Are Intrusive Detection Systems a legal requirement for organizations to have? I know that majority of organization have IDS to avoid any legality in case their systems do get breached and the information on the IDS is also submitted as forensic evidence. There has been a lot of discussion on cyber security policy for implementing this requirement, but I have not seen any legal document making this a requirement. I know there are three current regulations that mandate that organizations have protection for their system and information: HIPAA, 1999 Gramm-Leach-Bliley Act and the 2002 Homeland Security Act but, it doesn't specific what type of security implementation and its really vague. Please direct me to resources where i can find more information on the question.