Law And Regulations Flashcards

1
Q

Name the three main categories of law?

A

Criminal - keeps our society safe (murder, addict etc.)

Civil - maintains an orderly society and governs matters that aren’t crimes (disputes, employment matters, estate procedures)

Admin - ensures government functions effectively (policies and procedures that govern the daily operations of the agency); used by government to carry out day-to-day business

2
Q

What criminal laws protect society from computer crime?

A

Computer fraud and abuse act
The electronic communications privacy act
Identity theft and assumption deterrence act

  • all provide criminal penalties
3
Q

Describe civil law?

A

Law enforcement agencies don’t get involved

It is down to the person who has been ‘wronged’ to seek legal counsel and file a civil lawsuit

Does not impose imprisonment

4
Q

What should you do when operating in a gray area of Law?

A

Retain legal counsel

5
Q

Why do computer crimes fall within federal jurisdiction?

A

Because computer crimes cross state lines. States still have their own laws for computer crimes, and those can have harsher penalties. All of the laws in CISSP are federal.

6
Q

CFAA

A

Computer Fraud and Abuse Act - accessing or damaging federal interest computer systems without authorisation (computers used by government and finance). Also includes modifying medical records.

Replaced CCCA - comprehensive crime control act 1984

Also covers interstate commerce computer systems (key point)

7
Q

What are the CFAA amendments 1994?

A

Computer abuse amendments of 1994

Security had changed since the last CFAA amendment in 1986.

Covers a wider set of computers (interstate commerce), allows imprisonment of offenders even if they didn’t intend harm, and lets victims pursue civil law for compensation.

Updated up to 2008

8
Q

Criticism of CFAA?

A

Overbroad law

Criminalises violations of websites’ terms of service

9
Q

Federal sentencing guidelines 1991

A

Helps to provide punishment guidelines for computer crimes

  • prudent man rule
  • execs can minimise punishment by demonstrating due care
  • three burdens of proof of negligence - the person must have a legal obligation, the person must have failed to comply, and there must be a causal relationship between the negligence and the damages
10
Q

What law did the national information infrastructure protection act (1996) replace?

A

Computer fraud and abuse act (CFAA)

11
Q

What does the National Information Infrastructure Protection Act (1996) include?

A
  • computer systems used in international commerce
  • protects CNI such as railroads, telcos etc.

12
Q

What is FISMA?

A

Federal information security management act (2002)

13
Q

Explain FISMA?

A

Requires government agencies to have an information security programme covering their operations. Must include activities of controls and security management programmes.

14
Q

Negative of FISMA?

A

Huge burden to maintain documentation for compliance

15
Q

Which organisation develops the FISMA implementation guidelines?

A

NIST

16
Q

Computer Fraud and Abuse Act (CFAA) - USA

A
  • number of amendments
  • currently protects federal computers used by gov or in interstate commerce from abuse
  • 1st computer crime legislation
  • number of amendments to include computers used by financial institutions and increased damage threshold
17
Q

Federal Cybersecurity Laws 2014

A
  • laws brought in by Obama to modernise federal cyber security laws
    1) FISMA 2 (modernisation) - cyber security responsibility sits with the department of homeland security
    2) cyber security enhancement act - NIST is responsible for coordinating nationwide work on cyber security standards (800-53 security and privacy controls for federal information systems) (NIST cyber security framework)
    3) DHS had to create an NCSC for information sharing
18
Q

Name some of the computer crime laws

A
  • CFAA (computer fraud and abuse act)
  • Federal sentencing guidelines
  • NIIP (national information infrastructure protection act)
  • FISMA (Federal information security management act)
  • Federal cyber security laws 2014
19
Q

What is intellectual property?

A

Intangible assets such as brand names, secret recipes, movies

Laws exist to protect IP

Four main rules - copyrights, trademarks, patents and trade secrets

20
Q

Copyright and the digital millennium copyright act (aka copyright)

A

Protects against unauthorised duplication of a creator’s work (music, sound recordings, motion pictures, sculptures, architectural works)

Also literary works (includes software)

Copyright protects creative work and is a Criminal law

21
Q

What part of the software does copyright protect? (Literary works)

A

Only the source code not the idea

22
Q

Is formal copyright required?

A

You can register your work for copyright

But copyright is enforced automatically

23
Q

What’s work for hire?

A

When you create work during the normal working hours - it belongs to the company

24
Q

How long does copyright law protect your work?

A

70 years or until death of last surviving author

25
Q

How long does copyright protect work for hire?

A

95 years from the date of first publication or 120 years from the date of creation - whichever is shorter

26
Q

What is the DMCA and why was it brought in?

A

Digital millennium copyright act

Brought in to tackle changes in copyright circumvention

I.e. copyright protection mechanisms placed on CDs or DVDs. Schools and libraries are exempt

Also limits liability on ISPs if they have no involvement in transmission

27
Q

What are trademarks?

A

Protect words, slogans and logos used to identify a company / service

To avoid confusion in the marketplace and protect IP

28
Q

What do the 2 trademark symbols mean?

