Regulations and Standards Flashcards
Computer Security Act of 1987
The Computer Security Act was enacted to improve the security and privacy of sensitive information in federal computer systems. It requires federal agencies to identify their systems that contain sensitive information, establish security plans, and train personnel in security measures. The act also empowered the National Institute of Standards and Technology (NIST) to develop standards and guidelines to ensure the security of federal computer systems.
GDPR General Data Protection Regulation
The GDPR is a European Union regulation that came into effect in 2018, aimed at protecting the personal data and privacy of individuals within the EU. It applies to all organizations processing the personal data of EU residents, regardless of where the organization is located. GDPR gives individuals control over their personal data and imposes strict requirements on data handling, with hefty penalties for non-compliance.
California Consumer Privacy Act (CCPA)
The CCPA is a state law in California that enhances privacy rights and consumer protection for residents of California. It gives consumers the right to know what personal data is being collected about them, the right to request deletion of their data, and the right to opt out of the sale of their data. The law also imposes obligations on businesses to safeguard personal data and to be transparent about data practices.
Family Educational Rights and Privacy Act (FERPA)
FERPA is a U.S. federal law that protects the privacy of student education records. It gives parents certain rights with respect to their children’s education records, which transfer to the students themselves when they reach 18 years of age or attend a school beyond the high school level. Schools must have written permission from the parent or eligible student to release any information from a student’s education record.
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. Developed by major credit card companies, PCI DSS aims to protect cardholder data and reduce credit card fraud through stringent security controls across all systems that handle payment information.
Gramm-Leach-Bliley Act (GLBA)
The GLBA, also known as the Financial Services Modernization Act of 1999, requires financial institutions in the United States to explain their information-sharing practices to customers and safeguard sensitive data. The act includes provisions for protecting personal financial information and preventing unauthorized access to or use of such data.
Sarbanes-Oxley Act (SOX)
SOX is a U.S. federal law enacted in 2002 to protect investors from fraudulent accounting activities by corporations. It mandates strict reforms to improve financial disclosures and prevent accounting fraud, including requirements for internal controls and procedures for financial reporting, as well as certifications of financial statements by CEOs and CFOs.
Federal Information Security Management Act (FISMA)
FISMA is a U.S. federal law that requires federal agencies and their contractors to develop, document, and implement programs to secure their information systems. It emphasizes the importance of risk management and aims to protect federal data from threats by setting security standards and guidelines for information systems.
Federal Information Processing Standards (FIPS)
FIPS are publicly available standards developed by the U.S. federal government for use in computer systems by non-military government agencies and contractors. They cover various aspects of information security, including cryptographic standards, to ensure secure processing, storage, and transmission of sensitive data.
ISO/IEC 27001
ISO/IEC 27001 is an international standard that outlines the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). Its primary purpose is to help organizations protect their information systematically by managing risks related to data security, confidentiality, integrity, and availability.
ISO/IEC 27002
ISO/IEC 27002 provides a set of best practices and guidelines for implementing the information security controls outlined in ISO/IEC 27001. It serves as a reference for selecting controls within the ISMS, offering a detailed explanation of how to implement security controls to mitigate risks and enhance overall security posture.
ISO/IEC 27017
ISO/IEC 27017 is a standard that provides guidelines for information security controls specifically for cloud services. It extends the ISO/IEC 27002 standard to include cloud-specific information security controls, addressing the unique risks and challenges associated with cloud computing environments, including both cloud service providers and customers.
ISO/IEC 27018
ISO/IEC 27018 focuses on the protection of personally identifiable information (PII) in public cloud computing environments. It provides guidelines to cloud service providers for implementing security controls that safeguard PII, ensuring that personal data is handled in compliance with applicable privacy regulations and with transparency regarding data processing activities.
ISO 27701
ISO 27701 is an extension of ISO/IEC 27001 and ISO/IEC 27002 that provides guidelines for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS). It is designed to help organizations manage privacy risks and comply with data protection regulations such as GDPR by integrating privacy into their ISMS.
ISO 31000
ISO 31000 is an international standard for risk management that provides principles, a framework, and a process for managing risk. It is applicable to any organization, regardless of size, industry, or sector, and helps organizations identify, assess, and manage risks effectively to improve decision-making, governance, and resilience.