Information Security Legal and Regulatory Issues Flashcards
What is intellectual property and how can it be protected?
- intangible assets created through intellectual efforts
- can be protected through:
  - Patent
  - Trademark
  - Copyright
  - Trade Secret
  - Licensing
Describe Patent
- form of legal protection granted to inventors for their inventions or discoveries
- provides exclusive rights to the inventor for a limited period, typically 20 years from the date of filing, to prevent others from making, using, selling, or importing the patented invention without permission
Describe Trademark
- recognizable sign, symbol, design, word, phrase, logo or combination thereof that distinguishes goods or services of one business from those of others
- serves as an identifier of the source of the goods or services and helps build brand recognition and customer trust
Describe Copyright
- legal protection granted to authors, artists, musicians, and creators of original works
- automatically applies upon creation of an original work in a fixed tangible form, such as literature, music, software, paintings, photographs, or films
- duration of copyright protection varies depending on the country, but in general, it lasts for the lifetime of the author plus a certain number of years after their death
Describe Trade Secret
- confidential and valuable business information that is absolutely critical to the business, as it provides a competitive advantage to its owner
- can include formulas, recipes, manufacturing processes, customer lists, marketing strategies, or any other information that is not generally known or readily accessible to others
- unlike patents or trademarks, trade secrets are not publicly disclosed
Describe Licensing
- granting of rights to use, distribute, or modify software according to the terms outlined in a software license agreement
- define the terms of use, such as the number of installations, permitted usage, limitations, support provisions, and restrictions on copying or modification
What are the 4 types of licensing?
- Contractual License
- Shrink-Wrap License
- Click-Through License
- Cloud Services License
Describe Contractual License
- software licensing agreement that is negotiated and agreed upon through a formal contract between the software vendor and the user or organization
- the terms and conditions of the license, including usage rights, limitations, and fees, are outlined in the contract
- typically used for custom software solutions or specialized software tailored to specific business needs
Describe Shrink-Wrap License
- type of software license that is packaged with the software product and is presented to the user upon opening the shrink-wrapped package
- typically printed inside the package or included as a separate document
Describe Click-Through License
- type of software license agreement that is presented to the user during the installation or download process of the software
- user is required to read and accept the terms and conditions of the license agreement by clicking an “Accept” or “Agree” button before proceeding with the installation or use of the software
Describe Cloud Services License
- licensing models used for software or services delivered through cloud computing platforms
- typically outline the usage rights, data ownership, service level agreements (SLAs), and any restrictions or limitations on the use of the cloud services
What are Import and Export Controls?
regulations and measures imposed by governments to manage the cross-border movement of goods, services, technologies, and information
What is the Purpose of Import and Export Controls? (3)
- National Security
- Non-Proliferation
- Economic Interests
What might be the regulated items for import/export?
- physical goods, software, technologies, technical data, encryption devices, or cryptographic materials
- may also cover the transfer of services, such as consulting or technical assistance, related to controlled items
What are Dual-Use Technologies?
goods, software, or technologies that have both civilian and military applications
What is Wassenaar Arrangement?
international export control regime that focuses on the non-proliferation of conventional arms and dual-use goods and technologies
What does Wassenaar Arrangement cover?
covers a wide range of items, including firearms, military equipment, and certain dual-use goods and technologies that have both civilian and military applications
What is the impact of Wassenaar Arrangement on information security?
may require security professionals to be aware of and comply with export control regulations when dealing with certain software, encryption technologies, intrusion software, or other technologies that could have military or security implications
Data Privacy is protection of what?
- Personal Information (PI)
- Personally Identifiable Information (PII)
- Protected Health Information (PHI)
What is Personal Information (PI)?
- any information that can identify an individual, either directly or indirectly
- can be sensitive and must be protected to maintain individuals’ privacy and prevent unauthorized use or disclosure
What is the key distinction between Personal Information (PI) and Personally Identifiable Information (PII)?
- ambiguity and direct identification
- PII directly and unambiguously identifies an individual, whereas PI may require some additional effort, context, or data correlation to link the information to a specific person
What is Personally Identifiable Information (PII)?
- specifically refers to information that can be used to identify an individual
- protecting PII is crucial to prevent identity theft, fraud, and unauthorized access to individuals’ personal data
- subset of Personal Information
What is Protected Health Information (PHI)?
- individually identifiable health information that is created, received, stored, or transmitted by healthcare providers, health plans, or healthcare clearinghouses
- includes personal details related to an individual’s physical or mental health, healthcare services received, medical history
What is Right to be Forgotten?
- individual’s right to request the removal or deletion of their personal data from online platforms or search engine results
- individuals have the right to have their personal data erased, made inaccessible, or no longer linked to their identity when certain conditions are met
What is Transborder Data Flow?
- movement or transfer of personal data across national borders or jurisdictional boundaries
- data privacy laws and regulations often impose restrictions and requirements on such cross-border data transfers to ensure the protection and privacy of individuals’ personal information
Transborder Data Flow has legal constraints over where data can be what?
- processed
- stored
- accessed
What are the different types of law?
