Chapter 4: Laws, Regulations, and Compliance

Question 1

The laws that the police and other law enforcement agencies concern themselves with

Answer 1

Criminal Law

Question 2

Laws designed to provide for an orderly society and govern matters that are not crimes but that require an impartial arbiter to settle between individuals and organizations.

Answer 2

Civil Law

Question 3

Laws that covers topics as mundane as the procedures to be used within a federal agency to obtain a desk telephone to more substantial issues such as the immigration policies that will be used to enforce the laws passed by Congress.

Answer 3

Administrative law

Question 4

Made it a crime to do the following:

Access classified information or financial information in a federal system without authorization or in excess of authorized privileges

Access a computer used exclusively by the federal government without authorization

Use a federal computer to perpetrate a fraud (unless the only object of the fraud was to gain use of the computer itself)

Cause malicious damage to a federal computer system in excess of $1,000

Modify medical records in a computer when doing so impairs or may impair the examination, diagnosis, treatment, or medical care of an individual

Traffic in computer passwords if the trafficking affects interstate commerce or involves a federal computer system

Answer 4

Computer Fraud and Abuse Act (CFAA)

Question 5

This law

Broadens the CFAA to cover computer systems used in international commerce in addition to systems used in interstate commerce

Extends similar protections to portions of the national infrastructure other than computing systems, such as railroads, gas pipelines, electric power grids, and telecommunications circuits

Treats any intentional or reckless act that causes damage to critical portions of the national infrastructure as a felony

Answer 5

National Information Infrastructure Protection Act of 1996

Question 6

Requires senior executives to take personal responsibility for ensuring the due care that ordinary, prudent individuals would exercise in the same situation.

Answer 6

Prudent person rule

Question 7

Provided punishment guidelines to help federal judges interpret computer crime laws.

Answer 7

Federal Sentencing Guidelines

Question 8

Federal Sentencing Guidelines has 3 burdens of proof for negligence:

Answer 8

First, the person accused of negligence must have a legally recognized obligation. Second, the person must have failed to comply with recognized standards. Finally, there must be a causal relationship between the act of negligence and subsequent damages.

Question 9

Requires that federal agencies implement an information security program that covers the agency’s operations

Answer 9

Federal Information Security Management Act (FISMA)

Question 10

Organization responsible for developing the FISMA implementation guidelines

Answer 10

The National Institute of Standards and Technology (NIST)

Question 11

The 2014 FISMA modified the rules of the 2002 FISMA by centralizing federal cybersecurity responsibility to who?

Answer 11

The Department of Homeland Security

Question 12

This standard is required for use in federal computing systems and is also commonly used as an industry cybersecurity benchmark.

Answer 12

NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations

Question 13

Compliance with this standard’s security controls (which are quite similar to those found in NIST 800-53) is often included as a contractual requirement by government agencies. Federal contractors must often comply with NIST SP 800-171.

Answer 13

NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations

Question 14

A set of standards designed to serve as a voluntary risk-based framework for securing information and systems.

Answer 14

The NIST Cybersecurity Framework (CSF)

Question 15

This law charged the Department of Homeland Security with establishing a national cybersecurity and communications integration center.

Answer 15

National Cybersecurity Protection Act

Question 16

The legendary secret formula for Coca-Cola or KFC’s secret blend of herbs and spices are examples of

Answer 16

Intellectual property (IP)

Question 17

This law guarantees the creators of “original works of authorship” protection against the unauthorized duplication of their work.

Answer 17

Copyright law

Question 18

In 1998, Congress recognized the rapidly changing digital landscape that was stretching the reach of existing copyright law. To help meet this challenge, it enacted the hotly debated ________

Answer 18

Digital Millennium Copyright Act (DMCA)

Question 19

Words, slogans, and logos used to identify a company and its products or services.

Answer 19

Trademark

Question 20

Protect the intellectual property rights of inventors

Answer 20

Utility patents

Question 21

What are the 3 requirements of a patent?

Answer 21

The invention must be new. Inventions are patentable only if they are original ideas.

The invention must be useful. It must actually work and accomplish some sort of task.

The invention must not be obvious. You could not, for example, obtain a patent for your idea to use a drinking cup to collect rainwater. This is an obvious solution. You might, however, be able to patent a specially designed cup that optimizes the amount of rainwater collected while minimizing evaporation.

