Data Security Law and Management
Due Care and Due Diligence
• Due care: the organization took all reasonable measures to prevent
security breaches and to mitigate the damage caused by breaches that
succeed.
• Due diligence: the organization investigated and understood its risks
and vulnerabilities before acting.
• If an organization does not take the actions a prudent person would
have taken under similar circumstances, it is negligent.
• When due diligence occurs, the organization recognizes its areas of
risk; when due care occurs, it implements plans to protect against the
risks it identified.
Compliance
• Compliance means being in alignment with standards, guidelines,
regulations, and/or legislation. Organizations must comply with the
laws and regulations of the governments that have jurisdiction over
them.
• Governance, risk management, and compliance (GRC) is the
overarching term.
• Legal and regulatory compliance: security professionals must
understand the laws and regulations of
– the country or countries in which they operate
– the industry within which they operate
• Privacy requirements compliance: primarily concerned with the
confidentiality of data, particularly personally identifiable
information (PII).
Computer Crime Concepts
• Computer crimes are often made possible by a victim's negligence:
unpatched systems, weak or reused credentials, and missing monitoring.
• Investigating and prosecuting computer crimes is harder than
prosecuting physical crime because the evidence is largely intangible
and easily altered or destroyed.
• Reconstructing a reliable trail of the activities performed on a
computer is difficult and depends on logging and evidence handling
having been done correctly in advance.
Computer Crime Concepts, cont.
• Security professionals must understand the following computer
crime concepts:
– Computer-assisted crime: the computer is a tool used to commit a
crime that could exist without it (fraud, theft, harassment)
– Computer-targeted crime: the computer or network is itself the
victim (intrusion, denial of service, malware)
– Incidental computer crime: the computer is only peripherally
involved, for example as a store of records of a crime
– Computer prevalence crime: crime that exists only because computers
are widespread, such as software piracy
– Hackers versus crackers
Computer Crime Concepts, cont.
• White hat, gray hat, and black hat are more easily understood and
less often confused than the terms hacker and cracker.
– A white hat has no malicious intent and acts with authorization.
– A black hat has malicious intent.
– A gray hat falls somewhere between the two: acting without
authorization, a gray hat will break into a system, notify the
administrator of the security hole, and offer to fix the issue for a
fee.
Computer Crime Concepts, cont.
• Computer crime examples
– Fake or rogue antivirus software is installed on computers because of
scare tactics displayed in pop-up boxes.
– Ransomware attempts to extort money from victims, either by
encrypting the computer's data and demanding payment for the means to
restore it, or by claiming that the computer has been used for illegal
activities and that a fine must be paid to avoid prosecution.
– Scareware locks up a computer and warns that a violation of federal
or international law has occurred and that a fine must be paid.
Major Legal Systems
• Civil code law
• Common law, with three branches
– Criminal law
– Civil/tort law
– Administrative/regulatory law
• Customary law
• Religious law
• Mixed law
Licensing and Intellectual Property
• Intellectual property law is the group of laws that recognize
exclusive rights for creations of the mind:
– Patent
– Trade secret
– Trademark
– Copyright
– Software piracy and licensing issues
Licensing and Intellectual Property, cont.
• Insiders are among the greatest threats to any organization's
intellectual property.
– Organizations should take measures to protect confidential resources
from unauthorized internal access.
– Any information that is part of a patent, trade secret, trademark, or
copyright should be marked and given the appropriate classification.
– Access controls should be tailored to this information, and audit
controls should log every access and alert personnel to unauthorized
or unusual access.
– Due care procedures and policies must be in place so that the laws
protecting these assets can be used to prosecute an offender; a trade
secret in particular loses its protection if the organization did not
take reasonable steps to keep it secret.
Licensing and Intellectual Property, cont.
• Digital Rights Management (DRM)
– DRM combines restrictive license agreements with technical controls
such as encryption. It is used to protect computer games, software,
documents, eBooks, films, music, and television.
– In the enterprise, the primary concern of DRM is control of
documents: open, edit, print, or copy restrictions that are granted on
a permanent or temporary basis and enforced by the viewing application.
Cyber Crimes and Data Breaches
• A data breach is any incident in which information considered
private or confidential is released to unauthorized parties.
