Questions tagged [regulation]
A rule of order having the force of law, prescribed by a superior or competent authority, relating to the actions of those under the authority's control.
46 questions
2
votes
0
answers
76
views
Use Cases for Fully Homomorphic Encryption Within an Organization
I would like to know whether there are practical use cases for Fully Homomorphic Encryption within an organization, and if so, what they are.
I understand that FHE allows you to delegate processing of data without giving ...
0
votes
0
answers
210
views
eIDAS qualified timestamp on email
Every document that needs to be eIDAS compliant needs to have a qualified timestamp. If we take an email as a document, then the email, based on eIDAS regulations, needs to have a qualified timestamp ...
1
vote
0
answers
162
views
What would be the logical approach in breaking down the following scenario in regard to CISSP Domains?
I'm currently doing my Cyber Security Certification program; I, along with my fellow classmates, am in the beginner stages. Over the past few weeks we have been writing up a variety of discussions using ...
12
votes
1
answer
5k
views
Does SOC 2 compliance require password rotation?
For convenience and security I find password rotation requirements harmful.
Our SOC 2 auditor seems to still require them. Does SOC 2 actually require password rotation in 2020?
I would think (hope) ...
2
votes
1
answer
172
views
Can an indie apps developer get fined if they unintentionally didn't protect users' data from hackers? [closed]
I'm currently developing an app in which the users will store sensitive data, and this data will be stored on the internet (I'll use Firebase or a similar service).
I'll try to secure the data as ...
2
votes
1
answer
382
views
Reason for lack of asymmetric cryptography in AWS KMS for regions in China
In the documentation of the AWS Key Management Service (KMS) I found this interesting sentence:
Asymmetric CMKs and asymmetric data key pairs are supported in all AWS Regions that AWS KMS supports ...
-1
votes
1
answer
169
views
Security requirements for commingling systems
Are there federal regulations/requirements that prohibit such commingling of Private systems and CUI(CUI - Controlled Unclassified Information) storage systems? I am looking at CFR-2017 title32, vol6,...
0
votes
1
answer
241
views
Does users' data from Europe have to be stored in the EU? [closed]
I read recently that Facebook could be moving 1.5 billion EU users' data outside of the EU to get round the new EU regulations on GDPR.
Is this legal and how could it be stopped?
Source: https://www....
9
votes
1
answer
743
views
PSD2 compliant two factor authentication
According to PSD2 the elements of the multi-factor authentication must be independent so the compromise of one element does not compromise the other.
Here is the article from the directive:
*Article ...
1
vote
2
answers
2k
views
How to timestamp a document without electronic signature under eIDAS
I need to timestamp a file to prove data integrity, not authorship. I will use an RFC 3161 qualified timestamping service.
From the EU Regulation Section 6, Article 41, I understand that I can use a ...
4
votes
1
answer
24k
views
Is there a specification for the color values representing information classification levels for the United States? [closed]
Executive Order 13526, section 1.2, specifies that information may be classified as Top Secret, Secret, or Confidential. The absence of a classification is Unclassified.
US Classification Levels are used ...
1
vote
2
answers
632
views
Credit Card details shown in full after payment on online store
A large and reputable online store shows the credit card details of the customer in full on the order confirmation and receipt page (after payment has been processed).
This is the first time I have ...
3
votes
1
answer
175
views
How can I prove that I adhere to stated privacy policy? What audits are effective for voluntary compliance?
I have a website and mobile app that doesn't store data or PII.
Suppose I'm not subject to any special privacy laws. How can I voluntarily submit myself to an audit to ensure that I'm acting true to ...
2
votes
0
answers
168
views
Compliance/ FCA regulations
First of all, please accept my apology for being ignorant of compliance/FCA regulations, as I have been digging everywhere to get the answer to a very specific question:
SCENARIO
I am planning ...
1
vote
0
answers
130
views
Which certification to get in order to store PHI for European businesses
I work in a digital health company that will likely store personal health information.
I am conflicted about which certification I should get in order to best meet the needs of business partners from Europe.
...
1
vote
0
answers
206
views
What does the EU-US Privacy Shield certificate mean in terms of EU PHI compliance?
I'm facing a regulation issue.
My servers are hosted on Google Cloud.
I see that Google is HIPAA and Privacy Shield approved.
If my database servers are hosted with Google
and I'm storing personal ...
0
votes
1
answer
251
views
Differences in classified data handling
Is the difference in the strength of the cryptographic algorithms the only difference between handling TOP SECRET and SECRET information? Say in NSA Suite B, the following is recommended:
- SECRET: ...
10
votes
1
answer
528
views
What are the privacy differences with Azure trustee delegates in China, Germany, and other locations?
Azure has different privacy agreements set up with different datacenters as mentioned in this footnote
Azure is now available in China through a unique partnership between Microsoft and 21Vianet, one ...
3
votes
3
answers
2k
views
Can a card-issuing company store the CVV number, expiry date and 16-digit card number?
I have a limited-amount plastic card issued by a certain company. When I log into my online account with the same company, I can see complete details: 16-digit card number, name, expiry date and CVV ...
3
votes
1
answer
208
views
What is the minimal security standard needed for this type of software product
Actions described in security standards (like ISO 27002, PCI-DSS, HIPAA, Common Criteria) greatly vary according to the domain data that they store, process, transmit and report.
We have a product ...
82
votes
7
answers
28k
views
How many digits of a Visa card number can vendors disclose on receipts?
I visited a local McDonald's, and I noticed part of my Visa number repeated on the receipt like this: NNNN NN__ ____ NNNN. (So out of a total of 16 digits it breaks down like this: First six digits ...
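The three questions above about PAN display (the full card number on an order confirmation, the full details in an issuer's portal, and the receipt showing the first six and last four digits) all come down to one check: how many digits of the PAN are visible, and where. The following is an added example, not code from any of the posts or from the PCI SSC: it masks a PAN to a first-six/last-four policy and audits a PAN as printed on a receipt or web page. The six/four cut is taken from the receipt described in the question and is an assumption about the policy being applied; the helper names and the test card number are the example's own.

```python
import re
from dataclasses import dataclass

# Policy from the receipt in the question: at most the first six and the last
# four digits of a PAN may be shown. Assumed defaults; change them if your
# assessor applies a different cut.
KEEP_FIRST = 6
KEEP_LAST = 4
MASK_CHARS = "*_Xx#"  # characters receipts commonly use to hide digits


def luhn_valid(digits: str) -> bool:
    """Luhn check, used only to confirm a digit string is plausibly a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = KEEP_FIRST, keep_last: int = KEEP_LAST) -> str:
    """Replace every digit except the allowed leading/trailing ones with '*'
    and group the result in fours, as it would be printed on a receipt."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    hidden = len(digits) - keep_first - keep_last
    if hidden <= 0:
        raise ValueError("policy would reveal the whole PAN")
    masked = digits[:keep_first] + "*" * hidden + digits[-keep_last:]
    return " ".join(masked[i:i + 4] for i in range(0, len(masked), 4))


@dataclass
class DisplayCheck:
    leading: int      # visible digits at the start of the PAN
    trailing: int     # visible digits at the end of the PAN
    full_pan: bool    # every digit visible (the order-confirmation case)
    compliant: bool


def check_displayed_pan(shown: str, keep_first: int = KEEP_FIRST,
                        keep_last: int = KEEP_LAST) -> DisplayCheck:
    """Audit a PAN exactly as it appears on a receipt or page. Any mask
    character is normalised to '*' first so '4111 11__ ____ 1111' and
    '4111 11** **** 1111' are treated the same."""
    s = re.sub(r"\s", "", shown)
    s = re.sub(f"[{re.escape(MASK_CHARS)}]", "*", s)
    if not re.fullmatch(r"[0-9*]{13,19}", s):
        raise ValueError("does not look like a (masked) PAN")
    if "*" not in s:
        return DisplayCheck(len(s), 0, True, False)
    leading = len(s) - len(s.lstrip("0123456789"))
    trailing = len(s) - len(s.rstrip("0123456789"))
    middle = s[leading:len(s) - trailing]
    # The middle must be entirely masked: a stray digit there ('4111 11** 1***
    # 1111') leaks more than the leading/trailing counts suggest.
    compliant = (leading <= keep_first and trailing <= keep_last
                 and set(middle) == {"*"})
    return DisplayCheck(leading, trailing, False, compliant)


if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111"))            # 4111 11** **** 1111
    print(check_displayed_pan("4111 11__ ____ 1111"))  # compliant
    print(check_displayed_pan("4111 1111 1111 1111"))  # full_pan, not compliant
```

The check looks only at what is displayed; it says nothing about what is stored or logged behind the page, which is the separate concern raised in the issuer-portal question.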
1
vote
2
answers
1k
views
Scans for WiFi access points
PCI DSS requirement 11.1:
"Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a ...
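Requirement 11.1 as quoted above asks for a process that detects and identifies both authorized and unauthorized access points, which in practice means comparing what a scan sees against an inventory. The following is an added example and not code from the question: it parses output in the format printed by `iw dev <interface> scan`, compares each BSSID against an assumed authorized inventory, and separates plain unknown APs from "evil twin" candidates that broadcast one of the organization's own SSIDs. The scan text, BSSIDs and SSIDs are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the layout `iw dev wlan0 scan` prints; every BSSID and
# SSID here is made up for this example.
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:55(on wlan0) -- associated
\tfreq: 2437
\tsignal: -41.00 dBm
\tSSID: CorpNet
BSS aa:bb:cc:dd:ee:01(on wlan0)
\tfreq: 5180
\tsignal: -55.00 dBm
\tSSID: CorpGuest
BSS de:ad:be:ef:00:01(on wlan0)
\tfreq: 2462
\tsignal: -38.00 dBm
\tSSID: CorpNet
BSS 12:34:56:78:9a:bc(on wlan0)
\tfreq: 2412
\tsignal: -79.00 dBm
\tSSID: CoffeeShopWifi
"""

# Assumed authorized inventory: BSSID -> the SSID it is allowed to broadcast.
AUTHORIZED: Dict[str, str] = {
    "00:11:22:33:44:55": "CorpNet",
    "00:11:22:33:44:66": "CorpNet",    # second AP that should also be visible
    "aa:bb:cc:dd:ee:01": "CorpGuest",
}


@dataclass
class AccessPoint:
    bssid: str
    ssid: str = ""
    freq: int = 0
    signal: float = 0.0


def parse_iw_scan(text: str) -> List[AccessPoint]:
    """Turn `iw` scan output into AccessPoint records, one per BSS block."""
    aps: List[AccessPoint] = []
    cur = None
    for line in text.splitlines():
        m = re.match(r"BSS ([0-9a-f:]{17})", line, re.I)
        if m:
            cur = AccessPoint(m.group(1).lower())
            aps.append(cur)
            continue
        if cur is None:
            continue
        line = line.strip()
        if line.startswith("SSID:"):
            cur.ssid = line[5:].strip()
        elif line.startswith("freq:"):
            cur.freq = int(line[5:].strip())
        elif line.startswith("signal:"):
            cur.signal = float(line[7:].split()[0])
    return aps


def classify(aps: List[AccessPoint], authorized: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a scan against the inventory and bucket every BSSID."""
    seen = {ap.bssid: ap for ap in aps}
    known_ssids = set(authorized.values())
    rogue = sorted(b for b in seen if b not in authorized)
    return {
        "authorized": sorted(b for b in seen if b in authorized),
        # unknown AP using one of our SSIDs: evil-twin candidate, highest priority
        "evil_twin": sorted(b for b in rogue if seen[b].ssid in known_ssids),
        "rogue": rogue,
        # authorized hardware broadcasting the wrong SSID: misconfiguration or tampering
        "misconfigured": sorted(b for b in seen
                                if b in authorized and seen[b].ssid != authorized[b]),
        # inventory entries the scan did not see: outage, or moved out of range
        "missing": sorted(b for b in authorized if b not in seen),
    }


if __name__ == "__main__":
    for bucket, bssids in classify(parse_iw_scan(SAMPLE_SCAN), AUTHORIZED).items():
        print(f"{bucket:13s} {bssids}")
```

A scan from one vantage point only sees what is in radio range, and a neighbour's AP will land in `rogue` even though it is not attached to your network; the requirement is about APs connected to the cardholder data environment, so scan results need to be combined with wired-side checks (switch port and MAC tables) before anything is declared a rogue on the CDE.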
22
votes
3
answers
6k
views
Direct access to databases
Some of the non-DBA workers, like developers (for crisis handling), fraud analysts (with read permissions only) and a few more, need direct access to databases to ...
2
votes
1
answer
3k
views
Can a user's login credentials and/or secret questions be considered PII under EU regulations?
The European Union is one of the most regulated places on how to deal with Personally Identifiable Information.
I was going to answer this question by saying that he had to hash the user password because ...
2
votes
1
answer
1k
views
Unable to completely enforce password policy
PCI DSS has a few requirements regarding the password policy (like remember the last four passwords, change password every 90 days, use at least seven numeric and alphabetic characters, and more).
These ...
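The policy elements listed in that question (minimum seven characters, both letters and digits, no reuse of the last four, change every 90 days) are straightforward to enforce in an application's own password-change path. The following is an added example, not code from the question: a validator that checks a candidate password against those rules, keeping history as salted PBKDF2 hashes so the last four passwords are never stored in recoverable form. The policy values are taken from the question; the function names, iteration count and test passwords are the example's own assumptions.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Policy values as quoted in the question; assumed defaults, adjust per assessor.
MIN_LENGTH = 7
HISTORY_DEPTH = 4
MAX_AGE = timedelta(days=90)
PBKDF2_ROUNDS = 100_000  # assumption; raise for production hardware

HistoryEntry = Tuple[bytes, bytes]  # (salt, pbkdf2 digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> HistoryEntry:
    """Salted PBKDF2-HMAC-SHA256; each history entry gets its own salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password: str, entry: HistoryEntry) -> bool:
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def password_violations(candidate: str, history: List[HistoryEntry]) -> List[str]:
    """Return every rule the candidate breaks (empty list means acceptable)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in candidate):
        problems.append("no alphabetic character")
    if not any(c.isdigit() for c in candidate):
        problems.append("no numeric character")
    # Only the most recent HISTORY_DEPTH entries count; older ones may be reused.
    if any(matches(candidate, e) for e in history[-HISTORY_DEPTH:]):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


def rotation_due(last_changed: datetime, now: datetime) -> bool:
    """True once the password is MAX_AGE old (90 days in the question)."""
    return now - last_changed >= MAX_AGE


def change_password(candidate: str, history: List[HistoryEntry]) -> List[HistoryEntry]:
    """Validate and, if clean, append the new hash; trims history to what the
    policy needs so old hashes are not kept around indefinitely."""
    problems = password_violations(candidate, history)
    if problems:
        raise ValueError("; ".join(problems))
    return (history + [hash_password(candidate)])[-HISTORY_DEPTH:]


if __name__ == "__main__":
    history: List[HistoryEntry] = []
    history = change_password("first1pw", history)
    print(password_violations("first1pw", history))   # reuse rejected
    print(password_violations("second2pw", history))  # []
    print(rotation_due(datetime(2020, 1, 1), datetime(2020, 3, 31)))  # True
```

Note that the age check has to be driven from the login path (or a scheduled job), since the validator above only sees a password when the user chooses to change it; that gap is usually where "unable to completely enforce" comes from.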
2
votes
1
answer
160
views
Security requirements of storing ID numbers in database EU/USA?
I am dealing with a client (an official organization in one EU country) who is storing all clients' ID numbers in an Excel spreadsheet. They need those numbers to present their clients once per year i....
5
votes
1
answer
372
views
UK or EU regulations that require Security Awareness Training
I was completing a survey of the various regulations and standards that require Privacy or Security Awareness training, and have compiled the following list from various sources:
FEDERAL LAWS AND ...
1
vote
0
answers
139
views
Compliant login process
Working with a developer to update a login system through a web-UI:
Currently, we use:
Enter login ID
Goes through Challenge/Step-up
Based on results: Challenge/Step-up User is presented the ...
4
votes
2
answers
668
views
WHOIS Contact Details Abused
The system for the internet and the way people can abuse it is getting worse and worse. I am having several issues with people abusing the information within my WHOIS, which if I remember is protected ...
5
votes
2
answers
3k
views
Retention periods for web logs
I work for an ASP that provides banking solutions:
- Card Services
- Payments
- ACH
- Online Banking
- And others
Back Story: Our company provides an "all in one" solution or parts thereof; we are constrained ...
2
votes
5
answers
6k
views
Questions about in-scope information assets for an ISO27001 ISMS
I am in the process of writing a scope for the information assets, in preparation for writing an ISO 27001 compliant ISMS. I am confused as to whether a VPN network is considered to be in scope, as well ...
1
vote
1
answer
241
views
Incentives to Support Adoption of the Cybersecurity Framework
The US White House has just released the subject blog post (link here), which suggests adoption of this proposed new cyber insurance might be rewarded by liability limitations including "reduced tort ...
6
votes
2
answers
2k
views
What security standards and regulations are in place for bank ATM?
Are there any international or US-mandated standards and regulations that apply to communications between automatic teller machines and a bank's central office? Are banks or ATM operators subjected to ...
2
votes
4
answers
231
views
How do you build a secure web application that is also COPPA compliant?
If you are building a web application to be used by US schools, you will probably have to worry about COPPA compliance.
The Children's Online Privacy Protection Act, or COPPA, is new to me, probably because ...
0
votes
2
answers
182
views
Security in the breaking cloud? Storage Wars?
If access to a cloud server instance that stores personal/important information is lost or removed by the provider, is my data protected? Can the provider access my data and copy it, distribute, or ...
16
votes
2
answers
759
views
Which factors should I consider for devices that accept handwritten digital signatures?
These days many locations ask you to give your signature on a digital signature pad/device.
As I am situated in Europe, the EU directive 1999/93/EC seems to regulate it. From what I have found out ...
5
votes
3
answers
625
views
Are there any regulations against financial companies storing passwords in plaintext?
A bank that I use stores my password in cleartext, or perhaps using reversible encryption, which is just as bad.
I know this because when you click "Forgot your password?" (or similar) link, it ...
6
votes
1
answer
1k
views
What governing body is responsible for the use of GSM SMS alphanumeric SenderID's?
Currently, I am writing a paper about GSM sender spoofing and how this flaw is possible with the use of different techniques and attack patterns in the GSM 2G implementation, both technically and ...
10
votes
2
answers
340
views
Cloud-specific standards and regulations
Not specific to any particular industry or requirements, but in general - are there currently commonly accepted standards regarding cloud-based applications?
I am developing a system that will be ...
1
vote
1
answer
993
views
What regulations *require* multi-factor authentication?
What industries require multi-factor authentication?
Please include the following information:
Country
Industry
Regulation name
Additional information as you see relevant.
Some additional ...
7
votes
1
answer
1k
views
Is BitLocker on a virtual machine FIPS 140-2 security level 1 compliant?
BitLocker can be used as a cryptographic module to fulfill FIPS 140-2 security level 1 compliance.
What if the encrypted drive is on a virtual machine, is that still FIPS 140-2 compliant?
In one ...
5
votes
2
answers
2k
views
What cryptographic module does SQL Server 2008 use to run in FIPS 140-2 compliant mode by default?
One can configure SQL Server 2008 to run in FIPS 140-2 compliant mode, in the same manner as running BitLocker in FIPS 140-2 compliant mode, which is to activate FIPS 140-2 compliant mode in the ...
16
votes
6
answers
21k
views
Regulations that specify password length?
I have read:
PCI DSS 1.2
SOX 404
AR 25-2
ISO 27001
But only PCI DSS specifies a minimum password length.
Are there any other regulations that dictate password lengths for any industry?
NIST ...
8
votes
1
answer
814
views
What compliance problem does "Common Criteria Certification" solve?
It has been said Common Criteria solves a "Compliance problem, and not a security problem". Can someone explain where CC certification is required or benefits an industry?
Is it simply a marketing ...
10
votes
2
answers
2k
views
HIPAA compliance without PII
I have a web site where people fill in medical syndrome questionnaires.
They can see how their condition changes over the time period.
I am not storing ANY PII, just a user name.
I can store in ...
4
votes
1
answer
333
views
HITECH : New United States Federal Act on Data Security
Has anyone heard of the new HITECH Federal Act? I understand that it is an underscore of the HIPAA Federal Act but am unclear of the requirements that they are requesting.
It targets companies that ...