
Information Security
Laws

the Gramm-Leach-Bliley Act (GLBA)

purpose
type

The Health Insurance Portability and Accountability Act (HIPAA)

fine
purpose

section
Sarbanes-Oxley Act
Licensing

Safeguards Rule
Financial Privacy Rule
Pretexting Protection

purpose
type
End-user license agreement (EULA)

Equipment-specific and Site Licenses

GPL and Open Source Licenses

Piracy and related issues in Copyright law

The Digital Millennium Copyright Act (DMCA)

The Privacy Rule
The Security Rule
Licensing
definition
purpose
example
definition
purpose
example
definition
purpose
example
definition
purpose
example
definition
purpose
example

contract

Electronic Contract
Computer crime

types of crimes

Civil law

Criminal law

Intellectual property law

Copyright

Offer, Acceptance, Consideration.
definition
structure
trespass
Illegal interception without authority
Interference with computer data without authorization
Interfering with a system without authorization
child pornography
Industrial espionage
Harassment
Electronic Fraud
cyber vandalism
Theft of commercial documents
definition
purpose
example
definition
purpose
example
definition
purpose
example
UK law: Copyright, Designs and Patents Act 1988
limited monopoly
Fair Use
Section 107 of the Act

four factors used in determining fair use
Copyright and Fraud: Plagiarism
definition
Confidence
Design rights
Domain names
Moral rights
Performance rights
Patents

definition
purpose
example
Patent Infringement
primary types of patents: Utility patents
Design Patents
Plant Patents
innovation patent

Passing off
Trademarks

definition
purpose
example
Service Mark

Collective Mark

definition
example
definition
example
definition
example
definition
example

definition
purpose
example
definition
purpose
example

Certification Mark

Service Mark and Trade Dress

Import/export Laws

definition
purpose
example
definition
purpose
example

Trademark Eligibility:
The applicant's name
A name and address required for correspondence
An apparent depiction of the mark
A list of the goods or services provided
Trademark Infringement: Trademark Act of 1946 (§ 1114, § 1125)
Document Management
definition
purpose
example
Minimum Document Retention
Guidelines
Electronic Espionage
definition
purpose
example
definition
purpose
example
The Uniform Computer Information Transactions Act (UCITA)
definition
purpose
example
cryptography

encryption law
Tier 3 countries
Tier 4 countries
Liability

Privacy law

definition
purpose
example
standard
Upstream liability
Downstream liability
Spamming
Sexual Abuse of Children in Chat Rooms
Child Pornography
Harassment
Identity Fraud
definition
purpose
example
Electronic Communications Privacy Act of 2000
The Privacy Act of 1974, 5 U.S.C. 552a
The Fair Credit Reporting Act (FCRA)
The Federal Right to Privacy Act (1978)
The Video Privacy Protection Act of 1988
The Cable Communications Policy Act of 1984

PCI-DSS
COBIT

The Equal Credit Opportunity Act (ECOA)
The Family Educational Rights and Privacy Act (FERPA) of 1974
Defending the confidentiality

Monitoring employees

Transborder data flow


definition
purpose
example

US law

physical security,
computer and network security,
the security of the network infrastructure,
the proper training of employees.

Real-time interception from monitoring the network and systems,
Keystroke recorders, and e-mail monitoring,
Court order,
Court issued Subpoena,
Review of log files,
Transactional data,
System usage history, and
Intrusion Detection Systems and Firewalls
Wiretap Act, 18 U.S.C. 2511
Access to Stored Electronic Communications, 18 U.S.C. 2701
Wire Fraud Act, 18 U.S.C. 1343
Trafficking in Fraudulent Access Devices, 18 U.S.C. 1029
Computer Fraud and Abuse Act, 18 U.S.C. 1030

Litigation support

definition
purpose
example
The litigation process of discovery

The U.S. Courts Federal Court

definition
purpose
example
definition of discoverable material
Early Attention to Electronic Discovery Issues
Format of Production
Electronically Stored Information from Sources that Are Not Reasonably Accessible
Asserting Claim of Privilege or Work Product Protection After Production
Safe Harbor Provisions

Elements of Investigations

Incident handling and response

the effective management
issues that need to be addressed by management:
The development of an incident response function within the organization,
The actual response to an incident and how it is handled, and
The successful recovery and learning process that follows after the incident.
Ensuring that policies and processes exist and are effective,

Rule 26(a)(1)(B)
Rule 16(b)(5)
Rule 26(b)(2)(i), (ii), and (iii)
Rule 26(b)(5)
Rule 37(f)

Ensuring that staff are available and trained in a manner that allows them to successfully respond,
Ensuring that the proper authority and chain of command has been decided before the incident occurs, and
Ensuring that the incident team has the necessary equipment and software.
contracts and other agreements with third parties need to incorporate incident response processes

steps

Incident Response Procedures

Acceptable SLA targets

Liability of the contracting parties
Regulatory requirement satisfaction
Access control requirements
Right to audit or contract an audit
Right to monitor activity and suspend accounts
Escalation procedures and contacts
Maintenance responsibilities
1. preparation of the system;
2. identification of the problem;
3. containment of the problem;
4. eradication of the problem;
5. recovering from the incident
6. the follow-up analysis.