• A cyber crime is any criminal activity carried out by means of
computers or the Internet.
Import/Export Controls
• Many organizations today develop trade relationships with
organizations located in other countries.
• Organizations must be aware of the export and import laws of both
the source and destination countries; cryptography and other security
technology is itself export-controlled in many jurisdictions.
• Ensure that legal counsel is involved in the process so that all laws
and regulations, including international ones, are followed.
• Obtain the proper training to ensure compliance.
Trans-Border Data Flow
• Trans-border data transfers allow organizations and industries to
share information digitally much faster than in the past.
• Data is subject to the laws and legal systems of every jurisdiction
along its route, not only those of its origin and destination.
• Jurisdiction is affected when the organization that owns the data is
in one country while the data is stored in another.
• Security professionals must track the privacy and data protection
laws of all jurisdictions that may affect the organization.
• Security professionals should develop a detailed data-flow map for
all organizational processes, recording where each dataset originates,
which systems it passes through, and where it is stored.
Privacy
• Privacy concerns usually cover three areas:
– Which personal information can be shared with whom
– Whether messages can be exchanged confidentially
– Whether and how one can send messages anonymously
• Personally identifiable information (PII)
– PII is any piece of data that can be used alone or with other
information to identify a single person.
– Examples include full name, identification numbers, date of birth,
place of birth, biometric data, financial account numbers, and digital
identities.
– Security professionals must ensure that they understand international,
national, state, and local regulations and laws regarding PII.
Privacy, cont.
Laws and regulations
Security professionals must be aware of the following laws and at a
minimum understand how they affect their organization's operations.
– Sarbanes-Oxley (SOX) Act of 2002
– Health Insurance Portability and Accountability Act (HIPAA) of 1996
– Gramm-Leach-Bliley Act (GLBA) of 1999
– Computer Fraud and Abuse Act (CFAA) of 1986
– Privacy Act of 1974
– Foreign Intelligence Surveillance Act (FISA) of 1978
– Electronic Communications Privacy Act (ECPA) of 1986
– Computer Security Act of 1987
Privacy, cont.
Laws and regulations, cont.
– United States Federal Sentencing Guidelines of 1991
– Communications Assistance for Law Enforcement Act (CALEA) of 1994
– Personal Information Protection and Electronic Documents Act
(PIPEDA) (Canada)
– California Consumer Privacy Act (CCPA)
– International Traffic in Arms Regulations (ITAR)
– New York Department of Financial Services Cybersecurity Regulation
(NYDFS 23 NYCRR Part 500)
– Investigatory Powers Act 2016 (United Kingdom)
– Information Technology (Reasonable Security Practices and
Procedures and Sensitive Personal Data or Information) Rules, 2011
(India)
Privacy, cont.
Laws and regulations, cont.
– Personal Data Protection Act (PDPA) (Singapore)
– Personal Information Protection Law (PIPL) (China)
– Basel II
– Federal Information Security Management Act (FISMA) of 2002
– Economic Espionage Act of 1996
– USA PATRIOT Act of 2001
– Health Care and Education Reconciliation Act of 2010
– USA Freedom Act of 2015
– Clarifying Lawful Overseas Use of Data (CLOUD) Act of 2018
Privacy, cont.
• Employee privacy issues
– Employee privacy issues must be addressed so that the organization
is protected.
– Give employees proper notice of any monitoring that might be used.
– Apply monitoring of employees consistently.
– Fourth Amendment protection against unreasonable search constrains
monitoring by government employers; private-sector monitoring is
governed mainly by statute (such as the ECPA and state law) and by the
notice the employer has given.
– Security professionals and senior management should consult legal
counsel when designing and implementing any monitoring solution.
Privacy, cont.
• European Union and General Data Protection Regulation (GDPR)
– The EU Principles on Privacy set out strict requirements for the
protection of personal data.
– The EU Data Protection Directive (95/46/EC) gave direction on how to
follow those principles; it has since been repealed and replaced by
the GDPR.
– The Safe Harbor Privacy Principles were agreed between the U.S. and
the EU to guide U.S. organizations in complying with EU privacy
requirements; they were invalidated by the Court of Justice of the EU
in 2015, as was their successor Privacy Shield in 2020, and have been
followed by the EU-U.S. Data Privacy Framework.
– The EU Electronic Signatures Directive defined electronic signature
principles; it has been replaced by the eIDAS Regulation.
– Beginning on May 25, 2018, EU member states began applying the GDPR,
which applies to organizations established in the EU that collect or
process personal data, and to organizations outside the EU that monitor
the behaviour of, or offer goods and services to, individuals in the EU.
