Principles of Information System Security: Text and Cases


1 Principles of Information System Security: Text and Cases
Gurpreet Dhillon
PowerPoint prepared by Youlong Zhuang, University of Missouri-Columbia

2 Principles of Information System Security: Text and Cases
Chapter Fourteen: Legal Aspects of Information System Security

3 Learning Objectives
Be familiar with the following six acts:
- Computer Fraud and Abuse Act
- Computer Security Act
- Health Insurance Portability and Accountability Act
- USA PATRIOT Act
- Sarbanes-Oxley Act
- Federal Information Security Management Act
Copyright 2006 John Wiley & Sons, Inc.

4 The Need for Laws
- Controls within a firm may not be enough for IS security
- Laws are required to investigate and prosecute violators
- This chapter discusses six legal enactments by Congress

5 The Computer Fraud and Abuse Act (CFAA)
- CFAA was introduced in 1984 to protect computers used by government or in defense
- CFAA was extended in 1986 to protect ‘federal interest computers’
- CFAA was amended in 1996 to protect all computers involved in interstate and international commerce

6 CFAA (cont’d)
- The purpose is to provide protections and penalties for violating the law
- The penalties include both criminal and civil
- The legal elements of computer fraud include:
  - Knowingly and with intent to defraud
  - Accessing a protected computer without authorization, or exceeding authorization
  - Thereby furthering a fraud and obtaining anything of value

7 CFAA (cont’d)
- CFAA applies to the private sector, not just the federal government
- CFAA allows plaintiffs to pursue actions against defendants in federal court, not just in state courts
- CFAA allows a double whammy against the defendant, and allows the plaintiff to attempt to recover more in damages

8 CFAA, the Case of Shurgard Storage Centers v. Safeguard Self Storage
- Several managers of Shurgard Storage left to work for Safeguard (a competitor)
- They allegedly used the plaintiff’s computers to send trade secrets to the defendant
- The defendants argued: they were Shurgard employees at the time
- The court said: they no longer had ‘authorization’ once they sent information to their new firm

9 CFAA, the Case of Shurgard Storage v. Safeguard Self Storage (cont’d)
- The defendant argued: no evidence of the traditional elements of common law fraud
- The court said: proof of the elements of common law fraud is not required under the CFAA
- The disloyal employee was in effect treated as a hacker

10 CFAA, the Case of Shurgard Storage v. Safeguard Self Storage (cont’d)
- ‘Damage’ is defined as any ‘impairment to the integrity’ of the computer data or information
- The terms ‘protected computer’ and ‘without authorization’ have broad meaning and intended scope

11 The Computer Security Act (CSA)
- CSA was passed by Congress in 1987
- Motivation:
  - Escalating use of computer systems by the government
  - Requirement to ensure the security and privacy of unclassified, sensitive information

12 CSA (cont’d)
Purposes:
- To standardize and tighten security on computers of the government and its contractors
- To train the workforce in maintaining appropriate security levels

13 CSA (cont’d)
Issues that shaped the debate over the CSA:
- The National Security Agency (NSA) vs. the National Institute of Standards and Technology (NIST)
- The need for greater training of personnel involved in Federal computer security
- The scope of the legislation in terms of defining a ‘Federal computer system’

14 CSA (cont’d)
- CSA requires the identification of systems and the establishment of security plans
- CSA requires mandatory periodic training
- CSA requires NIST to establish a computer standards program
- CSA requires the establishment of a computer system security and privacy advisory board within the Department of Commerce

15 Health Insurance Portability and Accountability Act (HIPAA)
- HIPAA is meant to promote a better healthcare delivery system through broad and sweeping legislative measures
- IS security is of paramount importance to the future of any health care program
- All firms that deal with personal history information (PHI) have to be in compliance with HIPAA

16 HIPAA Requirements
- HIPAA was passed in 1996
- The primary purpose of HIPAA is to improve Medicare and the efficiency and effectiveness of the healthcare system
- Privacy is concerned with what information is covered
- Security is the mechanism to protect the information

17 HIPAA Requirements (cont’d)
- Standardization of electronic patient administrative and financial data
- Unique identifiers for providers, health plans, and employers
- Changes to most healthcare transaction and administrative information systems
- Privacy regulation and the confidentiality of patient information
- Technical practices and procedures to ensure data integrity, security, and availability of healthcare information

18 HIPAA Compliance and Recommended Protection
Organizations can complete a business impact analysis and a risk assessment to determine compliance with HIPAA:
- Baseline assessment: examine the current security environment with respect to policies, processes, and technology
- Gap analysis: compare the current environment with the proposed regulatory requirements
- Risk assessment: address the areas identified in the gap analysis that require remediation

19 HIPAA Compliance and Recommended Protection (cont’d)
HIPAA mandates that security standards be applied in four main areas:
- Administrative procedures (e.g. personnel procedures)
- Physical safeguards (e.g. locks)
- Technical security services: to protect data at rest
- Technical security mechanisms: to protect data in transit

