Principles of Information Security, 5th Edition, Chapter 3

Policy vs. Law

Ignorance of a policy is an acceptable defense (which is why a policy must be disseminated and acknowledged before it can be enforced), whereas ignorance of the law is not

5 Criteria of Enforceable Policies

Dissemination, Review, Comprehension, Compliance, and Uniform Enforcement

Civil Law

Comprises a wide variety of laws that govern a nation or state and deal with the relationships and conflicts between organizations and people

Criminal Law

Addresses activities and conduct harmful to society, and is actively enforced by the state

Private Law

Encompasses family law, commercial law, and labor law, and regulates the relationship between individuals and organizations

Public Law

Regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments. Public law includes criminal, administrative, and constitutional law

Computer Fraud and Abuse Act of 1986 (CFAA)

The cornerstone of many computer-related federal laws and enforcement efforts. The punishment for offenses prosecuted under this statute includes fines, imprisonment of up to 20 years, or both.

Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA Patriot Act of 2001)

Provides law enforcement agencies with broader latitude to combat terrorism-related activities.

Computer Security Act of 1987

One of the first attempts to protect federal computer systems by establishing minimum acceptable security practices. NIST is responsible for developing these standards in cooperation with the National Security Agency (NSA).

Federal Information Security Management Act (FISMA)

Enacted by Congress in 2002, it mandates that all federal agencies establish information security programs to protect their information assets. Effectively brought the federal government in line with the private sector.

Requirements of FISMA

1) Periodic risk assessments
2) Policies and procedures based on those risk assessments
3) Subordinate plans to provide adequate security for networks, facilities, and systems
4) Security awareness training
5) Periodic testing and evaluation of controls
6) Remedial actions to address information security deficiencies

Clipper Chip

Proposed to monitor private communications; used an algorithm with a two-part key that was to be managed by two separate government agencies. Was reportedly designed to protect individual communications while allowing the government to decrypt suspect transmissions

Privacy of Customer Information Section

Part of common carrier regulation, states that any proprietary information shall be used explicitly for providing services, and not for marketing purposes. Carriers cannot disclose this information, except when providing services

Federal Privacy Act of 1974

Regulates government agencies and holds them accountable if they release private information about individuals or businesses without permission

Electronic Communications Privacy Act of 1986

Informally referred to as the wiretapping act; a collection of statutes that regulates the interception of wire, electronic, and oral communications. Works in conjunction with the Fourth Amendment of the Constitution to protect against unlawful search and seizure

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

AKA Kennedy-Kassebaum Act, protects the confidentiality and security of healthcare data by establishing and enforcing standards and by standardizing electronic data interchange

HIPAA's 5 Fundamental Principles

1) Consumer control of medical information
2) Boundaries on the use of medical information
3) Accountability to maintain the privacy of specified types of information
4) Use of medical information for the greater good vs. impact to the individual
5) Security

American Recovery and Reinvestment Act of 2009

Updated and broadened the scope of HIPAA in a section referred to as the Health Information Technology for Economic and Clinical Health (HITECH) Act; provided bounties for investigators and monetary incentives to pursue violators

Financial Services Modernization Act or Gramm-Leach-Bliley Act of 1999

This act requires all financial institutions to disclose their privacy policies on the sharing of nonpublic personal information. Also requires due notice to customers so they can request their information not be shared with third parties.

Fraud and Related Activity in Connection with Identification Documents, Authentication Features, and Information

The primary legislation at the federal level regarding Identity Theft. Criminalizes the creation, reproduction, transfer, possession, or use of unauthorized or false identification documents or document-making equipment

FTC Recommended Steps when people suspect they are victims of Identity Theft

1) Place an initial fraud alert
2) Order your credit reports
3) Create an identity theft report
4) Monitor and document progress

Identity Theft Enforcement and Restitution Act of 2008

Specifically addressed the malicious use of spyware or keyloggers to steal PII.

Economic Espionage Act of 1996

This law attempts to prevent trade secrets from being illegally shared

Security and Freedom through Encryption Act of 1999

Provides guidance for the use of encryption and provides protection from government intervention.

Key Escrow

AKA Key registration, the storage of a cryptographic key with another party for breaking the encryption of data.

U.S. Copyright Law

Protects Intellectual property and published works, including electronic formats. Fair use allows copyrighted materials to be used to support news reporting, teaching, scholarship, and similar activities

Sarbanes-Oxley Act of 2002

This law seeks to improve the reliability and accuracy of financial reporting, and increase the accountability of corporate governance in publicly traded companies

Freedom of Information Act (FOIA) of 1966

Allows any person to request access to federal agency records or information not determined to be a matter of national security. However, some information is protected from disclosure.

PCI Security Standards Council

Industry body whose standards are designed to enhance the security of customers' account data. Its PCI Data Security Standard (PCI DSS) provides a baseline of technical and operational requirements designed to protect cardholder data

Council of Europe Convention on Cybercrime

This convention advocates prosecution for copyright infringement. The overall goal of the convention is to simplify the acquisition of information for law enforcement agencies in certain types of international crimes and to simplify the extradition process

Digital Millennium Copyright Act (DMCA)

1) Prohibits the circumvention of protections and countermeasures implemented by copyright owners
2) Prohibits the manufacture of devices designed to circumvent those protections and countermeasures
3) Bans trafficking in devices manufactured to circumvent protections

Three general causes of unethical or illegal behavior

Ignorance, accident, and intent

Three things required for laws, policies, and associated penalties to provide deterrence

Fear of penalties
Probability of being apprehended
Probability of penalty being applied