Domain 1 - Laws and Regulations Flashcards

1
Q

Administrative law

A

Government-mandated compliance measures issued by executive agencies rather than the legislature, e.g. FCC regulations, CDC regulations.

2
Q

Attestation

A

A third party attests that the service provider is meeting the requirements of the SLA, security-related or otherwise. ISO 27001 is commonly used as the audit guide.

3
Q

Business Records Exception/exemption

A

Business records, such as logs on a computer system, may be admitted as evidence if they were made at the time of the event by someone (or something) with direct knowledge, were kept in the course of regular business activity, and keeping such records is a regular practice of the organization.

They must be accompanied by testimony from an individual qualified to show these criteria were met, e.g. the administrator responsible for the logging system.

4
Q

California Senate bill 1386

A

First state data-breach notification law, enacted in 2002 (effective 2003).

Requires organizations experiencing a breach of unencrypted personal data to notify the California residents who may be affected.

5
Q

Circumstantial evidence

A

Evidence that does not prove a fact directly but establishes the circumstances surrounding it, so that the fact must be inferred.

It serves to support particular points or to support other evidence.

6
Q

Civil law (National System of law)

A

Relies on codified laws or statutes to determine what is within the bounds of the law. The most common type of national legal system in the world.

Not to be confused with the sub-section of common law also called 'civil law', which refers to tort law.

7
Q

CoCom

A

Cold War era export control agreement: the Coordinating Committee for Multilateral Export Controls.

8
Q

Common law

A

Common law is the legal system used in the United States, Canada, the United Kingdom, and most former British colonies, amongst others. The primary distinguishing feature of common law is the significant emphasis on particular cases and judicial precedents as determinants of laws.

9
Q

Computer Ethics Institute's Ten Commandments of Computer Ethics

A

a. Thou shalt not use a computer to harm other people.
b. Thou shalt not interfere with other people's computer work.
c. Thou shalt not snoop around in other people's computer files.
d. Thou shalt not use a computer to steal.
e. Thou shalt not use a computer to bear false witness.
f. Thou shalt not copy or use proprietary software for which you have not paid.
g. Thou shalt not use other people's computer resources without authorization or proper compensation.
h. Thou shalt not appropriate other people's intellectual output.
i. Thou shalt think about the social consequences of the program or system you are designing.
j. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.

10
Q

Computer Fraud and Abuse Act (CFAA), 18 U.S.C. section 1030

A

i. One of the first US laws addressing computer crime.
ii. Attacks on computer systems causing at least $5,000 in loss are criminalized (the $5,000 figure is one of the statute's enumerated harm thresholds).
iii. The "protected computer" definition, covering any computer used in interstate or foreign commerce, now reaches far more computers than originally intended.
iv. Enacted 1984; amended several times, including 2001 (PATRIOT Act) and 2008.

11
Q

Corroborative evidence

A

Provides additional evidence for a fact that may be called into question.

It is supporting evidence used to help prove an idea or point; it cannot stand on its own.

12
Q

The Council of Europe’s Convention on Cybercrime of 2001

A

Also called the Budapest Convention. The first international treaty on computer crime, aimed at harmonizing national laws and enabling international cooperation in investigations. Ratified by around 65 countries, including the US, which signed in 2001 and ratified it in 2006.

13
Q

Criminal law

A

Defines crimes committed against society, even when the actual victim is a business or individual. Criminal laws are enacted to protect the general public; the state prosecutes, and the burden of proof is beyond a reasonable doubt.

14
Q

Direct Evidence

A

Testimony of a witness with first-hand knowledge, i.e. someone who directly saw or heard the fact in question.

15
Q

Due care

A

Also known as the prudent man rule: doing what a reasonable person would do in the same situation, e.g. patching systems and keeping backups.

16
Q

Due diligence

A

The management of due care: investigating the risks and verifying that the controls implementing due care actually exist and work (due care is doing; due diligence is checking).

17
Q

Electronic Communications Privacy Act (ECPA)

A

Extends the search and seizure protections that already applied to telephone calls to non-telephony electronic communications such as email and stored data.

The PATRIOT Act later weakened these protections to a degree.

18
Q

Entrapment vs. enticement

A

Entrapment = law enforcement persuades someone to commit a crime they otherwise would not have committed. It is a valid defense.

Enticement = law enforcement makes the opportunity for the crime favorable (e.g. a honeypot), but the criminal already intended to commit the crime. It is not a valid defense.

19
Q

EU-US Safe Harbor

A

Framework under which personal data could be transferred from the EU to US organizations if, and only if, the US organization self-certified to principles consistent with the EU Data Protection Directive. Invalidated by the EU Court of Justice in 2015 (the Schrems decision).

20
Q

Gramm-Leach-Bliley Act (GLBA)

A

Requires financial institutions to protect the confidentiality, integrity and availability of consumer financial information, and to notify consumers of their privacy practices.

21
Q

Gross negligence

A

The reckless failure to exercise due care.
If a system under your control is compromised and you can prove you exercised due care, you are most likely not liable.
If a system under your control is compromised and you did not exercise due care, you are most likely liable.

