and
• Security systems and processes must be regularly tested.
• A policy must be maintained that addresses information security.
PCI DSS is a private-sector industry initiative. It is not a law. Noncompliance or violations of the PCI DSS may result in financial penalties or possible revocation of merchant status within the credit card industry, but not jail time. However, Minnesota became the first state to mandate PCI compliance as a law, and other states, as well as the United States federal government, are implementing similar measures.
NOTE As mentioned before, privacy is being dealt with through laws, regulations, self-regulations, and individual protection. PCI is an example of a self-regulation approach. It is not a regulation that came down from the government and that is being governed by a government agency. It is an attempt by the credit card companies to reduce fraud and govern themselves so the government does not have to get involved.

CISSP All-in-One Exam Guide, 5th Ed. / Harris / 160217-8
The Computer Security Act of 1987
The Computer Security Act of 1987 requires U.S. federal agencies to identify computer systems that contain sensitive information. The agency must develop a security policy and plan for each of these systems and conduct periodic training for individuals who operate, manage, or use these systems. Federal agency employees must be provided with security-awareness training and be informed of how the agency defines acceptable computer use and practices.

Because the U.S. federal government deals with a lot of important, confidential, and secret information, it wants to make sure all individuals and systems within all federal government agencies meet a certain level of awareness and protection.

The Economic Espionage Act of 1996
Prior to 1996, industry and corporate espionage was taking place with no real guidelines for who could properly investigate the events....
This note was uploaded on 06/01/2013 for the course NET 125 taught by Professor Hurst during the Fall '12 term at Wake Tech.