Lesson 24-Security and Law
Background
Computer security is like any other area of society: as it changes
our lives, laws are enacted to:
– Enable desired behaviors.
– Prohibit undesired behaviors.
Laws may have been overly restrictive, limiting business options,
such as in the area of importing and exporting encryption
technology.
In other cases, legislation is being implemented slowly and this
fact has hindered business initiatives, such as in digital signatures.
Objectives
Upon completion of this lesson, the learner will be able to:
– List laws and rules concerning importing and exporting
encryption software.
– List laws that govern computer access and trespass.
– List laws that govern encryption and digital rights
management.
– List laws that govern digital signatures.
– List computer security laws that govern privacy in various
industries.
– List laws that enforce ethical behavior.
Encryption Restrictions
Governments control encryption technology.
– The level of control varies from outright banning to little or no
regulation.
Control over import and export is a vital method of
maintaining a level of control over encryption technology in
general.
Laws and restrictions center on cryptography.
Commercial transactions and network communications
have expanded the use of cryptographic methods to
include secure network communications.
United States Law
Export controls on commercial encryption products are administered by
the Bureau of Industry and Security (BIS) of the U.S. Department of
Commerce.
Encryption protection has been accorded the same level of attention as the
export of weapons for war.
With the rise of the Internet, this position has somewhat relaxed.
– The United States updated its encryption export regulations to provide treatment
consistent with the regulations adopted by the European Union (EU).
– The member nations of the Wassenaar Arrangement agreed to remove key
length restrictions on encryption hardware and software.
– This action effectively removed “mass market” encryption products from the list
of dual-use items controlled by the Wassenaar Arrangement.
United States Law
The U.S. encryption export control policy rests on three
principles:
– Review of encryption products prior to sale.
– Streamlined post-export reporting.
– License review of certain exports of strong encryption to
foreign government end users.
U.S. rules require notification to the BIS for export in all
cases.
United States Law
The restrictions are lessened for “Mass Market” products as
defined by all of the following:
– They are generally available to the public by being sold,
without restriction, from stock at retail selling points by any of
these means:
– Over-the-counter transactions
– Mail-order transactions
– Electronic transactions
– Telephone call transactions
United States Law
The restrictions are lessened for “Mass Market” products as
defined by all of the following (continued):
– The cryptographic functionality cannot be easily changed by a user.
– They are designed for installation by a user without substantial support
by the supplier.
– Details of the items are accessible and will be provided to the
appropriate authority in the exporter's country to ascertain compliance
with export regulations.
Mass-market commodities and software employing a key length
greater than 64 bits for the symmetric algorithm must be
reviewed in accordance with BIS regulations.
Non-U.S. Laws
Export control rules for encryption technologies fall under
the Wassenaar Arrangement.
The Wassenaar Arrangement was established to contribute
to regional and international security and stability.
– It promotes transparency and greater responsibility in
transfers of conventional arms and dual-use goods and
technologies, thus preventing destabilizing accumulations.
Many nations have more restrictive policies than those
agreed upon as part of the Wassenaar Arrangement.
Digital Signature Laws
On October 1, 2000, the Electronic Signatures in Global and
National Commerce Act (E-Sign) came into force in the United States.
The existence of the E-Sign law and Uniform Electronic
Transactions Act (UETA) has enabled e-commerce
transactions to proceed.
The resolution of the technical details via court actions will
probably have little effect on consumers.
Digital Signature Laws
Non-U.S. Laws
– The UN General Assembly adopted the United Nations
Commission on International Trade Law (UNCITRAL) Model Law
on Electronic Signatures.
– These model laws have become the basis for many national
and international efforts in this area.
Digital Signature Laws
Canada
– Adopted a national model bill for electronic signatures to
promote e-commerce.
• Uniform Electronic Commerce Act (UECA) allows the use of
electronic signatures in communications with the government.
– Individual Canadian provinces have passed similar legislation.
• They define digital signature provisions for e-commerce and
government use.
Digital Signature Laws
The European Union
– The European Commission adopted a Communication on
Digital Signatures and Encryption: “Toward a European
Framework for Digital Signatures and Encryption.”
Digital Rights Management
The Digital Millennium Copyright Act (DMCA) was enacted on
October 20, 1998.
– This Act makes it illegal to develop, produce, and trade any device or
mechanism designed to circumvent technological controls used in copy
protection.
Copy protection methods are cryptographic in nature.
This provision has the potential to eliminate, or at least severely limit,
research into encryption and into the strengths and weaknesses of
specific methods.
The Digital Millennium Copyright Act (Section 1201(g)) allows
exemptions for legitimate research.
Digital Rights Management
There are specific exemptions for research, provided four
elements are satisfied:
– The person has lawfully obtained the encrypted copy,
phonorecord, performance, or display of the published work.
– Such act is necessary to conduct such encryption research.
– The person made a good faith effort to obtain authorization
before the circumvention.
– Such act does not constitute infringement under this title.
Privacy Laws
Governments in Europe and the United States have taken
different approaches to control privacy via legislation.
United States Laws
The Electronic Communications Privacy Act (ECPA) of 1986
addresses a myriad of legal privacy issues related to computers and
technology specific to telecommunications.
– Sections of this law address e-mail, cellular communications,
workplace privacy, and other electronic communication issues.
– Prohibits an employer from monitoring an employee's computer
usage, including e-mail, unless consent is obtained.
