
Principles of Information System Security: Text and Cases

Gurpreet Dhillon

PowerPoint prepared by Youlong Zhuang, University of Missouri-Columbia

Chapter Fourteen: Legal Aspects of Information System Security

Copyright 2006 John Wiley & Sons, Inc.

Learning Objectives

Become familiar with the following six acts:
  Computer Fraud and Abuse Act
  Computer Security Act
  Health Insurance Portability and Accountability Act
  USA PATRIOT Act
  Sarbanes-Oxley Act
  Federal Information Security Management Act

The Need for Laws

Controls within a firm may not be enough for IS security

Laws are required to investigate and prosecute violators

This chapter discusses six legal enactments by Congress

The Computer Fraud and Abuse Act (CFAA)

CFAA was introduced in 1984 to protect computers used by the government or in defense

CFAA was extended in 1986 to protect ‘federal interest computers’

CFAA was amended in 1996 to protect all computers involved in interstate and international commerce

CFAA (cont’d)

The purpose is to provide protections and penalties for violating the law

The penalties include both criminal and civil

The legal elements of computer fraud include:
  Knowingly and with intent to defraud
  Accessing a protected computer without authorization, or exceeding authorization
  Thereby furthering a fraud and obtaining anything of value

CFAA (cont’d)

CFAA applies to the private sector, not just the federal government

CFAA allows plaintiffs to pursue actions against defendants in federal court, not just in state courts

CFAA allows a double whammy against the defendant, and allows the plaintiff to attempt to recover more in damages

CFAA, the Case of Shurgard Storage Centers v. Safeguard Self Storage

Several managers of Shurgard Storage left to work for Safeguard (a competitor)

They allegedly used the plaintiff’s computers to email trade secrets to the defendant

The defendants argued: they were Shurgard employees at the time

The court said: they no longer had ‘authorization’ when they sent information to their new firm

CFAA, the Case of Shurgard Storage v. Safeguard Self Storage (cont’d)

The defendant argued: no evidence of the traditional elements of common law fraud

The court said: proof of the elements of common law fraud is not required under the CFAA

The disloyal employee was in effect treated as a hacker

CFAA, the Case of Shurgard Storage v. Safeguard Self Storage (cont’d)

‘Damage’ is defined as any ‘impairment to the integrity’ of the computer data or information

The terms ‘protected computer’ and ‘without authorization’ have broad meaning and intended scope

The Computer Security Act (CSA)

CSA was passed by Congress in 1987

Motivation:
  Escalating use of computer systems by the government
  Requirement to ensure the security and privacy of unclassified, sensitive information

CSA (cont’d)

Purposes:
  To standardize and tighten security on computers of the government and its contractors
  To train the workforce in maintaining appropriate security levels

CSA (cont’d)

Issues that shaped the debate over the CSA:
  The National Security Agency (NSA) vs. the National Institute of Standards and Technology (NIST)
  The need for greater training of personnel involved in Federal computer security
  The scope of the legislation in terms of defining a ‘Federal computer system’

CSA (cont’d)

CSA requires the identification of systems and the establishment of security plans

CSA requires mandatory periodic training

CSA requires NIST to establish a computer standards program

CSA requires the establishment of a computer system security and privacy advisory board within the Department of Commerce

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA is intended to promote a better healthcare delivery system through broad and sweeping legislative measures

IS security is of paramount importance to the future of any health care program

All firms that deal with protected health information (PHI) have to be in compliance with HIPAA

HIPAA Requirements

HIPAA was passed in 1996

The primary purpose of HIPAA is to improve Medicare and the efficiency and effectiveness of the healthcare system

Privacy is concerned with what information is covered

Security is the mechanism to protect the information

HIPAA Requirements (cont’d)

Standardization of electronic patient administrative and financial data

Unique identifiers for providers, health plans, and employers

Changes to most healthcare transaction and administrative information systems

Privacy regulation and the confidentiality of patient information

Technical practices and procedures to ensure data integrity, security, and availability of healthcare information

HIPAA Compliance and Recommended Protection

Organizations can complete a business impact analysis and a risk assessment to determine compliance with HIPAA:

  Baseline assessment: examine the current security environment with respect to policies, processes, and technology

  Gap analysis: compare the current environment with the proposed regulatory requirements

  Risk assessment: address the areas identified in the gap analysis that require remediation

HIPAA Compliance and Recommended Protection (cont’d)

HIPAA mandates that security standards be applied in four main areas:
  Administrative procedures (e.g. personnel procedures)
  Physical safeguards (e.g. locks)
  Technical security services: to protect data at rest
  Technical security mechanisms: to protect data in transit

HIPAA Compliance and Recommended Protection (cont’d)

