Domain 1 - Laws and Regulations

Question 1

<p>Administrative law</p>

Answer 1

<p>Govt- mandated compliance measures. i.e. FCC regs, CDC regs.</p>

Question 2

<p>Attestation</p>

Answer 2

<p>3 party attests that the service provider is meeting requirements of SLA. Security or otherwise. ISO 27001 is commonly used for audit guide.</p>

Question 3

Business Records Exception/exemption

Answer 3

Business records, such as logs on a computer system, may be admitted as evidence if they were made at the time of the event by someone or something with direct knowledge, that they were kept in the course of regular business activity, and that keeping those records is a regular practice.

Must be accompanied by testimony of individual qualified to show these criteria were met.

Question 4

California Senate bill 1386

Answer 4

First state-based data-breach notification law in 2002.

Requires organizations experiencing a data breach to notify California residencts who might be affected.

Question 5

Circumstantial evidence

Answer 5

establishes the circumstances of a crime.

evidence which serves to establish the circumstances related to particular points or even other evidence

Question 6

Civil law (National System of law)

Answer 6

Leverages codified laws or statues to determine what is within the bounds of law. Most common type of national law across the world.

Not to be confused with sub-section of common law, also called ‘civil law’ - referencing tort law.

Question 7

<p>CoCom</p>

Answer 7

<p>Cold War era export control agreement - Coordinating Committee for Multilaterar Export Controls</p>

Question 8

Common law

Answer 8

Common law is the legal system used in the United States, Canada, the United Kingdom, and most former British colonies, amongst others. The primary distinguishing feature of common law is the significant emphasis on particular cases and judicial precedents as determinants of laws.

Question 9

Computer ethics institute 10 commandments

Answer 9

a. Thou shalt not use a comp to harm others
b. Not interfere with others’ comp. work.
c. Thou shalt not snoop
d. Not use comp. to steal
e. Not use a comp. to bear false witness
f. Not copy or use proprietary software for which you haven’t paid
g. Not use other’s comp resources without authori or proper compensation
h. Not appropriate others intellectual output.
i. You should think about social consequences of the program or system you’re engineering
j. Always use PC in a way to ensure consideration and respect for fellow humans.

Question 10

<p>Computer Fraud and Abuse act – title 18, section 1030</p>

Answer 10

<p>i. One of the first us laws about computer crime<br></br>ii. Attacks on computer systems with damages above $5000 are criminalized<br></br>iii. Foreign and interstate commerce portion covers many more computers than originally intended.<br></br>iv. Drafted 1984. Amended 2001, 2008</p>

Question 11

corroborative evidence

Answer 11

Provides additional evidence for a fact that may be called into question.

Is supporting evidence used to help prove an idea or point. It cannot stand on its own

Question 12

The Council of Europe’s Convention on Cybercrime of 2001

Answer 12

international cooperation in computer crime policy. Signed by 65 countries, including the US (signed 2006)

Question 13

Criminal law

Answer 13

Defines those crimes committed against society, even when the actual victim is a business or individual(s). Criminal laws are enacted to protect the general public

Question 14

Direct Evidence

Answer 14

Testimony of direct witness

Question 15

<p>Due care</p>

Answer 15

<p>AKA Prudent man rule. Means you do what a reasonable person would do in a given situation.</p>

Question 16

<p>due diligence</p>

Answer 16

<p>management of due care.</p>

Question 17

Electronic Communications Privacy Act – ECPA

Answer 17

Brings same level of search and seizure protection to non-telephony electronic communications.

PATRIOT act reversed this to a degree

Question 18

<p>Entrapment vs enticement</p>

Answer 18

<p>Entrapment = law enforcement persuades someone to commit a crime when they otherwise wouldn't have.<br></br><br></br>Enticement = Law enforcement makes chance of crime favorable, but the criminal was already going to do the criminal thing.</p>

Question 19

<p>EU US Safe Harbor (EU-US)</p>

Answer 19

<p>US orgs can share data with EU branches, if and only if they follow EU Data Protection Directive</p>

Question 20

Gramm-Leach Bliley Act

Answer 20

Requires financial institutions to protect the CIA of consumer financial info. Forced them to notify consumers of privacy practices.

Question 21

Gross negligence

Answer 21

If a system under your control is compromised and you can prove you did your Due Care you are most likely not liable.
If a system under your control is compromised and you did NOT perform Due Care you are most likely liable.

