Trans-border Data Flow
The concept of trans-border data flow was discussed tangentially with respect to privacy (see Privacy: OECD Privacy Guidelines above). While the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data were issued in 1980, the need to consider the impact of data being transferred between countries has grown greatly in the years since. In general, the OECD recommends the unfettered flow of information, albeit with notable legitimate exceptions. The most important exceptions to unfettered data transfer were identified in the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data themselves. Five years after the privacy guidance, the OECD issued its Declaration on Transborder Data Flows, which further supported efforts to promote unimpeded data flows.
Important Laws and Regulations
An entire book could easily be filled with discussions of both US and international laws that directly or indirectly pertain to issues in information security. This section is not an exhaustive review of these laws. Instead, only those laws that are represented on the CISSP® examination are included in the discussion. Table 2.2 provides a quick summary of laws and regulations that are commonly associated with information security.
Table 2.2 Common Information Security Laws and Regulations
| Laws | Noteworthy points |
|---|---|
| HIPAA — Health Insurance Portability and Accountability Act | The Privacy and Security portions seek to guard Protected Health Information (PHI) from unauthorized use or disclosure. The Security Rule provides guidance on Administrative, Physical, and Technical safeguards for the protection of PHI. HIPAA applies to covered entities that are typically healthcare providers, health plans, and clearinghouses. Also, the HITECH Act of 2009 makes HIPAA’s privacy and security provisions apply to business associates of covered entities as well. |
| Computer Fraud and Abuse Act — Title 18 Section 1030 | One of the first US laws pertaining to computer crimes. It criminalized attacks on protected computers, which include government and financial computers as well as those engaged in foreign or interstate commerce, where the attack caused at least $5,000 in damages during a one-year period. The foreign and interstate commerce portion of the protected computer definition allowed this law to cover many more computers than originally intended, since nearly any Internet-connected system can be argued to be engaged in interstate commerce. |
| Electronic Communications Privacy Act (ECPA) | This law brought to non-telephony electronic communications a level of search and seizure protection similar to that already afforded to telephone communications. Effectively, the ECPA protected electronic communications from warrantless wiretapping. The PATRIOT Act weakened some of the ECPA restrictions. |
| Sarbanes-Oxley Act (SOX) | As a direct result of major accounting scandals in the United States, the Sarbanes-Oxley Act, more commonly referred to simply as SOX, was passed. SOX created regulatory compliance mandates for publicly traded companies. The primary goal of SOX was to ensure adequate financial disclosure and financial auditor independence. SOX requires financial disclosure, auditor independence, and internal security controls such as a risk assessment. Intentional violation of SOX can result in criminal penalties. |
| Payment Card Industry Data Security Standard (PCI-DSS) | The major vendors in the payment card portion of the financial industry have attempted to achieve adequate protection of cardholder data through self-regulation rather than legislation. By requiring merchants that process credit cards to adhere to the Payment Card Industry Data Security Standard (PCI-DSS), the major credit card companies seek to ensure better protection of cardholder data by mandating security policy, security devices, control techniques, and monitoring of the systems and networks that make up cardholder data environments. PCI-DSS is a contractual industry standard, not a law; non-compliance is enforced through fines and loss of card-processing privileges rather than criminal penalties. |