Examples of Regulations and Compliance

This course is one of four courses covering Domain 1 of the CSSLP. This course explores the topic of security policies and regulations.

Learning Objectives

  • Obtain a general understanding of security policies, regulations, and compliance
  • Understand the legal and privacy issues that these regulations aim to address
  • Learn about a variety of security frameworks and standards
  • Learn about trusted computing principles and how they underpin security frameworks
  • Understand the security implications of acquiring software

Intended Audience

This course is designed for those looking to take the Certified Secure Software Lifecycle Professional (CSSLP) certification, or for anyone interested in the topics it covers.


Any experience relating to information security would be advantageous, but it is not essential. All topics discussed are thoroughly explained and presented in a way that allows the information to be absorbed by everyone, regardless of experience within the security field.



Take, for example, the Federal Information Security Management Act, known as FISMA 1, which was passed into law in 2002. It established a program framework and objectives regarding risk assessment, security accreditation, planning, testing, and incident management. As the name Federal Information Security Management Act indicates, this is a law that was passed specifically to apply to federal organizations of all types. As such, it was put into documented, functionally implementable form by the NIST standards that formed its foundation. Following this, the Federal Information Security Systems Modernization Act, known as FISMA 2, brought all of this under one umbrella, with federal cybersecurity guidance and oversight placed under the Department of Homeland Security.

Now, in recent years, we've heard a lot about the risk management framework, the RMF. It has been committed to several NIST publications, such as SP 800-14, 800-30, 800-37, 800-39, and 800-100, which provide the necessary details for successful implementation. The principles set out in these laws are equally applicable to civilian and other non-governmental organizations, should they choose to adopt them.

Continuing our discussion on regulations, we have the Sarbanes-Oxley Act of 2002. This was passed as a legislative reaction to the corporate scandals of that time, such as Enron and Arthur Andersen. Sarbanes-Oxley Section 404 stated and restated practices that are common in accounting, and it restated the requirement for strong internal controls, so that security protects the integrity of the information used in external financial reporting. Prior to that, the Gramm-Leach-Bliley Act of 1999 did for personal financial information what HIPAA, preceding it by another three years in 1996, did for personal health information. These laws served as the basis for their respective industries to establish policy, the legislative foundation for their enforcement, and the discipline that follows compliance violations, should the entity in question not measure up.

So we have HIPAA, the Health Insurance Portability and Accountability Act of 1996, which at the time was the most pervasive federal-level privacy law passed in this country, and many laws since have followed its model. It was amended by the HITECH Act, passed as part of the American Recovery and Reinvestment Act of 2009. HITECH added further controls over the privacy and security of protected health information to make them stronger, ensured that enforcement was formalized and more aggressive, and added technology in the form of encryption as a required control to protect the information from unauthorized and unwanted exposure.

Now, unlike the items listed on the previous slides, which were laws, we also have the Payment Card Industry Data Security Standards, known as PCI DSS. These are not laws or regulations, but they are very strong and very important industry security standards that govern the protection and use of the information captured in payment card transactions. These industry standards, brought about by the PCI DSS Standards Board, place requirements on vendors and processors, as well as other entities involved in in-person and online payment card transactions, to ensure the end-to-end protection of cardholder data in all of these different states.

Now there are, of course, other regulations around the world that govern the collection, use, and disclosure of personally identifiable information, at both the state and federal levels within the US and internationally. A prime example is the General Data Protection Regulation in the European Union. In that case, it acts as a federal-style standard applying to all EU member states, alongside the laws that exist in each of the member countries.

About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke's Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became, and remains, the standard curriculum used to train CISSP candidates worldwide. He has maintained his standards as a professional educator and has trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004. Mr. Leo is an ISC2 Certified Instructor.