Laws & Regulations Flashcards
The concept of industry standards and mandatory laws that organizations must comply with
What is PCI DSS?
PCI DSS is a set of rules created by a group of credit card issuers for processing credit card transactions. The standard defines requirements for a security program, specific criteria for protecting data, and the necessary security controls.
Types of compliance controls?
- Physical controls mitigate risks to physical security. These controls usually physically prevent or deter unauthorized access to or through a specific area.
- Administrative controls mitigate risks by implementing certain processes and procedures. Whenever you accept, avoid, or transfer risk, you are likely using administrative controls, because you rely on processes, procedures, and standards to prevent your organization from hurting itself by taking on too much risk. Documenting your administrative controls by keeping records of policies, procedures, and standards is necessary to prove you follow them.
- Technical controls manage risks using technical measures. You might mitigate risks by putting firewalls, intrusion detection systems, access control lists, and other technical measures in place to prevent attackers from getting into your systems.
The 4 stages of maintaining compliance?
Monitor -> review -> document -> report
HIPAA
Health Insurance Portability and Accountability Act
SOX
Sarbanes-Oxley Act. It regulates financial data, operations, and assets for publicly held companies.
GLBA
Gramm-Leach-Bliley Act. It aims to protect information such as PII (personally identifiable information) and financial data belonging to customers of financial institutions. GLBA defines financial institution broadly to include "banks, savings and loans, credit unions, insurance companies and securities firms…some retailers and automobile dealers that collect and share personal information about customers to whom they extend or arrange credit" as well as businesses that use financial data to collect debts from customers.
CIPA
Children's Internet Protection Act. It requires schools and libraries to prevent children from accessing harmful and obscene content.
COPPA
Children's Online Privacy Protection Act. It protects children's PII. It requires organizations to post a privacy policy online, make reasonable efforts to obtain parental consent, and notify parents that information is being collected.
FERPA
Family Educational Rights and Privacy Act. It protects students' records. FERPA applies to students at all levels, and when a student turns 18, the rights to these records shift from the parents to the student.
Types of Compliance
- Regulatory compliance is adherence to the laws specific to the industry in which you are operating.
- Industry compliance is adherence to regulations that aren't mandated by law but that can nonetheless have severe impacts upon your ability to conduct business.
FISMA
Federal Information Security Management Act. It applies to all US federal government agencies, all state agencies that administer federal programs (such as Medicare), and all private companies that support, sell to, or receive grant money from the federal government.
FedRAMP
Federal Risk and Authorization Management Program. It defines rules for government agencies contracting with cloud providers. This applies to both cloud platform providers such as AWS and Azure and companies providing software as a service (SaaS) tools that are based in the cloud.