Chapter 3 Flashcards
– Is the Nation’s cryptologic organization
– Protects US information systems
– Produces foreign intelligence information
– Responsible for signal intelligence and information system security
National Security Agency (NSA)
Major IT Professional Organizations
- Association of Computing Machinery
- International Information Systems Security Certification Consortium, Inc
- System Administration, Networking, Security Institute
- Information Systems Audit and Control Association
- Information Systems Security Association
The leader in development and implementation of information security legislation?
United States of America
– Established in 1947 as “the world’s first educational and scientific computing society”
– Code of ethics contains references to protecting information confidentiality, causing no harm, protecting others’ privacy, and respecting others’ intellectual property
*Association of Computing Machinery (ACM)
Certification Consortium, Inc. (ISC)2
– Nonprofit organization focusing on development and implementation of information security certifications and credentials
– Code primarily designed for information security
professionals who have certification from (ISC)2
– Code of ethics focuses on four mandatory canons
International Information Systems Security
body of expectations that describe
acceptable and unacceptable employee behaviors
in the workplace
Policies
regulates structure/administration of
government agencies and relationships with
citizens, employees, and other governments
Public
Seeks to improve reliability and accuracy of
financial reporting and increase the accountability of corporate governance.
Sarbanes-Oxley Act of 2002
rules that mandate or prohibit certain
societal behavior
Law
fixed moral attitudes or customs of
a particular group; ethics based on these.
Cultural Mores
addresses violations harmful to society;
actively enforced by the state
Criminal
What is the difference of law and policy?
Ignorance of a
policy is an acceptable defense.
regulates relationships between individuals
and organizations.
Private
– Maintains an intrusion alert network
– Maintains a secure Web site for communication
about suspicious activity or intrusions
– Sponsors local chapter activities
– Operates a help desk for questions
Federal Bureau of Investigation’s National
InfraGard Program
– Professional association with focus on auditing, control, and security
– Concentrates on providing IT control practices and standards
– ISACA has code of ethics for its professionals
Information Systems Audit and Control Association (ISACA)
5 issues covered by Agreement on Trade-Related Aspects of Intellectual Property Rights
– Application of basic principles of trading system and international intellectual property agreements
– Giving adequate protection to intellectual property rights
– Enforcement of those rights by countries in their own territories
– Settling intellectual property disputes
– Transitional arrangements while new system is being introduced
“occurring when someone uses your personally identifying information, like your name, Social Security number, or credit card number, without your permission, to commit fraud or other crimes”
Identity Theft
provides law enforcement agencies with broader latitude in order to combat terrorism-related activities
USA PATRIOT Act of 2001
Export and Espionage Laws
- Economic Espionage Act of 1996 (EEA)
- Security And Freedom Through Encryption Act of 1999 (SAFE)
- The acts include provisions about encryption that:
– Reinforce the right to use or sell encryption
algorithms, without concern of key registration
– Prohibit the federal government from requiring it
– Make it not probable cause in criminal activity
– Relax export restrictions
– Additional penalties for using it in a crime
Examples of Criminal Cases
- Murder.
- Robbery.
- Treason.
- Rape.
- Kidnapping.
- Establishes international task force overseeing
Internet security functions for standardized
international technology laws - Attempts to improve effectiveness of international
investigations into breaches of technology law - Well received by intellectual property rights
advocates due to emphasis on copyright
infringement prosecution - Lacks realistic provisions for enforcement
European Council Cyber-Crime
Convention
legal obligation of an entity extending
beyond criminal or contract law; includes legal
obligation to make restitution
Liability
best method for preventing an illegal or
unethical activity; e.g., laws, policies, technical
controls
Deterrence
General Computer Crime Laws
- Computer Fraud and Abuse Act of 1986
- National Information Infrastructure Protection act of 1996
- USA PATRIOT Act of 2001
4.USA PATRIOT Improvement and Reauthorization Act - Computer Security Act of 1987
– Made up of five directorates, or divisions
– Mission is to protect the people as well as the
physical and informational assets of the US
Department of Homeland Security (DHS)
governs nation or state; manages
relationships/conflicts between organizational
entities and people.
Civil
Key Federal Agency
- Department of Homeland Security (DHS)
- Federal Bureau of Investigation’s National
InfraGard Program - National Security Agency (NSA)
- U.S. Secret Service
– Modified several sections of the previous act and
increased the penalties for selected crimes
– Severity of penalties judged on the purpose
* For purposes of commercial advantage
* For private financial gain
* In furtherance of a criminal act
National Information Infrastructure Protection Act of 1996
define socially acceptable behavior.
