4 - Laws, Regulations, and Compliance Flashcards
1
Q
What are the 3 categories of laws?
A
- Criminal Law: Contains prohibitions against acts such as murder, assault, and robbery, with penalties ranging from community service and monetary fines to prison sentences. Police and law enforcement agencies concern themselves with these laws.
- Civil Law: Governs matters that are not crimes but that require an impartial arbiter to settle disputes between individuals and organizations, such as contract disputes and real estate transactions. It is incumbent upon the person/organization to obtain legal counsel and file a lawsuit.
- Administrative Law: Policies, procedures, and regulations that govern the daily operations of an agency. These laws are published in the Code of Federal Regulations (CFR) and must comply with existing laws passed by the legislature and with the US Constitution.
2
Q
What is an Info-Sec program defined as according to FISMA?
A
- Periodic assessments of risk.
- Policies and procedures based on risk assessments.
- Subordinate plans for providing adequate info security for systems.
- Security awareness training for personnel.
- Periodic testing of policies and controls.
- A process for planning, implementing, and documenting actions to remediate deficiencies in the security of the organization.
- A process for security incidents.
- A BCP in place.
3
Q
What are some better known computer crime laws?
A
- Computer Fraud and Abuse Act (CFAA): Covers any computer used by the federal government or a financial institution, and any computers used to commit an offense when they are not all located in the same state.
- CFAA Amendments: Various amendments that extend coverage to any computer system used in interstate commerce. Outlawed the creation of any type of malicious code that might cause damage to a computer system. Allowed imprisonment of offenders, regardless of intent, and gave victims legal authority to pursue civil action.
- Federal Sentencing Guidelines: Provide punishment guidelines for judges:
  - Prudent Man Rule: Requires executives to take personal responsibility for ensuring the due care that ordinary, prudent individuals would exercise in the same situation.
  - Allowed orgs and executives to minimize punishment by demonstrating that they used due diligence in the conduct of their duties.
  - Burdens of proof for negligence: Did the person have a legal obligation? Did the person fail to comply with recognized standards? Is there a causal relationship between the act of negligence and the subsequent damages?
- National Information Infrastructure Protection Act of 1996: Amendments to the CFAA that broaden coverage to systems used in international commerce, extend protections to national infrastructure (railroads, bridges), and treat any act that causes damage to national infrastructure as a felony.
- Federal Information Security Management Act (FISMA, 2002): Requires that federal agencies implement an info-sec program that covers the agency’s operations.
- Federal Cybersecurity Laws of 2014:
  - Centralizes federal cybersecurity responsibility with the Department of Homeland Security, except for defense-related and intelligence-related cybersecurity (Federal Information Systems Modernization Act, 2014 FISMA).
  - Charges NIST with coordinating nationwide work on developing cybersecurity standards (Cybersecurity Enhancement Act).
  - Charges the Department of Homeland Security with establishing a national cybersecurity and communications integration center (National Cybersecurity Protection Act).
4
Q
How can ISPs (Internet Service Providers) limit their liability on DMCA (Digital Millennium Copyright Act) protected works?
A
- Transmission must be initiated by another person.
- Activity must be carried out by an automated technical process without input from the ISP.
- The ISP must not determine the recipients of the material.
- Intermediate copies must not be accessible to anyone other than the anticipated recipients.
- Material must be transmitted with no modifications to its content.
5
Q
What are some intellectual property laws?
A
- Copyright and the Digital Millennium Copyright Act:
  - Copyright law guarantees the creators of “original works of authorship” protection against the unauthorized duplication of their work (categories: literary, musical, dramatic, pantomimes/choreographic, pictorial/graphical/sculptural, motion pictures/audiovisuals, sound recordings, and architectural).
  - The DMCA prohibits attempts to circumvent copyright protection mechanisms placed on a protected work.
- Trademarks: Words, slogans, and logos used to identify a company and its products or services are protected.
  - Official registration is not required: if you use a trademark in the course of your public activities, you are automatically protected under any relevant trademark law and can use the “TM” symbol to show you intend to protect words or slogans as trademarks.
  - The “R” symbol denotes that the mark has been trademarked.
  - Rules:
    - A trademark must not be confusingly similar to another trademark.
    - A trademark should not be descriptive of the goods and services that you will offer (“Mike’s Software Company”).
    - Trademarks are granted for an initial period of 10 years and can be renewed for unlimited successive 10-year periods.
- Patents: Protect the intellectual property rights of inventors. Provide a period of 20 years from the date of initial application during which the inventor is granted exclusive rights to use the invention.
  - 3 requirements:
    - The invention must be a new, original idea.
    - It must be useful: it must work and accomplish some task.
    - It must not be obvious.
- Trade Secrets: Intellectual property that is absolutely critical to a business, where significant damage would result if it were disclosed to competitors and/or the public.
  - To preserve trade secret status:
    - You must implement adequate controls within your organization to ensure that only authorized personnel with a need to know have access.
    - These employees must have an NDA.
    - You must take steps to show that you value and protect your intellectual property.
- Licensing: Four common types:
  - Contractual: A written agreement between vendor and customer outlining the responsibilities of each.
