- Two main categories of legal systems in World. Many systems mix those:
- Common law
- Unwritten laws based on legal precedents established by the courts.
- E.g. USA, UK, India and Canada
- Two main branches:
- Civil law (in common law)
- Between individuals, organizations, or between the two
- Focuses on dispute resolution and victim compensation
- Criminal law
- Includes the punishment and rehabilitation
- Proscribes conduct threatening, harmful, or otherwise endangering to the property, health, safety, and moral welfare of people inclusive of one's self
- Civil law (in common law)
- Civil law
- Codified statutes and legal codes predominate
- E.g. majority of countries including Germany, France, Spain, Sweden, Turkey..
- Common law
- Payment Card Industry Data Security Standard
- Applies to organizations that card payments and all entities involved in the process of card payment.
- Global data security standard
- Common sense steps presenting best security practices
- 📝 Requires tester to notify organization if cardholder data is accessed during a penetration test
"If cardholder data is accessed during the penetration test, it is important that the tester notify the organization immediately" PCI DSS Guidance recommends:
- See also the official guide, or the simpler version.
- Build and maintain a secure network
- (1) Install and maintain a firewall
- (2) Do not use vendor-supplied defaults for any security parameters (e.g. passwords)
- 📝 Protect cardholder data
- (3) Protect stored data
- Storing cardholder data is discouraged, but if stored it must be encrypted or hashed.
- Never store sensitive data on the magnetic stripe or chip including PIN and CAV2 / CVC2 / CVV2 / CID.
- (4) Encrypt transmission of cardholder data across public networks
- (3) Protect stored data
- Maintain a vulnerability management program
- (5) Use and regularly update anti-virus software
- (6) Develop and maintain secure systems and applications
- 📝 Implement strong access control measures
- (7) Restrict access to cardholder data by business need-to-know
- (8) Assign a unique ID to each person with computer access
- (9) Restrict physical access to cardholder data
- Store media back-ups in a secure location, preferably off site.
- Review and confirm that back-up media is secure at least annually.
- 📝 Regularly monitor and test networks
- (10) Track and monitor all access to network resources and cardholder data
- (11) Regularly test security systems and processes
- (11.1) Test presence of wireless access points on a quarterly basis
- (11.2) Network vulnerability scans at least quarterly and after any significant change
- (11.3) Penetration testing at least once a year and after any significant change
- Maintain an information security policy
- (12) Maintain a policy that addresses information security
- Set of worldwide information security standards
- Also known as ISMS Family of Standards or ISO27K
- ISO/IEC stands for
- "The International Standard for Standardization (ISO)"
- and "The International Electrotechnical Commission (IEC)"
- Titled as "Information technology - Security Techniques - Information security management systems — Requirements"
- Defines requirements for the organization's information security management system.
- Applies a risk management process
- Used
- To create security requirements and objectives
- To ensure the cost efficiency of managing the security risks
- To ensure that laws and regulations are followed
- For defining new information security processes
- For identifying and clarifying existing information security processes.
- For determining the status of information security management activities in an organization
- For implementing business information security
- For providing relevant security information to customers
- Titled as "Information technology – Security techniques – Code of practice for information security controls".
- Information security controls to enforce best-practices
- Includes controls for e.g. • Access Control • Cryptography • Access Control • Physical and environmental security...
- Health Insurance Portability and Accountability Act
- 📝 Provides data privacy and protection of medical information.
- Specifies administrative, physical, and technical protection for all entities involved.
- 🤗 Initially created to protect people from losing their health insurance e.g. when changing jobs.
- Extended to reduce costs and administrative burdens of healthcare transactions.
- Healthcare transaction
- A transaction is an electronic exchange of information between two parties to carry out financial or administrative activities related to health care
- Usually represented by claims and enrollment data
- E.g. a health care provider will send a claim to a health plan to request payment for medical services.
- 📝 Standard transactions
- Adopted standard by HSA (U.S. Health & Human Services) under HIPAA
- Include • payment and remittance advice • claims status • eligibility • premium payment • enrollment and disenrollment • referrals and authorizations.
- Electronic transaction and code sets standards
- Every provider who performs electronic transactions needs to use the same health care transactions, codes, and identifiers.
- Security rule
- Ensures the confidentiality, integrity, and security of health information
- Enforcement rule
- Details provisions in regard to the compliance, investigations, violations, and hearing procedures.
- Privacy rule
- Protects a person's health information and defines who has the access to the information.
- Controls include
- Administrative safeguards such as • performing risk analysis • employee training • security policies and procedures • business associate agreements
- Physical safeguards such as • access controls • policies for workstations (e.g. laptops) • workstation security
- Technical safeguards such as • access control • audit control • integrity control • transmission security
- 📝 National identifier requirements
- National Provider Identifier (NPI): A 10-digit number used for covered healthcare providers
- National Health Plan Identifier (NHI): An identifier that is used for identifying health plans.
