-
There are four main types of compliance obligations that security professionals must be familiar with:
-
Criminal Law
-
Laws designed to:
- Deter actions that would be detrimental to society
- Punish those who take such actions
-
Criminal offenses include:
- Murder
- Robbery
- Hacking
- Insider Trading
- Espionage
- Criminal laws must be created by a legislative government body.
-
Criminal laws share one important characteristic, not found in any other type of law:
-
Violations of criminal law may be punished with deprivation of liberty:
- Probation
- Incarceration
- Capital Punishment
-
Civil Law
- Laws designed to resolve disputes.
-
Civil laws cover almost any matter not addressed by criminal law, including:
- Liability Claims
- Estate probate
- Contractual Disputes
- As with criminal laws, civil laws must be passed by a legislative body.
- Violations of civil law cannot be punished by deprivation of liberty.
-
The most common outcomes of a successful civil lawsuit are:
- Monetary damages
- Orders by the court that a party refrain from an action.
-
Administrative Law
- Laws designed to allow government agencies to operate effectively. Agencies accomplish this by promulgating (putting into effect) regulations that give effect to existing laws.
-
Administrative regulations help an agency carry out its duties by providing:
- Details that clarify gaps in the original law.
- Procedural rules outlining the operation of government, or of the parties over which government has authority, in specific instances.
-
Example: HIPAA
- The Health Insurance Portability and Accountability Act
-
The original law governs the uses of health information in these two realms of law:
- Criminal Law
- Civil Law
-
The Centers for Medicare and Medicaid Services publishes security and privacy regulations that provide the specific requirements that covered entities must follow. Those security and privacy regulations are an example of:
- Administrative Law
- At the federal level, administrative law is found in the Code of Federal Regulations (CFR).
-
Private Regulations
- Private Regulations are not laws issued by a single sovereign nation. Instead, trade groups for a specific industry agree on standards and practices to be met.
- Compliance with private regulations is enforced through civil law, typically citing the civil laws of the nation in which the contract was created and of the nations in which the business took place. These terms are defined in the contract.
-
Example: PCI DSS
- Payment Card Industry Data Security Standard
- PCI DSS was created by a consortium of companies without the involvement of a government agency.
- In order to accept and process payment cards (debit and/or credit cards), businesses must sign a contract stating their willingness to comply with the terms of PCI DSS.
-
Cyber Security and Constitutional Law:
-
The Fourth Amendment:
- The most common intersection between information security professionals and United States Constitutional Law occurs in conflicts involving the Fourth Amendment.
- Part of the Bill of Rights, the Fourth Amendment reads, "the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated".
- The Fourth Amendment protects citizens in cases where government agents, including law enforcement officers, wish to collect private information from computer systems without the information owner's consent.
- Evidence obtained without a warrant violates the Fourth Amendment and is inadmissible in court.
-
FISMA:
- The Federal Information Security Management Act
-
FISMA governs information security matters for federal agencies and government contractors:
- Requires the creation of security programs throughout the federal government.
-
Provides details on the controls necessary to run information systems. Controls are categorized as:
- FISMA High
- FISMA Moderate
- FISMA Low