Security Compliance & Standards

The Payment Card Industry Data Security Standard (PCIDSS)

In addition to the foregoing laws and regulations, the payment card industry recently created a private contractual compliance requirement: the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS requires that all merchants, including colleges and universities, that accept credit cards comply with a number of technical, physical, and administrative requirements. Failure to comply with the PCI DSS can result in large penalties and suspension of the right to accept credit cards for payment.

The Health Insurance Portability and Accountability Act (HIPAA)

The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) contain both security and privacy provisions. HIPAA applies to covered entities that use certain electronic transactions, such as most health care providers, health plans, and health care clearinghouses.

The Sarbanes-Oxley Act of 2002 (SOX)

The Sarbanes-Oxley Act of 2002 (SOX), specifically sections 302 and 404, requires Information Technology (IT) departments to clearly understand their organization’s financial reporting requirements and the people, processes, and technology required to support and protect the financial data and the financial reporting process. It is not enough for an organization to have documented policies and procedures in place that explain how it protects its financial data and reporting processes. It must also monitor and maintain logs to provide evidence that those policies and procedures are being followed and are operating effectively.

ISO 27000 series

The ISO/IEC 27000-series (also known as the ‘ISMS Family of Standards’ or ‘ISO27k’ for short) comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

The series provides best practice recommendations on information security management, risks and controls within the context of an overall Information Security Management System (ISMS), similar in design to management systems for quality assurance (the ISO 9000 series) and environmental protection (the ISO 14000 series).

The series is deliberately broad in scope, covering more than just privacy, confidentiality and IT or technical security issues. It is applicable to organizations of all shapes and sizes. All organizations are encouraged to assess their information security risks, then implement appropriate information security controls according to their needs, using the guidance and suggestions where relevant. Given the dynamic nature of information security, the ISMS concept incorporates continuous feedback and improvement activities, summarized by Deming’s “plan-do-check-act” cycle, that seek to address changes in the threats, vulnerabilities or impacts of information security incidents.