The three "biggest" U.S I.T Regulatory Compliance laws every Information Security professional should know by heart!


Introduction



Everyone knows how complicated regulatory laws can become. Luckily for us, our "good friends" over at Microsoft have put together a page that sums up what you need to know about I.T regulatory compliance laws. Microsoft summarizes each one and goes into more depth. I am just going to provide a brief overview of the federal laws you need to focus on if your organization is part of any of the industries mentioned on the Microsoft page I referenced and below.

Note: Some states have state law statutes surrounding regulatory compliance frameworks, such as California and my home state of Massachusetts! Microsoft does NOT mention every state law statute below (just California). The United States is one of the "few" countries in the world that has "strict" state and federal laws surrounding regulatory compliance, unlike, for example, the United Kingdom. Keep that in mind as you move forward, because these laws may overlap and you might have to understand how both come into play! This MAY also, in some "circumstances", apply to individual companies and organizations that do business in other parts of the world and house their data inside the U.S! To put into perspective how complicated the overlap of all of these laws can become, just envision the Sony data breach from April of 2011, where the F.B.I got involved! That's why it's important to understand not only the federal laws, but your state's local statutes as well!

Three of the "biggest" U.S Federal Compliance Laws



  • PCI-DSS - This law is used if your company does credit card transactions, meaning data used and stored by merchants, e.g. TJX, Amazon, etc. [1][4]
  • HIPAA - This law is used by the Health Care industry to make sure that health information is kept confidential, e.g. Partners Health Care, Covidian, etc. [1]
  • Sarbanes-Oxley - This law was passed by then President Bush in 2002. It ensures the privacy of "publicly traded" companies, e.g. Barnes & Noble, Gamestop. [1]

I.T Regulatory Compliance and the need for hard-disk encryption



Those are just "three" big federal ones. There are other ones mentioned on that page that affect federal law. If you need help interpreting these laws and implementing them, it's probably best to contact your legal department or auditing team to make sure that, if you're a System Administrator or Information Security professional, the data for your organization is in compliance. Still, it's good to know about these in case you get a job working in the I.T industry and the company's I.T security policy requires you to use some form of hard-disk encryption.

If you are looking for tools to encrypt hard-drives and files and you're running Linux (Fedora/Red Hat/CentOS), it's recommended that you look into TrueCrypt 7.0A (or better), or, if you are more comfortable, you can encrypt the hard-disk partition in the installation phase with LUKS (Linux Unified Key Setup) if you are using Red Hat/Fedora, using Rijndael (AES-128), which is FIPS compliant [2][3]. If you're on Windows Server 2008 R2 or Windows Server 2012, definitely look into seriously implementing BitLocker using firmware secured with TPM (if it's available on your server's BIOS) [3]. BitLocker also uses Rijndael (AES-128) and is also FIPS compliant. These are just some suggestions that many textbooks and professionals recommend!

That's all for today. I will be back in a couple of days, when I find new stuff to write about. If you have any comments, suggestions, or inquiries, feel free to leave comments below or message me! Take care everyone.
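As an added example (not from the original post), here is a small audit script a sysadmin could run to confirm that a LUKS volume actually uses the AES cipher the post recommends and that the kernel is in FIPS mode. It assumes you have saved the output of `cryptsetup luksDump <device>` to a file; the sample dumps below are constructed for demonstration, not captured from a real system.

```shell
#!/bin/sh
# Added example: check a saved `cryptsetup luksDump` output for an AES cipher.
# LUKS1 headers print "Cipher name:    aes"; LUKS2 headers print "cipher: aes-xts-plain64"
# under "Data segments", so the match is case-insensitive and tolerates both layouts.

# luks_cipher_ok DUMPFILE -> exit 0 if the header reports an AES cipher, 1 otherwise
luks_cipher_ok() {
    cipher=$(awk -F: 'tolower($0) ~ /^[[:space:]]*cipher( name)?:/ {
                        gsub(/^[ \t]+/, "", $2); print $2; exit }' "$1")
    case "$cipher" in
        aes*) return 0 ;;
        *)    return 1 ;;
    esac
}

# fips_mode_enabled -> exit 0 if the running kernel reports FIPS mode (Red Hat/Fedora)
fips_mode_enabled() {
    f=/proc/sys/crypto/fips_enabled
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Constructed sample dumps (placeholder device names, no real key material)
SAMPLE_AES=$(mktemp)
cat > "$SAMPLE_AES" <<'EOF'
LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
EOF

SAMPLE_OTHER=$(mktemp)
cat > "$SAMPLE_OTHER" <<'EOF'
LUKS header information
Version:        2
Data segments:
  0: crypt
        cipher: serpent-xts-plain64
EOF

for d in "$SAMPLE_AES" "$SAMPLE_OTHER"; do
    if luks_cipher_ok "$d"; then echo "$d: AES cipher, OK"
    else echo "$d: non-AES cipher, review against policy"; fi
done
fips_mode_enabled && echo "kernel FIPS mode: on" || echo "kernel FIPS mode: off or unknown"
```

Run it against the real dump of each encrypted partition after installation; a non-AES result is the thing an auditor will ask you to explain.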

References:



1. MSDN. "Regulatory Compliance Demystified: An Introduction To Compliance for Developers" http://msdn.microsoft.com/en-us/library/aa480484.aspx accessed 15 Nov 2012. Mar 2006
2. TRUECRYPT. "Free open-source on-the-fly disk encryption". http://www.truecrypt.org/docs/ accessed 15 Nov 2012. 9 May 2011.
3. Microsoft | Tech Net. "BitLocker Drive Encryption" http://technet.microsoft.com/en-us/library/cc731549%28WS.10%29.aspx accessed 15 Nov 2012. 13 May 2010.
4. PCI Compliance. "Understand and Implement Effective PCI Data Security Compliance". http://www.pcicompliancebook.info/ accessed 15 Nov 2012. 16 Mar 2010.
