Legal, Regulations, Compliance, and Investigations

Law, as it applies to information systems security, has multiple facets. A security professional is expected to know and understand what laws apply to computer crimes, how to determine whether a crime has occurred, how to preserve evidence, the basics of conducting an investigation, and the liabilities under the law.

In addition to legal obligations, a security practitioner has ethical responsibilities to the employer, the constituency that is being served, and to the profession as a whole. These ethical factors are delineated by a number of professional organizations, including the International Information Systems Security Certification Consortium (ISC)2, the Internet Architecture Board (IAB, known as the Internet Activities Board when it issued RFC 1087), and the Computer Ethics Institute.

Types of Computer Crime

Computer-related crimes have increased because of the connectivity provided by the Internet and the ever-decreasing costs of computational resources. Because Internet-based crimes can be initiated from jurisdictions all over the world, many are difficult to investigate and prosecute.

Numerous government and private sector surveys show that computer crimes are increasing. It is difficult to estimate the economic impact of these crimes, however, because many are never detected or reported. It is not unreasonable to assume, however, that computer crimes result in billions of dollars in losses to companies in the worldwide economy. In general, computer crimes fall into three categories - crimes committed against the computer, crimes using the computer, and crimes in which the computer is incidental. The following is a general listing of the most prominent types of computer crimes:

Examples of Computer Crime

The following are some specific instances of computer crimes:

Laws have been passed in many countries to address these crimes. Obviously, there are jurisdictional problems associated with the international character of the Internet that make prosecution difficult and sometimes impossible. Some of the international organizations that are addressing computer crime are the United Nations, Interpol, the European Union, and the G8 leading industrial nations.

The rapid development of new technology usually outpaces the law. Thus, law enforcement has often relied on traditional statutes against embezzlement, fraud, and wiretapping, stretched to cover acts such as denial of service, to prosecute computer criminals. The issues of digital signatures, e-commerce, and digital currency will certainly have to be addressed by the legal system as these technologies are deployed.

In addition to law enforcement agencies, a number of other organizations in the United States track computer crimes. These organizations include the Department of Energy Computer Incident Advisory Capability (CIAC), the Carnegie Mellon University Software Engineering Institute Computer Emergency Response Team Coordination Center (CERT/CC), and the Purdue University Center for Education and Research in Information Assurance and Security (CERIAS).

Law

There are many types of legal systems in the world, and they differ in how they treat evidence, the rights of the accused, and the role of the judiciary. Examples of these different legal systems are common law, Islamic and other religious law, and civil law. The common law system is employed in the United States, United Kingdom, Australia, and Canada. Civil law systems are used in France, Germany, and Quebec, to name a few.

Example: The United States

Under the United States Constitution, there are three “branches” of government, and all contribute to making the laws. These branches are the legislative branch, the executive branch, and the judicial branch. The legislative branch makes statutory laws, the administrative agencies of the executive branch create administrative laws, and the judicial branch makes the common laws found in court decisions.

Compilation of Statutory Law

Statutory laws are collected as session laws, which are arranged in order of enactment, or as statutory codes, which arrange the laws according to subject matter. In the United States at the federal level, the session laws are found in the Statutes at Large (Stat.), and the statutory codes are held in the United States Code (U.S.C.). The statutory laws for the states are also arranged in these two categories.

Federal statutes are usually cited to the United States Code, and this citation contains the following elements:

For example, “18 U.S.C. § 1001 (1992)” refers to Section 1001 in Title 18 of the 1992 edition of the United States Code. Title 18 of the United States Code is Crimes and Criminal Procedure, and many computer crimes are prosecuted under this title. The U.S. Computer Fraud and Abuse Act, which addresses the use of federal-interest computers (later broadened to “protected computers”) to commit fraud, can be found as “18 U.S.C. § 1030 (1986).” Other titles are as follows:

Compilation of Administrative Law

Administrative laws are also arranged either chronologically in administrative registers or by subject matter in administrative codes. At the federal level, these arrangements are respectively called the Federal Register (Fed. Reg.) and the Code of Federal Regulations (C.F.R.). A citation to the Code of Federal Regulations includes the following:

Thus, the reference “12 C.F.R. § 100.4 (1992)” points to Section 100.4 in Title 12 of the 1992 edition of the Code of Federal Regulations.

Compilation of Common Law

Common law is compiled as Case Reporters in chronological fashion and in Case Digests arranged by subject matter.

Common Law System Categories

The main categories of laws under the common law system (not to be confused with common law resulting from court decisions) are criminal law, civil (tort) law, and administrative/regulatory law.

Other categories of law under the common law system that relate to information systems are intellectual property and privacy laws.

Intellectual Property Law

The following categories fall under intellectual property law:

Information Privacy and Privacy Laws

Privacy is the right of an individual to protection from unauthorized disclosure of the individual’s personally identifiable information (PII). For example, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule lists the following 18 items as a person’s individual identifiers, all of which must be removed for health information to be considered de-identified under its safe-harbor method:

An individual’s right to privacy is embodied in the following fundamental principles of privacy:

Privacy Policy

Organizations develop and publish privacy policies that describe their approaches to handling PII. Web sites of organizations usually have their privacy policies available to read online, and these policies usually cover the following areas:

Privacy-Related Legislation and Guidelines

The following list summarizes some important legislation and recommended guidelines for privacy:

European Union (EU) Principles

The protection of information on private individuals from intentional or unintentional disclosure or misuse is the goal of the information privacy laws. The intent and scope of these laws vary widely from country to country. The European Union (EU) has defined privacy principles that in general are more protective of individual privacy than those applied in the United States. Therefore, transferring personal information from the EU to the United States is prohibited unless equivalent protections for that information are in place at the receiving end. The EU principles include the following:

Health Care–Related Privacy Issues

An excellent example of the requirements and application of individual privacy principles is in the area of health care. The protection from disclosure and misuse of a private individual’s medical information is a prime example of a privacy law. Some of the common health care security issues are as follows:

The U.S. Kennedy-Kassebaum Health Insurance Portability and Accountability Act (HIPAA - Public Law 104-191), effective August 21, 1996, addresses the issues of health care privacy and plan portability in the United States. With respect to privacy, this Act stated, “Not later than the date that is 12 months after the date of the enactment of this Act, the Secretary of Health and Human Services shall submit … detailed recommendations on standards with respect to the privacy of individually identifiable health information.” This Act further stated “the recommendations … shall address at least the following:

The Privacy regulations were reopened for public comment for an additional period that closed on March 30, 2001. In March 2002, HHS proposed changes to the HIPAA Privacy Rule in response to input from health care–related organizations as well as the private sector. The changes were put into effect in August 2002. The Final Privacy Rule refers to security issues as illustrated in the following statements:

“(1) Standard: safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.

(2) Implementation specification: safeguards. A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart.”

The Platform for Privacy Preferences (P3P)

The Platform for Privacy Preferences was developed by the World Wide Web Consortium (W3C) to implement privacy practices on Web sites. The W3C P3P Specification, which can be found at www.w3.org/TR, states:

P3P enables Web sites to express their privacy practices in a standard format that can be retrieved automatically and interpreted easily by user agents. P3P user agents will allow users to be informed of site practices (in both machine- and human-readable formats) and to automate decision-making based on these practices when appropriate. Thus users need not read the privacy policies at every site they visit.

With P3P, an organization can post its privacy policy in machine-readable form (XML) on its Web site. This policy statement should include:

The P3P specification contains the following items:

A useful consequence of implementing P3P on a Web site is that Web site owners are required to answer multiple-choice questions about their privacy practices. This activity will cause the organization sponsoring the Web site to think about and evaluate its privacy policy and practices in the event that it has not already done so. After answering the necessary P3P privacy questions, an organization can then proceed to develop its policy. A number of sources provide free policy editors and assistance in writing privacy policies. Some of these resources can be found at http://www.w3.org/P3P/ and http://p3ptoolbox.org/.

P3P also supports user agents that allow a user to configure a P3P-enabled Web browser with the user’s privacy preferences. Then, when the user attempts to access a Web site, the user agent compares the user’s stated preferences with the site’s machine-readable privacy policy. If the policy satisfies the preferences, the interaction proceeds normally; otherwise the agent applies the user’s chosen response, which in practice is usually to restrict the site’s cookies or to warn the user that the site’s practices conflict with the configured preferences, rather than to refuse the site outright. Microsoft’s Internet Explorer 6 (IE6) Web browser supports P3P in this way, using a site’s compact P3P policy to decide how to treat its cookies, and can also generate and display a report describing a particular Web site’s full P3P privacy policy.

Another P3P implementation is provided by AT&T’s Privacy Bird software, which is an add-on to a browser and inserts an icon of a bird in the top right corner of a user’s Web browser. The AT&T software reads the XML privacy policy statements from a Web site and causes the bird to chirp and change color to inform the user if the user’s listed privacy preference settings are satisfied by the Web site’s P3P policy statements. Clicking on the bird provides more detailed information concerning mismatches between the Web site’s policy practices and the user’s provided preferences.
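The comparison that a P3P user agent performs, as an added example that is not part of the original text and is not the W3C’s reference code or any browser’s implementation: the policy below is a constructed P3P 1.0 policy with two STATEMENT elements, the preference values are constructed, and the decision rules (including the choice to ignore purposes marked required="opt-in") are this example’s own.

```python
"""Minimal P3P user-agent check (added example).

Parses a P3P policy in its XML form and compares the practices it declares
against a user's preferences, which is the comparison a P3P user agent
performs. The policy, preference values and decision rules below are
constructed for this example; they are not the W3C's reference code or any
browser's implementation.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

P3P_NS = "http://www.w3.org/2002/01/P3Pv1"  # namespace used by P3P 1.0 policies

# Constructed sample policy: one benign statement and one the user may object to.
SAMPLE_POLICY = f"""<POLICIES xmlns="{P3P_NS}">
  <POLICY name="sample" discuri="https://www.example.com/privacy.html">
    <ENTITY><DATA-GROUP><DATA ref="#business.name">Example Corp</DATA></DATA-GROUP></ENTITY>
    <ACCESS><nonident/></ACCESS>
    <STATEMENT>
      <PURPOSE><current/><admin/></PURPOSE>
      <RECIPIENT><ours/></RECIPIENT>
      <RETENTION><stated-purpose/></RETENTION>
      <DATA-GROUP><DATA ref="#dynamic.clickstream"/></DATA-GROUP>
    </STATEMENT>
    <STATEMENT>
      <PURPOSE><current/><telemarketing required="opt-out"/></PURPOSE>
      <RECIPIENT><ours/><other-recipient/></RECIPIENT>
      <RETENTION><indefinitely/></RETENTION>
      <DATA-GROUP><DATA ref="#user.home-info.telecom.telephone"/></DATA-GROUP>
    </STATEMENT>
  </POLICY>
</POLICIES>"""


@dataclass
class Preferences:
    """What the user refuses: purposes, recipients, retention terms and data-ref prefixes."""
    refuse_purposes: set = field(default_factory=set)
    refuse_recipients: set = field(default_factory=set)
    refuse_retention: set = field(default_factory=set)
    sensitive_data: tuple = ()


# Preferences of a privacy-conscious user (constructed values).
STRICT_PREFS = Preferences(
    refuse_purposes={"telemarketing", "contact"},
    refuse_recipients={"public", "unrelated", "other-recipient"},
    refuse_retention={"indefinitely"},
    sensitive_data=("#user.home-info.telecom",),
)


def _local(tag: str) -> str:
    """Strip the namespace from an ElementTree tag name."""
    return tag.rsplit("}", 1)[-1]


def _terms(stmt: ET.Element, tag: str) -> set:
    """Names of the child elements of <tag> inside a STATEMENT (e.g. the purposes)."""
    parent = stmt.find(f"{{{P3P_NS}}}{tag}")
    if parent is None:
        return set()
    # A purpose marked required="opt-in" is not practised unless the user opts in,
    # so this example does not count it against the user (a design choice here).
    return {_local(el.tag) for el in parent if el.get("required", "always") != "opt-in"}


def evaluate(policy_xml: str, prefs: Preferences) -> list:
    """Return (statement_index, category, term) for every declared practice the user refuses."""
    root = ET.fromstring(policy_xml)
    mismatches = []
    for idx, stmt in enumerate(root.iter(f"{{{P3P_NS}}}STATEMENT")):
        for term in sorted(_terms(stmt, "PURPOSE") & prefs.refuse_purposes):
            mismatches.append((idx, "purpose", term))
        for term in sorted(_terms(stmt, "RECIPIENT") & prefs.refuse_recipients):
            mismatches.append((idx, "recipient", term))
        for term in sorted(_terms(stmt, "RETENTION") & prefs.refuse_retention):
            mismatches.append((idx, "retention", term))
        for data in stmt.iter(f"{{{P3P_NS}}}DATA"):
            ref = data.get("ref", "")
            if ref.startswith(prefs.sensitive_data):  # empty tuple matches nothing
                mismatches.append((idx, "data", ref))
    return mismatches


def acceptable(policy_xml: str, prefs: Preferences) -> bool:
    """The agent's decision: proceed only when no statement conflicts with the preferences."""
    return not evaluate(policy_xml, prefs)
```

With empty preferences every policy is acceptable; with STRICT_PREFS the second statement produces four mismatches (the telemarketing purpose, the other-recipient recipient, indefinite retention, and the telephone data element), which is the kind of detail Privacy Bird shows when the user clicks the icon. A real agent would also have to fetch the policy reference file and handle compact policies in HTTP headers, which this example leaves out.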

Electronic Monitoring

Additional personal security issues involve keystroke monitoring, e-mail monitoring, surveillance cameras, badges, and magnetic entry cards. Key issues in electronic monitoring are that the monitoring is conducted in a lawful manner and that it is applied in a consistent fashion. With e-mail, for example, an organization monitoring employee e-mail should:

In this context, it is useful to examine the difference between enticement and entrapment. Enticement occurs after an individual has gained unauthorized access to a system. The intruder is then lured to an attractive area, or honey pot, in order to provide time to determine the origin of the intrusion and eventually the identity of the intruder. For example, a student breaking into a professor’s computer may be lured to a file entitled “Final Examination Questions.” Entrapment, on the other hand, encourages the commission of a crime that the individual initially had no intention of committing.

Recent legislation has given the U.S. government additional license to monitor electronic communications and computer files. See the discussion on the PATRIOT Act in the section on “Computer Security, Privacy, and Crime Laws.”

Computer Security, Privacy, and Crime Laws

The following is a summary of laws, regulations, and directives that lists requirements pertaining to the protection of computer-related information:

Additional information on FISMA is given in Chapter 12.

Investigation

The field of investigating computer crime is also known as computer forensics. Specifically, computer forensics is the collection, preservation, and analysis of information from and about computer systems in a manner that keeps that information admissible in a court of law.

Computer Investigation Issues

To explore computer crime investigation, it is useful to consider the motivations for committing computer crime. The major reasons are financial gain, revenge, ego, or to receive attention. The method of operation, or modus operandi, of computer criminals is designed to create a high probability of successfully carrying out the criminal act, protecting their identity, and enhancing their means of escape.

Because of the nature of information that is stored on the computer, investigating and prosecuting computer criminal cases have unique issues, such as the following:

Evidence

The gathering, control, storage, and preservation of evidence are extremely critical in any legal investigation. The major types of computer evidence are computer printouts, plotter outputs, display screens, and magnetic or optical storage. Because the evidence involved in a computer crime may be intangible and subject to easy modification without a trace, evidence must be carefully handled and controlled throughout its entire life cycle. Specifically, there is a chain of evidence (more commonly called the chain of custody) that one must follow and protect: a record of who collected the evidence, who has held it, and what has been done to it at every step. The following are the major components of this chain of evidence:

The evidence life cycle covers the evidence gathering and application process. This life cycle has the following components:
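The two controls the chain-of-evidence and evidence life-cycle passages above describe, an integrity hash taken at collection and an append-only record of every hand-off, as an added example that is not part of the original text and is not taken from any forensic tool. The case and evidence identifiers, custodian names and the byte string standing in for a disk image are all constructed.

```python
"""Evidence integrity and chain-of-custody log (added example).

Models two controls from the text: a forensic copy is hashed when it is
collected so that later alteration is detectable, and every custody
transfer is recorded in an append-only log whose entries are chained to
one another, so that editing or removing an entry is also detectable.
The identifiers, names and sample "image" bytes are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone

HASH_ALG = "sha256"
GENESIS = "0" * 64  # previous-entry hash for the first log entry


def hash_bytes(data: bytes) -> str:
    """Integrity hash of an evidence image (here an in-memory byte string)."""
    return hashlib.new(HASH_ALG, data).hexdigest()


def _entry_hash(entry: dict) -> str:
    """Hash of an entry's fields, excluding its own entry_hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hash_bytes(json.dumps(body, sort_keys=True).encode())


class CustodyLog:
    """Append-only chain-of-custody record for one item of evidence.

    Each entry carries the hash of the evidence as observed at that hand-off
    and the hash of the previous entry, so the whole record can be verified.
    """

    def __init__(self, case_id: str, evidence_id: str, image: bytes, collector: str):
        self.case_id = case_id
        self.evidence_id = evidence_id
        self.original_hash = hash_bytes(image)  # taken once, at collection
        self.entries: list = []
        self._append("collected", collector, image, "forensic copy made and hashed")

    def _append(self, action: str, custodian: str, image: bytes, note: str = "") -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "custodian": custodian,
            "evidence_hash": hash_bytes(image),  # re-hashed by the receiving custodian
            "note": note,
            "prev_entry_hash": prev,
        }
        entry["entry_hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry

    def transfer(self, to_custodian: str, image: bytes, note: str = "") -> dict:
        """Record a hand-off; the receiver verifies the image by hashing it again."""
        return self._append("transferred", to_custodian, image, note)

    def evidence_intact(self) -> bool:
        """True if every custodian observed the same hash as at collection."""
        return all(e["evidence_hash"] == self.original_hash for e in self.entries)

    def log_intact(self) -> bool:
        """True if no entry was edited, reordered or removed after the fact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev_entry_hash"] != prev:
                return False
            if _entry_hash(entry) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def demo() -> dict:
    """Collection, a clean transfer, an altered copy, and an edited log entry."""
    image = b"constructed sample disk image: partition table, files, slack space"
    log = CustodyLog("CASE-0001", "HDD-01", image, "analyst A")
    log.transfer("evidence locker", image, "sealed in bag 7")
    clean = log.evidence_intact() and log.log_intact()
    # A later custodian receives a copy that differs by one byte.
    log.transfer("analyst B", image + b"\x00", "checked out for examination")
    evidence_tamper_detected = not log.evidence_intact()
    # Someone rewrites history in an earlier entry.
    log.entries[1]["note"] = "edited after the fact"
    log_tamper_detected = not log.log_intact()
    return {
        "clean": clean,
        "evidence_tamper_detected": evidence_tamper_detected,
        "log_tamper_detected": log_tamper_detected,
    }
```

In practice the image hash is recorded on the evidence tag and in the examiner's notes at the moment of acquisition, working copies are made from the sealed original, and the log itself is kept where the people handling the evidence cannot silently rewrite it; the hash chain here is what makes a silent rewrite detectable if they try.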

Evidence Admissibility

To be admissible in a court of law, evidence must meet certain stringent requirements. The evidence must be relevant, legally permissible, reliable, properly identified, and properly preserved. The main points of these requirements are as follows:

Types of Evidence

Legal evidence can be classified into the following types:

Searching and Seizing Computers

The U.S. Department of Justice (DOJ) Computer Crime and Intellectual Property Section (CCIPS) has issued the publication Searching and Seizing Computers and Obtaining Evidence in Criminal Investigations (January 2001). The document introduction states, “This publication provides a comprehensive guide to the legal issues that arise when federal law enforcement agents search and seize computers and obtain electronic evidence in criminal investigations. The topics covered include the application of the Fourth Amendment to computers and the Internet, the Electronic Communications Privacy Act, workplace privacy, the law of electronic surveillance and evidentiary information system security uses.” The document also cites the following U.S. Codes relating to searching and seizing computers:

The headings of these codes illustrate the areas covered and, in general, the increased concern for the privacy of the individual.

Conducting the Investigation

There are many issues involved in the conduct of an investigation of suspected computer crime. For example, in a corporate environment, an investigation should involve management, corporate security, human resources, the legal department, and other appropriate staff members. The act of investigating may also affect critical operations. For example, it may prompt a suspect to commit retaliatory acts that may compromise data, result in a DoS, generate negative publicity, or open individual privacy issues. Thus, it is important to prepare a plan beforehand on how to handle reports of suspected computer crimes. A committee of appropriate personnel should be set up beforehand to address the following issues:

If a computer crime is suspected, it is important not to alert the suspect. A preliminary investigation should be conducted to determine whether a crime has been committed, examining the audit records and system logs, interviewing witnesses, and assessing the damage incurred. It is critical to determine whether disclosure to legal authorities is required by law or regulation. Under the U.S. Federal Sentencing Guidelines for Organizations, promptly reporting a criminal act and cooperating with the authorities is treated as a mitigating factor, and failing to do so can increase an organization’s culpability. There are a number of pertinent issues to consider relative to outside disclosure. Negative publicity resulting in a lack of confidence in the business of the organization is an obvious concern. Once an outside entity such as law enforcement is involved, information dissemination is out of the hands of the organization. Law enforcement involvement also requires support from the organization in terms of personnel time.

The timing of requesting outside assistance from law enforcement is another major issue. In the United States, law enforcement personnel are bound by the Fourth Amendment to the U.S. Constitution and must obtain a warrant to search for evidence. This amendment protects individuals from unlawful search and seizure. A search warrant is issued when there is probable cause for the search, and it provides legal authorization to search a location for specific evidence. Private citizens are not held to this strict requirement, thus, in some cases, a private individual can conduct a search for possible evidence without a warrant. However, if a private individual were asked by a law enforcement officer to search for evidence, a warrant would be required, because the private individual would be acting as an agent of law enforcement.

An exception to the search warrant requirement for law enforcement officers is the Exigent Circumstances Doctrine. Under this doctrine, if probable cause is present and destruction of the evidence is deemed imminent, the search can be conducted without the delay of having the warrant in-hand.

Thus, if law enforcement is called in too early when a computer crime is suspected, the law enforcement investigators will be held to a stricter standard than the organization’s employees in regard to searching for and gathering evidence. However, there is a higher probability that any evidence acquired will be admissible in court, because law enforcement personnel are trained in preserving the chain of evidence. As stated previously, the dissemination of information and the corresponding publicity will also be out of the organization’s control when the investigation is turned over to law enforcement. Conversely, if law enforcement is called in too late to investigate a possible computer crime, improper handling of the investigation and evidence by untrained organization employees may reduce or eliminate the chances of a successful prosecution.

Good sources of evidence include telephone records, video cameras, audit trails, system logs, system backups, witnesses, results of surveillance, and e-mails.

A standard discriminator used to determine whether a subject may be the perpetrator of a crime is to evaluate whether the individual had a Motive, the Opportunity, and the Means to commit the crime. This test is known as MOM.

If the investigation is undertaken internally, the suspect should be interviewed to acquire information and to determine who committed the offense. This interrogation should be planned in advance, and expert help should be obtained in the conduct of the interview. Obviously, the suspect is alerted when he or she is scheduled for interrogation, and a common mistake in setting up and conducting the interview is providing the suspect with too much information. With this information, the suspect may try to alter additional evidence, leave the premises, or warn other coconspirators. In the conduct of the interrogation, the pertinent information relative to the crime should be obtained, and the questions should be scripted beforehand. To avoid the possible destruction of critical information by the suspect, original documents should not be used in the conduct of the interview.

Export Issues and Technology

In July 2000 the United States announced a relaxation of its encryption export policy to certain countries. To quote the President’s Chief of Staff, John D. Podesta, “Under our new policy, American companies can export any encryption product to any end user in the European Union and eight other trading partners. We’re also speeding up the time to market by eliminating the 30-day waiting period when exporting encryption goods to these countries.”

Podesta also pointed out the effect that advancing technology has had on the Electronic Communications Privacy Act (ECPA). He pointed out, “ECPA, like its predecessors, has, in many ways, become outdated by the new advances in computer technology and electronic communication. Since its passage in 1986, we’ve seen a communications revolution with the explosion of the cell phone and the development and use of the World Wide Web. Today, there are more than 95 million cell phone users, and more than 50 million households online in the United States. More than 1.4 billion e-mails change hands every day … ECPA was not devised to address many of the issues related to these newer, faster means of electronic communication. It doesn’t extend the stringent Title III protections to the capture of e-mail that you send to your friends or business partners.” Podesta cited legislation that was being proposed to amend existing statutes and outmoded language (which applied primarily to wiretapping) and to define protections for hardware and software systems in general.

Liability

In 1997 the Federal Sentencing Guidelines were extended to apply to computer crime. Recall that, under these guidelines, senior corporate officers can be personally subject to up to $290 million in fines if their organizations do not comply with the law. These guidelines also treat the possession of illegally acquired material without intent to resell as a crime.

Management has the obligation to protect the organization from losses due to natural disasters, malicious code, compromise of proprietary information, damage to reputation, violation of the law, employee privacy suits, and stockholder suits. Management must follow the prudent-man rule, which “requires officers to perform duties with diligence and care that ordinary, prudent people would exercise under similar circumstances.” The officers must exercise due care or reasonable care to carry out their responsibilities to the organization. In exercising due care, corporate officers must institute the following protections:

The criterion for evaluating the legal requirement to implement a safeguard is to compare the cost (C) of instituting the protection with the estimated loss (L) resulting from exploitation of the corresponding vulnerability. If C < L, the safeguard is one a prudent officer would have put in place, and an organization that omits it exposes itself to legal liability for the resulting loss.

Incident handling, noted in the prevention list, is an important part of the contingency planning that addresses the handling of malicious attacks, usually by technical means. Incident handling or an emergency response should be planned for prior to the occurrence of any incidents and should address the following questions:

Incident handling can be considered as the portion of contingency planning that responds to malicious technical threats and can be addressed by establishing a Computer Incident Response Team (CIRT). A proper incident response is important to limit the resulting damage, to provide information for prevention of future incidents, and to serve as a means of increasing employee awareness. The majority of incidents do not originate from outside sources, such as crackers and malicious code. Many incidents are the result of incompetent employees, malicious employees, other insiders, accidental actions, and natural disasters. If an intruder is identified, penalty options include civil or criminal prosecution, employee termination, reprimand, or suspension.

Attacks can be traced in real time or indirectly after the fact. To accomplish a real-time trace, the source of the attack has to be identified while it is occurring. This trace usually has to go through intermediate computers that were part of the attack path. Thus, the administrators of these systems have to be willing to cooperate in back tracing to locate the initiator of the attack. Indirect tracing is accomplished by analyzing log files of computer systems that were part of the attack path.
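The indirect (after-the-fact) trace described above, as an added example that is not part of the original text: it walks backwards through sshd login records of the hosts on the attack path until it reaches a source outside the hosts whose logs are available. The host names, IP addresses, log lines and the incident time are constructed, and the year is assumed because syslog lines do not carry one.

```python
"""Indirect attack tracing from login logs (added example).

Starting at the victim host and the time of the malicious action, find the
most recent accepted login before that time, map its source address to the
host it belongs to, and repeat on that host's log. The trace stops at the
first source address whose logs are not available to the investigator;
that address is the origin as far as these logs can show.
All hosts, addresses and log lines below are constructed.
"""
import re
from datetime import datetime

LOG_YEAR = 2024  # assumed: syslog timestamps carry no year
ACCEPTED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed log excerpts from the three hosts on the attack path.
LOGS = {
    "victim": [
        "Mar 12 01:58:40 victim sshd[2101]: Accepted publickey for backup from 10.0.1.9 port 40110 ssh2",
        "Mar 12 02:14:07 victim sshd[2210]: Accepted password for admin from 10.0.2.15 port 51022 ssh2",
        "Mar 12 02:14:09 victim sudo: admin : TTY=pts/1 ; COMMAND=/bin/cat /etc/shadow",
    ],
    "relay1": [
        "Mar 12 01:05:12 relay1 sshd[911]: Accepted publickey for ops from 10.0.5.5 port 33000 ssh2",
        "Mar 12 02:09:33 relay1 sshd[1304]: Accepted password for www from 192.0.2.77 port 44412 ssh2",
        "Mar 12 02:20:01 relay1 sshd[1350]: Accepted publickey for ops from 10.0.5.5 port 33010 ssh2",
    ],
    "relay2": [
        "Mar 12 02:03:51 relay2 sshd[788]: Accepted password for test from 198.51.100.9 port 60123 ssh2",
    ],
}
# Which administered host owns which address (constructed inventory).
HOST_BY_IP = {"10.0.2.15": "relay1", "192.0.2.77": "relay2", "10.0.1.9": "backup-srv", "10.0.5.5": "jumpbox"}
# The malicious action on the victim: the sudo line at 02:14:09.
INCIDENT_TIME = datetime(LOG_YEAR, 3, 12, 2, 14, 9)


def parse_logins(lines: list) -> list:
    """(time, user, source) for every accepted sshd login, oldest first."""
    logins = []
    for line in lines:
        m = ACCEPTED.match(line)
        if m:
            ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            logins.append((ts, m["user"], m["src"]))
    return sorted(logins)


def last_login_before(lines: list, when: datetime):
    """Most recent accepted login at or before `when`, or None."""
    candidates = [l for l in parse_logins(lines) if l[0] <= when]
    return candidates[-1] if candidates else None


def trace_back(logs: dict, host_by_ip: dict, start_host: str, incident_time: datetime) -> list:
    """Hop backwards through the logs; each element records one hop of the path."""
    path, host, when = [], start_host, incident_time
    while host in logs:
        login = last_login_before(logs[host], when)
        if login is None:
            break
        ts, user, src = login
        path.append({"host": host, "time": ts.isoformat(), "user": user, "from": src})
        # Next hop: the host owning the source address, or the bare address if unknown.
        host, when = host_by_ip.get(src, src), ts
    return path


def demo() -> list:
    """Trace the constructed incident back from the victim."""
    return trace_back(LOGS, HOST_BY_IP, "victim", INCIDENT_TIME)
```

The trace follows victim (login from 10.0.2.15 at 02:14:07) to relay1 (login from 192.0.2.77 at 02:09:33) to relay2 (login from 198.51.100.9 at 02:03:51) and stops there because no logs exist for 198.51.100.9. The later jumpbox login on relay1 at 02:20:01 is correctly ignored because it postdates the hop. Choosing "the most recent login before the hop" is a heuristic that works when hosts are quiet; on a busy host an investigator would correlate by session (source port, process tree, or concurrent command history) rather than by time alone, and would also check that the clocks of the three hosts were synchronized before trusting the ordering.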

The Carnegie Mellon University Computer Emergency Response Team Coordination Center (CERT®/CC) is an excellent source of information for establishing and maintaining organizational CIRTs.

Ethics

Ethics is concerned with standards of behavior and considerations of what is “right” and what is “wrong.” It is difficult to state hard ethical rules because definitions of ethical behavior are a function of an individual’s experience, background, nationality, religious beliefs, culture, family values, and so on.

Similarly, ethical computing is a phrase that is often used but difficult to define. Certified professionals are morally and legally held to a higher standard of ethical conduct. In order to instill proper computing behavior, ethics should be incorporated into an organizational policy and further developed into an organizational ethical computing policy.

Some people who conduct attacks on computers rationalize these attacks with assumptions such as the following:

Individual ethical behavior varies widely because a person’s perception of ethics is a function of many variables in that person’s background. Because one is not stealing physical property, the “borrowing” or “viewing” of information on an organization’s computers is perceived by many as innocent behavior. Some crackers (malicious hackers) feel that any information available for access or subject to access by virtue of inadequate control measures is fair game. Others are of the opinion that hacking into an organization’s information systems is performing a service by alerting the organization to weaknesses in their system safeguards. These naïve and incorrect perspectives trample on the rights of individual privacy and compromise critical and organizational proprietary information.

These breaches of security can result in million-dollar losses to an organization through the destruction or unavailability of critical data and resources or through stock devaluation. From the national perspective, destructive cracker behavior could seriously affect a nation’s critical infrastructure, economic health, and national security. Clearly, these types of malicious hacking results cannot be explained away by claims of freedom of speech and freedom of expression rights.

A number of organizations have addressed the issue of ethical computing and have generated guidelines for ethical behavior. A few of these ethical codes are presented to provide a familiarization with the items addressed in such codes. Some of these lists are under revision. However, the versions illustrate the general areas that are important in ethical computing behavior.

(ISC)2 Code of Ethics

The preamble to the (ISC)2 Code of Ethics states:

The Canons of the (ISC)2 Code of Ethics are:

The Computer Ethics Institute’s Ten Commandments of Computer Ethics

In 1992, the Coalition for Computer Ethics incorporated as the Computer Ethics Institute (CEI) to focus on the interface of advances in information technologies, ethics, and corporate and public policy. The CEI addresses industrial, academic, and public policy organizations. The Institute’s founding organizations are the Brookings Institution, IBM, the Washington Consulting Group, and the Washington Theological Consortium. The Institute is concerned with the ethical issues associated with the advancement of information technologies in society and has generated the following ten commandments of computer ethics:

  1. Thou shalt not use a computer to harm other people.
  2. Thou shalt not interfere with other people’s computer work.
  3. Thou shalt not snoop around in other people’s computer files.
  4. Thou shalt not use a computer to steal.
  5. Thou shalt not use a computer to bear false witness.
  6. Thou shalt not copy or use proprietary software for which thou hast not paid.
  7. Thou shalt not use other people’s computer resources without authorization or the proper compensation.
  8. Thou shalt not appropriate other people’s intellectual output.
  9. Thou shalt think about the social consequences of the program thou art writing for the system thou art designing.
  10. Thou shalt use a computer in ways that ensure consideration and respect for thy fellow humans.

The Internet Architecture Board (IAB) Ethics and the Internet (RFC 1087)

Access to and use of the Internet is a privilege and should be treated as such by all users of the system.

The IAB also makes the following statement:

The Internet exists in the general research milieu. Portions of it continue to be used to support research and experimentation on networking. Because experimentation on the Internet has the potential to affect all of its components and users, researchers have the responsibility to exercise great caution in the conduct of their work. Negligence in the conduct of Internet-wide experiments is both irresponsible and unacceptable.

Any activity is defined as unacceptable and unethical that purposely:

  1. Seeks to gain unauthorized access to the resources of the Internet
  2. Destroys the integrity of computer-based information
  3. Disrupts the intended use of the Internet
  4. Wastes resources such as people, capacity, and computers through such actions
  5. Compromises the privacy of users
  6. Involves negligence in the conduct of Internetwide experiments

The U.S. Department of Health and Human Services Code of Fair Information Practices

The United States Department of Health and Human Services has developed the following list of fair information practices that focuses on the privacy of individually identifiable personal information:

  1. There must not be personal data record-keeping systems whose very existence is secret.
  2. There must be a way for a person to find out what information about him or her is in a record and how it is used.
  3. There must be a way for a person to prevent information about him or her that was obtained for one purpose from being used or made available for other purposes without their consent.
  4. Any organization creating, maintaining, using, or disseminating records of identifiable personal data must ensure the reliability of the data for their intended use and must take precautions to prevent misuses of that data.

The Organization for Economic Cooperation and Development (OECD)

The Organization for Economic Cooperation and Development (OECD) (www.oecd.org) has issued guidelines that are summarized as follows:

  1. Collection Limitation Principle - There should be limits to the collection of personal data, and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
  2. Data Quality Principle - Personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, it should be accurate, complete, and up-to-date.
  3. Purpose Specification Principle - The purposes for which personal data is collected should be specified not later than at the time of data collection, and the subsequent use should be limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
  4. Use Limitation Principle - Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified in accordance with Paragraph 9 except:

    a. With the consent of the data subject
    b. By the authority of law

  5. Security Safeguards Principle - Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure of data.
  6. Openness Principle - There should be a general policy of openness about developments, practices, and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data and the main purposes of its use, as well as the identity and usual residence of the data controller.
  7. Individual Participation Principle - An individual should have the right:

    a. To obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him or her
    b. To have communicated to him or her data relating to him or her within a reasonable time:

      • At a charge, if any, that is not excessive
      • In a reasonable manner
      • In a form that is readily intelligible to him or her

    c. To be given reasons if a request made under subparagraphs (a) and is denied, and to be able to challenge such denial
    d. To challenge data relating to him or her and, if the challenge is successful, to have the data erased, rectified, completed, or amended

  8. Accountability Principle - A data controller should be accountable for complying with measures that give effect to the principles stated above.
  9. Transborder Issues - A member country should refrain from restricting transborder flows of personal data between itself and another member country except where the latter does not yet substantially observe these guidelines or where the re-export of such data would circumvent its domestic privacy legislation.
  10. A member country can also impose restrictions in respect of certain categories of personal data for which its domestic privacy legislation includes specific regulations in view of the nature of those data and for which the other member country provides no equivalent protection.

Assessment Questions

You can find the answers to the following questions in Appendix A.

1. According to the Internet Architecture Board (IAB), an activity that causes which of the following is considered a violation of ethical behavior on the Internet?

  a. Wasting resources
  b. Appropriating other people’s intellectual output
  c. Using a computer to steal
  d. Using a computer to bear false witness

2. Which of the following best defines social engineering?

  a. Illegal copying of software
  b. Gathering information from discarded manuals and printouts
  c. Using people skills to obtain proprietary information
  d. Destruction or alteration of data

3. Because the development of new technology usually outpaces the law, law enforcement uses which traditional laws to prosecute computer criminals?

  a. Malicious mischief
  b. Embezzlement, fraud, and wiretapping
  c. Immigration
  d. Conspiracy and elimination of competition

4. Which of the following is not a category of law under the Common Law System?

  a. Criminal law
  b. Civil law
  c. Administrative/regulatory law
  d. Derived law

5. A trade secret:

  a. Provides the owner with a legally enforceable right to exclude others from practicing the art covered for a specified time period
  b. Protects original works of authorship
  c. Secures and maintains the confidentiality of proprietary technical or business-related information that is adequately protected from disclosure by the owner
  d. Is a word, name, symbol, color, sound, product shape, or device used to identify goods and to distinguish them from those made or sold by others

6. Which of the following is not a European Union (EU) principle?

  a. Data should be collected in accordance with the law.
  b. Transmission of personal information to locations where equivalent personal data protection cannot be ensured is permissible.
  c. Data should be used only for the purposes for which it was collected and should be used only for a reasonable period of time.
  d. Information collected about an individual cannot be disclosed to other organizations or individuals unless authorized by law or by consent of the individual.

7. The Federal Sentencing Guidelines:

  a. Hold senior corporate officers personally liable if their organizations do not comply with the law
  b. Prohibit altering, damaging, or destroying information in a federal interest computer
  c. Prohibit eavesdropping or the interception of message contents
  d. Established a category of sensitive information called Sensitive But Unclassified (SBU)

8. What does the prudent-man rule require?

  a. Senior officials to post performance bonds for their actions
  b. Senior officials to perform their duties with the care that ordinary, prudent people would exercise under similar circumstances
  c. Senior officials to guarantee that all precautions have been taken and that no breaches of security can occur
  d. Senior officials to follow specified government standards

9. Information Warfare is:

  a. Attacking the information infrastructure of a nation to gain military or economic advantages
  b. Developing weapons systems based on artificial intelligence technology
  c. Generating and disseminating propaganda material
  d. Signal intelligence

10. The chain of evidence relates to:

  a. Securing laptops to desks during an investigation
  b. DNA testing
  c. Handling and controlling evidence
  d. Making a disk image

11. The Kennedy-Kassebaum Act is also known as:

  a. RICO
  b. OECD
  c. HIPAA
  d. EU Directive

12. Which of the following refers to a U.S. government program that reduces or eliminates emanations from electronic equipment?

  a. CLIPPER
  b. ECHELON
  c. ECHO
  d. TEMPEST

13. Imprisonment is a possible sentence under:

  a. Civil (tort) law
  b. Criminal law
  c. Both civil and criminal law
  d. Neither civil nor criminal law

14. Which one of the following conditions must be met if legal electronic monitoring of employees is conducted by an organization?

  a. Employees must be unaware of the monitoring activity.
  b. All employees must agree with the monitoring policy.
  c. Results of the monitoring cannot be used against the employee.
  d. The organization must have a policy stating that all employees are regularly notified that monitoring is being conducted.

15. Which of the following is a key principle in the evolution of computer crime laws in many countries?

  a. All members of the United Nations have agreed to uniformly define and prosecute computer crime.
  b. Existing laws against embezzlement, fraud, and wiretapping cannot be applied to computer crime.
  c. The definition of property is extended to include electronic information.
  d. Unauthorized acquisition of computer-based information without the intent to resell is not a crime.

16. The concept of due care states that senior organizational management must ensure that:

  a. All risks to an information system are eliminated.
  b. Certain requirements must be fulfilled in carrying out their responsibilities to the organization.
  c. Other management personnel are delegated the responsibility for information system security.
  d. The cost of implementing safeguards is greater than the potential resultant losses resulting from information security breaches.

17. Liability of senior organizational officials relative to the protection of the organization’s information systems is prosecutable under:

  a. Criminal law
  b. Civil law
  c. International law
  d. Financial law

18. Responsibility for handling computer crimes in the United States is assigned to:

  a. The Federal Bureau of Investigation (FBI) and the Secret Service
  b. The FBI only
  c. The National Security Agency (NSA)
  d. The Central Intelligence Agency (CIA)

19. In general, computer-based evidence is considered:

  a. Conclusive
  b. Circumstantial
  c. Secondary
  d. Hearsay

20. Investigating and prosecuting computer crimes is made more difficult because:

  a. Backups may be difficult to find.
  b. Evidence is mostly intangible.
  c. Evidence cannot be preserved.
  d. Evidence is hearsay and can never be introduced into a court of law.

21. Which of the following criteria are used to evaluate suspects in the commission of a crime?

  a. Motive, Intent, and Ability
  b. Means, Object, and Motive
  c. Means, Intent, and Motive
  d. Motive, Means, and Opportunity

22. Which one of the following U.S. government entities was assigned the responsibility for improving government efficiency through the application of new technologies and for developing guidance on information security for government agencies by the Paperwork Reduction Act of 1980, 1995?

  a. The National Institute for Standards and Technology (NIST)
  b. The General Services Administration (GSA)
  c. The Office of Management and Budget (OMB)
  d. The National Security Agency (NSA)

23. What is enticement?

  a. Encouraging the commission of a crime when there was initially no intent to commit a crime
  b. Assisting in the commission of a crime
  c. Luring the perpetrator to an attractive area or presenting the perpetrator with a lucrative target after the crime has already been initiated
  d. Encouraging the commission of one crime over another

24. Which of the following is not a computer investigation issue?

  a. Evidence is easy to obtain.
  b. The time frame for investigation is compressed.
  c. An expert may be required to assist.
  d. The information is intangible.

25. Conducting a search without the delay of obtaining a warrant if destruction of evidence seems imminent is possible under:

  a. Federal Sentencing Guidelines
  b. Proximate Causation
  c. Exigent Circumstances
  d. Prudent-Man Rule

26. Which one of the following items is not true concerning the Platform for Privacy Preferences (P3P) developed by the World Wide Web Consortium (W3C)?

  a. It allows Web sites to express their privacy practices in a standard format that can be retrieved automatically and interpreted easily by user agents.
  b. It allows users to be informed of site practices in human-readable format.
  c. It does not provide the site privacy practices to users in machine-readable format.
  d. It automates decision making based on the site’s privacy practices when appropriate.

27. The 1996 Information Technology Management Reform Act (ITMRA), or Clinger-Cohen Act, did which one of the following?

  a. Relieved the General Services Administration of responsibility for procurement of automated systems and contract appeals and charged the Office of Management and Budget with providing guidance on information technology procurement
  b. Relieved the General Services Administration of responsibility for procurement of automated systems and contract appeals and charged the National Institute for Standards and Technology with providing guidance on information technology procurement
  c. Relieved the Office of Management and Budget of responsibility for procurement of automated systems and contract appeals and charged the General Services Administration with providing guidance on information technology procurement
  d. Relieved the General Services Administration of responsibility for procurement of automated systems and contract appeals and charged the National Security Agency with providing guidance on information technology procurement

28. Which one of the following U.S. Acts prohibits trading, manufacturing, or selling in any way that is intended to bypass copyright protection mechanisms?

  a. The 1999 Uniform Information Transactions Act (UCITA)
  b. The 1998 Digital Millennium Copyright Act (DMCA)
  c. The 1998 Sonny Bono Copyright Term Extension Act
  d. The 1987 U.S. Computer Security Act

29. Which of the following actions by the U.S. government is not permitted or required by the U.S. PATRIOT Act, signed into law on October 26, 2001?

  a. Subpoena of electronic records
  b. Monitoring of Internet communications
  c. Search and seizure of information on live systems (including routers and servers), backups, and archives
  d. Reporting of cash and wire transfers of $5,000 or more

30. Which Act required U.S. government agencies to do the following?

  • Manage information resources to protect privacy and security
  • Designate a senior official, reporting directly to the Secretary of the Treasury, to ensure that the responsibilities assigned by the Act are accomplished
  • Identify and afford security protections in conformance with the Computer Security Act of 1987 commensurate with the magnitude of harm and risk that may result from the misuse, loss, or unauthorized access relative to information collected by an agency or maintained on behalf of an agency
  • Implement and enforce applicable policies, procedures, standards, and guidelines on privacy, confidentiality, security, disclosures, and sharing of information collected or maintained by or for the agency

  a. 1994 U.S. Computer Abuse Amendments Act
  b. 1996, Title I, Economic Espionage Act
  c. 1987 U.S. Computer Security Act
  d. Paperwork Reduction Act of 1980, 1995

Answers

1. Answer: a

The correct answer is a. Answers b, c, and d are ethical considerations of other organizations.

2. Answer: c

The correct answer is c: using people skills to obtain proprietary information. Answer a is software piracy, answer b is dumpster diving, and answer d is a violation of integrity.

3. Answer: b

The answer b is correct. Answer a is not a law, answer c is not applicable because it applies to obtaining visas and so on, and answer d is not correct because the laws in answer b are more commonly used to prosecute computer crimes.

4. Answer: d

The correct answer, d, is a distracter. All the other answers are categories under common law.

5. Answer: c

Answer c defines a trade secret. Answer a refers to a patent. Answer b refers to a copyright. Answer d refers to a trademark.

6. Answer: b

The transmission of data to locations where equivalent personal data protection cannot be ensured is not permissible for the EU. The other answers are EU principles.

7. Answer: a

The answer a is correct. Answer b is part of the U.S. Computer Fraud and Abuse Act. Answer c is part of the U.S. Electronic Communications Privacy Act. Answer d is part of the U.S. Computer Security Act.

8. Answer: b

The answer b is correct. Answer a is a distracter and is not part of the prudent-man rule. Answer c is incorrect because it is not possible to guarantee that breaches of security can never occur. Answer d is incorrect because the prudent-man rule does not refer to a specific government standard but relates to what other prudent persons would do.

9. Answer: a

The answer a is correct. Answer b is a distracter and has to do with weapon systems development. Answer c is not applicable. Answer d is the conventional acquisition of information from radio signals.

10. Answer: c

The answer c is correct. Answer a relates to physical security, answer b is a type of biological testing, and answer d is part of the act of gathering evidence.

11. Answer: c

The answer c is correct. The others refer to other laws or guidelines.

12. Answer: d

The answer d is correct. Answer a refers to the U.S. government Escrow Encryption Standard. Answer b refers to the large-scale monitoring of RF transmissions. Answer c is a distracter.

13. Answer: b

Answer b is the only one of the choices in which imprisonment is possible.

14. Answer: d

The answer d is correct. Answer a is incorrect because employees must be made aware of the monitoring if it is to be legal; answer b is incorrect because employees do not have to agree with the policy; and answer c is incorrect because the results of monitoring may be used against the employee if the corporate policy is violated.

15. Answer: c

The answer c is correct. Answer a is incorrect because not all nations agree on the definition of computer crime and corresponding punishments. Answer b is incorrect because the existing laws can be applied against computer crime. Answer d is incorrect because in some countries, possession without intent to sell is considered a crime.

16. Answer: b

The answer b is correct. Answer a is incorrect because all risks to information systems cannot be eliminated; answer c is incorrect because senior management cannot delegate its responsibility for information system security under due care; and answer d is incorrect because the cost of implementing safeguards should be less than or equal to the potential resulting losses relative to the exercise of due care.

17. Answer: b

18. Answer: a

The correct answer is a, making the other answers incorrect.

19. Answer: d

The answer d is correct. Answer a refers to incontrovertible evidence; answer b refers to inference from other, intermediate facts; and answer c refers to a copy of evidence or oral description of its content.

20. Answer: b

The answer b is correct. Answer a is incorrect because if backups are done, they usually can be located. Answer c is incorrect because evidence can be preserved using the proper procedures. Answer d is incorrect because there are exceptions to the hearsay rule.

21. Answer: d

22. Answer: c

23. Answer: c

Answer c is the definition of enticement. Answer a is the definition of entrapment. Answers b and d are distracters.

24. Answer: a

The correct answer is a. In many instances, evidence is difficult to obtain in computer crime investigations. Answers b, c, and d are computer investigation issues.

25. Answer: c

The answer c is correct. The other answers refer to other principles, guidelines, or rules.

26. Answer: c

In addition to the capabilities in answers a, b, and d, P3P does provide the site privacy practices to users in machine-readable format.

27. Answer: a

The answer a is correct. The other answers are distracters.

28. Answer: b

Answers a and d are distracters. Answer c, the 1998 Sonny Bono Copyright Term Extension Act, amends the provisions concerning duration of copyright protection. The Act states that the terms of copyright are generally extended for an additional 20 years.

29. Answer: d

Wire and cash transfers of $10,000 or more in a single transaction must be reported to government officials. Actions in answers a, b, and c are permitted under the PATRIOT Act. In answers a and b, the government has new powers to subpoena electronic records and to monitor Internet traffic. In monitoring information, the government can require the assistance of ISPs and network operators. This monitoring can extend even into individual organizations. In the PATRIOT Act, Congress permits investigators to gather information about electronic mail without having to show probable cause that the person to be monitored had committed a crime or was intending to commit a crime. In answer c, the items cited now fall under existing search and seizure laws. A new twist is delayed notification of a search warrant. Under the PATRIOT Act, if it is suspected that notification of a search warrant would cause a suspect to flee, a search can be conducted before notification of a search warrant is given.

In a related matter, the United States and numerous other nations have signed the Council of Europe’s Cybercrime Convention. In the United States, participation in the Convention has to be ratified by the Senate. In essence, the Convention requires the signatory nations to spy on their own residents, even if the action being monitored is illegal in the country in which the monitoring is taking place.

30. Answer: d
