
Cybersecurity Standards and Law



Cybersecurity Standards

Standard security frameworks emerge from the need to bring order to a potentially chaotic information systems environment. Some security architecture models are a part of the computer hardware and software you buy, and some are implemented as policies, standards and practices. All standards and frameworks strive to ensure that IT security is well understood and adequately managed.

In addition to security standard frameworks, organizations will often compare their security program to others in the same industry, and share best practices through formal and informal peer groups and information sharing groups. In financial services, the Financial Services Information Sharing and Analysis Center (FS-ISAC) is a good model for the successful sharing of industry-relevant information around physical and cybersecurity threats and vulnerabilities. FS-ISAC was established in 1999, in response to Presidential Directive 63. Financial services is one of the sixteen critical infrastructure sectors defined by Presidential Policy Directive 21 (PPD-21).

The Trusted Computer System Evaluation Criteria (TCSEC) is a U.S. Department of Defense (DoD) standard architecture model that defines criteria for assessing the access controls in a computer system. Referred to as The Orange Book, it has restricted use due to its mainframe and defense orientations. It deals primarily with ensuring confidentiality while overlooking integrity and availability. The Trusted Network Interpretation and the Trusted Database Management System Interpretation were added to cover network-specific security issues and database security aspects. TCSEC defines a trusted computing base (TCB) as the combination of hardware, firmware, and software responsible for enforcing a security policy.

Module 8: Cybersecurity Standards and Law


TCSEC suggests four basic classes that are ordered in a hierarchical manner. Class D is the lowest level security evaluation. There is no security or minimal protection at this level. Class C specifies discretionary protection, while Class B specifies mandatory protection. Class A specifies verified protection.

The Information Technology Security Evaluation Criteria (ITSEC) is the European equivalent of the TCSEC. Its purpose is to demonstrate conformance of a product or a system (target of evaluation) against threats. It considers the evaluation factors to be functionality and the assurance aspects of correctness and effectiveness. Functionality refers to enforcing functions of the security targets, which can be individually specified or enforced through predefined classes. Evaluation of correctness assesses the level at which security functions can or cannot be enforced. Evaluation of effectiveness is a measure as to whether the security enforcing functions and mechanisms of the target of evaluation satisfy the security objectives.

ITSEC has largely been replaced by Common Criteria (CC). CC is an effort of international harmonization on information systems security standards. It is a means to select security measures and evaluate the security requirements. In many ways, it provides a taxonomy for evaluating functionality. It includes eleven functional classes of requirements, which are further divided into 66 families of criteria.

CC has gained significant importance in the industry, especially as a means of defining the security needs of users. However, there are some inherent deficiencies in it. First, CC lacks clarity in defining a product, target of evaluation, or a target of evaluation security function. It also lacks a proper definition of threats and their characterization. It even makes specification of security policies optional. Finally, it does not clearly provide details as to how the security requirements should be specified.


The Control Objectives for Information and Related Technology (COBIT) model provides advice about implementation of controls and control objectives for information security. COBIT was released by ISACA in 1996, and is a business framework for the governance and management of IT. It is composed of 34 high-level objectives, spanning 215 control objectives. Many organizations with compliance programs use the COBIT model.

The Information Technology Infrastructure Library (ITIL) is similar to COBIT. ITIL is focused on managing service levels of IT systems, whereas COBIT aligns business goals and risk management with IT goals and processes. Organizations that want to develop more specific security controls often turn to the ISO/IEC 27000 series of standards.

ISO/IEC 27002 (previously ISO 17799) was initially developed from BS7799, part 1. It is an international standard that sets out best practice requirements for information security, and is one of the main IS security standards. ISO/IEC 27002 provides best practice recommendations on information security management for use by those responsible for initiating, implementing or maintaining information security management systems (ISMS). The standard contains twelve main sections; within each section, security controls and their objectives are specified and outlined.

ISO/IEC 27001 was initially developed from BS7799, part 2. It defines the specifications for an Information Security Management System (ISMS). The standard contains twelve main sections; within each section, security controls and their objectives are specified and outlined. ISO/IEC 27002 is an advisory standard, which should be interpreted and applied to all types and sizes of organizations according to the particular information security risks they face. This flexibility gives users a lot of latitude to adopt the information security controls that make sense to them, but makes it unsuitable for the relatively straightforward compliance testing implicit in most formal certification schemes. On the other hand, ISO/IEC 27001 is a certifiable standard. ISO/IEC 27001 specifies a number of firm requirements for establishing, implementing, maintaining and improving an IS management system, and lists 133 information security controls that organizations are encouraged to adopt where appropriate within their ISMS. The controls are derived from and aligned with ISO/IEC 27002. These renumbered standard security models are some of the most widely referenced today by security professionals.

