Legal / Standards Flashcards

1
Q

18 USC §1029 and 1030

A

The U.S. Code organizes the federal statutes of the United States by title. Title 18 covers “Crimes and Criminal Procedure.” Section 1029, “Fraud and related activity in connection with access devices,” makes it a crime to knowingly and with intent to defraud produce, use, or traffic in counterfeit or unauthorized access devices (including telecommunications instruments modified to obtain service) and, by doing so, obtain anything of value aggregating $1,000 or more in a one-year period. Because “access device” is defined broadly, Section 1029 also covers the misuse of computer passwords, account numbers, and hardware tokens.

Section 1030, “Fraud and related activity in connection with computers” (the Computer Fraud and Abuse Act, CFAA), prohibits accessing a protected computer without authorization or in excess of authorized access, and prohibits knowingly transmitting code or commands that cause damage. It is the statute under which spreading viruses and worms and breaking into computer systems are prosecuted, and it is the reason a penetration tester needs written authorization that defines the scope of any testing before it starts.

2
Q

Federal Information Security Management Act (FISMA)

A

The Federal Information Security Management Act (FISMA), enacted in 2002 and updated by the Federal Information Security Modernization Act of 2014, makes an agency-wide information security program, including periodic testing of security controls, a mandatory requirement for U.S. federal agencies. That testing requirement is what drives much of the security assessment and penetration testing performed against federal systems; the authorization to test any particular system still comes from the agency that owns it, not from the statute itself.
FISMA requires that each federal agency develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. The information security program must include the following:

Periodic assessments of the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency

Policies and procedures that are based on risk assessments, cost-effectively reduce information security risks to an acceptable level, and ensure that information security is addressed throughout the life cycle of each agency information system

Subordinate plans for providing adequate information security for networks, facilities, information systems, or groups of information systems, as appropriate

Security awareness training to inform personnel (including contractors and other users of information systems that support the operations and assets of the agency) of the information security risks associated with their activities and their responsibilities in complying with agency policies and procedures designed to reduce these risks

Periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices (including the management, operational, and technical controls of every agency information system identified in their inventory) with a frequency depending on risk, but no less than annually

A process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency

Procedures for detecting, reporting, and responding to security incidents (including mitigating risks associated with such incidents before substantial damage is done, and notifying and consulting with the federal information security incident response center and, as appropriate, law enforcement agencies, relevant Offices of Inspector General, and any other agency or office, in accordance with law or as directed by the President)

Plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency

Because testing and evaluation must recur at least annually, and deficiencies must be tracked through remediation, FISMA creates ongoing demand for security auditors and penetration testers in federal agencies and the contractors that support them.

3
Q

Sarbanes-Oxley Act (SOX)

A

In 2002, the United States Congress passed the Sarbanes-Oxley Act (SOX) to protect shareholders and the general public from accounting errors and fraudulent practices in enterprises and to improve the accuracy of corporate disclosures. The act sets deadlines for compliance, and the Securities and Exchange Commission (SEC) publishes the rules that implement its requirements.

Senator Paul Sarbanes and Representative Michael Oxley sponsored the act with the goal of improving corporate governance and accountability, in light of the financial scandals at Enron, WorldCom, and Tyco, among others.

SOX requires publicly traded companies to submit to independent audits and to properly disclose financial information. Section 404 also requires management to establish and assess internal controls over financial reporting; in practice this pulls in the IT general controls (access control, change management, logging, and backup) on the systems that produce financial data, which is why SOX audits land on the security team. Under Section 302, Chief Executive Officers (CEOs) and Chief Financial Officers (CFOs) must certify both that those internal controls have been established and that the company’s financial statements are accurate.

4
Q

ISO 27002

A

ISO/IEC 27002 is the international standard that outlines best practices for implementing information security controls. It is the companion standard to ISO/IEC 27001, the international standard that specifies the requirements for an information security management system (ISMS). Organizations are certified against ISO/IEC 27001; ISO/IEC 27002 is implementation guidance for the controls listed in Annex A of ISO/IEC 27001 and is not itself certifiable.

This standard covers the controls that are an important part of information security management for any organization. Any organization that stores and manages information should have controls in place to address information security risks. Although the specific requirements for handling information security differ from one organization to the next, many of the same controls can be put in place to secure data and comply with legal standards.

5
Q

HIPAA

A

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information. The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by specifying the administrative, physical, and technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI). Within HHS, the Office for Civil Rights (OCR) is responsible for enforcing the Privacy and Security Rules through voluntary compliance activities and civil money penalties.

6
Q

GLBA

A

The U.S. Gramm-Leach-Bliley Act (GLBA), passed in 1999, is a law that protects the confidentiality and integrity of nonpublic personal information collected by financial institutions. Its Privacy Rule requires financial institutions to disclose their information-sharing practices to their customers, and its Safeguards Rule requires them to maintain a written information security program with administrative, technical, and physical safeguards for customer data.

