Hello, cyber security notes and all. Details and various things.jsksjdhrjkdhdjdjdksjsbdks skgidbsks. Dudye8heueodheieheidhieheue. Sjsjsuowbsiskwbwiwngeiee wjehueowneur
2. Sarbanes-Oxley Act (SOX)
Payment Card Industry Data Security Standard (PCI DSS)
Gramm-Leach-Bliley Act (GLB) Act
Electronic Fund Transfer Act, Regulation E (EFTA)
Customs-Trade Partnership Against Terrorism (C-TPAT)
Free and Secure Trade Program (FAST)
Children's Online Privacy Protection Act (COPPA)
Fair and Accurate Credit Transaction Act (FACTA), including Red
Flags Rule; Federal Rules of Civil Procedure (FRCP)
Broadly applicable laws and
regulations
3. Enacted in 2002, the Sarbanes-Oxley Act is designed to protect
investors and the public by increasing the accuracy and
reliability of corporate disclosures. It was enacted after the
high-profile Enron and WorldCom financial scandals of the early
2000s.
It is administered by the Securities and Exchange Commission,
which publishes SOX rules and requirements defining audit
requirements and the records businesses should store and for
how long.
Who is affected: U.S. public company boards, management and
public accounting firms.
Sarbanes-Oxley Act (aka Sarbox, SOX)
4. Key requirements/provisions: The Act is organized into 11 titles:
1. Public Company Accounting Oversight
2. Auditor Independence
3. Corporate Responsibility
4. Enhanced Financial Disclosures
5. Analyst Conflicts of Interest
6. Commission Resources and Authority
7. Studies and Reports
8. Corporate and Criminal Fraud Accountability
9. White-Collar Crime Penalty Enhancements
10. Corporate Tax Returns
11. Corporate Fraud Accountability
Sarbanes-Oxley Act (aka Sarbox, SOX)
5. The PCI DSS is a set of requirements for enhancing security of
payment customer account data.
It was developed by the founders of the PCI Security Standards
Council, including American Express, Discover Financial Services, JCB
International, MasterCard Worldwide and Visa to help facilitate global
adoption of consistent data security measures.
PCI DSS includes requirements for security management, policies,
procedures, network architecture, software design and other critical
protective measures.
The Council has also issued requirements called the Payment
Application Data Security Standard (PA DSS) and PCI Pin Transaction
Security (PCI PTS).
Who is affected: Retailers, credit card companies, anyone handling
credit card data.
Payment Card Industry Data
Security Standard (PCI DSS)
6. Key requirements/provisions: Currently, PCI DSS specifies 12
requirements, organized in six basic objectives:
Objective 1: Build and Maintain a Secure Retail Point of Sale
System
- Requirement 1: Install and maintain a firewall configuration to
protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system
passwords and other security parameters
Objective 2: Protect Cardholder Data
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across
open, public networks
Payment Card Industry Data
Security Standard (PCI DSS)
7. Objective 3: Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software
- Requirement 6: Develop and maintain secure systems and
applications
Objective 4: Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business
need-to-know
- Requirement 8: Assign a unique ID to each person with
computer access
- Requirement 9: Restrict physical access to cardholder data
Payment Card Industry Data
Security Standard (PCI DSS)
8. Objective 5: Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network
resources and cardholder data
- Requirement 11: Regularly test security systems and processes
Objective 6: Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information
security
Payment Card Industry Data
Security Standard (PCI DSS)
9. Also known as the Financial Modernization Act of 1999, the GLB
Act includes provisions to protect consumers' personal financial
information held by financial institutions.
There are three principal parts to the privacy requirements: the
Financial Privacy Rule, the Safeguards Rule and pretexting
provisions.
The Gramm-Leach-Bliley Act
(GLB) Act of 19999
10. Who is affected: Financial institutions (banks, securities firms,
insurance companies), as well as companies providing financial
products and services to consumers (including lending,
brokering or servicing any type of consumer loan; transferring
or safeguarding money; preparing individual tax returns;
providing financial advice or credit counseling; providing
residential real estate settlement services; collecting consumer
debts).
