CCSP Laws and Regulations

30 Terms

1. (ISC)² - International Information System Security Certification Consortium

  • A non-profit certification body (founded in 1989) that administers the CISSP and CCSP, among other certifications.

  • Its certifications have a long history of being difficult to obtain, which is why they are seen as having higher value in the industry.

2. American Institute of Certified Public Accountants (AICPA)

  • Provides standards, guidance, and resources for the accounting profession.

  • Relevant to cloud security because it defines the SOC 1, SOC 2, and SOC 3 attestation reports, and the Trust Services Criteria behind SOC 2, that cloud providers use to demonstrate their controls to customers.

3. Biba Model

  • An integrity-focused mandatory access control model; it prevents unauthorized or untrusted modification of data (the mirror image of Bell-LaPadula, which addresses confidentiality).

  • Two rules: no read down (a subject may not read an object of lower integrity, so trusted processes are not contaminated by untrusted input) and no write up (a subject may not write to an object of higher integrity, so untrusted processes cannot corrupt trusted data).
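The two Biba rules in working form, as a small reference monitor. This is an added example, not part of the original flashcard deck; the integrity levels, the subject and object names, and the request list are constructed for illustration, and only the two access rules themselves are Biba's.

```python
"""Biba integrity rules as a small reference monitor.

Added example, not part of the original flashcard deck. The integrity
levels, subjects, objects and the request list are constructed for
illustration; only the two access rules are Biba's.
"""
from enum import IntEnum


class Integrity(IntEnum):
    """Integrity levels; a higher number means more trustworthy."""
    LOW = 1      # e.g. data that came from an anonymous web form
    MEDIUM = 2   # e.g. data produced by an internal application
    HIGH = 3     # e.g. system configuration maintained by admins


def biba_allows(subject: Integrity, obj: Integrity, access: str) -> bool:
    """Return True if the access is permitted under Biba's mandatory rules.

    Simple Integrity Property ("no read down"): a subject may read an
    object only if the object's integrity is at least the subject's, so
    a high-integrity process is never contaminated by low-integrity data.
    *-Integrity Property ("no write up"): a subject may write an object
    only if the subject's integrity is at least the object's, so a
    low-integrity process can never corrupt high-integrity data.
    """
    if access == "read":
        return obj >= subject
    if access == "write":
        return subject >= obj
    raise ValueError(f"unknown access type: {access!r}")


# Constructed sample subjects and objects with their integrity labels.
SUBJECTS = {
    "config-loader": Integrity.HIGH,
    "billing-app": Integrity.MEDIUM,
    "web-form-handler": Integrity.LOW,
}
OBJECTS = {
    "/etc/app/config.yaml": Integrity.HIGH,
    "invoices.db": Integrity.MEDIUM,
    "uploads/form.json": Integrity.LOW,
}


def evaluate(requests):
    """Apply biba_allows to (subject, object, access) triples.

    Returns a list of (subject, object, access, "ALLOW" | "DENY").
    """
    decisions = []
    for subject, obj, access in requests:
        ok = biba_allows(SUBJECTS[subject], OBJECTS[obj], access)
        decisions.append((subject, obj, access, "ALLOW" if ok else "DENY"))
    return decisions


# Constructed requests covering each case the two rules decide.
SAMPLE_REQUESTS = [
    ("config-loader", "uploads/form.json", "read"),          # read down: DENY
    ("web-form-handler", "/etc/app/config.yaml", "read"),    # read up: ALLOW
    ("web-form-handler", "/etc/app/config.yaml", "write"),   # write up: DENY
    ("config-loader", "uploads/form.json", "write"),         # write down: ALLOW
    ("billing-app", "invoices.db", "write"),                 # same level: ALLOW
]

if __name__ == "__main__":
    for subject, obj, access, decision in evaluate(SAMPLE_REQUESTS):
        print(f"{decision:5} {subject} {access} {obj}")
```

The first and third requests are the ones Biba exists to stop: a trusted configuration loader consuming untrusted form input, and an untrusted handler overwriting trusted configuration. Note that reading "up" is allowed, which is exactly the opposite of Bell-LaPadula's no-read-up rule.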

4. Capability Maturity Model (CMM)

  • A framework, originally developed at Carnegie Mellon's Software Engineering Institute, for assessing and improving the maturity of an organization's processes, especially in software development and IT management.

  • Five maturity levels: Initial, Repeatable, Defined, Managed, and Optimizing. It has since been superseded by CMMI (Capability Maturity Model Integration).

5. Child Online Protection Act (COPA)

  • A U.S. federal law passed in 1998 that was designed to restrict access by minors to material deemed harmful to them on the Internet.

  • It was challenged on First Amendment grounds and never took effect. Do not confuse it with COPPA (the Children's Online Privacy Protection Act, also 1998), which governs the collection of personal information from children under 13 and is still in force.

6. Cloud Security Alliance (CSA)

  • A not-for-profit organization dedicated to promoting best practices for cloud computing security.

  • Publishes the Cloud Controls Matrix (CCM) and runs the STAR (Security, Trust, Assurance and Risk) registry of provider self-assessments and third-party certifications. The CCSP itself was developed jointly by (ISC)² and CSA.

7. Control Objectives for Information and Related Technologies (COBIT)

  • An ISACA framework for IT governance and management. First released in 1996 as an IT audit and control framework, it was widely adopted for the IT-controls portion of Sarbanes-Oxley compliance.

  • Later versions shifted the emphasis from IT controls to enterprise governance of information and technology; the current version is COBIT 2019.

  • COBIT 5, the version these principles come from, is built on five principles:

    • 1: Meeting Stakeholder Needs;

    • 2: Covering the Enterprise End-to-End;

    • 3: Applying a Single Integrated Framework;

    • 4: Enabling a Holistic Approach; and

    • 5: Separating Governance from Management.

8. ENISA - European Union Agency for Cybersecurity

  • Cybersecurity Expertise

    • Provides advice, guidance, and best practices on cybersecurity issues for the EU institutions and member states

  • Risk Assessment and Threat Analysis

    • Conducts studies on cyber threats, incidents, and vulnerabilities (e.g., the annual ENISA Threat Landscape report)

9. Family Educational Rights and Privacy Act (FERPA)

  • A U.S. federal law passed in 1974

  • Protects the privacy of student education records and gives students (or the parents of minors) the right to inspect those records and request corrections

  • Applies to schools and educational institutions that receive funding from the U.S. Department of Education

10. Federal Information Processing Standard (FIPS) 140-2

  • A U.S. government standard that defines security requirements for cryptographic modules used to protect sensitive data

  • Published by NIST (National Institute of Standards and Technology); modules are validated under the Cryptographic Module Validation Program (CMVP), run jointly by NIST and the Canadian Centre for Cyber Security

  • Ensures that hardware and software that perform cryptography meet defined security requirements. A product that merely uses an approved algorithm is not "FIPS validated"; only a module holding a CMVP certificate is

  • Four security levels:

    • Level 1: Basic requirements; at least one approved algorithm, no physical security mechanisms required (software-only modules typically validate here)

    • Level 2: Adds tamper-evident coatings or seals and role-based authentication

    • Level 3: Adds tamper-resistant hardware that zeroizes keys when tampering is detected, identity-based authentication, and physical or logical separation of the interfaces used for critical security parameters

    • Level 4: Highest level; a complete envelope of protection that detects and responds to environmental attacks (e.g., voltage, temperature)

  • FIPS 140-2 has been superseded by FIPS 140-3 (effective September 2019); the CMVP stopped accepting new 140-2 submissions in September 2021, and remaining 140-2 certificates move to the historical list in September 2026

11. Federal Information Security Management Act (FISMA)

A U.S. law (2002, updated by the Federal Information Security Modernization Act of 2014) requiring federal agencies and their contractors to implement risk-based information security programs, follow NIST standards (FIPS 199, FIPS 200, and SP 800-53), and report on the effectiveness of their security controls.

12. International Organization for Standardization (ISO)

A global standards body that develops and publishes standards to ensure quality, safety, efficiency, and best practices across industries, including IT and information security. The name is often mis-expanded as "International Standards Organization"; "ISO" is not an acronym. Its information security standards are issued jointly with the IEC, hence "ISO/IEC 27001".

13. ISO/IEC 27001

  • Specifies requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS).

  • Focuses on what an organization must do to manage information security. It is the certifiable standard of the 27000 family; the current edition is 27001:2022, whose Annex A lists 93 controls.

14. ISO/IEC 27002

  • Provides best-practice guidelines for selecting and implementing the information security controls referenced in 27001's Annex A.

  • Focuses on how an organization should implement the controls. It is guidance only; organizations certify against 27001, not 27002.

15. Wassenaar Arrangement

A multilateral export-control regime (established 1996) covering conventional arms and dual-use goods and technologies, including encryption and advanced computing tools. It is not itself law; each participating state implements it through its own export-control rules (in the U.S., the Export Administration Regulations).

16. National Institute of Standards and Technology (NIST)

A U.S. federal agency within the Department of Commerce that develops technology standards, guidelines, and best practices, particularly for cybersecurity, IT risk management, and cryptography. Its security output includes the FIPS series, the SP 800 series, and the Cybersecurity Framework (CSF).

17. Open Web Application Security Project (OWASP)

A non-profit organization that provides free resources, tools, and guidance to improve the security of web applications, including the widely recognized OWASP Top 10 list of web application risks. Renamed the Open Worldwide Application Security Project in 2023; the acronym is unchanged.

18. European Union Agency for Network and Information Security (ENISA)

The former name of the EU agency that provides guidance, expertise, and coordination to strengthen cybersecurity across member states and support EU cybersecurity policies. The 2019 EU Cybersecurity Act renamed it the European Union Agency for Cybersecurity and gave it a permanent mandate; older exam material may still use the old expansion.

19. The Clarifying Lawful Overseas Use of Data (CLOUD) Act

  • A 2018 U.S. law amending the Stored Communications Act. It allows U.S. law enforcement to:

    • Compel U.S.-based providers to produce data in their possession, custody, or control, even if the data is stored abroad

    • Enter into executive agreements with qualifying foreign governments so that each side's law enforcement can request data directly from providers in the other

  • It does not override foreign law: a provider may move to quash an order when compliance would violate the law of a qualifying foreign government, and the court weighs the competing interests (a comity analysis)

  • Goal: Ensure investigators can obtain evidence without waiting on the slower mutual legal assistance treaty (MLAT) process

  • Cloud relevance: the physical location of a data center does not by itself shield data held by a U.S. provider from U.S. legal process

20. Sarbanes-Oxley (SOX) Act

  • Purpose: Corporate financial accountability (enacted 2002 after the Enron and WorldCom accounting scandals)

  • Scope: Publicly traded companies in the U.S.

  • Requirements:

    • Accurate financial reporting

    • Internal controls over financial reporting, including the IT systems that feed it, with annual management assessment and external audit (Section 404)

    • CEO/CFO must personally certify financial statements (Section 302)

21. General Data Protection Regulation (GDPR)

  • Purpose: Protect the personal data of natural persons in the EU/EEA (data subjects; residence, not citizenship, is what matters)

  • Scope: Any organization processing personal data of people in the EU, regardless of where the organization is located (in force since 25 May 2018)

  • Requirements:

    • Have a lawful basis for processing; consent is one of six (others include contract, legal obligation, and legitimate interests)

    • Honor data subject rights: access, rectification, erasure, portability, and objection

    • Restrictions on transferring data outside the EU/EEA without adequate safeguards (an adequacy decision, standard contractual clauses, or binding corporate rules)

    • Notify the supervisory authority of personal data breaches within 72 hours where feasible

    • Fines up to 4% of global annual turnover or EUR 20 million, whichever is higher

22. Gramm-Leach-Bliley Act (GLBA)

  • Purpose: Protect the privacy of consumer financial information in the U.S. (enacted 1999)

  • Scope: Financial institutions (banks, insurance, credit, and other businesses significantly engaged in financial services)

  • Requirements:

    • Privacy Rule: inform customers about data collection and sharing practices and let them opt out of sharing with non-affiliated third parties

    • Safeguards Rule: implement a written information security program to protect customer financial information

    • Pretexting provisions: prohibit obtaining customer information under false pretenses

23. Generally Accepted Privacy Principles (GAPP)

A framework of ten privacy principles developed jointly by the AICPA and the Canadian Institute of Chartered Accountants (CICA) to help organizations collect, use, store, and disclose personal information responsibly. It has since been folded into the privacy criteria of the AICPA Trust Services Criteria used for SOC 2.

24. Personal Information Protection and Electronic Documents Act (PIPEDA)

Canada's federal law (2000) that regulates how private-sector organizations collect, use, and disclose personal information in the course of commercial activity, built on ten fair information principles emphasizing consent, accountability, and data protection. Provinces with "substantially similar" laws (Quebec, Alberta, British Columbia) apply their own statutes in place of PIPEDA for intra-provincial activity.

25. Risk Management Framework (RMF)

A NIST-defined process (SP 800-37) for managing information system risk throughout the system lifecycle. Rev. 2 has seven steps: Prepare, Categorize (FIPS 199), Select (SP 800-53 baselines), Implement, Assess, Authorize, and Monitor. It is the process federal agencies follow to satisfy FISMA.

26. STRIDE Model

A threat modeling framework, developed at Microsoft, that classifies security threats into six categories: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Each category is the violation of a corresponding property (authentication, integrity, non-repudiation, confidentiality, availability, and authorization), which helps identify and mitigate risks in systems and applications.

27. NIST SP 800-53

A U.S. government catalog of standardized security and privacy controls for federal information systems and organizations, grouped into control families and selected as Low, Moderate, or High baselines (the baselines now live in SP 800-53B). The current revision is Rev. 5; FedRAMP's control sets are built on it.

28. Federal Risk and Authorization Management Program (FedRAMP)

  • A U.S. government program (established 2011, codified by the FedRAMP Authorization Act of 2022) that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud services

  • Ensures:

    • Cloud vendors meet federal security requirements (SP 800-53 controls at the Low, Moderate, or High impact level)

    • Data is handled according to federal regulations

    • Ongoing monitoring and compliance are maintained after authorization

  • Mandatory for cloud services that store or process federal data; a provider obtains an authorization that other agencies can then reuse rather than re-assessing the service themselves

29. ECPA (Electronic Communications Privacy Act)

A 1986 U.S. law that protects the privacy of electronic communications both in transit and when stored by service providers. It has three titles: the Wiretap Act (interception in transit), the Stored Communications Act (data held by providers, later amended by the CLOUD Act), and the Pen Register Act (dialing and addressing information).

30. DMCA (Digital Millennium Copyright Act)

A 1998 U.S. law that protects copyrighted digital content and criminalizes circumventing digital rights management (DRM) technologies (Section 1201). It also gives online service providers a safe harbor from liability for user-uploaded content if they follow the notice-and-takedown process (Section 512). Limited exemptions for good-faith security research are granted through the Copyright Office's triennial rulemaking.