- Employer Identifier Standard: A number that identifies employers on standard transactions.
- Federal Information Security Management Act
- 📝 US legislation that regulates federal data security standards and guidelines.
- Protects government information, operations and assets against various threats.
- Provides
- Standards for
- categorizing information and information systems by mission impact
- minimum security requirements for information and information systems
- Guidance for
- choosing appropriate security controls for information systems
- assessing security controls in information systems
- the security authorization of information systems
- Standards for
- Shorthand for National Institute of Standards and Technology Special Publication 800-53
- 📝 Security and privacy controls for federal information systems and organization
- Guidelines to assist in FISMA compliance
- Also known as SOX or Sarbanes Oxley act.
- US federal law
- Protect investors by making corporate disclosures more reliable and accurate
- Regulates what records organizations must keep and for how long
- E.g. banks need to save financial reports for a very long time
- The act contains 11 titles
- Public company accounting oversight board
- Auditor independence
- Corporate responsibility
- Enhanced financial disclosures
- Analyst conflicts of interest
- Commission resources and authority
- Studies and reports
- Corporate and criminal fraud accountability
- White-collar-crime penalty enhancement
- Corporate tax returns
- Corporate fraud accountability
- Digital Millennium Copyright Act
- Copyright laws in the USA
- Implements
- WIPO (World Intellectual Property Organization) Copyright Treaty
- WIPO Performances and Phonograms Treaty
- Against theft of intellectual property
- E.g. platforms must act as they can not benefit from what is yours, most platforms have copyright notice that you can issue.
- Act contains five titles:
- WIPO Treaty Implementation
- Online Copyright Infringement Liability Limitation
- Computer maintenance or repair
- Miscellaneous provisions
- Protection of certain original designs
- Framework created by ISACA for information technology (IT) management and IT governance.
- Helps companies follow law, be more agile and earn more.
- Links business and IT.
- Ties in with COSO, ITIL, BiSL, ISO 27000, CMMI, TOGAF and PMBOK.
- Defines processes for the management of IT
- Evaluate, Direct and Monitor (EDM)
- Align, Plan and Organize (APO)
- Build, Acquire and Implement (BAI)
- Deliver, Service and Support (DSS)
- Monitor, Evaluate and Assess (MEA)
- Components include
- Framework: Link IT objective and best practices to business requirements.
- Process descriptions: Process model to build common language for planning, building, running and monitoring.
- Control objectives: High-level requirements to be considered by management.
- Management guidelines: Helps assign responsibility, agree on objectives, measure performance, and illustrate interrelationship with other processes.
- Maturity models: Assesses maturity and capability per process and helps to address gaps.
- Standard Contractual Clauses
- Contract between an EU based data exporters and a non-EU-based data importers
- Protects personal data sent from the European Union (EU) to countries with lower level of data protection rights
- Ensures GDPR requirements in territories which are not considered to offer adequate protection to the rights and freedoms of data subjects
- Also known as PrivacyShield
- Framework for regulating exchanges of personal data for commercial purposes between the European Union and the United States
- Enables US companies to more easily receive personal data from EU entities
- Became invalid in 16 July 2020 as it did not protect EU citizens on government snooping
- Also known as International Safe Harbor Privacy Principles, Safe Harbour Privacy Principles, Safe Harbour decision
- Signed between US and EU to prevent customer data leakage from private organizations
- Seven principles include: notice, choice (can opt out), onward transfer (only share with compliant companies), security, data integrity, access (can be accessed and deleted by individuals), enforcement
- Abolished in October 2015 and replaced with EU–US Privacy Shield
- Regulates data processing of EU citizens
- Applies in EU and outside of EU if personal data is collected from EU
- Requires consent to collect data
- Privacy by design: Enforces privacy and security measures
- Gives rights such as: • right to be informed • right of access • right to rectification • right to erasure (right to be forgotten) • right to restrict processing • right to data portability • right to object • right in relation to automated decision making and profiling.
- Also known as ISO/IEC 15408
- Standard for computer security certification
- Tests to evaluate vendor claims of security about its products
- Four aspects to the of evaluation
- TOE: the system being tested
- ST (security target): he documentation describing the TOE and requirements)
- PP (protection profile)
- The requirements for the type of product being tested)
- The evaluation assurance level (EAL, the rating level, ranked from 1 to 7).
- RFC 1918: Private IP Standard
- RFC 3227: Collecting and storing data
- CAN-SPAM act: Email marketing
- GLBA
- Gramm-Leach-Bliley Act
- Requires financial institutions to take steps to protect customer information
- FERPA: Education Records