Risk analysis:
  Identifying and documenting all electronic PHI repositories
  Periodically re-inventorying electronic PHI repositories
  Identifying the potential vulnerabilities of each repository
  Assigning a level of risk to each electronic PHI repository

HIPAA Compliance and Recommended Protection (cont’d)

Risk management:
  Implementing security measures to reduce risks and vulnerabilities to a reasonable and appropriate level
  Medium and high risk EPHI repositories must be secured in accordance with HIPAA Security Policies #1-17
  Sanctions for noncompliance

HIPAA Compliance and Recommended Protection (cont’d)

Information system activity review: implementing an internal audit procedure to regularly review records of system activity

HIPAA compliance/risk management officer: such an officer is needed, with proper training and credentials

Positive Aspects of HIPAA

A standardization of identifiers that makes it possible to communicate effectively, efficiently, and consistently

The health care provider/insurance related industry becomes more cognizant of the risks associated with PHI

Accountability through monitoring and updating the security aspect of PHI

Disaster planning helps in the continuity and quality of health care delivery

Negative Aspects of HIPAA

Cost: health care organizations have spent years and over $17 billion in an effort to comply with HIPAA

Complications of interpretation and compliance

Fines and penalties

Loss of productivity

USA PATRIOT Act

Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act

It was signed into law on Oct 26, 2001

The goal is to provide law enforcement agencies with the tools necessary to investigate and apprehend people suspected of planning or carrying out terrorist acts

IT and the USA PATRIOT Act

Electronic Communications Privacy Act (ECPA) of 1986 (defines rules and regulations for protection of privacy of electronic communication)

Foreign Intelligence Surveillance Act (FISA) of 1978 (defines standards for wiretapping/surveillance of electronic communication)

Computer Fraud and Abuse Act (CFAA) of 1986 (defines rules and regulations aimed at prevention of computer “hacking”)

Subpoena and Disclosure of Content of Electronic Communication

ECPA limits the scope of electronic communication that could be made available

The PATRIOT Act broadens the category of things that can be subpoenaed

ECPA limits an Internet Service Provider’s ability to disclose electronic communication content to the proper authorities

The PATRIOT Act extends this by ruling that ISPs can disclose (without prior notification to the user) the content of electronic communication when there is fear of a physical threat

Use of Pen and Trap Surveillance Devices on Electronic Communication

Will ISPs be required to make infrastructure changes to accommodate pen/trap devices?

Are there storage requirements that ISPs must address to support the storage of records?

Prevention of Cyber-Terrorism

The PATRIOT Act extends and clarifies some key points of the CFAA:
  The definition of “damages” is clarified
  “Intentional actions” are defined/clarified
  The definition of “protected computers” is clarified
  Extension to provide protection to designers of hardware, software, and firmware

Prevention of Cyber-Terrorism (cont’d)

Offended parties can now have a clearer understanding of when they can and cannot pursue prosecution under the CFAA

Organizations will be able to show proof of greater than $5,000 in damage

Offended parties may need to become involved in an investigation that covers several routers and trunks of the Internet

The risk/cost associated with civil prosecution against designers of hardware, software, and firmware can be reassessed by organizations

Sarbanes-Oxley Act (SOX)

The Public Company Accounting Reform and Investor Protection Act was sponsored in Congress by Senator Sarbanes and Representative Oxley

It was signed on July 30, 2002

It was passed in response to the corporate scandals of 2001 and 2002

SOX (cont’d)

Areas covered by SOX:
  External auditor oversight and standards
  Internal audit committee responsibility
  Executive management accountability
  Financial disclosure strengthening
  Criminal penalties

IT and SOX

Analysis and potential implementation/integration of software packages on the market that assist with SOX compliance

Provide authentication of data through the use of data integrity controls

Capture and documentation of detailed logging of data access and modifications

IT and SOX (cont’d)

Secure data by means such as firewalls

Document and remediate IT application control structures and processes

Provide storage capacity for the retention of corporate data assets related to the law

Provide recoverability of the archive

Federal Information Security Management Act (FISMA)

FISMA was passed in late 2002 as a requisite of the Department of Homeland Security

Security programs are required:
  A structure for detecting and reporting incidents
  A business continuity plan
  Defined and published security policies and procedures
  A risk assessment plan

FISMA (cont’d)

At regular intervals, an agency has to report its compliance with the requirements mandated by the law

IT executives are held accountable for the management of a security policy

National Institute of Standards and Technology (NIST)

Categorization of Federal Information and Information Systems

Copyright 2006 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in section 117 of the 1976 United States Copyright Act without express permission of the copyright owner is unlawful. Requests for further information should be addressed to the Permission Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages caused by the use of these programs or from the use of the information herein.