Law And Regulations Flashcards
Name the three main categories of law?
Criminal - keeps our society safe (murder, addict etc.)
Civil - maintains an orderly society and governs matters that aren’t crimes (disputes, employment matters, estate procedures)
Admin - ensures government functions effectively (policies and procedures to govern daily operations of the agency) used by government to carry out day to day business
What criminal laws protect society from computer crime?
Computer fraud and abuse act
The electronics communications privacy act
Identity theft and assumption deterrence act
- all provide criminal penalties
Describe civil law?
Law enforcement agencies don’t get involved
It is down to the person who has been ‘wronged’ to seek legal counsel and file a civil lawsuit
Does not impose imprisonment
What should you do when operating in a gray area of Law?
Retain legal counsel
Why do computer crimes fall within federal jurisdiction?
Because computer crimes cross state lines. States still have their own laws for computer crimes and they can have harsher penalties. All of the laws in CISSP are federal
CFAA
Computer Fraud and Abuse Act - accessing or damaging federal interest computer systems without authorised access. - computers used by gov and finance. Also includes modifying medical records.
Replaced CCCA - comprehensive crime control act 1984
Also covers interstate commerce computer systems (key point)
What are the CFAA amendments 1994?
Computer abuse amendments of 1994
Security had changed since the last CFAA amendment in 1986.
Covers a wider set of computers (interstate commerce), allows imprisonment of offenders even if they didn’t intend harm, and lets victims pursue civil law for compensation.
Updated up to 2008
Criticism of CFAA?
Overbroad law
Criminalises violation of websites terms of services
Federal sentencing guidelines 1991
Helps to provide punishment guidelines for computer crimes
- prudent man rule
- execs can minimise punishment by demonstrating due care
- three burdens of proof of negligence - person must have a legal obligation, person must have failed to comply, there must be a causal relationship between the negligence and the damages
What law did the national information infrastructure protection act (1996) replace?
Computer fraud and abuse act (CFAA)
What does the National Information Infrastructure Protection Act (1996) include?
- computer systems used in international commerce
- protect CNI such as rail road, telco etc.
What is FISMA?
Federal information security management act (2002)
Explain FISMA?
Requires government agencies to have an information security programme covering their operations. Must include activities of controls and security management programmes.
Negative of FISMA?
Huge burden to maintain documentation for compliance
Which organisation develops the FISMA implementation guidelines?
NIST
Computer Fraud and Abuse Act (CFAA) - USA
- number of amendments
- currently protects federal computers used by gov or in interstate commerce from abuse
- 1st computer crime legislation
- number of amendments to include computers used by financial institutions and increased damage threshold
Federal Cybersecurity Laws 2014
- laws brought in by Obama to modernise federal cyber security laws
1) FISMA 2 (modernisation) - cyber security responsibility sits with department of homeland security
2) cyber security enhancement act - NIST is responsible for coordinating nationwide work on cyber security standards (800-53 security and privacy controls for federal information systems) (NIST cyber security framework)
3) DHS had to create a NCSC for information sharing
Name some of the computer crime laws
- CFAA (computer fraud and abuse act)
- Federal sentencing guidelines
- NIIP (National Information Infrastructure Protection Act)
- FISMA (Federal information security management act)
- Federal cyber security laws 2014
What is intellectual property?
Intangible assets such as brand names, secret recipes, movies
Laws exist to protect IP
Four main rules - copyrights, trademarks, patents and trade secrets
Copyright and the digital millennium copyright act (aka copyright)
Protects against unauthorised duplication of a creator’s work (music, sound recordings, motion pictures, sculptures, architectural works)
Also literary works (includes software)
Copyright protects creative work and is a Criminal law
What part of the software does copyright protect? (Literary works)
Only the source code not the idea
Is formal copyright required?
You can register your work for copyright
But copyright is enforced automatically
What’s work for hire?
When you create work during the normal working hours - it belongs to the company
How long does copyright law protect your work?
70 years or until death of last surviving author
How long does copyright protect work for hire?
95 years from the date of first publication or 120 years from the date of creation - whatever is shorter
What is the DMCA and why was it brought in?
Digital millennium copyright act
Brought in to tackle changes in copyright circumvention
i.e. copyright protection mechanisms placed on CDs or DVDs. Schools and libraries are exempt
Also limits liability on ISPs if they have no involvement in transmission
What are trademarks?
Protect words, slogans and logos used to identify a company / service
To avoid confusion in the market place and protect IP
What do the 2 trademark symbols mean?
