Chapter 4 Flashcards
3 Categories of Laws
Criminal Law
Civil Law
Administrative Law
Which type of law does this describe?
preserves the peace; enforced by police and other law enforcement agencies
Criminal Law
Which type of law does this describe?
provides for an orderly society; disputes are settled between individuals and organizations (no police involvement)
Civil Law
Which type of law does this describe?
rules and procedures that should be followed in every possible situation
published as executive orders, policies, procedures, and regulations
Administrative Law
Where are administrative laws published?
Code of Federal Regulations (CFR)
Computer Fraud and Abuse Act (CFAA) of 1986
first major cyber-crime-specific legislation in the US
amended and expanded the Comprehensive Crime Control Act (CCCA) of 1984
National Information Infrastructure Protection Act of 1996
covers computer systems used in interstate and international commerce
extends protections beyond computer systems to other infrastructure such as railroads, pipelines, and electric power grids
treats intentional or reckless damage to critical portions of the national infrastructure as a felony
Federal Sentencing Guidelines (1991)
formalized the prudent person rule
defined the three burdens of proof for negligence
prudent person rule
requires senior executives to take personal responsibility for ensuring due care (acting as a prudent person would)
3 burdens of proof for negligence
- the person must have a legally recognized obligation
- the person must have failed to comply with recognized standards
- there must be a causal relationship between the negligence and the damages
FISMA - Federal Information Security Management Act (2002)
requires federal agencies to implement an information security program covering the agency's operations, including activities carried out by contractors
replaced the Computer Security Act of 1987 and the Government Information Security Reform Act of 2000
Which organization is responsible for developing the FISMA implementation guidelines?
NIST
Federal Cybersecurity Laws of 2014
Federal Information Systems Modernization Act
Cybersecurity Enhancement Act
National Cybersecurity Protection Act
Federal Information Systems Modernization Act
modified the 2002 FISMA by centralizing federal cybersecurity responsibility with the Department of Homeland Security (DHS)
exceptions:
defense-related cybersecurity remains the responsibility of the Secretary of Defense
intelligence-related cybersecurity remains the responsibility of the Director of National Intelligence
Cybersecurity Enhancement Act
makes NIST responsible for coordinating nationwide work on voluntary cybersecurity standards
National Cybersecurity Protection Act
DHS establishes the National Cybersecurity and Communications Integration Center (NCCIC) as the interface between federal agencies and civilian organizations for sharing cyber risks, incidents, analysis, and warnings
4 types of intellectual property
copyrights
trademarks
patents
trade secrets
Copyright law - primary purpose
guarantees the creators of "original works of authorship" protection against unauthorized duplication of their work
8 categories of copyright protection
Literary
Musical
Dramatic
Pantomimes/Choreography
Pictorial, graphical, sculptural
Motion pictures
Sound recordings
Architectural
What category of copyright does source code fall under?
literary works
Digital Millennium Copyright Act (DMCA)
prohibits attempts to circumvent copyright protection mechanisms (e.g., DRM)
limits the liability of ISPs when their circuits are used by criminals violating copyright law
treats webcasting (streaming audio/video over the internet) as "eligible nonsubscription transmissions", which are not copyright infringement as long as the webcaster meets the act's conditions
Trademarks
words, slogans, and logos used to identify a company and its products or services
™ (TM)
shows you intend to protect words, slogans, or logos as trademarks (no registration required)
® (R)
denotes a trademark registered with the USPTO - United States Patent and Trademark Office
Patents
protect the IP rights of inventors for 20 years from the filing date, after which the invention enters the public domain
3 requirements for patents
- the invention must be new
- the invention must be useful
- the invention must not be obvious
Trade secrets
IP that is critical to the business and would cause significant damage if disclosed to competitors or the public; unlike other IP, trade secrets are never filed or published
Protecting Trade Secrets
require employees with access to sign nondisclosure agreements (NDAs)
implement adequate access controls around the protected information
what is one of the best ways to protect source code?
