Policy and Legislation - PowerPoint PPT Presentation

Title: Policy and Legislation
Slides: 40
Provided by: timothyj8

Transcript and Presenter's Notes

1
Policy and Legislation
  • (Slides from Aaron Rhys Shelmire)

2
Uniform Trade Secrets Act (UTSA)
  • Secret must generate or have the potential to
    generate income
  • Steps are taken to keep it secret
  • Enacted by states (48 and D.C.)

3
Computer Fraud and Abuse Act
  • Prohibits access to protected computers without
    authorization
  • Prohibits exceeding the authorization levels granted

4
Electronic Communications Protection Act
  • Prohibits the unauthorized and unjustified
    interception, disclosure, or use of
    communications, including electronic
    communications
  • Title I - The Wiretap Act
  • Title II - The Stored Communications Act
  • Pen and Trace and Trap Statute

5
ECPA - Wiretap Act (1)
  • Prohibits intentional or attempted interception
    of a wire, oral, or electronic communication as
    well as the disclosure of that information
  • Certain exceptions are made:
    • interceptions by service providers acting within
      the ordinary scope of their business, as necessary
      for rendering their services or protecting the
      service provider's rights or property
    • interceptions authorized by court order or other
      lawful authority

6
ECPA - Wiretap Act (2)
  • Further exceptions:
    • interceptions made by a party involved in the
      communication
    • interceptions made with the consent of one party
      to the communication
      • in some states it must be both parties

7
ECPA - Wiretap Act (3)
  • interceptions of a computer trespasser's
    communications made to, through, or from a
    protected computer if the owner authorized
    interception, interception is part of an
    investigation, and the contents of communications
    are reasonably believed to be relevant to the
    investigation

8
ECPA - Stored Communications Act
  • The Wiretap Act does not cover communications
    held in storage (e.g. websites, email)
  • imposes criminal and civil liability for the
    intentional, unauthorized access to an electronic
    communication service facility to obtain, alter,
    or prevent authorized access to a stored wire or
    electronic communication

9
ECPA - Pen and Trace and Trap Statute
  • No person may install or use a pen register or a
    trap and trace device without first obtaining a
    court order
  • Exceptions:
    • Service provider
    • Verification of service
    • Consent
  • An ISP can disclose non-content information
    (originator, receiver, dates, times, Layer-4 and
    below, et cetera), except to the government
  • The government needs a warrant, a subpoena or the
    consent of the subscriber

10
Federal Rules of Evidence (1)
  • Hearsay
    • A statement other than one made by the defendant
      while testifying, offered as evidence
  • Computer generated records
    • Output of computer programs untouched by human
      hands
  • Computer stored records
    • Output generated by a person and stored on a
      computer
  • Exception
    • Records of regularly conducted activity
    • ...if that activity is defined in POLICY

11
Federal Rules of Evidence (2)
  • Authentication of evidence
    • Achieved by the collector of that evidence
      testifying to its authenticity
  • Best Evidence Rule
    • If data are stored in a computer or similar
      device, any printout or other output readable by
      sight, shown to reflect the data accurately, is
      an original

12
4th Amendment
  • Protects against unreasonable search by the
    government
  • Does not protect against search from private
    individuals or companies
  • Courts have ruled that a disk is akin to a
    closed container and that individuals expect
    similar privacy

13
5th Amendment
  • No person shall be compelled in any criminal
    case to be a witness against himself
  • Extends to cryptographic keys
  • Don't have to give up memorized keys

14
Sarbanes Oxley (1)
  • Chief executives of publicly traded companies
    must validate financial statements and other
    information
  • CEOs and CFOs must affirm that their companies
    have proper internal controls
  • IT systems keep control of everything
  • IT systems must be secure to ensure proper
    internal controls
  • Internally developed systems must be developed
    securely

15
Sarbanes Oxley (2)
  • Secure identity management
    • Identity provisioning
    • Policy-based access control
    • Strong authentication
    • Data protection/integrity
  • But it doesn't say how.

16
HIPAA (1)
  • Health Insurance Portability and Accountability
    Act
  • Applies to doctors, health-care providers,
    pharmacists, et cetera.
  • Established in part to prevent unauthorized use
    and disclosure of Protected Health Information
    (PHI)

17
HIPAA (2)
  • Part 160 - General Administrative Requirements
  • Part 162 - Administrative Requirements
  • Part 164 - Security and Privacy Rules

18
HIPAA (3)
  • Privacy rule - the right of an individual to
    control the use of personal information.
  • Security rule - administrative, technical and
    physical safeguards specifically as they relate
    to electronic PHI (ePHI): the protection of ePHI
    data from unauthorized access, whether external
    or internal, stored or in transit.
    • Implement policies and procedures
    • Protect, prevent, detect, and contain incidents
    • Risk analysis
    • Risk management
    • Sanctions against violators
    • Assign security responsibility

19
HIPAA (4)
  • Methods to authorize access
  • Methods to record the establishment of access and
    modification of information
  • Security awareness and training
    • Security reminders
    • Log-in monitoring
    • Password management
  • Transmission security
    • Integrity controls
    • Encryption/decryption

20
HIPAA (5)
  • Security incident procedures
    • Must respond and report/document
  • Contingency plan
    • Data backup plan
    • Disaster recovery plan
    • Emergency mode operation plan
    • Testing and revision procedures
    • Applications and data criticality analysis
  • Periodic evaluation

21
HIPAA (6)
  • Technical specifications
    • Unique user identification
    • Emergency access procedure
    • Automatic logoff
    • Encryption
    • Audit controls
    • Integrity
      • Mechanism to authenticate that electronic
        protected health information (ePHI) has not been
        altered
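The last two technical specifications on this slide, audit controls and an integrity mechanism that can show ePHI has not been altered, are the ones a developer actually has to build. The following is an added example, not part of the original slides or of any HIPAA-published code: it seals each ePHI record with an HMAC-SHA256 tag under a server-side key, refuses a record whose tag no longer matches, and writes every access attempt (by unique user id, with the verification result) to an audit trail. The key, the record fields, the user ids and the `AUDIT_LOG` structure are all constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone

# Constructed server-side integrity key. Assumption for the example only:
# in a real deployment it lives in a KMS/HSM, never next to the records.
INTEGRITY_KEY = secrets.token_bytes(32)

# In-memory audit trail (constructed stand-in for an append-only log store).
AUDIT_LOG = []


def canonical(record: dict) -> bytes:
    """Serialise a record deterministically so that the same content always
    yields the same tag regardless of key order or whitespace."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Attach an HMAC-SHA256 tag over the canonical form of the record.
    Anyone without the key cannot produce a valid tag for altered content."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute the tag and compare in constant time (avoids timing leaks)."""
    expected = hmac.new(key, canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def access_record(user_id: str, sealed: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Audit-controlled read of one ePHI record.

    Every attempt is logged under the caller's unique user id together with
    the integrity outcome, so a tampered record shows up in the audit trail
    even though the read itself is refused."""
    ok = verify(sealed, key)
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user_id,
        "patient": sealed["record"].get("patient_id"),
        "integrity_ok": ok,
    })
    if not ok:
        raise ValueError("integrity check failed: ePHI record may have been altered")
    return sealed["record"]


if __name__ == "__main__":
    # Constructed sample record; the diagnosis code is illustrative only.
    rec = seal({"patient_id": "P-0001", "dx": "J45.9"})
    print("clean read:", access_record("nurse.01", rec))
    tampered = {"record": {**rec["record"], "dx": "Z00.0"}, "tag": rec["tag"]}
    try:
        access_record("nurse.01", tampered)
    except ValueError as e:
        print("refused:", e)
    print("audit trail:", AUDIT_LOG)
```

The HMAC covers a canonical serialisation, so reordering JSON keys does not change the tag, but changing any field value does. Note that this detects alteration; it does not by itself prevent an insider who holds the key from re-sealing a modified record, which is why the key belongs in a separate trust boundary and the audit log should be append-only.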

22
Fair and Accurate Credit Transactions (FACT) Act
of 2003
  • Extends Fair Credit Reporting Act of 1970 to
    provide protections from fraud and identity theft
  • Merchants and credit agencies must have secure
    systems to handle consumer fraud complaints and
    protect sensitive information (credit cards) from
    unauthorized disclosure.

23
FACT
  • Applies to more than consumer organizations
  • Companies that use credit reports to screen new
    hires

24
Data Accountability and Trust Act (DATA)
  • requires organizations to inform those whose data
    are "acquired by an unauthorized person" in the
    event of a data breach "if there is a reasonable
    basis to conclude that there is a significant
    risk of identity theft."
  • Passed the House Energy and Commerce Committee

25
DATA
  • Federal Trade Commission enforces DATA
  • requires data brokers to establish security
    policies
  • requires audits by the FTC of organizations that
    experience security breaches.
  • Similar to California's SB 1386
  • Does not require disclosure if data is encrypted

26
Cyber Security Research and Development Act
  • H.R. 3394
  • To authorize funding for computer and network
    security research and development and research
    fellowship programs, and other purposes

27
Network Neutrality (1)
  • Michael Powell stated that consumers are entitled
    to four freedoms:
    • access to the lawful Internet content of their
      choice
    • to run applications and services of their
      choice, subject to the needs of law enforcement
      (i.e. wiretapping)
    • to connect their choice of legal devices that do
      not harm the network
    • competition among network providers, application
      and service providers, and content providers

28
Network Neutrality (2)
  • Various Amendments to Telecom Act passed to
    solidify those concepts
  • exceptions to allow providers to discriminate for
    security purposes, or offer specialized services
    such as "broadband video" service.
  • Tiering not addressed
  • What does this have to do with Information
    Assurance?

29
Liability (1)
  • Company A sells a car knowing that its back seat
    was often engulfed in flames after a rear-end
    collision
  • A person dies
  • Company A is liable

30
Liability (2)
  • Company B sells software. They know of a critical
    flaw in their software, and even have a patch for
    this flaw, but refuse to release it until
    fix-it-Friday. Your system is compromised through
    this flaw, and you lose $3.2 million. What do you do?

31
Liability (3)
  • In a test of major antivirus programs conducted
    by Brazil's CERT, the very best antivirus programs
    detected only 88 percent of the known keyloggers.
  • In the U.S., victims of fraudulent money transfers
    are typically limited to $50 in liability under the
    Federal Reserve's Regulation E, so long as they
    report the crime quickly enough (within two
    days). If they report it within 60 days, their
    liability is capped at $500.

32
The Lopez Case
  • Joe Lopez, the owner of a small computer supply
    company in Miami, sued Bank of America after
    cybercrooks were able to use a keylogging Trojan
    planted on his business computers to swipe bank
    account information and transfer $90,000 to
    Latvia.
  • Bank of America says it does not need to cover
    the loss because Mr. Lopez was a business
    customer and because it is not the bank's fault
    that he did not practice good computer hygiene.
    Mr. Lopez claims he did, and that in any case,
    Bank of America should have done more to warn him
    of the risks of computer crime.

33
RaboDirect
  • "Ireland's online bank RaboDirect has become the
    first bank in the country to offer its customers
    a security guarantee: customers are guaranteed
    they will not lose any money in the event of
    online theft. RaboDirect customers will have a
    token that generates a one-time use passcode to
    be used in their two-factor authentication
    scheme." - SANS NewsBites Vol. 8 Issue 29

34
Insurance
  • Buy a safe, and you have insurance up to $10,000
  • Power supply: insurance up to $3,000
  • Buy commercial database software: insurance that
    my data is safe within it?

35
Cell phone records debacle
  • Pretexting - pretending to be a user in order to
    obtain that user's phone records
  • Consumer Phone Records Act
    • Passed the House
    • Illegal to acquire, use or sell a person's
      confidential phone records without that person's
      written consent.

36
Cookies?
  • Only investigators are allowed to tap your phone,
    so why are companies allowed to tap my web browsing?
  • Does the government have a right to that data?
  • Google and the 2035 cookie?
  • Gmail account + Google search = tracked web search

37
Cyber Law Enforcement
  • Increased investment in law enforcement
  • Cross-border cooperation among investigators, who
    are overwhelmed by the global nature of
    cybercrime.
  • "There are more criminals on the Internet street
    than policemen"

38
Internet police?
  • A kid in Sweden commits a hacking crime and gets
    off with community service
  • Need some way to fix this
  • Put the Internet into UN or some other
    international hands, no longer DARPA

39
Cybersecurity
  • "By exploiting vulnerabilities in our cyber
    systems, an organized attack may endanger the
    security of our Nation's critical infrastructure"
    - Cyberspace Strategy, page xi