TM - automatically protected under trademark law
R - officially registered with the USPTO, which can take more than a year
Which type of law is trademark and patent law?
Civil law
What’s ‘intent to use’ application?
Register a trademark that you intend to use eventually
What should a trademark be?
Not similar to another trademark
Not descriptive of the good or services on offer
What’s a patent?
Protect IP of inventors for up to 20 years
- inventions must be new, innovative and not obvious
What are patent trolls?
Register a patent for technology (very broad) and then pursue legal actions against others
What are trade secrets?
IP critical to a business where damage would occur if it was released to the public or competitors
- secret blends/recipes
- certain manufacturing processes
What can be used to protect trade secrets?
- copyright or patents can protect an invention, but you have to reveal the ‘secret’
- they only protect for a limited time before it can be used by the public
- instead you should have good controls in place to ensure only authorised people know, and they sign an NDA
Best way to protect computer software?
Patent law and copyright law don’t fully protect it
So best to keep it as a trade secret (as done by MS)
Economic Espionage Act
Protects trade secrets with fines and prison
Criminal law
Name the four types of licensing agreements?
- contractual licences - written contracts between vendor and users
- shrink wrap - written on the outside of the package and you agree by breaking the seal
- click through agreements - click through during the installation process - give your consent
- cloud services licences - based on click through agreements and common in personal and corporate use
What are import/export laws?
Developed during the Cold War to stop technology falling into the wrong hands/nations
Used to be very strict and only for allies but have been relaxed since through the ITAR and EAR regulations
- both stop exportation of military and defence items
Which countries are excluded in America’s computer export controls?
Cuba Iran North Korea Sudan and Syria
Why were encryption export controls lifted?
To maintain a competitive advantage in the Industry, must still submit for review beforehand.
Do Americans have a right to privacy?
No. But there are laws in place to help with this - but more focussed on how the government protects your private information
Privacy act 1974
How the government deals with private information - they can’t share it without consent. They destroy information when it is no longer needed and you can request access to your info.
Doesn’t apply to businesses
ECPA and CALEA (privacy related)
- electronic communications privacy act
- communications assistance for law enforcement act
Expanded on the first law to make wiretaps possible for law enforcement with a court order.
USA patriot act expands on this, making wiretapping easier by allowing blanket authorisation for all comms
HIPAA (and HITECH)
Health Insurance Portability and Accountability Act
- ensures hospitals and health care companies protect their data
Health Information Technology for Economic and Clinical Health Act
- expands on HIPAA to include organisations that handle health information so all follow the law. Must also notify people of a breach (federal law)
What federal law looks at data breach notifications?
The HITECH law (but only related to health care)
But California was the first state to pass SB 1386, requiring people to be informed of data breaches. It was followed by most states
COPPA
Children’s Online Privacy Protection Act
- series of requirements on websites aimed at children
- must give notices and also get permission from parents
Gramm-Leach-Bliley Act of 1999
Relaxed regulations on financial institutions sharing information and the services they provide.
USA patriot act
- wiretapping with blanket authorisation
- ISPs can provide information to the government
- amends CFAA for more severe penalties
FERPA
Family Educational Rights and Privacy Act
- applies to educational institutions and allows parents/students to view and correct information. Schools can’t release info either
Identity theft and assumption deterrence act
Used to only recognise the creditors but now recognises the person whose identity was taken.
Prison term of 15 years and a 250k fine
The courts say privacy is maintained when there is a ‘reasonable expectation of privacy’
i.e. you wouldn’t expect a postcard not to be read. Employees do not have this when using company technology
European privacy law
To protect data being processed. American companies doing business in Europe can obtain protection under the Privacy Shield agreement
7 requirements include:
- inform individuals about data processing
- providing free and accessible dispute resolution
- cooperate with the department of commerce
- maintain data integrity and purpose limitation
- ensure accountability for data transferred to third parties
- transparency related to enforcement agencies
- ensuring commitments are kept as long as data is held
GDPR
Wider scope than the EU data protection directive
- applies to all organisations collecting data from the EU
- must reveal breaches within 24 hours
- give individuals access to their data
- The right to be forgotten
Explain compliance with an example
Not regulatory law but part of a contractual agreement
- PCI- DSS - enforced through the merchants terms. 12 requirements for credit card security (firewalls, access control etc.)
When should you review vendors security controls?
As part of TPG and vendor selection
- what/how is info stored, protected, encrypted, segregated, audits, access, incident response etc.