Domain 1 - Laws and Regulations Flashcards
Administrative law
Government-mandated compliance measures, e.g. FCC regulations, CDC regulations.
Attestation
A third party attests that the service provider is meeting the requirements of the SLA, security or otherwise. ISO 27001 is commonly used as an audit guide.
Business Records Exception/exemption
Business records, such as logs on a computer system, may be admitted as evidence if they were made at the time of the event by someone or something with direct knowledge, were kept in the course of regular business activity, and keeping those records is a regular practice.
Must be accompanied by the testimony of an individual qualified to show these criteria were met.
California Senate bill 1386
First state-based data-breach notification law in 2002.
Requires organizations experiencing a data breach to notify California residents who might be affected.
Circumstantial evidence
Establishes the circumstances of a crime.
Evidence which serves to establish the circumstances related to particular points, or even to other evidence.
Civil law (National System of law)
Leverages codified laws or statutes to determine what is within the bounds of law. The most common type of national law across the world.
Not to be confused with the sub-section of common law also called ‘civil law’, which refers to tort law.
CoCom
Cold War era export control agreement - Coordinating Committee for Multilateral Export Controls.
Common law
Common law is the legal system used in the United States, Canada, the United Kingdom, and most former British colonies, amongst others. The primary distinguishing feature of common law is the significant emphasis on particular cases and judicial precedents as determinants of laws.
Computer ethics institute 10 commandments
a. Thou shalt not use a comp to harm others
b. Not interfere with others’ comp. work.
c. Thou shalt not snoop
d. Not use comp. to steal
e. Not use a comp. to bear false witness
f. Not copy or use proprietary software for which you haven’t paid
g. Not use others’ computer resources without authorization or proper compensation
h. Not appropriate others’ intellectual output.
i. You should think about social consequences of the program or system you’re engineering
j. Always use PC in a way to ensure consideration and respect for fellow humans.
Computer Fraud and Abuse Act – Title 18, Section 1030
i. One of the first US laws about computer crime
ii. Attacks on computer systems with damages above $5000 are criminalized
iii. The foreign and interstate commerce portion covers many more computers than originally intended.
iv. Drafted 1984. Amended 2001, 2008
Corroborative evidence
Provides additional evidence for a fact that may be called into question.
It is supporting evidence used to help prove an idea or point; it cannot stand on its own.
The Council of Europe’s Convention on Cybercrime of 2001
International cooperation in computer crime policy. Signed by 65 countries, including the US (signed 2006).
Criminal law
Defines those crimes committed against society, even when the actual victim is a business or individual(s). Criminal laws are enacted to protect the general public.
Direct Evidence
Testimony of a direct witness.
Due care
AKA the prudent man rule. Means you do what a reasonable person would do in a given situation.
Due diligence
The management of due care.
Electronic Communications Privacy Act – ECPA
Brings the same level of search and seizure protection to non-telephony electronic communications.
The PATRIOT Act reversed this to a degree.
Entrapment vs enticement
Entrapment = law enforcement persuades someone to commit a crime when they otherwise wouldn't have.
Enticement = law enforcement makes the chance of a crime favorable, but the criminal was already going to do the criminal thing.
EU-US Safe Harbor
US organizations can share data with EU branches if and only if they follow the EU Data Protection Directive.
Gramm-Leach-Bliley Act
Requires financial institutions to protect the CIA (confidentiality, integrity, availability) of consumer financial information. Forced them to notify consumers of their privacy practices.
Gross negligence
If a system under your control is compromised and you can prove you exercised due care, you are most likely not liable.
If a system under your control is compromised and you did NOT exercise due care, you are most likely liable.
Payment Card Industry Data Security Standard (PCI-DSS)
The standard applies to cardholder data for both credit and debit cards.
Requires merchants and others to meet a minimum set of security requirements.
Mandates security policy, devices, control techniques, and monitoring.
Hearsay Evidence
Second-hand evidence, not first-hand knowledge; normally inadmissible in a case.
Can be secondary witnesses, or computer logs that don’t meet the Business Records Exception/exemption.
HIPAA
HIPAA (Not HIPPA) – Health Insurance Portability and Accountability Act.
Puts strict privacy and security rules on how PHI (Personal Health Information) is handled by health insurers, providers and clearinghouse agencies (claims).
HIPAA has 3 rules – Privacy rule, Security rule and Breach Notification rule.
The rules mandate Administrative, Physical and Technical safeguards.
Risk Analysis is required.
HIPAA was passed in 1996. The HITECH Act of 2009 makes the HIPAA Privacy and Security provisions apply to business associates of covered entities as well.
Import/export restriction
Generally related to crypto technology. Export restrictions from the US; import restrictions in countries with poor human rights records.
ISC2 code of ethics: number of Canons and Preamble statements
4 Canons
2 Preamble statements
NIST 800-30 Risk mgmt guide
Guide for Conducting Risk Assessments
9 steps
- System characterization
- Threat identification
- Vulnerability identification
- Control (safeguard) analysis
- Likelihood determination
- Impact analysis
- Risk determination
- Control recommendations
- Results documentation
OECD Privacy Guidelines
8 principles
1. Collection limitation
2. Data quality
3. Purpose specification
4. Use limitation
5. Security safeguards
6. Openness principle
7. Individual participation
8. Accountability principle
PATRIOT act
i. Expanded law enforcement electronic monitoring capabilities. Provided broader coverage for wiretaps. Allowed search and seizure without immediate disclosure.
ii. Amends the ECPA so that second offenders can get up to 20 years in prison.
Real Evidence
Tangible/physical objects: a bloody knife, documentation, etc.
Religious/customary law
Self-explanatory.
Right to penetration test, audit.
Common requirements put in an SLA. Reserves the right to penetration test and/or audit the provider.
Sarbanes-Oxley 2002
i. Requires regulatory compliance for publicly traded companies.
ii. The primary goal of SOX was to ensure good financial disclosure and auditor independence.
Secondary evidence
This is common in cases involving IT.
Logs and documents from the systems are considered secondary evidence.
Copies of original documents, or oral descriptions of said documents.
SLA, service level agreement
Identifies key expectations between two business parties, ensures general performance expectations, and increasingly also includes security requirements.
US Breach Notification laws
Purpose: to notify end users when their personal data is lost/stolen/released. Many states have safe harbor rules with other states. Still very complex though, as each state has different rules.
US Privacy Act of 1974
Codifies protection of personal data in use by the federal government. Individuals can access personal data used by the government.
Wassenaar Arrangement
Current export control agreement. Less restrictive than CoCom.
EU Data Protection Directive - Principle 1
Aggressive pro-privacy law. 4 principles.
1. Notify individuals how data is collected and used
EU Data Protection Directive - Principle 2
- Allow individuals to opt out of sharing with 3rd parties
EU Data Protection Directive - Principle 3
- Require individuals to opt in for the most sensitive data
EU Data Protection Directive - Principle 4
- Provide reasonable protections on personal data
Civil Law (sub-section of Common law)
Not to be confused with the national type of law also called ‘civil law’.
Tort law deals with injury resulting from someone violating their duty of care. Burden of proof = beyond a reasonable doubt.