Information security professionals often find themselves navigating a maze of legal and regulatory compliance issues. In this video, learn how information security compliance is affected by criminal law, civil law, administrative law, and private regulations. This includes a discussion of PCI DSS, HIPAA, FISMA, and the US Constitution.
- [Narrator] Information security professionals increasingly find themselves becoming legal and regulatory compliance experts. As governments and other regulators become more aware of the impact that information security may have on the confidentiality, integrity, and availability of information, these agencies continue to create laws and regulations that seek to enforce security safeguards. There are four main types of compliance obligations that you all need to be familiar with: criminal law, civil law, administrative law, and private regulations.
Criminal law is designed to deter people from taking actions that would be detrimental to society and to punish those who do take such actions. Criminal offenses include a wide range of unacceptable activities, such as murder, robbery, hacking, insider trading, and espionage. Criminal laws have one important characteristic that is not found in any other type of law. Violations of criminal law may be punishable by the deprivation of liberty, such as a jail sentence or probation.
Criminal laws must be created by a legislative body at the national, state, or local level, such as the United States Congress. Civil law is designed to resolve disputes among individuals, organizations, and/or government agencies. Civil laws cover almost any matter that is not addressed by criminal law, including liability claims, estate probate, contractual disputes, and other matters. As with criminal laws, civil laws must be passed by a legislative body, but civil laws do not provide for the possibility of jail time.
The most common outcomes of a successful civil lawsuit are monetary damages or orders by the court that someone perform or refrain from an action. Administrative law allows for the effective operation of government by allowing executive branch agencies to promulgate regulations that facilitate carrying out their duties. These regulations often provide details missing from the law or provide procedural rules for the operation of government. For example, the Health Insurance Portability and Accountability Act, HIPAA, provides criminal and civil law governing the uses of health information but doesn't go into great detail.
The Center for Medicare and Medicaid Services publishes security and privacy regulations that provide the specific requirements that covered entities must follow. Those security and privacy regulations are an example of administrative law. At the federal level, administrative law is found in the Code of Federal Regulations, or CFR. Private regulations also govern many activities of individuals and organizations. These regulations don't have the force of law on their own, but compliance is often required by contract.
The most common example of a private regulation in the world of cybersecurity is the Payment Card Industry Data Security Standard, or PCI DSS. PCI DSS was created by a consortium of companies without the involvement of a government agency. This consortium then included language in the contracts for those accepting and processing credit cards that requires compliance with PCI DSS. Remember that in the United States the highest form of law is the US Constitution.
The most common intersection between security professionals and constitutional law involves the Fourth Amendment to the Constitution. Part of the Bill of Rights, it reads, in part, "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated." The Fourth Amendment comes into play any time that government agents, including law enforcement officers, wish to collect private information from computing systems without the owner's consent.
If they do this without a warrant, they run the risk of the evidence being inadmissible in court. The Federal Information Security Management Act, FISMA, is a law that governs information security matters for federal agencies and government contractors. It requires the creation of security programs throughout the federal government and provides details on the controls necessary to run information systems that are categorized as FISMA High, FISMA Moderate, or FISMA Low.
Want more CySA+ test prep tips? Visit certmike.com to join Mike's free study group.