Privacy
• What are the main reasons employers monitor workers? Provide three
examples of employee monitoring that you feel are justified, and three
examples that you feel are not justified.
Privacy
• You are a new brand manager for a product line of Coach purses. You
are considering purchasing customer data from a company that sells a
large variety of women's products online. In addition to providing a
list of names, mailing addresses, and email addresses, the data
includes an estimate of each customer's annual income based on the zip
code in which they live, census data, and highest level of education
achieved. You could use the data to identify likely purchasers of your
high-end purses and then send those people emails announcing the new
product line and touting its many features. List the advantages and
disadvantages of such a marketing strategy. Would you recommend this
means of promotion in this instance? Why or why not?
Investigation Types
• Operations/administrative: do not result in any criminal, civil, or
regulatory issue.
• Criminal: carried out because a federal, state, or local law has been
violated.
• Civil: occur when one organization or party suspects another of civil
wrongdoing.
• Regulatory: occur when a regulatory body investigates an organization
for a regulatory infraction.
• Industry standards: conducted against the criteria an industry sets
for the standard functioning of operations in its field, rather than
against a law.
• eDiscovery: litigation or government investigations that deal with
the exchange of information in electronic format as part of the
discovery process.
Professional Ethics
• The ethics of a profession are the moral principles that define
right and wrong conduct within that occupation.
• Security professionals, particularly those who hold the CISSP
certification, should understand the codes of ethics published by the
International Information Systems Security Certification Consortium,
(ISC)2, the Computer Ethics Institute, the Internet Architecture
Board (IAB), and the organization that employs them.
Professional Ethics, cont.
• (ISC)2 Code of Ethics
– (ISC)2 provides a strict Code of Ethics for its certificate holders.
  • All certificate holders must follow the Code of Ethics.
  • Any reported violations of the code are investigated.
  • Certificate holders found to have violated the code can have their
certification revoked.
– The four mandatory canons of the Code of Ethics are:
  • Protect society, the common good, necessary public trust and
confidence, and the infrastructure.
  • Act honorably, honestly, justly, responsibly, and legally.
  • Provide diligent and competent service to principals.
  • Advance and protect the profession.
Professional Ethics, cont.
• (ISC)2 Code of Ethics, cont.
– Certificate holders are required to report any actions by other
certificate holders that they believe violate the code.
• Computer Ethics Institute
– The Computer Ethics Institute published the Ten Commandments of
Computer Ethics:
1. Do not use a computer to harm other people.
2. Do not interfere with other people's computer work.
3. Do not snoop around in other people's computer files.
4. Do not use a computer to steal.
5. Do not use a computer to bear false witness.
Professional Ethics, cont.
• Ten Commandments of Computer Ethics, cont.
6. Do not copy or use proprietary software for which you have not paid.
7. Do not use other people's computer resources without authorization
or proper compensation.
8. Do not appropriate other people's intellectual output.
9. Think about the social consequences of the program you are writing
or the system you are designing.
10. Always use a computer in ways that ensure consideration and respect
for other people and their property.
Professional Ethics, cont.
• Internet Architecture Board (IAB)
– The IAB provides architectural oversight of the Internet's protocols
and of the standards process of the Internet Engineering Task Force
(IETF).
– Ethics statements issued by the IAB describe the acts it deems
irresponsible.
– Request for Comments (RFC) 1087, "Ethics and the Internet" (1989),
is the IAB document that outlines unethical Internet behavior: gaining
unauthorized access to Internet resources, disrupting the intended use
of the Internet, wasting resources (people, capacity, computers),
destroying the integrity of computer-based information, and
compromising the privacy of users.
Professional Ethics, cont.
• Organizational ethics
– By adopting a formal ethics statement and program, the organization
makes clear to its employees that they are expected to act ethically
in all business dealings.
– Several laws in the United States affect the development and
adoption of an organizational ethics program; the Federal Sentencing
Guidelines, for example, reduce penalties for organizations that had an
effective compliance and ethics program in place.
– If an organization adopts an ethics program, its liability is often
limited, provided it ensures that personnel have been instructed in the
organization's ethics.
Professional Ethics
• What does it mean for an organization to act ethically? How can
one evaluate whether this is the case?