- Criminal Law
- Common Law
- Civil (Statutory) Law
- Administrative Law
- Customary Law
- Religious Law
- Maritime Law
- Contract and Tort Law
What’s Criminal Law?
- contains prohibitions against acts such as murder, assault, robbery and arson
- crime against society as a whole
What’s Common Law?
- based on legal precedents, or decisions made by judges in previous cases
- originated in England and expanded through the British Empire and later to countries influenced by English legal traditions
What are the primary sources of common law?
- primary sources of common law are court decisions (case law) and legal customs
- judicial decisions are considered binding on future cases with similar facts or legal issues, creating a doctrine of stare decisis (to stand by things decided)
What is Civil (Statutory) Law?
- based on codified legal systems that rely on comprehensive written codes of law enacted by legislatures
- traces its roots back to ancient Rome and continental Europe
What is the role of courts in Civil Law?
- courts in civil law systems play a narrower role compared to common law systems
- they primarily interpret and apply legislation rather than establishing legal principles through case law
What is Customary Law?
also known as traditional or indigenous law; a legal system based on the customs, traditions, and practices of specific communities or groups
What’s Administrative Law?
- branch of law that governs the activities and operations of administrative agencies, regulatory bodies, and government departments
- establishes the legal framework for the functioning of administrative bodies and the relationship between these agencies and the public
What’s Maritime Law?
specialized branch of law that governs legal matters and activities related to navigation, shipping, maritime commerce, and marine affairs
What’s Contract Law?
- deals with agreements between parties that create legally enforceable obligations
- governs the creation, interpretation, performance, and breach of contracts
- provides remedies and legal recourse if one party fails to fulfill their contractual obligations
What’s Tort Law?
- deals with civil wrongs that cause harm or injury to individuals or their property
- unlike contract law, tort law does not require a pre-existing agreement between parties
- aims to compensate the injured party for the harm suffered and may also serve as a deterrent to prevent similar wrongful conduct in the future
What’s Copyright and the Digital Millennium Copyright Act?
covers literary, musical and dramatic works
What does GDPR mean?
General Data Protection Regulations
What’s the goal of GDPR?
aims to protect the privacy and rights of individuals within the EU and governs the processing and handling of personal data
What’s the Scope and Territorial Application of GDPR?
- applies to organizations that process personal data of individuals residing in the EU, regardless of where the organization is located
- has extraterritorial reach and can impact organizations globally
Who are data controllers in GDPR?
entities that determine the purposes and means of processing
Who are data processors in GDPR?
entities that process data on behalf of the controller
What does a business need to obtain from a subject before processing their data?
consent
What is Data Protection Officer (DPO)?
some organizations are required to appoint a Data Protection Officer, responsible for overseeing GDPR compliance, data protection impact assessments, and acting as a point of contact for individuals and supervisory authorities
How is the Data Breach Notification defined under GDPR?
- organizations are required to notify the relevant supervisory authority without undue delay, and where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals
- notification should include details of the breach, its impact, and any mitigating measures taken
What are the penalties for lower-level infringements under GDPR?
up to €10 million or 2% of global annual turnover for lower-level infringements
What are the penalties for more severe infringements under GDPR?
up to €20 million or 4% of global annual turnover for more severe infringements
What’s the point of Health Information Technology for Economic and Clinical Health (HITECH)?
- adoption and meaningful use of health information technology (IT) and the security of electronic health records (EHRs)
- strengthening the privacy and security provisions of HIPAA by introducing new provisions
- introducing mandatory breach notification requirements for covered entities and business associates
What’s the point of Communications Assistance for Law Enforcement Act (CALEA)?
ensure that telecommunications service providers have the necessary technical capabilities to comply with authorized law enforcement surveillance requests
What’s a cyber crime?
crime committed against a computer
What are the stages of Evidence Lifecycle and how should it be protected in each step?
- identification
  - as soon as possible, capture everything that is available at the time the investigation starts
- seizure
  - once evidence is seized, it is documented and the chain of custody process is triggered
- transportation
  - evidence must not be altered, and its integrity must be preserved, during the transportation process
- analysis
  - analyze what is actually there rather than what the investigators want to find
- storage
  - evidence must be properly protected and stored right up until the day it is returned to its rightful owner or destroyed
What is addressed by the Civil Law?
- contract disputes, real estate transactions, employment, estate and probate
- monetary disputes
Federal Sentencing Guidelines outlined three burdens of proof for negligence. What are they?
- person accused of negligence must have a legally recognized obligation
- person must have failed to comply with recognized standards
- there must be a causal relationship between the act of negligence and the subsequent damages
What’s Economic Espionage Act of 1996?
- changed the legal definition of theft so that it was no longer restricted by physical constraints
- made theft of proprietary economic information an act of espionage
- defines the term “economic espionage” as the theft or misappropriation of a trade secret with the intent or knowledge that the offense will benefit any foreign government, foreign instrumentality or foreign agent
What does ITAR stand for?
International Traffic in Arms Regulations (ITAR)
What’s International Traffic in Arms Regulations (ITAR)?
