Chapter 4
What is the penalty for theft of trade secrets where a foreign government or agent is involved?
$500K and 15 years imprisonment based on the Economic Espionage Act of 1996
What are the three types of software license agreements?
(1) Contractual - written agreements between a software vendor and user. (2) Shrink-wrap agreements - written on software packaging and take effect when a user opens the package. (3) Click-wrap agreements - included in a package but require the user to accept the terms during the software installation process.
In the US, how long are trademarks initially issued for?
10 years. Can be renewed for unlimited successive 10-year periods.
What is the minimum age a child must be before companies can collect personal identifying information from children without parental consent, according to the Children's Online Privacy Protection Act (COPPA)?
13
What is the standard duration of patent protection in the US?
20 years from the application date with the Patent and Trademark Office
Current copyright law provides for a lengthy period of protection. Works by one or more authors are protected until _________ years after the death of the last surviving author
70 years. Works for hire and anonymous works are provided protection for 95 years from the date of first publication or 120 years from the date of creation, whichever is shorter.
What is a copyright?
Protection for an original work of authorship (the creator's work). Examples include books, articles, poems, and songs. Protects the actual source code of computer software, not the ideas or process behind the software.
What is a trade secret?
A secret device or technique used by a company in manufacturing its products. Intellectual property that is critical to a business. Trade secret law protects the operating secrets of a firm. Patent law does not provide adequate protection for computer software products.
What does the prudent man rule mean?
Allows executives to minimize punishment if they have acted prudently.
What are the notification requirements placed on organizations that experience a data breach?
California's SB 1386 implemented the first statewide requirement to notify individuals of a breach of their infrastructure. All but three states eventually followed suit with similar laws. Currently, federal law only requires the notification of individuals when a HIPAA-covered entity breaches their protected health information.
What is the difference between certification and accreditation (with regards to Security Management)?
Certification is the technical evaluation of the security components and their compliance for the purpose of accreditation. Accreditation is the formal acceptance by management of the adequacy of the system's overall security.
Contract disputes, real estate transactions, employment matters, and estate/probate procedures are examples of which type of law _______________
Civil law
Administrative law is published in the ______________________
Code of Federal Regulations (CFR)
__________ amended the ECPA to require all communication carriers to make wiretaps possible for law enforcement with an appropriate court order, regardless of the technology
Communications Assistance for Law Enforcement Act (CALEA)
___________ was the first major piece of cybercrime-specific legislation in the United States
Computer Fraud and Abuse Act (CFAA). It was carefully written to exclusively cover computer crimes that crossed state boundaries, to avoid infringing on states' rights and treading on thin constitutional ice.
Which act protects computers used by the government or in interstate commerce from a variety of abuses?
Computer Fraud and Abuse Act. First major piece of cybercrime-specific legislation in the US in 1984. It was amended in 1994 to include financial firms that do business with the government.
___________ guarantees the creators of "original works of authorship" protection against the unauthorized duplication of their work
Copyright law
What is the difference between criminal law, civil law, and administrative law?
Criminal law protects society against acts that violate basic principles we believe in. Violations of criminal law are prosecuted by federal and state governments. Civil law provides the framework for the transaction of business between people and organizations (law enforcement agencies are not involved). Violations of civil law are brought to the court and argued by the two affected parties. Administrative law is used by government agencies to effectively carry out their day-to-day business (federal regulations enforced).
The 2014 FISMA modified the rules of the 2002 FISMA by centralizing federal cybersecurity responsibility with the ________________________
Department of Homeland Security. However, defense-related cybersecurity issues are the responsibility of the Secretary of Defense, while the Director of National Intelligence bears responsibility for intelligence-related issues.
The _____________________ includes the prohibition of attempts to circumvent copyright protection mechanisms placed on a protected work by the copyright holder (designed to protect copy-prevention mechanisms on digital media)
Digital Millennium Copyright Act (DMCA). Provides for penalties of up to $1,000,000 and 10 years in prison for repeat offenders. The DMCA also recognizes that ISPs have a legal status similar to the "common carrier" status of telephone companies and does not hold them liable for the "transitory activities" of their users. To be exempt from this, the ISP cannot interfere with transmissions.
Which act prohibits the circumvention of copy protection mechanisms placed in digital media and limits the liability of Internet service providers for the activities of their users?
Digital Millennium Copyright Act of 1998
Which act provides penalties for individuals found guilty of the theft of trade secrets?
Economic Espionage Act of 1996. Harsher penalties apply when the individual knows that the information will benefit a foreign government. Typically $500,000 fine and up to 15 years in jail for stealing trade secrets from a US corporation with the intent of benefitting a foreign government or agent.
Which act makes it a crime to invade the electronic privacy of an individual?