– Protects electronic communications from wiretap and outside
eavesdropping.
– Users have a reasonable expectation of privacy under the Fourth
Amendment to the Constitution.
United States Laws
The use of a warning banner typically displayed whenever a
network connection occurs serves four main purposes:
– They establish the level of expected privacy (usually none on a
business system) and serve as consent to real-time monitoring
from a business standpoint.
– The banner tells the user that their connection to the network
signals their consent to monitoring.
– Consent can also be obtained to look at files and records.
United States Laws
The Patriot Act of 2001 substantially changed the levels of
checks and balances in U.S. privacy laws.
– It extends the tap and trace provisions of wiretap statutes to
the Internet.
– It mandates technological modifications at ISPs to facilitate
electronic wiretaps on the Internet.
– It permits the Justice Department to roll out the Carnivore
program – an eavesdropping program for the Internet.
– It permits federal law enforcement personnel to investigate
computer trespass and enacts civil penalties for trespassers.
United States Laws
In 1999, the Gramm-Leach-Bliley Act (GLB), which contains
privacy provisions for individuals, affected the financial
industry.
– GLB privacy provisions include an opt-out method for
individuals.
– Some internal information sharing is required under the Fair
Credit Reporting Act (FCRA) between affiliated companies, but
GLB ended sharing to external third-party firms.
United States Laws
The Identity Theft and Assumption Deterrence Act (ITADA)
governs identity privacy and the establishment of identity
theft crimes.
It is a violation of the federal law to use another's identity
knowingly.
– The collection of information is governed by GLB, which makes
it illegal for someone to gather identity information on another
person under false pretenses.
– Student records have even further protections under the
Family Education Records and Privacy Act of 1974.
United States Laws
Fair and Accurate Credit Transactions Act of 2003 includes
identity-theft provisions.
– They are designed to be consumer-friendly.
– They include a free credit report annually.
– They require merchants to leave all but the last five digits of a
credit card number off store receipts.
– They establish a national system of fraud detection allowing
consumers to have a single number to call to receive advice,
set off a nationwide fraud alert, and protect their credit
standing.
United States Laws
Medical and health information and its privacy implications:
The U.S. Congress enacted the Health Insurance Portability &
Accountability Act (HIPAA) of 1996.
– HIPAA mandates changes in the way health and medical data
is stored, exchanged, and used.
– HIPAA restricts data transfers to ensure privacy, including
security standards and electronic signature provisions.
– It mandates a uniform level of protection for all health
information of an individual that is housed or transmitted
electronically.
United States Laws
– The standard mandates safeguards for physical storage,
maintenance, transmission, and access to individuals' health
information.
– Organizations that use electronic signatures will have to meet
standards ensuring information integrity, signer
authentication, and nonrepudiation.
– This law was designed to help users fight identity theft
through early notification of the loss of control over personal
information stored in computer systems. In other words, it is
designed to force firms to notify users whenever their personal
information has been compromised.
European Laws
The governments of Europe have developed a
comprehensive concept of privacy administered via a set of
statutes known as data protection laws.
– These privacy statutes cover all personal data, whether
collected and used by the government or private firms.
– These laws are administered by the state and national data
protection agencies in each country.
European Laws
Privacy laws in Europe focus on the concept that privacy is
a fundamental human right that demands protection
through government administration.
– The Data Protection Directive has a provision allowing the
European Commission to block transfers of personal data to
any country outside the EU.
– The EU expressed concerns about the adequacy of data
protection in the United States following the differences in
approach between the United States and the EU with respect
to data protection.
Computer Trespass
Computer trespass is unauthorized entry into a computer system
via any means, including remote network connections.
– For crimes that are committed within a country's borders, national laws
apply.
– For cross-border crimes, international laws and international treaties
are the norm.
– Enforcement actions stemming from these agreements have been
rare, with most actions employing national laws where applicable.
Computer Trespass
Computer trespass is a crime in many countries.
National laws exist in many countries, including the EU,
Canada, and the United States.
– These laws vary by state, but they all have similar provisions
defining the unauthorized entry into, and use of, computer
resources as a crime.
Convention on Cybercrime
– The product of four years of work by the Council of Europe,
United States, Canada, Japan, and other countries.
– The convention is similar to a draft treaty.
Computer Trespass
Convention on Cybercrime
– Pursues a common criminal policy aimed at protecting the
society against cybercrime by adopting legislation and
promoting international cooperation.
– The convention deals with infringements of copyright,
computer-related fraud, child pornography, and violations of
network security.
Ethics
Sarbanes-Oxley Act of 2002
– It targets a series of financial reporting irregularities at the highest
levels of corporate leadership.
– Although it is aimed at the senior executive’s abuse of financial
reporting systems, these systems are major IT components of a firm.
– Note: The inclusion of IT in its scope has become a de facto standard.
Sarbanes-Oxley Act of 2002
– Should tampering occur with the electronic records that maintain a
company’s ability to perform accurate financial reporting, a
violation of this statute may result.
Ethics
Sarbanes-Oxley has ramifications through the chain of
information used to report the current state of corporate
financial condition.
– Controls and oversight over all processes used to produce
financial reports must include aspects of the Enterprise Resource
Planning (ERP) software and the business processes surrounding
how it performs its specific functions in the enterprise.
– Validation of results from this process is subject to review, and
given the complexity of the process, reviews and audits of IS
processes can be used for monitoring compliance.