A2 - Law and Compliance Flashcards
What is the Computer Misuse Act 1990?
UK legislation addressing crimes of unauthorized access, modification, and data integrity in computer systems, including access with intent to commit further offenses.
What was the impact of the Computer Misuse Act 1990 on penetration testing?
Legal authorization: Pentesters need explicit permission and must stay within the agreed scope to avoid legal risks
Handling tools: Tools should be used responsibly and only in authorized environments.
Documentation: Keep records of authorization, scope, and activities for compliance.
What does the Human Rights Act 1998?
Incorporates the rights set out in the European Convention on Human Rights (ECHR) into UK law. Employees have a right to privacy while in their place of work.
What is the impact of the Human Rights Act 1998 on penetration activities?
Pentesters must avoid unnecessary access to personal data, ensure activities are authorized, and comply with laws protecting sensitive information to avoid violating individual rights.
What is the Data Protection Act 1998?
Regulated how personal data was collected stored, and used, ensuring individuals privacy rights were protected.
What are the 8 principles of the Data Protection Act 1998?
Lawfulness, fairness and transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and confidentiality (security)
Accountability
What is the impact of the Data Protection Act 1998 on penetration testing?
Delete data when no longer required.
Pentesters must ensure that any personal data they encounter during testing is processed lawfully, fairly and securely.
Testers should only collect and use personal data that is necessary for testing purposes.
What is the Police and Justice Act 2006?
Introduced a range of measure to enhance law enforcement and criminal justice, including specific provisions related to cybercrime.
What was the impact of the Police and Justice Act 2006?
The Act amended the Computer Misuse Act, covering intent to make systems insecure, and making, supplying, or obtaining tools (e.g., viruses, worms) for unauthorized access or criminal use.
What does the PCI-DSS stand for?
Payment Card Industry Data Security System
What is PCI-DSS?
Security standard that includes requirements for security management, policies and procedures when dealing with payment cards details (debit, credit, prepaid, e-purse, ATM, and POS cards and associated businesses).
What does HIPPA stand for?
Health Insurance Portability and Accountability Act
What is HIPPA?
HIPAA security rules apply to electronic protected health information (EPHI) and require organizations to implement safeguards to protect its confidentiality, integrity, and availability from anticipated risks.
What is the ISO 127001?
ISO/IEC 27001 provides a framework for organizations to manage the security of assets such as financial information, intellectual property, employee details, and third-party data. It outlines best practices and controls for maintaining confidentiality, integrity, and availability of sensitive information, and it is widely used for achieving compliance with data protection laws and industry standards.