Information security professionals often find themselves navigating a maze of legal and regulatory compliance issues. Learn how information security compliance is affected by criminal law, civil law, administrative law, and private regulations. This includes a discussion of PCI DSS, HIPAA, FISMA, and the US Constitution.
- [Narrator] Information security professionals increasingly find themselves becoming legal and regulatory compliance experts. As governments and other regulators become more aware of the impact that information security may have on the confidentiality, integrity, and availability of information, these agencies continue to create laws and regulations that seek to enforce security safeguards. There are four main types of compliance obligations that you'll need to be familiar with: criminal law, civil law, administrative law, and private regulations.

Criminal law is designed to deter people from taking actions that would be detrimental to society and to punish those who do take such actions. Criminal offenses include a wide range of unacceptable activities such as murder, robbery, hacking, insider trading, and espionage. Criminal laws have one important characteristic that is not found in any other type of law: violations of criminal law may be punishable by the deprivation of liberty, such as a jail sentence or probation. Criminal laws must be created by a legislative body at the national, state, or local level, such as the United States Congress.

Civil law is designed to resolve disputes among individuals, organizations, and/or government agencies. Civil laws cover almost any matter that is not addressed by criminal law, including liability claims, estate probate, contractual disputes, and other matters. As with criminal laws, civil laws must be passed by a legislative body, but civil laws do not provide for the possibility of jail time. The most common outcomes of a successful civil lawsuit are monetary damages or orders by the court that someone perform or refrain from an action.

Administrative law allows for the effective operation of government by allowing executive branch agencies to promulgate regulations that facilitate carrying out their duties. These regulations often provide details missing from the law or provide procedural rules for the operation of government. For example, the Health Insurance Portability and Accountability Act, HIPAA, provides criminal and civil law governing the uses of health information, but doesn't go into great detail. The Centers for Medicare and Medicaid Services publishes security and privacy regulations that provide the specific requirements that covered entities must follow. Those security and privacy regulations are an example of administrative law. At the federal level, administrative law is found in the Code of Federal Regulations, or CFR.

Private regulations also govern many activities of individuals and organizations. These regulations don't have the force of law on their own, but compliance is often required by contract. The most common example of a private regulation in the world of cybersecurity is the Payment Card Industry Data Security Standard, or PCI DSS. PCI DSS was created by a consortium of companies without the involvement of a government agency. This consortium then included language in the contracts for those accepting and processing credit cards that requires compliance with PCI DSS.

Remember that in the United States, the highest form of law is the U.S. Constitution. The most common intersection between security professionals and constitutional law involves the Fourth Amendment to the Constitution. Part of the Bill of Rights, it reads, in part, "the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated." The Fourth Amendment comes into play any time government agents, including law enforcement officers, wish to collect private information from computing systems without the owner's consent. If they do this without a warrant, they run the risk of the evidence being inadmissible in court.

The Federal Information Security Management Act (FISMA) is a law that governs information security matters for federal agencies and government contractors. It requires the creation of security programs throughout the federal government and provides details on the controls necessary to run information systems that are categorized as FISMA High, FISMA Moderate, or FISMA Low.
Instructor Mike Chapple has designed the training around the most recent version of CompTIA Security+, SY0-501, which expands coverage of mobile and cloud technologies. By learning about the topics in this course, you'll be prepared to answer questions from the latest exam—and strengthen your own organization's systems and defenses. To join one of Mike's free study groups, visit certmike.com.
- Developing security baselines
- Leveraging standards
- Delivering and measuring user training
- Designing a secure network
- Designing secure systems, from the OS to peripherals
- Secure staging and deployment
- Securing smart devices and embedded systems
- Developing secure software
- Cloud computing and virtualization
- Securing hardware, facilities, data centers, and other physical risks