Information Security Laws PDF
Information Security
Laws
the Gramm-Leach-Bliley Act
(GLBA)
purpose
type Safeguards Rule
Financial Privacy Rule
Pretexting Protection
fine
The Health Insurance
Portability and Accountability
Act (HIPAA)
purpose
section The Privacy Rule
The Security Rule
Sarbanes-Oxley Act purpose
type Licensing
Licensing End-user license agreement
(EULA)
definition
purpose
example
Equipment-specific and Site
Licenses
definition
purpose
example
GPL and Open Source Licenses definition
purpose
example
Piracy and related issues in
Copyright law
definition
purpose
example
The Digital Millennium
Copyright Act (DMCA)
definition
purpose
example
Contract: Offer,
Acceptance,
Consideration.
Electronic Contract definition
structure
Computer crime: types of crimes: Trespass
Illegal interception without authority
Interference with computer data
without authorization
Interfering with a system without
authorization
child pornography
Industrial espionage
Harassment
Electronic Fraud
cyber vandalism
Theft of commercial documents
Civil law definition
purpose
example
Criminal law definition
purpose
example
Intellectual property law Copyright definition
purpose
example
UK law: Copyright, Designs and
Patents Act 1988 (the UK exception
is "fair dealing", not fair use)
limited monopoly
Fair Use (US law)
17 U.S.C. § 107 (Copyright Act)
four factors used in determining
fair use
Copyright and Fraud: Plagiarism
definition
Confidence
Design rights
Domain names
Moral rights
Performance rights
Patents definition
purpose
example
Patent Infringement
primary types of patents Utility patents definition
example
Design Patents definition
example
Plant Patents definition
example
innovation patent definition
example
Passing off
Trademarks definition
purpose
example
Service Mark definition
purpose
example
Collective Mark definition
purpose
example
Certification Mark definition
purpose
example
Service Mark and Trade Dress definition
purpose
example
Trademark application requirements: The applicant's name
A name and address for
correspondence
A clear depiction (drawing) of the mark
A list of the goods or services
provided
Trademark Infringement: Trademark Act of 1946 (Lanham Act),
15 U.S.C. §§ 1114, 1125
Document Management definition
purpose
example
Minimum Document Retention
Guidelines
Electronic Espionage definition
purpose
example
Import/export Laws definition
purpose
example
The Uniform Computer
Information Transactions Act
(UCITA)
definition
purpose
example
cryptography
encryption law
Tier 3 countries
Tier 4 countries
Liability definition
purpose
example
standard PCI DSS
COBIT
Upstream liability
Downstream liability
Spamming
Sexual Abuse of Children in Chat
Rooms
Child Pornography
Harassment
Identity Fraud
Privacy law definition
purpose
example
Electronic Communications
Privacy Act of 1986 (ECPA)
The Privacy Act of 1974, 5 U.S.C.
§ 552a
The Fair Credit Reporting Act
(FCRA)
The Right to Financial Privacy Act
of 1978
The Video Privacy Protection Act
of 1988
The Cable Communications
Policy Act of 1984
The Equal Credit Opportunity
Act (ECOA)
The Family Educational Rights
and Privacy Act (FERPA) of 1974
Defending confidentiality: physical security,
computer and network security,
the security of the network
infrastructure, and
the proper training of employees.
Transborder data flow
Monitoring employees: definition
purpose
example: Real-time interception from
monitoring the network and
systems,
Keystroke recorders, and
e-mail monitoring,
Court order,
Court-issued subpoena,
Review of log files,
Transactional data,
System usage history, and
Intrusion Detection Systems and
Firewalls
US law: Wiretap Act, 18 U.S.C. § 2511
Access to Stored Electronic
Communications, 18 U.S.C. § 2701
Wire Fraud Act, 18 U.S.C. § 1343
Trafficking in Fraudulent Access
Devices, 18 U.S.C. § 1029
Computer Fraud and Abuse Act,
18 U.S.C. § 1030
Litigation support definition
purpose
example
The litigation process of
discovery
definition
purpose
example
The U.S. Courts: Federal Rules of Civil Procedure (2006 e-discovery amendments) definition of discoverable material
Early Attention to Electronic
Discovery Issues
Rule
26(a)(1)(B)
Rule 16(b)(5)
Format of Production
Electronically Stored Information
from Sources that Are Not
Reasonably Accessible
Rule
26(b)(2)(B), subject to the limits
of 26(b)(2)(C)(i), (ii), and (iii)
Asserting Claim of Privilege or
Work Product Protection After
Production
Rule 26(b)(5)(B)
Safe Harbor Provisions Rule 37(f)
(renumbered 37(e) in the 2007 restyling)
Elements of
Investigations
Incident handling and response: effective management covers
the development of an incident
response function within the
organization,
the actual response to an incident
and how it is handled, and
the successful recovery and
learning process that follows
the incident.
Issues that need to be
addressed by management:
Ensuring that policies and
processes exist and are effective,
Ensuring that staff are available
and trained in a manner that
allows them to successfully
respond,
Ensuring that the proper authority
and chain of command has been
decided before the incident
occurs, and
Ensuring that the incident team
has the necessary equipment and
software.
Contracts and other agreements
with third parties need to
incorporate incident response
processes:
Acceptable SLA targets
Liability of the contracting parties
Regulatory requirement
satisfaction
Access control requirements
Right to audit or contract an audit
Right to monitor activity and
suspend accounts
Escalation procedures and
contacts
Maintenance responsibilities
Steps: 1. preparation of the system;
2. identification of the problem;
3. containment of the problem;
4. eradication of the problem;
5. recovery from the incident;
6. the follow-up analysis.
Incident Response Procedures
Types of information that should
be logged:
1. Dates and times of incident-
related phone calls.
2. Dates and times when incident-
related events were discovered or
occurred.
3. Amount of time spent working
on incident-related tasks.
4. People you have contacted or
have contacted you.
5. Names of systems, programs or
networks that have been affected
Dimensions of preparation: Personnel,
Policy and procedure,
Software and hardware,
Data and communications,
Power and environmental
controls,
Transport,
Room to operate
Documentation
Incident response teams (CSIRT)
Evidence preservation: Document file names, dates, and
times on the system and create a
timeline
Chain of Custody
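The two preservation steps above (record file names and MAC times into a timeline, then keep a chain of custody) are mechanical enough to script. The following Python is an added example, not code from the source document: it inventories a directory with SHA-256 hashes and modification/access/change times, flattens those times into a chronological timeline (the same idea as the classic mactime body file), and keeps an append-only custody log in which each entry commits to the hash of the previous one, so a later edit or deletion is detectable. The sample evidence files, the analyst names and the timestamps are constructed for the demonstration; real acquisition would hash a forensic image, not a live file tree.

```python
"""Evidence preservation: inventory files with their MAC times and SHA-256,
flatten them into a timeline, and keep a hash-chained chain-of-custody log.
Added example; not from the source document. Sample evidence is constructed."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev-hash recorded by the first custody entry


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def inventory(root):
    """Stat each file BEFORE hashing it, so the recorded atime is the one found
    on the system rather than the one our own read just produced."""
    items = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            p = os.path.join(dirpath, name)
            st = os.stat(p)
            items.append({
                "path": os.path.relpath(p, root), "size": st.st_size,
                "mtime": st.st_mtime, "atime": st.st_atime, "ctime": st.st_ctime,
                "sha256": sha256_file(p),
            })
    return items


def timeline(items):
    """One row per timestamp, sorted chronologically (the mactime idea)."""
    rows = sorted((it[k], k, it["path"])
                  for it in items for k in ("mtime", "atime", "ctime"))
    return [{"time": datetime.fromtimestamp(t, timezone.utc).isoformat(),
             "event": k, "path": p} for t, k, p in rows]


def verify_inventory(root, items):
    """Re-hash every file; return the paths that are missing or altered."""
    return [it["path"] for it in items
            if not os.path.exists(os.path.join(root, it["path"]))
            or sha256_file(os.path.join(root, it["path"])) != it["sha256"]]


def _digest(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    """Append-only custody record. Every entry commits to the previous entry's
    hash, so editing or dropping any earlier entry makes verify() fail."""

    def __init__(self):
        self.entries = []

    def add(self, actor, action, evidence_sha256, note=""):
        body = {"seq": len(self.entries), "actor": actor, "action": action,
                "evidence_sha256": evidence_sha256, "note": note,
                "prev": self.entries[-1]["entry_hash"] if self.entries else GENESIS}
        body["entry_hash"] = _digest(body)  # hash taken before the field is added
        self.entries.append(body)
        return body["entry_hash"]

    def verify(self):
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i or e["prev"] != prev or _digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def demo():
    """Run the workflow on constructed sample files in a temporary directory."""
    root = tempfile.mkdtemp(prefix="evidence_")
    try:
        samples = {"notes.txt": b"meeting notes\n",            # constructed
                   "export.csv": b"id,amount\n1,500\n",         # constructed
                   "tool.bin": b"\x7fELF" + bytes(12)}          # constructed
        base = 1_700_000_000  # 2023-11-14T22:13:20Z, an assumed sample time
        for i, (name, data) in enumerate(samples.items()):
            p = os.path.join(root, name)
            with open(p, "wb") as f:
                f.write(data)
            os.utime(p, (base + 60 * i, base + 3600 * i))  # (atime, mtime)
        items = inventory(root)
        manifest = _digest(items)  # one hash committing to the whole inventory
        log = CustodyLog()
        log.add("analyst A", "acquired", manifest, "imaged from workstation")
        log.add("analyst B", "received", manifest, "handed over for analysis")
        chain_ok = log.verify()
        # Now tamper with the evidence and with the log, and re-check both.
        with open(os.path.join(root, "export.csv"), "ab") as f:
            f.write(b"2,999\n")
        changed = verify_inventory(root, items)
        log.entries[0]["note"] = "imaged from laptop"
        return {"files": len(items), "first_event": timeline(items)[0],
                "chain_ok": chain_ok, "changed": changed,
                "log_tamper_detected": not log.verify()}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The ctime column cannot be set by the investigator (it records when the inode last changed), which is exactly why it is worth keeping: an attacker who back-dates mtime with `touch` still leaves a ctime of "now". Note also that merely opening a file to hash it can update its atime, which is why the example stats before it reads and why a write-blocker or an image is used in real acquisition.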
Digital Forensics: Identify and articulate probable
cause necessary to obtain a search
warrant and recognize the limits
of warrants.
Locate and recover relevant
electronic evidence from
computer systems using a variety
of tools.
Recognize and maintain a chain of
custody.
Follow a documented forensics
investigation process.
Dos and Don'ts: Ask questions
Document methodically
Operate in good faith
Don't get in too deep
Decide to investigate
Treat everything as confidential
File it
Sources of evidence: Computer-based information
Photographs, Maps and Charts
Internal Correspondence and
email
Legal and Regulatory Filings
Company Intranet access and
Publications
Formal meeting minutes or
transcripts
Casual conversations
Conversations at trade shows and
events.
Private personnel records
Home addresses
Home phone number
Names of spouse and children
Employee salary
Social security number
Medical records
Credit records or credit union
account information
Performance reviews
Documentation
SMART methodology: Specific
Measurable
Achievable
Realistic
Time-based
Interviewing and fact-finding
goal: Establish rapport
Stress that the interview is
seeking only the truth
Listen carefully
Evaluate the interviewees
responses to the questions with
care
Take first-rate notes
Remain objective and composed
List: Interviewees - who is to be
interviewed
The order of the interviews
How much time has been allotted
per interview
Classify the interviewees (such as
by complainant, witness, subject)
Research and list the allegations
that pertain to each interviewee
and the relevant facts for each of
these
Write out the questions you
intend to ask beforehand.
The number of interviewers that
will be present
A topic outline
Phases: Phase 1: Introduction
Phase 2: Build Rapport
Phase 3: Questioning
Phase 4: Summarize
Phase 5: Close
Problems: 1. Uncooperative interviewees
2. Refusal to comply
3. Intimidation from either party
4. Requests for other attendees at
an interview
5. A loss of impartiality
6. Reprisal
7. Requests for advice from
interviewees
Techniques: Sworn Statement or Declaration
Verbatim (such as a tape
recording)
Results of Interview (Record of
Interview)
Video and Teleconference
Interviews
Searches (and the 4th
Amendment)
Warrants
Anton Piller order (civil search order)
Professional Ethics: definition
purpose
example
examples of principles
Mission, Vision and Values
Statements
The Mission Statement: What do we do and why?
How do we do it?
For whom do we do it?
Provides a "reason for being".
Provides clarity and focus and
makes choices.
Is clear and concise.
Should be accepted by the wider
organization.
Helps guide people into doing the
right thing.
The Vision Statement: A plan for the future,
A source of inspiration,
The place to go when in need of
clear decision-making criteria,
The source to ensure that policy
aligns with the destination set by
the organization.
Commitment: It creates a sense of desire and
builds commitment.
Paints the ideal future.
Is an expression made in terms of
hope.
Is united with the values of the
organization.
A Statement of Values: Code of Ethics Preamble
Code of Ethics Canons
Encourage: Research
Teaching
Identifying, mentoring, and
sponsoring candidates for the
profession
Valuing the certificate
Discourage: Raising unnecessary alarm, fear,
uncertainty, or doubt
Giving unwarranted comfort or
reassurance
Consenting to bad practice
Attaching weak systems to the
public network
Professional association with non-
professionals
Professional recognition of or
association with amateurs
Associating or appearing to
associate with criminals or
criminal behavior
Protect society, the
commonwealth, and the
infrastructure
Act honorably, honestly, justly,
responsibly, and legally
Provide diligent and competent
service to principals
Advance and protect the
profession
Interpreting Policy as a Security
Professional - Ethics
Vision statements
Mission statements
Doctrine or Core values
Frequent internal writings on
related topics
Awareness sessions
The Ten Commandments of Computer
Ethics (Computer Ethics Institute)
Thou shalt not use a computer
to harm other people.
Thou shalt not interfere with
other people's computer work.
Thou shalt not snoop around in
other people's computer files.
Thou shalt not use a computer
to steal.
Thou shalt not use a computer
to bear false witness.
Thou shalt not copy or use
proprietary software for which
you have not paid.
Thou shalt not use other
people's computer resources
without authorization or proper
compensation.
Thou shalt not appropriate
other people's intellectual
output.
Thou shalt think about the social
consequences of the program
you are writing or the system
you are designing.
Thou shalt always use a
computer in ways that insure
consideration and respect for
your fellow human being.
Human Resource (HR) Issues: Terms and Conditions of
Employment - Employment
Letters / Contracts
Employee Confidential
Information Undertaking
documents
policies on Intellectual Property
Rights
Sharing Employee Information
Induction Training
Disciplinary Process
Grievance Procedure
Exit Interviews
Information Security Clearance
Levels
Compliance with legal
requirements