Fund IS Chapter 6 Laws and Regulations
Regulatory Compliance
Adherence to laws specific to the industry, involves audits. One of two types of compliance
Industry Compliance
Adherence to non-mandated regulations with business impacts. One of two types of compliance
Compliance
Adherence to rules and regulations governing information handling.
Global Privacy Compliance
Challenges for companies adhering to multiple laws
Information Security Laws
Challenges in tracking virtual crimes and enforcement
Cloud Audit and Assessment Rights
Contracts with cloud providers usually frown on customers doing their own auditing and assessing. Providers perform their own audits and dislike customer penetration testing, since active security testing may impact the shared infrastructure in use.
Privacy Concerns
Debates on handling personal information securely
Federal Risk and Authorization Management Program (FedRAMP)
Defines rules for government agencies contracting with cloud providers.
Cryptocurrency
Disruptive digital currency often based on blockchain
Information Security Policy
Document defining information security for an organization. Put policies in place and make sure people comply with them.
Data Protection Directive
EU law protecting personally identifiable information
General Data Protection Regulation GDPR
EU regulation on data protection and privacy
Monitoring
Essential to check if controls effectively reduce risk.
Cryptocurrency Security
Example: the loss of Gerald Cotten's secured laptop. He died and all that money went poof because access was too well secured.
Edward Snowden Case
Exposure of state surveillance leading to global concerns
International Organization for Standardization (ISO)
Framework to help compliance efforts. The ISO 27000 series covers information security management systems and is intended to help manage asset security, laying out best practices for managing risk, controls, privacy, technical issues, and a wide array of other specifics.
National Institute of Standards and Technology
Framework to help compliance efforts. SP 800-37 lays out the risk management framework in the following six steps, which form the basis of many security programs: (1) Categorize the system based on the information it handles and the impact of exposing or losing such data. (2) Select controls based on the system's categorization and any extenuating circumstances. (3) Implement the controls and document the implementation. (4) Assess the controls to ensure that they're properly implemented and performing as expected. (5) Authorize or ban the use of the system based on the risk it faces and the controls implemented to mitigate that risk. (6) Monitor the controls to ensure that they continue to appropriately mitigate risk.
Reporting
Informing leadership of results for decision-making.
Noncompliance with Regulatory Compliance
Leads to stiff penalties, including possible incarceration.
Geographic Boundaries
Legal complexities due to internet transcending borders
Noncompliance with Industry Compliance
May result in loss of privileges, hefty fines, or business restrictions.
Mitigating Physical Control
Mitigates risks through physical security measures like fences.
Mitigating Administrative Control
Mitigates risks through documented processes and procedures.
Custom Framework
Neat but you don't need to reinvent the wheel.
Blockchain Controls
Necessary to prevent manipulation with 51% control
Reviewing
Periodic assessment of control effectiveness for current risks.
Information Security Management
Preventing unauthorized data disclosure and managing leaks
Children's Internet Protection Act CIPA
Prevents children from accessing harmful online content
Key Controls
Primary controls managing risks, essential for compliance. One of two types of importance for controls.
Gramm-Leach-Bliley Act GLBA
Protects Personally Identifiable Information (PII) and financial data in financial institutions
Children's Online Privacy Protection Act COPPA
Protects minors' privacy by restricting PII collection
Health Insurance Portability and Accountability Act (HIPAA)
Protects patient data in the US healthcare system.
Documenting
Recording reviews and control environment changes.
Sarbanes-Oxley Act (SOX)
Regulates financial data for publicly held companies. Security professionals often help design and implement systems impacted by SOX.
Compensating Controls
Replace impractical key controls, must fulfill the same intent. One of two types of importance for controls.
Federal Information Security Management Act (FISMA)
Requires a risk-based approach to security controls. A type of government-related regulatory compliance. After a government audit, the company working with the government gets an authority to operate (ATO).
Technical Control
Risk management using technical measures like firewalls.
Unauthorized Data Exposure
Risks leading to lawsuits, fines, and reputational damage
Cloud Computing Models
SaaS, PaaS, and IaaS offer varying levels of control.
Family Educational Rights and Privacy Act FERPA
Safeguards student records and rights
PCI DSS
Standards for credit card transactions compliance
State Privacy Laws
State-specific regulations like California's SB 1386
Blockchain
Technology ensuring secure and uneditable transactions
Social Media Policies
Terms of use affecting data sharing and privacy
NIST
US National Institute of Standards and Technology. They now focus on technology promotion and innovation. Their Special Publications (SPs) have a significant impact on information security.
Federal Privacy Act of 1974
US law safeguarding personal data with procedural rights
Special Publications (SPs)
US standards forming the basis for laws, created by NIST. A type of government-related regulatory compliance.
Private Blockchain
Used by some companies for enhanced control
Extradition Laws
Variances affecting international computer law
Bitcoin Mining
Verifying blocks by solving mathematical puzzles in exchange for rewards
Cloud Computing Model: SaaS
Provides you with access to a specific application or application suite, e.g., Google Apps. Users can't modify the infrastructure or servers; the cloud provider is responsible for them entirely. Users might be responsible for the data they input into the environment but not for the security of the environment itself.
Cloud Computing Model: IaaS
Provides you with access to virtual servers and storage, e.g., AWS. The provider owns the risks related to the networks and servers on which the virtual infrastructure exists, securing and maintaining the hosts, their networks, and the storage arrays.
Cloud Computing Model: PaaS
Provides you with prebuilt servers, such as database or web servers. Users can access the servers but not the infrastructure that runs them. The provider assumes responsibility for the security of the infrastructure, patching the operating system, configuring the servers, backing up the servers, and maintaining storage volumes.
California's Senate Bill 1386 (SB 1386)
Specifically calls out the requirements for handling unauthorized exposure of data relating to residents of that particular state.