Ethics & Law Part 1

Question 1

To minimize liabilities/reduce risks, the information security practitioner must:

Answer 1

Understand current legal environment, stay current with laws and regulation, watch out for new issues that emerge, be aware that laws change based on your field

Question 2

What are laws?

Answer 2

Rules, enforced by government agencies, that mandate or prohibit certain societal behavior.

Question 3

What are ethics?

Answer 3

Rules and practices, enforced by society and personal interaction, which define socially acceptable behavior

Question 4

True or False: Laws carry the authority of a governing authority; ethics do not.

Answer 4

True

Question 5

What is a liability?

Answer 5

The legal obligation of an entity extending beyond criminal or contract law. Includes the legal obligation to make restitution.

Question 6

What is restitution?

Answer 6

The legal obligation to compensate an injured party for wrongs committed.

Question 7

What is “Right to work” ?

Answer 7

Not force to join a union

Question 8

What does “At Will” mean?

Answer 8

if no contract either party may sever a relationship for any reason

Question 9

What’s a salary?

Answer 9

paid fixed amount regardless of hours worked

Question 10

What does Exempt mean (from Fair Labor Standards Act)?

Answer 10

not paid overtime (must meet minimum requirements)

Question 11

What is a jurisdiction?

Answer 11

Court’s right to hear a case if the wrong was committed in its territory or involved its citizenry.

Question 12

What is Long-arm jurisdiction?

Answer 12

Application of laws to those residing outside a court’s normal jurisdiction; usually granted when a person acts illegally within the jurisdiction and leaves (oroperates virtually).

Question 13

What is due care?

Answer 13

Taking steps to ensure is in compliance with a law, regulation, or requirement.

Question 14

What is due diligence?

Answer 14

Ensure org continues to meet obligations – the management of due care

Question 15

What does Indemnification mean?

Answer 15

Not held liable

Question 16

What is a “get out of jail card”?

Answer 16

Authorization to violate corporate policies

Question 17

What are some traits of policies?

Answer 17

managerial directives that specify acceptable and unacceptable employee behavior in the workplace, function as organizational “laws”, and must be crafted and implemented with care to ensure they are complete, appropriate, and fairly applied to everyone.

Question 18

To be enforceable in court, a policy must be:

Answer 18

• Not be itself illegal
• Distributed to all expected to comply
• Uniformly enforced regardless of position
• Readily available as a reference
• Easily understood by all affected
• Formally acknowledged
• Have a formal, regular review process

Question 19

True or False: Policies can never require you to break a law.

Answer 19

True

Question 20

True or False: Ignorance of a policy is an acceptable defense if no training , but ignorance of law is not

Answer 20

True

Question 21

What are different types of law?

Answer 21

• Constitutional: Org operating under terms of formal written doc
• Statutory: written laws enacted by legislative body (Civil, Tort or Criminal)
• Regulatory or Administrative
• Common, Case, and Precedent
• Private vs Public

Question 22

What is the Computer Fraud and Abuse Act of 1986 (CFA Act):

Answer 22

Cornerstone of many computer-related federal laws and enforcement efforts

Question 23

What is the National Information Infrastructure Protection Act of 1996:

Answer 23

• Modified several sections of the previous act and increased the penalties for selected crimes
• Severity of the penalties was judged on the value of the information and the
  purpose, for example: for purposes of commercial advantage, for private financial gain, and in furtherance of a criminal act.

Question 24

Whart are some general computer crimes/laws applicable for these crimes?

Answer 24

• Accessing computers without authorization or in excess of authorization
• Faking identity
• Distribution of malicious code
• Denial of service attacks
• Trafficking in passwords
• Knowingly transmitting a malicious program, code, command or other malicious
  information
• Using electronic methods to probe, disable or compromise a system or to make use
  of it outside of its intended purpose (“hacking”)

Question 25

What is the USA PATRIOT Act of 2001?

Answer 25

broader latitude in order to combat terrorism-related activities.

Question 26

What is the USA PATRIOT Improvement and Reauthorization Act?

Answer 26

**made many expanded powers permanent** and **expanded powers of DHS and the FBI in investigating terrorist activity**.

Question 27

What is the USA FREEDOM Act?

Answer 27

inherited select USA PATRIOT functions as the PATRIOT act expired in 2015.

Question 28

What is the Computer Security Act of 1987?

Answer 28

One of the first attempts to protect federal computer systems

Question 29

What is the Federal Information Security Management Act?

Answer 29

Passed in 2002, and mandates all federal agencies establish information security programs to protect their information assets.

Question 30

What was the FISMA Reform?

Answer 30

- Federal Information Security Modernization Act of 2014 - Focused on enhancing the federal government’s ability to respond to security attacks on government agencies and departments.

Question 31

What’s privacy?

Answer 31

The right to protect from unauthorized access, providing confidentiality

Question 32

What are some U.S privacy regulations?

Answer 32

- Privacy of Customer Information Section of the Common Carrier regulation - Federal Privacy Act of 1974 - Electronic Communications Privacy Act of 1986 - Health Insurance Portability and Accountability Act of 1996 (HIPAA), or the Kennedy-Kassebaum Act - Financial Services Modernization Act, or Gramm-Leach-Bliley Act of 1999

Question 33

What is information aggregation?

Answer 33

Information assembles from multiple sources

Question 34

Identity theft can occur when…

Answer 34

Someone steal’s victims personally identifiable information and poses as the victim to make purchases

Question 35

Which body oversees ID theft and fosters coordination to prosecute criminal and increase victim’s restitution?

Answer 35

FTC

Question 36

What does the FTC recommend you do if you are a victim of Identity theft?

Answer 36

Place an initial fraud alert, order credit reports, create and identity theft report, monitor your progress

Question 37

What does the Economic Espionage Act of 1996 (EEA) and the Security and Freedom through Encryption Act of 1999 (SAFE) say about encryption?

Answer 37

**Reinforce the right to use or sell encryption algorithms, without concern of key registration, prohibit the federal government from requiring it, make it not probable cause to suspect criminal activity, relax export restrictions, additional penalties for using it in a crime**.

Question 38

What is the Sarbanes- Oxley Act of 2002?

Answer 38

- Affects the executive management of publicly traded corporations and public accounting firms. - Seeks to improve the reliability and accuracy of financial reporting and increase the accountability of corporate governance in publicly traded companies. - It provides penalties for noncompliance ranging from fines to jail terms.

Question 39

What is the Freedom of Information Act of 1966 (FOIA)

Answer 39

Allows access to fed agency records that are not deemed to be a matter of national security. U.S. gov agencies required to disclose and requested info. This act doesn’t apply to local for state gov.

Question 40

What are Ohio Sunshine Laws or Ohio Public Record Act?

Answer 40

- Records of the government are “the people’s records” - Provides citizens steps to request records - Protects some records from being withheld - Record management determines time to keep records

Question 41

What is the Payment Card Industry Data Security Standards (PCI DSS)?

Answer 41

- Developed to enhance cardholder data security - provides baseline of technical requirements to protect account data - applies to entities involved in payment card processing such as merchants, processors, etc. - applies to entities such as store, process, or transmit cardholder data

Question 42

What are the PCI DSS areas and requirements in these areas?

Answer 42

Build and maintain secure network and system-> install and maintain firewall to protect card holder data Protect cardholder data-> encrypt transmission of card holder data Maintain vulnerability management-> protect all systems against malware Implement strong access control measures-> restrict access to cardholder data by business Regularly monitor and test networks-> track all access to network resources and cardholder data Maintain info security policy-> maintain policy that addresses info security for all personnel