The Gramm-Leach-Bliley Act
(GLB) Act of 19999
11. Key requirements/provisions: The privacy requirements of GLB
include three principal parts:
1. The Financial Privacy Rule: Requires financial institutions to give
customers privacy notices that explain its information collection
and sharing practices. In turn, customers have the right to limit
some sharing of their information. Financial institutions and other
companies that receive personal financial information from a
financial institution may be limited in their ability to use that
information.
The Gramm-Leach-Bliley Act
(GLB) Act of 19999
12. 2. The Safeguards Rule: Requires all financial institutions to
design, implement and maintain safeguards to protect the
confidentiality and integrity of personal consumer information.
3. Pretexting provisions: Protect consumers from individuals and
companies that obtain their personal financial information under
false pretenses, including fraudulent statements and
impersonation.
The Gramm-Leach-Bliley Act
(GLB) Act of 19999
13. Enacted in 1978, this law protects consumers engaging in
electronic fund transfers from errors and fraud. It carries out
the purposes of the Electronic Fund Transfer Act, which
establishes the basic rights, liabilities, and responsibilities of EFT
consumers of financial institutions that offer these services.
EFTs include ATM transfers, telephone bill-payment services,
point-of-sale terminal transfers in stores and preauthorized
transfers from or to a consumer's account (such as direct
deposit and Social Security payments).
Effective August 2010, a new provision states that institutions
may not impose dormancy, inactivity or service fees for pre-paid
products, such as gift cards, nor can they have an expiration
date of less than five years.
Electronic Fund Transfer Act,
Regulation E
14. ЗАКОН КЫРГЫЗСКОЙ РЕСПУБЛИКИ
г.Бишкек, от 21 января 2015 года № 21
О платежной системе Кыргызской Республики
(В редакции Закона КР от 1 марта 2017 года N 38)
Electronic Fund Transfer Act,
Regulation E
15. Who is affected: Financial institutions that hold consumer
accounts or provide EFT services, as well as merchants and
other payees.
Key requirements/provisions: Regulation E includes the
following provisions:
Definition of access device (debit cards, PINs, phone transfers, bill payment codes, private label cards).
Consumer acceptance of device (either through a request for the device or validation of an unsolicited
device).
Financial institution responsibilities, such as disclosure requirements and records retention.
Consumer rights and responsibilities, such as procedures for reporting lost or stolen access devices and
notifying the institution of an error.
Rules for preauthorized debits and electronic check transactions.
Error resolution process.
Unauthorized EFTs.
Electronic Fund Transfer Act,
Regulation E
16. C-TPAT is a worldwide supply chain security initiative
established in 2004.
It is a voluntary initiative run by U.S. Customs and Border
Protection, with the goals of preventing terrorists and terrorist
weapons from entering the U.S.
It is designed to build cooperative government-business
relationships that strengthen and improve the overall
international supply chain and U.S. border security.
Businesses are asked to ensure the integrity of their security
practices and communicate and verify the security guidelines of
their business partners within the supply chain.
Customs-Trade Partnership
Against Terrorism (C-TPAT)
17. Benefits for participating in C-TPAT include a reduced number
of CBP inspections, priority processing for CBP inspections,
assignment of a C-TPAT supply chain security specialist to
validate security throughout the company's supply chain and
more.
Who is affected: Trade-related businesses, such as importers,
carriers, consolidators, logistics providers, licensed customs
brokers, and manufacturers.
Customs-Trade Partnership
Against Terrorism (C-TPAT)
18. Key requirements/provisions:
C-TPAT relies on a multi-layered approach consisting of the
following five goals:
Ensure that C-TPAT partners improve the security of their
supply chains pursuant to C-TPAT security criteria.
Provide incentives and benefits to include expedited processing
of C-TPAT shipments to C-TPAT partners.
Internationalize the core principals of C-TPAT.
Support other CBP initiatives, such as Free and Secure Trade,
Secure Freight Initiative, Container Security Initiative.
Improve administration of the C-TPAT program.