Question 22

Intellectual property that is absolutely critical to their business, and significant damage would result if it were disclosed to competitors and/or the public

Answer 22

Trade secrets

Question 23

A written contract between the software vendor and the customer, outlining the responsibilities of each.

Answer 23

Contractual license agreements

Question 24

Are written on the outside of the software packaging. They commonly include a clause stating that you acknowledge agreement to the terms of the contract simply by breaking the shrink-wrap seal on the package.

Answer 24

Shrink-wrap license agreements

Question 25

The contract terms are either written on the software box or included in the software documentation. During the installation process, you are required to click a button indicating that you have read the terms of the agreement and agree to abide by them

Answer 25

Click-through license agreements

Question 26

Provides a link to legal terms and a check box for users to confirm that they read and agree to the terms.

Answer 26

Cloud services license agreements

Question 27

Controls the export of items that are specifically designated as military and defense items, including technical information related to those items.

Answer 27

International Traffic in Arms Regulations (ITAR)

Question 28

Cover a broader set of items that are designed for commercial use but may have military applications

Answer 28

Export Administration Regulations (EAR)

Question 29

This organization sets forth regulations on the export of encryption products outside the United States.

Answer 29

The Department of Commerce’s Bureau of Industry and Security (BIS)

Question 30

Designed to protect the private information the government maintains about citizens as well as key portions of the private sector such as financial, educational, and healthcare institutions.

Answer 30

U.S. Privacy Law

Question 31

Mandates that agencies maintain only the records that are necessary for conducting their business and that they destroy those records when they are no longer needed for a legitimate function of government.

Answer 31

Privacy Act of 1974

Question 32

Makes it a crime to invade the electronic privacy of an individual.

Answer 32

The Electronic Communications Privacy Act of 1986 (ECPA)

Question 33

Requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order, regardless of the technology in use.

Answer 33

The Communications Assistance for Law Enforcement Act (CALEA) of 1994

Question 34

Extends the definition of property to include proprietary economic information so that the theft of this information can be considered industrial or corporate espionage.

Answer 34

The Economic Espionage Act of 1996

Question 35

Requires strict security measures for hospitals, physicians, insurance companies, and other organizations that process or store private medical information about individuals.

Answer 35

Health Insurance Portability and Accountability Act (HIPAA)

Question 36

This law updated many of HIPAA’s privacy and security requirements and was implemented through the HIPAA Omnibus Rule in 2013. HIPAA-covered entities that experience a data breach must notify affected individuals of the breach and must also notify both the secretary of health and human services and the media when the breach affects more than 500 individuals.

Answer 36

Health Information Technology for Economic and Clinical Health Act of 2009

Question 37

COPPA makes a series of demands on websites that cater to children or knowingly collect information from children.

Answer 37

Children’s Online Privacy Protection Act of 199

Question 38

Banks, insurance companies, and credit providers were severely limited in the services they could provide and the information they could share with each other.

Answer 38

Gramm–Leach–Bliley Act (GLBA) became law in 1999

Question 39

Allows authorities to obtain a blanket authorization for a person and then monitor all communications to or from that person under the single warrant.

Answer 39

USA PATRIOT Act of 2001

Question 40

Specialized privacy bill that affects any educational institution that accepts any form of funding from the federal government (the vast majority of schools).

Answer 40

The Family Educational Rights and Privacy Act (FERPA)

Question 41

Makes identity theft a crime against the person whose identity was stolen and provides severe criminal penalties (up to a 15-year prison term and/or a $250,000 fine) for anyone found guilty of violating this law.

Answer 41

Identity Theft and Assumption Deterrence Act

Question 42

Outlines privacy measures that must be in place for protecting personal data processed by information systems.

Answer 42

European Union Data Protection Directive (DPD)

Question 43

Provide a single, harmonized law that covers data throughout the European Union, bolstering the personal privacy protections originally provided by the DPD.

Answer 43

European Union General Data Protection Regulation

Question 44

Governs the security of credit card information and is enforced through the terms of a merchant agreement between a business that accepts credit cards and the bank that processes the business’s transactions.

Answer 44

Payment Card Industry Data Security Standard (PCI DSS)