types of information that should be logged:
1. Dates and times of incident-related phone calls.
2. Dates and times when incident-related events were discovered or occurred.
3. Amount of time spent working on incident-related tasks.
4. People you have contacted or who have contacted you.
5. Names of systems, programs or networks that have been affected.
dimensions to preparation:
Personnel,
Policy and procedure,
Software and hardware,
Data and communications,
Power and environmental controls,
Transport,
Room to operate
Documentation
Incident response teams (CSIRT)
Evidence preservation
Document file names, dates, and times on the system and create a timeline
Chain of Custody
Digital Forensics
Identify and articulate probable cause necessary to obtain a search warrant and recognize the limits of warrants.
Locate and recover relevant electronic evidence from computer systems using a variety of tools.

Dos and Don'ts

sources of evidence

Recognize and maintain a chain of custody.
Follow a documented forensics investigation process.
Ask questions
Document methodically
Operate in good faith
Don't get in too deep
Decide to investigate
Treat everything as confidential
File it
Computer Based Information
Photographs, Maps and Charts
Internal Correspondence and email
Legal and Regulatory Filings
Company Intranet access and Publications
Formal meeting minutes or transcripts
Casual conversations
Conversations at trade shows and events.
private personnel record
Home addresses
Home phone number
Names of spouse and children
Employees salary
Social security number


Medical records
Credit records or credit union account information
Performance reviews
Documentation
SMART methodology: Specific, Measurable, Achievable, Realistic, Time-based
Interviewing and fact-finding
goal:
Establish rapport
Stress that the interview is seeking only the truth
Listen carefully
Evaluate the interviewee's responses to the questions with care
Take first-rate notes
Remain objective and composed
list:
Interviewees - who was to be interviewed
The order of the interviews
How much time has been allotted per interview
Classify the interviewees (such as by complainant, witness, subject)
Research and list the allegations that pertain to each interviewee and the relevant facts for each of these


Write out the questions you intend to ask beforehand.
The number of interviewers that will be present
A topic outline
phase:
Phase 1: Introduction
Phase 2: Build Rapport
Phase 3: Questioning
Phase 4: Summarize
Phase 5: Close
problem:
1. Uncooperative interviewees
2. Refusal to comply
3. Intimidation from either party
4. Requests for other attendees at an interview
5. A loss of impartiality
6. Reprisal
7. Requests for advice from interviewees
technique:
Sworn Statement or Declaration
Verbatim (such as a tape recording)
Results of Interview (Record of Interview)
Video and Teleconference Interviews
Searches and Warrants (and the 4th Amendment)
Anton Piller (Civil Search)
Professional Ethics

definition
purpose
example


examples of principles
Mission, Vision and Values Statements

The Mission Statement

What do we do and why?

How do we do it?
For whom do we do it?
Provides a "reason for being".
Provides clarity and focus and makes choices.
Is clear and concise.
Should be accepted by the wider organization.
Helps guide people into doing the right thing.
The Vision Statements
A plan for the future,
A source of inspiration,
The place to go when in need of clear decision-making criteria,
The source to ensure that policy aligns with the destination set by the organization.
commitment:
It creates a sense of desire and builds commitment.
Paints the ideal future.
Is an expression made in terms of hope.
Is united with the values of the organization.
A Statement of Values
Code of Ethics Preamble
Code of Ethics Canons
encourage:
Research
Teaching
Identifying, mentoring, and sponsoring candidates for the profession
Valuing the certificate
discourage:
Raising unnecessary alarm, fear, uncertainty, or doubt
Giving unwarranted comfort or reassurance
Consenting to bad practice
Attaching weak systems to the public network
Professional association with non-professionals
Professional recognition of or association with amateurs
Associating or appearing to associate with criminals or criminal behavior

Interpreting Policy as a Security Professional - Ethics

Protect society, the commonwealth, and the infrastructure
Act honorably, honestly, justly, responsibly, and legally
Provide diligent and competent service to principals
Advance and protect the profession
Vision statements
Mission statements
Doctrine or Core values


The 10 Commandments of IT Security

Frequent internal writings on related topics
Awareness sessions
Thou shalt not use a computer to harm other people.
Thou shalt not interfere with other people's computer work.
Thou shalt not snoop around in other people's computer files.
Thou shalt not use a computer to steal.
Thou shalt not use a computer to bear false witness.
Thou shalt not copy or use proprietary software for which you have not paid.
Thou shalt not use other people's computer resources without authorization or proper compensation.
Thou shalt not appropriate other people's intellectual output.
Thou shalt think about the social consequences of the program you are writing or the system you are designing.
Thou shalt always use a computer in ways that insure consideration and respect for your fellow human being.


Human Resource (HR) Issues

Terms and Conditions of Employment - Employment Letters / Contracts
Employee Confidential Information Undertaking documents
policies on Intellectual Property Rights
Sharing Employee Information
Induction Training
Disciplinary Process
Grievance Procedure
Exit Interviews
Information Security Clearance Levels

Compliance with legal requirements
