CIS377 Chapter 3 Other

Laws

are rules that mandate or prohibit certain behavior in society. They are drawn from
ethics, which define socially acceptable behaviors.

Ethics

in turn, are based on cultural mores, which are the fixed moral attitudes or
customs of a particular group. Some ethics are recognized as universal among cultures.

Policy versus Law

Policies: body of expectations that describe acceptable and unacceptable employee behaviors in the workplace
Policies function as laws within an organization; must be crafted carefully to ensure they are complete, appropriate, fairly applied to everyone
D

Civil law

represents a wide variety of laws that govern a nation or state and deal with the
relationships and conflicts between organizational entities and people.

Criminal law

addresses violations harmful to society and is actively enforced by the
state.

Private law

regulates the relationship between the individual and the organization, and encompasses family law, commercial law, and labor law.

Public law

regulates the structure and administration of government agencies and their
relationships with citizens, employees, and other governments, providing careful checks
and balances. Examples of public law include criminal, administrative, and constitutional
law.

Computer Fraud and Abuse Act of 1986 (CFA Act)

The cornerstone of many computer-related federal laws and
enforcement efforts. Defines and formalizes laws to counter
threats from computer-related acts and offenses.

National Information Infrastructure Protection Act of 1996

An act that modified several sections of the Computer
Fraud and Abuse Act and increased penalties for selected
crimes.

* USA PATRIOT Improvement and
Reauthorization Act

Made permanent 14 of the 16 expanded powers of the Department
of Homeland Security, and the FBI in investigating terrorist
activity.

Computer Security Act of 1987

One of the first attempts to protect federal computer systems by establishing minimum
acceptable security practices by following standards and
guidelines created by the National Bureau of Standards and
the National Security Agency.

Privacy of Customer Information Section

Part of the common carrier regulation that specifies that any proprietary information shall be used explicitly for providing service, and not for any marketing purposes, and that carriers cannot disclose this information except when necessary to provide t

Federal Privacy Act of 1974

An act that regulates the government in the protection of individual privacy. Created to ensure that government agencies protect the privacy of individual and business information and to hold those agencies responsible if any portion of this information i

Electronic Communications Privacy Act of 1986

Synonymous with the Federal Wiretapping Act. A collection of statutes that regulate the interception of wire, electronic, and oral communication. These statutes work in conjunction with the Fourth Amendment of the U.S. Constitution, which
provides protect

Fourth Amendment of the U.S. Constitution

U.S. law that protects from unlawful search and seizure, cited in various other laws such as Electronic Communications Privacy Act of 1986.

* Health Insurance Portability & Accountability Act Of 1996 (HIPAA)

Synonymous with the Kennedy-Kassebaum
Act. This act protects the confidentiality and security of
health-care data by establishing and enforcing standards and
by standardizing electronic data interchange.

Financial Services Modernization Act, or Gramm-Leach-Bliley Act of 1999

Synonymous
with the Gramm-Leach-Bliley Act of 1999. This act contains
provisions on facilitating affiliation among banks, securities
firms, and insurance companies. The act has significant
impact on the privacy of personal information used by these
indust

Fraud And Related Activity In Connection With Identification Documents, Authentication Features, And Information (Title 18, U.S.C. § 1028)

A federal law which criminalizes creation, reproduction,
transfer, possession, or use of unauthorized or false identification documents or document-making equipment.

Export and Espionage Laws

...

Security and Freedom through Encryption Act of 1999 (SAFE)

provides guidance on the use of
encryption and provides protection from government intervention.

U.S. Copyright Law

Intellectual property recognized as protected asset in the U.S.; copyright law extends to electronic formats
With proper acknowledgment, permissible to include portions of others' work as reference

* Sarbanes-Oxley Act of 2002

Affects executive management of publicly traded corporations and public accounting firms
Seeks to improve reliability and accuracy of financial reporting and increase the accountability of corporate governance
Penalties for noncompliance range from fines

Freedom of Information Act of 1966 (FOIA)

Allows access to federal agency records or information not determined to be matter of national security
U.S. government agencies required to disclose any requested information upon receipt of written request
Some information protected from disclosure

State and Local Regulations

Restrictions on organizational computer technology use exist at international, national, state, local levels
Information security professional responsible for understanding state regulations and ensuring organization is compliant with regulations

European Council Cyber-Crime Convention

Establishes international task force overseeing Internet security functions for standardized international technology laws
Attempts to improve effectiveness of international investigations into breaches of technology law
Well received by intellectual prop

Agreement on Trade-Related Aspects of Intellectual Property Rights

...

Digital Millennium Copyright Act (DMCA)

U.S. contribution to international effort to reduce impact of copyright, trademark, and privacy infringement
A response to European Union Directive 95/46/EC,
Prohibits
Circumvention of protections and countermeasures
Manufacture and trafficking of devices

United Nations Charter

...

Information warfare (IW)

...

Ethical Differences Across Cultures

Cultural differences create difficulty in determining what is and is not ethical
Difficulties arise when one nationality's ethical behavior conflicts with ethics of another national group
Scenarios are grouped into:
Software License Infringement
Illicit U

Deterrence to Unethical and Illegal Behavior

Three general causes of unethical and illegal behavior: ignorance, accident, intent
Deterrence: best method for preventing an illegal or unethical activity; e.g., laws, policies, technical controls
Laws and policies only deter if three conditions are pres

Association of Computing Machinery (ACM) (www.acm.org)

is a respected professional society, originally established in 1947, as "the world's first educational and scientific computing society."

International Information Systems Security Certification Consortium, Inc. (ISC)2 (www.isc2.org)

is a nonprofit organization that focuses on the development
and implementation of information security certifications and credentials.

SANS (www.sans.org)

is a professional organization with a large membership dedicated
to the protection of information and systems. SANS offers a set of certifications called
the Global Information Assurance Certification or GIAC.

Information Systems Audit and Control Association (ISACA) (www.isaca.org)

is a professional association with a focus on auditing, control,
and security. Although it does not focus exclusively on information security, the Certified
Information Systems Auditor (CISA) certification does contain many information
security components

ISSA (www.issa.org)

is a nonprofit society of information security professionals.
As a professional association, its primary mission is to bring together qualified
practitioners of information security for information exchange and educational
development.

Key U.S. Federal Agencies

- Federal Bureau of Investigation's National Infrastructure Protection Center (NIPC)
- National Security Administration
- U.S. Secret Service
- Department of Homeland Security (DHS)
- National Security Agency (NSA)

Federal Bureau of Investigation's National Infrastructure Protection Center (NIPC)

was established in 1998 and serves as the U.S. government's focal point for threat assessment, warning, investigation, and response for threats or attacks against critical U.S. infrastructures.

National Security Administration

...

U.S. Secret Service.

In addition to protective services, charged with the detection and arrest of persons committing a federal offense relating to computer fraud or false identification

Department of Homeland Security (DHS)

September 11, 2001. DHS is made
up of five directorates, or divisions, through which it carries out its mission of protecting the
people as well as the physical and informational assets of the United States.

National Security Agency (NSA)

the Nation's cryptologic organization. It coordinates, directs, and performs
highly specialized activities to protect U.S. information systems and produce
foreign intelligence information ... It is also one of the most important centers
of foreign languag
