Management of Information Security (Whitman) Ch. 2 Part 1

• Constitutional Law—Originates with the U.S. Constitution, a state constitution, or local constitution, b_________, or CHARTER.
• S___________ Law—Originates from a LEGISLATIVE branch specifically tasked with the creation and PUBLICATION of laws and statutes.
• Regulatory or Administrative Law—Originates from an E_____________ branch or authorized REGULATORY agency, and includes executive ORDERS and regulations.
• Common Law, C_____ Law, and Precedent—Originates from a JUDICIAL branch or OVERSIGHT board and involves the INTERPRETATION of law based on the actions of a PREVIOUS and/or higher court or board.

BYLAWS STATUTORY EXECUTIVE CASE

Computer F_______ and A________ (CFA) Act: The cornerstone of many computer-related FEDERAL laws and enforcement efforts, the CFA formally criminalizes "accessing a computer WITHOUT authorization or exceeding authorized access" for systems containing information of NATIONAL interest as determined by the U.S. government.
Computer S____________ Act (CSA): A U.S. law designed to improve security of FEDERAL information systems. It charged the National Bureau of STANDARDS, now NIST, with the development of standards, guidelines, and associated methods and techniques for computer systems, among other responsibilities.
Electronic Communications P_________ Act (ECPA) of 1986: A collection of statutes that regulate the INTERCEPTION of wire, electronic, and oral communications.

FRAUD ABUSE SECURITY PRIVACY

As a future InfoSec professional, you will be required to understand the scope of an organization's LEGAL and ETHICAL responsibilities. The InfoSec professional should play an important role in an organization's approach to controlling l__________ for PRIVACY and security risks. In the modern LITIGIOUS societies of the world, sometimes laws are enforced in CIVIL courts and PLAINTIFFS are awarded large payments for damages or to punish DEFENDANTS. To minimize these liabilities, the InfoSec practitioner must understand the current legal environment and keep apprised of new laws, REGULATIONS, and ethical issues as they emerge. By e_____________ employees and management about their legal and ethical obligations and the proper use of information technology and information security, security professionals can keep their organizations focused on their primary objectives.

LIABILITIES EDUCATING

All management, specifically InfoSec professionals, are expected to act in compliance with legal requirements when COLLECTING, STORING, and USING information, especially p_______________ identifiable information (PII).
The Roman poet J___________, in his work Satire VI, asked "Quis custodiet ipsos custodes?" (loosely translated, "Who will watch the watchmen?").

PERSONALLY JUVENAL

Health Insurance P_______________ and Accountability Act (HIPAA) of 1996: Also known as the Kennedy-KASSEBAUM Act, this law attempts to protect the CONFIDENTIALITY and security of health care data by establishing and enforcing standards and by STANDARDIZING electronic data INTERCHANGE.
information a________________: Pieces of NON-private data that, when COMBINED, may create information that VIOLATES privacy. Not to be confused with aggregate information.
P__________ Act of 1974: A federal law that regulates the GOVERNMENT'S collection, storage, use, and dissemination of INDIVIDUAL PERSONAL information contained in records maintained by the federal government.

PORTABILITY AGGREGATION PRIVACY

Yet another distinction addresses how legislation affects individuals in society, and is categorized as p_______ law or p______ law. P_________ law is considered a subset of CIVIL law, and regulates the relationships among individuals as well as relationships between individuals and ORGANIZATIONS; it encompasses FAMILY law, COMMERCIAL law, and LABOR law. P_______ law regulates the structure and administration of GOVERNMENT agencies and their relationships with CITIZENS, employees, and other governments. P_______ law includes criminal law, administrative/REGULATORY law, and constitutional law.

PRIVATE PUBLIC

Within modern society, individuals elect to trade some aspects of personal freedom for social ORDER. As Jean Jacques R___________ explained in The Social Contract, or Principles of Political Right (1762), laws are the rules that members of a society create to balance an individual's RIGHT to self-d_______________ with the NEEDS of the whole. Laws are rules adopted and enforced by governments to CODIFY expected behavior in modern society. They are largely drawn from the ethics of a culture, which define SOCIALLY acceptable behaviors that conform to the widely held principles of the members of that society. The key difference between law and ethics is that law carries the s__________ of a GOVERNING AUTHORITY and ethics do not. Ethics, in turn, are based on cultural m_______, which are the relatively fixed MORAL ATTITUDES or CUSTOMS of a societal group. Some ethics are thought to be universal. For example, murder, theft, and assault are actions that deviate from ethical and legal codes in most, if not all, the world's cultures.

ROUSSEAU DETERMINATION SANCTION MORES

Protection of credit information | Fair C_______ Reporting Act (FCRA) | 1970 | Regulates the COLLECTION and USE of consumer credit information
Privacy | F__________ Privacy Act | 1974 | Governs federal agency use of PERSONAL information
Privacy of student information | Family E__________________ Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) | 1974 | Also known as the BUCKLEY Amendment; protects the PRIVACY of STUDENT education records
Copyright | C___________ Act (update to U.S. Copyright Law (17 USC)) | 1976 | Protects INTELLECTUAL property, including PUBLICATIONS and SOFTWARE
Cryptography | Electronic Communications P________ Act (update to 18 USC) | 1986 | Regulates INTERCEPTION and DISCLOSURE of electronic information; also referred to as the Federal WIRETAPPING Act

credit federal educational copyright privacy

Within STATUTORY law, one can further divide laws into their association with individuals, groups, and the "state":
• Civil law embodies a wide variety of laws pertaining to relationships between and among i__________________ and o___________________. Civil law includes CONTRACT law, EMPLOYMENT law, family law, and tort law. Tort law is the subset of civil law that allows individuals to seek redress in the event of personal, physical, or financial injury. Perceived damages within civil law are pursued in civil court and are not prosecuted by the state.
• Criminal law addresses violations HARMFUL to society and is actively enforced and prosecuted by the state. Criminal law addresses statutes associated with TRAFFIC law, PUBLIC order, PROPERTY damage, and personal damage, where the S_______ takes on the responsibility of seeking RETRIBUTION on behalf of the PLAINTIFF, or INJURED party.

individuals organizations STATE

Online commerce and information protection | Federal T________ Commission Act (FTCA) | 1914 | Recently used to challenge organizations with DECEPTIVE claims regarding the PRIVACY and security of customers' PERSONAL information
Telecommunications | C_______________________ Act (47 USC 151 et seq.) | 1934 | Includes amendments found in the Telecommunications Deregulation and Competition Act of 1996; this law regulates INTERSTATE and FOREIGN telecommunications (amended 1996 and 2001)
Freedom of information | F_____________ of Information Act (FOIA) | 1966 | Allows for the DISCLOSURE of previously unreleased information and documents controlled by the U.S. government

trade communications freedom

