Domain 1 - Laws and Regulations Flashcards
Administrative law
Government-mandated compliance measures, e.g. FCC regulations, CDC regulations.
Attestation
A third party attests that the service provider is meeting the requirements of the SLA, security-related or otherwise. ISO 27001 is commonly used as an audit guide.
Business Records Exception/exemption
Business records, such as logs on a computer system, may be admitted as evidence if they were made at the time of the event by someone or something with direct knowledge, were kept in the course of regular business activity, and keeping those records is a regular practice.
Must be accompanied by the testimony of an individual qualified to show that these criteria were met.
California Senate bill 1386
First state-based data-breach notification law in 2002.
Requires organizations experiencing a data breach to notify California residents who might be affected.
Circumstantial evidence
Establishes the circumstances of a crime.
Evidence which serves to establish the circumstances related to particular points, or even to other evidence.
Civil law (National System of law)
Leverages codified laws or statutes to determine what is within the bounds of the law. Most common type of national legal system across the world.
Not to be confused with the sub-section of common law also called "civil law", which refers to tort law.
CoCom
Cold War era export control agreement: the Coordinating Committee for Multilateral Export Controls.
Common law
Common law is the legal system used in the United States, Canada, the United Kingdom, and most former British colonies, amongst others. The primary distinguishing feature of common law is the significant emphasis on particular cases and judicial precedents as determinants of laws.
Computer Ethics Institute 10 commandments
a. Thou shalt not use a computer to harm others.
b. Thou shalt not interfere with others' computer work.
c. Thou shalt not snoop.
d. Thou shalt not use a computer to steal.
e. Thou shalt not use a computer to bear false witness.
f. Thou shalt not copy or use proprietary software for which you haven't paid.
g. Thou shalt not use others' computer resources without authorization or proper compensation.
h. Thou shalt not appropriate others' intellectual output.
i. Thou shalt think about the social consequences of the program or system you're engineering.
j. Thou shalt always use a computer in a way that ensures consideration and respect for fellow humans.
Computer Fraud and Abuse Act – Title 18, Section 1030
i. One of the first US laws about computer crime.
ii. Attacks on computer systems with damages above $5000 are criminalized.
iii. The foreign and interstate commerce portion covers many more computers than originally intended.
iv. Drafted 1984. Amended 2001, 2008.
Corroborative evidence
Provides additional evidence for a fact that may be called into question.
It is supporting evidence used to help prove an idea or point; it cannot stand on its own.
The Council of Europe’s Convention on Cybercrime of 2001
International cooperation in computer crime policy. Signed by 65 countries, including the US (signed 2006).
Criminal law
Defines those crimes committed against society, even when the actual victim is a business or individual(s). Criminal laws are enacted to protect the general public.
Direct Evidence
Testimony of a direct witness.
Due care
AKA the prudent man rule. Means you do what a reasonable person would do in a given situation.
Due diligence
The management of due care.
Electronic Communications Privacy Act – ECPA
Brings the same level of search and seizure protection to non-telephony electronic communications.
The PATRIOT Act reversed this to a degree.
Entrapment vs enticement
Entrapment = law enforcement persuades someone to commit a crime when they otherwise wouldn't have.
Enticement = law enforcement makes the chance of a crime favorable, but the criminal was already going to do the criminal act.
EU-US Safe Harbor
US organizations can share data with EU branches if and only if they follow the EU Data Protection Directive.
Gramm-Leach Bliley Act
Requires financial institutions to protect the CIA (confidentiality, integrity, availability) of consumer financial information. Forced them to notify consumers of their privacy practices.
Gross negligence
If a system under your control is compromised and you can prove you exercised due care, you are most likely not liable.
If a system under your control is compromised and you did NOT exercise due care, you are most likely liable.
Payment Card Industry Data Security Standard (PCI-DSS)
The standard applies to cardholder data for both credit and debit cards.
Requires merchants and others to meet a minimum set of security requirements.
Mandates security policy, devices, control techniques, and monitoring.
Hearsay Evidence
Second-hand evidence, not first-hand knowledge; normally inadmissible in a case.
Can be secondary witnesses, or computer logs that don’t meet the Business Records Exception/exemption.
HIPAA
HIPAA (Not HIPPA) – Health Insurance Portability and Accountability Act.
Puts strict privacy and security rules on how PHI (Personal Health Information) is handled by health insurers, providers and clearinghouse agencies (claims).
HIPAA has 3 rules – Privacy rule, Security rule and Breach Notification rule.
The rules mandate Administrative, Physical and Technical safeguards.
Risk Analysis is required.
HIPAA was passed in 1996. The HITECH Act of 2009 makes the HIPAA Privacy and Security provisions apply to business associates of covered entities as well.
Import/export restriction
Generally related to cryptographic technology. Export restrictions from the US; import restrictions in countries with poor human-rights records.
ISC2 Code of Ethics: number of Canons and Preamble statements
4 Canons
2 Preamble statements
Real Evidence
Tangible/physical objects: a bloody knife, documentation, etc.
Religious/customary law
Self-explanatory.
SLA (service level agreement)
Identifies key expectations between two business parties and ensures general performance expectations; increasingly also includes security requirements.
US Breach Notification laws
Purpose is to notify end users when their personal data is lost, stolen or released. Many states have safe-harbor rules with other states. Still very complex, though, as each state has different rules.
US Privacy Act of 1974
Codifies protection of personal data in use by the federal government. Individuals can access personal data used by the government.