Information Security Legal and Regulatory Issues Flashcards

1
Q

What is intellectual property and how can it be protected?

A
  • intangible assets created through intellectual efforts
  • can be protected through:
    • Patent
    • Trademark
    • Copyright
    • Trade Secret
    • Licensing
2
Q

Describe Patent

A
  • form of legal protection granted to inventors for their inventions or discoveries
  • provides exclusive rights to the inventor for a limited period, typically 20 years from the date of filing, to prevent others from making, using, selling, or importing the patented invention without permission
3
Q

Describe Trademark

A
  • recognizable sign, symbol, design, word, phrase, logo or combination thereof that distinguishes goods or services of one business from those of others
  • serves as an identifier of the source of the goods or services and helps build brand recognition and customer trust
4
Q

Describe Copyright

A
  • legal protection granted to authors, artists, musicians, and creators of original works
  • automatically applies upon creation of an original work in a fixed tangible form, such as literature, music, software, paintings, photographs, or films
  • duration of copyright protection varies depending on the country, but in general, it lasts for the lifetime of the author plus a certain number of years after their death
5
Q

Describe Trade Secret

A
  • confidential and valuable business information that is absolutely critical to the business, as it provides a competitive advantage to its owner
  • can include formulas, recipes, manufacturing processes, customer lists, marketing strategies, or any other information that is not generally known or readily accessible to others
  • unlike patents or trademarks, trade secrets are not publicly disclosed
6
Q

Describe Licensing

A
  • granting of rights to use, distribute, or modify software according to the terms outlined in a software license agreement
  • defines the terms of use, such as the number of installations, permitted usage, limitations, support provisions, and restrictions on copying or modification
7
Q

What are the 4 types of licensing?

A
  1. Contractual License
  2. Shrink-Wrap License
  3. Click-Through License
  4. Cloud Services License
8
Q

Describe Contractual License

A
  • software licensing agreement that is negotiated and agreed upon through a formal contract between the software vendor and the user or organization
  • the terms and conditions of the license, including usage rights, limitations, and fees, are outlined in the contract
  • typically used for custom software solutions or specialized software tailored to specific business needs
9
Q

Describe Shrink-Wrap License

A
  • type of software license that is packaged with the software product and is presented to the user upon opening the shrink-wrapped package
  • typically printed inside the package or included as a separate document
10
Q

Describe Click-Through License

A
  • type of software license agreement that is presented to the user during the installation or download process of the software
  • user is required to read and accept the terms and conditions of the license agreement by clicking an “Accept” or “Agree” button before proceeding with the installation or use of the software
11
Q

Describe Cloud Services License

A
  • licensing models used for software or services delivered through cloud computing platforms
  • typically outline the usage rights, data ownership, service level agreements (SLAs), and any restrictions or limitations on the use of the cloud services
12
Q

What are Import and Export Controls?

A

regulations and measures imposed by governments to manage the cross-border movement of goods, services, technologies, and information

13
Q

What is the Purpose of Import and Export Controls? (3)

A
  • National Security
  • Non-Proliferation
  • Economic Interests
14
Q

What might be the regulated items for import/export?

A
  • physical goods, software, technologies, technical data, encryption devices, or cryptographic materials
  • may also cover the transfer of services, such as consulting or technical assistance, related to controlled items
15
Q

What are Dual-Use Technologies?

A

goods, software, or technologies that have both civilian and military applications

16
Q

What is Wassenaar Arrangement?

A

international export control regime that focuses on the non-proliferation of conventional arms and dual-use goods and technologies

17
Q

What does Wassenaar Arrangement cover?

A

covers a wide range of items, including firearms, military equipment, and certain dual-use goods and technologies that have both civilian and military applications

18
Q

What is the impact of Wassenaar Arrangement on information security?

A

may require security professionals to be aware of and comply with export control regulations when dealing with certain software, encryption technologies, intrusion software, or other technologies that could have military or security implications

19
Q

Data Privacy is protection of what?

A
  • Personal Information (PI)
  • Personally Identifiable Information (PII)
  • Protected Health Information (PHI)
20
Q

What is Personal Information (PI)?

A
  • any information that can identify an individual, either directly or indirectly
  • can be sensitive and must be protected to maintain individuals’ privacy and prevent unauthorized use or disclosure
21
Q

What is the key distinction between Personal Information (PI) and Personally Identifiable Information (PII)?