22
Q

Payment Card Industry Data Security Standard (PCI DSS)

A

A contractual (not legal) standard that applies to cardholder data for both credit and debit cards.

Requires merchants and others that store, process or transmit cardholder data to meet a minimum set of security requirements.

Mandates security policy, devices, control techniques, and monitoring.

23
Q

Hearsay Evidence

A

Second-hand evidence, not first-hand knowledge; normally inadmissible in court.

Can be testimony from secondary witnesses, or computer logs that do not meet the Business Records Exception.

24
Q

HIPAA

A

HIPAA (not HIPPA): the Health Insurance Portability and Accountability Act, passed in 1996.
Puts strict privacy and security rules on how PHI (Protected Health Information) is handled by health insurers, providers and clearinghouses (claims processors), the "covered entities".
HIPAA has 3 rules: the Privacy Rule, the Security Rule and the Breach Notification Rule.
The rules mandate administrative, physical and technical safeguards.
Risk analysis is required.

The HITECH Act of 2009 makes the HIPAA privacy and security provisions apply to business associates of covered entities as well.

25
Q

Import/export restrictions

A

Generally related to cryptographic technology. The US restricts the export of strong crypto; countries with poor human-rights records restrict its import so that citizens cannot use it.

26
Q

(ISC)2 Code of Ethics: number of canons and preamble statements

A

4 canons

2 preamble statements

27
Q

NIST SP 800-30 risk management guide

A

Guide for Conducting Risk Assessments.

9 steps (from the original 2002 edition, titled Risk Management Guide for Information Technology Systems; Revision 1 of 2012 restructures the process into prepare, conduct, communicate and maintain):

  1. System characterization
  2. Threat identification
  3. Vulnerability identification
  4. Control (safeguard) analysis
  5. Likelihood determination
  6. Impact analysis
  7. Risk determination (likelihood combined with impact)
  8. Control recommendations
  9. Results documentation
28
Q

OECD Privacy Guidelines

A

8 principles:

  1. Collection limitation
  2. Data quality
  3. Purpose specification
  4. Use limitation
  5. Security safeguards
  6. Openness
  7. Individual participation
  8. Accountability

29
Q

PATRIOT Act (2001)

A

i. Expanded law enforcement's electronic monitoring capabilities: broader coverage for wiretaps, and search and seizure without immediate disclosure to the target (delayed-notification warrants).
ii. Amended the CFAA so that repeat offenders can get up to 20 years in prison.

30
Q

Real evidence

A

Tangible, physical objects: a bloody knife, a seized hard drive, printed documentation, etc.

31
Q

Religious/customary law

A

Legal systems based on religious texts (e.g. Sharia) or on long-standing local custom; a third category alongside common law and civil law.

32
Q

Right to penetration test / right to audit

A

Common clauses put in an SLA or contract, reserving the customer's right to penetration test and/or audit the provider. Without such a clause, testing a provider's systems may be unauthorized access.

33
Q

Sarbanes-Oxley Act (SOX), 2002

A

i. Requires regulatory compliance for publicly traded companies; section 404 requires management to attest to internal controls over financial reporting, which is what drives IT controls.
ii. The primary goal of SOX was to ensure accurate financial disclosure and auditor independence.

34
Q

Secondary evidence

A

Common in cases involving IT: logs and documents from the systems are considered secondary evidence.

Copies of original documents, or oral descriptions of those documents.

35
Q

SLA (service level agreement)

A

Identifies the key expectations between two business parties and sets general performance expectations; increasingly also includes security requirements.

36
Q

US breach notification laws

A

Purpose: notify end users when their personal data is lost, stolen or released. Many states include a safe-harbor provision (typically, no notification is required if the lost data was encrypted). Still very complex, though, as each state has different rules.

37
Q

US Privacy Act of 1974

A

Codifies the protection of personal data held by the federal government. Individuals can access and request correction of the personal data the government holds about them.

38
Q

Wassenaar Arrangement

A

Current multilateral export control agreement (1996) covering conventional arms and dual-use goods and technologies, including cryptography. Less restrictive than CoCom, which it replaced.

39
Q

EU Data Protection Directive - Principle 1

A

Aggressive pro-privacy law (Directive 95/46/EC, replaced by the GDPR in 2018). 4 principles.

1. Notify individuals how their data is collected and used.

40
Q

EU Data Protection Directive - Principle 2

A
2. Allow individuals to opt out of sharing with third parties.
41
Q

EU Data Protection Directive - Principle 3

A
3. Require individuals to opt in for the most sensitive data.
42
Q

EU Data Protection Directive - Principle 4

A
4. Provide reasonable protections for personal data.
43
Q

Civil law (sub-section of common law)

A

Not to be confused with the national type of legal system also called 'civil law'.

Tort law: deals with injury resulting from someone violating their duty of care. Burden of proof = preponderance of the evidence (more likely than not), a lower bar than the "beyond a reasonable doubt" standard of criminal law.