Hex dump of Gibe-F worm.

Government & Industry Information Security Regulations

HIPAA (Health Insurance Portability and Accountability Act)

A U.S. act, issued in final form in 2003, regulates protection for "EPHI", Electronic Protected Health Information, which is private health information in electronic form.

It becomes a special concern when dealing with health insurance, since that requires the otherwise forbidden linking of three types of sensitive information:

Useful overviews for infosec people include the SANS HIPAA whitepapers and a general-purpose explanation of HIPAA.

Sarbanes-Oxley

It's informally known as "Sarbox" or "SOX", or more formally as the Public Company Accounting Reform and Investor Protection Act of 2002.

It's a U.S. federal law created in response to major corporate and accounting scandals (Enron, Tyco, Peregrine Systems, WorldCom, etc.).

The obvious purpose has to do with corporate-level honesty and openness. But the immediate infosec impact has to do with the careful handling of financial and personal information.

Useful overviews for infosec people include the SANS Sarbanes-Oxley white papers and a general-purpose explanation of Sarbanes-Oxley.

Payment Card Industry (PCI) Data Security

The Payment Card Industry (PCI), which is pretty much just MasterCard and Visa, has defined the PCI Data Security Standard. This came out of Visa's Cardholder Information Security Program (CISP) and Account Information Security (AIS) program, and MasterCard's Site Data Protection (SDP) program.

Merchant levels, their selection criteria, the validation action required, and who performs the validation:

Level One
  Selection criteria (any one of):
    • Process more than 6,000,000 transactions per year
    • Any merchant that has suffered an attack that resulted in account data compromise
    • Any merchant identified as Level One by any card association
  Validation action:
    • Annual on-site security audit
    • Quarterly network scan
  Validated by:
    • Audit by either an independent security assessor, or internal audit if signed by a company officer
    • Scan by a qualified independent scan vendor

Level Two
  Selection criteria:
    • 1,000,000 to 6,000,000 transactions per year
  Validation action:
    • Annual PCI self-assessment questionnaire
    • Quarterly network scan
  Validated by:
    • Scan by a qualified independent scan vendor

Level Three
  Selection criteria:
    • 20,000 to 1,000,000 e-commerce transactions per year
  Validation action:
    • Annual PCI self-assessment questionnaire
    • Quarterly network scan
  Validated by:
    • Scan by a qualified independent scan vendor

Level Four
  Selection criteria (either of):
    • Less than 20,000 e-commerce transactions per year, or
    • Up to 1,000,000 transactions per year
  Validation action:
    • Recommended annual PCI self-assessment questionnaire
    • Recommended annual network scan
  Validated by:
    • Scan by a qualified independent scan vendor

For more details see:
  • PCI Security Standards Council
  • MasterCard Site Data Protection Program
  • Visa Cardholder Information Security Program

SANS has some papers on security auditing in general.
