Information Security Legislation
As the value of information increases, the number of cyber crimes goes up too. The more cyber crimes are committed, the more regulatory agencies try to prevent them by creating new laws and regulations that companies storing sensitive data are obliged to comply with. Here you can find the most important U.S. regulatory acts regarding information security.
Sarbanes-Oxley Act (SOX)
Who it is for: Public company boards, public accounting, and management firms.
What it covers: The Sarbanes-Oxley Act (SOX) was created after the accounting scandals at the Enron, Tyco and Worldcom corporations, which led to a stock market collapse. It aims to protect investors from accounting fraud by ensuring that all reports on financial activities contain reliable information that can be verified by independent auditors. The Act sets standards and rules for audit reports and requires greater financial disclosure. A dedicated oversight body inspects, investigates and enforces compliance with the requirements. Non-compliance carries significant penalties.
Payment Card Industry Data Security Standard (PCI DSS)
Who it is for: Any company handling credit card data; the standard is in force not only in the U.S. but in most countries.
What it covers: PCI DSS was instituted by the major payment card brands (Visa, MasterCard, American Express, JCB and Discover). It is a set of requirements for reducing fraud and protecting customer credit card information.
Main requirements:
- Install and maintain a firewall and router configuration to protect cardholder data.
- Vendor-supplied default system passwords must be changed.
- Protect stored cardholder data. In general, no cardholder data should ever be stored unless it is essential for business purposes.
- Encrypt transmission of cardholder data across open, public networks. Encryption encodes data so that only authorized persons can read it.
- Anti-virus software must be installed and regularly updated.
- Licensed security software must be installed.
- Restrict access to cardholder data on a need-to-know basis.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a security policy that addresses information security for all employees.
Health Insurance Portability and Accountability Act (HIPAA)
Who it is for: Health insurance companies, health care providers, and medical clearinghouses.
What it covers: HIPAA is United States legislation that requires data privacy and security provisions for medical information. Under the Act, covered entities have to protect electronic protected health information (ePHI) from being misused or exposed by unauthorized individuals.
Main requirements and provisions:
- Providers who do business electronically are required to use the same health care transactions, code sets, and identifiers.
- Federal protection for personal health information is provided. The disclosure of personal health information is permitted only if required for patient care or other important purposes.
- The act specifies administrative, physical, and technical safeguards for affected entities for assuring the integrity, availability, and confidentiality of electronic protected health information.
- Health care providers, health plans, and employers are required to have standard national numbers that identify them on standard transactions.
The Gramm-Leach-Bliley Act (GLB)
Who it is for: Financial institutions (banks, stock exchange companies, insurance companies); companies providing financial services, such as lending, brokering, transferring money, preparing tax returns, providing financial advice, etc.
What it covers: The GLB Act is a federal law enacted to protect consumers' personal financial information held by financial institutions. Under the privacy component, financial institutions are obliged to give their customers an annual notice of their privacy practices and the opportunity to choose not to have that information shared. The Safeguards Rule requires financial institutions to establish a comprehensive security program that protects the confidentiality and integrity of the private financial data in their records.
Electronic Fund Transfer Act, Regulation E
Who it is for: Financial institutions holding consumer accounts or providing EFT services; payees and merchants.
What it covers: This Act protects customers engaging in electronic fund transfers from errors and fraud. It establishes the basic rights, responsibilities, and liabilities of financial institutions that offer EFT services and of their consumers. EFTs include point-of-sale terminal transfers in stores, ATM transfers, telephone bill-payment services, and preauthorized transfers to or from a consumer's account.
Federal Information Security Management Act (FISMA)
Who it is for: Federal agencies.
What it covers: This Act deals with matters of national security and obliges federal agencies to develop a program for protecting their information systems.
Main requirements:
- Categorize the information that needs to be protected.
- Perform periodic risk assessments.
- Continuously monitor security controls and assess their effectiveness.
- Select a minimum baseline of security controls.
- Provide security awareness training for personnel.
- Take measures for detecting, reporting, and responding to security incidents.
- Maintain subordinate plans for network and facility information security.
North American Electric Reliability Corp. (NERC) standards
Who it is for: North American electric utility systems.
What it covers: The current set of NERC standards was developed to establish reliability standards for the bulk power system of North America, as well as protect the industry’s critical infrastructure from physical and cyber threats.
Title 21 of the Code of Federal Regulations (21 CFR Part 11) Electronic Records
Who it is for: All FDA-regulated industries whose regulated activities involve the use of computers, both in the U.S. and outside the country.
What it covers: Part 11, as it is commonly called, imposes guidelines on electronic records and electronic signatures with the purpose of upholding their reliability and trustworthiness. It was issued in 1997 and is monitored by the U.S. Food and Drug Administration.
European Union Data Protection Directive
Who it is for: European organizations and non-European companies to which data is exported.
What it covers: The European Union Data Protection Directive sets strict limits on the collection and use of personal data and obliges each member state to set up an independent national body responsible for data protection.
Safe Harbor Act
Who it is for: U.S. companies having business in Europe.
What it covers: The Safe Harbor Act prohibits the transfer of personal data to non-European Union nations that do not meet the standard of privacy protection established by the European Union Data Protection Directive. It was enacted to bridge the different privacy approaches of Europe and the U.S., enabling U.S. companies to engage in trans-Atlantic operations without facing interruptions or prosecution by European authorities.