Laws and Regulations

---

Goals

• Define compliance, including regulatory and industry compliance
• Define privacy
• Categorize cybersecurity principles and defense concepts according to area of impact
• Identify privacy guidelines
• Identify compliance guidelines
• Compare privacy rights in different industries
• Differentiate between regulatory and industry compliance
• Define FISMA, including its purpose and main components
• Define HIPAA, including its purpose and main components
• Define FERPA, including its purpose and main components
• Define SOX, including its purpose and main components
• Define GLBA, including its purpose and main components

Compliance, Laws, and Regulations

• Compliance
  • Types of Compliance

Achieving Compliance with Controls

To comply with standards and regulatory requirements, you will typically implement physical, administrative, and technical controls.

Types of Controls

• Physical Controls
• Administrative Controls
  • Information Security Policy
• Technical Controls

Info

• No control is sufficient by itself
• Each contributes to layered defense (defense in depth)
• controls are only as good as your implementation of them

2 Levels of Importance

• Key Controls
• Compensating Controls

Maintaining Compliance

• Compliance Lifecycle

Laws and Information Security

• Government-Related Regulatory Compliance
  • Federal Information Security Management Act (FISMA)
  • Federal Risk and Authorization Management Program (FedRAMP)
• Industry-Specific Regulatory Compliance
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Health Information Technology for Economic and Clinical Health Act (HITECH)
  • Sarbanes–Oxley Act (SOX)
  • Gramm–Leach–Bliley Act (GLBA)
  • Children’s Internet Protection Act (CIPA)
  • Children’s Online Privacy Protection Act (COPPA)
  • Family Educational Rights and Privacy Act (FERPA)
  • Payment Card Industry Data Security Standard (PCI DSS)

Laws Outside the US

• General Data Protection Regulation (GDPR)

Adopting Frameworks for Compliance

• use an overarching framework to guide the entire compliance effort and security program

  • helps org comply with separate, unrelated regulations

• International Organization for Standardization (ISO)

• National Institute of Standards and Technology (NIST)

Privacy

• Privacy

Privacy Regulation

• Federal
  • Privacy Act of 1974
• State
  • California’s Senate Bill 1386 (SB 1386)
  • California Consumer Privacy Act (CCPA)
• Foreign
  • EU: General Data Protection Regulation (GDPR)
  • Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)

2013, The Year of Global Surveillance Issues

2013 had a massive exposure of state-sponsored surveillance of individual citizens in the name of waging the international fight against terrorism.

• Edward Snowden leak