CIT 485: Advanced Cybersecurity


CIT 485: Advanced Cybersecurity
Policy, Legal, and Compliance Issues

Topics
- Policy, Standards, and Procedures
- US Government Security Policies (FISMA)
- Laws and Compliance
- PCI Data Security Standard (DSS)
- Bring Your Own Device (BYOD)

Policy, Standards, and Procedures
- Policy provides a statement of intent.
  - Employees must use strong passwords on all accounts.
- Standard provides specifics to help organization members comply with policy.
  - Passwords must be at least 10 characters long.
  - They must not be stored on unencrypted media.
- Procedures: to change your password, follow these steps:
  1. Login using your current password.
  2. Type passwd
  3. Enter your current password.
  4. Enter your new password twice.

Compliance
- Information security policies must ensure compliance with applicable laws and regulations.
- Organizations must demonstrate due care: measures taken to ensure every employee knows what is acceptable and what is not.
- Organizations must also demonstrate due diligence: reasonable steps taken to meet the obligations imposed by laws and regulations.

Data Handling Policies
- Organizations must have data handling policies to ensure compliance with appropriate laws and regulations.
- Individual IT workers are responsible for following those policies to protect the data of customers and employees.

Enforcing Policies
Enforceable policies must meet 5 criteria:
- Dissemination. Policy must be readily available.
- Review. Organization must demonstrate policy is accessible to all employees, regardless of language ability.
- Comprehension. Organization must demonstrate employees understand policies. Online tests and other assessments can be used to ensure comprehension.
- Compliance. Organization must demonstrate employees agreed to policy through signatures or another specific action.
- Uniform enforcement. Organization must enforce policy equally on all employees.

Computer Security Act (1987)
- Mandated baseline security standards for federal agencies.
- Assigned the National Institute of Standards and Technology (NIST) responsibility for developing computer security standards and guidelines for the federal government.
- Assigned the NSA responsibility for classified systems.
- Required agencies to create security policies for computer systems with sensitive data.
- Mandated security awareness training for federal employees who use computers with sensitive data.

FISMA (2002)
Federal Information Security Management Act
- Repealed the Computer Security Act of 1987.
- Mandates that federal agencies establish information security programs:
  - Risk assessments.
  - Policies and procedures.
  - Security awareness training.
  - Incident response.
  - Periodic security assessments.

FIPS
Federal Information Processing Standards
- Available on the NIST web site.
- Some are used only by the federal government; others are used widely by private organizations.
Notable FIPS
- 140-2: Standards for cryptography. Much cryptographic software comes with a FIPS version to meet 140-2.
- 800-53: Security controls for federal government systems.

Sarbanes-Oxley (SOX) (2002)
- Goal: reliability and accuracy of financial reporting.
- Requires that corporate IT certify the confidentiality and integrity of systems involved in financial reporting.
- Section 302
  - Requires corporate executives to personally certify the accuracy and completeness of their financial reports.
  - Requires a report on the effectiveness of internal controls for their financial reporting.
- Section 404
  - Mandates that security assessment reports be audited by an external firm.

Gramm-Leach-Bliley (1999)
Financial Services Modernization Act
- Requires financial institutions to disclose privacy policies on the sharing of PII.
- Requires due notice to customers so that they can request that their information not be shared.
- Requires annual notification of customers about privacy policies.

FERPA (1974)
Family Educational Rights and Privacy Act
- Gives parents access to their child's educational records, but requires the permission of students age 18 or older.
- Restricts access to educational records:
  - Determines who can access PII and grades, and for which purposes.
  - PII and grades can only be sent over secure channels.
- Student medical records are governed by FERPA, not HIPAA.

HIPAA (1996)
Health Insurance Portability and Accountability Act
- Affects almost all organizations doing health care.
- Sets privacy requirements for sharing health care records without patient consent.
- Requires that providers give patients access to their records.
- Establishes standards for digital health record exchange.
- Discussed in more detail in other classes like PHI 310.

COPPA (1998)
Children's Online Privacy Protection Act
- Regulates the collection of data on children under age 13.
- Specifies requirements for website privacy policies.
- Defines consent requirements for websites.
- Restricts marketing to those under age 13.
- Enforced by the Federal Trade Commission (FTC).

PCI DSS
- The Payment Card Industry (PCI) requires that organizations that accept payments follow its Data Security Standard (DSS).
- Version 1.0 was released in December 2004.
- Requires securing data at all systems and links:
  - point-of-sale devices;
  - mobile devices, personal computers or servers;
  - wireless hotspots;
  - web shopping applications;
  - paper-based storage systems;
  - the transmission of cardholder data to service providers;
  - remote access connections.

PCI DSS: 12 Requirements
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Protect all systems against malware and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.

PCI DSS: 12 Requirements (continued)
7. Restrict access to cardholder data by business need-to-know.
8. Identify and authenticate access to system components.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for all personnel.
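The requirement to protect stored cardholder data reaches into ordinary application logs, which often capture full card numbers by accident. The example below is added here and is not part of the slides: it scans constructed log lines (the card numbers are well-known test numbers, not real accounts) for digit runs that pass the Luhn checksum and masks each one to the first six and last four digits, the most that PCI DSS 3.2.1 allows to be displayed.

```python
import re
from typing import Tuple

# Constructed sample log lines for this example (not from the slides).
# 4111... and 5500... are standard test card numbers; the third line is a
# 16-digit reference that is NOT a valid card number and must be left alone.
SAMPLE_LOG = """\
2018-05-01 12:00:01 INFO order=1001 card=4111111111111111 amount=19.99
2018-05-01 12:00:02 INFO order=1002 card=5500 0000 0000 0004 amount=5.00
2018-05-01 12:00:03 INFO order=1003 ref=1234567890123456 amount=7.50
2018-05-01 12:00:04 INFO order=1004 tracking=99988877766 amount=3.25
"""

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only first six and last four digits (PCI DSS 3.2.1 display limit)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact_line(line: str) -> Tuple[str, int]:
    """Mask every Luhn-valid candidate in one line; return (line, hits)."""
    hits = 0

    def _sub(m: "re.Match[str]") -> str:
        nonlocal hits
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):     # digit run that is not a card number
            return m.group(0)
        hits += 1
        return mask_pan(digits)

    return CANDIDATE.sub(_sub, line), hits


def redact_log(text: str) -> Tuple[str, int]:
    """Redact a whole log; return (redacted text, number of PANs masked)."""
    out, total = [], 0
    for line in text.splitlines():
        new_line, n = redact_line(line)
        out.append(new_line)
        total += n
    return "\n".join(out), total
```

Running `redact_log(SAMPLE_LOG)` masks the two real test PANs and leaves the Luhn-invalid reference number and the short tracking number untouched; the same filter can sit in front of a log shipper so that full PANs never reach stored logs.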

Bring Your Own Device (BYOD)
BYOD Policy
- Employees bring their own mobile device to work.
- The same device contains both work and personal data.
Risks to Employers
- Work data travels with the device, not protected by the firewall.
- Device may bring malware from outside the firewall to inside it.
- Work data may remain on the device after employment is terminated.
Risks to Employees
- Makes devices subject to legal discovery.
- Mobile device management software can wipe the device.


Released under CC BY-SA 3.0
This presentation is released under the Creative Commons Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0) license.
You are free:
- to Share — to copy and redistribute the material in any medium
- to Adapt — to remix, transform, and build upon the material
- to use part or all of this presentation in your own classes
Under the following conditions:
- Attribution — You must attribute the work to James Walden, but cannot do so in a way that suggests that he endorses you or your use of these materials.
- Share Alike — If you remix, transform, or build upon this material, you must distribute the resulting work under this or a similar open license.
Details and full text of the license can be found at https://creativecommons.org/licenses/by-nc-sa/3.0/

Discuss: Aaron Swartz
- The Computer Fraud and Abuse Act (CFAA) was written in 1986 to amend existing computer fraud law.
- Makes knowingly accessing a “protected computer” without authorization, or exceeding authorized access, a crime.
- Any computer with Internet access is likely a “protected computer”.
Controversy: the Aaron Swartz case
- Aaron Swartz created a script to automatically download many articles from JSTOR, violating their Terms of Service.
- Federal prosecutors charged him with 11 violations of the CFAA, with a maximum penalty of 35 years and a $1 million fine.