Electronic Communications Privacy Act (ECPA)
The ___________ Act made it a crime to invade the electronic privacy of an individual
Electronic Communications Privacy Act of 1986 (ECPA)
The __________, which was passed in 2016 and went into effect in 2018, provides a single, harmonized law that covers data throughout the European Union. It has a much wider scope than the data protection directive. Applies to all orgs that collect data from EU residents or process that information on behalf of someone who collects it. It also applies to organizations that are not based in the EU. The ability of the EU to enforce this law globally remains an open question.
European Union General Data Protection Regulation (GDPR). Covers protection of personal information.
How did the National Infrastructure Protection Act of 1996 extend the CFAA?
Extended the CFAA coverage to utilities, railroads, airlines, etc. Treats any reckless or irresponsible use of "infrastructure" as a felony.
______ is the law that governs information security operations at federal agencies
FISMA - Federal Information Security Management Act. It places authority for classified systems in the hands of the NSA, and authority for all other systems with the National Institute for Standards and Technologies.
The ________________ act requires that federal agencies implement an information security program that covers the agency's operations
Federal Information Security Management Act (FISMA). It also requires that government agencies include the activities of their contractors in their security management programs. It places a significant burden on federal agencies and government contractors, who must develop and maintain substantial documentation of their FISMA compliance activities.
Which act modernized FISMA?
Federal Information Systems Modernization Act. NSA and DoD are dealt with separately from other government agencies and non-governmental organizations.
Which privacy regulation requires deletion of data when it is no longer needed?
GDPR.
Which act relaxed the regulations about what information could be shared among banks, insurance firms, and other financial institutions?
Gramm-Leach-Bliley Act of 1999 (GLBA)
The ___________ act relaxed regulations for banks, insurance companies, and creditors. Limited the type of information that can be exchanged among subsidiaries of the same corporation and required financial institutions to provide written policies to all customers by 2001.
Gramm-Leach-Bliley Act (GLBA) of 1999
_____________ made changes to laws governing health insurance and health maintenance organizations (HMOs). Among the provisions are privacy and security regulations requiring strict security measures for hospitals, physicians, insurance companies, and organizations that process or store private medical information about individuals.
Health Information Portability and Accountability Act (HIPAA)
What is important about the Health Information Technology for Economic and Clinical Health Act of 2009?
In 2009, Congress amended HIPAA by passing HITECH, which updated many of HIPAA's privacy and security requirements. Adds coverage for business associates that handle protected health information on behalf of a HIPAA-covered entity. HITECH's data breach notification rule is unique in that it is a federal law mandating the notification of affected individuals.
Copyrights, trademarks, patents, and trade secrets are all examples of what?
Intellectual Property
___________ has the responsibility for coordinating worldwide work on voluntary cybersecurity standards
NIST. Congress assigned this responsibility by passing the Cybersecurity Enhancement Act.
What is a trademark?
Names, slogans, and logos that identify a company, product, or service. Official recognition of a trademark can be registered with the US Patent and Trademark Office (USPTO).
Should senior management delegate important security tasks to IT and Security personnel?
No, not in totality. IT and Security personnel should be consulted, but the tasks should not be delegated to them.
Are mathematical algorithms (e.g., code) able to be patent-protected?
No. They can be copyrighted though. If the code will be made public, then someone wouldn't seek trade secret protection.
Which privacy standard requires the following to occur: (1) all data has to be firewalled, (2) default passwords may never be used, (3) physical controls on equipment used in data handling and storage, and (4) regular security tests?
PCI Data Security Standard
A __________ provides protection for the creators of new inventions. Refers to hardware and manufacturing processes with regards to security.
Patent. Software source code cannot be patented (it can be copyrighted). However, the processes and hardware behind software code can be patented.
_______ are given an initial period of 20 years in which the inventor is given exclusive rights. At the end of the period, the invention is in the public domain available for anyone to use
Patents
The ____________ is a compliance requirement that is not dictated by law but by contractual obligation. It governs the security of credit card information and is enforced through the terms of a merchant agreement between a business that accepts credit cards and bank that processes the business's transactions.
Payment Card Industry Data Security Standard (PCI DSS). Orgs that are not merchants but store, process, or transmit credit card information on behalf of merchants must also comply with PCI DSS.
Which act mandates that agencies maintain only the records that are necessary for conducting their business? The act applies only to government agencies.
Privacy Act of 1974
What law prevents government agencies from disclosing personal information that an individual supplies to the government under protected circumstances?
Privacy Act. The Privacy Act of 1974 limits the ways government agencies may use information that private citizens disclose to them under certain circumstances.
