Cheat Sheet: Legal, Regulations, Compliance in Security

My cheat sheet I used to prepare for CISSP about how I understand and memorize legal and regulations in cybersecurity. I publish it because I use it, and you can use it too.

I wrote it down quickly during one of my ad-hoc conversations with a colleague. I was preparing for the CISSP at that time, and I later used it in my preparation for the CSSLP. Sometimes I come back to this cheat sheet, so I decided to put it here for convenience. Enjoy!

  1. 4th Amendment
    No unreasonable searches and seizures by the government. A search needs a warrant, and a warrant needs probable cause.
  2. ECPA
    Extends wiretap protections to electronic communications (email, data in transit, stored messages). No interception or access without a warrant or consent.
  3. PATRIOT Act
    But if you are a suspected terrorist (think Al-Qaeda), the federal government gets broader surveillance powers: roving wiretaps under FISA, easier access to ISP and business records (National Security Letters), and a lower bar for pen registers and trap-and-trace.
  4. CFAA
    If you access a protected computer without authorization (or exceed the authorization you have), you are a bad guy and you are committing a federal crime. If the victim's loss reaches $5,000 or more within a year, the company can also sue you in civil court.
  5. DMCA
    Circumventing copy protection (DRM) is an offense, even without infringing anything. This catches some reverse engineering, although interoperability research has an exemption. Safe harbor: an ISP that merely transmits, caches, or hosts infringing data and honors takedown notices is not liable (but you are).
  6. SOX
    Integrity of financial reporting of public companies. Section 404 requires management to attest to internal controls, which pulls in the security of the IT systems that produce the numbers.
  7. Privacy Act of 1974
    Federal agencies must protect the PII they hold about U.S. persons and may not disclose it without consent (with listed exceptions).
  8. FISMA
    Federal agencies (and their contractors) must run an information security program built on NIST standards: categorize systems with FIPS 199, select controls from NIST SP 800-53.
  9. GLBA
    Financial institutions must protect customers' nonpublic personal financial information (Safeguards Rule) and give customers a privacy notice when the relationship starts and annually after that (Privacy Rule).

  1. PCI DSS
    Not a law but a contractual standard of the card brands. Credit card data touches your infrastructure? Take care of security and be compliant. More transactions and money means a higher merchant level, stricter validation, and bigger fines if you get breached.
  2. GDPR
    Do you handle personal data of people in the EU? These people own their data: you need a lawful basis to process it, they can access and erase it, and you report breaches within 72 hours. Be friendly and compliant, because fines go up to 4% of global turnover.
  3. CCPA
    Do you handle personal data of California folks? Don't sell their data if they opt out (and for minors under 16 you need opt-in consent). They can also ask what you hold about them and have it deleted.