treat it as a trade secret
Economic Espionage Act of 1996
stealing trade secrets to benefit a foreign government or agent: fines of up to $500,000 and imprisonment of up to 15 years
stealing trade secrets for any other reason: fines of up to $250,000 and imprisonment of up to 10 years
4 types of license agreements
- contractual license agreements
- shrink-wrap license agreements
- click-through license agreements
- cloud services license agreements
contractual license agreements
written contract between the software vendor and the customer
shrink-wrap license agreements
written on the outside of the software packaging; the customer accepts the terms by opening the package
click-through license agreements
during the installation process, you are required to click a button indicating that you have read the terms of the agreement and agree to abide by them
cloud services license agreements
usually a link to the legal terms and a check box the user ticks to indicate they have read and agree to them
International Traffic in Arms Regulations (ITAR)
controls the export of items that are specifically designated as military and defense items
Export Administration Regulations (EAR)
covers items that appear on the Commerce Control List (CCL)
includes an entire category covering information security products
controls the export of commercial items that may have a military application
Fourth Amendment
basis for privacy rights; protects against unreasonable search and seizure of persons, houses, papers, and effects
courts have expanded its interpretation to include protection against wiretapping and other invasions of privacy
Privacy Act of 1974
applies to government agencies; governs how they maintain records about individuals and who may access those records
Electronic Communications Privacy Act of 1986 (ECPA)
makes it a crime to invade the electronic privacy of an individual
Communications Assistance for Law Enforcement Act (CALEA) of 1994
requires all communications carriers to make wiretaps possible for law enforcement (with an appropriate court order)
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
privacy and security regulations for organizations that process or store private medical information about individuals
Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)
updated HIPAA privacy and security requirements
Children’s Online Privacy Protection Act (COPPA)
websites that cater to children or knowingly collect information from children under 13 must:
post a notice indicating the type of information they collect and what it is used for
give parents the ability to review and permanently delete their child's information from the site
obtain parental consent before collecting information from children
Gramm-Leach-Bliley Act of 1999 (GLBA)
limits the types of information that can be exchanged among financial institutions, even among subsidiaries of the same corporation
USA PATRIOT Act
broadens the powers of law enforcement and intelligence agencies
makes wiretapping authorizations easier to obtain
Family Educational Rights and Privacy Act (FERPA)
grants privacy rights to students over 18 and to the parents of minor students
right to inspect educational records
right to request corrections to inaccurate records
schools may not release personal information from student records without written consent
Identity Theft and Assumption Deterrence Act
makes identity theft a crime against the person whose identity was stolen (that person, not the defrauded business, is the victim)
"reasonable expectation of privacy"
if you are using corporate or government equipment, you should not expect privacy, so be careful what you do
European Union Data Protection Directive (DPD)
outlines the privacy measures that must be in place for protecting personal data processed in the EU
European Union General Data Protection Regulation (GDPR)
replaced the DPD and widened the scope of personal data protections to all organizations that collect data from EU residents, even if they are not based in the EU
7 key provisions of GDPR
- Lawfulness, fairness, transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage Limitation
- Security
- Accountability
which key provision of GDPR does this describe?
must have a legal basis for processing personal information and be transparent about it
Lawfulness, fairness, transparency
which key provision of GDPR does this describe?
must clearly document and disclose the purposes for which you collect data
purpose limitation
which key provision of GDPR does this describe?
must ensure that the data processed is adequate for the stated purpose and limited to what is necessary for it
Data minimization
which key provision of GDPR does this describe?
data you collect or maintain is correct and not misleading; correct or erase inaccurate data
Accuracy
which key provision of GDPR does this describe?
keep personal data only for as long as it is needed for the stated purpose
storage limitation
which key provision of GDPR does this describe?
must have appropriate integrity and confidentiality controls in place to protect the data
security
which key provision of GDPR does this describe?
must take responsibility for your actions with protected data and be able to demonstrate compliance
accountability
Personal Information Protection and Electronic Documents Act (PIPEDA)
Canadian law that restricts how commercial entities may collect, use, and disclose personal information (PI)
Payment Card Industry Data Security Standard (PCI DSS)
compliance requirement dictated by contractual obligation with the card brands, not by law
12 requirements of PCI DSS
- install and maintain a firewall configuration to protect cardholder data
- do not use vendor-supplied defaults for passwords and other security parameters
- protect stored cardholder data
- encrypt transmission of cardholder data across open, public networks
- protect all systems against malware and keep anti-virus software up to date
- develop and maintain secure systems and applications
- restrict access to cardholder data by business need-to-know
- identify and authenticate access to system components
- restrict physical access to cardholder data
- track and monitor all access to network resources and cardholder data
- regularly test security systems and processes
- maintain an information security policy for all personnel
Sarbanes-Oxley Act (SOX)
protects investors from fraudulent financial reporting by publicly traded corporations
BIS - Bureau of Industry and Security
sets the regulations governing the export of encryption products (part of the Department of Commerce)
GLBA - Gramm-Leach-Bliley Act
requires financial institutions to protect customer records
If an organization wants to transfer personal data of EU residents to another organization, what is the best way to ensure compliance with GDPR?
standard contractual clauses provided by the EU
If an organization wants to transfer data collected from EU residents internally (between its own entities), how can it remain compliant with GDPR?
binding corporate rules
How can an organization remain HIPAA compliant when entering a relationship with a service provider that will have access to PHI?
Enter into a BAA - Business Associate Agreement.
It makes the service provider directly liable under HIPAA for protecting the PHI.