CSCI-618: Information Security

Risk Management and Legal

Issues
Objectives

■ Identify the types and targets of computer crime

■ Summarize the major types of attacks performed by
cyber criminals
■ Understand the context of the computer in the legal
system
■ Appreciate the complexities of intellectual property law

© Pearson Education 2014, Information Security: Principles

and Practices, 2nd Edition 2
Objectives (cont.)

■ Discuss the issues surrounding computer security and

privacy rights
■ Articulate the challenges of computer forensics
■ Recognize ethical issues related to information
security

© Pearson Education 2014, Information Security: Principles

and Practices, 2nd Edition 3
Introduction

■ IS specialists need to keep up with the latest laws, codes of

ethics, and other rules governing the use of information
technology
■ The speed of technological change outstrips the speed at
which our governing bodies can create applicable laws
■ This gap makes the IS specialist’s role even more critical

© Pearson Education 2014, Information Security: Principles

and Practices, 2nd Edition 4
Types of Computer Crime

■ The 2020 Verizon Data Breach Investigations report revealed

that
❑ 5 - 10 trillion cost of cyber crime by 2025
❑ 63% of attacks are driven by financial motives
❑ It took on average 8 month for organization to detect a cyber breach
❑ It wook ~ 10 seconds for organizations to fall victim for a ransomware
attack

© Pearson Education 2014, Information Security: Principles

and Practices, 2nd Edition 5
Types of Computer Crime (cont.)

■ Major categories of computer crimes

❑ Military and intelligence attacks
❑ Business attacks
❑ Financial attacks
❑ Terrorist attacks
❑ Grudge attacks
❑ Thrill attacks

© Pearson Education 2014, Information Security: Principles

and Practices, 2nd Edition 6
How Cyber Criminals Commit Crimes

■ Most prevalent types of computer crimes

❑ Denial-of-Service (DoS) attacks
❑ Rogue code
❑ Software piracy
❑ Social engineering
❑ Dumpster diving
❑ Spoofing of Internet Protocol addresses
❑ Emanation eavesdropping
❑ Embezzlement
❑ Information warfare

© Pearson Education 2014, Information Security: Principles

and Practices, 2nd Edition 7
The Computer and the Law

■ Three branches of the legal system

❑ Legislative branch (Congress and Senate)
■ Statuary law, referred to as session law
❑ Administrative branch
■ Administrative law, also referred to as natural justice
■ Disputes are resolved before an administrative tribunal, not a court
❑ Judicial branch
■ Common law

© Pearson Education 2014, Information Security: Principles

and Practices, 2nd Edition 8
The Computer and the Law cont.

■ Three primary categories in common law

❑ Civil law: Compensates individuals who were harmed through
wrongful acts known as torts
■ Does not involve imprisonment only fines
❑ Criminal law: Punishes those who violate government laws and harm
an individual or group
■ Involves imprisonment in addition to fines
❑ Regulatory law: Regulates the behavior of administrative agencies of
government
■ Can exact both financial penalties and imprisonment

© Pearson Education 2014, Information Security: Principles

and Practices, 2nd Edition 9
Intellectual Property Law
■ Besides copyright protection, designed to protect the distribution and reproduction
rights of the owner, intellectual property law includes several other categories:
❑ Patent law
■ Patents grant an inventor the right to exclude others from producing or using the inventor’s
discovery or invention for a limited period of time
■ Patents are good for 17 years in the USA
■ Patents are given to software
❑ Trademarks
■ Trademarks are any word, name, symbol, or device, or any combination thereof that the
individual intends to use commercially and wants to distinguish as coming from a unique source
❑ Trade secrets
■ A trade secret is a patent in process, an embryonic but unofficial and legally unprotected idea