More Related Content

Similar to Data Security Law and Management.pdf

ethcpp04-Unit 3.ppt
ethcpp04-Unit 3.pptethcpp04-Unit 3.ppt
ethcpp04-Unit 3.pptAnil Yadav
 
COMPUTER LAW, INVESTIGATION AND ETHICS DOMAIN
COMPUTER LAW, INVESTIGATION AND ETHICS DOMAINCOMPUTER LAW, INVESTIGATION AND ETHICS DOMAIN
COMPUTER LAW, INVESTIGATION AND ETHICS DOMAINamiable_indian
 
Chapter1 Cyber security Law & policy.pptx
Chapter1 Cyber security Law & policy.pptxChapter1 Cyber security Law & policy.pptx
Chapter1 Cyber security Law & policy.pptxNargis Parveen
 
Information Assurance And Security - Chapter 3 - Lesson 2
Information Assurance And Security - Chapter 3 - Lesson 2Information Assurance And Security - Chapter 3 - Lesson 2
Information Assurance And Security - Chapter 3 - Lesson 2MLG College of Learning, Inc
 
ethcpp04-Unit 3.ppt
ethcpp04-Unit 3.pptethcpp04-Unit 3.ppt
ethcpp04-Unit 3.pptAnil Yadav
 
Chapter 3 - Lesson 2.pptx
Chapter 3 - Lesson 2.pptxChapter 3 - Lesson 2.pptx
Chapter 3 - Lesson 2.pptxJhaiJhai6
 
Legal, Ethical and professional issues in Information Security
Legal, Ethical and professional issues in Information SecurityLegal, Ethical and professional issues in Information Security
Legal, Ethical and professional issues in Information SecurityGamentortc
 
Software Legal Issues
Software Legal IssuesSoftware Legal Issues
Software Legal Issuesblogzilla
 
1ITC358ICT Management and Information SecurityChapter 12.docx
1ITC358ICT Management and Information SecurityChapter 12.docx1ITC358ICT Management and Information SecurityChapter 12.docx
1ITC358ICT Management and Information SecurityChapter 12.docxhyacinthshackley2629
 
Challenges to Achieve Privacy for Online Consumers in Mexico
Challenges to Achieve Privacy for Online Consumers in MexicoChallenges to Achieve Privacy for Online Consumers in Mexico
Challenges to Achieve Privacy for Online Consumers in MexicoJoel A. Gómez Treviño
 
Privacy in India: Legal issues
Privacy in India: Legal issuesPrivacy in India: Legal issues
Privacy in India: Legal issuesSagar Rahurkar
 
Law and Ethics in Information Security.pptx
Law and Ethics in Information Security.pptxLaw and Ethics in Information Security.pptx
Law and Ethics in Information Security.pptxEdFeranil
 
EU Data Protection Legislation, Peter Ridley (HPE)
EU Data Protection Legislation, Peter Ridley (HPE)EU Data Protection Legislation, Peter Ridley (HPE)
EU Data Protection Legislation, Peter Ridley (HPE)Napier University
 
All_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdfAll_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdfJakeAldrinDegala1
 
Understanding the EU's new General Data Protection Regulation (GDPR)
Understanding the EU's new General Data Protection Regulation (GDPR)Understanding the EU's new General Data Protection Regulation (GDPR)
Understanding the EU's new General Data Protection Regulation (GDPR)Acquia
 

Similar to Data Security Law and Management.pdf (20)

GPDR_Get-Data-Protection-Right
GPDR_Get-Data-Protection-RightGPDR_Get-Data-Protection-Right
GPDR_Get-Data-Protection-Right
 
ethcpp04-Unit 3.ppt
ethcpp04-Unit 3.pptethcpp04-Unit 3.ppt
ethcpp04-Unit 3.ppt
 
COMPUTER LAW, INVESTIGATION AND ETHICS DOMAIN
COMPUTER LAW, INVESTIGATION AND ETHICS DOMAINCOMPUTER LAW, INVESTIGATION AND ETHICS DOMAIN
COMPUTER LAW, INVESTIGATION AND ETHICS DOMAIN
 
Lecture 8.pdf
Lecture 8.pdfLecture 8.pdf
Lecture 8.pdf
 
Chapter1 Cyber security Law & policy.pptx
Chapter1 Cyber security Law & policy.pptxChapter1 Cyber security Law & policy.pptx
Chapter1 Cyber security Law & policy.pptx
 
Lesson 2
Lesson 2Lesson 2
Lesson 2
 
Information Assurance And Security - Chapter 3 - Lesson 2
Information Assurance And Security - Chapter 3 - Lesson 2Information Assurance And Security - Chapter 3 - Lesson 2
Information Assurance And Security - Chapter 3 - Lesson 2
 
