DATA PROTECTION LEGISLATION
INFORMATION SECURITY REGULATIONS
LAWS AND REGULATIONS RELATING TO
DATA SECURITY AND INFORMATION PROTECTION
PRIVACY AND CONSUMER PROTECTION LEGISLATION HOLDS BUSINESSES ACCOUNTABLE
Your business is responsible for upholding the strict data privacy and protection laws that governing bodies have enacted for the sake of consumer protection. If your company is breached, the legal ramifications you will be held accountable for may include fines for non-compliance, class action lawsuits, and more, and these do not even include the damage to your reputation that follows such events. The monetary and operational costs of a post-breach event are as significant as the legal ramifications, and both can extend well beyond the initial attack. The type of data that was compromised, the data that was leaked or exfiltrated, the specific sector of the business operation that was directly affected, and similar factors all determine the fines a business may be subject to for failing to comply with the governing legislation.
PAYMENT CARD INDUSTRY
DATA SECURITY STANDARD (PCI DSS)
ONE OF THE MAJOR SECURITY MEASURES THAT THE PCI DSS REGARDS AS PIVOTAL FOR BUSINESSES IS THE SECURITY ASSESSMENT OF BOTH NETWORKS AND APPLICATIONS
Specifically, this includes using vulnerability management programs, engaging in regular monitoring and testing of company networks, hardening your business systems via layered security, and the utilization of appropriate security controls. It also includes using Network Access Control for company systems, maintaining corporate policies associated with incident response and information security, having black-box and white-box penetration tests done on company networks, regularly using patch management, and more. Your company should make sure to comply with all of the PCI DSS guidelines, and in doing so you can better protect your customers, yourself, and your organization.
Using both in-house and external security engineers allows for a multi-faceted security assessment that gives a more complete picture of your security posture while ensuring compliance. For both operational ease and legal compliance, your business should become intimately acquainted with the PCI DSS guidelines and should carry out thorough security assessments regularly.
SARBANES-OXLEY ACT (SOX)
THIS ACT IS RELEVANT BECAUSE IT STIPULATES THAT COMPANIES MUST CREATE, MAINTAIN AND UPDATE COMPREHENSIVE SECURITY POLICIES THAT SHOULD GLOBALLY ENCOMPASS THE ECOSYSTEM OF THE CORPORATION'S IT SECTOR
- Application and network assessments
- Network monitoring and auditing
- Implementing network access controls (NAC) and security controls
- Encrypting data and using best practices for data storage
- Maintaining incident response protocols and patch management
- Securing all systems using authorization and authentication services
(E.G. GRAMM–LEACH–BLILEY ACT, NEW BASEL CAPITAL ACCORD (BASEL II) – QUANTITATIVE STANDARDS, ETC.)
Specifically, this act dictates that financial companies must reveal to their customers exactly how their information will be shared among different business networks, and that these companies take sufficient steps to safeguard their customers' information. This includes providing security training to employees and implementing risk management programs, as well as monitoring, updating and testing business systems, evaluating the efficacy of security controls, and identifying, assessing and mitigating threats to customer information.
& THE FEDERAL SENTENCING GUIDELINES
PERHAPS AS IMPORTANT AS THE SERVICE PROVIDED - AND THE REVENUE OBTAINED - IS THE BRAND REPUTATION OF A BUSINESS
It is imperative for you to be aware of all governing information security regulations, and to implement corporate-wide security policies (such as regular security assessments) in order to provide proof of due diligence, so that if a breach should occur you and your company will be legally covered.