Chapter 5 - 01 - Discuss Various Regulatory Frameworks, Laws, and Acts PDF

Summary

This document discusses various regulatory frameworks, laws, and acts in cybersecurity, including payment card industry data security standards (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA). It covers the need for robust standards regarding the protection of sensitive information, and specifies different requirements for various entities.

Full Transcript

Certified Cybersecurity Technician Network Security Controls — Administrative Controls Exam 212-82 Regulatory Frameworks, Laws, and Acts h 4 Payment Card Industry Data Security Standard (PCI-DSS) The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for major debit, credit, prepaid, e-purse, ATM, and POS cards PCI DSS applies to all entities involved in payment card processing — including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process, or transmit cardholder data PCI Data Security Standard — High Level Overview lO e Build and Maintain a figfi Secure Network ——— Maintain a Vulnerability p Implement Strong f Management Program Regularly Monitor and Test Networks U SRR R I a Access Control Measures = Maintain an Information Security Policy —— https://www.pcisecuritystondards.org Failure to meet the PCI DSS requirements may result in fines or the termination of payment card processing privileges h 4 Regulatory Frameworks, Laws, and Acts Payment Card Industry Data Security Standard (PCI-DSS) Source: https://www.pcisecuritystandards.org The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards. This standard offers robust and comprehensive standards Module 05 Page 512 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Controls — Administrative Controls Exam 212-82 and supporting materials to enhance payment card data security. These materials include a framework of specifications, tools, measurements, and support resources to help organizations ensure the safe handling of cardholder information. PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process, or transmit cardholder data. PClI DSS comprises a minimum set of requirements for protecting cardholder data. The Payment Card Industry (PCI) Security Standards Council has developed and maintains a high-level overview of PCI DSS requirements. PCI Data Security Standard — High Level Overview Install and maintain a firewall configuration to protect Build and Maintain a Secure cardholder data Network Do not use vendor-supplied defaults for system passwords and other security parameters Protect stored cardholder data Protect Cardholder Data Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program Implement Strong Access Control Measures Use and regularly update anti-virus software or programs Develop and maintain secure systems and applications Restrict access to cardholder data by business need to know Assign a unique ID to each person with computer access Restrict physical access to cardholder data Regularly Monitor and Test Networks Track and monitor all access to network resources and cardholder data Regularly test security systems and processes Maintain an Information Maintain a policy that addresses information security for all Security Policy personnel Table 5.6: Table Showing the PCI Data Security Standard—High-Level Overview Failure to meet PCI DSS requirements may result in fines or the termination of payment-card processing privileges. Module 05 Page 513 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Controls — Administrative Controls Exam 212-82 Health Insurance Portability and Accountability Act (HIPAA) HIPAA's Administrative Simplification Statute and Rules Electronic Transaction and Code Set Standards Specifies a series of administrative, physical, and technical safeguards Security Rule for covered entities to use to ensure the confidentiality, integrity, and availability of electronically protected health information National Identifier Enforcement Rule Requires every provider who does business electronically to use the same health care transactions, code sets, and identifiers Provides federal protections for the personal health information held by covered entities and gives patients an array of rights with respect to that information Privacy Rule Requirements