A
  • ambiguity and direct identification
  • PII directly and unambiguously identifies an individual, whereas PI may require some additional effort, context, or data correlation to link the information to a specific person
22
Q

What is Personally Identifiable Information (PII)?

A
  • specifically refers to information that can be used to identify an individual
  • protecting PII is crucial to prevent identity theft, fraud, and unauthorized access to individuals’ personal data
  • subset of Personal Information
23
Q

What is Protected Health Information (PHI)?

A
  • individually identifiable health information that is created, received, stored, or transmitted by healthcare providers, health plans, or healthcare clearinghouses
  • includes personal details related to an individual’s physical or mental health, healthcare services received, medical history
24
Q

What is Right to be Forgotten?

A
  • individual’s right to request the removal or deletion of their personal data from online platforms or search engine results
  • individuals have the right to have their personal data erased, made inaccessible, or no longer linked to their identity when certain conditions are met
25
Q

What is Transborder Data Flow?

A
  • movement or transfer of personal data across national borders or jurisdictional boundaries
  • data privacy laws and regulations often impose restrictions and requirements on such cross-border data transfers to ensure the protection and privacy of individuals’ personal information
26
Q

Transborder Data Flow has legal constraints over where data can be what?

A
  • processed
  • stored
  • accessed
27
Q

What are the different types of law?

A
  • Criminal Law
  • Common Law
  • Civil (Statutory) Law
  • Administrative Law
  • Customary Law
  • Religious Law
  • Maritime Law
  • Contract and Tort Law
28
Q

What’s Criminal Law?

A
  • contains prohibitions against acts such as murder, assault, robbery and arson
  • crime against society as a whole
29
Q

What’s Common Law?

A
  • based on legal precedents, or decisions made by judges in previous cases
  • originated in England and expanded through the British Empire and later to countries influenced by English legal traditions
30
Q

What are the primary sources of common law?

A
  • primary sources of common law are court decisions (case law) and legal customs
  • judicial decisions are considered binding on future cases with similar facts or legal issues, creating a doctrine of stare decisis (to stand by things decided)
31
Q

What is Civil (Statutory) Law?

A
  • based on codified legal systems that rely on comprehensive written codes of law enacted by legislatures
  • traces its roots back to ancient Rome and continental Europe
32
Q

What is the role of courts in Civil Law?

A
  • courts in civil law systems play a narrower role compared to common law systems
  • they primarily interpret and apply legislation rather than establishing legal principles through case law
33
Q

What is Customary Law?

A

also known as traditional or indigenous law, is a legal system based on customs, traditions, and practices of specific communities or groups

34
Q

What’s Administrative Law?

A
  • branch of law that governs the activities and operations of administrative agencies, regulatory bodies, and government departments
  • establishes the legal framework for the functioning of administrative bodies and the relationship between these agencies and the public
35
Q

What’s Maritime Law?

A

specialized branch of law that governs legal matters and activities related to navigation, shipping, maritime commerce, and marine affairs

36
Q

What’s Contract Law?

A
  • deals with agreements between parties that create legally enforceable obligations
  • governs the creation, interpretation, performance, and breach of contracts
  • provides remedies and legal recourse if one party fails to fulfill their contractual obligations
37
Q

What’s Tort Law?

A
  • deals with civil wrongs that cause harm or injury to individuals or their property
  • unlike contract law, tort law does not require a pre-existing agreement between parties
  • aims to compensate the injured party for the harm suffered and may also serve as a deterrent to prevent similar wrongful conduct in the future
38
Q

What’s Copyright and the Digital Millennium Copyright Act?

A

covers literary, musical and dramatic works

39
Q

What does GDPR mean?

A

General Data Protection Regulations

40
Q

What’s the goal of GDPR?

A

aims to protect the privacy and rights of individuals within the EU and governs the processing and handling of personal data

41
Q

What’s the Scope and Territorial Application of GDPR?

A
  • applies to organizations that process personal data of individuals residing in the EU, regardless of where the organization is located
  • has extraterritorial reach and can impact organizations globally
42
Q

Who are data controllers in GDPR?

A

entities that determine the purposes and means of processing

43
Q

Who are data processors in GDPR?

A

entities that process data on behalf of the controller

44
Q

What does a business need to obtain from a subject before processing their data?

A

consent

45
Q

What is Data Protection Officer (DPO)?

