Due Care and Due Diligence
Due care: An organization took all reasonable measures to prevent
security breaches and also took steps to mitigate damages caused
by successful breaches.
Due diligence: An organization investigated all vulnerabilities.
If an organization does not take actions that a prudent person
would have taken under similar circumstances, the organization is
negligent.
When due diligence occurs, organizations recognize areas of risk.
When due care occurs, organizations implement plans to protect
against the identified risks.
Compliance
Compliance involves being in alignment with standards,
guidelines, regulations, and/or legislation. Organizations must
comply with governmental laws and regulations.
Governance, risk management, and compliance (GRC) is the
overarching term.
Legal and regulatory compliance: Security professionals must
understand the laws and regulations of
– the country or countries in which they work
– the industry within which they operate
Privacy requirements compliance: Privacy requirements
compliance is primarily concerned with the confidentiality of data,
particularly personally identifiable information (PII).
Computer Crime Concepts
Computer crimes today are usually made possible by a victim’s
negligence.
Investigating and prosecuting computer crimes is even more
difficult because evidence is mostly intangible.
Obtaining a trail of evidence of activities performed on a computer
is hard.
Computer Crime Concepts, cont.
Security professionals must understand the following computer
crime concepts:
– Computer-assisted crime
– Computer-targeted crime
– Incidental computer crime
– Computer prevalence crime
– Hackers versus crackers
Computer Crime Concepts, cont.
White hat, gray hat, and black hat are more easily understood and
less often confused than the terms hackers and crackers.
– A white hat does not have any malicious intent.
– A black hat has malicious intent.
– A gray hat is considered somewhere in the middle of the two. A gray
hat will break into a system, notify the administrator of the security hole,
and offer to fix the security issues for a fee.
Computer Crime Concepts, cont.
Computer crime examples
– Fake or rogue antivirus software is installed on computers because of
scare tactics that are displayed in pop-up boxes.
– Ransomware attempts to extort money from potential victims by either
encrypting the computer's data and asking for payment to fix it, or
claiming that the computer has been used for illegal activities and a fine
must be paid to prevent prosecution.
– Scareware locks up a computer and warns that a violation of federal or
international law has occurred, and a fine must be paid.
Major Legal Systems
Civil code law
Common law, divided into three systems
– Criminal law
– Civil/tort law
– Administrative/regulatory law
Customary law
Religious law
Mixed law
Licensing and Intellectual Property
Intellectual property law is a group of laws that recognizes
exclusive rights for creations of the mind.
– Patent
– Trade secret
– Trademark
– Copyright
– Software piracy and licensing issues
Licensing and Intellectual Property, cont.
Employees are the greatest threat for any organization.
– Organizations should take measures to protect confidential resources
from unauthorized internal access.
– Any information that is part of a patent, trade secret, trademark, or
copyright should be marked and given the appropriate classification.
– Access controls should be customized for this information, and audit
controls should be implemented to alert personnel if any access
occurs.
– Due care procedures and policies must be in place to ensure that any
laws protecting these assets can be used to prosecute an offender.
Licensing and Intellectual Property, cont.
Digital Rights Management (DRM)
– DRM includes restrictive license agreements and encryption. It
protects computer games, software, documents, eBooks, films,
music, and television.
– The primary concern of DRM is the control of documents by using
open, edit, print, or copy access restrictions that are granted on a
permanent or temporary basis.
Cyber Crimes and Data Breaches
A data breach is any incident in which information considered
private or confidential is released to unauthorized parties.
A cyber crime is any criminal activity carried out by means of
computers or the Internet.
Import/Export Controls
Many organizations today develop trade relationships with
organizations located in other countries.
Organizations must be aware of the export and import laws of both
the source and destination countries.
Ensure that legal counsel is involved in the process so that all laws
and regulations are followed.
Organizations must ensure that they are in compliance with all laws
and regulations, including international regulations and laws.
Obtain the proper training to ensure compliance.
Trans-Border Data Flow
Trans-border data transfers allow organizations and industries to
share information digitally much faster than in the past.
Data is subject to the laws and legal systems of every jurisdiction
along its route.
The jurisdiction can be affected when the organization that owns
the data is in one country while the data is stored in another
country.
Security professionals must oversee the privacy and data
protection laws of all jurisdictions that may affect the organization.
Security professionals should develop a detailed data-flow map for
all organizational processes.
Privacy
Privacy concerns usually cover three areas:
– Which personal information can be shared with whom
– Whether messages can be exchanged confidentially
– Whether and how one can send messages anonymously
Personally identifiable information (PII)
– PII is any piece of data that can be used alone or with other
information to identify a single person.
– Examples include full name, identification numbers, date of birth,
place of birth, biometric data, financial account numbers, and digital
identities.
– Security professionals must ensure that they understand international,
national, state, and local regulations and laws regarding PII.
Privacy, cont.
Laws and regulations
Security professionals must be aware of the laws and at a minimum
understand how those laws affect their organization’s operations.
– Sarbanes-Oxley (SOX) Act
– Health Insurance Portability and Accountability Act (HIPAA)
– Gramm-Leach-Bliley Act (GLBA) of 1999
– Computer Fraud and Abuse Act (CFAA) of 1986
– Federal Privacy Act of 1974
– Foreign Intelligence Surveillance Act (FISA) of 1978
– Electronic Communications Privacy Act (ECPA) of 1986
– Computer Security Act of 1987
Privacy, cont.
Laws and regulations, cont.
