Questions tagged [regulation]

A rule of order having the force of law, prescribed by a superior or competent authority, relating to the actions of those under the authority's control.

45 questions
83 votes · 7 answers

How many digits of a Visa card number can vendors disclose on receipts?

I visited a local McDonald's, and I noticed part of my Visa number repeated on the receipt like this: NNNN NN__ ____ NNNN. (So out of a total of 16 digits it breaks down like this: First six digits revealed, middle six digits hidden, final four…
asked by SimZal (rep 903)
22 votes · 3 answers

Direct access to databases

Some of the non-DBA workers, like developers (for crisis handling), fraud analysts (with read permissions only) and a few more, need direct access to databases to write their own queries. I can't reduce the…
asked by BokerTov (rep 539)
16 votes · 2 answers

Which factors should I consider for devices that accept handwritten digital signatures?

These days many locations ask you to give your signature on a digital signature pad/device. As I am situated in Europe, the EU directive 1999/93/EC seems to regulate it. From what I have found out so far from a device's perspective, to comply with…
asked by Indrek (rep 173)
15 votes · 6 answers

Regulations that specify password length?

I have read PCI DSS 1.2, SOX 404, AR 25-2 and ISO 27001, but only PCI DSS specifies a minimum password length. Are there any other regulations that dictate password lengths for any industry? NIST documents talk about the impacts of certain lengths…
asked by schroeder (rep 123,438)
11 votes · 1 answer

Does SOC-2 compliance require password rotation?

For convenience and security I find password rotation requirements harmful. Our SOC 2 auditor seems to still require them. Does SOC 2 actually require password rotation in 2020? I would think (hope) meeting NIST password guidelines and TOTP MFA…
asked by Meir Maor (rep 1,652)
10 votes · 2 answers

HIPAA compliance without PII

I have a web site where people fill in medical syndrome questionnaires. They can see how their condition changes during the time period. I am not storing ANY PII information, just user name. I can store it encrypted (if I have to). My question is – Do I…
asked by AaronS (rep 2,575)
10 votes · 1 answer

What are the privacy differences with Azure trustee delegates in China, Germany, and other locations?

Azure has different privacy agreements set up with different datacenters, as mentioned in this footnote: Azure is now available in China through a unique partnership between Microsoft and 21Vianet, one of the country’s largest Internet providers.…
asked by makerofthings7 (rep 50,090)
10 votes · 2 answers

Cloud-specific standards and regulations

Not specific to any particular industry or requirements, but in general - are there currently commonly accepted standards regarding cloud-based applications? I am developing a system that will be deployed in the "cloud" (i.e. hosted by an…
asked by AviD (rep 72,138)
9 votes · 1 answer

PSD2 compliant two factor authentication

According to PSD2 the elements of the multi-factor authentication must be independent so the compromise of one element does not compromise the other. Here is the article from the directive: *Article 9 Independence of the elements, Payment service…
8 votes · 1 answer

What compliance problem does "Common Criteria Certification" solve?

It has been said Common Criteria solves a "Compliance problem, and not a security problem". Can someone explain where CC certification is required or benefits an industry? Is it simply a marketing angle that helps sell a product to less-informed…
asked by makerofthings7 (rep 50,090)
7 votes · 1 answer

Is BitLocker on a virtual machine FIPS 140-2 security level 1 compliant?

BitLocker can be used as a cryptographic module to fulfill FIPS 140-2 security level 1 compliance. If the encrypted drive is on a virtual machine, is that still FIPS 140-2 compliant? In one BitLocker virtual machine setup, one of the drives or…
asked by Mark Rogers (rep 508)
6 votes · 2 answers

What security standards and regulations are in place for bank ATM?

Are there any international or US mandated standards and regulations that apply to communications between automatic teller machines and a bank's central office? Are banks or ATM operators subject to periodic audits that include ATM security…
asked by Drew Lex (rep 2,013)
6 votes · 1 answer

What governing body is responsible for the use of GSM SMS alphanumeric SenderIDs?

Currently, I am writing a paper about GSM sender spoofing and how this flaw is possible with the use of different techniques and attack patterns in the GSM 2G implementation, both technically and operationally. The topic is specifically concentrated…
asked by John Santos (rep 633)
6 votes · 1 answer

UK or EU regulations that require Security Awareness Training

I was completing a survey of the various regulations and standards that require Privacy or Security Awareness training, and have compiled the following list from various sources: Federal laws and regulations: HIPAA, GLBA, FISMA, FTC Red Flags…
asked by schroeder (rep 123,438)
5 votes · 2 answers

Retention periods for web logs

I work for an ASP that provides banking solutions (card services, payments, ACH, online banking and others). Back story: Our company provides an "all in one" solution or parts thereof; we are constrained by regulatory agencies. One of the issues that…
asked by Leptonator (rep 117)