20 HIPAA Compliance and Recommended Protection (cont’d)
Risk analysis:
- Identifying and documenting all electronic PHI repositories
- Periodically re-inventorying electronic PHI repositories
- Identifying the potential vulnerabilities of each repository
- Assigning a level of risk to each electronic PHI repository

21 HIPAA Compliance and Recommended Protection (cont’d)
Risk management:
- Implementing security measures to reduce risks and vulnerabilities to a reasonable and appropriate level
- Medium and high risk EPHI repositories must be secured in accordance with HIPAA Security Policies #1-17
- Sanctions for noncompliance

22 HIPAA Compliance and Recommended Protection (cont’d)
- Information system activity review: implementing an internal audit procedure to regularly review records of system activity
- HIPAA compliance/risk management officer: such an officer is needed, with proper training and credentials

23 Positive Aspects of HIPAA
- A standardization of identifiers that makes it possible to communicate effectively, efficiently, and consistently
- The health care provider and insurance-related industries become more cognizant of the risks associated with PHI
- Accountability through monitoring and updating the security of PHI
- Disaster planning helps the continuity and quality of health care delivery

24 Negative Aspects of HIPAA
- Cost: health care organizations have spent years and over $17 billion in an effort to comply with HIPAA
- Complications of interpretation and compliance
- Fines and penalties
- Loss of productivity

25 USA Patriot Act
- Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act
- It was signed into law on Oct
- The goal is to give law enforcement agencies the tools necessary to investigate and apprehend people suspected of planning or carrying out terrorist acts

26 IT and USA Patriot Act
- Electronic Communications Privacy Act (ECPA) of 1986 (defines rules and regulations for protection of the privacy of electronic communication)
- Foreign Intelligence Surveillance Act (FISA) of 1978 (defines standards for wiretapping/surveillance of electronic communication)
- Computer Fraud and Abuse Act (CFAA) of 1986 (defines rules and regulations aimed at prevention of computer “hacking”)

27 Subpoena and Disclosure of Content of Electronic Communication
- ECPA limits the scope of electronic communication that could be made available
- PATRIOT Act broadens the category of things that can be subpoenaed
- ECPA limits an Internet Service Provider’s ability to disclose electronic communication content to proper authorities
- PATRIOT Act extends this by ruling that ISPs can disclose (without prior notification to the user) the content of electronic communication when there is fear of physical threat

28 Use of Pen and Trap Surveillance Devices on Electronic Communication
- Will ISPs be required to make infrastructure changes to accommodate pen/trap devices?
- Are there storage requirements that ISPs must address to support the storage of records?

29 Prevention of Cyber-Terrorism
The PATRIOT Act extends and clarifies some key points of the CFAA:
- The definition of “damages” is clarified
- Defining/clarifying “intentional actions”
- The definition of “protected computers” is clarified
- Extension to provide protection to designers of hardware, software, and firmware

30 Prevention of Cyber-Terrorism (cont’d)
- Offended parties can now have a clearer understanding of when they can and cannot pursue prosecution under CFAA
- Organizations will be able to show proof of greater than $5,000 in damage
- Offended parties may need to become involved in investigations that cover several routers and trunks of the Internet
- The risk/cost associated with civil prosecution against designers of hardware, software, and firmware can be reassessed by organizations

31 Sarbanes-Oxley Act (SOX)
- The Public Company Accounting Reform and Investor Protection Act was sponsored in Congress by Senator Sarbanes and Representative Oxley
- It was signed on July 30, 2002
- It was passed in response to corporate scandals in 2001 and 2002

32 SOX (cont’d)
Areas covered by SOX:
- External auditor oversight and standards
- Internal audit committee responsibility
- Executive management accountability
- Financial disclosure strengthening
- Criminal penalties

33 IT and SOX
- Analysis and potential implementation/integration of software packages on the market that assist with SOX compliance
- Provide authentication of data through the use of data integrity controls
- Capture and document detailed logging of data access and modifications

34 IT and SOX (cont’d)
- Secure data by means such as firewalls
- Document and remediate IT application control structures and processes
- Provide storage capacity for the retention of corporate data assets related to the law
- Provide recoverability of the archive

35 Federal Information Security Management Act (FISMA)
- FISMA was passed in late 2002 as a requisite of the Department of Homeland Security
- Security programs are required, including:
  - A structure for detecting and reporting incidents
  - A business continuity plan
  - Defined and published security policies and procedures
  - A risk assessment plan

36 FISMA (cont’d)
- At regular intervals, an agency has to report its compliance with the requirements mandated by the law
- IT executives are held accountable for the management of a security policy
- National Institute of Standards and Technology (NIST): Categorization of Federal Information and Information Systems