  - Shrink-wrap: Terms and conditions written on the outside of the software packaging.
  - Click-through: Written on either the box or included in the software documentation.
  - Cloud services: Generally provide a link or flash wording on the screen. Can bind a whole organization to an agreement unwittingly.
6
Q
What are some Import/Export Laws?
A
- There are regulations that govern the export of sensitive hardware and software because the government recognizes that such technology, especially encryption, can be powerful in the hands of a military.
- Good to Know:
  - International Traffic in Arms Regulations (ITAR): Controls the export of items that are specifically designated as military and defense items.
  - Export Administration Regulations (EAR): Covers a broad set of items that are designed for commercial use but may have military applications.
  - Computer Export Controls: US firms can export high-performance computing systems to virtually any country without receiving prior approval from the government, with the exception of countries listed as countries of concern by the Department of Commerce due to the threat of nuclear proliferation or state sponsorship of terrorism.
  - Encryption Export Controls: Regulations on the export of encryption products outside of the United States. Firms have to submit products for review by the Commerce Department.
7
Q
What are some privacy laws?
A
- United States:
  - 4th Amendment: Prohibits government agents from searching private property without a warrant and probable cause.
  - Privacy Act of 1974: Limits the ability of federal government agencies to disclose private info to other people or agencies without the direct written consent of the affected individuals. The government can only keep the info that is relevant and must destroy the rest.
  - Electronic Communications Privacy Act of 1986 (ECPA): Makes it a crime to invade the electronic privacy of an individual (stored data, email, voicemail, and mobile telephone conversations).
  - Communications Assistance for Law Enforcement Act (CALEA) of 1994: Requires all communications carriers to make wiretaps available with an appropriate court order.
  - Economic Espionage Act of 1996: Extends the definition of property to include proprietary economic information, so that theft of this can be considered industrial or corporate espionage.
  - Health Insurance Portability and Accountability Act of 1996 (HIPAA): Enforces strict measures for hospitals, insurance companies, physicians, and other organizations that process or store medical info about individuals. Also clearly defines the rights of individuals who are the subject of medical records and requires organizations that maintain these records to disclose these rights in writing.
  - Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH): Amended HIPAA by requiring business associates of health organizations to have a written contract, known as a Business Associate Agreement (BAA), which holds them to the same standard under HIPAA as the original entity. This amendment also introduced new breach notification requirements: any HIPAA-covered entity must notify the affected individuals of a breach, and must notify the Secretary of Health and Human Services and the media when the breach affects more than 500 individuals.
  - Children’s Online Privacy Protection Act of 1998 (COPPA): Applies to websites that cater to or collect info from children. There must be a disclosure of what is being collected, what it is used for, and the contact info of the site operator. Parents must be given the opportunity to review the information and to request that it be permanently deleted from the site’s records. Parents must also give verifiable consent before info is collected on children younger than 13.
  - Gramm-Leach-Bliley Act of 1999 (GLBA): Limited the types of info that can be exchanged among subsidiaries of the same corporation and required financial institutions to provide written privacy policies to all of their customers.
  - USA Patriot Act of 2001: Created in direct response to 9/11, it greatly broadened the powers of law enforcement and intelligence agencies across a number of areas, including the monitoring of electronic communications.
    - Blanket authorizations for wiretaps.
    - ISPs may voluntarily provide the government with a large range of info.
    - Amends the CFAA with more severe penalties.
  - Family Educational Rights and Privacy Act (FERPA): Affects any educational institution that accepts any form of funding from the federal government; grants certain privacy rights to students older than 18 and to the parents of minor students.
    - Parents/students have the right to inspect any educational records maintained by the institution on the student.
    - Parents/students have the right to request correction of records they think are erroneous.
    - Schools may not release personal info from student records without written consent, except under certain circumstances.
  - Identity Theft and Assumption Deterrence Act: Makes identity theft a crime.
- Europe:
  - European Union Privacy Law (1995): Protects personal data processed by information systems.
    - Processing of personal data must meet certain requirements: consent, contract, legal obligation, vital interest of the data subject, or a balance of interests between the data subject and the data holder.
    - Outlines key rights of individuals about whom data is held and/or processed: the right to access the data, know its source, correct inaccurate data, withhold consent to process data in some situations, and take legal action should these rights be violated.
  - European Union General Data Protection Regulation (GDPR): Widens the scope of regulation and applies to all orgs that collect data from EU residents. Key provisions:
    - Data breach notification within 72 hours.
    - Creation of centralized data protection authorities in each EU member state.
    - All individuals will have access to their own data.
    - Transfer of personal information between service providers at the individual’s request.
    - The “right to be forgotten” allows people to require companies to delete their info if it is no longer needed.
8
Q
What is PCI DSS?
A
Payment Card Industry Data Security Standard (PCI DSS): Governs the security of credit card info and is enforced through the terms of the merchant agreement between a business and its bank. 12 main requirements:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Protect all systems against malware and regularly update antivirus software or programs.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know.
- Identify and authenticate access to system components.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses info-sec for all personnel.