Security - Regulated Data Flashcards
What is the PCI DSS and what does it do?
Payment Card Industry Data Security Standard
- PCI DSS defines the security standards for any organization that handles cardholder information for debit cards, credit cards, prepaid cards, or any other type of payment card.
- Any organization that accepts payment cards must ensure it complies with the PCI DSS to avoid fines or possible restriction from processing payment cards.
What are the 6 goals of PCI DSS?
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
What is the PCI DSS Goal of building and maintaining a secure network?
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
What is the PCI DSS goal of protecting cardholder data?
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
What is the PCI DSS goal of maintaining a vulnerability management program?
- Use and regularly update antivirus software or programs.
- Develop and maintain secure systems and applications.
What is the PCI DSS goal of implementing strong access control measures?
- Restrict access to cardholder data by business need to know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
What is the PCI DSS goal of regularly monitoring and testing networks?
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
What is the PCI DSS goal of maintaining an information security policy?
An organization is required to maintain a policy that addresses information security for all personnel.
What is SOX?
The Sarbanes-Oxley Act (SOX) was enacted in 2002. It applies to any company publicly traded on the stock market. The goal of SOX is to increase transparency and formalize a system of checks and balances. It regulates how companies maintain financial records and secure financial data.
What is GLBA?
The Gramm-Leach-Bliley Act (GLBA) applies to any institution that offers loans, investment advice, or insurance. The GLBA requires these institutions to safeguard customer information and detail the practices for sharing consumer information. The FTC enforces GLBA.
Personal information falls under what two categories?
- Personal government-issued information is anything assigned by the government, including driver's license and Social Security numbers.
- Personally identifiable information (PII) can include credit scores, address history, student records, and any information not assigned by the government that can identify a person.
What is FERPA and what does it do?
Family Educational Rights and Privacy Act
All educational institutions must keep detailed student records. The sensitive information kept in these files must be kept secure. FERPA provides institutions with procedures to secure this information, including defining:
1. How to store the information.
2. Who the information can be shared with.
3. How long the data must be retained.
What is the CCPA and what does it do?
California Consumer Privacy Act
The CCPA allows California citizens to have control over their personal information that businesses collect. Key components of the CCPA include:
1. The right to know the information that a business collects about an individual.
2. The right to delete collected personal information.
3. The right to opt-out of the sale of an individual’s personal information.
4. The right to non-discrimination for exercising an individual’s CCPA rights.
Even though the CCPA applies to California citizens, many larger organizations allow citizens of other states to exercise these rights. These organizations find it cost-prohibitive to develop and apply the processes only to California residents.
What is the GDPR and what does it do?
General Data Protection Regulation
The GDPR applies to citizens in the European Union and provides many of the same rights as the CCPA. Like the CCPA, many organizations that operate in both the EU and other countries provide these rights to all users regardless of location.
What is HIPAA and what does it do?
Health Insurance Portability and Accountability Act
It is the primary law defining how healthcare information should be kept secure.