One source of public domain management models is the National Institute of Standards and Technology (NIST) Computer Security Resource Center.


“NIST Special Publication 800-12, Computer Security Handbook,” is an excellent reference, but offers little help with the design and implementation of new security systems. “NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems,” covers recommended practices and common information security principles. “NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems,” is a widely used publication with details on the assessment, design and implementation of security controls. “NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems: Building Effective Security Assessment Plans,” replaces SP 800-26 and provides a systems development life cycle approach to security assessments. Finally, “NIST SP 800-30, Risk Management Guide for Information Technology,” provides a good overview for developing an effective risk management program.

Figure 1. NIST Risk Management Framework. Retrieved from http://www.nist.gov/

The Federal Information Processing Standard, FIPS 199, is a U.S. government standard that establishes categories of information systems. Along with “FIPS 200, Minimum Security Requirements for Federal Information and Information Systems,” these two NIST standards form the minimum security requirements under the Federal Information Security Management Act (FISMA).


The International Telecommunication Union (ITU) has developed a standard security architecture for open systems interconnection (OSI) applications. The standard, ITU-T X.800, establishes a framework for applying security concepts to attacks on information systems and networks. It defines a security attack as any action that compromises the security of information systems. A security mechanism is defined as any control that is designed to detect, prevent or recover from an attack. A security service is defined as any service that enhances the security of data processing systems and the information transfers of an organization. Security services make use of one or more security mechanisms, and are intended to counter the five categories of attacks: destruction, corruption, removal, disclosure, and interruption.

Figure 2. ITU-T X.800 provides a threat model that describes 5 categories of attack. Retrieved from http://www.itu.int/

These security services are broken up into eight categories: access control, authentication, non-repudiation, data confidentiality, communication security, data integrity, availability, and privacy.


Figure 3. IT Security Services are broken up by ITU-T X.800 into 8 categories. These processing or communications services give specific protection for attacks against confidentiality, integrity and availability. Retrieved from http://www.itu.int/

There are several miscellaneous standards and guidelines that are worth mentioning. RFC 2196 Site Security Handbook is a framework to develop computer security policies and procedures. It provides practical guidance to system and network administrators on security issues with lists of factors and issues that a site must consider in order to have effective security. “ISO/IEC TR 13335 Guidelines for the Management of IT Security” (GMITS) is a technical report that covers IT security rather than IS security. Generally Accepted Information Security Principles (GAISP) intends to develop a common international body of knowledge on security and aims to enable a self-regulated information security profession. The OECD Guidelines for the Security of Information Systems aim to help in the development and implementation of coherent measures, practices, and procedures for the security of information systems.


Laws and Regulations

The government helps to identify and fill gaps that cannot be met through industry best practices and self-regulation. In particular, laws and regulations are used to address crimes that leverage technology in a unique way. In some cases, organizations are forced to comply with regulations; hospitals must be compliant with healthcare regulations, and banks with financial regulations. Legal compliance can drive improvements in security, but it is often said that compliance sets the floor and not the ceiling, as far as security best practices are concerned.

The following are some examples of the types of activities laws seek to regulate:

Child protection
Cybercrime
Espionage
Fraud
Identity theft
Internet commerce and competition
Liability and safety
National security
Privacy
Theft of intellectual property

It can take a number of years for new legislation to be instituted in order to adequately address a new technology. For example, eavesdropping may still be covered under wiretapping laws, because these laws can be interpreted and applied to the interception of digital communications. On the other hand, the Internet opened up new avenues for the theft of intellectual property and copyrighted material, so the Digital Millennium Copyright Act (DMCA) was developed.

The DMCA is a U.S. law that criminalizes the production and distribution of tools that circumvent digital rights management (DRM) on copyrighted material, such as music and movies. This law was a response to a growth in computer technology and the Internet as methods of pirating copyrighted materials and sharing them on peer-to-peer networks. Because new peer-to-peer technologies were advancing rapidly, the copyright holders, represented by groups such as the Motion Picture Association of America (MPAA) and the Recording Industry Association of America (RIAA), were unable to develop technology fast enough to keep up. This is an example of the federal government stepping in to address a gap that standards and industry self-regulation could not remedy alone. This regulation opened the door for many lawsuits, as well as groups such as the Electronic Frontier Foundation (EFF), who argued that the DMCA did little to actually prevent piracy.


