Chapter 15 Flashcards
U.S. Compliance Laws
Organizations entrusted with sensitive data should take steps to protect data
U.S. doesn’t have one comprehensive data protection law
Many federal data protection laws focus on specific types of data
Require organizations to use security controls to protect the different kinds of data that they collect
Laws are not optional
Organizations collect sensitive data called personally identifiable information (PII), which includes:
First, middle, and last name
Home mailing address
Social Security number
Driver’s license number
Financial account data
Health data and biometric data
Authentication credentials
Privacy
A person’s right to control the use and disclosure of his or her own personal information
Control
A person can decide how his or her data can be collected, used, and shared with third parties
Information security
The process used to keep data private
____ is the process; ____ is the result
Security is the process; privacy is a result
Federal Information Security
Federal government is the largest creator and user of information in the United States
Government IT systems hold:
Data that are critical for government operations
Data that are important for running the business of the federal government
Sensitive military data
Federal Information Security Management Act (FISMA) of 2002
Applies to federal agencies and their IT systems
Federal agencies fall under the executive branch of the U.S. government
The Office of Management and Budget (OMB) is responsible for FISMA compliance
FISMA: Purpose and Main Requirements (9)
Risk assessments
Annual inventory
Policies and procedures
Subordinate plans
Security awareness training
Testing and evaluation
Remedial actions
Incident response
Continuity of operations
FISMA: Purpose and Main Requirements (cont.)
An agency must:
Protect the IT systems that support its operations
Test its IT systems at least yearly
Review the information security controls on IT systems
Apply some types of controls and make sure they work
Monitor its security risk
Federal Information Security Modernization Act (FISMA) of 2014
Clearly defines the roles, responsibilities, accountabilities, requirements, and practices needed to fully implement FISMA security controls and requirements
Role of the National Institute of Standards and Technology (NIST)
Creates guidance that all federal agencies use for their information security programs
Creates standards that agencies use to classify their data and IT systems
Creates guidelines and minimum information security controls for IT systems
Creates Federal Information Processing Standards (FIPSs) and Special Publications (SPs)
National Security Systems (NSSs)
Secured using a risk-based approach
Include systems used for:
Intelligence activities
National defense
Foreign policy
Military activities
Committee on National Security Systems (CNSS) oversees FISMA activities
Use the same six-step process as the NIST RMF
Health Insurance Portability and Accountability Act (HIPAA): Purpose and Scope
Contains data protection rules that address security and privacy of personally identifiable health information
Department of Health and Human Services (HHS) responsible for rules and compliance
Protected health information (PHI) is any individually identifiable information about a person’s health
Covers health care providers and business associates
Main Requirements of the HIPAA Privacy Rule
Determines how covered entities must protect the privacy of PHI
Covered entities may not use or disclose a person’s PHI without his or her written consent
Exceptions allow a covered entity to share a person’s PHI without a person’s written consent
A covered entity must inform people about how it uses and discloses PHI
HIPAA Oversight
HHS oversees compliance with the HIPAA Privacy and Security Rules
HHS delegated this function to Office for Civil Rights (OCR)
OCR enforces HIPAA compliance
HITECH Act defined a tiered system for assessing the level of each HIPAA violation: Tiers A-D
Gramm-Leach-Bliley Act (GLBA)
Addresses privacy and security of consumer financial information
The Federal Financial Institutions Examination Council (FFIEC) is a regulatory committee that serves the U.S. banking community
The FFIEC developed a Cybersecurity Assessment Tool used to identify a bank’s or financial institution’s cybersecurity maturity
FFIEC complements a banking or financial organization’s ongoing risk management program and cybersecurity implementations
GLBA: Purpose and Scope
Financial institutions must follow GLBA privacy and security rules to help mitigate data breaches and identity theft
GLBA requires financial institutions to protect consumers’ nonpublic financial information (NPI)
NPI is personally identifiable financial information that a consumer gives to a financial institution
Main Requirements of the GLBA Privacy Rule
Protect the security and confidentiality of customer data
Protect against threats to the security or integrity of customer data
Protect against unauthorized access to or use of customer data that could result in harm to a customer
Require a financial institution to create a written information security program
Sarbanes-Oxley (SOX) Act: Purpose and Scope
Protects investors from financial fraud
Applies to publicly traded companies that must register with the Securities and Exchange Commission (SEC)
Requires companies to verify the accuracy of their financial information
Section 404 requires an organization’s executive officers to establish, maintain, review, and report on effectiveness of the company’s internal controls over financial reporting (ICFR)
SOX Control Certification Requirements
A company must create, document, and test its ICFR
It must report on its ICFR every year
After a company makes its yearly report, outside auditors must review it to make sure the ICFR work
ICFR are processes that provide reasonable assurance that an organization’s financial reports are reliable
Family Educational Rights and Privacy Act (FERPA)
Educational institutions can collect and store student data:
Demographic information
Address and contact information
Parental demographic information
Parental address and contact information
Grade information
Disciplinary information
FERPA: Main Requirements
Students (or their parents, if the student is under 18) have the following rights:
To know what data are in the student’s student record and the right to inspect and review that record
To request that a school correct errors in a student record
To consent to have certain kinds of student data released
Children’s Internet Protection Act (CIPA): Main Requirements
Covered schools and libraries must filter offensive Internet content so children can’t get to it
Technology protection measure (TPM) is any technology that can block or filter the objectionable content
Schools and libraries must adopt and enforce an Internet safety policy to comply with CIPA
A library or school must be able to disable the TPM for any adult if that adult needs to use a computer
Payment Card Industry Data Security Standard (PCI DSS): Purpose and Scope
Assists merchants and financial institutions in understanding and implementing standards for security policies, technologies, and ongoing processes that protect their payment systems from breaches and theft of cardholder data
Helps vendors understand and implement PCI standards and requirements for ensuring secure payment solutions are properly implemented