CISSP certification: Rules, laws and regulations (US).

Rules, Regulations and Laws you should know for the exam (US):

  • HIPAA (Not HIPPA) – Health Insurance Portability and Accountability Act.
    • Puts strict privacy and security rules on how PHI (Personal Health Information) is handled by Health Insurers, Providers and Clearing House Agencies (Claims).
    • HIPAA has 3 rules – Privacy rule, Security rule and Breach Notification rule.
    • The rules mandate Administrative, Physical and Technical safeguards.
    • Risk Analysis is required.
  • Security Breach Notification Laws.
    • NOT Federal; 48 states have individual laws. Know the one for your state (none in Alabama and South Dakota).
    • They normally require organizations to inform anyone who had their PII compromised.
    • Many have an encryption clause: lost encrypted data may not require disclosure.
  • Electronic Communications Privacy Act (ECPA):
    • Protection of electronic communications against warrantless wiretapping.
    • The Act was weakened by the PATRIOT Act.
  • PATRIOT Act of 2001:
    • Expands law enforcement electronic monitoring capabilities.
    • Allows search and seizure without immediate disclosure.
  • Computer Fraud and Abuse Act (CFAA) – Title 18 Section 1030:
    • Most commonly used law to prosecute computer crimes.
    • Enacted in 1986 and amended in 1989, 1994, 1996, 2001, 2002 (PATRIOT Act), and 2008 (Identity Theft Enforcement and Restitution Act).
  • Payment Card Industry Data Security Standard (PCI-DSS) – Technically not a law, created by the payment card industry.
    • The standard applies to cardholder data for both credit and debit cards.
    • Requires merchants and others to meet a minimum set of security requirements.
    • Mandates security policy, devices, control techniques, and monitoring.
  • Gramm-Leach-Bliley Act (GLBA):
    • Applies to financial institutions; driven by the Federal Financial Institutions Examination Council (FFIEC); enforced by member agencies: OCC, FDIC, FRB, NCUA, and CFPB.
    • Enacted in 1999; requires protection of the confidentiality and integrity of consumer financial information.
  • Sarbanes-Oxley Act of 2002 (SOX):
    • Directly related to the accounting scandals in the late 90s.
    • Mandates regulatory compliance standards for financial reporting by publicly traded companies.
    • Intentional violations can result in criminal penalties.

IT security trainer.
Sharing my knowledge, to help you reach your IT certification goals.
CISSP, C|EH, PMP, CCNP, CompTIA Security+, SCP, CCNA-Security, CCNA, et al.