Question 22

h. Payment Card Industry Data Security Standards PCI-DSS

Answer 22

The standard applies to cardholder data for both credit and debit cards.

Requires merchants and others to meet a minimum set of security requirements.

Mandates security policy, devices, control techniques, and monitoring.

Question 23

Hearsay Evidence

Answer 23

Second hand evidence Not first and knowledge – normally inadmissible in a case.

Can be secondary witnesses, or computer logs that don’t meet the Business Records Exception/exemption.

Question 24

HIPAA

Answer 24

HIPAA (Not HIPPA) – Health Insurance Portability and Accountability Act.
Puts strict privacy and security rules on how PHI (Personal Health Information is handled by Health Insurers, Providers and Clearing House Agencies (Claims)).
HIPAA has 3 rules – Privacy rule, Security rule and Breach Notification rule.
The rules mandate Administrative, Physical and Technical safeguards.
Risk Analysis is required.

HITECH act of 2009 makes HIPPA Privacy and Security provisions apply to business associates of covered entities as well. Passed in 1996

Question 25

<p>Import/export restriction</p>

Answer 25

<p>generally related to crypto technology. Export restrictions from US. Import restrections in countries with low human rights</p>

Question 26

<p>ISC2 code of ethics, number of Canons and Preamble statements</p>

Answer 26

<p>4 Canons<br></br><br></br>2 Preamble statements</p>

Question 27

NIST 800-30 Risk mgmt guide

Answer 27

Guide for Conducting Risk Assessments

9 steps

1. System charecterization
2. Threat identify
3. Vuln. Identify
4. Control (safeguard) analysis
5. Liklihood determination
6. Impact analysis
7. Risk determination
8. Control recommendations
9. Results documentation

Question 28

OECD Privacy Guidelines

Answer 28

8 Principles1. Collection limitation 2. Data Quality3. Purpose Specification4. Use limitation5. Security Safeguards 6. Openness PRinciple7. Individual participation8. Accountability principle

Question 29

PATRIOT act

Answer 29

i. Expanded law enforcement electronic monitoring capabilities. Provided broader coverage for wiretaps. Allowed search and seizure without immediate disclosure
ii. Amends the ECPA so that 2nd offenders can get up to 20 years prison

Question 30

<p>Real Evidence</p>

Answer 30

<p>tangible/physical objects. Bloody Knife. Documentation, etc.</p>

Question 31

<p>Religious/customary law</p>

Answer 31

<p>Self explanatory</p>

Question 32

Right to penetration test, audit.

Answer 32

Common requirements put in an SLA. Requests the right to penetration test and/or audit the provider.

Question 33

Sarbanes Oxley 2002

Answer 33

i. Requires regulatory compliance for publicly traded companies.ii. Primary goal of SOX was to ensure good financial disclosure and auditor independence.

Question 34

Secondary evidence

Answer 34

This is common in cases involving IT.
Logs and documents from the systems are considered secondary evidence.

Copies of original documents, or oral description of said documents.

Question 35

<p>SLA, service level agreement.</p>

Answer 35

<p>Identifies key expectations between two business parties, ensures general performance expectations, increasingly also includes security requirements.</p>

Question 36

<p>US Breach Notification laws</p>

Answer 36

<p>Purpose to notify end users when their personal data is lost/stolen/released. Many states have safe harbor rules w/other states. Still very complex though, as each state has different rules.</p>

Question 37

<p>US Privacy Act of 1974</p>

Answer 37

<p>Codifies protection of personal data in use by fed govt. Individuals can access personal data used by govt</p>

Question 38

Wassenaar Arrangement

Answer 38

Current export control agreement. Less restrictive than CoCom.

Question 39

EU Data Protection Directive - Principle 1

Answer 39

Aggressive pro privacy law. 4 principles.

1. notify individ. how data is collected and used

Question 40

EU Data Protection Directive - Principle 2

Answer 40

2. Allow indiv. to opt out of sharing with 3rd parties

Question 41

EU Data Protection Directive - Principle 3

Answer 41

3. Require invid. to opt in for the most sensitive data

Question 42

EU Data Protection Directive - Principle 4

Answer 42

4. Provide reasonable protections on personal data

Question 43

Civil Law (sub section of Common law)

Answer 43

Not to be confused with the national type of law also called ‘civil law’

Tort law. deals with injury, resulting from someone violating their responsibility of duty of care. Burden of proof = beyond a reasonable doubt.