Ethics
– Nonprofit society of information security (IS)
professionals
– Primary mission to bring together qualified IS
practitioners for information exchange and
educational development
– Promotes code of ethics similar to (ISC)2
, ISACA, and ACM
Information Systems Security Association (ISSA)
to compensate for wrongs committed
by an organization or its employees
Restitution
To minimize the risk, information practitioner should
- Understand current legal environment
– Stay current with laws and regulations
– Watch for new issues that emerge
Privacy US Regulations
– Privacy of Customer Information Section of the
common carrier regulation
– Federal Privacy Act of 1974
– Electronic Communications Privacy Act of 1986
– Health Insurance Portability and Accountability Act
of 1996 (HIPAA), aka Kennedy-Kassebaum Act
– Financial Services Modernization Act, or Gramm-Leach-Bliley Act of 1999
Examples of Civil Cases
- A person who is hurt in a car accident sues the driver of the other car;
- A worker sues his employer after the worker hurts his back at work and can never work again;
- A homeowner who has hired a builder to build a new kitchen sues the builder when the kitchen is badly built and has to be fixed;
- A family sues their doctor when the doctor does not discover that the mother has cancer in time for the cancer to be treated
The organization
must be able to demonstrate that the relevant policy
has been made readily available for review by the
employee. Common dissemination techniques
include hard copy and electronic distribution.
Dissemination (distribution)
Allows access to federal agency records or
information not determined to be matter of national security
Freedom of Information Act of 1966
(FOIA)
– Professional organization with a large membership
dedicated to protection of information and systems
– SANS offers set of certifications called Global
Information Assurance Certification (GIAC)
System Administration, Networking, and Security Institute (SANS)
Examples of Private Cases
- Divorce and Infidelity Investigations. The end of a marriage often involves the loss of trust between spouses. …
- Child Custody Disputes. …
- Finding Missing Loved Ones. …
- Serving Legal Papers. …
- Trial Preparation. …
- Social Media Investigations. …
- Background Investigations.
: ensuring that employees know what
constitutes acceptable behavior and know the
consequences of illegal or unethical actions
Due Care
Difference between laws and ethics?
Laws carry sanctions of a governing authority;
ethics do not.
The organization must be able to
demonstrate that it disseminated the document in an intelligible form, including versions for illiterate,
non-English reading, and reading-impaired
employees. Common techniques include recordings of the policy in English and alternate languages.
Review (reading)
function as laws within an organization;
must be crafted carefully to ensure they are
complete, appropriate, fairly applied to everyone
Policy
cornerstone of many computer-related federal laws and enforcement efforts
Computer Fraud and Abuse Act of 1986
- Created by World Trade Organization (WTO)
- First significant international effort to protect
intellectual property rights - Outlines requirements for governmental oversight
and legislation providing minimum levels of
protection for intellectual property
Agreement on Trade-Related Aspects
of Intellectual Property Rights
The organization must be able to demonstrate that the employee understood the requirements and content of the policy. Common techniques include quizzes
and other assessments
Comprehension (understanding)
court’s right to hear a case if the wrong
was committed in its territory or involved its
citizenry
Jurisdiction
The organization must
be able to demonstrate that the employee agrees to comply with the policy, through act or affirmation. Common techniques include logon banners which require a specific action (mouse click or keystroke) to acknowledge agreement, or a signed document clearly indicating the employee has read, understood, and agreed to comply with the policy.
Compliance (agreement)
Laws and policies only deter if three conditions are present:
– Fear of penalty
– Probability of being caught
– Probability of penalty being administered
Is a “state of being free from unsanctioned
intrusion”
Privacy
right of any court to impose
its authority over an individual or organization if it can establish jurisdiction
Long arm jurisdiction
Policy enforcement
- Dissemination
- Review
- Comprehension
- Compliance
- Uniform Enforcement
Made permanent fourteen of the sixteen
expanded powers of the Department of Homeland Security and the FBI in investigating terrorist activity
USA PATRIOT Improvement and Reauthorization Act
- Intellectual property recognized as protected asset in the U.S.; copyright law extends to electronic formats
U.S. Copyright Law
The organization must be
able to demonstrate that the policy has been
uniformly enforced, regardless of employee status or assignment.
Uniform enforcement
Types of Law
- Civil
- Criminal
- Public
- Private
making a valid effort to protect
others; continually maintaining level of effort
Due Diligence
one of the first attempts to protect federal computer systems by establishing minimum acceptable security practices
Computer Security Act of 1987
Protects the confidentiality and security of health care data by establishing and enforcing standards and by standardizing electronic data interchange
Health Insurance Portability and
Accountability Act of 1996 (HIPAA)
Three General Cause of Unethical and illegal behavior
: ignorance, accident, intent
