Published by Rose Craig. Modified over 7 years ago.
Adler Pollock & Sheehan P.C.
One Citizens Plaza, 8th Floor, Providence, RI 02903
Legal Aspects of Cybersecurity
Stephen R. Ucci, Esq., Government Contracts Group Chair
Cyber today
“University Attacked by its own vending machines…” (Networkworld.com, March 6, 2017)
Congressional Cybersecurity Caucus News Round-up (March 3, 2017)
“Microsoft wants a Digital Geneva Convention on cyber attacks” (cnet.com, February 14, 2017)
Stephen R. Ucci
20 years of Government Contracts experience
Author of the RI Identity Theft Protection Act
Cybersecurity Task Force, National Conference of State Legislators
Rhode Island Corporate Cyber Initiative, Salve Regina University
A new language
Botnet: A network of private devices controlled as a group without the owners' knowledge. (Zombie)
Cloud computing: Utilizing different remote servers for the storage of data.
Cryptocurrency: A digital currency in which encryption techniques are used to regulate the generation of units of currency and verify the transfer of funds, operating independently of a central bank.
Cyber attack: A deliberate action that affects the availability or integrity of data or information systems.
Cyber exfiltration: The unauthorized copying or removal of data from a system.
Cyber intrusion: Unauthorized access into a system.
A new language
Encryption: Transforming data to mask its content.
Internet of Things (IoT): Devices that collect, store and send information without human intervention.
Phishing: Attempting to obtain confidential information (including user names and passwords) from internet users, usually by sending an email that looks as though it has been sent by a legitimate organization.
Ransomware: Malicious code that encrypts data with the intent to extract payment for the decryption key.
Spear Phishing: Sending emails ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information.
Spoofing: Faking the sending address of a transmission to gain unauthorized entry into a secure system.
A common enemy
The methods used by attackers are virtually the same whether the attack is state-sponsored, coordinated, or the work of an individual. The vulnerability is the same whether the target is Government, industry or a private person.
A Common Defense
Acknowledgement from the top
Culture of vigilance
Continuous improvement / information sharing
A Common Defense: Human Factors
Social engineering
Failing to update
Carelessness
Trust
Lack of training
Look at physical solutions for technical risk
The Basics
A security incident response plan
Training
Policies: travel, usage, drive usage, public networks
War gaming, testing
The Three Pillars: Internal
Policies, procedures, training, awareness
Insurance
Response plan preparation
Network
Licensing
IT services / Cloud
The Three Pillars: External
Contractual requirements
Flow down to suppliers
Legal requirements
The Three Pillars: Breach
Incident response plan
Contractual requirements
Legal requirements
Law enforcement?
Data sharing
Cyber Information Sharing Act - 2015 (CISA)
A voluntary system for entities to share cyber threat indicators and defensive measures without liability to third parties and exempt from antitrust laws (also FOIA, regulatory action, non-waiver of trade secrets, limitation on ex parte communications). Does not limit liability for the data breach itself. Must be shared through a process established by DHS.
CISA - 2015: DHS Programs
AIS - Automated Indicator Sharing (Authentication)
CISCP - Cyber Information Sharing and Collaboration Program (CRADA)
ECS - Enhanced Cybersecurity Service (Commercial Service Providers)
Cybersecurity National Action Plan (CNAP)
Directs DHS to create a security certification for devices and products (UL).
Enhanced cyber training and awareness, i.e. dual authentication and threat training.
National Center for Cybersecurity and Resilience: partners DOE and DHS for critical infrastructure.
Created the Federal Chief Information Security Officer (CISO).
Coordinates incident response through DOJ, Justice and DNI. (DSS?)
FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems
15 requirements from NIST SP. Applicable to all acquisitions other than COTS.
“Systems owned or operated by a contractor that process, store or transmit Federal Contract Information.”
Must be flowed down. No incident reporting requirement or certification.
DFAR 252.204-7012: Full compliance with NIST 800-171
Assessment and reporting of areas of non-compliance to the contracting officer within 30 days of award (may request a deviation).
72 hours to report cyber incidents to the DoD CIO (DIBNet). Malicious software goes to the DoD Cyber Crime Center.
Preserve evidence and cooperate with the investigation.
Flow down to all suppliers storing, processing or generating Covered Defense Information as part of the contract.
Not applicable to COTS if the acquisition is solely for COTS items.
DFAR 252.204-7012 cont.
Covered Defense Information – Unclassified information that is
(A) Provided to the contractor by or on behalf of DoD in connection with the performance of the contract; or
(B) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of performance of the contract,
and falls into any of the following categories:
(A) Controlled Technical Information (Dist. B through F)
(B) Critical Information (Operations security)
(C) Export Control
(D) Any other information marked or otherwise identified in the contract that requires safeguarding or dissemination controls. (PPI)
NIST SP: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
The Federal Information Security Modernization Act of 2014 mandated that NIST develop this Special Publication. It achieves parity between Federal and non-federal entities.
14 “Families” of security requirements:
Access Control
Awareness and Training
Audit and Accountability
Configuration Management
Identification and Authentication
Incident Response
Maintenance
Media Protection
Personnel Security
Physical Protection
Risk Assessment
Security Assessment
System and Communications Protection
System and Information Integrity
Detailed breakdown of security controls. Regularly updated.