CISSPSecurityLaws


  • 8/2/2019 CISSPSecurityLaws

    1/7

    Computer Security, Privacy and Crime Laws

    From the CISSP Prep Guide: Krutz, Ronald L. and Vines, Russell Dean, The CISSP Prep Guide: Mastering the Ten Domains of Network Security; John Wiley & Sons, New York, New York, 2001, 305-308.

    The following is a summary of laws, regulations, and directives, and lists requirements pertaining to the protection of computer-related information:

    1970 U.S. Fair Credit Reporting Act. Covers consumer reporting agencies.

    1970 U.S. Racketeer Influenced and Corrupt Organization Act (RICO). Addresses both criminal and civil crimes involving racketeers influencing the operation of legitimate businesses; crimes cited in this act include mail fraud, securities fraud, and the use of a computer to perpetrate fraud.

    1973 U.S. Code of Fair Information Practices. Applies to personal recordkeeping.

    1974 U.S. Privacy Act. Applies to federal agencies. Provides for the protection of information about private individuals that is held in federal databases, and grants access by the individual to these databases.

    1980 Organization for Economic Cooperation and Development (OECD) Guidelines. Provides for data collection limitations, the quality of the data, specifications of the purpose for data collection, limitations on data use, information security safeguards, openness, participation by the individual on whom the data is being collected, and accountability of the data controller.

    1984 U.S. Medical Computer Crime Act. Addresses illegal access or alteration of computerized medical records through phone or data networks.

    1984 (Strengthened in 1988 and 1994) First U.S. Federal Computer Crime Law Passed. Covered classified defense or foreign relations information, records of financial institutions or credit reporting agencies, and government computers. Unauthorized access or access in excess of authorization became a felony for classified information and a misdemeanor for financial information. This law made it a misdemeanor to knowingly access a U.S. Government computer without or beyond authorization if the U.S. Government's use of the computer would be affected.

    1986 (Amended in 1996) U.S. Computer Fraud and Abuse Act. Clarified the 1984 law and added three new crimes:

    1. When use of a federal interest computer furthers an intended fraud.
    2. Altering, damaging, or destroying information in a federal interest computer or preventing the use of the computer or information that causes a loss of $1000 or more or could impair medical treatment.
    3. Trafficking in computer passwords if it affects interstate or foreign commerce or permits unauthorized access to government computers.

    1986 U.S. Electronic Communications Privacy Act. Prohibits eavesdropping or the interception of message contents without distinguishing between private or public systems.

    1987 Computer Security Act. Places requirements on federal government agencies to conduct security-related training, to identify sensitive systems, and to develop a security plan for those sensitive systems. A category of sensitive information called Sensitive But Unclassified (SBU) has to be considered. This category, formerly called Sensitive Unclassified Information (SUI), pertains to information below the Government's Classified level that is important enough to protect, such as medical information, financial information, and research and development knowledge. This act also partitioned the government's responsibility for security between the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA). NIST was given responsibility for information security in general (primarily for the commercial and SBU arenas), and NSA retained the responsibility for cryptography for classified government and military applications.

    1991 Federal Sentencing Guidelines. Provides punishment guidelines for those found guilty of breaking federal law. These guidelines are as follows:

    1. Treat the unauthorized possession of information without the intent to profit from the information as a crime.
    2. Address both individuals and organizations.
    3. Make the degree of punishment a function of the extent to which the organization has demonstrated due diligence (due care or reasonable care) in establishing a prevention and detection program.
    4. Invoke the prudent man rule that requires senior officials to perform their duties with the care that ordinary, prudent people would exercise under similar circumstances.
    5. Place responsibility on senior organizational management for the prevention and detection programs with fines of up to $290 million for nonperformance.

    1992 OECD Guidelines to Serve as a Total Security Framework. Framework includes laws, policies, technical and administrative measures, and education.

    1994 U.S. Communications Assistance for Law Enforcement Act. Requires all communications carriers to make wiretaps possible.

