Date posted: 13-Jan-2016
Uploaded by: cleopatra-gardner
Lesson 5 - Legal Issues in Information Security
Overview
U.S. criminal law.
State laws.
Laws of other countries.
Issues with prosecution.
Civil issues.
Privacy issues.
U.S. Criminal Law
Computer fraud and abuse:
18 US Code 1030 forms the basis for federal intervention in computer crimes.
Section (a) of the statute defines computer crime as the intentional access of a computer without authorization.
The statute requires that the attacker obtain information that should have been protected.
The statute can be used only if the damage caused by the attack is $5,000 or more.
Credit card fraud and copyright:
18 US Code 1029 applies to credit card fraud.
The statute makes it a crime to possess fifteen or more counterfeit credit cards.
18 US Code 2319 defines criminal penalties for copyright violations.
The statute applies if at least 10 copies of one or more copyrighted works have been reproduced or distributed.
The total retail value of the copies must exceed $1,000.
Interception:
18 US Code 2511 outlaws the interception of telephone calls and other types of electronic communication.
This law prevents law enforcement from using wiretaps without a warrant.
An intruder who places a sniffer on a computer system is likely to be in violation of this law.
Where appropriate, the law allows an organization to monitor its own network and computer systems for their protection.
Access to electronic information:
18 US Code 2701 prohibits unlawful access to stored communications.
This statute also prohibits authorized users from accessing systems that store electronic information.
The statute allows the provider of the service to access any file on the system.
Patriot Act:
The USA PATRIOT Act was passed in response to the September 11 terrorist attacks.
The Patriot Act increased the maximum penalties for violations of 18 US Code 1030.
It also modified the wording of 18 US Code 1030 to redefine “damage,” making it easier to reach the $5,000 minimum damage threshold.
An action affecting a computer system used by the government for justice, national defense, or national security is considered a violation of federal law.
An individual inside the United States who attacks a system outside the country can be prosecuted under federal law.
The Pen Register Statute (18 US Code 3127) allowed law enforcement to record the telephone numbers dialed from a particular telephone.
The Patriot Act modified the law to include any device or process that records dialing, routing, addressing, or signaling information.
It is now possible to collect e-mail header information, source and destination IP addresses, and TCP and UDP port numbers.
The law still prevents collection of e-mail subject lines and of the contents of e-mail messages and downloaded files.
The Patriot Act also modified 18 US Code 2511 to allow law enforcement to intercept communications in order to monitor the activities of an intruder.
For such interception, the owner of the system must consent and the interception must be relevant to the investigation.
The law states that the interception can only access communications to or from the trespasser.
The majority of the Homeland Security Act is directed at the creation of the Department of Homeland Security.
State Laws
State laws differ from federal laws with respect to what constitutes a crime and how a crime may be punished.
The concept of what constitutes a computer crime also differs from state to state.
Laws of Other Countries
Computer crime laws in other countries may have an effect on computer crime investigations in the United States.
If an attack is traced to a system in another country, the FBI will attempt to get assistance from the law enforcement agencies there.
A country with no computer crime laws is unlikely to assist in the investigation.
Unauthorized access to data in computers is a crime in most countries that have computer crime laws.
Issues with Prosecution
Before contacting law enforcement to prosecute offenders, the organization must develop an incident response procedure.
If normal business procedures are followed, no special precautions need be taken to safeguard information as evidence.
If the organization takes actions outside the scope of its normal business procedures, precautions need to be taken.
The organization’s general counsel should be consulted before contacting law enforcement.
Advice should be taken from the organization’s counsel and from law enforcement before any action is taken.
Law enforcement is bound to follow rules that allow the information gathered to be used as evidence.
Once law enforcement takes possession of information, it controls access to it and protects it as evidence according to its procedures.
Law enforcement cannot gather information from the network without a warrant unless the organization offers the information voluntarily.
Civil Issues
Employees must be told that the organization can access or monitor any information on its systems or network at any time.
Employees should be asked to sign copies of the organization’s policies to alleviate potential legal issues.
Downstream liability is when an organization is held liable because its compromised system was used to attack another organization.
The question is whether the first organization took reasonable care and appropriate measures to prevent this from occurring.
Privacy Issues
The federal government has enacted privacy legislation for the banking, financial, and healthcare sectors.
Customer information belongs to the customer, not to your organization.
Health Insurance Portability and Accountability Act (HIPAA)
An organization must take appropriate measures to safeguard customer information from unauthorized disclosure.
The Department of Health and Human Services published the final Health Insurance Portability and Accountability Act (HIPAA) security regulations in February 2003.
HIPAA relates to the creation and enforcement of standards for the protection of health information.