A

TM - automatically protected under trademark law

R - officially registered with the USPTO; registration can take more than a year

29
Q

Which type of law is trademark and patent law?

A

Civil law

30
Q

What’s ‘intent to use’ application?

A

Register a trademark that you intend to use eventually

31
Q

What should a trademark be?

A

Not similar to another trademark

Not descriptive of the good or services on offer

32
Q

What’s a patent?

A

Protect IP of inventors for up to 20 years

  • inventions must be new, innovative and not obvious
33
Q

What are patent trolls?

A

Register a patent for technology (very broad) and then pursue legal actions against others

34
Q

What are trade secrets?

A

IP critical to a business where damage would occur if it were released to the public or competitors

  • secret blends/recipes
  • certain manufacturing processes
35
Q

What can be used to protect trade secrets?

A
  • copyright or patents can protect an invention, but you have to reveal the ‘secret’
  • they only protect for a limited time before it can be used by the public
  • instead you should have good controls in place to ensure only authorised people know, and they sign an NDA
36
Q

Best way to protect computer software?

A

Patent law and copyright law don’t fully protect it

So best to keep it as a trade secret (as done by MS)

37
Q

Economic Espionage Act

A

Protects trade secrets with fines and prison

Criminal law

38
Q

Name the four types of licensing agreements?

A
  • contractual licences - written contracts between vendor and users
  • shrink wrap - written on the outside of the package and you agree by breaking the seal
  • click through agreements - click through during the installation process - give your consent
  • cloud services licences - based on click through agreements and common in personal and corporate use
39
Q

What are import/export laws?

A

Developed during the Cold War to stop technology falling into the wrong hands/nations

Used to be very strict and only for allies but have been relaxed since through the ITAR and EAR regulations

  • both stop exportation of military and defence items
40
Q

Which countries are excluded in America’s computer export controls?

A

Cuba, Iran, North Korea, Sudan and Syria

41
Q

Why were encryption export controls lifted?

A

To maintain a competitive advantage in the industry; must still submit for review beforehand.

42
Q

Do Americans have a right to privacy?

A

No. But there are laws in place to help with this - though they are more focused on how the government protects your private information

43
Q

Privacy act 1974

A

How the government deals with private information - it can’t share it without the individual’s consent. Information is destroyed when no longer needed, and you can request access to your info.

Doesn’t apply to businesses

44
Q

ECPA and CALEA (privacy related)

A
  • electronic communications privacy act
  • communications assistance for law enforcement act

The second expanded on the first law to make wiretaps possible for law enforcement with a court order.

The USA Patriot Act expands on this, allowing wiretapping with blanket authorisation for all comms

45
Q

HIPAA (and HITECH)

A

Health insurance portability and accountability act

  • ensures hospitals and health care companies protect their data

health information technology for economic and clinical health act

  • expands on HIPAA to include organisations that handle health information so all follow the law. Must also notify people of a breach (federal law)
46
Q

What federal law looks at data breach notifications?

A

The HITECH law (but only related to health care)

But California was the first state to pass SB 1386, requiring people to be informed of data breaches. It was followed by most states

47
Q

COPPA

A

Children’s online privacy protection act

  • series of demands on websites aimed at children
  • must give notices and also obtain permission from parents
48
Q

Gramm-Leach-Bliley Act of 1999

A

Relaxed regulations on financial institutions sharing information and on the services they provide.

49
Q

USA patriot act

A
  • wiretapping with blanket authorisation
  • ISPs can provide information to government
  • amends CFAA for more severe penalties
50
Q

FERPA

A

Family Educational Rights and Privacy act

  • applies to educational institutions and allows parents/students to view and correct information. Schools can’t release info either
51
Q

Identity theft and assumption deterrence act

A

Used to recognise only the creditors as victims, but now recognises the person whose identity was taken.

Prison term 15 years and 250k fine

52
Q

The courts say privacy is maintained when there is a ‘reasonable expectation of privacy’

A

I.e. you wouldn’t expect a postcard not to be read. Employees do not have this when using company technology

53
Q

European privacy law

A

To protect data being processed. American companies doing business in Europe can obtain protection under the Privacy Shield agreement

7 requirements include:

  • inform individuals about data processing
  • provide free and accessible dispute resolution
  • cooperate with the department of commerce
  • maintain data integrity and purpose limitation
  • ensure accountability for data transferred to third parties
  • transparency related to enforcement agencies
  • ensure commitments are kept as long as data is held
54
Q

GDPR

A

Wider scope than the EU data protection directive

  • applies to all organisations collecting data from the EU
  • must reveal breaches within 24 hours
  • give individuals access to their data
  • the right to be forgotten
55
Q

Explain compliance with an example

A

Not regulatory law but part of a contractual agreement

  • PCI-DSS - enforced through the merchant’s terms. 12 requirements for credit card security (firewalls, access control etc.)
56
Q

When should you review vendors security controls?

A

As part of TPG and vendor selection

  • what/how info is stored, protected, encrypted, segregated; audits, access, incident response etc.