Policy vs. Law
Ignorance of a policy is an acceptable defense, whereas ignorance of law is not
5 Criteria of Enforceable Policies
Dissemination, Review, Comprehension, Compliance, and Uniform Enforcement
Civil Law
Comprises a wide variety of laws that govern a nation or state and deal with the relationships and conflicts between organizations and people
Criminal Law
Addresses activities and conduct harmful to society, and is actively enforced by the state
Private Law
Encompasses family law, commercial law, and labor law, and regulates the relationship between individuals and organizations
Public Law
Regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments. Public law includes criminal, administrative, and constitutional law
Computer Fraud and Abuse Act of 1986 (CFAA)
The cornerstone of many computer-related federal laws and enforcement efforts. The punishment for offenses prosecuted under this statute includes fines, imprisonment of up to 20 years, or both.
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA Patriot Act of 2001)
Provides law enforcement agencies with broader latitude to combat terrorism-related activities.
Computer Security Act of 1987
One of the first attempts to protect federal computer systems by establishing minimum acceptable security practices. NIST is responsible for developing these standards in cooperation with the National Security Agency (NSA).
Federal Information Security Management Act (FISMA)
Enacted by Congress in 2002, it mandates that all federal agencies establish information security programs to protect their information assets. Effectively brought the federal government in line with the private sector.
Requirements of FISMA
1) Periodic assessments
2) Develop policies and procedures based on risk assessments
3) Subordinate plans to provide security for network facilities
4) Provide security awareness training
5) Periodic testing and evaluation
6) Remedial actions to address IS defi
Clipper Chip
Proposed to monitor private communications, used an algorithm with a two-part key that was to be managed by two separate government agencies. Was reportedly designed to protect individual communications while allowing the government to decrypt suspect tra
Privacy of Customer Information Section
Part of common carrier regulation, states that any proprietary information shall be used explicitly for providing services, and not for marketing purposes. Carriers cannot disclose this information, except when providing services
Federal Privacy Act of 1974
Regulates government agencies and holds them accountable if they release private information about individuals or businesses without permission
Electronic Communications Privacy Act of 1986
Informally referred to as the wiretapping act, is a collection of statutes that regulates the interception of wire, electronic, and oral communications. Works in conjunction with the 4th Amendment of the Constitution to protect against unlawful search and
Health Insurance Portability and Accountability Act of 1966 (HIPAA)
AKA Kennedy-Kassebaum Act, protects the confidentiality and security of healthcare data by establishing and enforcing standards and by standardizing electronic data interchange
HIPAA's 5 Fundamental Principles
1) Consumer control of medical information
2) Boundaries on the use of medical information
3) Accountability to maintain the privacy of specified types of information
4) Use of medical information for the greater good vs. impact to the individual
5) Secur
American Recovery and Reinvestment Act of 2009
Updated and broadened the scope of HIPAA in a section referred to as Health Information Technology for Economic and Clinical Health Act (HITECH), provided bounties for investigators, monetary incentives to pursue violators
Financial Services Modernization Act or Gramm-Leach-Bliley Act of 1999
This act requires all financial institutions to disclose their privacy policies on the sharing of nonpublic personal information. Also requires due notice to customers so they can request their information not be shared with third parties.
Fraud and Related Activity in Connection with Identification Documents, Authentication Features, and Information
The primary legislation at the federal level regarding Identity Theft. Criminalizes the creation, reproduction, transfer, possession, or use of unauthorized or false identification documents or document-making equipment
FTC Recommended Steps when people suspect they are victims of Identity Theft
1) Place an initial fraud alert
2) Order your credit reports
3) Create an identity theft report
4) Monitor and document progress
Identity Theft Enforcement and Restitution Act of 2008
Specifically addressed the malicious use of spyware or keyloggers to steal PII.
Economic Espionage Act of 1996
This law attempts to prevent trade secrets from being illegally shared
Security and Freedom through Encryption Act of 1999
Provides guidance for the use of encryption and provides protection from government intervention.
Key Escrow
AKA Key registration, the storage of a cryptographic key with another party for breaking the encryption of data.
U.S. Copyright Law
Protects intellectual property and published works, including electronic formats. Fair use allows copyrighted materials to be used to support news reporting, teaching, scholarship, and similar activities
Sarbanes-Oxley Act of 2002
This law seeks to improve the reliability and accuracy of financial reporting, and increase the accountability of corporate governance in publicly traded companies
Freedom of Information Act (FOIA) of 1966
Allows any person to request access to federal agency records or information not determined to be a matter of national security. However, some information is protected from disclosure.
PCI Security Standards Council
Designed to enhance the security of customers' account data. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data
Council of Europe Convention on Cybercrime
This convention advocates prosecution for copyright infringement. The overall goal of the convention is to simplify the acquisition of information for law enforcement agencies in certain types of international crimes and to simplify the extradition proces
Digital Millennium Copyright Act (DMCA)
1) Prohibits the circumvention of protections and countermeasures implemented by copyright owners
2) Prohibits the manufacture of devices to circumvent protections and countermeasures
3) Bans trafficking in devices manufactured to circumvent protections
Three general causes of unethical or illegal behavior
Ignorance, accident, and intent
Required for laws, policies, and associated penalties to provide deterrence
Fear of penalties
Probability of being apprehended
Probability of penalty being applied