2.c. Laws and Regulations

Question 1

Regulatory Compliance

Answer 1

Adherence to the laws specific to the industry in which you’re operating (LAW). Involves cyclical audits and assessments

Question 2

Industry Compliance

Answer 2

Adherence to regulations that aren’t mandated by law, but can have severe impacts on your ability to conduct business
Ex: Payment Card Industry Data Security Standard (PCI DSS)

Question 3

Types of Controls (3)

Answer 3

Physical - MITIGATE risks
Administrative - Implement certain processes/procedures to MITIGATE risks
Technical - MANAGE risks

Question 4

Key Controls (3 points)

Answer 4

1. Provide reasonable degree of assurance that risk will be mitigated
2. If control fails, it’s unlikely that another control could take over for it
3. Failure of this control will affect an entire process

Question 5

Compensating Controls

Answer 5

Replace impractical or unfeasible key controls

Question 6

Maintaining Compliance Steps (4)

Answer 6

Monitor > Review > Document > Report

Question 7

NIST

Answer 7

US National Institute of Standards and Technology

Question 8

FISMA

Answer 8

Federal Information Security Management Act (Risk-based approach)

Question 9

A.T.O.

Answer 9

Authority to operate

Question 10

FedRAMP

Answer 10

Federal Risk and Authorization Management Program - Rules for government agencies contracting with cloud providers
Ex: AWS, Azure
Single A.T.O. for business w/ any number of federal agencies

Question 11

HIPAA

Answer 11

Health Insurance Portability and Accountability Act - CONGRESS LAW

Question 12

SOX

Answer 12

Sarbanes-Oxley Act - Regulates financial data, operations, and assets for publically held companies

Question 13

GLBA

Answer 13

Gramm-Leach-Bliley Act - Protects personal identifiable info (PII) and financial data of customers of financial institutions

Question 14

CIPA

Answer 14

Children’s Internet Protection Act - Requires schools to prevent access to obscene/harmful content

Question 15

COPPA

Answer 15

Children’s Online Privacy Protection Act - Protect privacy of minors younger than 13

Question 16

FERPA

Answer 16

Family Educational Rights and Privacy Act - Protects student’s records

Question 17

GDPR

Answer 17

General Data Protection Regulation (EU Regulation)

Question 18

ISO

Answer 18

International Organization for Standardization - more than 21000 standards

Question 19

ISO 27000

Answer 19

“Information security management systems-overview and vocabulary”

Question 20

ISO 27001

Answer 20

“Information technology-Security techniques-information management systems-Requirements”

Question 21

ISO 27002

Answer 21

“Code of practice for information security controls”

Question 22

SP

Answer 22

National Institute of Standards and Technology

Question 23

SP 800-37

Answer 23

“Guide for applying the risk management framework to federal information systems”S

Question 24

SP 800-53

Answer 24

“Security and Privacy controls for federal information systems and organizations”

Question 25

Privacy Act

Answer 25

CONGRESS LAW

Question 26

Steps? of Controls. (6)

Answer 26

CATEGORIZE system based on info it handles and the impact of exposing/losing data
SELECT controls based on system’s categorization
IMPLEMENT the controls and document implementation
ASSESS the controls to ensure they are properly implemented and performing as expected
AUTHORIZE or ban the use of the system based on the risk it faces and the controls implemented to mitigate that risk
MONITOR the controls to ensure they continue to mitigate risk

Question 27

Compliance in the cloud (3 tier pyramid)

Answer 27

Less Control —->

IaaS PaaS SaaS

<—- More responsibility

Question 28

IaaS

Answer 28

Infrastructure as a service - Virtual servers and storage

Question 29

PaaS

Answer 29

Platform as a service - Prebuilt servers (database)

Question 30

SaaS

Answer 30

Software as a service - specific application/application suite

Question 31

Blockchain

Answer 31

A distributed and uneditable digital ledger

Question 32

Cryptocurrency

Answer 32

Typically based on the use of blockchain

Question 33

USA Patriot Act

Answer 33

To deter and punish terrorist acts

Question 34

E FOIA

Answer 34

Electronic Freedom of Information Act - requires agencies to provide the public w/ electronic access to their “Reading Room” records

Question 35

CFAA

Answer 35

Computer Fraud and Abuse Act - To reduce the hacking of government computer systems

Question 36

CAN SPAM

Answer 36

Controlling the Assault of Non-Solicited Porn and Marketing - Gives recipients the right to spot entities from emailing them