Laws, Regulations, and Compliance Flashcards
What is the Comprehensive Crime Control Act?
Passed in 1984. Established several rules on the use of federal computers in crimes, trafficking in passwords, and causing damage to a federal computer in excess of $1,000.
What is the Computer Fraud and Abuse Act?
Passed in 1986. Raised the damage threshold to $5,000, but covered all federal “interest” computers: any computer used by the federal government or a financial institution, and any combination of computers used to commit an offense when they are not all located in the same state.
The CFAA amendments, passed in 1994, outlawed the creation of any code that might damage a computer system, extended coverage to any computer used in interstate commerce (not just federal interest computers), allowed for imprisonment of offenders, and allowed victims to pursue civil action for damages.
What was the National Information Infrastructure Protection Act?
Passed in 1996. Broadened the CFAA to cover computer systems used in international commerce. Also extended protection to portions of the national infrastructure other than computer networks, and treats any intentional or reckless act causing damage to critical infrastructure as a felony.
What were the Federal Sentencing guidelines?
Released in 1991. Formalized the prudent person rule, which requires senior executives to take personal responsibility for ensuring the due care that ordinary, prudent individuals would exercise in the same situation; this applies to information security. Allows organizations and executives to minimize penalties for infractions by showing they exercised due diligence. Negligence carries three burdens of proof: the person accused must have a legally recognized obligation; the person must have failed to comply with recognized standards; and there must be a causal relationship between the act of negligence and the subsequent damages.
What was FISMA?
The Federal Information Security Management Act was passed in 2002. Requires federal agencies to implement an information security program. Replaced the Computer Security Act of 1987 and the Government Information Security Reform Act of 2000. Requires periodic risk assessments; policies and procedures based on those risk assessments; and subordinate plans for providing adequate information security for networks, facilities, etc. Also requires security awareness training, periodic testing and evaluation of the effectiveness of these policies, a process for planning, implementing, and evaluating remedial actions to address any deficiencies, procedures for responding to incidents, and plans for continuity of operations. Also covers contractors.
What federal security requirements were passed in 2014?
The Federal Information Security Modernization Act modified the 2002 FISMA by centralizing federal cybersecurity responsibility in the Department of Homeland Security (DHS), except for defense-related issues (Department of Defense) and intelligence issues (Director of National Intelligence).
The Cybersecurity Enhancement Act charged NIST with coordinating nationwide work on voluntary cybersecurity standards. Common NIST standards are SP 800-53 (security controls required for federal agencies; also widely used as a benchmark in industry); SP 800-171 (similar to 800-53; required for federal contractors that handle controlled unclassified information); and the NIST Cybersecurity Framework (CSF), a voluntary, risk-based framework for securing information systems.
The National Cybersecurity Protection Act charged DHS with setting up a national cybersecurity and communications integration center (the NCCIC).
Describe copyright law.
Covers literary works, musical works, dramatic works, pantomimes and choreographic works, pictorial/graphical/sculptural works, motion pictures, sound recordings, and architectural works.
Copyright law only protects the actual source code of computer software, not the ideas behind it, and it is not clear whether it covers the look and feel of a software package’s GUI.
Copyright ownership defaults to the creator of the work. If the work was made “for hire,” the employer owns it.
Works are protected for the life of the author plus 70 years (for joint works, 70 years after the death of the last surviving author). Anonymous works, pseudonymous works, and works for hire are protected for 95 years from the date of first publication or 120 years from the date of creation, whichever is shorter.
The DMCA was passed in 1998. Prohibits attempts to circumvent copyright protection mechanisms, with penalties of up to $1 million and 10 years in prison for repeat offenders. Nonprofit libraries, archives, and educational institutions are exempt.
Also limits the liability of ISPs when their networks are used by criminals, similar to “common carrier” statutes. Allows copies of licensed software to be made (for example, during computer maintenance or repair) as long as the license allows it, the use complies with the agreement, and the copies are deleted when no longer needed. Streaming audio (webcasting) is treated as “eligible nonsubscription transmissions.”
What are trademarks?
Words, slogans, and logos used to identify a company and its products or services. The goal is to avoid confusion in the marketplace. You do not have to officially register a trademark to get protection, but registration with the USPTO provides stronger protection.
You can register a trademark that you intend to use but are not already using.
In the US, a trademark registration lasts 10 years and can be renewed for 10 years at a time. The mark must not be confusingly similar to another trademark, and should not merely describe the goods or services you are offering.
What are patents?
Utility patents protect the intellectual property rights of inventors. They grant 20 years of exclusive use from the date of application. The invention must be new, must be useful, and must not be obvious.
Common for hardware. Also used for software, though some consider software patents too broad.
Design patents protect the appearance of an invention and last only 15 years.
What are trade secrets?
Copyrights and patents have two major disadvantages for protecting trade secrets: filing requires you to publicly disclose your work, which removes the secret, and they only provide protection for a limited period. So you must rely on internal controls that preserve need to know, and have NDAs in place for those who are read in.
This is one of the best ways to protect software. Patent law does not provide adequate protection, and copyright law only protects the actual source code (so others could write their own code that does the same thing). Companies like Microsoft rely on trade secret protection for their intellectual property.
What is the Economic Espionage Act of 1996?
Anyone who steals trade secrets from a U.S. corporation with the intention of benefiting a foreign government may be fined up to $500,000 and imprisoned for up to 15 years. Anyone stealing trade secrets under other circumstances may be fined up to $250,000 and face up to 10 years in prison.
Extended the definition of property to cover proprietary economic information.
What are the types of licensing agreements?
–Contractual license agreements are written agreements between the software vendor and the customer outlining the responsibilities of each. Most common for specialized or high-priced software.
–Shrink-wrap agreements are written on the outside of the packaging. You acknowledge the terms when you open the packaging.
–Click-through license agreements require you to click a button acknowledging the terms when you install the software.
–Cloud services agreements take click-through agreements a step further: the service simply flashes legal terms on the screen for review, and in some cases there may not even be an explicit way to agree or disagree.
What is the Privacy Act?
The Privacy Act of 1974 imposed regulations on federal agencies regarding the retention and release of information on individuals. It applies only to federal agencies, not to the private sector.
What is the Electronic Communications Privacy Act of 1986?
Made it a crime to invade the electronic privacy of an individual. Prohibits the interception or disclosure of electronic communications. Covers email, voicemail, and mobile phone conversations.
What is CALEA?
The Communications Assistance for Law Enforcement Act of 1994 required communications carriers to make wiretaps possible for law enforcement (with an appropriate court order) regardless of the technology in use.