Compliance, Laws, and Regulations Flashcards
What is compliance in cybersecurity?
Adherence to rules and regulations that govern information security within an industry.
What are the two main types of compliance?
Regulatory Compliance – Mandated by law (e.g., HIPAA, GDPR).
Industry Compliance – Best practices not legally required (e.g., PCI DSS).
What are the consequences of noncompliance with regulatory laws?
Fines, lawsuits, loss of business, or even criminal penalties (e.g., jail time).
What are the consequences of noncompliance with industry standards?
Loss of certifications, inability to do business, and reputational damage.
What are the three main types of security controls?
Physical Controls – Protect physical security (e.g., locks, cameras, guards).
Administrative Controls – Policies and procedures (e.g., security training, audits).
Technical Controls – Security technologies (e.g., firewalls, IDS, encryption).
What is the difference between key controls and compensating controls?
Key Controls – Primary security measures that must not fail (e.g., antivirus on payment systems).
Compensating Controls – Alternative controls when key controls are not feasible (e.g., extra monitoring if MFA isn’t available).
What are four key actions to maintain compliance?
Monitoring – Continuously check if controls are working.
Reviewing – Periodically assess effectiveness.
Documenting – Keep records of compliance efforts.
Reporting – Communicate compliance status to leadership.
What is FISMA (Federal Information Security Management Act)?
A 2002 law requiring U.S. federal agencies to secure government information systems.
What is FedRAMP (Federal Risk and Authorization Management Program)?
A 2011 program that sets security standards for cloud services used by federal agencies.
What does HIPAA (Health Insurance Portability and Accountability Act, 1996) protect?
The privacy and security of protected health information (PHI).
What does SOX (Sarbanes-Oxley Act, 2002) regulate?
Financial data integrity for publicly traded companies.
What does GLBA (Gramm-Leach-Bliley Act, 1999) require?
Financial institutions must protect customer financial data.
What is the purpose of CIPA (Children’s Internet Protection Act, 2000)?
Requires schools and libraries to filter harmful online content for minors.
What is COPPA (Children’s Online Privacy Protection Act, 1998)?
Protects the privacy of children under 13 by limiting data collection from websites.
What does FERPA (Family Educational Rights and Privacy Act, 1974) protect?
The privacy of student educational records.
What is GDPR (General Data Protection Regulation, 2018)?
A European Union law that protects personal data and privacy of EU citizens.
What are the key ISO (International Organization for Standardization) standards for security compliance?
ISO 27000 – Security management terminology.
ISO 27001 – Security management requirements.
ISO 27002 – Best practices for implementing security controls.
What are the two key NIST (National Institute of Standards and Technology) publications for compliance?
SP 800-37 – Risk Management Framework (RMF) for federal systems.
SP 800-53 – Security and Privacy Controls for federal systems.
What are the three main cloud service models?
Infrastructure as a Service (IaaS) – Provides virtual machines and storage (e.g., AWS, Google Cloud).
Platform as a Service (PaaS) – Provides prebuilt server environments (e.g., Azure, Heroku).
Software as a Service (SaaS) – Provides full applications (e.g., Microsoft 365, Google Docs).
Which cloud model requires the most responsibility for security?
IaaS (Infrastructure as a Service) – The customer must secure operating systems, apps, and data.
Which cloud model requires the least responsibility for security?
SaaS (Software as a Service) – The provider secures everything except user access.