– United States Federal Sentencing Guidelines of 1991
– Communications Assistance for Law Enforcement Act (CALEA) of
1994
– Personal Information Protection and Electronic Documents Act
(PIPEDA)
– California Consumer Privacy Act (CCPA)
– International Traffic in Arms Regulations (ITAR)
– NYS DFS Rule 500
– Investigatory Powers Act of 2016
– Information Technology (Reasonable Security Practices and
Procedures and Sensitive Personal Data or Information) Rules 2011
(India)
Privacy, cont.
Laws and regulations, cont.
– Personal Data Protection Act (PDPA) in Singapore
– Personal Information Protection Law (PIPL) in China
– Basel II
– Federal Information Security Management Act (FISMA) of 2002
– Economic Espionage Act of 1996
– USA PATRIOT Act of 2001
– Health Care and Education Reconciliation Act of 2010
– USA Freedom Act of 2015
– Clarifying Lawful Overseas Use of Data (CLOUD) Act
Privacy, cont.
Employee Privacy Issues
– Employee privacy issues must be addressed to ensure that the
organization is protected.
– Give employees proper notice of any monitoring that might be used.
– Ensure that the monitoring of employees is applied in a consistent
manner.
– Some actions are protected by the U.S. Constitution's Fourth
Amendment.
– Security professionals and senior management should consult with
legal counsel when designing and implementing any monitoring
solution.
Privacy, cont.
European Union & General Data Protection Regulation (GDPR)
– The EU Principles on Privacy include strict laws to protect private
data.
– The EU's Data Protection Directive provides direction on how to
follow the laws set forth in the principles.
– The EU created the Safe Harbor Privacy Principles to help guide
U.S. organizations in compliance with the EU Principles on Privacy.
– The EU Electronic Security Directive defines electronic signature
principles.
– Beginning on May 25, 2018, the members of the EU began applying
the General Data Protection Regulation (GDPR), which applies to
EU-based organizations that collect or process the personal data of
EU residents and to organizations outside the EU that monitor
behavior or offer goods and services to EU residents.
Privacy
What are the main reasons employers monitor workers?
Provide examples of three types of employee monitoring that
you feel are justified, and three examples of employee
monitoring you feel are not justified.
Privacy
You are a new brand manager for a product line of Coach
purses. You are considering purchasing customer data from a
company that sells a large variety of women’s products online.
In addition to providing a list of names, mailing addresses,
and email addresses, the data includes an estimate of
customers’ annual income based on the zip code in which
they live, census data, and highest level of education
achieved. You could use the data to identify likely purchasers
of your high-end purses, and you could then send those
people emails announcing the new product line and touting its
many features. List the advantages and disadvantages of such
a marketing strategy. Would you recommend this means of
promotion in this instance? Why or why not?
Investigation Types
Operations/Administrative: Do not result in any criminal, civil, or
regulatory issue.
Criminal: Carried out because a federal, state, or local law has been
violated.
Civil: Occur when one organization or party suspects another
organization of civil wrongdoing.
Regulatory: Occur when a regulatory body investigates an
organization for a regulatory infraction.
Industry Standards: Provide criteria within an industry relating to
standard functioning of operations in their respective fields of
production.
eDiscovery: Litigation or government investigations that deal with
the exchange of information in electronic format as part of the
discovery process.
Professional Ethics
Ethics for any profession are the right and wrong actions that are
the moral principle of that occupation.
Security professionals, particularly those who hold the CISSP
certification, should understand the ethics published by the
International Information Systems Security Certification Consortium
(ISC)2, the Computer Ethics Institute, the Internet Architecture
Board (IAB), and the organization that employs them.
Professional Ethics, cont.
(ISC)2 Code of Ethics
– (ISC)2 provides a strict Code of Ethics for its certificate holders.
• All certificate holders must follow the Code of Ethics.
• Any reported violations of the code are investigated.
• Certificate holders who are found to be guilty of violation will have their
certification revoked.
– The four mandatory canons for the Code of Ethics are:
• Protect society, the common good, necessary public trust and confidence,
and the infrastructure.
• Act honorably, honestly, justly, responsibly, and legally.
• Provide diligent and competent service to principals.
• Advance and protect the profession.
Professional Ethics, cont.
(ISC)2 Code of Ethics, cont.
– Certificate holders are required to report any actions by other
certificate holders that they feel are in violation of the code.
Computer Ethics Institute
– The Computer Ethics Institute created the Ten Commandments of
Computer Ethics:
1. Do not use a computer for harm.
2. Do not interfere with the computer work of other people.
3. Do not snoop around in the computer files of other people.
4. Do not use a computer to steal.
5. Do not use a computer to lie.
Professional Ethics, cont.
Ten Commandments of Computer Ethics, cont.
6. Do not install and use licensed software unless you have paid for it.
7. Do not use another person's computer unless you have permission or have
paid the appropriate compensation for said usage.
8. Do not appropriate another person's intellectual output.
9. Consider the consequences of the program you are writing or the system
you are designing.
10. Always use a computer in ways that ensure consideration and respect of
other people and their property.
Professional Ethics, cont.
Internet Architecture Board (IAB)
– The IAB oversees the design, engineering, and management of the
Internet.
– Ethics statements issued by the IAB usually detail any acts that they
deem irresponsible.
– Request for Comments (RFC) 1087, called "Ethics and the Internet,"
is the specific IAB document that outlines unethical Internet behavior.
Professional Ethics, cont.
Organizational ethics
– By adopting a formal ethics statement and program, the organization
emphasizes to its employees that they are expected to act in an
ethical manner in all business dealings.
– Several laws in the United States can affect the development and
adoption of an organizational ethics program.
– If an organization adopts an ethics program, the organization’s liability
is often limited if the organization ensures that personnel has been
instructed on the organization's ethics.
Professional Ethics
What does it mean for an organization to act ethically? How can
one evaluate whether this is the case?