Customs-Trade Partnership
Against Terrorism (C-TPAT)
19. Key requirements/provisions:
C-TPAT security criteria encompass the following areas:
Business partners
Conveyance security
Physical access control
Personnel security
Procedural security
Physical security
Security training/Threat awareness
Information technology security
Customs-Trade Partnership
Against Terrorism (C-TPAT)
20. FAST is a voluntary commercial clearance program run by U.S.
Customs and Border Protection for pre-approved, low-risk
goods entering the U.S. from Canada and Mexico.
Initiated after 9/11, the program allows for expedited processing
for commercial carriers who have completed background
checks and fulfill certain eligibility requirements.
Participation in FAST requires that every link in the supply chain
— from manufacturer to carrier to driver to importer — is
certified under the C-TPAT program (see above). Cards cost $50
and are valid for 5 years.
Free and Secure Trade Program
(FAST)
21. Benefits of using FAST and C-TPAT include:
Upon terrorist alerts, FAST/C-TPAT drivers will be allowed to
cross the border.
Dedicated lanes for greater speed and efficiency
Reduced cost of compliance with customs requirements.
Who is affected: Importers, carriers, consolidators, licensed
customs brokers, and manufacturers.
Free and Secure Trade Program
(FAST)
22. Key requirements/provisions: Highway carriers authorized to use
the FAST/C-TPAT program need to meet the following
requirements:
A demonstrated history of complying with all relevant
legislative and regulatory requirements.
Have made a commitment to security-enhancing business
practices, as required by the C-TPAT and Canada's PIP program.
Use drivers that are in possession of a valid FAST commercial
driver card when using FAST clearance.
In the case of carriers seeking FAST clearance into Canada, be
bonded and have the necessary business processes required for
the Customs Self Assessment (CSA) program.
Free and Secure Trade Program
(FAST)
23. COPPA, which took effect in 2000, applies to the online
collection of personal information from children under 13.
Monitored by the Federal Trade Commission (FTC), the rules
limit how companies may collect and disclose children's
personal information.
They codify what a Web site operator must include in a privacy
policy, when and how to seek verifiable consent from a parent
and what responsibilities an operator has to protect children's
privacy and safety online.
Who is affected:Operators of commercial Web sites and online
services directed to children under 13 that collect personal
information from children, as well as general audience Web
sites with actual knowledge they are collecting personal
Children's Online Privacy
Protection Act
24. Key requirements/provisions: Basic provisions of COPPA include:
Privacy notice, with specifics on placement and content.
A direct notice to parents, with specifics on content.
Verifiable parental consent, for internal use, public disclosure
and third-party disclosure of information.
Verification that a parent requesting access to child's
information is actually the parent.
Ability for parents to revoke consent and delete information.
The ability for industry groups and others to create self-
regulatory programs to govern compliance with COPPA.
Children's Online Privacy
Protection Act
25. Passed in December 2003, FACTA is an amendment to the Fair
Credit Reporting Act that is intended to help consumers avoid
identity theft.
Accuracy, privacy, limits on information sharing, and new
consumer rights to disclosure are included in the legislation.
The Act also says businesses in possession of consumer
information or information derived from consumer reports
must properly dispose of the information.
Fair and Accurate Credit Transaction Act
(FACTA), including Red Flags Rule
26. The Red Flags Rule establishes new provisions within FACTA
requiring financial institutions, creditors, etc. to develop and
implement an identity theft prevention program.
The Red Flags Rule has been delayed several times and is
currently scheduled for enforcement by the FTC starting
December 31, 2010.
Who is affected: Credit bureaus, credit reporting agencies,
financial institutions, any business that uses a consumer report
and creditors. As defined by FACTA, a creditor is anyone who
provides products or services and bill for payment.
Fair and Accurate Credit Transaction Act
(FACTA), including Red Flags Rule
27. Key requirements/provisions: FACTA includes the following key
provisions:
Free reports. Consumers can obtain a free credit report once every
12 months from each of the three nationwide consumer credit
reporting companies.
Fraud alerts and active duty alerts. Individuals can place alerts on
their credit histories if identity theft is suspected or if deploying
overseas in the military, thereby making fraudulent applications for
credit more difficult.
Truncation: Credit cards, debit cards, Social Security
numbers. Credit and debit card receipts may not include more than
the last five digits of the card number or the expiration date.
