Cheat Sheet: Legal, Regulations, Compliance in Security
My cheat sheet that I used to prepare for the CISSP, covering how I understand and memorize the laws and regulations relevant to cybersecurity. I publish it because I use it, and you can use it too.
I wrote it down quickly during one of my ad-hoc conversations with a colleague. I was preparing for the CISSP at the time, and I used it later in my preparation for the CSSLP. From time to time, I come back to this cheat sheet. I decided to put it here for my own and everyone's convenience. Enjoy!
- 4th Amendment: Nobody can be unreasonably searched, seized or attacked by the police.
- ECPA: No unwarranted wiretapping.
- PATRIOT Act: But if you might be Al-Qaeda, then the CIA can wiretap you (without a warrant).
- CFAA: If you access a computer you have no business accessing, you are the bad guy and you are committing a crime. If you caused a loss of $5,000 or more, I can sue you.
- DMCA: If you violate copyright, you are committing a crime. It applies to reverse engineering as well. But if copyrighted data is at rest on, or in transit through, ISP facilities, the ISP is not liable (but you are).
- SOX: Security of the accounting of public companies.
- Privacy Act of 1974: Federal agencies must protect the PII of U.S. people.
- FISMA: Federal agencies must establish security according to the NIST SP 800-53 controls.
- GLBA: Security of PFI (personal financial info). Annual "Privacy Notice" by email.
- PCI DSS: Credit card data touches your infrastructure? Take care of security and be compliant. More transactions and money means more fines if you fucked up.
- GDPR: Do you handle PII of European people? These people own their data. Be friendly and compliant!
- CCPA: Do you handle PII of California folks? Don't sell their data... without consent.