST maintain a separate audit system that accounts for input and preserves entries with timestamps.

Licensees MUST design information security program to identify risks to nonpublic information and assess safeguards.

REQUIRES implementation of access controls including monitoring of access to nonpublic information.

Licensees MUST conduct investigation of cybersecurity events and determine scope, affected individuals, and root cause.

Insurers MUST annually certify in writing that they maintain a compliant information security program.

Crypto-asset service providers MUST keep records of all services, orders, and transactions for 5 years.

Custodians MUST maintain audit trails for wallet-custody databases with complete transaction history.

REQUIRES complete traceability of crypto-asset transfers including originator and beneficiary information.

Providers MUST implement systems to ensure business continuity and access to transaction records.

Data Fiduciaries MUST implement appropriate technical and organizational measures to protect personal data.

Personal data breaches MUST be reported to the Board and affected individuals without delay.

Organizations MUST provide data principals with access to their personal data and processing information.

Personal data MUST be erased when purpose is achieved or upon data principal request. Logs retained for 180 days minimum.

Business operators MUST take necessary and appropriate measures to prevent leakage, loss, or damage of personal data.

Significant data breaches MUST be reported to the PPC and affected individuals without delay.

Business operators MUST disclose retained personal data to individuals upon request.

Transfer of personal data outside Japan REQUIRES consent or equivalent protection confirmation.

Organizations MUST log every single instance a staff member accesses or shares customer personal information.

REQUIRES Privacy Impact Assessment for any project involving personal information.

Confidentiality incidents MUST be reported to the CAI and affected individuals.

Organizations MUST implement and audit anonymization techniques for personal information.

PII controllers MUST ensure processing is limited to identified purposes with audit trail evidence.

Organizations MUST record access to PII including who accessed, when, and for what purpose.

PII processors MUST ensure personnel are bound by confidentiality and log all processing activities.

Organizations MUST have procedures to notify authorities and data subjects of PII breaches.

Responsible entities MUST adopt and maintain a critical infrastructure risk management program.

Critical cyber security incidents MUST be reported to the Australian Signals Directorate within 72 hours.

Entities MUST maintain records of access to critical infrastructure systems for forensic investigation.

Ransomware payments MUST be reported within 72 hours of making or becoming aware of the payment.

Organizations MUST audit access to source code repositories and development databases.

REQUIRES maintaining software inventory including binary and code provenance logs.

Organizations MUST track and monitor changes to development and deployment configurations.

REQUIRES collecting and publishing security metrics including audit log analysis.

Responsible entities MUST log events at BES Cyber System level including login attempts.

Security event logs MUST be retained for at least 90 days and available for immediate review.

Responsible entities MUST review logs of BES Cyber Systems at least once every 15 days.

MUST log all administrative actions and configuration changes on BES databases.

Operators MUST implement 24/7 monitoring of signaling and interlocking databases for operational anomalies.

Cybersecurity incidents MUST be reported to CISA within 24 hours of discovery.

REQUIRES implementation of access controls for critical operational technology systems.

Security logs MUST be retained for at least 1 year and available for TSA review.

Operators MUST implement measures to protect safety databases from unauthorized access or modification.

REQUIRES audit trails for flight manifest, weight/balance, and operational databases.

Maintenance databases MUST have complete audit trails to reconstruct any safety-data change.

Security-related data MUST be protected with access logging and monitoring.

Maritime operators MUST address cyber risks in their Safety Management Systems.

Safety Management System including cyber controls MUST be verified annually by auditors.

REQUIRES logging of bridge navigation, ballast control, and engine room data access.

Organizations MUST have procedures for responding to and recovering from cyber incidents.

Critical entities MUST carry out risk assessments including cyber threats to operational systems.

Entities MUST implement measures to ensure resilience including access control and logging.

Significant incidents MUST be notified to competent authorities within 24 hours.

Critical roles MUST be subject to background verification with access logging.

Space systems MUST implement Zero-Trust logging for all ground and space operations.

REQUIRES traceability of command-and-control (C2) database telemetry and access.