The DMCA was based on the World Intellectual Property Organization (WIPO) Copyright Treaty of 1996. The treaty was open to very broad interpretation, and led to laws like the DMCA and the European Union Copyright Directive (2001).

Another U.S. law that was intended to protect against offensive and pornographic material that was widely available on the Internet was the Communications Decency Act (CDA) of 1996. It was intended to regulate indecency on the Internet and protect children. CDA was another broad-brush measure aimed at providing a regulatory means of addressing a problem that arose from the rapid introduction and growth of new technologies, namely computers and the Internet. It was opposed by groups such as the American Civil Liberties Union (ACLU) on the grounds that it infringed on the free speech of adults. CDA was struck down in 2006 by a U.S. Supreme Court decision.

CDA led to the Child Online Protection Act (COPA), which attempted to protect children from obscene material online. It was never implemented; however, other laws were passed, such as the Children’s Online Privacy Protection Act of 1998 (COPPA), which limits the information companies can collect on minors, and the Children’s Internet Protection Act of 2000 (CIPA), which requires K-12 schools to use Internet filters to protect children from certain categories of material, such as obscene and pornographic material.

The Computer Fraud and Abuse Act (CFAA) was passed in 1984. It is aimed at protecting classified information, financial records, and credit information stored within federal government computers. The definition of "federal computers" was later amended and extended to include all computers involved in interstate and international commerce, whether or not the U.S. government had a vested interest in a given computer or storage device.

The CFAA defines the legal elements of computer fraud as: acting knowingly and with intent to defraud; accessing a protected computer without authorization, or exceeding authorization; and obtaining anything of value other than minimal computer time.


The Computer Security Act (CSA) was passed in 1987. It is aimed at standardizing and tightening security controls on computers in use throughout the federal government and its contractors, and training its workforce to maintain appropriate security levels.

There are four major requirements in the CSA. First, it requires the identification of systems and the establishment of security plans. Second, it requires mandatory periodic training in computer security awareness and accepted computer security practices. Third, it requires the National Institute of Standards and Technology (NIST) to establish a computer standards program to develop standards and guidelines to control loss and unauthorized modification or disclosure of sensitive information and to prevent computer-related fraud and misuse. Finally, it requires the establishment of the Computer System Security and Privacy Advisory Board within the Department of Commerce. CSA was superseded by the Federal Information Security Management Act (FISMA).

FISMA was passed in 2002. It is aimed at mandating that federal organizations establish a framework that facilitates the effective management of security controls in their IT domain.

FISMA has four components. First, it requires the Chief Information Officer of each federal agency to define and implement an information security program. Second, it requires all impacted agencies to report their compliance with the requirements at regular intervals. Third, it holds IT executives accountable for the management of a security policy. Fourth, it makes the Office of Management and Budget responsible for the creation of policies, standards, and guidelines that each agency must adhere to in their information security program.

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996. It is aimed at improving Medicare under titles XVIII and XIX of the Social Security Act and enhancing the efficiency and effectiveness of the healthcare system through the development of a health information system with established standards and requirements for the electronic transmission of health information.

There are five major areas of HIPAA regarding personal history information (PHI) privacy and security. The first is the standardization of electronic patient administrative and financial data. The second is the establishment of unique identifiers for providers, health plans, and employers. The third area makes changes to most healthcare transaction and administrative information systems. The fourth area deals with privacy regulation and the confidentiality of patient information. Finally, the fifth is technical practices and procedures to ensure data integrity, security, and availability of healthcare information.


The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA PATRIOT Act) was passed in 2001. It is aimed at equipping law enforcement agencies with the tools necessary to investigate and apprehend people that are suspected of planning or carrying out terrorist acts.

The USA PATRIOT Act covers a wide range of topics. First, the law broadens the category of things that can be subpoenaed. Second, it extends a previous rule by allowing ISPs to disclose the content of electronic communication when there is fear of physical threat to people without prior notification to the user. Third, it includes Internet communication in the types of things for which surveillance can be undertaken using pen and trap methods. Fourth, it protects ISPs from prosecution for assisting with wiretaps/surveillance of electronic communication. Finally, it extends and clarifies some of the key points of the CFAA.

