Paper2
Part 1: Compare and contrast the following laws, regulations, and standards
| | HIPAA | FERPA | Sarbanes-Oxley | FISMA | PCI DSS | NIST SP 800-53 | OWASP ASVS [1] |
|---|---|---|---|---|---|---|---|
| Is it a regulation? If yes, provide the year of enactment. | | | | | | | |
| Target industry / audience | | | | | | | |
| Information security requirements (scope) | | | | | | | |
| Are there specific requirements for data breach disclosures? | | | | | | | |
| Are there specific requirements for subcontractors? | | | | | | | |
| Give a non-compliance example specific to the target industry. | | | | | | | |
| Voluntary or required for the target industry / audience? | | | | | | | |
| Who is the responsible body? | | | | | | | |
| Is there a certification scheme? | | | | | | | |
| How is compliance demonstrated? | | | | | | | |
| Are there different compliance levels/tiers depending on the features of the audience? | | | | | | | |

[1] Use the OWASP Application Security Verification Standard (ASVS); it can be downloaded from https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.pdf
Part 2: Compare and contrast the creation and change processes of the OWASP ASVS standard and FISMA.
Resources for ASVS:
· OWASP Application Security Verification Standard
· https://github.com/OWASP/ASVS
Resources for FISMA:
· FISMA Implementation Project - Background
· FISMA Implementation Project - Overview
Part 3: Select one of the legal/regulatory standards listed in the table above and describe the impact of that standard on the security of an IT system.
Part 4: Select one of the standards listed in the table, then describe how the selected standard can be applied to, and assessed for, contractors/subcontractors or citizens/customers.
Part 5: For the standards listed in the table, describe the specifications and requirements that are common to all or most of the standards.