CHAPTER SUMMARY

This chapter described how important it is to conform to U.S. compliance laws and examined how technology and the Internet are driving globalization. With broad use of the Internet come new threats. You also learned the importance of compliance to the economy and how it serves the public interest. The chapter examined a number of major compliance regulations. From these examples, you can see an increasing government need to regulate. Sometimes regulations result from public pressure when something goes wrong. The chapter examined these pressures and the motivations of both the government and the industry. The chapter also discussed how the industry tries to self-regulate to avoid government regulation, keep costs down, and retain flexibility. The United States continuously faces new threats from nation-states trying to attack the country’s critical infrastructure.

This chapter also examined how security policies, controls, and procedures need to align with regulations, and demonstrated how to create this alignment. The chapter also examined how to show evidence of compliance to a regulator. You read about the challenges of complying with regulations and industry standards, as well as the need to align security policies with both legal requirements and the company’s core values. Finally, a key lesson in this chapter is not to chase laws by building specific security policies and controls tailored to each new regulation. Rather, you should base policies on key concepts that address a broad range of regulatory concerns, such as consumer protection and privacy.

This chapter also gave a brief introduction to several international laws. Obviously, it is not possible to cover every law in every country; you will need to consult the laws of your own nation.

KEY CONCEPTS AND TERMS

CHAPTER 3 ASSESSMENT

  1. When creating laws and regulations, the government’s sole concern is the privacy of the individual.
    A. True
    B. False
  2. Which of the following are pressures on creating security policies?
    A. Shareholder value
    B. Regulations
    C. Technology vulnerabilities and limitations
    D. B and C only
    E. A, B, and C
  3. Which of the following laws require(s) proper security controls for handling privacy data?
    A. HIPAA
    B. GLBA
    C. FERPA
    D. B and C only
    E. A, B, and C
  4. Which of the following are control objectives for PCI DSS?
    A. Maintain an information security policy
    B. Protect cardholder data
    C. Alert when credit cards are illegally used
    D. A and B only
    E. None of the above
  5. Nation-state attacks that try to disrupt the country’s critical infrastructure are sometimes referred to as ________.
  6. Healthcare providers are those that process and facilitate billing.
    A. True
    B. False
  7. The law that attempts to limit children’s exposure to sexually explicit material is ________.
  8. The only consideration in protecting personal customer information is legal requirements.
    A. True
    B. False
  9. You should always write new security policies each time a new regulation is issued.
    A. True
    B. False
  10. What should you ask for to gain confidence that a vendor’s security controls are adequate?
    A. An SSAE16 Type I audit
    B. An SSAE16 Type II audit
    C. A list of all internal audits
    D. All of the above
  11. Why is it important to map regulatory requirements to policies and controls?
    A. To demonstrate compliance to regulators
    B. To ensure regulatory requirements are covered
    C. To demonstrate the importance of a security control
    D. All of the above
  12. Who typically writes a report to the board of directors on the current state of information security within a company?
    A. Chief risk officer
    B. Chief information officer
    C. Chief information security officer
    D. A and B
    E. B and C
    F. A, B, and C
