Transcript Slide 1

Brief Synopsis of Computer Security Standards
Tenets of Information Systems Security

Confidentiality

Integrity

Availability
Over the years, standards and legislation have
been created to support the tenets of
information systems security.
1968 NBS

National Bureau of Standards does a study of
US Government's computer security needs.
1972 NBS & ACM

NBS, in collaboration with the ACM (Association for
Computing Machinery), sponsors the first
conference on computer security.
1974 TEMPEST

Establishes standards for shielding equipment against
compromising electromagnetic emanations, which can
leak the data being processed to a nearby eavesdropper.
1977 NBS & ANSI


NBS sponsors workshops on auditing and evaluating
computer system security.
NBS publishes DES, the Data Encryption Standard,
as FIPS PUB 46 (ANSI later adopted it as
ANSI X3.92).


This is the official standard encryption for
unclassified federal data (a 56-bit key, block
cipher).
1986: the NSA announces it will no longer endorse DES.
1980 Computer Security Center

Department of Defense establishes the
Computer Security Center within the NSA
1983 TCSEC Orange Book Release


DOD releases the “Trusted Computer System
Evaluation Criteria”, TCSEC
Affectionately known as the “Orange Book”,
because of its orange cover.

Revised in 1985

Retired in 2002
1984 NSDD-145

National Security Decision Directive 145, the "National
Policy on Telecommunications and Automated Information
Systems Security", gave the NSA the authority to advise
the private sector on computer security, including
systems handling sensitive but unclassified data.
http://www.fas.org/irp/offdocs/nsdd145.htm
1986 Computer Fraud and Abuse
Act

Makes unauthorized or fraudulent access to government
computers and the electronic data they hold a federal
crime.
1987 Computer Security Act

Government agencies must have a well-defined
information system security plan for systems holding
sensitive information; responsibility for standards for
unclassified federal systems is assigned to NBS (later
NIST) rather than the NSA.
Common Criteria


Developed during the 1990s by the US, Canada and
European nations, unifying the European ITSEC, the
Canadian CTCPEC and the US TCSEC; published as
ISO/IEC 15408 in 1999.
Superseded the TCSEC (Orange Book) circa
2002.
1996 HIPAA

Health Insurance Portability and Accountability
Act


Among other things, it establishes standards for
electronic health care transactions
Establishes the importance of privacy and security
for health care data
1999 Gramm-Leach-Bliley Act

Contains a Financial Privacy Rule governing how
customer information may be collected and shared.

Its Safeguards Rule requires financial institutions to
design, implement, and maintain safeguards to protect
customer information.
2002 SOX

Sarbanes-Oxley

Among other things, requires publicly traded companies
to assess and report on internal controls over financial
reporting (Section 404), which brings the IT controls
protecting the audited data into scope.
2002 FISMA

Federal Information Security Management Act
Each federal agency must develop, document,
and implement an agency-wide security
program to protect its information systems,
data and infrastructure.
2004 PCI DSS / 2006 PCI SSC

Payment Card Industry Data Security Standard (v1.0
released December 2004), maintained since 2006 by the
Payment Card Industry Security Standards Council

Establishes a minimum level of security for merchants
and service providers that store, process or transmit
cardholder data.
2009 HITECH Act

Health Information Technology for Economic
and Clinical Health


Designed to further support HIPAA rules.
Addresses privacy and security concerns
associated with the electronic transmission and
storage of health information.