CISSP Legal and Regulatory
Major legal systems
Civil Law (Legal System) – The most common legal system; a judge's ruling typically does not set precedent. The civil law system relies on codified laws or statutes to determine what is within the bounds of the law. Judicial rulings carry less weight than under common law.
Common Law – Legal system used in US, Canada, UK and most former British Colonies. Common law places significant emphasis on particular cases and judicial precedents as determinants of laws. Judicial rulings can sometimes supersede statutes and laws created by the legislative body.
Religious Law – Religious doctrine or its interpretation serves as the source of legal understanding and statutes. Islam is the most common basis for religious legal systems. Sharia is the term used for Islamic law, and it uses the Qur’an and Hadith as its foundation.
Customary Law – Customary law refers to customs or practices that are so commonly accepted by a group that the custom is treated as law. In information security, the concept of best practices is closely associated with customary law.
Criminal, Civil, and Administrative Law
Within common law there are various branches of law, including criminal, civil and administrative law.
Criminal Law – Society is the victim. The goal of criminal law is to promote and maintain an orderly and law-abiding citizenry. To convict someone accused of a criminal act, the crime must be proved beyond any reasonable doubt. Once proven, the punishment can include incarceration, financial penalties or, in some jurisdictions, death.
Civil Law – Also known as tort law, it deals with injury resulting from someone violating their responsibility to provide a duty of care. An individual, group or organization is the victim; it most commonly concerns private parties, and the punishment is focused on compensating the victim.
Common types of financial damages
- Statutory – Prescribed by law, awarded to the victim even if the victim incurred no actual loss or injury
- Compensatory – Provide the victim with a financial award in an effort to compensate for the loss or injury incurred
- Punitive – Awarded to attempt to discourage a particular violation where compensatory or statutory damages alone would not act as a deterrent
Administrative Law – Also known as regulatory law, enacted by government agencies. Government-mandated compliance measures are administrative laws. Examples are FCC regulations, HIPAA security mandates, FDA regulations and FAA regulations.
Negligence – A branch of civil law related to wrongdoing against an individual, measured against “best practice” or “duty of care”, where the action taken, or the neglect of a responsibility, by an individual or organization is considered outside the bounds of behavior expected of a “reasonable, right-thinking, or prudent man”. This relates back to custom and may change over time. Here again, the burden of proof is a preponderance of the evidence weighing against the defendant. This is the largest source of lawsuits and damages under the major legal systems, and it is particularly important in the realm of cyber security law. In protecting customer data, the “Prudent Man Rule” is applied to set the bar for duty of care: the processes, infrastructure and practices a right-thinking person would consider the necessary minimum. If a business is seen to fall below that bar, the organization and its stakeholders are considered negligent in providing the due care needed to protect its customers, assets and business stakeholders.
Contract Law – Agreements between companies and individuals, whether verbal or documented in writing, can be broken, and damages for the wrongdoing can be awarded. This is again a type of civil law.
Questions of liability often turn into questions of potential negligence. The Prudent Man Rule is applied to determine whether actions or inactions constitute negligence.
Prudent man rule
Acting responsibly and cautiously like a prudent man
In the event of a severe incident, information security professionals will be required to provide all evidence during investigations. The evidence should be relevant, authentic, accurate, complete and convincing.
- Real or Physical Evidence – Tangible or physical objects: hard drives, DVDs, USB drives or printed documents. May also include visual or audio surveillance tapes generated during or after the event.
- Direct Evidence – Testimony provided by a witness. This will be oral testimony or a written statement based on information gathered through the witness’s five senses (an eyewitness account) that proves or disproves a specific fact or issue.
- Circumstantial Evidence – Provides details regarding circumstances that allow for assumptions to be made regarding other types of evidence.
If a person testified that she directly witnessed the defendant create and distribute malware, this is direct evidence. If the forensic investigation of the defendant’s computer revealed the existence of source code for the malware, this is circumstantial evidence.
- Corroborative Evidence – Evidence that provides additional support for a fact that might have been called into question.
- Hearsay Evidence – Indirect second hand evidence. Exceptions (Rule 803) include computer generated data and logs
- Documentary evidence – Includes originals and copies of business records, computer-generated and computer-stored records, manuals, policies, standards, procedures, and log files. Most evidence presented in a computer crime case is documentary evidence.
- Best Evidence – Originals are preferred over copies. Conclusive tangible objects are preferred over oral testimony. Evidence that is relevant, authentic, accurate, complete and convincing is preferred, with these as the main criteria.
- Secondary Evidence – Copies of original documents and oral descriptions. Exception: under Rule 1001, logs and computer-stored documents are treated as originals.
- Demonstrative evidence – Used to aid the court’s understanding of a case. Opinions are considered demonstrative evidence and may be either expert (based on personal expertise and facts) or non-expert (based on facts only). Other examples include models, simulations, charts, and illustrations.
Evidence must be reliable. Checksums such as MD5 and SHA-1 are used to ensure that no data changes occurred as a result of acquisition and analysis.
Chain of custody
Chain of custody requires that, once evidence is acquired, full documentation be maintained regarding the who, what, when and where of the handling of that evidence. Initials and/or signatures on the chain of custody form indicate that the signers attest to the accuracy of the information concerning their role noted on the form. Use of checksums and chain of custody forms by forensic investigators is best practice.
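The two practices described above, checksums taken at acquisition and a who/what/when/where record for every handling step, combined into one small tool. This is an added example, not code from the original notes; the evidence bytes, people and locations are constructed for illustration, and SHA-256 is recorded alongside the MD5 and SHA-1 the notes mention because the older two are no longer collision resistant.

```python
"""Evidence integrity and chain-of-custody record (added example)."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# MD5 and SHA-1 as in the notes, plus SHA-256 (assumption: what a current
# investigator would record as well, since MD5/SHA-1 collisions are practical).
HASH_ALGORITHMS = ("md5", "sha1", "sha256")


def hash_evidence(data: bytes) -> dict:
    """Return {algorithm: hex digest} for the evidence bytes."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in HASH_ALGORITHMS}


@dataclass
class CustodyEntry:
    who: str      # handler's initials/signature
    what: str     # action taken: acquired, transferred, analyzed, ...
    where: str    # physical or logical location of the evidence
    when: str     # ISO-8601 UTC timestamp
    hashes: dict  # digests observed at this handling step


@dataclass
class EvidenceRecord:
    item_id: str
    description: str
    entries: list = field(default_factory=list)

    def record(self, who: str, what: str, where: str, data: bytes,
               when: Optional[str] = None) -> CustodyEntry:
        """Append a custody entry, hashing the evidence as it is seen now."""
        entry = CustodyEntry(who=who, what=what, where=where,
                             when=when or datetime.now(timezone.utc).isoformat(),
                             hashes=hash_evidence(data))
        self.entries.append(entry)
        return entry

    def verify_integrity(self) -> list:
        """Names of handling steps whose hashes differ from the acquisition hashes.

        An empty list means every signer saw identical data, which is what the
        chain of custody form attests to.
        """
        if not self.entries:
            return []
        baseline = self.entries[0].hashes
        return [e.what for e in self.entries[1:] if e.hashes != baseline]


def demo() -> tuple:
    """Constructed walk-through: intact handling, then an altered working copy."""
    image = b"constructed disk image contents 0123456789"  # constructed sample
    rec = EvidenceRecord("EV-001", "USB drive image (constructed sample)")
    rec.record("JD", "acquired", "Lab bench 3", image, "2024-01-10T09:00:00+00:00")
    rec.record("AK", "transferred", "Evidence locker", image, "2024-01-10T10:30:00+00:00")
    rec.record("AK", "analyzed", "Forensic workstation 2", image, "2024-01-11T08:15:00+00:00")
    intact = rec.verify_integrity()  # [] : no change since acquisition
    altered = image[:-1] + b"8"      # one byte changed in the working copy
    rec.record("AK", "re-examined", "Forensic workstation 2", altered, "2024-01-12T08:00:00+00:00")
    return intact, rec.verify_integrity()  # ([], ["re-examined"])
```
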
If evidence was obtained illegally, it will be inadmissible in court. Search warrants are required to search a private citizen’s property. One exception is property that is in plain sight or at a public checkpoint. Another exception is exigent circumstances, where there is an immediate threat to human life or of evidence being destroyed. Search warrant requirements only apply to law enforcement and those acting under the color of law; an example is a corporate security professional seizing data in a corporate case under the direct supervision of law enforcement.
Entrapment and Enticement
Entrapment – When law enforcement persuades someone to commit a crime that the person otherwise had no intention of committing.
Enticement – When law enforcement makes the conditions for committing a crime favourable, but the person is already determined to commit it.
- Computer systems as target – Crimes where computer systems serve as the primary target, such as disrupting online commerce by means of Distributed Denial of Service attacks, installing malware on systems for the distribution of spam, or exploiting a vulnerability on a system to use it to store illegal content.
- Computer as a tool – Crimes where the computer is a central component enabling the commission of the crime. Examples include stealing trade secrets by compromising a database server, using computers to steal cardholder data from payment systems, conducting computer-based reconnaissance to target an individual for information disclosure or espionage, and using computer systems for the purposes of harassment.
Intellectual property refers to intangible assets. This mostly refers to software, proprietary code, and other digital assets owned by the organization, but can also refer to unpublished books, music, art, inventions, patents, or other information that should be protected.
- Trademark – Associated with marketing: a distinguishing name, logo, symbol or image. TM is used for unregistered trademarks and ® for registered trademarks.
- Servicemark – Used to brand a service – SM
- Patent – Provides a monopoly to the patent holder on the right to use, make, or sell an invention for a period of time in exchange for the holder making the invention public. European and US patents last 20 years.
- Copyright – A copyright protects published or unpublished original work from unauthorized duplication without due credit and compensation. Copyright covers not only books but also advertisements, articles, graphic designs, labels, letters (including emails), lyrics, maps, musical compositions, product designs, etc. A registered copyright is one that has been registered with the copyright office. Copyrights last 70 years after the death of the author, or 95 years after first publication if the work is a product of a corporation, or 120 years after creation. Software is covered by copyright.
- First sale doctrine – Allows the legitimate purchaser of copyrighted material to sell it to another person.
- Fair use doctrine – Allows the purchaser to duplicate copyrighted material without consent. The Copyright Act of 1976 weighs the purpose and style of the excerpt; the nature of the copyrighted work; the amount of content duplicated compared to the overall length of the work; and whether the duplication might reduce the value or desirability of the original work.
- Licenses – Contract between the provider of software and the consumer. A EULA provides explicit limits on the use and distribution of the software.
- Trade Secrets – Business-proprietary information that is important to an organization’s ability to compete. The organization must exercise due care and due diligence in protecting trade secrets. Common protection methods include non-compete and NDA (non-disclosure) agreements. Lack of reasonable protection of trade secrets can cause them to cease to be trade secrets.
- IP Attacks – Software piracy, and trade secrets targeted by espionage. Trademarks can fall under several attacks such as counterfeiting, dilution (e.g. Kleenex used to refer to any facial tissue), and cybersquatting and typosquatting (registering, in bad faith, a domain name associated with another person’s trademark).
Privacy is the protection of the confidentiality of personal information. This includes PII (Personally Identifiable Information) such as social security numbers, financial information such as annual salary and the bank account information required for payroll deposits, and healthcare information for insurance purposes. One issue to understand is whether a citizen’s privacy protections are primarily opt-in or opt-out. Opt-in requires individuals to do something in order to have their data used, whereas opt-out agreements require an individual to do something to prevent their data from being resold.
EU data protection directive
- Requires notifying individuals how their personal data is collected and used
- Allows individuals to opt out of sharing their personal data with third parties
- Requires individuals to opt in to sharing the most sensitive personal data
- Providing reasonable protections for personal data
OECD Privacy Guidelines
Organization for Economic Cooperation and Development (OECD) – Made up of 30 nations, including EU members, the US, Mexico, Australia, Japan and the Czech Republic. The OECD Privacy Guidelines were the first internationally agreed privacy principles focused on developing policies for the protection of personal data.
The OECD framework contains eight driving principles.
- Collection Limitation Principle – Personal data collection should have limits. Personal data should be obtained with the knowledge and consent of the data subject.
- Data Quality Principle – Personal data should be complete, relevant to the purposes, accurate, and kept up to date.
- Purpose Specification Principle – The purpose should be known, and use should be limited to the purposes outlined at the time of collection.
- Use Limitation Principle – Data should never be disclosed without the consent of the data subject or the authority of law.
- Security Safeguards Principle – Data should be reasonably protected against unauthorized use, disclosure or alteration.
- Openness Principle – A general policy concerning the collection and use of personal data should be readily available, outlining the main purposes of the use of the data as well as the identity and usual residence of the data controller.
- Individual Participation Principle – Individuals should be able to obtain from a data controller, or otherwise, confirmation of whether or not the data controller holds data relating to them; be made aware of the personal data held; be given the reason for any denial of access to the data held and a process for challenging any denial; and be able to challenge the content of any personal data being used, with a process for updating their personal data if it is found to be inaccurate or incomplete.
- Accountability Principle – The entity using the personal data should be accountable for upholding the principles above.
EU-US Safe Harbour
Personal data of EU citizens may not be transmitted to countries outside the EU, even with user consent. US-based organizations must voluntarily consent to the EU Data Protection Directive in order to obtain this data. The US-EU Safe Harbor process relates to privacy, that is, the protection of personal data. The Safe Harbor is a construct that outlines how U.S.-based companies can comply with EU privacy requirements. The Safe Harbor Privacy Principles state that if a non-European organization wants to do business with a European entity, it will need to adhere to the Safe Harbor requirements if certain types of data will be passed back and forth during business processes.
US Privacy Act of 1974
Defines how US citizens’ PII is used by the federal government. The Privacy Act of 1974 is a U.S. federal law that established a code of fair information practice that oversees and governs the collection, use, dissemination, and maintenance of any personally identifiable information used in systems of records by federal agencies. The act provides individuals with access to the data being maintained about them, with some national security exceptions.
There are import and export restrictions on cryptographic technologies. In the 1990s the US was one of the primary instigators of bans on the export of cryptographic technologies, especially to those considered a political threat.
Important Laws and regulations
- HIPAA – Health Insurance Portability and Accountability Act – The privacy and security portions seek to guard protected health information (PHI) from unauthorized use or disclosure by entities such as health plans, healthcare providers, and clearinghouses. The HITECH (Health Information Technology for Economic and Clinical Health) Act extended the privacy and security requirements of HIPAA to those that serve as business associates of those entities.
- Computer Fraud and Abuse Act, Title 18 Section 1030 – Criminalizes attacks on US protected computers (government, financial processing, and those used in foreign or interstate commerce) that result in $5000 in damages in one year.
- ECPA – Electronic Communications Privacy Act – Protects electronic communications from warrantless wiretapping.
- USA PATRIOT Act of 2001 – Full name: Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act – Passed in response to the September 11 terrorist attacks. Weakened the ECPA by expanding law enforcement electronic monitoring capabilities.
- Gramm-Leach-Bliley Act (GLBA) – Requires financial institutions to protect the confidentiality and integrity of consumer financial information and to notify consumers of their privacy practices.
- California Senate Bill 1386 (SB1386) – US state-level breach notification law requiring organizations to notify California residents if there is a potential disclosure of their personal data.
- Sarbanes-Oxley Act of 2002 (SOX) – Passed as a result of major accounting scandals. The act mandates that public companies ensure adequate financial disclosure, auditor independence and internal security controls such as risk assessment. Intentional violation can lead to criminal penalties.
- PCI – Payment Card Industry Data Security Standard (PCI-DSS) – Requires merchants that process credit card data to adhere to the PCI-DSS standard to better protect cardholder data, by mandating security policy, security devices, control techniques and monitoring of the systems and networks that make up cardholder data environments.
Security and 3rd Parties
Service Provider Contractual Security
- Service Level Agreements (SLA) – Identify key expectations that the vendor is contractually required to meet, such as performance, security and availability expectations.
- Attestation – Larger providers look to attestation to assure customers that they have undergone third-party scrutiny and review. Examples are SAS70, ISO 27001 and PCI-DSS, which uses a PCI Qualified Security Assessor (QSA) for attestation. For PCI, a Report on Compliance (ROC) and an Attestation of Compliance (AOC) may be issued to the organization.
- Right to penetration test / right to audit – Written approval for an organization to perform its own penetration testing, or to have a trusted provider perform the assessment on its behalf.
- Procurement – The security department should be involved prior to procuring a solution or service, so that informed, risk-based decisions can be made.
- Vendor governance or vendor management – The goal is to ensure that strategic partnerships between organizations continually provide the expected value.
- Acquisitions – Due diligence requires a thorough risk assessment of any acquired company’s information security program. It requires vulnerability assessment and penetration testing of the acquired company before any merger of networks.
- Divestiture (de-mergers and de-acquisitions) – Management of the risks to sensitive data that arise when formerly unified companies are separated, e.g. passwords and accounts, credentials, etc.
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live within the European Union (EU) and the European Economic Area (EEA). Its aim is to give consumers control over their own personal data by holding companies responsible for the way they handle and treat this information. The regulation applies regardless of where websites are based, which means it must be heeded by all sites that attract European visitors, even if they don’t specifically market goods or services to EU residents.
The GDPR sets out seven key principles which should be at the core of your approach for personal data processing:
- Lawfulness, fairness, and transparency – There should be a lawful basis for each processing activity. The data is not processed in a way that is unexpected, and the data subject is informed of the processing.
- Purpose limitation – Be clear about your purposes for processing and record and specify them in the privacy notice to individuals. Limit the processing to those identified purposes.
- Data minimization – Only process personal data to the extent necessary.
- Accuracy – Ensure the personal data that you process is accurate and up to date. Correct or erase inaccurate personal data as soon as possible.
- Storage limitation – Only keep personal data if you need it.
- Integrity and confidentiality (security) – Have appropriate security measures in place to protect the personal data from unauthorized or unlawful processing and accidental loss, destruction, or damage.
- Accountability – Take responsibility for what you do with personal data and have appropriate measures and records in place to demonstrate your compliance with the data processing principles.
The goal is to put control back in the hands of ordinary citizens and simplify the regulatory environment. Main items include:
- In case of data breach, the companies must inform the authorities within 24 hours.
- Every EU country must create a central data authority.
- Individuals must have access to their own data.
- Every individual’s information must be transferable from one service provider to another.
- Individuals have the right to be forgotten. All their information should be able to be deleted.
EU–US Privacy Shield
In October 2015 the European Court of Justice declared the previous framework (the International Safe Harbor Privacy Principles) invalid. The European Commission and the U.S. Government then began talks on a new framework, which was later put into effect on February 2, 2016.