A

some organizations are required to appoint a Data Protection Officer, responsible for overseeing GDPR compliance, data protection impact assessments, and acting as a point of contact for individuals and supervisory authorities

46
Q

How is the Data Breach Notification defined under GDPR?

A
  • organizations are required to notify the relevant supervisory authority without undue delay, and where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals
  • notification should include details of the breach, its impact, and any mitigating measures taken
47
Q

What are the penalties for lower-level infringements under GDPR?

A

up to €10 million or 2% of global annual turnover for lower-level infringements

48
Q

What are the penalties for more severe infringements under GDPR?

A

up to €20 million or 4% of global annual turnover for more severe infringements

49
Q

What’s the point of Health Information Technology for Economic and Clinical Health (HITECH)?

A
  • adoption and meaningful use of health information technology (IT) and the security of electronic health records (EHRs)
  • strengthening the privacy and security provisions of HIPAA by introducing new provisions
  • introducing mandatory breach notification requirements for covered entities and business associates
50
Q

What’s the point of Communications Assistance for Law Enforcement Act (CALEA)?

A

ensure that telecommunications service providers have the necessary technical capabilities to comply with authorized law enforcement surveillance requests

51
Q

What’s a cyber crime?

A

crime committed against a computer

52
Q

What are the stages of Evidence Lifecycle and how should it be protected in each step?

A
  • identification
    • as soon as possible, capture everything that is available at the time when the investigation starts
  • seizure
    • once evidence is seized, it’s documented and chain of custody process is triggered
  • transportation
    • evidence and integrity cannot be altered during the transportation process
  • analysis
    • needs to analyze what’s there rather than what the investigators want to find
  • storage
    • evidence needs to be properly protected and stored right until the day it’s returned to its rightful owner or destroyed
53
Q

What is addressed by the Civil Law?

A
  • contract disputes, real estate transactions, employment, estate and probate
  • monetary disputes
54
Q

Federal Sentencing Guidelines outlined three burdens of proof for negligence. What are they?

A
  1. person accused of negligence must have a legally recognized obligation
  2. person must have failed to comply with recognized standards
  3. there must be a causal relationship between the act of negligence and the subsequent damages
55
Q

What’s Economic Espionage Act of 1996?

A
  • changed the legal definition of theft so that it was no longer restricted by physical constraints
  • made theft of proprietary economic information an act of espionage
  • defines the term “economic espionage” as the theft or misappropriation of a trade secret with the intent or knowledge that the offense will benefit any foreign government, foreign instrumentality or foreign agent
56
Q

What does ITAR stand for?

A

International Traffic in Arms Regulations (ITAR)

57
Q

What’s International Traffic in Arms Regulations (ITAR)?

A
  • controls the export of items that are specifically designed as military and defense items
  • govern export of sensitive hardware and software products to other nations
58
Q

What does EAR stand for?

A

Export Administration Regulations

59
Q

What’s Export Administration Regulations (EAR)?

A
  • covers a broader set of items that are designed for commercial use, but may have military applications
  • govern export of sensitive hardware and software products to other nations
60
Q

What’s Payment Card Industry Data Security Standard?

A
  • widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions
  • created jointly in 2004 by 4 major credit-card companies - Visa, MasterCard, Discover and American Express
61
Q

What are the 6 major objectives Payment Card Industry Data Security Standard is based on?

A
  1. a secure network must be maintained in which transactions can be conducted
  2. cardholder information must be protected wherever it is stored
  3. systems should be protected against the activities of malicious hackers
  4. cardholder data should be protected physically as well as electronically
  5. networks must be constantly monitored and regularly tested
  6. a formal information security policy must be defined, maintained and followed
62
Q

What’s European Union Privacy Law?

A
  • directive outlining privacy measures required for protecting personal data processed by information systems
  • organizations based outside Europe must consider the applicability of these rules
63
Q

What is Privacy Shield?

A
  • agreement between the EU and US outlining seven requirements for the processing of personal information
  • allows the Department of Commerce and Federal Trade Commission (FTC) to certify businesses that comply with regulations
64
Q

Who does FISMA apply to?

A

government agencies and contractors

65
Q

What does the Code of Federal Regulations (CFR) contain?

A

text of all administrative laws promulgated by federal agencies

66
Q

When are non-compete or non-disclosure agreements usually signed?

