June 30th, 2005 10:43 PM
List of Certifications and Regulations
I'd like to share the basics behind commonly encountered regulations and compliance efforts we see professionally. I've got a decent list I plagiarized from some slides, with a few added from my own experience at the bottom (Payment Card Industry stuff).
Please add any more you know of, particularly NON-US regulations (I have limited experience in this area, but would like to learn). I'll try to use a standard format to help make it easier to compare them (too bad we can't make tables with the AO site code).
- Sarbanes-Oxley Act of 2002
- Mandating Organization - US Securities and Exchange Commission (SEC)
- Security requirements built on CobiT framework - authentication, access controls, user account management, credential lifecycle management, non-repudiation and audit controls
- Affects companies publicly traded on US exchanges
- Financial Modernization Act of 1999, also known as the “Gramm-Leach-Bliley Act” or GLB
- US Office of the Comptroller of the Currency (OCC)
- Security requirements include authentication, access controls, encryption, data integrity controls, and audit controls
- Affects all financial institutions regulated by the OCC
- HIPAA, the Health Insurance Portability and Accountability Act of 1996
- US Department of Health and Human Services (DHHS)
- Focused on authentication, access controls, transmission security, audit controls, and data integrity
- Healthcare organizations in the US
- Basel II
- Basel Committee on Banking Supervision
- FFIEC framework - access rights administration, authentication, network access, operating system access, application access, remote access, logging and data collection
- Affects global financial service organizations
- Directive 95/46/EC of the European Parliament
- Mandated by European Union (EU) Parliament and of the Council of 24 October 1995
- Measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access
- Affects companies conducting business in EU member nations
- Federal Information Security Management Act of 2002 (FISMA)
- US Federal Government
- Requires federal agencies to develop, document and implement agency wide programs to secure data and information systems that support agency operations and assets, including those managed by other agencies or contractors. Direction from NIST
- US federal agencies and government contractors
- Payment Card Industry (PCI) Data Security Standards (DSS), usually referred to as PCI or Visa PCI (although, to be honest, DSS is more accurate, since PCI is the organization acronym)
- Visa, Mastercard, American Express, Diners Club, any credit card issuer (who is a member of the Payment Card Industry group)
- Formerly known as CISP for Visa, and SDP for MasterCard...
- Data encryption, access controls, data integrity, auditing, firewalls, and many other standards (12 points, each with many sub requirements) to protect credit card data
- Private, Industry Standard. Organizations who don't comply risk losing access to doing business with PCI members, and can have substantial fines levied by credit companies for breaches and incidents
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
July 1st, 2005 01:40 AM
July 6th, 2005 10:37 AM
Biggies for me and those who work nearby:
Data Protection Act (DPA) 1998
Applies across the EU, 8 Principles:
1. Personal data shall be processed fairly and lawfully.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Freedom of Information Act (FOIA) /Freedom of Information Act Scotland (FOISA)
Similar to each other but not the same.
Freedom of Information creates a statutory right of access to information held by public bodies, while protecting information that should remain confidential. Subject to certain conditions and exemptions, any person who makes a request to a public authority for information will be entitled to receive it. Any organisation working for a public body is also subject to FOIA/FOISA for that work.
Regulation of Investigatory Powers Act / Scotland (RIPA/RIPSA) 2000
Again same but different.
The Regulation of Investigatory Powers Act 2000 (RIPA) provides for, and regulates the use of, a range of investigative powers, by a variety of public authorities. It updates the law on the interception of communications to take account of technological change such as the growth of the Internet. It also puts other intrusive investigative techniques on a statutory footing for the very first time; provides new powers to help combat the threat posed by rising criminal use of strong encryption; and ensures that there is independent judicial oversight of the powers in the Act.
RIPA is consistent with the Human Rights Act 1998 and creates a system of safeguards, reflecting the requirements of Article 8 of the European Convention on Human Rights (ECHR). It contains 5 parts providing for powers in relation to specific investigative techniques or establishing systems of scrutiny, oversight and redress.
Part I relates to the interception of communications and the acquisition and disclosure of communications data.
Part II relates to the use of covert surveillance, agents, informants and undercover officers.
Part III covers the investigation of electronic data protected by encryption.
Part IV provides for independent judicial oversight of the powers in the Act.
Part V covers miscellaneous and supplemental matters such as consequential amendments, repeals and interpretation.
July 6th, 2005 06:32 PM
DoD Information Technology Security Certification & Accreditation Process (DITSCAP)
Mandating Organization - Department of Defense (DoD)
Implements policy, assigns responsibilities, and prescribes procedures under reference (a) for Certification and Accreditation (C&A) of information technology (IT), including automated information systems, networks, and sites in the Department
Central document for certifying and accrediting Department of Defense systems
|-----|Alcohol is my anti-drug |-----|