LAW Flashcards

1
Q

Criminal Law

A

Society is the victim and proof must be “beyond a reasonable doubt”.

E.g., murder, assault, robbery, arson, etc.

Penalties: incarceration, death, and financial fines, intended to "punish and deter".

Criminal Computer Crimes:

Computer Fraud and Abuse Act
Identity Theft and Assumption Deterrence Act

2
Q

Civil Law

A

AKA: Tort Law

Provides for an orderly society and governs acts that are not crimes but require an independent arbiter.

E.g., contract disputes, real estate transactions, employment matters, estate/probate

3
Q

Administrative Law

A

AKA: Regulatory Law

Laws enacted by government (FDA, HIPAA, FAA, etc.), not Congress.

Policies, procedures, and regulations that govern daily operations.

E.g., from the procedures used within a federal agency to obtain a new desk phone…to immigration policies.

Administrative laws do not require an act of the legislative branch (Congress) to implement at the federal level. Administrative laws consist of the policies, procedures, and regulations promulgated by agencies of the executive branch of government.

4
Q

Private Regulation

A

Compliance is required by CONTRACT (e.g., PCI-DSS).

5
Q

Liability

A

Who is held accountable?
Who is to blame?
Who should pay?

6
Q

Due Diligence and Due Care

A

Due Diligence - proper research before building and deploying new systems

Due Care - prudent person rule = what would a prudent person do in this situation?

7
Q

Types of evidence

A

Real - tangible / physical (hard disks, USB drives, but NOT the data on them)

Direct - testimony from a first-hand witness

Circumstantial - evidence that supports the circumstances for a point or for other evidence.

Corroborative - supports the facts of the case, not facts on their own (i.e., it supports other facts)

8
Q

Chain of custody

A

Who handled it?

When did they handle it?

What did they do with it?

Where did they handle it?

9
Q

Due Diligence vs Due Care vs Negligence

A

Due Diligence (DD) = R&D on the tech in question » the process of identifying and remediating the cyber risks that third-party vendors bring to your ecosystem

Due Care (DC) = take action (carry out the change / fix / etc.) based on DD » taking reasonable steps to protect your organization's reputation and its financial and legal best interests

Negligence = the opposite of due care

The Federal Sentencing Guidelines formalized the prudent man rule and applied it to information security.

10
Q

Types of Evidence

A

Real = tangible and physical objects in IT (hard disk, USB drive, etc.) -> NOT the data on them.

Direct = testimony from a first-hand witness

Circumstantial = evidence that SUPPORTS events for a point or for other evidence.

Corroborative = supports the facts of the case - NOT facts on their own.

Hearsay = not first-hand knowledge, e.g. log files. NOTE: Rule 803 changes this.

11
Q

Five rules of evidence

A
  1. Be authentic
  2. Be accurate
  3. Be complete
  4. Be convincing
  5. Be admissible
12
Q

Computer Fraud and Abuse Act (CFAA)

A

Computer Fraud and Abuse Act

First major piece of cybercrime-specific legislation in the US.

Based on the CCCA of 1984, which covered just 'federal' computers; the CFAA covered all 'federal interest' computers, i.e. those whose use crosses state lines.

The original Computer Fraud and Abuse Act of 1984 covered only systems used by the government and financial institutions. The act was broadened in 1986 to include all federal interest systems. The Computer Abuse Amendments Act of 1994 further amended the CFAA to cover all systems that are used in interstate commerce, including a large portion (but not all) of the computer systems in the United States.

The Computer Fraud and Abuse Act, as amended, provides criminal and civil penalties for those individuals convicted of using viruses, worms, Trojan horses, and other types of malicious code to cause damage to computer systems.

13
Q

Federal Sentencing Guidelines

A

1991

Punishment guidelines to help judges.

Introduced the 'prudent man' rule.

14
Q

FISMA

A

Federal Information Security Management Act

Passed in 2002.

Governs information security operations at federal agencies.

The Federal Information Security Management Act (FISMA) includes provisions regulating information security at federal agencies. It places authority for classified systems in the hands of the National Security Agency (NSA) and authority for all other systems with the National Institute for Standards and Technology (NIST).

