
ISOL633 Schiller International University Law Regulation Analysis

You are to write a 4 page paper, using the same APA rules discussed at the residency, on a chapter of your choice (chapters 1 through 8). The topic should be your analysis of the law or regulation, the need for the law/regulation, and a recent example of the law/regulation in the media. The title page and references do not count towards your page limit.

ISOL 633 LEGAL REGULATIONS, INVESTIGATION, AND COMPLIANCE
Chapter 8
Federal Government Information
Security and Privacy Regulations
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
KEY CONCEPTS
• Security challenges facing the federal government
• Federal government information security and privacy regulation
• Federal Information Security Management Act (FISMA)
• Office of Management and Budget (OMB)
• Other federal agency responsibilities
• Import and export laws for information technology
Legal Issues in Information Security
INFORMATION SECURITY CHALLENGES FACING THE FEDERAL GOVERNMENT
• The federal government is the largest producer and user of information in the U.S.
• Government computer systems hold:
  • Data critical for government operations
  • Employment, tax, and citizenship data
  • Data on businesses operating in the U.S.
  • Data that is used to protect the U.S. from threats
• Federal IT systems and the data in them are attractive targets for criminals
• Examples:
  • Pentagon fighter jet blueprints
  • USAJOBS
  • IRS
  • Passports, green cards, visas
  • National security information
A LITTLE HISTORY… LAWS GOVERNING INFORMATION SECURITY AND PRIVACY
• 1987 Computer Security Act (CSA)
• 2002 E-Government Act
  • Title III – Federal Information Security Management Act (FISMA)
• 2009 Cyberspace Policy Review
• 2013 Obama’s Executive Order on Cybersecurity
FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA)
• Who must follow?
• What is the definition of Information Security?
• Components:
  • Determine government agency information security responsibilities
  • Require annual independent review
  • Authorize NIST to develop information security standards
  • OMB oversight – now shared with DHS
  • Requires risk-based approach for NSS
  • Created Federal Security Incident Response Center
FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA) (CONTINUED)
• Risk assessment
• Inventory IT systems / update systems
• Implement policies and procedures designed to reduce risk
• Implement plan for subsystems to support larger information security program
• Provide training for employees and subcontractors
• Annual testing
• Implement contingency plan for repairing weaknesses
• Implement procedure for responding to incidents of breach
• Implement business continuity plan
FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA)
• Testing and annual review
• National Institute of Standards and Technology (NIST)
• Chief Information Security Officer (CISO) – required for ensuring compliance
• CyberScope
FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA)
• Who receives the Agency Annual Report and Review Evaluation?
  • House of Representatives Oversight Committee
  • House of Representatives Science and Technology Committee
  • Senate Committee on Governmental Affairs
  • Senate Committee on Commerce, Science and Technology
  • Government Accounting Office
  • Congressional Subcommittee authorizing Agency existence
INSPECTOR GENERAL (IG)
• Inspector General Act of 1978
• Different IG for each Federal Government Agency
• Independent audits
• Reports to Congress
• Reviews actions and ensures efficient operation and good practices
• Appointed either by the President or by the Agency Head, depending on the size of the agency
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST)
• Within the Department of Commerce
• Creates standards for ALL Federal Agencies that DO NOT have NSS
• Categorizes data and systems
• Guidelines for systems depending on category
• Creates minimum information security controls
NIST DOCUMENTS
• Federal Information Processing Standards (FIPS)
• Special Publications (SPs)
FISMA IMPLEMENTATION PROJECT
• Develop and update security standards so that agencies comply with FISMA
• Provide security reference materials to support the Risk Management Framework (RMF)
• Apply a risk management-based approach to security controls
NIST RISK MANAGEMENT FRAMEWORK PROCESS
• Categorize IT systems
• Select security controls
• Implement security controls
• Assess security controls
• Authorize IT systems
• Continuously monitor security controls
FIPS 199 STANDARDS FOR CATEGORIZING FEDERAL INFORMATION AND INFORMATION SYSTEMS
• LOW – Loss of CIA has a limited adverse effect on the agency, its information, and its assets. Minor damage.
• MODERATE – Loss of CIA has a serious adverse effect, with significant damage to assets.
• HIGH – Loss of CIA has a severe or catastrophic adverse effect, with major damage to assets.
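The slide gives the three FIPS 199 impact levels but not how a whole system ends up with one of them. FIPS 199 assigns each information type an impact level per security objective (confidentiality, integrity, availability) and sets the system's security category to the high-water mark, i.e. the maximum across all information types and across the three objectives; that overall level is what drives the baseline chosen in the RMF "Select security controls" step (FIPS 200 and SP 800-53 define low, moderate and high baselines). The Python below is an added example written for this page, not code from the slides or from NIST; the information types, system names and impact values are constructed samples. It also handles the one edge case FIPS 199 allows: confidentiality may be "not applicable" for public information, which must not drag the confidentiality level down.

```python
"""Added example: FIPS 199 high-water-mark categorization (not from the slides)."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() yields the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class InfoType:
    """One information type a system handles, with its provisional impact per objective.
    confidentiality may be None: FIPS 199 allows 'not applicable' for public information."""
    name: str
    confidentiality: Optional[Impact]
    integrity: Impact
    availability: Impact


def high_water_mark(levels):
    """Highest impact among the given levels; None entries (N/A) are ignored."""
    present = [lvl for lvl in levels if lvl is not None]
    if not present:
        return None
    return max(present)


def categorize_system(info_types):
    """FIPS 199 system security category: per objective, the max over all information
    types; the overall level is the max over the three objectives."""
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    c = high_water_mark(t.confidentiality for t in info_types)
    i = high_water_mark(t.integrity for t in info_types)
    a = high_water_mark(t.availability for t in info_types)
    overall = high_water_mark([c, i, a])
    return {"confidentiality": c, "integrity": i, "availability": a, "overall": overall}


def control_baseline(overall):
    """Map the overall category to the SP 800-53 baseline picked in the RMF 'Select' step."""
    return {Impact.LOW: "low", Impact.MODERATE: "moderate", Impact.HIGH: "high"}[overall]


# Constructed sample: a benefits portal that serves public content and stores citizen records.
PORTAL = [
    InfoType("public web content", None, Impact.LOW, Impact.MODERATE),
    InfoType("citizen benefit records (PII)", Impact.MODERATE, Impact.MODERATE, Impact.LOW),
]

# Constructed sample: the same portal after adding a single HIGH-integrity payment ledger.
# One HIGH objective on one information type lifts the whole system to HIGH.
PORTAL_WITH_PAYMENTS = PORTAL + [
    InfoType("payment disbursement ledger", Impact.MODERATE, Impact.HIGH, Impact.MODERATE),
]


if __name__ == "__main__":
    for label, system in (("portal", PORTAL), ("portal+payments", PORTAL_WITH_PAYMENTS)):
        sc = categorize_system(system)
        readable = {k: (v.name if v is not None else "N/A") for k, v in sc.items()}
        print(label, readable, "-> baseline:", control_baseline(sc["overall"]))
```

The second sample is the point worth remembering when reviewing a categorization: adding one information type with a single HIGH objective moves the entire system, and therefore its control baseline, to HIGH, which is why agencies scrutinize what data a system is allowed to hold before it is authorized.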
NIST DOCUMENTS
• FIPS 200 Minimum Security Requirements for Federal Information and Information Systems
• SP 800-53 Revision 4 Recommended Security and Privacy Controls
CENTRAL INCIDENT RESPONSE CENTER
• 1996, under direction of OMB/DHS
• Requirements:
  • Give technical support
  • Share information about security incidents
  • Inform agencies about potential threats
  • Consult with NIST and with agencies with NSS about security incidents
CENTRAL INCIDENT RESPONSE CENTER
• Reporting depends on category
• Categories 0–6:
  • 0 – Network testing
  • 1 – Unauthorized access
  • 2 – Denial of service
  • 3 – Malicious code
  • 4 – Improper use
  • 5 – Scans, probes, and attempted access
  • 6 – Investigations
NATIONAL SECURITY SYSTEMS
• NSS – those systems used for intelligence activities, command and control of military forces, weapons and weapon control equipment, cryptography to protect national security, military and military intelligence, and information classified for defense and foreign policy
• Oversight – Committee on National Security Systems (CNSS)
  • 21 voting members
ACCESS CONTROL MODELS
• Discretionary Access Control (DAC) – at the discretion of the owner
• Mandatory Access Control (MAC) – security labels and classifications
• Role-Based Access Control (RBAC) – job function or role
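The three models differ in who is allowed to make the access decision, and that difference is clearest in code. The Python below is an added example written for this page, not code from the slides or the textbook: a DAC object whose owner alone edits its ACL, a MAC check using the Bell-LaPadula no-read-up and no-write-down rules over a hypothetical label lattice, and an RBAC check where permissions attach to roles rather than to users. All user names, labels, roles and permissions are constructed samples.

```python
"""Added example (not from the slides): minimal DAC, MAC and RBAC decision functions."""
from enum import IntEnum


# ---- Discretionary Access Control: the object's owner decides who gets what ----
class DacObject:
    """A resource whose ACL is managed at the discretion of its owner."""

    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"read", "write"}}  # owner starts with full rights

    def grant(self, granter, user, permission):
        """Only the owner may change the ACL; anyone else is refused."""
        if granter != self.owner:
            raise PermissionError(f"{granter} is not the owner of this object")
        self.acl.setdefault(user, set()).add(permission)

    def allowed(self, user, permission):
        return permission in self.acl.get(user, set())


# ---- Mandatory Access Control: labels decide, and subjects cannot override them ----
class Label(IntEnum):
    """Hypothetical label lattice; higher value = more sensitive."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def mac_can_read(clearance, classification):
    """Simple-security property (no read up): clearance must dominate the label."""
    return clearance >= classification


def mac_can_write(clearance, classification):
    """*-property (no write down): a subject may only write at or above its level,
    which stops a cleared user from copying SECRET data into an UNCLASSIFIED file."""
    return classification >= clearance


# ---- Role-Based Access Control: permissions attach to roles, users get roles ----
ROLE_PERMISSIONS = {  # constructed sample roles
    "payroll_clerk": {"view_timesheet", "submit_payroll"},
    "auditor": {"view_timesheet", "view_ledger"},
}


def rbac_allowed(user_roles, permission):
    """True if any role assigned to the user carries the permission."""
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in user_roles)


def demo():
    """Run the three models over constructed inputs; returns the decisions for checking."""
    doc = DacObject(owner="alice")
    doc.grant("alice", "bob", "read")
    try:
        doc.grant("bob", "mallory", "read")  # bob is not the owner: refused
        bob_granted = True
    except PermissionError:
        bob_granted = False
    return {
        "dac_bob_read": doc.allowed("bob", "read"),                                         # True
        "dac_bob_write": doc.allowed("bob", "write"),                                       # False
        "dac_bob_can_delegate": bob_granted,                                                # False
        "mac_secret_reads_confidential": mac_can_read(Label.SECRET, Label.CONFIDENTIAL),    # True
        "mac_confidential_reads_secret": mac_can_read(Label.CONFIDENTIAL, Label.SECRET),    # False
        "mac_secret_writes_unclassified": mac_can_write(Label.SECRET, Label.UNCLASSIFIED),  # False
        "rbac_clerk_ledger": rbac_allowed({"payroll_clerk"}, "view_ledger"),                # False
        "rbac_auditor_ledger": rbac_allowed({"auditor"}, "view_ledger"),                    # True
    }


if __name__ == "__main__":
    for check, decision in demo().items():
        print(f"{check:32} {decision}")
```

Note what each model cannot express: under DAC, a user who can read a file can freely copy its contents somewhere less protected, which is exactly what the MAC *-property forbids, and under RBAC a user's rights change only when their role assignment changes, which is why federal systems with classified data lean on MAC while corporate systems mostly use RBAC.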
FEDERAL PRIVACY LAWS
• Privacy Act of 1974
  • Applies to the Federal Government but not to State and local governments
  • Definition of "record" under this act
  • Exemptions (12)
  • SORN
  • OMB oversight
FEDERAL PRIVACY LAWS
• E-Government Act of 2002
  • Review IT systems for privacy risks
  • Post privacy policies on website
  • Post machine-readable privacy policies
  • Report privacy activities to OMB
  • PIA
OMB REQUIREMENTS FOR BREACH NOTIFICATION
• Review and reduce the volume of personally identifiable information stored
• Eliminate unnecessary use of SSNs
• Explore alternatives to using the SSN as a personal identifier
• Develop policies and procedures for individuals who are authorized to access personally identifiable information
OMB BREACH NOTIFICATION
Breach Notification Plan (figure; elements shown on the slide):
• Determine if breach notification is required
• Source of the notification
• Time for notification
• Contents of the notice
• Means of providing the notice
• Who gets the notice
REGULATORY REQUIREMENTS FOR THE IMPORT AND EXPORT OF INFORMATION TECHNOLOGY
• Department of Commerce
  • Export Administration Regulations (EAR)
  • Export Administration Act of 1979
  • Bureau of Industry and Security
  • Commerce Control List (CCL)
• Department of State
  • International Traffic in Arms Regulations (ITAR)
• Treasury Department
  • Office of Foreign Assets Control (OFAC)
REGULATORY REQUIREMENTS FOR THE IMPORT AND EXPORT OF INFORMATION TECHNOLOGY
• Export of technology or software includes:
  • Release of technology or software subject to the EAR in a foreign country
  • Release of technology or source code subject to the EAR to a foreign national, within the United States or outside
  • Transfer of source code
  • Inspection or oral communication of code
• Violations are subject to civil penalties or denial of export privileges
• Willful violations are subject to criminal penalties
THANK YOU
For Questions:
Email: Leslie.Stovall@ucumberlands.edu
Legal Issues in Information Security
Lesson 1: Information Security Overview
Learning Objective
Recognize fundamental concepts of information systems security (ISS).
• Begin to think about the legal implications of ISS concepts and issues
• Definitions and general terms
• Concepts
• Classifications or types of information security
• Different levels of protection for various types of information
What is Information Security?
• The practice of protecting information
What is the primary goal of Information Security?
• To protect 3 aspects of information:
  • Confidentiality
  • Integrity
  • Availability
What is a Triad?
• A grouping of three things we generally think about together as a unit
Key Concepts
• Confidentiality, integrity, and availability (C-I-A triad)
• Basic information system security concepts
• Risk analysis and mitigation
• Mechanisms for organizational information security
• Data classifications requiring specialized legal consideration
WHAT IS CONFIDENTIALITY?
• Preventing people who should not have access to data from obtaining it.
• Important at all phases:
  • Creation of data
  • Manipulation, summarization, use
  • Analysis
  • Transmission
  • Destruction
• Breaches:
  • Intentional
  • Accidental
WHAT IS INTEGRITY?
• Means systems and their data are accurate.
WHAT IS AVAILABILITY?
• Making sure the systems operate reliably and that data is accessible by people with permission when they need it.
• Ensures no bottlenecks or slowdowns, and that data is available at peak times.
  • Single point of failure – a single piece of hardware or software critical to the entire system.
C-I-A Triad
Seven Domains of a Typical IT Infrastructure
Basic Risk Management Concepts
• Vulnerability – asset weaknesses
• Threats – anything that has the potential to harm the system
• Threat agents – hackers and malware
• Exploitation – threats that are carried out
• Mitigation – safeguarding assets
• Risks – the likelihood that a threat will be exploited. Some can be minimized by the asset owner.
• Safeguards – implemented by an organization as controls used to reduce harm caused by vulnerabilities and threats.
  • Referred to as “risk mitigation”
Risk Management Process
(figure on the slide; elements shown: Threat Agent, Threat, Vulnerability, Risk, Asset, Safeguard, Organization)
Roles in Risk Management
• Senior Management
• Chief Information Security Officer
• Information Technology Department
• Legal Department
Information Security Common Concerns
• Shoulder surfing
• Social engineering
• Phishing and targeted phishing scams
• Malware
• Spyware and keystroke loggers
• Logic bombs
• Back doors
• Denial of service attacks
Information Security in Different Contexts
• Private – harmful to the organization if disclosed
  • High interest in confidentiality
• Public – no harm to the organization through disclosure
  • High interest in availability
Data Classification
(two-column slide: Governmental Classification vs. General Corporate Classification; column assignment was lost in extraction)
• Levels shown: Top Secret, Secret, Confidential, Restricted, Unclassified, Corporate Confidential, Client Confidential, Proprietary, Public
Mechanisms for Ensuring Information Security
• Laws and legal duties
• Contracts
• Governance
• Voluntary organizations
Legal Mechanisms to Ensure Information Security
• Laws
  • Gramm-Leach-Bliley Act, HIPAA, COPPA, FERPA, and many others
• Information regulations
  • Financial, credit card, health, etc.
• Agencies
  • FTC, banks, DHHS, SEC, DOE, etc.
Thank you!
Please email questions and/or comments to Dr. Les Stovall
Leslie.Stovall@ucumberlands.edu
ISOL 633 Legal Regulations, Investigations and Compliance
Chapter 2 – Lecture 2
Privacy Overview
Learning Objectives/Key Concepts
Examine the concept of privacy and its legal protections.
• Basic privacy principles
• Explain the difference between Information Security and Privacy
• Describe threats to privacy
Learning Objectives/Key Concepts Continued
• Explain important issues regarding workplace privacy
• General principles for privacy protection
What Is Privacy?
• A person has control of his or her personal data
• Control = a person can specify the collection, use, and sharing of their data
• Government’s power to interfere in the privacy of its citizens is limited
Examples of Private Information
• Financial information
• Health information
• Biometric data
• Personal identifying information
• Other
Not All Information Is Private
• We would like to control every aspect of our life in terms of who has access to it.
• Not all information is private:
  • Public records
  • Minutes of government meetings
  • Sex offender registration
  • Criminal records
  • Court dockets
  • Pleadings