Principles of Information System Security: Text and Cases
Gurpreet Dhillon
PowerPoint prepared by Youlong Zhuang, University of Missouri-Columbia
Chapter Fourteen: Legal Aspects of Information System Security
Copyright 2006 John Wiley & Sons, Inc.
14-3
Learning Objectives
Become familiar with the following six acts:
- Computer Fraud and Abuse Act
- Computer Security Act
- Health Insurance Portability and Accountability Act
- USA PATRIOT Act
- Sarbanes-Oxley Act
- Federal Information Security Management Act
The Need for Laws
- Controls within a firm alone may not be enough for IS security
- Laws are required to investigate and prosecute violators
- This chapter discusses six legal enactments by Congress
The Computer Fraud and Abuse Act (CFAA)
- CFAA was introduced in 1984 to protect computers used by the government or in defense
- CFAA was extended in 1986 to protect 'federal interest computers'
- CFAA was amended in 1996 to protect all computers involved in interstate and international commerce
CFAA (cont'd)
- The purpose is to provide protections and penalties for violating the law
- The penalties include both criminal and civil liability
- The legal elements of computer fraud include:
  - Knowingly and with intent to defraud
  - Accessing a protected computer without authorization, or exceeding authorized access
  - Thereby furthering a fraud and obtaining anything of value
CFAA (cont'd)
- CFAA applies to the private sector, not just to the federal government
- CFAA allows plaintiffs to pursue actions against defendants in federal court, not just in state courts
- A CFAA claim can be brought alongside other claims against the same defendant (a 'double whammy'), allowing the plaintiff to attempt to recover more in damages
CFAA, the Case of Shurgard Storage Centers v. Safeguard Self Storage
- Several managers of Shurgard Storage left to work for Safeguard (a competitor)
- They allegedly used the plaintiff's computers to email trade secrets to the defendant
- The defendants argued that they were still Shurgard employees at the time
- The court held that the employees no longer had 'authorization' once they sent the information to their new firm
CFAA, the Case of Shurgard Storage v. Safeguard Self Storage (cont'd)
- The defendants argued that there was no evidence of the traditional elements of common law fraud
- The court held that proof of the elements of common law fraud is not required under the CFAA
- The disloyal employee was in effect treated as a hacker
CFAA, the Case of Shurgard Storage v. Safeguard Self Storage (cont'd)
- 'Damage' is defined as any 'impairment to the integrity' of the computer data or information
- The terms 'protected computer' and 'without authorization' have a broad meaning and intended scope
The Computer Security Act (CSA)
- CSA was passed by Congress in 1987
- Motivation:
  - Escalating use of computer systems by the government
  - Requirement to ensure the security and privacy of unclassified, sensitive information
CSA (cont'd)
- Purposes:
  - To standardize and tighten security on computers of the government and its contractors
  - To train the workforce in maintaining appropriate security levels
CSA (cont'd)
Issues that shaped the debate over the CSA:
- The National Security Agency (NSA) vs. the National Institute of Standards and Technology (NIST)
- The need for greater training of personnel involved in Federal computer security
- The scope of the legislation in terms of defining a 'Federal computer system'
CSA (cont'd)
- CSA requires the identification of systems and the establishment of security plans
- CSA requires mandatory periodic training
- CSA requires NIST to establish a computer standards program
- CSA requires the establishment of a computer system security and privacy advisory board within the Department of Commerce
Health Insurance Portability and Accountability Act (HIPAA)
- HIPAA is intended to promote a better healthcare delivery system through broad and sweeping legislative measures
- IS security is of paramount importance to the future of any health care program
- All firms that deal with protected health information (PHI) have to be in compliance with HIPAA
HIPAA Requirements
- HIPAA was passed in 1996
- The primary purpose of HIPAA is to improve Medicare and the efficiency and effectiveness of the healthcare system
- Privacy is concerned with what information is covered
- Security is the mechanism that protects the information
HIPAA Requirements (cont'd)
- Standardization of electronic patient administrative and financial data
- Unique identifiers for providers, health plans, and employers
- Changes to most healthcare transaction and administrative information systems
- Privacy regulation and the confidentiality of patient information
- Technical practices and procedures to ensure data integrity, security, and availability of healthcare information
HIPAA Compliance and Recommended Protection
Organizations can complete a business impact analysis and a risk assessment to determine compliance with HIPAA:
- Baseline assessment: examine the current security environment with respect to policies, processes, and technology
- Gap analysis: compare the current environment with the regulatory requirements
- Risk assessment: address the areas identified in the gap analysis as requiring remediation
HIPAA Compliance and Recommended Protection (cont'd)
HIPAA mandates that security standards be applied in four main areas:
- Administrative procedures (e.g. personnel procedures)
- Physical safeguards (e.g. locks)
- Technical security services: to protect data at rest
- Technical security mechanisms: to protect data in transit
HIPAA Compliance and Recommended Protection (cont'd)
Risk analysis:
- Identifying and documenting all electronic PHI repositories
- Periodically re-inventorying electronic PHI repositories
- Identifying the potential vulnerabilities of each repository
- Assigning a level of risk to each electronic PHI repository
HIPAA Compliance and Recommended Protection (cont'd)
Risk management:
- Implementing security measures to reduce risks and vulnerabilities to a reasonable and appropriate level
- Medium- and high-risk EPHI repositories must be secured in accordance with HIPAA Security Policies #1-17
- Sanctions for noncompliance
HIPAA Compliance and Recommended Protection (cont'd)
- Information system activity review: implementing an internal audit procedure to regularly review records of system activity
- HIPAA compliance/risk management officer: such an officer is needed, with proper training and credentials
Positive Aspects of HIPAA
- A standardization of identifiers that makes it possible to communicate effectively, efficiently, and consistently
- The health care provider and insurance-related industry becomes more cognizant of the risks associated with PHI
- Accountability through monitoring and updating the security aspects of PHI
- Disaster planning helps the continuity and quality of health care delivery
Negative Aspects of HIPAA
- Cost: health care organizations have spent years and over $17 billion in an effort to comply with HIPAA
- Complications of interpretation and compliance
- Fines and penalties
- Loss of productivity
USA PATRIOT Act
- Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act
- It was signed into law on Oct 26, 2001
- The goal is to provide law enforcement agencies with the tools necessary to investigate and apprehend people suspected of planning or carrying out terrorist acts
IT and the USA PATRIOT Act
- Electronic Communications Privacy Act (ECPA) of 1986 (defines rules and regulations for protection of the privacy of electronic communication)
- Foreign Intelligence Surveillance Act (FISA) of 1978 (defines standards for wiretapping/surveillance of electronic communication)
- Computer Fraud and Abuse Act (CFAA) of 1986 (defines rules and regulations aimed at the prevention of computer "hacking")
Subpoena and Disclosure of Content of Electronic Communication
- ECPA limits the scope of electronic communication records that can be made available
- The PATRIOT Act broadens the category of things that can be subpoenaed
- ECPA limits an Internet Service Provider's ability to disclose electronic communication content to the authorities
- The PATRIOT Act extends this: ISPs can disclose (without prior notification to the user) the content of electronic communication when there is fear of a physical threat
Use of Pen Register and Trap-and-Trace Surveillance Devices on Electronic Communication
- Will ISPs be required to make infrastructure changes to accommodate pen/trap devices?
- Are there storage requirements that ISPs must address to support the retention of records?
Prevention of Cyber-Terrorism
The PATRIOT Act extends and clarifies some key points of the CFAA:
- The definition of "damages" is clarified
- "Intentional actions" are defined/clarified
- The definition of "protected computers" is clarified
- Extension to provide protection to designers of hardware, software, and firmware
Prevention of Cyber-Terrorism (cont'd)
- Offended parties now have a clearer understanding of when they can and cannot pursue prosecution under the CFAA
- Organizations will need to be able to show proof of greater than $5,000 in damage (the loss threshold for a CFAA action)
- Offended parties may need to become involved in investigations that span several routers and trunks of the Internet
- Organizations can reassess the risk/cost associated with civil prosecution against designers of hardware, software, and firmware
Sarbanes-Oxley Act (SOX)
- The Public Company Accounting Reform and Investor Protection Act was sponsored in Congress by Senator Sarbanes and Representative Oxley
- It was signed on July 30, 2002
- It was passed in response to the corporate scandals of 2001 and 2002
SOX (cont'd)
Areas covered by SOX:
- External auditor oversight and standards
- Internal audit committee responsibility
- Executive management accountability
- Strengthening of financial disclosure
- Criminal penalties
IT and SOX
- Analysis and potential implementation/integration of software packages on the market that assist with SOX compliance
- Provide authentication of data through the use of data integrity controls
- Capture and document detailed logs of data access and modifications
IT and SOX (cont'd)
- Secure data by means such as firewalls
- Document and remediate IT application control structures and processes
- Provide storage capacity for the retention of corporate data assets related to the law
- Provide recoverability of the archive
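The SOX requirements above (data integrity controls, detailed logging of data access and modifications) and the HIPAA "information system activity review" requirement both come down to the same engineering problem: an audit record that a disloyal insider cannot quietly edit, plus a routine review of that record. The following Python is an added example written for this page, not code from the book or from any compliance product: a hash-chained audit log where each entry commits to the previous one, a verifier that reports where a chain was altered, and a review pass over constructed sample entries. The role table, business-hours window, actor names and record identifiers are all assumptions made up for the illustration.

```python
import copy
import hashlib
import json
from datetime import datetime

# Hash of the (non-existent) entry before the first one.
GENESIS = "0" * 64

# Fields that are covered by the per-entry hash.
BODY_FIELDS = ("ts", "actor", "role", "action", "record")

# Assumed role-to-permitted-action table (illustrative, not from the page).
ALLOWED = {
    "clerk": {"read"},
    "accountant": {"read", "modify"},
    "admin": {"read", "modify", "delete"},
}


def entry_hash(prev_hash, body):
    """SHA-256 over the previous hash and a canonical JSON encoding of the body."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class AuditLog:
    """Append-only log; every entry chains to the hash of the entry before it."""

    def __init__(self):
        self.entries = []

    def record(self, actor, role, action, record_id, ts):
        body = {"ts": ts, "actor": actor, "role": role,
                "action": action, "record": record_id}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({**body, "prev_hash": prev,
                             "hash": entry_hash(prev, body)})
        return self.entries[-1]["hash"]


def verify_chain(entries):
    """Return the index of the first entry whose link or hash is wrong, or -1 if intact.

    Detects edits to any hashed field, insertion, deletion and reordering,
    because each entry's hash depends on everything before it.
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: e[k] for k in BODY_FIELDS}
        if e["prev_hash"] != prev or entry_hash(prev, body) != e["hash"]:
            return i
        prev = e["hash"]
    return -1


def review(entries, business_hours=(8, 18)):
    """Periodic activity review: flag role violations and after-hours changes."""
    findings = []
    for e in entries:
        hour = datetime.fromisoformat(e["ts"]).hour
        if e["action"] not in ALLOWED.get(e["role"], set()):
            findings.append({"kind": "role_violation", **e})
        if e["action"] in ("modify", "delete") and not (
                business_hours[0] <= hour < business_hours[1]):
            findings.append({"kind": "after_hours_change", **e})
    return findings


def tampered_copy(entries, index, field, value):
    """Simulate an insider editing one stored entry after the fact."""
    edited = copy.deepcopy(entries)
    edited[index][field] = value
    return edited


def build_sample_log():
    """Constructed sample activity (not real data); timestamps are ISO 8601."""
    log = AuditLog()
    log.record("jdoe", "clerk", "read", "GL-1001", "2006-03-14T09:12:00")
    log.record("asmith", "accountant", "modify", "GL-1001", "2006-03-14T10:45:00")
    log.record("jdoe", "clerk", "modify", "GL-2042", "2006-03-14T11:03:00")   # clerk may not modify
    log.record("asmith", "accountant", "modify", "GL-1001", "2006-03-14T22:15:00")  # 22:15 is after hours
    log.record("root", "admin", "delete", "GL-3000", "2006-03-15T08:00:00")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", verify_chain(log.entries) == -1)
    for f in review(log.entries):
        print(f["kind"], f["actor"], f["action"], f["record"], f["ts"])
    edited = tampered_copy(log.entries, 1, "action", "read")
    print("first bad entry after edit:", verify_chain(edited))
```

In practice the chain head (the last hash) must be written somewhere the people being audited cannot reach, such as a write-once store or a separately administered host; otherwise an insider with write access to the log can simply recompute the chain after editing it. The review rules here are deliberately simple; the point is that they run over a record whose integrity has been checked first.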
Federal Information Security Management Act (FISMA)
- FISMA was passed in late 2002, in connection with the creation of the Department of Homeland Security
- Security programs are required, including:
  - A structure for detecting and reporting incidents
  - A business continuity plan
  - Defined and published security policies and procedures
  - A risk assessment plan
FISMA (cont'd)
- At regular intervals, an agency has to report its compliance with the requirements mandated by the law
- IT executives are held accountable for the management of a security policy
- The National Institute of Standards and Technology (NIST) publishes the standard for the categorization of Federal information and information systems (FIPS 199)
Copyright 2006 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in section 117 of the 1976 United States Copyright Act without express permission of the copyright owner is unlawful. Requests for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages caused by the use of these programs or from the use of the information herein.