B.1.3. SOX and HIPAA

Aside from the laws directly concerned with privacy, fraud and computer abuse, you may have to consider the more recent legal complexities introduced by two sets of legislation: Sarbanes–Oxley (SOX) and the Health Insurance Portability and Accountability Act (HIPAA). These acts fall more into the category of things you should be aware of as testers than laws that have much direct bearing on how you conduct testing itself, other than the fact that the scope of a test may be to determine an organization's compliance with these standards.

SOX was introduced in 2002 following accounting scandals at Enron, WorldCom and elsewhere. It is federal legislation that is officially known as the Public Company Accounting Reform and Investor Protection Act of 2002; it is commonly known as Sarbanes–Oxley after its sponsors, the US Senators Paul Sarbanes (Democrat, Maryland) and Michael G. Oxley (Republican, Ohio). Broadly, the purpose of SOX is to enhance accounting standards for all US public companies and accounting firms (it has no bearing on privately held firms of any kind). Despite criticisms from various quarters that SOX was intrusive and unnecessary, it has been largely successful and other countries have developed equivalent legislation such as J-SOX in Japan and Bill 198 in Canada.

The aspects of SOX most applicable to security consultants are Section 302 (Internal Controls) and Section 404 (Assessment of Internal Control). Section 404 requires annual ...
