6 The Law
It takes 20 years to build a reputation and five minutes to ruin it. If you
think about that you'll do things differently.
—Warren Buffett
6.1 Introduction
Technology has positively influenced our world in many innovative ways:
medicine, aviation, education, business, engineering, and, as an added
bonus, a smartphone can tell you how long the wait is for your favorite ride
at Disney. However, technology obviously has spawned many negative side
effects discussed in this book. It is safe to say that with every technological
advancement comes a new vulnerability that a hacker can exploit. In addition,
this rapid advancement causes gaps with security compliance rules, digital
evidence handling, and the law. In this chapter, you will be introduced to the
prevalent compliance standards, evidence rules, laws for acquiring evidence,
case law, and e-discovery. These are all topics security professionals need to
understand to do their job effectively.
6.2 Compliance
Compliance is a major concern for the chief security officers (CSOs) of today.
This refers to implementing a specific legislation related to the type of data
your company collects, accesses, stores, and transmits. For the most part,
the legislation affects the way in which data are handled to help maximize
confidentiality. Hence, this directly affects the ways in which security
professionals do their jobs as these laws are essentially standards that require
the implementation of technology in a way that facilitates the security of
sensitive data. In this section, I will present an overview of the technology
requirements of a few of the security laws, regulations, and guidelines.
112 What Every Engineer Should Know About Cyber Security
6.2.1 The Health Insurance Portability and Accountability Act (HIPAA)
HIPAA addresses safeguarding electronically protected healthcare
information (EPHI). EPHI includes information that a business creates, receives,
maintains, or transmits. EPHI “must be protected against reasonable anticipated
threats, hazards, and impermissible uses or disclosures” (Scholl et al.
2008). The entities that need to follow HIPAA (healthcare providers, health
plans, healthcare clearinghouses, and Medicare prescription drug sponsors)
need to ensure that the security triad (confidentiality, integrity, and
availability) of the electronic healthcare information is maintained. The HIPAA
standards outlined in the National Institute of Standards and Technology
(NIST) special publication 800-66 present all of the considerations when
applying the HIPAA security rule: administrative safeguards, physical
safeguards, technical safeguards, organizational requirements, policies and
procedures, and documentation requirements. The following list contains
ten steps to HIPAA security (Kibbe 2005):
1. Understand the importance of computer security.
2. Make sure the entire organization understands the seriousness of
securing EPHI.
3. Catalog all the information system components that interact with
EPHI.
4. Prepare so that the security triad is ensured. Do not wait for the
disaster.
5. Secure your network.
6. Update antivirus protection.
7. Consider which communication needs to be encrypted.
8. Consider the “chain of trust”* between business partners (insurance
companies, billing services, hospitals, labs, and ISPs).
9. Demand that your vendors (products and services used) understand
HIPAA.
10. Have a plan with your goals and needs in mind.
6.2.2 The Payment Card Industry Data Security Standard (PCI-DSS)
The goal of PCI-DSS is to optimize the security of debit and credit card
transactions by reducing fraud and protecting the personal identity information
of the card holders. The PCI Security Standards Council is responsible for
maintaining the PCI security standards. The PCI-DSS applies to any entity
that is involved in payment card processing. The “high-level overview”
provided by PCI is as follows (PCI Security Standards Council 2010):
* “Chain of trust” is a term referring to the fact that each entity sharing the EPHI has the
necessary security protections to ensure the HIPAA requirements.