Chapter 4: Laws, Regulations, and Compliance Flashcards
The laws that the police and other law enforcement agencies concern themselves with
Criminal Law
Laws designed to provide for an orderly society and govern matters that are not crimes but that require an impartial arbiter to settle between individuals and organizations.
Civil Law
Laws that cover topics as mundane as the procedures to be used within a federal agency to obtain a desk telephone to more substantial issues such as the immigration policies that will be used to enforce the laws passed by Congress.
Administrative Law
Made it a crime to do the following:
Access classified information or financial information in a federal system without authorization or in excess of authorized privileges
Access a computer used exclusively by the federal government without authorization
Use a federal computer to perpetrate a fraud (unless the only object of the fraud was to gain use of the computer itself)
Cause malicious damage to a federal computer system in excess of $1,000
Modify medical records in a computer when doing so impairs or may impair the examination, diagnosis, treatment, or medical care of an individual
Traffic in computer passwords if the trafficking affects interstate commerce or involves a federal computer system
Computer Fraud and Abuse Act (CFAA)
This law:
Broadens the CFAA to cover computer systems used in international commerce in addition to systems used in interstate commerce
Extends similar protections to portions of the national infrastructure other than computing systems, such as railroads, gas pipelines, electric power grids, and telecommunications circuits
Treats any intentional or reckless act that causes damage to critical portions of the national infrastructure as a felony
National Information Infrastructure Protection Act of 1996
Requires senior executives to take personal responsibility for ensuring the due care that ordinary, prudent individuals would exercise in the same situation.
Prudent person rule
Provided punishment guidelines to help federal judges interpret computer crime laws.
Federal Sentencing Guidelines
The Federal Sentencing Guidelines establish three burdens of proof for negligence:
First, the person accused of negligence must have a legally recognized obligation. Second, the person must have failed to comply with recognized standards. Finally, there must be a causal relationship between the act of negligence and subsequent damages.
Requires that federal agencies implement an information security program that covers the agency’s operations
Federal Information Security Management Act (FISMA)
Organization responsible for developing the FISMA implementation guidelines
The National Institute of Standards and Technology (NIST)
The Federal Information Security Modernization Act of 2014 amended the 2002 FISMA by centralizing federal cybersecurity responsibility in which agency?
The Department of Homeland Security
This standard is required for use in federal computing systems and is also commonly used as an industry cybersecurity benchmark.
NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
Compliance with this standard’s security controls (which are quite similar to those found in NIST SP 800-53) is often included as a contractual requirement by government agencies, so federal contractors must often comply with it.
NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
A set of standards designed to serve as a voluntary risk-based framework for securing information and systems.
The NIST Cybersecurity Framework (CSF)
This law charged the Department of Homeland Security with establishing a national cybersecurity and communications integration center.
National Cybersecurity Protection Act
The legendary secret formula for Coca-Cola or KFC’s secret blend of herbs and spices are examples of what?
Intellectual property (IP)
This law guarantees the creators of “original works of authorship” protection against the unauthorized duplication of their work.
Copyright law
In 1998, Congress recognized the rapidly changing digital landscape that was stretching the reach of existing copyright law. To help meet this challenge, it enacted the hotly debated ________
Digital Millennium Copyright Act (DMCA)
Words, slogans, and logos used to identify a company and its products or services.
Trademark
Protect the intellectual property rights of inventors
Utility patents
What are the three requirements of a patent?
The invention must be new. Inventions are patentable only if they are original ideas.
The invention must be useful. It must actually work and accomplish some sort of task.
The invention must not be obvious. You could not, for example, obtain a patent for your idea to use a drinking cup to collect rainwater. This is an obvious solution. You might, however, be able to patent a specially designed cup that optimizes the amount of rainwater collected while minimizing evaporation.
Intellectual property that is absolutely critical to a business, such that significant damage would result if it were disclosed to competitors and/or the public
Trade secrets
A written contract between the software vendor and the customer, outlining the responsibilities of each.
Contractual license agreements
Written on the outside of the software packaging. They commonly include a clause stating that you acknowledge agreement to the terms of the contract simply by breaking the shrink-wrap seal on the package.
Shrink-wrap license agreements
The contract terms are either written on the software box or included in the software documentation. During the installation process, you are required to click a button indicating that you have read the terms of the agreement and agree to abide by them.
Click-through license agreements
Provides a link to legal terms and a check box for users to confirm that they read and agree to the terms.
Cloud services license agreements
Controls the export of items that are specifically designated as military and defense items, including technical information related to those items.
International Traffic in Arms Regulations (ITAR)
Cover a broader set of items that are designed for commercial use but may have military applications
Export Administration Regulations (EAR)
This organization sets forth regulations on the export of encryption products outside the United States.
The Department of Commerce’s Bureau of Industry and Security (BIS)
Designed to protect the private information the government maintains about citizens as well as key portions of the private sector such as financial, educational, and healthcare institutions.
U.S. Privacy Law
Mandates that agencies maintain only the records that are necessary for conducting their business and that they destroy those records when they are no longer needed for a legitimate function of government.
Privacy Act of 1974
Makes it a crime to invade the electronic privacy of an individual.
The Electronic Communications Privacy Act of 1986 (ECPA)
Requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order, regardless of the technology in use.
The Communications Assistance for Law Enforcement Act (CALEA) of 1994
Extends the definition of property to include proprietary economic information so that the theft of this information can be considered industrial or corporate espionage.
The Economic Espionage Act of 1996
Requires strict security measures for hospitals, physicians, insurance companies, and other organizations that process or store private medical information about individuals.
Health Insurance Portability and Accountability Act (HIPAA)
This law updated many of HIPAA’s privacy and security requirements and was implemented through the HIPAA Omnibus Rule in 2013. HIPAA-covered entities that experience a data breach must notify affected individuals of the breach and must also notify both the Secretary of Health and Human Services and the media when the breach affects more than 500 individuals.
Health Information Technology for Economic and Clinical Health Act of 2009
This law makes a series of demands on websites that cater to children or knowingly collect information from children.
Children’s Online Privacy Protection Act of 1998 (COPPA)
Until this act became law in 1999, banks, insurance companies, and credit providers were severely limited in the services they could provide and the information they could share with each other. The act relaxed those barriers while imposing privacy and security requirements on how financial institutions handle customer information.
Gramm–Leach–Bliley Act (GLBA) of 1999
Allows authorities to obtain a blanket authorization for a person and then monitor all communications to or from that person under the single warrant.
USA PATRIOT Act of 2001
Specialized privacy bill that affects any educational institution that accepts any form of funding from the federal government (the vast majority of schools).
The Family Educational Rights and Privacy Act (FERPA)
Makes identity theft a crime against the person whose identity was stolen and provides severe criminal penalties (up to a 15-year prison term and/or a $250,000 fine) for anyone found guilty of violating this law.
Identity Theft and Assumption Deterrence Act
Outlines privacy measures that must be in place for protecting personal data processed by information systems.
European Union Data Protection Directive (DPD)
Provides a single, harmonized law that covers personal data throughout the European Union, replacing the DPD and bolstering the personal privacy protections it originally provided.
European Union General Data Protection Regulation (GDPR)
Governs the security of credit card information and is enforced through the terms of a merchant agreement between a business that accepts credit cards and the bank that processes the business’s transactions.
Payment Card Industry Data Security Standard (PCI DSS)