An organization must implement an addressable regulation if it is found to be reasonable and appropriate.
If not, the organization must document why the regulation is not reasonable or appropriate and implement an alternative mechanism.
The overall goal of the regulations is to maintain the confidentiality, integrity, and availability of protected health information (PHI).
Administrative safeguards:
Security management process – regular risk analysis, appropriate security measures to manage risk, a sanction policy for enforcement, and regular review of security logs and activity information are required.
Assigned security responsibility – an individual must be assigned responsibility for security.
Workforce security – procedures for authorization, workforce clearance, and termination are addressable by the organization.
Information access management – isolating the health care clearinghouse function is required. Procedures for access authorization, establishment, and modification are addressable.
Security awareness and training – periodic security updates, protection from malicious software, login monitoring, and password management are addressable.
Security incident procedures – policies and procedures to address security incidents are required.
Contingency plans – plans for data backup, disaster recovery, and emergency mode operation are required. Periodic testing and revision of the contingency plans and assessment of the relative criticality of specific applications are addressable.
Evaluation – performing periodic evaluations of security in response to changes in operations or environment is required.
Business associate contracts and other arrangements – contracts requiring appropriate security are required with any organization that shares PHI.
Physical safeguards:
Facility access controls – procedures for contingency plans, a facility security plan, access control and validation, and recording of repairs and modifications to the physical security of the facility are addressable.
Workstation use – policies specifying the physical attributes of workstations that can access PHI are required.
Workstation security – physical security safeguards for all workstations that can access PHI are required.
Device and media controls – procedures for disposing of PHI and the media on which it was stored, and for removing PHI before media are reused, are required. Records of the movement of media and hardware are addressable.
Technical safeguards:
Access control – it is required that each user be assigned a unique identifier and that emergency access procedures be implemented. Automatic logoff and encryption/decryption of PHI are addressable.
Audit controls – implementation of mechanisms that record and examine activity on systems containing PHI is required.
Integrity – a method to authenticate electronic PHI is addressable.
Person or entity authentication – mechanisms to authenticate the identity of individuals seeking access to PHI are required.
Transmission security – mechanisms to detect unauthorized modification of PHI in transit and to encrypt PHI when appropriate are addressable.
Organization requirements:
Any contracts with organizations that will be able to access PHI must include provisions for security.
Health plan documents must provide for the sponsor to take appropriate measures to protect PHI.
Policies, procedures, and documentation requirements:
The organization is required to keep documentation for six years from the date of creation.
Policies and procedures must be made available to the individuals who will be implementing the mechanisms.
Gramm-Leach-Bliley Financial Services Modernization Act (GLBA)
The Gramm-Leach-Bliley Financial Services Modernization Act (GLBA) was passed in 1999.
Section 502 of the act prohibits financial organizations from disclosing customer information without giving the customer a chance to opt out.
The act requires financial institutions to safeguard customer information from unauthorized disclosure.
For this purpose, the financial oversight agencies have published the “Interagency Guidelines Establishing Standards for Safeguarding Customer Information”.
The guidelines impose requirements on the financial organization’s security program:
Information security program – each organization must implement a comprehensive written security program.
Board involvement – the organization’s board must approve the security program.
Assessing risk – each organization must conduct periodic risk assessments.
The security mechanisms that the organization must use to manage and control risk are:
Access controls to information.
Physical access restrictions to systems and records.
Encryption of sensitive information in transit.
System change procedures.
Dual control procedures, segregation of duties, and background checks.
Intrusion detection systems.
Incident response procedures.
Environment protection.
The guidelines identify the following requirements in case of third-party involvement:
Due diligence in selecting service providers.
Requiring service providers to implement security.
Monitoring service providers.
Adjusting the program.
Reporting to the board.
Summary
18 US Code 1030 is the primary computer crime statute.
18 US Code 1029 deals with credit card fraud.
18 US Code 2319 deals with copyright issues.
18 US Code 2511 prohibits interception of electronic information without a warrant.
18 US Code 2701 prohibits unlawful access to stored information.
The Patriot Act made several modifications to existing laws.
State laws regarding computer crime differ from the federal laws and from state to state.
Computer crime laws in other countries can affect investigations in the United States.
Organizations must have a detailed discussion of the options before contacting law enforcement to prosecute offenders.
The organization must make it known that employees should have no expectation of privacy.
The information security staff and the general counsel of the organization must coordinate in case of downstream liability.
HIPAA sets out regulations for the protection of health information.
GLBA relates to the privacy of customer information.
GLBA led to the “Interagency Guidelines Establishing Standards for Safeguarding Customer Information”.