Ground segment operations MUST implement comprehensive access logging and monitoring.

Operators MUST maintain incident response capabilities with forensic-ready logging.

Organizations MUST enable and protect logs for systems processing sensitive information.

Audit logs MUST be protected from unauthorized access, modification, and deletion.

Organizations MUST regularly review logs and generate reports on security events.

All systems MUST be synchronized to authoritative time sources for accurate logging.

High-risk AI systems MUST automatically log inputs, outputs, and agentic actions with immutable audit trails.

REQUIRES traceability enabling human understanding of AI system decision-making.

Systems MUST enable human monitoring and intervention with complete audit trails.

Providers MUST implement quality management with documented procedures and logging.

Organizations MUST assess AI system risks including bias, drift, and data quality issues.

REQUIRES continuous monitoring of AI model performance and data interactions.

Organizations MUST monitor, measure, analyze, and evaluate AI system performance.

AI failures MUST be documented, investigated, and corrected with audit trail.

Platforms MUST report on content moderation activities with supporting audit data.

REQUIRES audit trails for algorithm training data and recommendation decisions.

Very large platforms MUST provide vetted researchers access to data with usage logging.

Annual independent audits MUST verify platform compliance including audit log integrity.

Entity MUST monitor AI system components for anomalies including model performance and data drift.

REQUIRES validation and logging of all AI system inputs to prevent adversarial attacks.

AI model updates MUST be authorized, tested, and documented with complete audit trails.

Entity MUST implement controls to ensure AI output integrity and detect manipulation.

Control systems MUST generate audit records for security-relevant events.

REQUIRES sufficient storage and protection for audit logs from PLCs and SCADA systems.

Systems MUST alert upon audit processing failure and protect audit integrity.

Authorized personnel MUST be able to access and review audit logs.

Computer-based systems MUST log security-relevant events for forensic investigation.

REQUIRES implementation of access controls with audit logging for OT systems.

Log integrity MUST be verified by classification society surveyor during inspections.

Organizations MUST have incident response procedures with forensic evidence preservation.

Manufacturers MUST have capability to analyze attempted or successful cyber attacks with data collection.

REQUIRES audit logs for Over-the-Air (OTA) update databases and vehicle telemetry.

Organizations MUST detect and respond to cyber attacks with evidence preservation.

Forensic data MUST be retained for 10 years to support post-incident analysis.

Organizations MUST implement appropriate physical, organizational, and technological security safeguards.

REQUIRES maintaining records of every breach of security safeguards involving personal information.

Individuals MUST be able to request and receive their personal information and processing details.

Organizations MUST be able to reconstruct the journey of personal data from ingestion to deletion.

Organizations MUST maintain audit logs of access to personal health information.

REQUIRES auditing of billing codes versus clinical access records for fraud prevention.

Organizations MUST implement technical safeguards to protect health information.

Systems MUST enable correlation of billing submissions with clinical record access patterns.

Educational agencies MUST maintain records of each disclosure of personally identifiable information.

REQUIRES prior written consent for disclosure with exceptions requiring disclosure logging.

Parents and eligible students MUST be able to inspect and review education records.

Disclosure records MUST be maintained for the life of the education record.

Organizations MUST implement access control with detailed logging of all access events.

REQUIRES detailed CRUD (Create/Read/Update/Delete) logs for sensitive government data.

Security incidents MUST be logged, investigated, and reported to relevant authorities.

Tamper-proof logs MUST be stored centrally and protected from modification.

Entities MUST address security risks in supplier relationships with auditing of logistics databases.

REQUIRES proof of business continuity logs and data integrity verification.

Security in network and information system acquisition MUST be documented and audited.

Supply chain incidents MUST be reported within 24 hours with supporting audit data.

Gaming operators MUST implement secure logging of user account data and payment information.

REQUIRES ability to erase player data while maintaining financial audit trails.

Game systems MUST be designed with privacy controls and access logging from inception.

Data breaches affecting player data MUST be reported within 72 hours.