2.c. Laws and Regulations Flashcards
Regulatory Compliance
Adherence to the laws that apply to the industry in which you’re operating (LAW). Involves cyclical audits and assessments
Industry Compliance
Adherence to regulations that aren’t mandated by law, but can have severe impacts on your ability to conduct business
Ex: Payment Card Industry Data Security Standard (PCI DSS)
Types of Controls (3)
Physical - Tangible measures (locks, guards, cameras, badge readers) that MITIGATE risks to facilities and equipment
Administrative - Policies, processes, procedures and training that MITIGATE risks by governing how people act
Technical - Hardware/software mechanisms (access control, encryption, firewalls, logging) that MANAGE risks directly on systems
Key Controls (3 points)
- Provide a reasonable degree of assurance that a risk will be mitigated
- If the control fails, it is unlikely that another control will detect or compensate for the failure
- Failure of the control will affect an entire process
Compensating Controls
Alternative controls put in place when a key control is impractical or infeasible; they must meet the intent of the original control (PCI DSS formally allows documented compensating controls)
Maintaining Compliance Steps (4)
Monitor > Review > Document > Report
NIST
US National Institute of Standards and Technology
FISMA
Federal Information Security Management Act (2002; updated by the Federal Information Security Modernization Act of 2014) - Risk-based approach to securing federal information systems
A.T.O.
Authorization to Operate - formal management decision that a system may be put into operation at an accepted level of risk
FedRAMP
Federal Risk and Authorization Management Program - Standardized security assessment and authorization for cloud services used by federal agencies
Ex: AWS, Azure
“Do once, use many times”: a single FedRAMP authorization can be reused by any number of federal agencies
HIPAA
Health Insurance Portability and Accountability Act (1996) - Protects protected health information (PHI) - CONGRESS LAW
SOX
Sarbanes-Oxley Act (2002) - Regulates financial data, reporting, and internal controls for publicly held companies
GLBA
Gramm-Leach-Bliley Act - Protects the personally identifiable information (PII) and financial data of customers of financial institutions
CIPA
Children’s Internet Protection Act - Requires schools and libraries that receive E-Rate funding to filter access to obscene/harmful content
COPPA
Children’s Online Privacy Protection Act - Protects the privacy of children younger than 13 by restricting how online services collect their personal information
FERPA
Family Educational Rights and Privacy Act - Protects students’ education records
GDPR
General Data Protection Regulation (EU Regulation 2016/679, in force since 25 May 2018) - Governs processing of personal data of individuals in the EU
ISO
International Organization for Standardization - has published more than 21,000 standards
ISO 27000
“Information security management systems - Overview and vocabulary”
ISO 27001
“Information technology - Security techniques - Information security management systems - Requirements” (the certifiable standard)
ISO 27002
“Code of practice for information security controls”
SP
Special Publication - a document series issued by the National Institute of Standards and Technology (SP 800 series covers computer security)
SP 800-37
“Guide for Applying the Risk Management Framework to Federal Information Systems”
SP 800-53
“Security and Privacy Controls for Federal Information Systems and Organizations”
Privacy Act
Privacy Act of 1974 - Governs the collection, use, and disclosure of PII held by federal agencies - CONGRESS LAW
Risk Management Framework (RMF) Steps (6; SP 800-37 Rev. 2 adds a PREPARE step before these)
CATEGORIZE system based on info it handles and the impact of exposing/losing data
SELECT controls based on system’s categorization
IMPLEMENT the controls and document implementation
ASSESS the controls to ensure they are properly implemented and performing as expected
AUTHORIZE (or deny authorization for) the system based on the residual risk it faces and the controls implemented to mitigate that risk
MONITOR the controls to ensure they continue to mitigate risk
Compliance in the cloud (3 tier pyramid)
IaaS -> PaaS -> SaaS: customer control decreases
SaaS -> PaaS -> IaaS: customer responsibility increases
IaaS
Infrastructure as a service - Virtual servers and storage
PaaS
Platform as a service - Managed runtime or platform for deploying applications (e.g. a managed database); provider runs the OS and middleware
SaaS
Software as a service - specific application/application suite
Blockchain
A distributed, append-only digital ledger whose records are tamper-evident once written
Cryptocurrency
Typically based on the use of blockchain
USA Patriot Act
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (2001) - To deter and punish terrorist acts; expanded government surveillance and data-gathering powers
E FOIA
Electronic Freedom of Information Act Amendments (1996) - Requires agencies to provide the public with electronic access to their “Reading Room” records
CFAA
Computer Fraud and Abuse Act (1986) - Criminalizes unauthorized access to “protected computers” (government, financial institution, and interstate-commerce systems); originally aimed at hacking of government computer systems
CAN SPAM
Controlling the Assault of Non-Solicited Pornography And Marketing Act (2003) - Gives recipients the right to stop (opt out of) commercial email from a sender