The _________________ requires senior executives to take personal responsibility for ensuring the due care that ordinary prudent individuals would exercise in the same situation
Prudent man rule. It now applies to InfoSec. Came from federal sentencing guidelines to help federal judges interpret computer crime laws.
What is important about the Federal Information Security Management Act of 2002 (FISMA)?
Set up NIST as a voluntary good-practices organization. NIST is responsible for developing the FISMA implementation guidelines.
Which of the following types of licensing agreements does not require that the user acknowledge that they have read the agreement prior to executing it: (1) verbal agreement, or (2) shrink-wrap agreement?
Shrink-wrap agreement. They become effective when a user opens a software package.
Why is a well-rounded compliance program so important?
Since most organizations are subject to a wide variety of legal and regulatory requirements related to information security, building a compliance program ensures that you become and remain compliant with these often overlapping requirements.
What is the broadest category of computer systems protected by the Computer Fraud and Abuse Act, as amended? (1) Federal interest systems, or (2) Systems used in interstate commerce
Systems used in interstate commerce. CFAA was amended in 1994, which includes a large portion of the computer systems in the US.
What symbol is used for a trademark that has been applied for but not yet granted? R or TM?
TM. When the registration is granted, R can be used.
What is important about the Fourth Amendment?
The basis for privacy rights is here. Prohibits government agents from searching private property without a warrant and probable cause.
How should security be incorporated into the procurement and vendor governance process?
The expanded use of cloud services by many organizations requires added attention to conducting reviews of information security controls during the vendor selection process and as part of ongoing vendor governance.
What is the objective of a security program?
To protect the company's assets
The main objective of ___________ protection is to avoid confusion in the marketplace while protecting the intellectual property rights of people and organizations.
Trademark. They do not need to be officially registered to gain protection under the law.
True or False: Export Administration Regulations (EAR) cover a broader set of items that are designed for commercial use but may have military applications
True
True or False: The Children's Online Privacy Protection Act of 1998 makes a series of demands on websites that cater to children or knowingly collect information from children under the age of 13
True
True or False: The Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, and the Identity Theft and Assumption Deterrence Act provide criminal penalties for serious cases of computer crime
True
True or False: The Family Educational Rights and Privacy bill is specialized for educational institutions that accept funding from the federal government (the vast majority of schools)
True
True or False: The International Traffic in Arms Regulations (ITAR) controls the export of items that are specifically designed as military and defense items, including related technical information
True
True or False: The Identity Theft and Assumption Deterrence Act makes identity theft a crime against the person whose identity was stolen and the creditors defrauded.
True. Make sure to indicate in the employment contract that there is no expectation of privacy for employees if activity needs to be monitored for business purposes (and in acceptable use and privacy policies).
True or false: The CFAA covers abuse against any computer used exclusively by the US government and any computer used exclusively by a financial institution
True. It now covers any computer used in interstate (and international) commerce. Allows for imprisonment of offenders. Provides legal authority for victims of computer crime to pursue civil action to gain injunctive relief and compensation for damages. It is often criticized for being overly broad. Now extends to portions of the national infrastructure other than computing systems (e.g., railroads, gas pipelines, power grids, etc.).
True or False: US citizens are allowed to export security encryption products after being reviewed by the Commerce Department (no longer than 30 days to review)
True. Encryption export controls.
True or False: The Privacy Shield replaced the invalidated safe harbor agreement and was approved by the European Commission in July 2016.
True. It is a framework for regulating transatlantic exchanges of personal data for commercial purposes between the EU and the US. US companies conducting business in Europe must inform individuals about data processing (in privacy policy).
True or False: US firms can export high-performance computing systems to virtually any country without receiving prior approval from the government (except Cuba, Iran, North Korea, Sudan, and Syria)
True. These are related to computer export controls.
All federal and state laws must comply with the ultimate authority that dictates how the US system of government works, the _______________
US Constitution
What are the major laws that govern privacy of personal information in both the US and EU?
US has a number of privacy laws that affect the government's use of information as well as the use of information by specific industries, such as financial services companies and healthcare organizations that handle sensitive information. The EU has a more comprehensive General Data Protection Regulation that governs the use and exchange of personal information.
The ___________ act broadened the powers of law enforcement organizations and intelligence agencies when monitoring electronic communications. It allows authorities to obtain a blanket authorization for a person and then monitor all communications to or from that person under a single warrant. Also, ISPs may voluntarily provide the government with a large range of information
USA PATRIOT Act of 2001. It is now known as the USA Freedom Act.
Which act allows for aggregating wiretaps on warrants in many cases, and raises penalties specified in the CFAA?
USA Patriot Act of 2001
How are trademarks registered?
USPTO (US Patent and Trademark Office). Trademarks don't carry the R logo until they are registered.
Does the USA PATRIOT Act protect privacy or weaken it?
Weakens