The Public Company Accounting Reform and Investor Protection Act (a.k.a. the Sarbanes-Oxley Act or SOX) was passed in 2002 in the wake of the Enron and WorldCom financial scandals. It is aimed at strengthening corporate governance of enterprise financial practices.

SOX covers five major areas. They are as follows:

External audit oversight and standards
Internal audit committee responsibility
Executive management accountability
Financial disclosure strengthening
Criminal penalty for violations

The right to privacy is strongly defended in Europe, as demonstrated by the European Union (EU) Data Privacy Directive (Directive 95/46/EC). This directive regulates the processing of personal data. It goes further than the sectoral approach taken by the United States, which is more laissez-faire and involves industry standards and self-regulation. The U.S. approach protects free speech, and interprets privacy as an implicit constitutional right. The EU takes a stronger stance on the unchecked use of personal information. As companies do business globally, they must comply with laws and regulations in many jurisdictions. This means identifying legal and compliance subject matter experts to protect their interests as they operate globally.


Ethical and Cultural Issues

Security standards and best practices provide a framework for developing a cybersecurity program. When standards and self-regulation are insufficient, the government may institute laws and regulations to govern the use of technology. However, even all of these standards and laws cannot keep up with the pace of technological change or its myriad uses. Standards and laws serve a broad role, but it is up to the cybersecurity professional to interpret and apply them in an ethical manner.

The cybersecurity professional must make decisions based on:

Business objectives
Industry standards and best practices
Legal and regulatory compliance
Ethical and cultural considerations

While there are many regulations that apply to information protection and privacy, they only provide high-level direction and fail to prescribe technologies and detailed plans for implementation. The cybersecurity or IT professional must understand how their choices can affect the organization and make ethical choices in how they use technology and apply data protection.

We live in a highly connected world, where data is at our fingertips. This is a marked change from how most of us lived and worked in the 20th century. Data is being collected about ourselves, our employees, and our customers. All of this information can provide a competitive advantage in the business world. However, along with this information comes the risk that it can be misused. Additionally, with large data sets and complex computer programs, it can be easy to make a clerical error during data entry, or when writing computer code, and simple errors can have a significant impact. For example, a typo could affect an individual’s credit score, and because of that they may fail to secure an educational loan or home mortgage. Programming errors can open the door for attacks by cybercriminals, exposing your personal and financial information.


Acting ethically, as an information technology or security professional, involves:

Maintaining privacy and confidentiality.
Obeying laws and regulations.
Acting in the best interest of your employer.
Working within the boundaries of your job description.
Notifying your employer of any breach or ethical concern.
Performing your due diligence to minimize mistakes and programming errors.
Respecting intellectual property rights.

Despite the potential for conflict, these four ethical frameworks should complement one another. However, when the conclusion is difficult to ascertain, there is one additional framework that can be employed, that of principlism. The application of normative principles can help to sort through a complex dilemma. The following are complementary and derived from the four frameworks previously discussed:

Autonomy
Non-maleficence
Beneficence
Justice

Autonomy involves respect for the individual, and respect for their choices which do not contradict the other normative principles. Non-maleficence basically involves not taking actions that harm others. Beneficence is the principle of being willing to help others, when their need is justified and you have the ability. Justice is the principle of fairness, equity and impartiality.

Another factor that influences ethical decision-making is the appreciation of cultural differences that influence the values and viewpoint of different groups. This is particularly relevant when dealing with diverse and global groups, where people are affected by different laws and societal influences.

The application of ethics is a three-step method:

Start by evaluating your ‘gut feeling’.
Test against utility, duty, rights and normative principles.
Consider legal and regulatory requirements and cultural context.


Utility has to do with feelings of happiness or pleasure when doing something right and feelings of unhappiness or displeasure when doing something wrong. Duty is an action, or an act, that is required by moral obligation. For example, if you witness something illegal or improper happening, it is your duty to report it. Rights are what is due to you based on ethical principles, and also what is due to others. Normative principles involve the attempt to answer specific moral questions about what people should do or believe.

When we consider different scenarios and dilemmas, we make better ethical decisions. There are many opportunities in our work and personal lives to make ethical decisions about the use of information. Some examples include:

How we protect privacy data of others and our own
How we log and monitor employees
How we manage intellectual property that belongs to our employer
How we consume digital media, where others own the copyright
Freedom of speech on the Internet

IT administrators and security professionals tend to have greater access to information than others, which means they have a responsibility to be good stewards of this data. They need to protect its confidentiality, integrity and availability. It could be an easy thing for an email administrator to read an executive’s email, for example, but it is pretty clear it would be unethical and an invasion of privacy.

