Compliance Regulations Resources
Payment Card Industry Data Security Standard (PCI DSS): Information security standard, maintained by the PCI Security Standards Council, for organizations that store, process, or transmit branded payment card data.
Health Insurance Portability and Accountability Act (HIPAA): HIPAA legislation, which was enacted in 1996, required the U.S. Department of Health and Human Services to develop a set of national standards for the electronic transfer of confidential patient information.
Sarbanes-Oxley (SOX) Act: The SOX Act of 2002 is legislation passed by the U.S. Congress to protect shareholders and the general public from accounting errors and fraudulent practices. It was enacted in response to the Enron, Tyco International, Peregrine Systems, and WorldCom accounting scandals.
General Data Protection Regulation (GDPR): The GDPR applies to any organization, wherever it is located, that processes the personal data of individuals in the European Union (EU).
Public Sector Information (PSI) Directive, or 'Open Data Directive': Governs the reuse of public sector information throughout the European Union.
PSI Reference: https://ec.europa.eu/digital-single-market/en/implementation-public-sector-information-directive-member-states
PSI Reference: https://ec.europa.eu/digital-single-market/en/public-sector-information-psi-directive-open-data-directive
Federal Information Security Management Act (FISMA): The FISMA of 2002 requires U.S. federal agencies to develop, document, and implement an agency-wide information security program, and subjects that program to annual independent evaluation and reporting. FISMA brought attention within the U.S. government to cybersecurity threats that were previously neglected.
Gramm-Leach-Bliley Act (GLBA): The GLBA of 1999 requires financial institutions to tell their customers what kinds of data they plan to share and with whom, to give customers a chance to opt out of that sharing, and to safeguard the customer data they hold.
Personal Information Protection and Electronic Documents Act (PIPEDA): The PIPEDA, or the PIPED Act, is a Canadian law governing how private sector organizations collect, use, and disclose personal information while conducting commercial business.
Data Protection Directive (95/46/EC): Regulated the processing of personal data within the European Union; superseded by the GDPR on 25 May 2018.
Basel II: Issued by the Basel Committee on Banking Supervision, Basel II is an international standard for banking regulators that governs how much capital banks must hold in reserve to guard against the financial and operational risks they face.
Digital Millennium Copyright Act (DMCA): Criminalizes the production and dissemination of technology, devices, or services intended to circumvent measures (digital rights management, or DRM) that control access to copyrighted works. It also criminalizes the act of circumventing an access control itself, regardless of whether any copyright was actually infringed, and increases the penalties for copyright infringement on the Internet.
Safe Harbor Act: The U.S.-EU Safe Harbor Framework, built on the Organization for Economic Co-operation and Development (OECD) privacy guidelines, was developed by the U.S. Department of Commerce and the European Commission to bridge the differences between EU and U.S. privacy law and to facilitate the personal data transfers that international trade requires, while satisfying the EU's adequacy requirement. The Court of Justice of the European Union invalidated the framework in October 2015.
Advanced References
CBP Leverages Blockchain Innovation to Protect American Business
https://www.hybrid-analysis.com/
Note
Reference: https://www.nist.gov/news-events/news/2015/08/nist-releases-sha-3-cryptographic-hash-standard
Many vendors offer CA services as a managed service or as an end-user product: VeriSign (whose CA business is now part of DigiCert), Entrust, and GoDaddy are some examples. Organizations may also run a private PKI using Active Directory Certificate Services on Windows Server or OpenSSL.
Many legacy cipher suites available in TLS are insecure, for example those using DES or RC4 encryption or HMAC-MD5 message authentication. Browsers and servers may still support these suites for compatibility, but their use is not recommended, and RFC 7465 prohibits RC4 in TLS outright.
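As an added example (not from the original page), the following Python script audits a list of TLS cipher suites by their IANA names, flagging the legacy algorithms named above and marking which suites provide forward secrecy. The suite list is constructed for illustration; the same code accepts the names reported by a scanner or by `openssl ciphers -stdname` (OpenSSL 1.1.1 or later).

```python
"""Audit TLS cipher suites (IANA names) for legacy algorithms and forward secrecy.

Added example, not part of the page. SAMPLE_SCAN is a constructed list.
"""
import re

# Legacy components, keyed by a substring of the IANA suite name. The leading
# underscore keeps "_DES_" from matching the "3DES" in "_3DES_EDE_".
LEGACY_MARKERS = {
    "_NULL_": "no encryption",
    "EXPORT": "export-grade (deliberately weakened) key sizes",
    "_RC4_": "RC4 stream cipher (prohibited by RFC 7465)",
    "_DES_": "single DES (56-bit key)",
    "_3DES_": "3DES (64-bit block size)",
    "_MD5": "HMAC-MD5 integrity",
    "_anon_": "anonymous key exchange (no server authentication)",
}

# Key exchanges that negotiate a fresh key per handshake. Anonymous DH is
# ephemeral too, but it is already flagged above for lacking authentication.
PFS_PATTERN = re.compile(r"^TLS_(ECDHE|DHE|ECDH_anon|DH_anon)_")

# TLS 1.3 suite names (RFC 8446) omit the key exchange: it is always ephemeral.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}


def audit_suite(name):
    """Return {"pfs": bool, "issues": [reasons]} for one IANA cipher suite name."""
    issues = [why for marker, why in LEGACY_MARKERS.items() if marker in name]
    pfs = name in TLS13_SUITES or bool(PFS_PATTERN.match(name))
    if not pfs:
        # TLS_RSA_* encrypts the premaster to the server's long-term key and
        # TLS_DH_*/TLS_ECDH_* use static DH shares; neither gives forward secrecy.
        issues.append("no forward secrecy (static RSA or static DH key exchange)")
    return {"pfs": pfs, "issues": issues}


def audit(suites):
    """Audit every suite in the list."""
    return {s: audit_suite(s) for s in suites}


def acceptable(suites):
    """Suites with no flagged issues (legacy algorithms or missing PFS)."""
    return [s for s in suites if not audit_suite(s)["issues"]]


# Constructed sample: what a scan of a poorly configured server might report.
SAMPLE_SCAN = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_DES_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_NULL_SHA",
]

if __name__ == "__main__":
    for suite, result in audit(SAMPLE_SCAN).items():
        status = "OK " if not result["issues"] else "BAD"
        print(f"{status} {suite}: {'; '.join(result['issues']) or 'PFS, no legacy algorithms'}")
```

Only the first three suites in the sample pass; everything built on TLS_RSA_* key transport is flagged even when its symmetric cipher is modern, because the key exchange, not the cipher, is what forfeits forward secrecy.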
Note
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf (Revision 1; superseded by NIST SP 800-52 Revision 2, published August 2019, which requires TLS 1.2 and prepares agencies for TLS 1.3)
The latest TLS version is v1.3, published as RFC 8446 in August 2018 (this page originally cited the working IETF draft, https://tools.ietf.org/html/draft-ietf-tls-tls13-15). Major changes from TLS v1.2 include removing static RSA and static DH key exchange (RSA certificates remain usable for authentication), removing MD5 and deprecating SHA-1 in the handshake's signature and MAC algorithms, removing all non-AEAD cipher suites along with compression and renegotiation, and dropping weak and lesser-used elliptic curves in favour of a short list (P-256, P-384, P-521, X25519, X448). Removing features that are no longer needed reduces the attack surface.
For example, TLS v1.2 cipher suites that use RSA for key exchange encrypt the premaster secret to the server's long-term RSA public key, so every session is protected solely by that one private key. If the key is compromised now or in the future, every recorded handshake that used these cipher suites can be decrypted retroactively. RSA certificates are still allowed in TLS v1.3, but only for authentication; key establishment is always done with ephemeral (EC)DHE, which provides perfect forward secrecy (PFS) because a fresh key pair is generated for each handshake and discarded afterwards.
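The forward-secrecy argument above can be made concrete. The following Python model is an added example, not code from the page: it runs a toy "static RSA" handshake and a toy "ephemeral DH" handshake, records everything an eavesdropper on the wire would see, then hands the attacker the server's long-term private key and asks which recorded session can be recovered. The RSA and DH parameters are deliberately tiny textbook values (Mersenne primes, generator 3) chosen so the arithmetic runs in pure Python; they are constructed for illustration, are not real TLS parameters, and offer no security.

```python
"""Toy model of forward secrecy: static RSA key exchange vs. ephemeral DH.

Added example, not from the page. All parameters are constructed toy values.
Requires Python 3.8+ (pow(e, -1, m) for the modular inverse).
"""
import hashlib
import secrets

# Toy RSA "server certificate" key: two Mersenne primes (constructed, insecure).
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))     # long-term private exponent

# Toy DH group (constructed, insecure): 127-bit Mersenne prime, generator 3.
DH_P = 2**127 - 1
DH_G = 3


def session_key(secret):
    """Derive a session key from the shared secret (stands in for the TLS PRF/HKDF)."""
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def static_rsa_handshake(transcript):
    """TLS 1.2-style RSA key transport: the client encrypts the premaster secret
    to the server's long-term public key. Whatever crosses the wire goes into
    transcript, which is what a passive attacker records."""
    premaster = secrets.randbelow(2**120)            # < N, so textbook RSA is well defined
    transcript["encrypted_premaster"] = pow(premaster, E, N)   # ClientKeyExchange
    server_view = pow(transcript["encrypted_premaster"], D, N) # server decrypts
    assert server_view == premaster
    return session_key(premaster)


def ephemeral_dh_handshake(transcript):
    """(EC)DHE: both sides pick fresh exponents that are discarded after use.
    The server's long-term key only signs its share; it never protects the secret."""
    a = secrets.randbelow(DH_P - 2) + 1             # client ephemeral exponent
    b = secrets.randbelow(DH_P - 2) + 1             # server ephemeral exponent
    transcript["client_share"] = pow(DH_G, a, DH_P)
    transcript["server_share"] = pow(DH_G, b, DH_P)  # in TLS this is signed with the cert key
    client_secret = pow(transcript["server_share"], a, DH_P)
    server_secret = pow(transcript["client_share"], b, DH_P)
    assert client_secret == server_secret
    del a, b                                        # ephemeral exponents are erased
    return session_key(client_secret)


def attacker_recovers_session_key(transcript, leaked_private_exponent):
    """Attacker replays a recorded handshake after the server's long-term key leaks.
    Returns the session key if it can be recovered, else None."""
    if "encrypted_premaster" in transcript:
        # Static RSA: the leaked key decrypts the recorded ClientKeyExchange directly.
        premaster = pow(transcript["encrypted_premaster"], leaked_private_exponent, N)
        return session_key(premaster)
    # DHE: only g^a and g^b were recorded and the exponents are gone. The leaked
    # key lets the attacker impersonate the server in FUTURE handshakes, but
    # recovering g^ab from this recording would mean solving a discrete logarithm,
    # which in a real group is infeasible. Nothing is attempted here.
    return None


def demo():
    """Run both handshakes, leak D afterwards, report which session is exposed."""
    rsa_transcript, dhe_transcript = {}, {}
    rsa_key = static_rsa_handshake(rsa_transcript)
    dhe_key = ephemeral_dh_handshake(dhe_transcript)
    return {
        "rsa_session_recovered": attacker_recovers_session_key(rsa_transcript, D) == rsa_key,
        "dhe_session_recovered": attacker_recovers_session_key(dhe_transcript, D) == dhe_key,
    }


if __name__ == "__main__":
    for label, exposed in demo().items():
        print(f"{label}: {exposed}")
```

The static RSA session is recovered every time, the DHE session never, even though the attacker holds the same server key in both cases. That asymmetry is exactly why TLS 1.3 dropped RSA key transport while keeping RSA certificates for authentication.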