Consumers who request a copy of their file can also request that the
first five digits of their Social Security number not be included.
Fair and Accurate Credit Transaction Act
(FACTA), including Red Flags Rule
28. Information available to victims. A business that provides
credit or products and services to someone who fraudulently
uses your identity must give you copies of the documents, such
as credit applications.
Collection agencies: If a victim of identity theft is contacted by
a collection agency about a debt that resulted from the theft,
the collector must inform the creditor of that. When creditors
are notified that the debt is the work of an identity thief, they
cannot sell the debt or place it for collection.
Fair and Accurate Credit Transaction Act
(FACTA), including Red Flags Rule
29. Red Flags Rule: Several provisions within FACTA require financial
institutions, creditors, etc. to develop and implement an identity
theft prevention program, aimed at early detection and
mitigation of fraud.
The program must include provisions to identity relevant "red
flags," detect these early warning signs, respond appropriately
and periodically update the program.
Additional provisions include guidelines and requirements to
assess the validity of a change of address request and procedures
to reconcile different consumer addresses. The deadline for
complying with the Red Flags Rule has been extended several
times and is currently December 2010. Questions remain as to
which companies need to comply with this part of FACTA.
Fair and Accurate Credit Transaction Act
(FACTA), including Red Flags Rule
30. Proper disposal of consumer reports. Consumer reporting
agencies and any business that uses a consumer report must
adopt procedures for proper document disposal to avoid
"dumpster diving" by identity thieves. This includes lenders,
insurers, employers, landlords, government agencies, mortgage
brokers, automobile dealers, attorneys and private
investigators, debt collectors, individuals who obtain a credit
report on prospective nannies, contractors or tenants.
Disputing inaccurate information. Consumers can dispute data
included in reports directly with the company that furnished it.
Fair and Accurate Credit Transaction Act
(FACTA), including Red Flags Rule
31. In place since 1938, the FRCP discovery rules govern court
procedures for civil lawsuits.
The first major revisions, made in 2006, make clear that
electronically stored information is discoverable, and they detail
what, how and when electronic data must be produced.
As a result, companies must know what data they are storing
and where it is; they need policies in place to manage electronic
data; they need to follow these policies; and they need to be
able to prove compliance with these policies, in order to avoid
unfavorable rulings resulting from failing to produce data that is
relevant to a case.
Security professionals may be involved in proving to a court's
satisfaction that stored data has not been tampered with.
Federal Rules of Civil Procedure
(FRCP)
32. Who is affected: Any company that is — or could be — involved
in a civil lawsuit within the federal courts. In addition, because
states have adopted FRCP-like rules, companies involved in
litigation within a state court system are also affected.
Federal Rules of Civil Procedure
(FRCP)
33. Key requirements/provisions: There are 13 sections to the FCRP.
The major changes pertain to Chapter 5, Rules 26-37, as these
require a detailed understanding of electronic data retention
policies and procedures, what data exists and where, as well as
the ability to search for and produce this data within the
timeframes stipulated. Here is a summary of these rules:
Rule 26 (a): Makes clear that electronically stored information is
discoverable and that companies must be able to produce
relevant data.
Federal Rules of Civil Procedure
(FRCP)
34. Rule 26 (b)(2): Clarifies limits on discoverable data; for instance,
companies are not required to produce data that would prove
to be excessively expensive or burdensome, such as from
sources that aren't reasonably accessible, like backup tapes
used for disaster recovery and obsolete media.
Rule 26 (f): Stipulates that the parties involved need to discuss
issues relating to the disclosure or discovery of electronic data
before discovery begins.
Rule 33 (d): Establishes that a reasonable opportunity is
provided to examine and audit the data provided.
Federal Rules of Civil Procedure
(FRCP)
35. Rule 34 (b): Establishes that electronic data is as important as
paper documents, and that it must be produced in a reasonably
usable format.
Rule 37 (f): Provides "safe harbor" when electronic data is lost
or unrecoverable, as long as it can be proved that good-faith
business operations were routinely followed.
Federal Rules of Civil Procedure
(FRCP)