Sunday, 31 July 2011

CISSP CBK 8 Legal, Regulations, Compliance, and Investigations

Legal, Regulations, Compliance, and Investigations

Council of Europe (CoE) Convention on Cybercrime:
If the organization is exchanging data with European entities, it may need to adhere to the Safe Harbor framework.

The Safe Harbor framework defines how any entity that moves private data to and from Europe must protect that data.

Civil law deals with wrongs against individuals or companies that result in damages or loss. This is referred to as tort law. No jail sentence.

Criminal law applies when an individual's conduct violates government laws. Jail sentence possible.

Administrative/regulatory law deals with regulatory standards that govern performance and conduct.

Intellectual property laws do not necessarily look at who is right or wrong, but rather at how a company can protect what it rightfully owns from unauthorized duplication or use.

Trade secret = something with competitive value or advantage (e.g., the formula for a drink)
Copyright = rights for authors (protects against unauthorized copying and distribution of a work)
Trademark = protects a word, name, or symbol (identifiable packaging, "trade dress")
Patent = protection for an invention (usually valid for 20 years from the date of approval)

International trademark law efforts and international registration are overseen by the World Intellectual Property Organization (WIPO), an agency of the United Nations.

Similar to trademarks, international patents are overseen by the WIPO.

The Digital Millennium Copyright Act (DMCA) makes it illegal to create products that circumvent copyright protection mechanisms.

Since the Federal Privacy Act of 1974, the U.S. has enacted newer privacy laws, such as the Gramm-Leach-Bliley Act of 1999.

Federal Privacy Act: if an agency collects data on a person, that person has the right to receive, on request, a report outlining the data collected about him (the Act also gives individuals the right to review records about themselves, to find out if these records have been disclosed, and to request corrections or amendments of these records).

Sarbanes-Oxley Act (SOX): this law governs accounting practices.
Health Insurance Portability and Accountability Act (HIPAA)

Gramm-Leach-Bliley Act of 1999 (GLBA) requires financial institutions to develop privacy notices and to give their customers a choice about whether their data is shared with other companies.

1994 U.S. Communications Assistance for Law Enforcement Act (CALEA) requires all communications carriers to make wiretaps possible.

Computer Fraud and Abuse Act (1986, amended 1996) covers:
  • accessing federal government computers to obtain classified information
  • accessing financial institution computers or any other computer
  • unauthorized access to government computers
  • knowingly accessing a protected computer without authorization with intent to defraud
  • causing the transmission of a program, information, or code from a computer without the owner's authorization
  • trafficking in computer passwords for fraud
  • transmitting communications containing threats

The Federal Privacy Act of 1974
Government agencies can maintain personal information only if it is necessary to accomplish the agency's purpose.

The Privacy Act dictates that an agency cannot disclose this information without written permission from the individual; however, there are some exceptions.

1996 U.S. Economic and Protection of Proprietary Information Act: addresses industrial and corporate espionage.

1980 Organization for Economic Cooperation and Development (OECD) Guidelines
These deal with data collection limitations, the quality of data, specification of the purpose for data collection, limitations on data use, participation by the individual on whom the data is being collected, and accountability of the data controller.

Basel II
Specifies how much capital banks need to set aside to guard against the types of financial and operational risks banks face.

1987 U.S. Computer Security Act requires federal government agencies to conduct security-related training, to identify sensitive systems, and to develop a security plan for those sensitive systems.

The Computer Security Act of 1987 also requires agencies to identify computers holding sensitive information.

American citizens are protected by the Fourth Amendment against unlawful search and seizure.

Payment Card Industry Data Security Standard (PCI DSS)
Applies to any entity that processes, transmits, stores, or accepts credit card data. PCI DSS is a private-sector industry initiative; it is not a law, and failure to comply may lead to revocation of merchant status or a fine.
PCI DSS main areas:
  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

Economic Espionage Act of 1996

In 1991, the U.S. Federal Sentencing Guidelines were developed to provide judges with courses of action in dealing with white-collar crimes; the maximum fine is up to $290 million.

Employee Privacy Issues
A manager can listen to your conversation with a customer, but not to your personal conversation.

Government regulations: SOX, HIPAA, GLBA, Basel
Self-regulation: Payment Card Industry (PCI)
Individual user: passwords, encryption, awareness

Downstream liability: when two companies work together, they must ensure proper protection for each other; if a virus affects one company, the other will eventually be affected as well and may sue the upstream company.

An event is a negative occurrence that can be observed, verified, and documented, whereas an incident is a series of events that negatively affects the company and/or impacts its security posture.

The incident response policy should be managed by the Legal Department.

Three types of incident response team:
  • Virtual team: members have other jobs, so response is slower
  • Permanent team: dedicated strictly to incident response
  • Hybrid team: some members are permanent and some are called in when needed

Main goal of incident handling is to contain and mitigate any damage caused by an incident and to prevent any further damage.

Steps to Incident Response
Triage: initial screening of the reported event to determine whether it is a false positive
Investigation: proper collection of relevant data

Honeypots can introduce liability issues and can be used as a platform to attack other internal targets.

Steps of Forensic Investigation

Exigent circumstances: when law enforcement quickly seizes evidence to prevent someone from destroying it.

Most of the time, computer-related documents are considered hearsay, meaning the evidence is secondhand evidence.

The life cycle of evidence includes:
  • Collection and identification
  • Storage, preservation, and transportation
  • Presentation in court
  • Return of the evidence to the victim or owner

Oral evidence is not considered best evidence because there is no firsthand, reliable proof.

Evidence should be authentic, complete, sufficient, and reliable.

Dumpster diving is unethical, but it's not illegal.
Trespassing is illegal.
Emanation = TEMPEST

Some things may not be illegal, but that does not necessarily mean they are ethical.

Red box: simulated the tones of coins being deposited into a pay phone.
Black box: manipulated line voltage to enable people to call toll-free lines.
Blue box: enabled people to make free long-distance phone calls.

Generally Accepted System Security Principles (GASSP) are security-oriented principles and do not specifically cover viruses or worms.

(ISC)² Code of Ethics

Code of Ethics Preamble:
  • Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
  • Therefore, strict adherence to this Code is a condition of certification.

Code of Ethics Canons:
  • Protect society, the commonwealth, and the infrastructure.
  • Act honorably, honestly, justly, responsibly, and legally.
  • Provide diligent and competent service to principals.
  • Advance and protect the profession.

Business attack = competitive intelligence to obtain trade secrets
Intelligence attack = military
Financial attack = bank fraud

Corroborative evidence: supporting evidence used to help prove an idea or a point; it cannot stand on its own (e.g., torn clothes, a 911 call recording).

Computer fraudsters typically hold a position of trust.

The exclusionary rule states that evidence must be gathered legally.

Incident handling: contain and repair any damage caused by an event.

A memory dump gives the state of the machine.

Circumstantial evidence = inference of information from other, intermediate, relevant facts
Secondary evidence = a copy of evidence or an oral description of it
Conclusive evidence = overrides all other evidence

GAISP (Generally Accepted Information Security Principles):
  • Computer security supports the mission of the organization
  • Computer security is an integral element of sound management
  • Computer security should be cost-effective
  • System owners have security responsibilities outside their own organization
  • Computer security responsibilities and accountability should be made explicit
  • Computer security requires a comprehensive and integrated approach
  • Computer security should be periodically reassessed
  • Computer security is constrained by societal factors
