Laws, Regulations & Compliance

Question 1

12 Requirements of PCI DSS

Answer 1

1. Install + maintain firewall configuration
2. do not use vendor supplied defaults for passwords + other security parameters
3. protect stored cardholder data
4. encrypt transmission of cardholder data across open public networks
5. protect systems against malware + regularly update AV
6. develop + maintain secure systems and apps
7. restrict access to cardholder data by N2K
8. identify + authenticate access to system components
9. restrict physical access to cardholder data
10. track + monitor all access to network resources + cardholder data
11. regularly test security systems + processes
12. maintain policy that addresses information security

Question 2

Digital Millennium Copyright Act of 1998

Answer 2

prohibits circumvention of copy protection mechanisms (digital media) + limits liability for ISPs for activities of their users

Question 3

Economic Espionage Act of 1996

Answer 3

penalties for theft of trade secrets

Question 4

FERPA

Answer 4

Education

Question 5

GLBA - Graham Leach Biley Act

Answer 5

credit related PII; FIs

Question 6

ECS - Electronic Communication Service (Europe)

Answer 6

notice of breaches

Question 7

4th Amendment

Answer 7

basis for privacy rights is the 4th amendment of the US constitution

Question 8

1974 US Privacy Act

Answer 8

protection of PII on federal databases

Question 9

1980 Organization for Economic Cooperation Development (OECD)

Answer 9

provides for data collection, specifications, safeguards

Question 10

1986 (amended 1996) US Computer Fraud and Abuse Act

Answer 10

trafficking in computer passwords or information that causes a loss of USD 1000 and more or could impair medical treatment

Question 11

1986 Electronic Communications Privacy Act

Answer 11

prohibits eavesdropping or interception without distinguishing private / public

Question 12

CALEA - Communications Assistance for Law Enforecement Act 1994

Answer 12

amended the 1986 Electronic Communications Privacy Act; requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order, regardless of technology in use

Question 13

1987 US Computer Security Act

Answer 13

security training, develop security plan, identify sensitive systems on governmental agencies

Question 14

1991 US Federal Sentencing Guidelines

Answer 14

responsibility on senior management with fines up to USD 290mn; invoke prudent man rule; address both individuals and organizations

Question 15

1996 US Economic and Protection Act

Answer 15

industrial and corporate espionage

Question 16

1996 US National Infrastructure Protection Act

Answer 16

encourages other countries to adopt similar framework

Question 17

HITECH - Health Information Technology for Economic and Clinical Health Act of 2009

Answer 17

update on HIPPA; data breach notification requirements; change in treatment of business associates (BAs) = organizations that handle PII on behalf of HIPPA covered entity –> written contract required