Information Security Legislation
As the value of information increases, so does the number of cyber crimes. In response, regulators and industry bodies create new laws and standards that companies storing sensitive data are obliged to comply with. Below are the most important U.S. regulatory acts concerning information security, plus one industry standard (PCI DSS) that is not a law but is enforced contractually through the payment card brands.
Sarbanes-Oxley Act (SOX)
Who it is for: Boards and management of publicly traded companies, and the public accounting firms that audit them.
What it covers: SOX was enacted in 2002 after the accounting scandals at Enron, Tyco and WorldCom, which destroyed investor confidence. It aims to protect investors from accounting fraud by requiring that reports on financial activities contain reliable information that can be verified by independent auditors. The Act sets standards for audit reports and for internal controls over financial reporting (Section 404), and requires greater financial disclosure. It also created the Public Company Accounting Oversight Board (PCAOB), which inspects, investigates and disciplines public accounting firms, while the SEC enforces the Act's other provisions. Non-compliance carries significant civil and criminal penalties. For IT and security teams the practical impact is Section 404: the internal controls auditors test include access control, change management and logging on the systems that produce the financial statements.
Payment Card Industry Data Security Standard (PCI DSS)
Who it is for: Any organization that stores, processes or transmits payment card data. The standard is applied worldwide, not only in the US.
What it covers: PCI DSS is maintained by the PCI Security Standards Council, founded by the major payment card brands (Visa, MasterCard, American Express, JCB and Discover). It is not a law but a contractual obligation imposed through the card brands and acquiring banks, and consists of a set of requirements for reducing fraud and protecting cardholder data. Its twelve main requirements:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters; change them before a system goes into service.
- Protect stored cardholder data. Store no cardholder data unless it is essential for the business, render any stored primary account number (PAN) unreadable (truncation, hashing, tokenization or strong encryption), and never store sensitive authentication data (full track data, the card verification code, the PIN) after authorization.
- Encrypt transmission of cardholder data across open, public networks with strong cryptography (for example TLS), so that only the intended recipient can read it.
- Protect all systems against malware and keep anti-virus software regularly updated.
- Develop and maintain secure systems and applications: patch known vulnerabilities promptly and follow secure development practices.
- Restrict access to cardholder data by business need to know.
- Assign a unique ID to each person with computer access, so that every action can be traced to an individual.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security for all personnel.
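The requirements to protect stored cardholder data and to monitor access interact in an unpleasant way in practice: the application logs that satisfy the monitoring requirement are one of the most common places where full PANs turn up stored in the clear. The following is an added example, not code from this page or from the PCI Security Standards Council: a small Python scanner that finds Luhn-valid card numbers in log text and masks them to the first six and last four digits, the most PCI DSS permits to be displayed. The regular expression, the helper names and the sample log lines are constructed for the example; the card numbers are the widely published Visa and MasterCard test numbers, not real accounts. A production scanner would add card-brand prefix ranges and run over the log pipeline rather than a string.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer digit run. Constructed for this example;
# a production scanner would also check card-brand prefix ranges.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ \-]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test, which every real PAN passes; it filters out
    timestamps, order numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits, which is the most
    PCI DSS allows to be displayed; everything in between is replaced."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _as_pan(match):
    """Return the normalised digit string if the match is a plausible PAN,
    otherwise None."""
    digits = re.sub(r"[ \-]", "", match.group(0))
    if 13 <= len(digits) <= 19 and luhn_ok(digits):
        return digits
    return None


def find_pans(text: str):
    """List (offset, PAN) for every Luhn-valid card number in the text."""
    hits = []
    for m in PAN_RE.finditer(text):
        pan = _as_pan(m)
        if pan:
            hits.append((m.start(), pan))
    return hits


def redact(text: str) -> str:
    """Return the text with every detected PAN masked in place; digit runs
    that fail the Luhn check are left untouched."""
    def repl(m):
        pan = _as_pan(m)
        return mask_pan(pan) if pan else m.group(0)
    return PAN_RE.sub(repl, text)


# Constructed sample log lines. Line 1 carries a Visa test number, line 2 a
# MasterCard test number with spaces; lines 3 and 4 carry 16-digit values
# that are not card numbers and must not be flagged.
SAMPLE_LOG = """\
2024-03-15T12:00:01Z checkout ok order=2024031512345 pan=4111111111111111 amount=19.99
2024-03-15T12:00:02Z checkout ok pan=5500 0000 0000 0004 amount=5.00
2024-03-15T12:00:03Z checkout fail session=4111111111111112 reason=declined
2024-03-15T12:00:04Z batch id=1700000000000000 status=done
"""

if __name__ == "__main__":
    for offset, pan in find_pans(SAMPLE_LOG):
        print(f"PAN found at offset {offset}: {mask_pan(pan)}")
    print(redact(SAMPLE_LOG))
```

Run against the constructed log, the scanner reports the two real test numbers and ignores the order number, the session value and the batch id even though they are the right length, because they fail the Luhn check. Masking at the point where the log line is written, rather than scrubbing logs afterwards, is the approach that actually keeps the PAN out of storage.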
Health Insurance Portability and Accountability Act (HIPAA)
Who it is for: Health plans (including health insurers), health care providers and health care clearinghouses (the "covered entities"), together with the business associates that handle protected health information on their behalf.
What it covers: HIPAA is United States legislation that sets data privacy and security requirements for medical information. Covered entities must protect protected health information (PHI), and in particular electronic PHI (ePHI), from being misused or exposed to unauthorized individuals. Main requirements and provisions:
- Providers who do business electronically are required to use the same standard health care transactions, code sets and identifiers.
- Federal protection for personal health information is provided by the Privacy Rule. Disclosure of personal health information without the patient's authorization is permitted only for treatment, payment, health care operations and a limited set of other purposes the rule expressly allows.
- The Security Rule specifies the administrative, physical and technical safeguards covered entities must implement to assure the confidentiality, integrity and availability of electronic protected health information.
- Health care providers, health plans and employers are required to have standard national identifier numbers that identify them on standard transactions.
The Gramm-Leach-Bliley Act (GLBA)
Who it is for: Financial institutions (banks, securities firms, insurance companies) and any company significantly engaged in providing financial products or services, such as lending, brokering, transferring money, preparing tax returns or giving financial advice.
What it covers: The GLB Act is a federal law enacted to protect consumers' personal financial information held by financial institutions. Under its privacy provisions (the Privacy Rule), financial institutions must give their customers an annual notice of their privacy practices and the opportunity to opt out of having their information shared with nonaffiliated third parties. The Safeguards Rule requires that financial institutions establish a comprehensive, written information security program to protect the confidentiality and integrity of the customer financial data in their records.
Electronic Fund Transfer Act (EFTA), Regulation E
Who it is for: Financial institutions holding consumer accounts or providing EFT services; payees and merchants.
What it covers: This Act protects consumers engaging in electronic fund transfers from errors and fraud. It establishes the basic rights, responsibilities and liabilities of financial institutions that offer EFT services and of their consumers, including error-resolution procedures and limits on a consumer's liability for unauthorized transfers. EFTs include point-of-sale terminal transfers in stores, ATM transfers, debit card transactions, telephone bill-payment services and preauthorized transfers to or from a consumer's account.
Federal Information Security Management Act (FISMA)
Who it is for: Federal agencies, and the contractors and other organizations that operate information systems on their behalf.
What it covers: FISMA (2002, updated by the Federal Information Security Modernization Act of 2014) requires each federal agency to develop, document and implement an agency-wide program to protect the information and information systems that support its operations and assets, not only those classified for national security. NIST publishes the standards and guidelines agencies follow (FIPS 199 for categorization, FIPS 200 and SP 800-53 for security controls). Main requirements/provisions:
- Categorize the information and information systems to be protected by the impact a loss of confidentiality, integrity or availability would have.
- Perform periodic risk assessments.
- Continuously monitor security controls and assess their effectiveness.
- Select and implement a minimum baseline of security controls appropriate to the system's categorization.
- Provide security awareness training for personnel.
- Establish procedures for detecting, reporting and responding to security incidents.
- Maintain subordinate plans for providing adequate information security for networks, facilities and groups of systems.