Welcome to our information security compliance fundamentals module. This module will discuss regulatory compliance. As a computer security professional, there are three different types of law that you may have to deal with. Administrative law provides standards or regulations that companies and federal agencies are required to follow; examples of administrative law are the rules put in place by the Food and Drug Administration or by the Environmental Protection Agency for dealing with hazardous materials. Civil law, also known as tort law, deals with lawsuits between companies or individuals for some type of wrongdoing that results in a damage or loss. These cases are typically handled by private parties, not the government, and the defendant is either found liable for the damages and required to pay those damages and court costs, or found not liable and not required to pay any damages. Criminal law deals with crimes against society. These laws are typically enforced by governmental agencies such as police departments, and law enforcement is responsible for bringing charges against individual offenders. In criminal cases, individuals found guilty may be required to pay fines or may face imprisonment. You may see a question on the CISSP examination asking which type of law violation would most likely result in imprisonment, and criminal law is the type of law that, when violated, will most likely cause an individual to be imprisoned.

In order to protect our business, it is important that we understand the laws and regulations facing our industry and make sure that we comply with these requirements to reduce our risk. We must be familiar with statutory laws, with the contracts that we have with other individuals and how they can be enforced, and with the type of regulations that we are required to comply with based on our industry. It is also important to protect individuals' personal privacy, or personally identifiable information (PII). Be aware that laws differ based on the jurisdiction in which your company is operating, so you should be familiar with the laws in those specific areas. It is important to apply administrative and technical controls in order to comply with laws and regulations, and to continuously audit your systems and your controls to make sure that they are functioning properly and giving you the desired result. It is also important to maintain written documentation to prove that you are compliant with laws and regulations; this helps to show due care and due diligence and may be important if you end up dealing with a lawsuit or some type of criminal investigation. It is very important to comply with all laws in your country and any regulations that your industry requires you to follow. Management is ultimately responsible for making sure that laws are being followed, and they are also responsible for proving compliance with the laws.

One example of a regulation that you may be required to comply with is the Sarbanes-Oxley Act, or SOX. This Act requires accurate financial record-keeping for publicly traded companies. The Gramm-Leach-Bliley Act, or GLB, pertains to the banking industry and requires maintaining the privacy of consumers' information. Finally, Basel II pertains to international banking. For the CISSP examination you should be familiar with SOX and GLB, remembering that SOX relates to publicly traded companies and accurate financial record-keeping, and GLB relates to banks and consumer privacy.

As a computer security professional there are some other laws that you should be familiar with. The Federal Privacy Act of 1974 requires written permission by government agencies before disclosing any private information; it is important to remember this Act because it is the first time that action was taken in the area of technology and privacy. The Computer Security Act of 1987 requires government agencies to locate sensitive systems, provide security training, and develop computer security plans for any computers that contain sensitive information. ECPA, or the Electronic Communications Privacy Act of 1986, makes it illegal to monitor, eavesdrop on, or intercept oral communications, wire communications, or electronic communications without the permission of the parties involved. It is important to maintain an acceptable use policy and notify your employees that you will be monitoring their activities; otherwise you may be violating the Electronic Communications Privacy Act. HIPAA, or the Health Insurance Portability and Accountability Act, requires those in the healthcare industry to maintain the security of consumers' data and protected health information. HIPAA is one of the laws that you may see on the CISSP examination, and you should be familiar with the fact that it relates to health care data. The Computer Fraud and Abuse Act prohibits individuals from accessing federal government computers without authorization. The Federal Information Resources Management Regulation provides a set of regulations for using, managing, and acquiring computer resources in the federal government. The Office of Management and Budget Circular A-130 requires federal agencies to have security programs in place. The 1991 Federal Sentencing Guidelines provide sentencing guidelines for white-collar crimes and enhancements for using technology with those crimes, and the Economic Espionage Act of 1996 prohibits individuals from stealing or misusing trade secrets.

The Payment Card Industry Data Security Standard, or PCI DSS, requires organizations that handle payment cards, such as credit cards, to take certain steps to ensure the safe handling of this very sensitive information. It provides a framework so that companies can develop account data security processes in order to detect fraud, prevent fraud, and react to any security incidents that may occur. The Payment Card Industry Security Standards Council encourages all businesses to comply with these standards in order to lower the risks associated with a data compromise. It is very important to remember for the CISSP examination that PCI DSS is not a United States law; it is an international standard that is a recommendation. If you were to see a question asking which is not a United States law and providing you with several choices, PCI DSS would be the best choice in that particular situation. Typically organizations will conduct audits to make sure that they are compliant with these suggestions and regulations, and instead of storing credit card numbers, merchants will typically store tokens instead; this way, if a hacker is able to obtain a copy of their data, they will not have users' credit card numbers. However, when external PCI compliance audits are conducted, many companies will fail these tests.

It is often required that organizations report data breaches, or disclose the fact that a data breach occurred, to the proper authorities. It is very important for the CISSP exam to know the difference between a breach and a data disclosure. A breach is when an individual gains access to your system and may have had access to private or confidential information. We are seeing an increase not only in the number of data security breaches each year but also in the diversity and sophistication of these breaches. A data disclosure is when you actually have a confirmed loss of data, where there is some proof that an individual actually stole the data, and not just that it was exposed and could have been stolen. Obviously it is important to be able to tell the difference if this occurs in your organization, but you should also be familiar with the difference for the CISSP examination.

It is important that you are conducting audits regularly, because many laws require that you complete audits to show compliance. You can either have internal auditors that work for your company and conduct audits, or you can have external auditors that can verify that your company is in compliance. Auditors are responsible for checking certain elements to make sure that you are in compliance with the regulations. Financial audits are used to review your financial statements and ensure that they are accurate. Auditors will typically have long checklists of items that correspond with the different legal, regulatory, and policy requirements that your organization must meet, and they will go through these checklists to verify compliance. You can also use audits to verify that your organization is following best practices and meeting your key performance indicators, or KPIs. You should be familiar with the term key performance indicators for the CISSP examination. This concludes our information security compliance fundamentals module. Thank you for watching.