Lesson 2-Identify Theft
Lesson 2-Identify TheftLesson 2-Identify Theft
Lesson 2-Identify Theft
 
ethcpp04-Unit 3.ppt
ethcpp04-Unit 3.pptethcpp04-Unit 3.ppt
ethcpp04-Unit 3.ppt
 
Chapter 3 - Lesson 2.pptx
Chapter 3 - Lesson 2.pptxChapter 3 - Lesson 2.pptx
Chapter 3 - Lesson 2.pptx
 
Legal, Ethical and professional issues in Information Security
Legal, Ethical and professional issues in Information SecurityLegal, Ethical and professional issues in Information Security
Legal, Ethical and professional issues in Information Security
 
Software Legal Issues
Software Legal IssuesSoftware Legal Issues
Software Legal Issues
 
1ITC358ICT Management and Information SecurityChapter 12.docx
1ITC358ICT Management and Information SecurityChapter 12.docx1ITC358ICT Management and Information SecurityChapter 12.docx
1ITC358ICT Management and Information SecurityChapter 12.docx
 
Challenges to Achieve Privacy for Online Consumers in Mexico
Challenges to Achieve Privacy for Online Consumers in MexicoChallenges to Achieve Privacy for Online Consumers in Mexico
Challenges to Achieve Privacy for Online Consumers in Mexico
 
Privacy in India: Legal issues
Privacy in India: Legal issuesPrivacy in India: Legal issues
Privacy in India: Legal issues
 
Law and Ethics in Information Security.pptx
Law and Ethics in Information Security.pptxLaw and Ethics in Information Security.pptx
Law and Ethics in Information Security.pptx
 
EU Data Protection Legislation, Peter Ridley (HPE)
EU Data Protection Legislation, Peter Ridley (HPE)EU Data Protection Legislation, Peter Ridley (HPE)
EU Data Protection Legislation, Peter Ridley (HPE)
 
Cyber Laws
Cyber LawsCyber Laws
Cyber Laws
 
All_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdfAll_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdf
 
Understanding the EU's new General Data Protection Regulation (GDPR)
Understanding the EU's new General Data Protection Regulation (GDPR)Understanding the EU's new General Data Protection Regulation (GDPR)
Understanding the EU's new General Data Protection Regulation (GDPR)
 

Recently uploaded

Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Pooja Bhuva
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSCeline George
 
How to Manage Call for Tendor in Odoo 17
How to Manage Call for Tendor in Odoo 17How to Manage Call for Tendor in Odoo 17
How to Manage Call for Tendor in Odoo 17Celine George
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual  Proper...General Principles of Intellectual Property: Concepts of Intellectual  Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...Poonam Aher Patil
 
Details on CBSE Compartment Exam.pptx1111
Details on CBSE Compartment Exam.pptx1111Details on CBSE Compartment Exam.pptx1111
Details on CBSE Compartment Exam.pptx1111GangaMaiya1
 
Google Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxGoogle Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxDr. Sarita Anand
 
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptxHMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptxmarlenawright1
 
Philosophy of china and it's charactistics
Philosophy of china and it's charactisticsPhilosophy of china and it's charactistics
Philosophy of china and it's charactisticshameyhk98
 
REMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptxREMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptxDr. Ravikiran H M Gowda
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jisc
 
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...Nguyen Thanh Tu Collection
 
FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024Elizabeth Walsh
 
FICTIONAL SALESMAN/SALESMAN SNSW 2024.pdf
FICTIONAL SALESMAN/SALESMAN SNSW 2024.pdfFICTIONAL SALESMAN/SALESMAN SNSW 2024.pdf
FICTIONAL SALESMAN/SALESMAN SNSW 2024.pdfPondicherry University
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentationcamerronhm
 
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptxOn_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptxPooja Bhuva
 
Simple, Complex, and Compound Sentences Exercises.pdf
Simple, Complex, and Compound Sentences Exercises.pdfSimple, Complex, and Compound Sentences Exercises.pdf
Simple, Complex, and Compound Sentences Exercises.pdfstareducators107
 
Interdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptxInterdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptxPooja Bhuva
 
Understanding Accommodations and Modifications
Understanding  Accommodations and ModificationsUnderstanding  Accommodations and Modifications
Understanding Accommodations and ModificationsMJDuyan
 
latest AZ-104 Exam Questions and Answers
latest AZ-104 Exam Questions and Answerslatest AZ-104 Exam Questions and Answers
latest AZ-104 Exam Questions and Answersdalebeck957
 

