Information security professionals often find themselves navigating a maze of legal and regulatory compliance issues. In this video, learn how information security compliance is affected by criminal law, civil law, administrative law, and private regulations. This includes a discussion of PCI DSS, HIPAA, FISMA, and the U.S. Constitution.
- [Narrator] Information security professionals increasingly find themselves becoming legal and regulatory compliance experts. As governments and other regulators become more aware of the impact that information security may have on the confidentiality, integrity and availability of information, these agencies continue to create laws and regulations that seek to enforce security safeguards. There are four main types of compliance obligations that you'll need to be familiar with: criminal law, civil law, administrative law and private regulations.
Criminal law is designed to deter people from taking actions that would be detrimental to society and to punish those who do take such actions. Criminal offenses include a wide range of unacceptable activities, such as murder, robbery, hacking, insider trading and espionage. Criminal laws have one important characteristic that is not found in any other type of law: violations of criminal law may be punishable by the deprivation of liberty, such as a jail sentence or probation.
Criminal laws must be created by a legislative body at the national, state or local level, such as the United States Congress. Civil law is designed to resolve disputes among individuals, organizations and/or government agencies. Civil laws cover almost any matter that is not addressed by criminal law, including liability claims, estate probate, contractual disputes and other matters. As with criminal laws, civil laws must be passed by a legislative body, but civil laws do not provide for the possibility of jail time.
The most common outcomes of a successful civil lawsuit are monetary damages or orders by the court that someone perform or refrain from an action. Administrative law allows for the effective operation of government by allowing executive branch agencies to promulgate regulations that facilitate carrying out their duties. These regulations often provide details missing from the law or provide procedural rules for the operation of government. For example, the Health Insurance Portability and Accountability Act, HIPAA, provides criminal and civil law governing the uses of health information, but doesn't go into great detail.
The Center for Medicare and Medicaid Services publishes security and privacy regulations that provide the specific requirements that covered entities must follow. Those security and privacy regulations are an example of administrative law. At the federal level, administrative law is found in the Code of Federal Regulations or CFR. Private regulations also govern many activities of individuals and organizations. These regulations don't have the force of law on their own, but compliance is often required by contract.
The most common example of a private regulation in the world of cybersecurity is the Payment Card Industry Data Security Standard, or PCI DSS. PCI DSS was created by a consortium of companies without the involvement of a government agency. This consortium then included language in the contracts for those accepting and processing credit cards that requires compliance with PCI DSS. Remember that in the United States, the highest form of law is the U.S. Constitution.
The most common intersection between security professionals and constitutional law involves the Fourth Amendment to the Constitution. Part of the Bill of Rights, it reads, in part, "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated..." The Fourth Amendment comes into play any time that government agents, including law enforcement officers, wish to collect private information from computing systems without the owner's consent.
If they do this without a warrant, they run the risk of the evidence being inadmissible in court. The Federal Information Security Management Act, FISMA, is a law that governs information security matters for federal agencies and government contractors. It requires the creation of security programs throughout the federal government and provides details on the controls necessary to run information systems that are categorized as FISMA High, FISMA Moderate or FISMA Low.
Find the companion study books at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx.
Note: This course is part of a series releasing throughout 2018. A complete learning path will be available once all the courses are released.