A

in the beginning of a contract

67
Q

Who does Federal Code of Ethics apply to?

A

only to federal employees

68
Q

What’s RFC 1087?

A

provides a code of ethics for the internet - not binding

69
Q

What are some of the methods associated with the DRM solutions?

A
  • DRM License
    • grants access to a product and defines the terms of use
    • typically a small file that includes the terms of use and decryption key that unlocks the access to the product
  • Persistent Online Authentication (Always-On DRM)
    • requires the system to be connected to the internet in order to use the product
    • if connection to the authentication server fails or authentication fails, user is prevented from using the product
  • Continuous Audit Trail
    • tracks all use of copyrighted product
    • can detect abuse, such as concurrent use
  • Automatic Expiration
    • automatically blocks access to content once the paid period expires
69
Q

If there’s a need to exchange customer information between a company located in the US with a company located in EU, what’s the best method to ensure GDPR compliance for such transfer?

A
  • standard contractual clauses
  • if data shared internally within company, binding corporate rules would be appropriate
70
Q

Management believes that employee engaged in unauthorized use of computing resources for a side business. What is the burden of proof that must be met in this investigation?

A

there is no standard

71
Q

What is the standard of proof for a criminal investigation?

A

beyond a reasonable doubt

72
Q

What’s Best Evidence?

A
  • form of documentary evidence
  • original document rather than a copy or description
73
Q

Francine is a security specialist for an online service provider in the United States. She recently received a claim from a copyright holder that a user is storing information on her service that violates the third party’s copyright. What law governs the actions that Francine must take?

A

Digital Millennium Copyright Act

74
Q

What’s the hearsay rule?

A

witness cannot testify about what someone else told them, except under very specific exceptions

75
Q

What’s sworn affidavit?

A

written statement or declaration made by an individual under oath or affirmation, confirming that the information provided in the statement is true and accurate to the best of their knowledge and belief

76
Q

What’s the best evidence rule?

A

copies of documents may not be submitted into evidence if the originals are available

77
Q

Is there a testimonial evidence rule?

A

no

78
Q

What evidentiary standard is required for civil cases?

A

preponderance of evidence

79
Q

Which one of the intellectual property protection mechanisms has the shortest duration in the United States?

A

patent

80
Q

What are operational investigations?

A

performed by internal teams to troubleshoot performance or other technical issues

81
Q

Which one of the investigation types has the loosest standards for the collection and preservation of information?

A

operational investigation

82
Q

What’s required by California Online Privacy Protection Act if commercial web service collects personal information from California residents?

A

requires that commercial websites that collect personal information from users in California conspicuously post a privacy policy

83
Q

What symbol is used to represent copyright?

A

©

84
Q

Once trademark application is approved, it becomes a registered trademark. What is the symbol used for registered trademarks?

A

®

85
Q

Until trademark registration is granted, what symbol is used for the protected asset?

A

86
Q

If there are 2 people holding the same copyright, when does it cease to exist, if one of them dies?

A

copyright protection generally lasts for 70 years after the death of the last surviving author of the work

87
Q

Does patent protection apply to mathematical algorithms?

A

no

88
Q

When does patent protection kick in and for how long?

A

U.S. patent law provides for an exclusivity period of 20 years beginning at the time a utility patent application is submitted to the Patent and Trademark Office

89
Q

What step of the Electronic Discovery Reference Model ensures that information that may be subject to discovery is not altered?

A

Preservation

90
Q

What type of evidence are the server logs?

A

documentary evidence

91
Q

When conducting an internal investigation, what is the most common source of evidence?

A

voluntary surrender

92
Q

What’s Interconnection Security Agreement (ISA)?

A

formal declaration of the security stance, risks, and technical requirements of a link between two organizations’ IT infrastructures

93
Q

What’s the goal of Interconnection Security Agreement (ISA)?

A

define the expectations and responsibilities of maintaining security over a communications path between two networks

94
Q

What’s a memorandum of understanding (MOU) or memorandum of agreement (MOA)?

A
  • expression of agreement or aligned intent, will, or purpose between two entities
  • not typically a legal agreement or commitment but rather a more formal form of a reciprocal agreement or handshake
95
Q

What concept from the Federal Rules of Civil Procedure (FCRP) helps to ensure that additional time and expense are not incurred as part of electronic discovery when the benefits do not outweigh the costs?

A

proportionality