Recently uploaded (20)

Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POS
 
How to Manage Call for Tendor in Odoo 17
How to Manage Call for Tendor in Odoo 17How to Manage Call for Tendor in Odoo 17
How to Manage Call for Tendor in Odoo 17
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual  Proper...General Principles of Intellectual Property: Concepts of Intellectual  Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
Details on CBSE Compartment Exam.pptx1111
Details on CBSE Compartment Exam.pptx1111Details on CBSE Compartment Exam.pptx1111
Details on CBSE Compartment Exam.pptx1111
 
Google Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxGoogle Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptx
 
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptxHMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
 
Philosophy of china and it's charactistics
Philosophy of china and it's charactisticsPhilosophy of china and it's charactistics
Philosophy of china and it's charactistics
 
REMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptxREMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptx
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)
 
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
 
FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024
 
FICTIONAL SALESMAN/SALESMAN SNSW 2024.pdf
FICTIONAL SALESMAN/SALESMAN SNSW 2024.pdfFICTIONAL SALESMAN/SALESMAN SNSW 2024.pdf
FICTIONAL SALESMAN/SALESMAN SNSW 2024.pdf
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentation
 
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptxOn_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
 
Simple, Complex, and Compound Sentences Exercises.pdf
Simple, Complex, and Compound Sentences Exercises.pdfSimple, Complex, and Compound Sentences Exercises.pdf
Simple, Complex, and Compound Sentences Exercises.pdf
 
Interdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptxInterdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptx
 
Understanding Accommodations and Modifications
Understanding  Accommodations and ModificationsUnderstanding  Accommodations and Modifications
Understanding Accommodations and Modifications
 
latest AZ-104 Exam Questions and Answers
latest AZ-104 Exam Questions and Answerslatest AZ-104 Exam Questions and Answers
latest AZ-104 Exam Questions and Answers
 

