Sunday, 31 July 2011

CISSP CBK 8 Legal, Regulations, Compliance, and Investigations

Legal, Regulations, Compliance, and Investigations

Council of Europe (CoE) Convention on Cybercrime:
If the organization is exchanging data with European entities, it may need to adhere to the Safe Harbor framework.

Safe Harbor framework: any entity that is going to move private data to and from Europe must provide protection for it.

Civil law deals with wrongs against individuals or companies that result in damages or loss. This is referred to as tort law. No jail sentence.

Criminal law: when an individual's conduct violates government laws. Jail sentence.

Administrative/regulatory law deals with regulatory standards that regulate performance and conduct

Intellectual property laws do not necessarily look at who is right or wrong, but rather at how a company can protect what it rightfully owns from unauthorized duplication or use.

Trade secret = competitive value or advantage (e.g., the formula for a drink)
Copyright = rights for authors (protects against unauthorized copying and distribution of a work)
Trademark = protects a word, name, or symbol (identifiable packaging, "trade dress")
Patent = usually valid for 20 years from the date of approval

International trademark law efforts and international registration are overseen by the World Intellectual Property Organization (WIPO), an agency of the United Nations.

Similar to trademarks, international patents are overseen by the WIPO.

Digital Millennium Copyright Act (DMCA) makes it illegal to create products that circumvent copyright protection mechanisms.

Federal Privacy Act of 1974; since then the government has enacted new laws, e.g. the Gramm-Leach-Bliley Act of 1999.

Federal Privacy Act: if an agency collects data on a person, that person has the right to receive a report outlining the data collected about him, if requested (it also gives individuals the right to review records about themselves, to find out if these records have been disclosed, and to request corrections or amendments of these records).

Sarbanes-Oxley Act (SOX) governs accounting practices.
Health Insurance Portability and Accountability Act (HIPAA)

Gramm-Leach-Bliley Act of 1999 (GLBA) requires financial institutions to develop privacy notices and to give their customers an option on sharing their data with other companies.

1994 U.S. Communications Assistance for Law Enforcement Act: requires all communications carriers to make wiretaps possible.

Computer Fraud and Abuse Act, 1986, 1996
  • access to federal government computers to obtain classified information
  • access to financial institution computers or any computer
  • unauthorized access to a government computer
  • knowing access of a protected computer without authorization with intent to defraud
  • causing the transmission of a program, information, or code from a computer without the owner's authorization
  • trafficking in computer passwords for fraud
  • transmission of a communication containing threats

The Federal Privacy Act of 1974
Government agencies can maintain personal information only if it is necessary to accomplish the agency's purpose.

The Privacy Act dictates that an agency cannot disclose this information without written permission from the individual; however, there are some exceptions.

1996 U.S. Economic and Protection of Proprietary Information Act: industrial and corporate espionage.

1980 Organization for Economic Cooperation and Development (OECD) Guidelines
Deals with data collection limitations, the quality of data, specifications of the purpose for data collection, limitations of data use, participation by the individual on whom the data is being collected, and accountability of the data controller

Basel II
How much capital banks need to put aside to guard against the types of financial and operational risks banks face.

1987 U.S. Computer Security Act: requires federal government agencies to conduct security-related training, to identify sensitive systems, and to develop a security plan for those sensitive systems.

Computer Security Act of 1987: identify computers with sensitive information.

American citizens are protected by the Fourth Amendment against unlawful search and seizure.

Payment Card Industry Data Security Standard (PCI DSS)
Applies to any entity that processes, transmits, stores, or accepts credit card data. PCI DSS is a private-sector industry initiative. It is not a law, and failure to comply may lead to revocation of merchant status or a fine.
PCI DSS main areas
  • Build and Maintain a Secure Network
  • Protect Cardholder Data
  • Maintain a Vulnerability Management Program
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Networks
  • Maintain an Information Security Policy

Economic Espionage Act of 1996

1991 U.S. Federal Sentencing Guidelines were developed to provide judges with courses of action in dealing with white-collar crimes; maximum fine up to $290 million.

Employee Privacy Issues
A manager can listen to your conversation with a customer but not to your personal conversation.

Government regulations: SOX, HIPAA, GLBA, Basel
Self-regulation: Payment Card Industry (PCI)
Individual user: passwords, encryption, awareness

Downstream liability: when two companies work together they must ensure proper protection for each other; if a virus affects one company, the other will also get affected and will finally sue the upstream company.

An event is a negative occurrence that can be observed, verified, and documented, whereas an incident is a series of events that negatively affects the company and/or impacts its security posture.

Incident response policy should be managed by the Legal Department.

Three types of incident response team
Virtual team: members have other jobs; slower response
Permanent team: dedicated strictly to incident response
Hybrid team: some are permanent members and some are called in when needed

Main goal of incident handling is to contain and mitigate any damage caused by an incident and to prevent any further damage.

Steps of Incident Response
Triage: initial screening of the reported event to determine whether it is a false positive
Investigation: proper collection of relevant data

Honeypots can introduce liability issues and can be used to attack other internal targets.

Steps of Forensic Investigation

Exigent circumstances: when law enforcement quickly seizes the evidence to prevent someone from destroying it.

Most of the time, computer-related documents are considered hearsay, meaning the evidence is secondhand evidence.

The life cycle of evidence includes
Collection and identification
Storage, preservation, and transportation
Presentation in court
Return of the evidence to the victim or owner

Oral evidence is not considered best evidence because there is no firsthand reliable proof.

Evidence should be authentic, complete, sufficient, and reliable.
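As an added illustration of the evidence life cycle and the authenticity and completeness requirements above (example code written for these notes, not part of the original post or any forensic tool), the following hypothetical chain-of-custody ledger hashes an item at collection, records every hand-over, and can later show that a presented copy is unchanged and that the custody chain has no gaps. The record and function names (`EvidenceRecord`, `collect`, `transfer`, `verify`, `audit`) and the sample bytes are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical chain-of-custody ledger (example code, not from the original notes).
# Authenticity is checked with a SHA-256 digest taken at collection; completeness
# of the custody chain is checked by auditing that every hand-over starts with the
# handler who received the item in the previous entry.


@dataclass(frozen=True)
class CustodyEntry:
    timestamp: str        # UTC ISO-8601 time of the action
    from_handler: str     # who handed the item over ("scene" at collection)
    to_handler: str       # who now holds the item
    action: str           # collected / transferred / stored / presented


@dataclass
class EvidenceRecord:
    item_id: str
    description: str
    sha256: str
    size: int
    chain: list = field(default_factory=list)


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def collect(item_id: str, description: str, data: bytes, collector: str) -> EvidenceRecord:
    """Hash the item at collection and open the custody chain."""
    rec = EvidenceRecord(item_id, description, sha256_hex(data), len(data))
    rec.chain.append(CustodyEntry(_now(), "scene", collector, "collected"))
    return rec


def transfer(rec: EvidenceRecord, from_handler: str, to_handler: str,
             action: str = "transferred") -> None:
    """Record a hand-over exactly as it happened; gaps are found later by audit()."""
    rec.chain.append(CustodyEntry(_now(), from_handler, to_handler, action))


def verify(rec: EvidenceRecord, data: bytes) -> bool:
    """Authenticity check: the copy presented must match the digest taken at collection."""
    return len(data) == rec.size and sha256_hex(data) == rec.sha256


def audit(rec: EvidenceRecord) -> list:
    """Return a description of every break in the custody chain (empty list = continuous)."""
    problems = []
    if not rec.chain or rec.chain[0].action != "collected":
        problems.append("chain does not start with a collection entry")
    for prev, cur in zip(rec.chain, rec.chain[1:]):
        if cur.from_handler != prev.to_handler:
            problems.append(
                f"gap: {cur.from_handler} handed over an item last held by {prev.to_handler}"
            )
    return problems


if __name__ == "__main__":
    # Constructed sample evidence: stands in for a disk image or log export.
    image = b"constructed sample disk image bytes"
    rec = collect("EV-001", "workstation disk image (constructed)", image, "analyst_a")
    transfer(rec, "analyst_a", "evidence_locker", "stored")
    transfer(rec, "evidence_locker", "analyst_b")
    print("authentic copy:", verify(rec, image))
    print("altered copy:  ", verify(rec, image + b"\x00"))
    print("custody problems:", audit(rec))
    transfer(rec, "analyst_a", "court", "presented")  # analyst_a no longer holds it
    print("custody problems after bad hand-over:", audit(rec))
```

The ledger deliberately records hand-overs as they are reported and leaves gap detection to `audit()`, so that a break in custody is visible in the record rather than silently refused; a single mismatched digest or a single gap is enough for the copy or the chain to fail the authenticity and completeness tests the notes list.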

Dumpster diving is unethical, but it's not illegal.
Trespassing is illegal.
Emanation = TEMPEST

Some things may not be illegal, but that does not necessarily mean they are ethical

Red box: simulated the tones of coins being deposited into a pay phone.
Black box: method to manipulate line voltage to enable people to call toll-free lines.
Blue box: enabled people to make free long-distance phone calls.

Generally Accepted System Security Principles (GASSP) are security-oriented principles and do not specifically cover viruses or worms.

ISC2 Code of Ethics

Code of Ethics Preamble:
  • Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
  • Therefore, strict adherence to this Code is a condition of certification.

Code of Ethics Canons:
  • Protect society, the commonwealth, and the infrastructure.
  • Act honorably, honestly, justly, responsibly, and legally.
  • Provide diligent and competent service to principals.
  • Advance and protect the profession.

Business attack = competitive intelligence to obtain trade secrets
Intelligence attack = military
Financial attack = bank fraud

Corroborative evidence: supporting evidence used to help prove an idea or a point; it cannot stand on its own (e.g., torn clothes, a 911 call recording).

Computer fraudsters hold a position of trust.

The exclusionary rule states that evidence must be gathered legally.

Incident handling: contain and repair any damage caused by an event.

A memory dump gives the state of the machine.

Circumstantial evidence = inference of information from other, intermediate, relevant facts.
Secondary evidence = copy of evidence or oral description.
Conclusive evidence = overrides all other evidence.

GAISP: Generally Accepted Information Security Principles
Computer security supports the mission of the organization
Computer security is an integral element of sound management
Computer security should be cost-effective
System owners have security responsibilities outside their own organization
Computer security responsibilities and accountability should be made explicit
Computer security requires a comprehensive and integrated approach
Computer security should be periodically reassessed
Computer security is constrained by societal factors

Sunday, 24 July 2011

The business continuity coordinator is the leader of the BCP.

BCP Planning
1. Project initiation
2. BIA
3. Recovery strategy
4. Plan design and development
5. Implementation
6. Testing
7. Continual maintenance

1. Project initiation
Develop the continuity planning policy statement; obtain management support and resources
Establishing the need for the BCP
Obtaining management support
Identifying strategic internal and external resources
Establishing members of the team
Establishing the project management work plan
Determining the need for automated data collection tools
Preparing and presenting status reports
2. Business Impact Analysis
Maximum tolerable downtime
Operational disruption and productivity
Financial considerations
Regulatory responsibilities
Reputation, preventive measures
3. Recovery strategy
Business process recovery
Facility recovery
Supply and technology recovery
User environment recovery
Data recovery

Hot site (subscription service) vs. redundant site (owned by the company).

Backup site should be 15 miles away (recommended); for a critical environment, 50-200 miles.

Software escrow means that a third party holds the source code, backups of the compiled code, manuals, and other supporting materials.

Disk duplexing means there is more than one disk controller. If one disk controller fails, the other is ready and available.

Electronic vaulting makes copies of files as they are modified and periodically transmits them to an off-site backup site (not real time; batch processing, bulk information transfer).

Remote journaling is off-site data storage for real-time transaction logs.
Tape vaulting: automatic transfer of data to a tape controller at a remote site.

Block ciphers do not use public cryptography (private and public keys).

Types of testing include
Structured walk-through
Full interruption

The functions of a critical system can only be replaced by identical capabilities. Other functions can be performed manually.

Dual data center strategy, also called redundant site or alternate site, would be employed for applications that cannot accept any downtime without impacting the business.

Property insurance Replacement Cost Valuation (RCV) clause: your damaged property will be compensated on a new-for-old basis regardless of the condition of the lost item.

ACV (Actual Cost Value): value of the item on the date of loss.

The disaster recovery plan is usually very information technology (IT) focused.

The eight detailed and granular steps of the BIA are:
1. Select Individuals to interview for the data gathering.
2. Create data gathering techniques (surveys, questionnaires, qualitative and quantitative approaches).
3. Identify the company's critical business functions.
4. Identify the resources that these functions depend upon.
5. Calculate how long these functions can survive without these resources.
6. Identify vulnerabilities and the threats to these functions.
7. Calculate risk for each of the different business functions.
8. Document findings and report them to management.

Creating a BCP committee is part of the scope and plan initiation

Recovery Time Objective (RTO) is the amount of time allowed for the recovery of a business function. If the RTO is exceeded, severe damage to the organization would result. The RTO would be defined as part of the recovery plan and not as part of the BIA.

The Recovery Point Objective (RPO) is the point in time to which data must be restored in order to resume processing (mainly business transactions).
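As an added worked example (written for these notes, not part of the original post or any product), the model below ties the RPO definition to the two off-site copy methods described earlier, electronic vaulting (batch transfer) and remote journaling (real-time transaction-log shipping). It replays a constructed transaction log up to a failure time, works out the recovery point each method can restore to, lists the transactions that would be lost, and checks whether the RPO is met. Function names, the `Txn` record and the sample log are all constructed for the example.

```python
from dataclasses import dataclass

# Hypothetical model comparing off-site copy strategies against an RPO
# (example code, not from the original notes). Times are seconds after midnight.


@dataclass(frozen=True)
class Txn:
    seq: int
    committed_at: int


# Constructed sample transaction log for one day (not real data).
SAMPLE_LOG = [Txn(1, 0), Txn(2, 600), Txn(3, 1500), Txn(4, 2900), Txn(5, 3500), Txn(6, 4100)]


def recover_electronic_vaulting(log, failure_at, batch_interval):
    """Batch transfer: a bulk copy ships every batch_interval seconds. Only batches
    that completed before the failure exist off site, so the recovery point is the
    last batch boundary at or before the failure. Returns (recovery_point, recovered)."""
    recovery_point = (failure_at // batch_interval) * batch_interval
    recovered = [x for x in log if x.committed_at <= recovery_point]
    return recovery_point, recovered


def recover_remote_journaling(log, failure_at, replication_lag):
    """Real-time transaction-log shipping: a committed transaction is at the remote site
    replication_lag seconds later, so the recovery point is failure_at - replication_lag."""
    recovery_point = failure_at - replication_lag
    recovered = [x for x in log if x.committed_at <= recovery_point]
    return recovery_point, recovered


def lost_transactions(log, failure_at, recovered):
    """Transactions committed before the failure that the off-site copy does not contain."""
    kept = {x.seq for x in recovered}
    return [x for x in log if x.committed_at <= failure_at and x.seq not in kept]


def meets_rpo(failure_at, recovery_point, rpo_seconds):
    """RPO is met when the restorable point is no older than rpo_seconds before the failure."""
    return failure_at - recovery_point <= rpo_seconds


if __name__ == "__main__":
    failure_at, rpo = 4200, 900  # failure at 01:10, RPO of 15 minutes (constructed)
    strategies = {
        "electronic vaulting (hourly batch)": recover_electronic_vaulting(SAMPLE_LOG, failure_at, 3600),
        "remote journaling (5 s lag)": recover_remote_journaling(SAMPLE_LOG, failure_at, 5),
    }
    for name, (rp, got) in strategies.items():
        lost = [x.seq for x in lost_transactions(SAMPLE_LOG, failure_at, got)]
        print(f"{name}: recovery point t={rp}, lost txns {lost}, "
              f"meets RPO: {meets_rpo(failure_at, rp, rpo)}")
```

The point the model makes is that the worst-case data loss of batch vaulting is bounded by the batch interval, so an RPO shorter than that interval cannot be met by vaulting alone, whereas journaling's loss window is only the replication lag; the same functions can be rerun with an organisation's own interval, lag and RPO figures.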

A data backup is the first step in contingency planning

Human Resources may not be a part of the BCP committee

Named perils: the burden of proof that a particular loss is covered is on the insured.

The primary difference between them is that one type of policy covers what is "named" (included) in the policy while the other covers what is not included. A named peril policy is often a good choice for those business owners whose business is located in an area frequently hit by natural disasters such as hurricanes, tornados, or floods. Such a policy spells out the specific events for which you are covered. The cost of the premiums will depend on the location of the business and the likelihood of the specific peril(s). Anything not specifically named in such a policy is not covered.
An all-risk policy covers your business from damages caused by any type of disaster with the exception of those specifically excluded in the policy. Floods and earthquakes are two events that are typically excluded, but coverage for these types of disasters can be added to the policy for an additional fee.
Use of the All Risk form shifts the burden of proof onto the insurer to prove that a particular loss was not covered by the policy.

The Occupant Emergency Plan (OEP) provides the response procedures for occupants of a facility in the event of a situation posing a potential threat to the health and safety of personnel, the environment, or property. Such events would include a fire, hurricane, criminal attack, or a medical emergency.

BCP is corrective control.