U.S. Law: U.S. Information Security Law and Regulations

Question 1

What’s Computer Fraud and Abuse Act (CFAA)?

Answer 1

the first major piece of US cybercrime-specific legislation

Question 2

What’s Federal Sentencing Guidelines?

Answer 2

punishment guidelines to help federal judges interpret computer crime laws

Question 3

What’s Federal Information Security Management Act (FISMA)?

Answer 3

formal infosec operations for federal government

Question 4

What’s Children’s Online Privacy Protection Act (COPPA)? Specify the age.

Answer 4

• protect the online privacy of children under the age of 13
• places certain requirements on operators of websites or online services directed towards children or those with knowledge that they collect personal information from children

Question 5

What’s Electronic Communication Privacy Act (ECPA)?

Answer 5

• governs the privacy of electronic communications
• defines the legal standards for government surveillance, access, and disclosure of electronic communications, including emails, text messages, and other forms of electronic communication

Question 6

What’s Gramm-Leach-Bliley Act (GLBA)?

Answer 6

• U.S. federal law that governs the privacy and security of customer information held by financial institutions
• aims to ensure the confidentiality and integrity of consumers’ personal financial information

Question 7

What is the key requirment when doing crimminal investigation?

Answer 7

• document the time, place, who was there, each step
• later, there will be a need to demonstrate what was done, whether procedures were followed

Question 8

What’s Chain of Custody?

Answer 8

• process of maintaining the integrity, confidentiality, and availability of digital evidence in a forensically sound manner
• it is an unbroken documented record of everything done with, and by whom, during the evidence lifecycle

Question 9

What does Computer and Abuse Act (CFAA) address?

Answer 9

unauthorized and malicious activities on federal systems

Question 10

What are enforceable governmental requests?

Answer 10

• warrant (soudní autorizace pro policii; e.g. prohledani bytu)
• subpoena (předvolání)
• court order (soudní příkaz)

Question 11

To be admissible, evidence must be what? (3)

Answer 11

1. relevant
2. material
3. competent

Question 12

What individuals are responsible for preserving the chain of custody of evidence?

Answer 12

• police investigators
• evidence technicians
• attorneys
• anyone involved in the collection, processing, analysis and production of evidence

Question 13

Can crime be also violation of a regulation?

Answer 13

yes

Question 14

What law prevents government agencies from disclosing personal information that an individual supplies to the government under protected circumstances?

Answer 14

Privacy Act

Question 15

What federal government agency has the authority to regulate the export of encryption software?

Answer 15

Bureau of Industry and Security (BIS)

Question 16

What U.S. law prevents the removal of protection mechanisms placed on a copyrighted work by the copyright holder?

Answer 16

Digital Millennium Copyright Act (DMCA) prohibits attempts to circumvent copyright protection mechanisms placed on a protected work by the copyright holder

Question 17

What does DMCA stand for?

Answer 17

Digital Millennium Copyright Act (DMCA)

Question 18

How does DMCA protect ISPs?

Answer 18

ISPs are not liable for the “transitory activities” of their customers; the fact that their customers transmit copyrighted material through their network does not make them liable

Question 19

Can HIPPA, GLBA and SOX involve criminal penalties if violated?

Answer 19

yes

Question 20

What is Government Information Security Reform Act (GISRA)?

Answer 20

precursor to FISMA which expired in 2002

Question 21

What does FedRAMP stand for?

Answer 21

Federal Risk and Authorization Management Program (FedRAMP)

Question 22

What’s FedRAMP?

Answer 22

U.S. federal program that mandates a standardized approach to security assessment, authorization and continuous monitoring of cloud products and services

Question 23

What does a cloud service need in order to be able to provide cloud services to U.S. government?

Answer 23

FedRAMP certification

Question 24

Which law effectively extends the fourth amendment of the U.S. constitution to the electronic realm?

Answer 24

The Stored Communication Act (SCA) of 1986

Question 25

What was the reason behind creating The Stored Communication Act (SCA) of 1986?

Answer 25

to create privacy protection for electronic communications like email or other digital communication stored on the internet

Question 26

What are the 7 principles of Privacy Shield that organizations need to commit to?

Answer 26

1. notice
2. choice
3. security
4. access
5. accountability for onward transfer
6. data integrity and purpose limitation
7. recourse, enforcement and liability

Question 27

What are contractual requirements?

Answer 27

agreements that often specify a set of security controls or a compliance framework that must be implemented by a vendor; required by a legal contract between private parties (e.g. PCI DSS)

Question 28

GDPR conflicts with what U.S. law and in what way?

Answer 28

GDPR conflicts with the CLOUD Act; GDPR forbids the transfer of data to countries that lack adequate privacy protections

Question 29

What are statutory requirements?

Answer 29

requirements required by law

Question 30

What’s the name of the government-wide program that provides for a standardized approach to security assessments, authorization, and continuous monitoring of cloud products and services?

Answer 30

FedRAMP

Question 31

What does the Clarifying Lawful Overseas Use of Data (CLOUD) Act require the U.S.-based businesses to do?

Answer 31

respond to legal requests for data no matter where the data is physically located; aids in evidence collection in investigation of serious crimes

Question 32

What is the purpose of Privacy Shield?

Answer 32

exists to solve the lack of an US-equivalent to GDPR, which impacts rights and obligations around data transfer; allows the transfer of personal data from EEA (European Economic Area) to the U.S. based companies

Question 33

What is dictated by standards?

Answer 33

a reasonable level of performance; can be internal (created by the org itself) or external (from industry bodies or trade groups)

Question 34

What is a framework?

Answer 34

set of guidelines helping organizations improve their security posture

Question 35

What does the Clarifying Lawful Overseas Use of Data (CLOUD) Act require?

Answer 35

requires CSPs to hand over data to aid in investigation of serious crimes, even if stored in another country

Question 36

What are regulatory requirements?

Answer 36

refer to rules issued by a regulatory body (appointed by a governmental entity) that may be required by law

Question 37

What laws contain breach notification requirements?

Answer 37

1. GLBA
2. HIPAA