Data Security Law and Management.pdf

  • 1. Data Security Law and Management
  • 2. 2 Due Care and Due Diligence  Due care: An organization took all reasonable measures to prevent security breaches and also took steps to mitigate damages caused by successful breaches.  Due diligence: An organization investigated all vulnerabilities.  If an organization does not take actions that a prudent person would have taken under similar circumstances, the organization is negligent.  When due diligence occurs, organizations recognize areas of risk.  When due care occurs, organizations implement plans to protect against the identified risks.
  • 3. 3 Compliance  Compliance involves being in alignment with standards, guidelines, regulations, and/or legislation. Organizations must comply with governmental laws and regulations.  Governance, risk management, and compliance (GRC) is the overarching term.  Legal and regulatory compliance: Security professionals must understand the laws and regulations of – the country or countries in which they work – the industry within which they operate  Privacy requirements compliance: Privacy requirements compliance is primarily concerned with the confidentiality of data, particularly personally identifiable information (PII).
  • 4. 4 Computer Crime Concepts  Computer crimes today are usually made possible by a victim’s negligence.  Investigating and prosecuting computer crimes is even more difficult because evidence is mostly intangible.  Obtaining a trail of evidence of activities performed on a computer is hard. continues
  • 5. 5 Computer Crime Concepts, cont.  Security professionals must understand the following computer crime concepts: – Computer-assisted crime – Computer-targeted crime – Incidental computer crime – Computer prevalence crime – Hackers versus crackers continues
  • 6. 6 Computer Crime Concepts, cont.  White hat, gray hat, and black hat are more easily understood and less often confused than the terms hackers and crackers. – A white hat does not have any malicious intent. – A black hat has malicious intent. – A gray hat is considered somewhere in the middle of the two. A gray hat will break into a system, notify the administrator of the security hole, and offer to fix the security issues for a fee. continues
  • 7. 7 Computer Crime Concepts, cont.  Computer crime examples – Fake or rogue antivirus software is installed on computers because of scare tactics that are displayed in pop-up boxes. – Ransomware attempts to extort money from potential victims by either encrypting the computer's data and asking for payment to fix it, or claiming that the computer has been used for illegal activities and a fine must be paid to prevent prosecution. – Scareware locks up a computer and warns that a violation of federal or international law has occurred, and a fine must be paid.
  • 8. 8 Major Legal Systems  Civil code law  Common law, divided into three systems – Criminal law – Civil/tort law – Administrative/regulatory law  Customary law  Religious law  Mixed law
  • 9. 9 Licensing and Intellectual Property  Intellectual property law is a group of laws that recognizes exclusive rights for creations of the mind. – Patent – Trade secret – Trademark – Copyright – Software piracy and licensing issues continues
  • 10. 10 Licensing and Intellectual Property, cont.  Employees are the greatest threat for any organization. – Organizations should take measures to protect confidential resources from unauthorized internal access. – Any information that is part of a patent, trade secret, trademark, or copyright should be marked and given the appropriate classification. – Access controls should be customized for this information, and audit controls should be implemented to alert personnel if any access occurs. – Due care procedures and policies must be in place to ensure that any laws protecting these assets can be used to prosecute an offender. continues
11
Licensing and Intellectual Property, cont.
 Digital Rights Management (DRM)
– DRM includes restrictive license agreements and encryption. It protects computer games, software, documents, eBooks, films, music, and television.
– The primary concern of DRM is the control of documents by using open, edit, print, or copy access restrictions that are granted on a permanent or temporary basis.
12
Cyber Crimes and Data Breaches
 A data breach is any incident in which information considered private or confidential is released to unauthorized parties.
 A cyber crime is any criminal activity carried out by means of computers or the Internet.
13
Import/Export Controls
 Many organizations today develop trade relationships with organizations located in other countries.
 Organizations must be aware of the export and import laws of both the source and destination countries.
 Ensure that legal counsel is involved in the process so that all laws and regulations are followed.
 Organizations must ensure that they are in compliance with all laws and regulations, including international regulations and laws.
 Obtain the proper training to ensure compliance.
14
Trans-Border Data Flow
 Trans-border data transfers allow organizations and industries to share information digitally much faster than in the past.
 Data is subject to the laws and legal systems of every jurisdiction along its route.
 The jurisdiction can be affected when the organization that owns the data is in one country while the data is stored in another country.
 Security professionals must oversee the privacy and data protection laws of all jurisdictions that may affect the organization.
 Security professionals should develop a detailed data-flow map for all organizational processes.
15
Privacy
 Privacy concerns usually cover three areas:
– Which personal information can be shared with whom
– Whether messages can be exchanged confidentially
– Whether and how one can send messages anonymously
 Personally identifiable information (PII)
– PII is any piece of data that can be used alone or with other information to identify a single person.
– Examples include full name, identification numbers, date of birth, place of birth, biometric data, financial account numbers, and digital identities.
– Security professionals must ensure that they understand international, national, state, and local regulations and laws regarding PII.
continues
16
Privacy, cont.
Laws and regulations
 Security professionals must be aware of the laws and at a minimum understand how those laws affect their organization's operations.
– Sarbanes-Oxley (SOX) Act
– Health Insurance Portability and Accountability Act (HIPAA)
– Gramm-Leach-Bliley Act (GLBA) of 1999
– Computer Fraud and Abuse Act (CFAA) of 1986
– Federal Privacy Act of 1974
– Federal Intelligence Surveillance Act (FISA) of 1978
– Electronic Communications Privacy Act (ECPA) of 1986
– Computer Security Act of 1987
continues
17
Privacy, cont.
Laws and regulations, cont.
– United States Federal Sentencing Guidelines of 1991