    1994 U.S. Computer Abuse Amendments Act. This act accomplished the following:

    1. Changed the federal interest computer to a computer used in interstate commerce or communications.
    2. Covers viruses and worms.
    3. Included intentional damage as well as damage done with "reckless disregard of substantial and unjustifiable risk".
    4. Limited imprisonment for the unintentional damage to one year.
    5. Provides for civil action to obtain compensatory damages or other relief.


    1998 Council Directive (Law) on Data Protection for the European Union (EU). Declares that each EU nation is to enact protections similar to those of the OECD Guidelines.

    1996 U.S. Economic and Protection of Proprietary Information Act. Addresses industrial and corporate espionage and extends the definition of property to include proprietary economic information in order to cover theft of this information.

    1996 U.S. Kennedy-Kassebaum Health Insurance Portability and Accountability Act (HIPAA) (with the additional requirements added in December of 2000). Addresses the issues of personal health care information privacy and health plan portability in the United States.

    1996 U.S. National Information Infrastructure Protection Act. Enacted in October of 1996 as part of Public Law 104-294, it amended the Computer Fraud and Abuse Act, which is codified at 18 U.S.C. 1030. The amended Computer Fraud and Abuse Act is patterned after the OECD Guidelines for the Security of Information Systems and addresses the protection of the confidentiality, integrity, and availability of data and systems. The Act is intended to encourage other countries to adopt a similar framework, thus creating a more uniform approach to addressing computer crime in the existing global information infrastructure.

    Generally Accepted Systems Security Principles (GASSP). These items are not laws, but are accepted principles that have a foundation in the OECD Guidelines.

    1. Computer security supports the mission of the organization.
    2. Computer security is an integral element of sound management.
    3. Computer security should be cost-effective.
    4. Systems owners have security responsibilities outside their organizations.
    5. Computer security responsibilities and accountability should be made explicit.
    6. Computer security requires a comprehensive and integrated approach.
    7. Computer security should be periodically reassessed.
    8. Computer security is constrained by societal factors.

    As of this writing, there is also pending legislation dealing with U.S. Government procurement issues and electronic transactions. These pending laws are the Uniform Electronic Transactions Act (UETA) and the Uniform Computer Information Transactions Act (UCITA).

    The UETA applies to practices at the state level that are covered in the Federal Electronic Signatures in Global and National Commerce Act of 2000 (E-Sign). As the result of this legislation, a major change would be the permission to use electronic signatures for certain transactions.

    UCITA legislation deals with shrink-wrap and click-wrap licensing agreements. With these agreements, a user explicitly agrees to the licensing terms upon opening the shrink-wrapped box of new software or when asked to click agreement to terms in order to install the new software. It makes such licensing agreements legally binding but does not hold the software developer liable for consequential damages due to the software's failure to perform. UCITA essentially confirms the status quo.


    From: http://www.ecu.edu/cs-itcs/itsecurity/GLB.cfm

    The Gramm-Leach-Bliley Act

    The Gramm-Leach-Bliley Act (GLBA) requires financial institutions, including colleges and universities, to develop, implement, and maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards appropriate to the size and complexity of the institution, the nature and scope of its activities, and the sensitivity of any customer information at issue.

    From: http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html

    The Family Educational Rights and Privacy Act

    The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.

    The Protection of Pupil Rights Amendment

    The Protection of Pupil Rights Amendment (PPRA) (20 U.S.C. 1232h; 34 CFR Part 98) applies to programs that receive funding from the U.S. Department of Education (ED). PPRA is intended to protect the rights of parents and students in two ways:

    It seeks to ensure that schools and contractors make instructional materials available for inspection by parents if those materials will be used in connection with an ED-funded survey, analysis, or evaluation in which their children participate; and

    It seeks to ensure that schools and contractors obtain written parental consent before minor students are required to participate in any ED-funded survey, analysis, or evaluation that reveals some types of personal information.

    From: http://www.ecu.edu/cs-itcs/itsecurity/HIPAA-Privacy-Security.cfm

    HIPAA Privacy and Security

    The Health Insurance Portability and Accountability Act of 1996 (HIPAA) main goal was to ensure the portability of health insurance benefits, particularly as individuals moved from job to job.

    The Privacy Rule sets the standards for how protected patient health information should be controlled.


