1.6 Information Security Laws and Standards
Payment Card Industry Data Security Standard (PCI-DSS)
- The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.
- PCI DSS applies to all entities involved in payment card processing - including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data.
- High level overview of the PCI DSS requirements developed and maintained by Payment Card Industry (PCI) Security Standards Council:
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
ISO/IEC 27001:2013
- ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization.
- It is intended to be suitable for several different types of use, including the following:
- Use within organizations to formulate security requirements and objectives.
- Use within organizations as a way to ensure that security risks are cost effectively managed.
- Use within organizations to ensure compliance with laws and regulations.
- Definition of new information security management processes.
- Identification and clarification of existing information security management processes.
- Use by the management of organizations to determine the status of information security management activities.
- Implementation of business-enabling information security.
- Use by organizations to provide relevant information about information security to customers.
Health Insurance Portability and Accountability Act (HIPAA)
- HIPAA's Administrative Simplification Statute and Rules:
- Electronic Transaction and Code Sets Standards: Requires every provider who does business electronically to use the same health care transactions, code sets and identifiers.
- Privacy Rule: Provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information.
- Security Rule: Specifies a series of administrative, physical and technical safeguards for covered entities to use to assure the confidentiality, integrity and availability of electronic protected health information.
- National Identifier Requirements: Requires that health care providers, health plans and employers have standard national numbers that identify them on standard transactions.
- Enforcement Rule: Provides standards for enforcing all the Administration Simplification Rules.
PII (personally identifiable information), e.g. DPA
PFI (personal financial information), e.g. PCI-DSS
PHI (protected health information), e.g. HIPAA
Sarbanes-Oxley Act (SOX)
- Enacted in 2002, the Sarbanes-Oxley Act is designed to protect investors and the public by increasing the accuracy and reliability of corporate disclosures.
- Key requirements and provisions of SOX are organized into 11 titles:
- Title I: Public Company Accounting Oversight Board establishes the PCAOB to provide independent oversight of public accounting firms providing audit services ("auditors").
- Title II: Auditor Independence establishes standards for external auditor independence, to limit conflicts of interest and addresses new auditor approval requirements, audit partner rotation, and auditor reporting requirements.
- Title III: Corporate Responsibility mandates that senior executives take individual responsibility for the accuracy and completeness of corporate financial reports.
- Title IV: Enhanced Financial Disclosures describes enhanced reporting requirements for financial transactions, including off-balance-sheet transactions, pro-forma figures and stock transactions of corporate officers.
- Title V: Analyst Conflicts of Interest consists of measures designed to help restore investor confidence in the reporting of securities analysts.
- Title VI: Commission Resources and Authority defines practices to restore investor confidence in securities analysts.
- Title VII: Studies and Reports covers the effects of consolidation of public accounting firms, the role of credit rating agencies in the operation of securities markets, securities violations and enforcement actions, and whether investment banks assisted Enron, Global Crossing and others to manipulate earnings and obfuscate true financial conditions.
- Title VIII: Corporate and Criminal Fraud Accountability describes specific criminal penalties for fraud by manipulation, destruction or alteration of financial records or other interference with investigations, while providing certain protections for whistle-blowers.
- Title IX: White Collar Crime Penalty Enhancement increases the criminal penalties associated with white-collar crimes and conspiracies. It recommends stronger sentencing guidelines and specifically adds failure to certify corporate financial reports as a criminal offense.
- Title X: Corporate Tax Returns states that the Chief Executive Officer should sign the company tax return.
- Title XI: Corporate Fraud Accountability identifies corporate fraud and records tampering as criminal offenses and joins those offenses to specific penalties. It also revises sentencing guidelines and strengthens their penalties. This enables the SEC to temporarily freeze large or unusual payments.
The Digital Millennium Copyright Act (DMCA) and Federal Information Security Management Act (FISMA)
- The Digital Millennium Copyright Act (DMCA):
- The DMCA is a United States copyright law that implements two 1996 treaties of the World Intellectual Property Organization (WIPO).
- It defines legal prohibitions against circumvention of technological protection measures employed by copyright owners to protect their works, and against the removal or alteration of copyright management information.
- Federal Information Security Management Act (FISMA):
- FISMA provides a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets.
- It includes:
- Standards for categorizing information and information systems by mission impact.
- Standards for minimum security requirements for information and information systems.
- Guidance for selecting appropriate security controls for information systems.
- Guidance for assessing security controls in information systems and determining security control effectiveness.
- Guidance for the security authorization of information systems.