List of Security Compliance/Regulations standards by Industry
There are two reasons to think about security on your website: because you consider it important, and because industry regulations require it. The following list, broken down by industry and site type, shows which kinds of security issues and regulations you should consider when planning your site.
All sites gathering "private" data from end users
Personally Identifiable Information (PII) - even items such as e-mail address, name and postal address - should be protected. Personal information should always be encrypted "in flight" (while being transmitted, e.g. over HTTPS) and "at rest" (before being stored in the database or on the file system). There are a multitude of regional, national and state regulations pertaining to securing personal information; which ones apply depends on the country or state in which the person whose information is collected resides, where the data is stored or transmitted, and what type of personal data is collected. A good reference can be found at http://www.informationshield.com/usprivacylaws.html (United States) and http://www.informationshield.com/intprivacylaws.html (international). In addition to addressing how personal data should be secured, these regulations may also set out notification requirements if a breach of that data occurs.
Health Care Sites
The biggest regulation in the United States pertaining to health care data is HIPAA or the Health Insurance Portability and Accountability Act. The Security Rule of HIPAA addresses administrative, technical and physical security requirements for health care data.
E-Commerce Sites
If you have an e-commerce site that accepts credit cards, then your site must meet the Payment Card Industry Data Security Standard (PCI-DSS), even if the card number is never stored on your server. There are multiple compliance levels depending on the number of transactions and the volume of revenue your organization processes.
Government: FISMA, DIACAP and FedRAMP
In the United States, federal government agencies are required to follow a certification and accreditation process which requires that baseline security standards, as defined by the National Institute of Standards and Technology (NIST), be met. For non-Defense agencies the process is known as FISMA, codified as law in the Federal Information Security Management Act of 2002. For Department of Defense related agencies the accreditation is the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP). The certification and accreditation process (often referred to as "C & A") requires extensive documentation of the control environment defined by NIST publication 800-53 revision 3. The level of security controls (low, moderate or high) is determined by the classification of the data and the purpose of the web site, as established by completing NIST's FIPS 199 template. Finally, a new accreditation process called FedRAMP (the Federal Risk and Authorization Management Program) is currently being established; it is designed to streamline the C & A process for cloud computing providers and is also based on NIST standards, expanded to include additional controls pertinent to cloud environments.
Worldwide: ISO/IEC 27001
Around the world, many organizations, both private and public, utilize the ISO (International Organization for Standardization) best-practice standards defined by ISO/IEC 27002, "Information technology - Security techniques - Code of practice for information security management". This set of standards is similar to NIST 800-53 and is likewise very involved. Organizations may leverage ISO/IEC 27002 for their control environment and may additionally choose to be certified as compliant with the standard by an independent auditor.
Financial Sector: BITS Shared Assessment Program
The financial sector is coalescing around the BITS Shared Assessment program (http://sharedassessments.org), which is designed to provide a framework that financial institutions can leverage to conduct risk assessments of their service providers. Like NIST, ISO and other best-practice standards, the Shared Assessment program itemizes security best practices across a wide range of domains such as corporate, data center and web site security. Vendors who would like to leverage the Shared Assessment program should download and complete the Standard Information Gathering questionnaire (SIG). Organizations may also be audited against the standards; this audit is called an Agreed Upon Procedure.
Mapping NIST, ISO, BITS, HIPAA and PCI
These various best-practice standards, while different, have many similarities. As organizations meet one standard they also move into line with the others. The Cloud Security Alliance (CSA) has published a very handy spreadsheet which maps the controls of the various standards to each other. Organizations may leverage the CSA's spreadsheet to demonstrate that they are meeting best practices for multiple standards at the same time. CSA's control matrix spreadsheet may be found on CSA's web site at https://cloudsecurityalliance.org/.
Other Cyber Security Standards
More information on cyber security standards is available in a Wikipedia article.