© Pearson Education 2014, Information Security: Principles

and Practices, 2nd Edition 10
Privacy and the Law

■ Fair Information Practices in the Electronic Marketplace (source: the Federal Trade
Commission’s May 2000 report)
❑ Notice/awareness
■ Web site should tell the user how it collects and handles user information
❑ Choice/consent
■ Web sites must give consumers control over how their personally identifying information is used
❑ Access/participation
■ Users would be able to review, correct, and in some cases delete personally identifying
information on a particular Web site
❑ Security/integrity
■ Web sites must implement policies, procedures, and tools that will prevent unauthorized access
and hostile attacks against the site

© Pearson Education 2014, Information Security: Principles

and Practices, 2nd Edition 11
International Privacy Issues

■ The International Safe Harbor Principles

❑ Notice
■ Companies must notify individuals what personally identifying information they are collecting,
why they are collecting it, and how to contact the collectors
❑ Choice
■ Individuals must choose whether and how their personal information is used by, or disclosed to,
third parties
❑ Onward transfer
■ Third parties receiving personal information must provide the same level of privacy protection as
the company from whom the information is obtained
❑ Security
■ Companies housing personal information and sensitive data must secure the data

© Pearson Education 2014, Information Security: Principles

and Practices, 2nd Edition 12
International Privacy Issues (cont.)

■ The International Safe Harbor Principles cont.

❑ Data integrity
■ Companies must reassure individuals that their data is complete, accurate,
current, and used for the stated purposes only
❑ Access
■ Individuals must have the right and ability to access their information and
correct, modify, or delete any portion of it
❑ Enforcement
■ Each company must adopt policies and practices that enforce the
aforementioned privacy principles

© Pearson Education 2014, Information Security: Principles

and Practices, 2nd Edition 13
Privacy Laws in the United States

■ 1970 U.S. Fair Credit Reporting Act: Regulates the activities of credit
bureaus
■ 1986 U.S. Electronic Communications Act: Protects the confidentiality of
private message systems through unauthorized eavesdropping
■ 1987 U.S. Computer Security Act: Improves the security and privacy of
sensitive information in federal computer systems
■ 1996 U.S. Kennedy-Kassenbaum Health Insurance and Portability
Accountability Act (HIPAA): Protects the confidentiality and portability of
personal health care information

© Pearson Education 2014, Information Security: Principles

and Practices, 2nd Edition 14
Privacy Laws in the United States
cont.
■ 2000 National Security Directive 42 (NSD-42): Gives
guidance on the security of national defense systems,
among other roles
■ 2001 U.S. Patriot Act HR 3162, aka “Uniting and
Strengthening America by Providing Appropriate Tools
Required to Intercept and Obstruct Terrorism Act
■ 2002 Federal Information Security Management Act:
Defines the basic statutory requirements for protecting
federal computer systems
■ 2010 Fair Depth Collection Practices Act: Addresses
unfair or unconscionable means to collect or attempt to
collect a debt
© Pearson Education 2014, Information Security: Principles
and Practices, 2nd Edition 15
Computer Forensics

■ The National Data Conversion Institute (NDCI) makes a case for using
expert investigative services to solve computer crimes
■ Arguments for the advantages of using investigative services
❑ Successful litigation frequently depends on obtaining irrefutable computer evidence
❑ Your evidence may not be as good as the opposition’s if you are using less sophisticated
data-detection techniques
❑ Your adversaries do not want you to obtain the data you need
❑ The technology used to create the data you need may have already disappeared. Time is
of the essence.

© Pearson Education 2014, Information Security: Principles

and Practices, 2nd Edition 16
The Information Security Professional’s Code
of Ethics
■ ISC2 Code of Ethics: Four mandatory canons
❑ Protect society, the commonwealth, and the
infrastructure
❑ Act honorably, honestly, justly, responsibly, and
legally
❑ Provide diligent and competent service to principals
❑ Advance and protect the profession

© Pearson Education 2014, Information Security: Principles

and Practices, 2nd Edition 17
Other Ethics Standards

■ Computer Ethics Institute’s Ten Commandments of Computer

Ethics
■ Internet Activities Board’s Ethics and the Internet
■ U.S. Department of Health, Education, and Welfare Code of
Fair Information Practices