    The Security Rule mandates physical and technical safeguards that should be put in place to ensure adequate ongoing protection of electronic protected health information (EPHI). These safeguards are based upon information security best practices.

    All workforce members must be trained on HIPAA security issues if they access computers that contain EPHI.

    From: http://www.randomneuron.com/security/laws.htm

    Primary Source: SecurityFocus - U.S. Information Security Law, Part One: Protecting Private Sector Systems, and Information Security Professionals and Trade Secrets, by Steven Robinson, last updated Feb 25, 2003

    The Wiretap Act (1968, amended 1996)

    Imposes civil and criminal liability on any person who intentionally uses or attempts to use any electronic, mechanical, or other device, either directly or through another person, to intercept any oral communication.

    Federal Privacy Act of 1974

    It requires government agencies to limit disclosure of collected personal information to only authorized persons; to keep the records accurate, relevant to the purpose of the agency, timely, and complete; and to safeguard the security of the records.

    CFAA - Computer Fraud and Abuse Act (1986, amended 1996)

    The CFAA imposes liability on anyone who:

    Intentionally accesses a protected computer without authorization or in excess of authority, and by doing so, steals anything of value, other than the use of the computer itself, where that computer use is worth more than $5,000 in any one year period;

    Knowingly transmits a program, code or instruction, and as a result, intentionally causes damage, without authorization, to a protected computer;

    Intentionally accesses a protected computer without authorization, and as a result, causes damage, recklessly or otherwise;

    Knowingly traffics illegally in passwords or other access credentials that allow unauthorized access to a computer, if that traffic affects interstate or foreign commerce or the computer is used by or for the United States government;

    Threatens to damage a protected computer with intent to extort anything of value; or attempts to do any of the above.

    The second part of the definition, the language that extends the CFAA's protections to any computer "used in interstate or foreign communication," is responsible for the great breadth of the CFAA's present applicability, because that language brings essentially every computer with Internet access within the scope of the statute.

    Electronic Communications Privacy Act (1986)

    PL 99-508 - Updated the U.S. Code to cover electronic communications. It prohibits any interception of communications (without an authorized court order or jurisdiction).


    The Stored Communications Act

    The Stored Communications Act, 18 U.S.C. 2701-12, protects stored communications from being accessed and disclosed without authorization.

    U.S. Economic and Protection of Proprietary Information Act 1996

    The Act makes it a federal criminal act for any person to convert a trade secret to his own benefit or the benefit of others intending or knowing that the offense will injure any owner of the trade secret. The conversion of a trade secret is defined broadly to cover every conceivable act of trade secret misappropriation including theft, appropriation without authorization, concealment, fraud, artifice, deception, copying without authorization, duplication, sketches, drawings, photographs, downloads, uploads, alterations, destruction, photocopies, transmissions, deliveries, mail, communications, or other transfers or conveyances of such trade secrets without authorization.

    Under this act, computer source code is considered to be a trade secret.

    DMCA - The Digital Millennium Copyright Act

    The Digital Millennium Copyright Act, 17 U.S.C. 1201-05 (the "DMCA"), provides that "no person shall circumvent a technological measure that effectively controls access to a work protected under this title [the Copyright Law]," and goes on to prohibit the "manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that":

    "(A) is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to [a copyrighted work];"

    "(B) has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to [a copyrighted work]; or"

    "(C) is marketed by that person or another acting in concert with that person with that person's knowledge for use in circumventing a technological measure that effectively controls access to [a copyrighted work]."

    The DMCA defines the term "circumvent a technological measure" [to] mean[] to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner. 17 U.S.C. 1201(a). This provision of the DMCA assists licensors of digitized copyrighted works in restricting access to those who obtain access to it lawfully and are therefore entitled to decrypt the work.

    Sarbanes-Oxley Act of 2002

    Enacted in response to the high-profile Enron and WorldCom financial scandals.

    The Sarbanes-Oxley Act states that all business records, including electronic records and electronic messages, must be saved for "not less than five years." The consequences for non-compliance are fines, imprisonment, or both.


    The legislation affects the IT departments whose job it is to store a corporation's electronic records.