Government & Industry Information Security Regulations
International, Government, and Industry Regulations
Laws, Regulations, and Standards
I have a concise list of these as one of my (ISC)2 CCSP study guides. Those pages contain some of what you need to know to pass the Certified Cloud Security Professional exam. That exam is largely focused on regulatory compliance. The questions are in the context of cloud technology, but they aren't about cloud technology.
HIPAA (Health Insurance Portability and Accountability Act)
HIPAA is a U.S. act, issued in final form in 2003, that regulates the protection of "EPHI" (Electronic Protected Health Information), meaning private health information held in electronic form.
It becomes a special concern when dealing with health insurance, since that requires the otherwise forbidden linking of three types of sensitive information:
- Personal identity
- Medical information
- Financial information
Useful overviews for infosec people include the SANS HIPAA whitepapers and a general-purpose explanation of HIPAA.
Health-care organizations are being hit with multi-million dollar penalties and settlements for HIPAA violations. This report from 2018 lists:
- $16,000,000 — Anthem Inc.
- $4,348,000 — University of Texas MD Anderson Cancer Center
- $3,500,000 — Fresenius Medical Care North America
- $515,000 — Massachusetts General Hospital
- $500,000 — Advanced Care Hospitalists
- $384,000 — Brigham and Women's Hospital
- $125,000 — Allergy Associates of Hartford
- $111,400 — Pagosa Springs Medical Center
- $100,000 — Boston Medical Center
- $100,000 — Filefax, Inc.
Sarbanes-Oxley
It's informally known as "Sarbox" or "SOX", or more formally as the Public Company Accounting Reform and Investor Protection Act of 2002.
It's a U.S. federal law created in response to major corporate and accounting scandals (Enron, Tyco, Peregrine Systems, WorldCom, etc.).
The obvious purpose has to do with corporate-level honesty and openness. But the immediate infosec impact has to do with the careful handling of financial and personal information.
Useful overviews for infosec people include the SANS Sarbanes-Oxley white papers and a general-purpose explanation of Sarbanes-Oxley.
Payment Card Industry (PCI) Data Security
The Payment Card Industry (PCI), which is pretty much just MasterCard and Visa, has defined the PCI Data Security Standard. This came out of Visa's Cardholder Information Security Program (CISP) and Account Information Security (AIS) programs, and MasterCard's Site Data Protection (SDP) program.
Merchants are placed into levels by transaction volume and incident history, and each level carries its own validation requirements. From the highest level down:

Criteria (any one of):
- Process more than 6,000,000 transactions per year
- Any merchant that has suffered an attack that resulted in account data compromise
- Any merchant identified as Level One by any card association
Requirements:
- Annual on-site security audit
- Quarterly network scan
Validation: audit by either an independent security assessor, or an internal audit if signed by a company officer.

Criteria:
- 1,000,000 to 6,000,000 transactions per year
Requirements:
- Annual PCI self-assessment questionnaire
- Quarterly network scan
Validation: scan by a qualified independent scan vendor.

Criteria:
- 20,000 to 1,000,000 e-commerce transactions per year
Requirements:
- Annual PCI self-assessment questionnaire
- Quarterly network scan
Validation: scan by a qualified independent scan vendor.

Criteria (either of):
- Less than 20,000 e-commerce transactions per year, or
- Up to 1,000,000 transactions per year
Requirements:
- Recommended annual PCI self-assessment questionnaire
- Recommended annual network scan
Validation: scan by a qualified independent scan vendor.
For more details see:
SANS has some papers on security auditing in general.