- controls the export of items that are specifically designed as military and defense items
- govern export of sensitive hardware and software products to other nations
What does EAR stand for?
Export Administration Regulations
What’s Export Administration Regulations (EAR)?
- covers a broader set of items that are designed for commercial use, but may have military applications
- govern export of sensitive hardware and software products to other nations
What’s Payment Card Industry Data Security Standard?
- widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions
- created jointly in 2004 by 4 major credit-card companies - Visa, MasterCard, Discover and American Express
What are the 6 major objectives Payment Card Industry Data Security Standard is based on?
- a secure network must be maintained in which transactions can be conducted
- cardholder information must be protected wherever it is stored
- systems should be protected against the activities of malicious hackers
- cardholder data should be protected physically as well as electronically
- networks must be constantly monitored and regularly tested
- a formal information security policy must be defined, maintained and followed
What’s European Union Privacy Law?
- directive outlining privacy measures required for protecting personal data processed by information systems
- organizations based outside Europe must consider the applicability of these rules
What is Privacy Shield?
- agreement between the EU and US outlining seven requirements for the processing of personal information
- allows the Department of Commerce and Federal Trade Commission (FTC) to certify businesses that comply with regulations
Who does FISMA apply to?
government agencies and contractors
What does the Code of Federal Regulations (CFR) contain?
text of all administrative laws promulgated by federal agencies
When are non-compete or non-disclosure agreements usually signed?
at the beginning of a contract
Who does Federal Code of Ethics apply to?
only to federal employees
What’s RFC 1087?
provides a code of ethics for the internet; not binding
What are some of the methods associated with DRM solutions?
- DRM License
  - grants access to a product and defines the terms of use
  - typically a small file that includes the terms of use and the decryption key that unlocks access to the product
- Persistent Online Authentication (Always-On DRM)
  - requires the system to be connected to the internet in order to use the product
  - if the connection to the authentication server fails or authentication fails, the user is prevented from using the product
- Continuous Audit Trail
  - tracks all use of the copyrighted product
  - can detect abuse, such as concurrent use
- Automatic Expiration
  - automatically blocks access to content once the paid period expires
If there’s a need to exchange customer information between a company located in the US with a company located in EU, what’s the best method to ensure GDPR compliance for such transfer?
- standard contractual clauses
- if data is shared internally within a company, binding corporate rules would be appropriate
Management believes that employee engaged in unauthorized use of computing resources for a side business. What is the burden of proof that must be met in this investigation?
there is no standard
What is the standard of proof for a criminal investigation?
beyond a reasonable doubt
What’s Best Evidence?
- form of documentary evidence
- original document rather than a copy or description
Francine is a security specialist for an online service provider in the United States. She recently received a claim from a copyright holder that a user is storing information on her service that violates the third party’s copyright. What law governs the actions that Francine must take?
Digital Millennium Copyright Act
What’s the hearsay rule?
witness cannot testify about what someone else told them, except under very specific exceptions
What’s sworn affidavit?
written statement or declaration made by an individual under oath or affirmation, confirming that the information provided in the statement is true and accurate to the best of their knowledge and belief
What’s the best evidence rule?
copies of documents may not be submitted into evidence if the originals are available
Is there a testimonial evidence rule?
no
What evidentiary standard is required for civil cases?
preponderance of evidence
Which one of the intellectual property protection mechanisms has the shortest duration in the United States?
patent
What are operational investigations?
performed by internal teams to troubleshoot performance or other technical issues
Which one of the investigation types has the loosest standards for the collection and preservation of information?
operational investigation
requires that commercial websites that collect personal information from users in California conspicuously post a privacy policy
What symbol is used to represent copyright?
©
Once trademark application is approved, it becomes a registered trademark. What is the symbol used for registered trademarks?
®
Until trademark registration is granted, what symbol is used for the protected asset?
™
If there are 2 people holding the same copyright, when does it cease to exist, if one of them dies?
copyright protection generally lasts for 70 years after the death of the last surviving author of the work
Does patent protection apply to mathematical algorithms?
no
When does patent protection kick in and for how long?
U.S. patent law provides for an exclusivity period of 20 years beginning at the time a utility patent application is submitted to the Patent and Trademark Office
What step of the Electronic Discovery Reference Model ensures that information that may be subject to discovery is not altered?
Preservation
What type of evidence are the server logs?
documentary evidence
When conducting an internal investigation, what is the most common source of evidence?
voluntary surrender
What’s Interconnection Security Agreement (ISA)?
formal declaration of the security stance, risks, and technical requirements of a link between two organizations’ IT infrastructures
What’s the goal of Interconnection Security Agreement (ISA)?
define the expectations and responsibilities of maintaining security over a communications path between two networks
What’s a memorandum of understanding (MOU) or memorandum of agreement (MOA)?
- expression of agreement or aligned intent, will, or purpose between two entities
- not typically a legal agreement or commitment but rather a more formal form of a reciprocal agreement or handshake
What concept from the Federal Rules of Civil Procedure (FRCP) helps to ensure that additional time and expense are not incurred as part of electronic discovery when the benefits do not outweigh the costs?
proportionality