© Pearson Education 2014, Information Security: Principles

and Practices, 2nd Edition 18
Summary

■ Laws, investigative principles, and professional ethics are as

important to information security professionals as knowing
how to design firewall architecture, which is a fundamental
security technology

© Pearson Education 2014, Information Security: Principles

and Practices, 2nd Edition 19
 “Managing Compliance”

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Managing Risk in Information Systems www.jblearning.com Page 20
All rights reserved.
 U.S. Compliance Laws
▪ Federal Information Security Management Act
(FISMA)
▪ Health Insurance Portability and Accountability
Act (HIPAA)
▪ Gramm-Leach-Bliley Act (GLBA)
▪ Sarbanes-Oxley Act (SOX)
▪ Family Educational Rights and Privacy Act
(FERPA)
▪ Children’s Internet Protection Act (CIPA)

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Managing Risk in Information Systems www.jblearning.com Page 21
All rights reserved.
 U.S. Compliance Laws and their Applicability

Law Applicability
FISMA Federal agencies
Any organization handling medical
HIPAA
data
Banks, brokerage companies, and
GLBA
insurance companies
FERPA Educational institutions

Schools and libraries using

CIPA E-Rate discounts

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Managing Risk in Information Systems www.jblearning.com Page 22
All rights reserved.
Canadian Privacy Laws

• Federal privacy laws:

• Privacy Act: The Privacy Act imposes
restrictions on how 150 federal government
organizations collect, use and disclose PI
• PIPEDA: Federally regulated and private
sector businesses subject to the federal
Personal Information (PI ) Protection and
Electronic Documents Act (PIPEDA)
• Provincial laws go over and above the federal
legislation and govern individual rights for
collecting, storing and transferring personal
information
 GDPR
the EU General Data Protection (GDPR) will introduce a range of requirements that will have
significant impacts on organizations. Combined with increasing demands from consumers, privacy is
now firmly positioned at the top of the corporate agenda

Proposed – January 25th 2012

Passed - December 17, 2015
Adoption – Spring 2016

Enforcement – Spring 2018

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Managing Risk in Information Systems www.jblearning.com Page 24
All rights reserved.
 HIPAA Compliance Process
▪ HIPAA covers any
organization that handles
health data
• Medical facilities
• Insurance companies
• Any company with a
health plan if employees
handle health data

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Managing Risk in Information Systems www.jblearning.com Page 25
All rights reserved.
 U.S. Compliance Regulatory Agencies

Securities and Exchange

Commission (SEC)

Federal Trade
Commission (FTC)

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Managing Risk in Information Systems www.jblearning.com Page 26
All rights reserved.
 U.S. Compliance Regulatory Agencies
▪ Federal Deposit Insurance Corporation (FDIC)
▪ Department of Homeland Security (DHS)
▪ State Attorney General (AG)
▪ U.S. Attorney General (U.S. AG)

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Managing Risk in Information Systems www.jblearning.com Page 27
All rights reserved.
 Organizational Policies for Compliance: Fiduciary
Responsibility
▪ Fiduciary
• Refers to a relationship of trust
• Could be a person who is trusted to hold
someone else’s assets
▪ Trusted person has the responsibility to act in the
other person’s best interests and avoid conflicts
of interest

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Managing Risk in Information Systems www.jblearning.com Page 28
All rights reserved.
 Organizational Policies for Compliance: Fiduciary
Responsibility (Cont.)
▪ Examples of trust relationships:
• An attorney and a client
• A CEO and a board of directors
• Shareholders and a board of directors
▪ Fiduciary is expected to take extra steps:
• Due diligence
• Due care

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Managing Risk in Information Systems www.jblearning.com Page 29
All rights reserved.
 Standards and Guidelines