7
Q

PCI DSS

A

The Payment Card Industry Data Security Standard (PCI DSS) is not a law; it is a contractual standard created and maintained by the Payment Card Industry Security Standards Council (PCI SSC), which was founded by American Express, Discover, JCB, MasterCard, and Visa. PCI DSS focuses on protecting cardholder data (primary account numbers and the sensitive authentication data that accompanies them) by building and maintaining secure networks, protecting stored and transmitted data, managing vulnerabilities, implementing strong access control, regularly testing and monitoring networks, and maintaining an information security policy. To comply with PCI DSS Requirement 11, organizations must perform quarterly external vulnerability scans through a PCI SSC Approved Scanning Vendor (ASV), quarterly internal vulnerability scans, and annual penetration tests; scans and tests must also be repeated after any significant change to the network. Internal vulnerability scans can be performed with a tool such as Nessus, SAINT, or Retina; Core Impact is primarily an exploitation framework and belongs to the penetration-testing side of the requirement.

The PCI DSS standard consists of the following 12 requirements:

1: Install and maintain a firewall configuration to protect cardholder data.
2: Do not use vendor-supplied defaults for system passwords and other security parameters.
3: Protect stored cardholder data.
4: Encrypt transmission of cardholder data across open, public networks.
5: Use and regularly update antivirus software or programs.
6: Develop and maintain secure systems and applications.
7: Restrict access to cardholder data by business need to know.
8: Assign a unique ID to each person with computer access.
9: Restrict physical access to cardholder data.
10: Track and monitor all access to network resources and cardholder data.
11: Regularly test security systems and processes.
12: Maintain a policy that addresses information security for all personnel.

8
Q

NIST SP 800-30

A

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30 Revision 1, Guide for Conducting Risk Assessments (2012), defines a four-step risk assessment process; the tasks under the second step are the ones usually memorized as “the steps”:

  1. Prepare for the assessment: identify its purpose, scope, assumptions and constraints, the information sources (threat, vulnerability, and impact data) to be used, and the risk model and analytic approach
  2. Conduct the assessment:
     a. Identify threat sources and threat events
     b. Identify vulnerabilities and predisposing conditions (vulnerability scans are one input here; running scanners from more than one vendor reduces the blind spots of any single tool)
     c. Determine likelihood
     d. Determine impact
     e. Determine risk as a function of likelihood and impact
  3. Communicate and share risk assessment information with the decision makers who need it
  4. Maintain the assessment by monitoring the risk factors and updating the assessment as they change

The original 2002 edition of SP 800-30 used a nine-step sequence (System Characterization, Threat Identification, Vulnerability Identification, Control Analysis, Likelihood Determination, Impact Analysis, Risk Determination, Control Recommendations, Results Documentation), which older exam material still quotes.
9
Q

OSSTMM

A

The Institute for Security and Open Methodologies (ISECOM) maintains the OSSTMM, which provides a repeatable framework for operational security testing and analysis. The OSSTMM includes testing of human, physical, wireless, telecommunications, and network security. ISECOM has also created a version of the OSSTMM for web application security testing and analysis.

The OSSTMM defines three types of compliance:

- Legislative – deals with governmental regulations
- Contractual – deals with requirements that are enforced by an industry or group
- Standards-based – deals with practices that are recommended and must be followed to be certified by an organization or group

The OSSTMM recognizes the following 10 types of controls, which are divided into two classes:

Class A – Interactive Controls
  - Authentication – provides for identification and authorization based on credentials
  - Indemnification – provides contractual protection against loss or damages
  - Resilience – protects assets from corruption or failure
  - Subjugation – ensures that interactions occur according to processes defined by the asset owner
  - Continuity – maintains interactivity with assets if corruption or failure occurs

Class B – Process Controls
  - Nonrepudiation – prevents a participant from denying its actions
  - Confidentiality – ensures that only participants have knowledge of an asset
  - Privacy – ensures that only participants have access to the asset
  - Integrity – ensures that participants know when assets and processes change
  - Alarm – notifies participants when interactions occur

10
Q

FITARA

A

The Federal Information Technology Acquisition Reform Act (FITARA) was a 2013 bill intended to change the framework that determines how the U.S. government purchases technology. A primary aim was to reduce the share of the budget spent on maintaining out-of-date systems. The bill was also intended to create and streamline Chief Information Officer (CIO) roles in federal agencies, with the exception of the U.S. Department of Defense (DOD), and to assign responsibilities to those roles. FITARA did not pass Congress as a standalone bill, but several of its sections became U.S. law as part of the National Defense Authorization Act (NDAA) for Fiscal Year 2015.

11
Q

TCSEC

A

The Trusted Computer System Evaluation Criteria (TCSEC) provides guidance on evaluating the effectiveness of computer security controls, whereas the Trusted Network Interpretation Environments Guideline (TNIEG) provides guidance on the minimum security protection required in different network environments. TCSEC, also known as the Orange Book, was published by the U.S. Department of Defense (DoD) in 1983 and revised in 1985. Systems are evaluated against the following four divisions of security, where A is the highest form of security and D is the lowest:

A. Verified Protection
B. Mandatory Protection
C. Discretionary Protection
D. Minimal Protection

Divisions are further broken down into numbered classes that more precisely describe the system’s method of access control, with higher numbers indicating more secure systems: D, C1 (discretionary security protection), C2 (controlled access protection), B1 (labeled security protection), B2 (structured protection), B3 (security domains), and A1 (verified design). TCSEC has since been superseded by the Common Criteria (ISO/IEC 15408), but its divisions remain common exam material.