– Communications Assistance for Law Enforcement Act (CALEA) of 1994
– Personal Information Protection and Electronic Documents Act (PIPEDA)
– California Consumer Privacy Act (CCPA)
– Internal Traffic in Arms Regulations (ITAR)
– NYS DFS Rule 500
– Investigatory Powers Act of 2016
– Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (India)
continues
18
Privacy, cont.
Laws and regulations, cont.
– Personal Data Protection Act (PDPA) in Singapore
– Personal Information Protection Law (PIPL) in China
– Basel II
– Federal Information Security Management Act (FISMA) of 2002
– Economic Espionage Act of 1996
– USA PATRIOT Act of 2001
– Health Care and Education Reconciliation Act of 2010
– USA Freedom Act of 2015
– Clarifying Lawful Overseas Use of Data (CLOUD) Act
continues
19
Privacy, cont.
 Employee Privacy Issues
– Employee privacy issues must be addressed to ensure that the organization is protected.
– Give employees proper notice of any monitoring that might be used.
– Ensure that the monitoring of employees is applied in a consistent manner.
– Some actions are protected by the U.S. Constitution's Fourth Amendment.
– Security professionals and senior management should consult with legal counsel when designing and implementing any monitoring solution.
continues
20
Privacy, cont.
 European Union & General Data Protection Regulation (GDPR)
– The EU Principles on Privacy include strict laws to protect private data.
– The EU's Data Protection Directive provides direction on how to follow the laws set forth in the principles.
– The EU created the Safe Harbor Privacy Principles to help guide U.S. organizations in compliance with the EU Principles on Privacy.
– The EU Electronic Security Directive defines electronic signature principles.
– Beginning on May 25, 2018, the members of the EU began applying the General Data Protection Regulation (GDPR), which applies to EU-based organizations that collect or process the personal data of EU residents and to organizations outside the EU that monitor behavior or offer goods and services to EU residents.
21
Privacy
 What are the main reasons employers monitor workers? Provide examples of three types of employee monitoring that you feel are justified. Provide three examples of employee monitoring that you feel are not justified.
continues
22
Privacy
 You are a new brand manager for a product line of Coach purses. You are considering purchasing customer data from a company that sells a large variety of women's products online. In addition to providing a list of names, mailing addresses, and email addresses, the data includes an estimate of customers' annual income based on the zip code in which they live, census data, and highest level of education achieved. You could use the data to identify likely purchasers of your high-end purses, and you could then send those people emails announcing the new product line and touting its many features. List the advantages and disadvantages of such a marketing strategy. Would you recommend this means of promotion in this instance? Why or why not?
continues
23
Investigation Types
 Operations/Administrative: Do not result in any criminal, civil, or regulatory issue
 Criminal: Carried out because a federal, state, or local law has been violated
 Civil: Occur when one organization or party suspects another organization of civil wrongdoing
 Regulatory: Occur when a regulatory body investigates an organization for a regulatory infraction
 Industry Standards: Provide criteria within an industry relating to standard functioning of operations in their respective fields of production
 eDiscovery: Litigation or government investigations that deal with the exchange of information in electronic format as part of the discovery process
continues
24
Professional Ethics
 Ethics for any profession are the principles of right and wrong conduct that govern that occupation.
 Security professionals, particularly those who hold the CISSP certification, should understand the ethics published by the International Information Systems Security Certification Consortium (ISC)2, the Computer Ethics Institute, the Internet Architecture Board (IAB), and the organization that employs them.
continues
25
Professional Ethics, cont.
 (ISC)2 Code of Ethics
– (ISC)2 provides a strict Code of Ethics for its certificate holders.
• All certificate holders must follow the Code of Ethics.
• Any reported violations of the code are investigated.
• Certificate holders who are found to be guilty of violation will have their certification revoked.
– The four mandatory canons for the Code of Ethics are:
• Protect society, the common good, necessary public trust and confidence, and the infrastructure.
• Act honorably, honestly, justly, responsibly, and legally.
• Provide diligent and competent service to principals.
• Advance and protect the profession.
continues
26
Professional Ethics, cont.
 (ISC)2 Code of Ethics, cont.
– Certificate holders are required to report any actions by other certificate holders that they feel are in violation of the code.
 Computer Ethics Institute
– The Computer Ethics Institute created the Ten Commandments of Computer Ethics:
1. Do not use a computer for harm.
2. Do not interfere with the computer work of other people.
3. Do not snoop around in the computer files of other people.
4. Do not use a computer to steal.
5. Do not use a computer to lie.
continues
27
Professional Ethics, cont.
 Ten Commandments of Computer Ethics, cont.
6. Do not install and use licensed software unless you have paid for it.
7. Do not use another person's computer unless you have permission or have paid the appropriate compensation for said usage.
8. Do not appropriate another person's intellectual output.
9. Consider the consequences of the program you are writing or the system you are designing.
10. Always use a computer in ways that ensure consideration and respect of other people and their property.
continues
28
Professional Ethics, cont.
 Internet Architecture Board (IAB)
– The IAB oversees the design, engineering, and management of the Internet.
– Ethics statements issued by the IAB usually detail any acts that they deem irresponsible.
– Request for Comments (RFC) 1087, called "Ethics and the Internet," is the specific IAB document that outlines unethical Internet behavior.
continues
29
Professional Ethics, cont.
 Organizational ethics
– By adopting a formal ethics statement and program, the organization emphasizes to its employees that they are expected to act in an ethical manner in all business dealings.
– Several laws in the United States can affect the development and adoption of an organizational ethics program.
– If an organization adopts an ethics program, the organization's liability is often limited if the organization ensures that personnel have been instructed on the organization's ethics.
30
Professional Ethics
 What does it mean for an organization to act ethically? How can one evaluate whether this is the case?