PCI
NIST GAISP
DSS

COBIT ISO IEC

ITIL RMF
CMMI
DoD

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Managing Risk in Information Systems www.jblearning.com Page 30
All rights reserved.
 PCI DSS Compliance
▪ Created by Payment Card Industry Security Standards Council
▪ American Express, Discover Financial Services, JCB International,
MasterCard Worldwide, and Visa Inc.
▪ Modernized by the Security Standards Council
▪ Effort to obstruct and prevent further theft of personal information

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Managing Risk in Information Systems www.jblearning.com Page 31
All rights reserved.
 PCI DSS Standards
▪ Use of personal identification numbers (PIN)
▪ Installation of software used to store, process,
and/or transmit cardholder data
▪ PCI DSS standards serve as PCI DSS goals
▪ Merchants who store, process, and/or transmit
cardholder data must comply
▪ Merchants should establish processes that work
toward PCI DSS goals

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Managing Risk in Information Systems www.jblearning.com Page 32
All rights reserved.
 Goals and Process Steps to PCI DSS
Goals Process Steps
Build and maintain ▪ Install a firewall system
a secure network ▪ Perform testing when configurations
that is PCI change
compliant
▪ Identify all connections to cardholder
information
▪ Review configuration rules every six
months
▪ Change all default passwords

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Managing Risk in Information Systems www.jblearning.com Page 33
All rights reserved.
 Goals and Process Steps to PCI DSS
Goals Process Steps
Protect ▪ Display the maximum of the first six
cardholder data and last four digits of the primary
account number
▪ Encrypt all online information

Maintain a ▪ Install anti-virus software

vulnerability ▪ Install vendor-provided security
management patches
program

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Managing Risk in Information Systems www.jblearning.com Page 34
All rights reserved.
 Goals and Process Steps to PCI DSS

Goals Process Steps

Implement strong ▪ Limit the accessibility of cardholder
access control information
measures ▪ Assign an unreadable password
▪ Monitor the physical access to
cardholder data
▪ Maintain a visitor log and save the
log for at least three months

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Managing Risk in Information Systems www.jblearning.com Page 35
All rights reserved.
 Goals and Process Steps to PCI DSS

Goals Process Steps

Regularly monitor and test ▪ Use a wireless analyzer to
networks check for wireless access
points
▪ Scan internal and external
networks
▪ Install software to
recognize any modification
by unauthorized personnel

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Managing Risk in Information Systems www.jblearning.com Page 36
All rights reserved.
 Goals and Process Steps to PCI DSS

Goals Process Steps

Maintain an ▪ Include annual and day-to-day
information security procedures and policies to
security policy recognize security breaches
▪ Perform background checks on
potential employees
▪ Educate employees on compliance
regulations

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Managing Risk in Information Systems www.jblearning.com Page 37
All rights reserved.
 PCI DSS Process
• Build and maintain a secure
network that is PCI compliant
• Protect cardholder data
• Maintain a vulnerability
management program
• Implement strong access
control measures
• Regularly monitor and test
networks
• Maintain an information security
policy

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Managing Risk in Information Systems www.jblearning.com Page 38
All rights reserved.
 Seven COBIT Enablers

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Managing Risk in Information Systems www.jblearning.com Page 39
All rights reserved.
 ITIL Lifecycle
▪ Phases

• Service Strategy

• Service Design

• Service Transition

• Service Operation

• Continual Service Improvement

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Managing Risk in Information Systems www.jblearning.com Page 40
All rights reserved.
 CMMI
▪ Primary areas of interest

• Product and service development

• Service establishment,
management, and delivery

• Product and service acquisition

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Managing Risk in Information Systems www.jblearning.com Page 41
All rights reserved.
 Risk Management Framework (RMF) for
Department of Defense Information
Technology (IT)
▪ Government transitioned from DIACAP to RMF for
DoD IT in March 2014
▪ Six steps of RMF:
• Step 1: Categorize system
• Step 2: Select security controls
• Step 3: Implement security controls
• Step 4: Assess security controls
• Step 5: Authorize system
• Step 6: Monitor security controls

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Managing Risk in Information Systems www.jblearning.com Page 42
All rights reserved.