Laws and Regulations

Baseline of technical and operational requirements to protect account data. Applies to all organizations involved in payment card processing or in the storage or transmission of cardholder data (CHD) and/or sensitive authentication data (SAD). Its goal is to reduce the risk of compromise of account data. The PCI Security Standards Council issued this overview:

Sponsored by two US Senators, "Sarbanes" and "Oxley", in 2002. It legislates that publicly traded companies must protect investors' interests by adhering to the following 11 titles/headings, each of which is divided into sections.

  1. **Public Accounting Oversight Board** - Creates an independent Public Accounting Oversight Board under the oversight of the Securities and Exchange Commission. It is self-funded by the fees it may charge.

  2. **Auditor Independence** - Auditing firms may not carry out other profitable business services with the auditees.

  3. **Corporate Responsibility** - Mandates the creation of audit committees made up of independent members; misconduct forfeits CEO/CFO bonuses.

  4. **Enhanced Financial Disclosures** - Increased visibility of financial transactions (Enron) and of relationships with entities that have undue influence on the financial posture of the company; forbids practices such as money loans to directors and executives (WorldCom).

  5. **Analyst Conflicts of Interest** - Securities analysts may not recommend the purchase of securities to the general public.

  6. **SEC Role and Studies** - Appropriations for a given fiscal year (2003) to the SEC for a few special measures, including additional staff compensation, higher oversight of auditors and the services they provide, and staff augmentation for risk management, fraud prevention, market regulation and investment management.

  7. **Also, SEC Role and Studies** - Report to Congress on events in the securities firms markets and their impact on securities markets.

  8. **Corporate and Criminal Fraud Accountability** - It is a felony to destroy documents or create fraudulent documents to thwart federal investigations. The paper trail must be archived for 5 years. Punishable by up to 10 years in prison plus fines.

  9. **White Collar Crime Penalty Enhancements** - Financial reports for the SEC must include the CEO's and CFO's signatures as well as all material evidence of the company's finances. Up to a USD 500K fine and up to 5 years in prison.

  10. **Corporate Tax Returns** - The CEO must sign corporate income tax returns.

  11. **Corporate Fraud and Accountability** - Tampering with records or interfering with judicial proceedings is a crime punishable by up to 20 years in prison.

"COBIT (Control Objectives for Information and Related Technologies) is a framework created by ISACA for information technology (IT) management and IT governance.

The framework defines a set of generic processes for the management of IT, with each process defined together with process inputs and outputs, key process-activities, process objectives, performance measures and an elementary maturity model." according to Wikipedia.

"Specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature." according to ISO.org.

"_**Standards for electronic health information transactions.** Within 18 months of enactment, the Secretary of HHS is required to adopt standards from among those already approved by private standards developing organizations for certain electronic health transactions, including claims, enrollment, eligibility, payment, and coordination of benefits. These standards also must address the security of electronic health information systems._

_**Mandate on providers and health plans, and timetable.** Providers and health plans are required to use the standards for the specified electronic transactions 24 months after they are adopted. Plans and providers may comply directly, or may use a health care clearinghouse. Certain health plans, in particular workers compensation, are not covered._

_**Privacy.** The Secretary is required to recommend privacy standards for health information to Congress 12 months after enactment. If Congress does not enact privacy legislation within 3 years of enactment, the Secretary shall promulgate privacy regulations for individually identifiable electronic health information._

_**Pre-emption of State Law.** The bill supersedes state laws, except where the Secretary determines that the State law is necessary to prevent fraud and abuse, to ensure appropriate state regulation of insurance or health plans, addresses controlled substances, or for other purposes. If the Secretary promulgates privacy regulations, those regulations do not preempt state laws that impose more stringent requirements. These provisions do not limit a State's ability to require health plan reporting or audits._

_**Penalties.** The bill imposes civil money penalties and prison for certain violations._" according to the Office of the Assistant Secretary for Planning and Evaluation.

Aims to produce the key security standards and guidelines required by Congressional legislation. This body of work gives organizations the guidance needed to build, integrate and sustain organization-wide, risk-based decision making and information security programs.

FISMA's goal is to develop key risk management criteria and an industry-wide approach, covering:

  • Standards for categorizing information and systems by mission impact

  • Standards for minimum security requirements for information and systems

  • Guidance for selecting appropriate controls for systems

  • Guidance for assessing controls in systems and determining control effectiveness

  • Guidance for the authorization of systems

  • Guidance for monitoring the controls and the authorization of systems

Its stated goal is: _"to deter and punish terrorist acts in the United States and around the world, to enhance law enforcement investigatory tools, and for other purposes."_

Enacted by the Senate and House of Representatives of the US, this law consists of 10 distinct titles:

  1. **Enhancing Domestic Security Against Terrorism** - Creation of a "Counter-terrorism fund"

  2. **Enhanced Surveillance Procedures**

  3. **International Money Laundering Abatement and Anti-Terrorist Financing Act of 2001**

  4. **Protecting the Border**

  5. **Removing Obstacles to Investigating Terrorism**

  6. **Providing for Victims of Terrorism, Public Safety Officers, and Their Families**

  7. **Increased Information Sharing for Critical Infrastructure Protection**

  8. **Strengthening the Criminal Laws Against Terrorism**

  9. **Improved Intelligence**

  10. **Miscellaneous**

The Privacy Act of 1974 establishes a code of fair information practices that governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by federal agencies.

It requires that agencies give the public notice of their systems of records by publishing them in the Federal Register. The Privacy Act prohibits the disclosure of a record about an individual from a system of records without the written consent of the individual, unless the disclosure falls under one of twelve statutory exceptions. The Act also provides individuals with a means to seek access to and amendment of their records, and sets forth various agency record-keeping requirements.

Focuses on protection, prevention, mitigation, response and recovery from cyber-related incidents within the federal government by encouraging the sharing of cyber threat information between all federal cyber operations centers.

Enables cooperative alliances between the intelligence community and the private sector by amending the National Security Act of 1947, using security clearances and appropriate certifications.

Its goal is to improve the security and privacy of sensitive information held in Federal computer systems, as it pertains to the public interest. It aims to develop standards and guidelines for Federal computer systems, as well as cost-effective security measures.
