CompTIA Advanced Security Practitioner
(CASP) CAS-003, CH 1: Legal Requirements
The Public Company Accounting Reform and Investor Protection Act of 2002, more commonly
known as (term), affects any organization that is publicly traded in the United States. Ir regulates
the accounting methods and financial reporting for the organizations and stipulates penalties and
even jail time for executive officers. Ans: Sarbanes-Oxley (SOX) Act
Also known as the Kennedy-Kassebaum Act, affects all healthcare facilities, health insurance
companies, and healthcare clearinghouses. It provides stands and procedures for storing, using,
and transmitting medical information and healthcare data. It also overrides state laws unless the
state laws are stricter. Ans: Health Insurance Portability and Accountability Act (HIPAA)
Affects all financial institutions, including banks, loan companies, insurance companies,
investment companies, and credit card providers. It provides guidelines for securing all financial
information and prohibits sharing of financial information with third parties. This act directly
affects the security of personally identifiable information (PII). Ans: Gramm-Leach-Billey Act
(GLBA) of 1999
Affects any entities that might engage in hacking of "protected computers" as defined in the act.
It was amended in 1989, 1994, and 1996; in 2001 by the USA PATRIOT Act; in 2002 and in
2008 by the Identity Theft Enforcement and Restitution Act. A "protected computer" is a
computer used exclusively by a financial institution or the U.S. government or used in or
affecting interstate or foreign commerce or communication, including a computer located outside
the U.S. that is used in a manner that affects interstate or foreign commerce or communication of
the U.S. Most devices are under the jurisdiction of this law. Also includes several definitions of
hacking. Ans: Computer Fraud and Abuse Act (CFAA) of 1986
Affects any computer that contains records used by a federal agency. It provides guidelines on
collection, maintenance, use, and dissemination of PII about individuals that is maintained in
systems of records by federal agencies on collection, maintaining, using, and distributing PII.
Ans: Federal Privacy Act of 1974
Was superseded by the Federal Information Security Management Act (FISMA) of 2002. This
act was the first law to require a formal computer security plan. It was written to protect and
defend any of the sensitive information in the federal government systems and to provide
security for that information. It also places requirements on government agencies to train
employees and identify sensitive systems. Ans: Computer Security Act of 1987
Affects how private-sector organizations collect, use, and disclose personal information in the
course of commercial business in Canada. Written to address European Union (EU) concerns
about the security of PII in Canada. The law requires organizations to obtain consent when they
collect, use, or disclose personal information and to have personal information policies that are
(CASP) CAS-003, CH 1: Legal Requirements
The Public Company Accounting Reform and Investor Protection Act of 2002, more commonly
known as (term), affects any organization that is publicly traded in the United States. Ir regulates
the accounting methods and financial reporting for the organizations and stipulates penalties and
even jail time for executive officers. Ans: Sarbanes-Oxley (SOX) Act
Also known as the Kennedy-Kassebaum Act, affects all healthcare facilities, health insurance
companies, and healthcare clearinghouses. It provides stands and procedures for storing, using,
and transmitting medical information and healthcare data. It also overrides state laws unless the
state laws are stricter. Ans: Health Insurance Portability and Accountability Act (HIPAA)
Affects all financial institutions, including banks, loan companies, insurance companies,
investment companies, and credit card providers. It provides guidelines for securing all financial
information and prohibits sharing of financial information with third parties. This act directly
affects the security of personally identifiable information (PII). Ans: Gramm-Leach-Billey Act
(GLBA) of 1999
Affects any entities that might engage in hacking of "protected computers" as defined in the act.
It was amended in 1989, 1994, and 1996; in 2001 by the USA PATRIOT Act; in 2002 and in
2008 by the Identity Theft Enforcement and Restitution Act. A "protected computer" is a
computer used exclusively by a financial institution or the U.S. government or used in or
affecting interstate or foreign commerce or communication, including a computer located outside
the U.S. that is used in a manner that affects interstate or foreign commerce or communication of
the U.S. Most devices are under the jurisdiction of this law. Also includes several definitions of
hacking. Ans: Computer Fraud and Abuse Act (CFAA) of 1986
Affects any computer that contains records used by a federal agency. It provides guidelines on
collection, maintenance, use, and dissemination of PII about individuals that is maintained in
systems of records by federal agencies on collection, maintaining, using, and distributing PII.
Ans: Federal Privacy Act of 1974
Was superseded by the Federal Information Security Management Act (FISMA) of 2002. This
act was the first law to require a formal computer security plan. It was written to protect and
defend any of the sensitive information in the federal government systems and to provide
security for that information. It also places requirements on government agencies to train
employees and identify sensitive systems. Ans: Computer Security Act of 1987
Affects how private-sector organizations collect, use, and disclose personal information in the
course of commercial business in Canada. Written to address European Union (EU) concerns
about the security of PII in Canada. The law requires organizations to obtain consent when they
collect, use, or disclose personal information and to have personal information policies that are
