Questions tagged [regulation]

A rule of order having the force of law, prescribed by a superior or competent authority, relating to the actions of those under the authority's control.

45 questions
Are there any regulations against financial companies storing passwords in plaintext? (5 votes, 3 answers)

A bank that I use stores my password in cleartext or perhaps using reversible encryption, which is just as bad. I know this because when you click the "Forgot your password?" (or similar) link, it sends you an email with your password in cleartext.…
Asked by user606723

What cryptographic module does SQL Server 2008 use to run in FIPS 140-2 compliant mode by default? (5 votes, 2 answers)

One can configure SQL Server 2008 to run in FIPS 140-2 compliant mode, in the same manner as running BitLocker in FIPS 140-2 compliant mode, which is to activate FIPS 140-2 compliant mode in the Local Group Policy Editor dialog. From Instructions…
Asked by Mark Rogers

HITECH: New United States Federal Act on Data Security (4 votes, 1 answer)

Has anyone heard of the new HITECH Federal Act? I understand that it is an underscore of the HIPAA Federal Act but am unclear of the requirements that they are requesting. It targets companies that deal with the storage or movement of medical and…
Asked by Anthony Miller

WHOIS Contact Details Abused (4 votes, 2 answers)

The system for the internet and the way people can abuse it is getting worse and worse. I am having several issues with people abusing the information within my WHOIS, which if I remember is protected by international laws, or at least should…
Asked by Traven

Is there a specification for the color values representing information classification levels for the United States? (4 votes, 1 answer)

Executive Order 13526 section 1.2 specifies that information may be classified as Top Secret, Secret, and Confidential. The absence of a classification is Unclassified. US classification levels are used to mark the classification level of documents and…

How can I prove that I adhere to a stated privacy policy? What audits are effective for voluntary compliance? (3 votes, 1 answer)

I have a website and mobile app that doesn't store data or PII. Suppose I'm not subject to any special privacy laws. How can I voluntarily submit myself to an audit to ensure that I'm acting true to my word? What regulations are recognized by…
Asked by makerofthings7

Can a card issuing company store the CVV number, expiry date and 16-digit card number? (3 votes, 3 answers)

I have a limited-amount plastic card issued by a certain company. When I log into my online account at the same company, I can see the complete details: the 16-digit card number, name, expiry date and CVV number are visible there. The login is protected via…
Asked by ISGuy

What is the minimal security standard needed for this type of software product? (3 votes, 1 answer)

Actions described in security standards (like ISO 27002, PCI-DSS, HIPAA, Common Criteria) vary greatly according to the domain data that they store, process, transmit and report. We have a product which collects metrics from a network/wifi enabled…
Asked by user134083

Questions about in-scope information assets for an ISO27001 ISMS (2 votes, 5 answers)

I am in the process of writing a scope for the information assets, in preparation for writing an ISO27001 compliant ISMS. I am confused as to whether a VPN network is considered to be in scope, as well as things like the wireless access point for…
Asked by KingJohnno

How do you build a secure web application that is also COPPA compliant? (2 votes, 4 answers)

If you are building a web application to be used by US schools, you will probably have to worry about COPPA compliance. Children's Online Privacy Protection or COPPA is new to me, probably because it was passed in 1998 and then quickly forgotten. …
Asked by rook

Can an indie app developer get fined if they unintentionally didn't protect users' data from hackers? (2 votes, 1 answer)

I'm currently developing an app in which the users will store sensitive data, and this data will be stored on the internet (I'll use Firebase or a similar service). I'll try to secure the data as much as I can (and send it via a secure connection…

Reason for lack of asymmetric cryptography in AWS KMS for regions in China (2 votes, 1 answer)

In the documentation of the AWS Key Management Service (KMS) I found this interesting sentence: Asymmetric CMKs and asymmetric data key pairs are supported in all AWS Regions that AWS KMS supports except for China (Beijing) and China…
Asked by mat

Compliance / FCA regulations (2 votes, 0 answers)

First of all, please accept my apology for being ignorant of compliance/FCA regulations, as I have been digging everywhere to get the answer to a very specific question: SCENARIO I am planning to start an online business (let's say…
Asked by 9 Digit

Can a user's login credentials and/or secret questions be considered PII under EU regulations? (2 votes, 1 answer)

The European Union is one of the most regulated places on how to deal with Personally Identifiable Information. I was going to answer this question by saying that he had to hash the user password because of EU regulations, but I am not so sure. So, of…
Asked by Mindwin

Unable to completely enforce password policy (2 votes, 1 answer)

PCI DSS has a few requirements regarding the password policy (like remembering the last four passwords, changing the password every 90 days, using at least seven numeric and alphabetic characters, and more). These requirements are easily enforced as soon as the…