Assessing the Impact of Legal and Compliance Implications on the Seven Domains of a Typical IT Infrastructure

The seven domains of a typical IT infrastructure were presented earlier in this chapter. When evaluating legal and compliance implications, examine the impact on each domain separately, because a single law (HIPAA, SOX, PCI DSS, or CIPA) typically imposes different controls in different domains:

  • User Domain—Most compliance issues affect the User Domain in some way. Users must be trained so that they actually follow the required procedures. For example, HIPAA requires users to understand what protected health information they may disclose and to whom; CIPA requires librarians to know how to disable the technology protection measure (TPM, the Internet filter, not to be confused with the Trusted Platform Module chip) for an adult patron on request; and PCI DSS requires each user to have a unique logon so that activity can be traced to an individual.
  • Workstation Domain—If employees access covered data from their workstations, those workstations need to be examined. If HIPAA or SOX data is stored on them, it must be protected with access controls. Many small companies use ordinary desktop PCs as point-of-sale (POS) systems. A POS system is an electronic cashier that handles cardholder data, so it must comply with PCI DSS requirements. Any desktop system that touches covered data needs antivirus (anti-malware) software installed and kept current.
  • LAN Domain—The LAN must be secured to prevent attackers from capturing data in transit, including HIPAA, SOX, and PCI DSS data. Encryption may be required to protect transmitted data; this is especially true when the organization uses wireless networks. In the past, attackers have captured details of wireless transactions while sitting in a business's parking lot.
  • LAN-to-WAN Domain—A firewall protects the LAN from attacks originating on the WAN, and PCI DSS specifically requires one. A library may use a proxy server as its TPM to comply with CIPA. Because a proxy server is reachable from both the Internet and the intranet, it needs additional hardening to protect it from external attacks.
  • WAN Domain—Some PCI DSS systems have direct Internet access in order to transmit transaction data, so they need additional protection. For example, transmissions must be encrypted, and the systems must be protected from attackers who may try to reach the stored data.
  • Remote Access Domain—Many organizations use VPNs to connect a main office with a remote office. Many laws mandate protection of data in transit. If users send sensitive data over the VPN, the VPN must be verified to be secure; for example, HIPAA data sent over the VPN must be encrypted, and the tunnel's cipher suite and authentication method should be checked rather than assumed.
  • System/Application Domain—Health data governed by HIPAA and financial data governed by SOX are often hosted on database servers, which must be examined to confirm they comply with those laws. Access controls should enforce the principle of least privilege, so that each account can reach only the data its role requires. Proxy servers used as TPMs to meet CIPA requirements must include a method to disable filtering when adults use the service.
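As an added illustration of the CIPA proxy-as-TPM point above (not from the original page, and not any library's actual configuration), the following Squid configuration filters a block list for everyone but lets an authenticated adult patron through. Squid, the file paths, the `localnet` range and the `adult_patrons` account list are all assumptions made for the example; a real deployment would also need the block-list source, the password file, and a staff procedure for issuing and revoking adult credentials.

```squid
# Assumed: Squid is the library's proxy/TPM. Minors are not asked to log in;
# only a request for a blocked site triggers the adult-patron credential prompt.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm Library adult-access override
auth_param basic credentialsttl 2 hours

acl localnet      src        10.0.0.0/8                      # assumed patron LAN
acl blocked_sites dstdomain  "/etc/squid/blocked_domains.txt" # assumed block list
acl adult_patrons proxy_auth "/etc/squid/adult_patrons.txt"   # assumed list of adult usernames

# 1. Sites not on the block list are served to the LAN with no login.
http_access allow !blocked_sites localnet
# 2. Blocked sites are allowed only after an adult authenticates. Because the
#    proxy_auth ACL is last on this line, Squid issues a 407 challenge when no
#    credentials are present, which is the "disable the TPM for an adult" hook.
http_access allow localnet adult_patrons
# 3. Everything else (unauthenticated requests for blocked sites, non-LAN sources) is denied.
http_access deny all
```

Keeping the proxy_auth ACL last on its line is the key design choice: it confines the credential prompt to filtered requests, so children never see a login dialog and the filter stays on by default. The proxy itself is dual-homed, so it should sit in the LAN-to-WAN Domain behind the firewall and be hardened like any other Internet-facing host.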