15
Q

ECPA

A

Electronic Communications Privacy Act

Makes it a crime to invade the electronic privacy of an individual.

16
Q

Digital Millennium Copyright Act

A

Of 1998.

Prohibits the circumvention of copy protection mechanisms placed in digital media.

Limits the ability of ISPs to monitor users:

  1. transmission must be done by a person OTHER THAN the ISP
  2. transmission, routing, provision of connections, or copying must be carried out by an automated technical process without selection of material by the ISP
  3. the ISP must not determine the recipients of the material
  4. intermediate copies must not ordinarily be accessible to anyone other than the recipients and must not be retained longer than necessary
  5. material must be transmitted with no modification to its content
17
Q

Economic Espionage Act

A

Of 1996.

Provides penalties for individuals found guilty of the theft of trade secrets.

18
Q

Software License Agreements

A

contractual = written agreements between the software vendor and the user.

shrink-wrap = agreements written on the packaging that take effect when the user opens it.

click-through = the user is required to accept the terms during installation.

19
Q

California’s SB 1386

A

First statewide requirement to notify individuals of a breach of PII. All but 3 states followed.

Note that HIPAA covers federal PII.

20
Q

GDPR

A

General Data Protection Regulation

EU

Governs the use and exchange of PII.

21
Q

COPPA

A

Children’s Online Privacy Protection Act (COPPA)

What is the minimum age a child must be before companies can collect personal identifying information from them without parental consent?

13

22
Q

Patent Protection

A

20 years from the date of application.

23
Q

HIPAA

A

Health Insurance Portability and Accountability Act of 1996

** The Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 amended the privacy and security requirements of HIPAA.

24
Q

What law prevents government agencies from disclosing personal information that an individual supplies to the government under protected circumstances?

A

The Privacy Act of 1974 limits the ways government agencies may use information that private citizens disclose to them under certain circumstances.

25
Q

ECPA

A

Electronic Communications Privacy Act

26
Q

Gramm-Leach-Bliley Act

A

GLBA of 1999

Strict barriers between government and financial institutions.

27
Q

Privacy Shield

A

The Privacy Shield framework, governed by the U.S. Department of Commerce and Federal Trade Commission, allows U.S. companies to certify compliance with EU data protection law.

28
Q

Admissible Evidence (what is…)

A
  1. Relevant
  2. Material (i.e., related to..)
  3. Competent (i.e., legally obtained)
29
Q

Types of Evidence

A
  1. real evidence
  2. documentary evidence » best evidence » parol evidence
  3. testimonial evidence
30
Q

What regulation formalizes the prudent man rule that requires senior executives to take personal responsibility for their actions?

A

A. CFAA
B. Federal Sentencing Guidelines
C. GLBA
D. Sarbanes–Oxley

The Federal Sentencing Guidelines released in 1991 formalized the prudent man rule, which requires senior executives to take personal responsibility for ensuring the due care that ordinary, prudent individuals would exercise in the same situation.

31
Q

When attempting to impose accountability on users, what key issue must be addressed?

A

A. Reliable log storage system
B. Proper warning banner notification
C. Legal defense/support of authentication
D. Use of discretionary access control

To effectively hold users accountable, your security must be legally defensible. Primarily, you must be able to prove in a court that your authentication process cannot be easily compromised. Thus, your audit trails of actions can then be tied to a human.

32
Q

What regulation formalizes the prudent man rule, requiring that senior executives of an organization take personal responsibility for ensuring due care?

A. National Information Infrastructure Protection Act
B. Federal Information Security Management Act
C. Information Security Reform Act
D. Federal Sentencing Guidelines

A

D

The Federal Sentencing Guidelines formalized the prudent man rule and applied it to information security.

33
Q

Generally, a privacy policy is designed to protect what?

A. A user’s privacy
B. The public’s freedom
C. Intellectual property
D. A company’s right to audit

A

The purpose of a privacy policy is to inform users where they do and do not have privacy for the primary benefit of the protection of the company’s right to audit and monitor user activity.