Note: These notes were made using the following books: “CISSP Study Guide” and “CISSP for Dummies”.
This chapter will introduce some of the basic concepts that are important to all information security professionals. The actual implementation of laws surrounding intellectual property, privacy, reasonable searches, and breach notification, to name a few, will differ amongst various regions of the world, but the importance of these concepts is still universal.
Major types and classifications of laws
The three major systems of law are:
- civil – By far the most common of the major legal systems is civil law, which is employed by many countries throughout the world. The civil law system relies on codified laws or statutes to determine what is considered within the bounds of law.
- common – Common law is the legal system used in the United States, Canada, the United Kingdom, and most former British colonies, amongst others. The primary distinguishing feature of common law is the significant emphasis on particular cases and judicial precedents as determinants of law.
- religious – Religious law is the third of the major legal systems. Religious doctrine or interpretation serves as a source of legal understanding and statutes. However, the extent and degree to which religious texts, practices, or understanding are consulted can vary greatly.
The most significant difference between civil and common law is that, under civil law, judicial precedents and particular case rulings do not carry the weight they do under common law.
Within common law there are various branches of laws:
- criminal law – Pertains to those laws where the victim can be seen as society itself. The goals of criminal law are to deter crime and to punish offenders.
- civil law – Another term associated with civil law is tort law, which deals with injury, loosely defined, that results from someone violating their responsibility to provide a duty of care. Tort law is the primary component of civil law, and is the most significant source of lawsuits seeking damages. While in criminal law society is seen as the victim, in civil law the victim is an individual, group, or organization. Another difference between criminal and civil law is the goal of each: the focus of criminal law is punishment and deterrence, whereas civil law focuses on compensating the victim. The most common outcome of a successful ruling against a defendant is a requirement to pay financial damages.
- administrative law – Administrative law, or regulatory law, is law enacted by government agencies. Some examples of administrative law are FCC regulations, HIPAA Security mandates, FDA regulations, and FAA regulations.
Types of laws relevant to computer crimes
One of the most difficult aspects of prosecution of computer crimes is attribution. Meeting the burden of proof requirement in criminal proceedings, beyond a reasonable doubt, can be difficult given an attacker can often spoof the source of the crime or can leverage different systems under someone else’s control.
Intellectual property is protected under U.S. law by one of four classifications:
- patents – Patents grant the patent holder a monopoly on the right to use, make, or sell an invention for a period of time, in exchange for the patent holder making the invention public.
- trademarks – Trademarks are associated with marketing: their purpose is to allow for the creation of a brand that distinguishes the source of products or services.
- copyrights – Copyright is a type of intellectual property that protects the form of expression in artistic, musical, or literary works, and is typically denoted by the circle-c (©) symbol. Software is typically covered by copyright as if it were a literary work. Two important limitations on the exclusivity of the copyright holder’s monopoly exist: the doctrines of first sale and fair use. The first sale doctrine allows a legitimate purchaser of copyrighted material to sell it to another person. If the purchasers of a CD later decide that they no longer care to own the CD, the first sale doctrine gives them the legal right to sell the copyrighted material even though they are not the copyright holders.
- trade secrets – Business-proprietary information that is important to an organization’s ability to compete. Software source code or firmware code are examples of computer-related objects that an organization may protect as trade secrets.
Privacy and data protection laws
Privacy and data protection laws are enacted to protect information collected and maintained on individuals from unauthorized disclosure or misuse.
Several important pieces of privacy and data protection legislation include:
- U.S. Federal Privacy Act of 1974 – protects records and information maintained by U.S. government agencies about U.S. citizens and lawful permanent residents.
- U.S. Health Insurance Portability and Accountability Act (HIPAA) of 1996 – seeks to guard protected health information from unauthorized use or disclosure.
- Payment Card Industry Data Security Standard (PCI-DSS) – the goal is to ensure better protection of card holder data through mandating security policy, security devices, control techniques and monitoring of systems and networks.
- U.S. Gramm-Leach-Bliley Financial Services Modernization Act (GLBA) – requires financial institutions to protect the confidentiality and integrity of consumer financial information.
Associated with personal data privacy concerns is the recent development of breach notification laws. The push for mandatory notification of persons whose personal data has been, or is likely to have been, compromised started with state laws.
Legal liability is another important legal concept for information security professionals and their employers. Society has grown quite litigious over the years, and the question of whether an organization is legally liable for specific actions or inactions can prove costly.
Two important terms to understand are due care and due diligence, which have become common standards that are used in determining corporate liability in courts of law.
The standard of due care, or a duty of care, provides a framework that helps to define a minimum standard of protection that business stakeholders must attempt to achieve.
Due care discussions often reference the Prudent Man Rule, which requires that the organization engage in business practices that a prudent, right-thinking person would consider appropriate.
A concept closely related to due care is due diligence. While due care intends to set a minimum necessary standard of care to be employed by an organization, due diligence requires that an organization continually scrutinize their own practices to ensure that they are always meeting or exceeding the requirements for protection of assets and stakeholders. Due diligence is the management of due care: it follows a formal process.
Computer crime and information security laws
- U.S. Computer Fraud and Abuse Act of 1986 – the first U.S. federal computer crime law.
- USA PATRIOT Act of 2001 – expanded law enforcement’s electronic monitoring capabilities.
- U.S. Sarbanes-Oxley Act of 2002 (SOX) – the primary goal of SOX is to ensure adequate financial disclosure and financial auditor independence.
Legal aspects of investigations
Digital forensics provides a formal approach to dealing with investigations and evidence with special consideration of the legal aspects of this process.
The main distinction between forensics and incident response is that forensics is evidence-centric and typically more closely associated with crimes, while incident response is more dedicated to identifying, containing, and recovering from security incidents.
The forensic process must preserve the “crime scene” and the evidence in order to prevent unintentionally violating the integrity of either the data or the data’s environment. A primary goal of forensics is to prevent unintentional modification of the system.
Anti-forensics makes forensic investigation difficult or impossible.
The general phases of the forensic process are: the identification of potential evidence; the acquisition of that evidence; analysis of the evidence; and finally production of a report.
While forensics investigators traditionally removed power from a system, the typical approach now is to gather volatile data. Acquiring volatile data is called live forensics, as opposed to the post-mortem forensics associated with acquiring a binary disk image from a powered down system.
Evidence is one of the most important legal concepts for information security professionals to understand.
Evidence should be relevant, authentic, accurate, complete, and convincing. Evidence gathering should emphasize these criteria.
- Real (or physical) evidence – consists of tangible or physical objects.
- Direct evidence – is testimony provided by a witness regarding what the witness actually experienced with her five senses.
- Circumstantial evidence – is evidence which serves to establish the circumstances related to particular points or even other evidence. In order to strengthen a particular fact or element of a case there might be a need for corroborative evidence. This type of evidence provides additional support for a fact that might have been called into question.
- Hearsay evidence – constitutes second-hand evidence. As opposed to direct evidence, which someone has witnessed with her five senses, hearsay evidence involves indirect information. Business and computer-generated records are generally considered hearsay evidence, but case law and updates to the Federal Rules of Evidence have established exceptions to the general rule that business records and computer-generated data and logs are hearsay.
Courts prefer the best evidence possible. Original documents are preferred over copies; conclusive tangible objects are preferred over oral testimony. Recall that the five desirable criteria for evidence suggest that, where possible, evidence should be: relevant, authentic, accurate, complete, and convincing.
Secondary evidence is a class of evidence common in cases involving computers. Secondary evidence consists of copies of original documents and oral descriptions.
Computer-generated logs and documents might also constitute secondary rather than best evidence.
Evidence must be reliable. It is common during forensic and incident response investigations to analyze digital media. It is critical to maintain the integrity of the data during the course of its acquisition and analysis. Checksums can ensure that no data changes occurred as a result of the acquisition and analysis.
In addition to the use of integrity hashing algorithms and checksums, another means to help establish the reliability of evidence is maintaining chain of custody documentation. Chain of custody requires that, once evidence is acquired, full documentation of who handled the evidence, what was done with it, and when and where it was handled is maintained.
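As an added example (not taken from the books these notes summarize), the following Python shows how integrity hashing and chain of custody documentation work together: the acquired image is hashed once at acquisition, re-hashed at every handling step, and any mismatch against the acquisition hash is flagged in the log. The `ChainOfCustody` class, the handler names and the sample image bytes are all constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for an acquired binary disk image (4 KiB of known bytes).
# A real acquisition would hash the image file produced by the imaging tool.
SAMPLE_IMAGE = bytes(range(256)) * 16


def hash_image(data: bytes, algorithm: str = "sha256") -> str:
    """Return the hex digest of the evidence using a collision-resistant hash."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


class ChainOfCustody:
    """Append-only log of who handled the evidence, what they did, when and where."""

    def __init__(self, evidence_id: str, data: bytes):
        self.evidence_id = evidence_id
        self.acquisition_hash = hash_image(data)  # baseline taken at acquisition
        self.entries = []

    def record(self, handler: str, action: str, location: str, data: bytes) -> dict:
        """Log one handling event and re-verify the evidence hash at that moment."""
        current = hash_image(data)
        entry = {
            "evidence_id": self.evidence_id,
            "who": handler,
            "what": action,
            "when": datetime.now(timezone.utc).isoformat(),
            "where": location,
            "sha256": current,
            "matches_acquisition": current == self.acquisition_hash,
        }
        self.entries.append(entry)
        return entry

    def integrity_intact(self) -> bool:
        """True only if every logged handling step still matched the acquisition hash."""
        return all(e["matches_acquisition"] for e in self.entries)

    def export(self) -> str:
        return json.dumps(self.entries, indent=2)


def demo() -> ChainOfCustody:
    coc = ChainOfCustody("EV-EXAMPLE-001", SAMPLE_IMAGE)
    coc.record("analyst A", "acquired image", "lab bench 1", SAMPLE_IMAGE)
    coc.record("analyst B", "keyword search on working copy", "lab bench 2", SAMPLE_IMAGE)
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[100] ^= 0x01  # one flipped byte models accidental modification during analysis
    coc.record("analyst B", "re-verify after analysis", "lab bench 2", bytes(tampered))
    return coc
```

The third entry in `demo()` is logged with `matches_acquisition` set to false, which is exactly the kind of discrepancy that makes evidence contestable in court.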
Entrapment is when law enforcement, or an agent of law enforcement, persuades someone to commit a crime when the person otherwise had no intention to commit a crime. Entrapment can serve as a legal defense in a court of law, and, therefore, should be avoided if prosecution is a goal.
A closely related concept is enticement. Enticement could still involve agents of law enforcement making the conditions for commission of a crime favorable, but the difference is that the person is determined to have already broken a law or is intent on doing so.
Ethics help to describe what you should do in a given situation based on a set of principles or values.
The ISC2 Code of Ethics contains four mandatory canons:
- protect society, the commonwealth and the infrastructure.
- act honorably, honestly, justly, responsibly and legally.
- provide diligent and competent service to principals.
- advance and protect the profession.