This brings up an important consideration for IT staff: Who watches the watchers? IT and security professionals need to not only make ethical decisions, but they must not give others cause to doubt their integrity. Ethical behavior involves not only practice but perception, and whether your job is in law enforcement, computer programming or computer security, you need to set an example so that others can see you not only enforce rules, but also follow them. This is a key component of an overall awareness program to educate end users on the proper and ethical use of the organization’s data and systems, and inculcate a culture of security.

Another area where ethics come into question is in counterintelligence and nation-state warfare. It seems much more evident that an individual is behaving unethically if they attack systems belonging to another person, organization or nation. Even organizations that retaliate against attackers, or who lure in attackers with the intention of entrapment, are probably crossing the line. When is it appropriate for law enforcement, military groups or nation-states to attack another group: as retaliation or preemptively?

One recent example is the Stuxnet cyber-attack on Iran. This was a case where sophisticated computer code was developed and deployed, anonymously and from a distance, against targets in another country. The fact that cyber-attacks can be asymmetric and anonymous makes them different from conventional warfare. Also, the distance and dissociative nature of cyber-attacks can make it difficult to ensure that no harm comes to non-combatants.


Professionalizing the Cybersecurity Workforce

There is a growing global demand for cybersecurity professionals. Information technology is vital to commerce and communication, and at the same time, threats are becoming more sophisticated and widespread. Threats against corporations put intellectual property at risk. Threats against consumers put privacy and identity at risk. Cybercriminals attack targets for profit; terrorists attack a nation’s critical infrastructure.

Cybersecurity positions can encompass different roles and require different skill sets. The National Initiative for Cyberspace Careers and Studies (NICCS) defines 31 common specialty areas of cybersecurity work. These different specialty areas may require different training and education, as well as certifications. In order to plan for the anticipated capacity and capabilities, and develop the necessary skills in the cybersecurity workforce, efforts are being made to formalize the career paths available to cybersecurity professionals.

Today, there are many educational degree and certificate programs in the field of cybersecurity. In addition, there are many educational opportunities available from information security training providers which develop skills, such as the SANS Institute, Global Information Assurance Certification (GIAC) and (ISC)². Training and certification may be required for jobs in certain industries or the government sector, and may lend credibility to a person’s background when they must testify in court as an expert witness or when they work with law enforcement.

In addition to developing technical and professional skills and maintaining their currency through ongoing training and certification, the cybersecurity professional has a responsibility to abide by a standard code of ethics and professional conduct as they represent their profession. One way that professionals can demonstrate this is by membership in technical and professional societies that have a code of ethics. Other ways the cybersecurity professional can contribute to the profession and demonstrate their commitment is by serving on industry boards and committees, helping to organize training and conferences, and through writing, teaching, and speaking on cybersecurity topics.


Module Summary

Cybersecurity standards provide a framework of rules and best practices to follow to protect the confidentiality, integrity and availability of data and systems. These standards are applied based on the business context and regulatory environment. The cybersecurity professional is responsible for developing and implementing security policy in a consistent and ethical manner. This is especially important when dealing with legal and cultural issues that vary from state to state, and country to country. In order to maintain skills, cybersecurity professionals develop themselves through training, certification and participation with professional societies and groups, and abiding by a code of ethics and professional behavior.

References

Department of Homeland Security. (n.d.). National Initiative for Cyberspace Careers and Studies. Retrieved from http://niccs.us-cert.gov/training/tc/framework/specialty-areas

Electronic Frontier Foundation. (n.d.). Digital Millennium Copyright Act. Retrieved from https://www.eff.org/issues/dmca

Financial Services Information Sharing and Analysis Center. (2013). Retrieved from https://www.fsisac.com/

ITU. (2013). The International Telecommunication Union. Retrieved from http://www.itu.int/en/Pages/default.aspx

NIST. (2013, September 15). Computer Security Division, Computer Security Resource Center. Retrieved from http://csrc.nist.gov/

U.S. Department of Justice. (n.d.). The USA PATRIOT Act: Preserving life and liberty. Retrieved from http://www.justice.gov/archive/ll/highlights.htm