Security 1.7 governance, regulation and compliance Flashcards
Compliance
Compliance is based on the type of data held and stored by the company and what regulatory requirements (frameworks) apply to its protection. Compliance means ensuring that the organization complies with the minimum security-related requirements.
Security
Security is a clear set of technological programs and tools and processes in place to protect and secure business information and technology assets.
PCI DSS
the Payment Card
Industry Data Security Standard (PCI DSS), also establish their own cybersecurity standards and best practices for businesses and organizations operating under their purview.
This complex regulatory environment is further complicated by the fact that many laws and regulations are obsolete, ambiguous, not uniformly supported by international communities, and/or inconsistent with other applicable laws and regulations, thus requiring legal interpretation to determine relevance, intent, and/or precedence. As a result, businesses and organizations in every industry struggle to achieve and maintain compliance.
Protected health information (PHI)
Protected health information (PHI) is defined by HIPAA as information about
an individual’s health status, provision of healthcare, or payment for healthcare
that includes identifiers such as names, geographic identifiers (smaller than a
state), dates, phone and fax numbers, email addresses, Social Security numbers,
medical record numbers, and photographs.
A covered entity
A covered entity is defined by HIPAA as a healthcare provider that
electronically transmits PHI. These entities include doctors, clinics,
psychologists, dentists, chiropractors, nursing homes, pharmacies, a health plan
(such as a health insurance company, health maintenance organization,
company health plan, or government program, including Medicare, Medicaid,
military and veterans’ healthcare), or a healthcare clearinghouse.
A zero-day threat
A zero-day threat is the window of vulnerability that exists from the time a new
(unknown) threat is released until security vendors release a signature file or
security patch for the threat.
Personally identifiable information (PII)
Personally identifiable information (PII) is defined by the U.S. National
Institute of Standards and Technology (NIST) as “any information about an
individual maintained by an agency, including (1) any information that can be
used to distinguish or trace an individual’s identity … and (2) any other
information that is linked or linkable to an individual….” Examples of PII include:
o Name (such as full name, maiden name, mother’s maiden name, or
alias)
o Personal identification number (such as Social Security number,
passport number, driver’s license number, and financial account
number or credit card number)
o Address information (such as street address or email address)
o Telephone numbers (such as mobile, business, and personal numbers)
o Personal characteristics (such as photographs, X-rays, fingerprints, and
biometric data)
o Information about personally owned property (such as vehicle
registration number and title information)
o Information that is linked or linkable to any of the preceding PII
examples (such as birthdate, birthplace, and religion, and employment,
medical, education, and financial records)
