Government & Industry Information Security Regulations

Modified 08 September 2007

HIPAA (Health Insurance Portability and Accountability Act)

A U.S. act, issued in final form in 2003, regulates protection for for "EPHI", Electronic Protected Health Information, which is private health information in electronic form.

It becomes a special concern when dealing with health insurance, since that requires the otherwise forbidden linking of three types of sensitive information:
— Personal identity
— Medical information
— Financial information

Useful overviews for infosec people: — http://www.sans.org/reading_room/whitepapers/hipaa/
http://en.wikipedia.org/wiki/HIPAA

Sarbanes-Oxley

It's informally known as "Sarbox" or "SOX", or more formally as the Public Company Accounting Reform and Investor Protection Act of 2002.

It's a U.S. federal law created in response to major corporate and accounting scandals (Enron, Tyco, Peregrine Systems, WorldCom, etc).

The obvious purpose has to do with corporate-level honesty and openness. But the immediate infosec impact has to do with the careful handling of financial and personal information.

Useful overviews for infosec people: — http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act
— http://www.sans.org/reading_room/whitepapers/auditing/

Payment Card Industry (PCI) Data Secruity

The Payment Card Industry (PCI), which is pretty much just MasterCard and Visa, has defined the PCI Data Security Standard. This came out of Visa's Cardholder Security Program (CISP) and Account Information Security (AIS), and MasterCard's Site Data Protection (SDP) program.

Merchant Level Selection Criteria Validation Action Validated By
Level One Any one of:
  • Process more than 6,000,000 transactions per year
  • Any merchant that has suffered an attack that resulted in account data compromise
  • Any merchant identified as Level One by any card association
  • Annual on-site security audit
  • Quarterly network scan
 Audit by either:
  • Independent security assessor
  • Internal audit if signed by company officer
Scan by qualified independent scan vendor
Level Two 1,000,000 to 6,000,000 transactions per year
  • Annual PCI self-assessment questionnaire
  • Quarterly network scan
 Scan by qualified independent scan vendor
Level Three 20,000 to 1,000,000 e-commerce transactions per year
  • Annual PCI self-assessment questionnaire
  • Quarterly network scan
 Scan by qualified independent scan vendor
Level Four Either of:
  • Less than 20,000 e-commerce transactions per year, or
  • Up to 1,000,000 transactions per year
  • Recommended annual PCI self-assessment questionnaire
  • Recommended annual network scan
 Scan by qualified independent scan vendor

For more details see:

Security auditing in general: — http://www.sans.org/reading_room/whitepapers/auditing/

Back to the main Security Page

Click here to inquire about advertising on this or any page on this site.
Home Unix/Linux Networking Infosec Travel Technical Radio Site Map Contact
Use /bin/vi! Manipulate images with ImageMagick! Hosted on OpenBSD
Hosted on Apache This site is viewable with any browser Valid XHTML 1.1! Valid CSS!
© Bob Cromwell Sep 2010. Created with /bin/vi and ImageMagick, hosted on OpenBSD with Apache.    Root password available here, privacy policy here.