book

Legal Issues in Information Security

Name: Legal Issues in Information Security
Author: Joanna Lyn Grama
ISBN: 9780763791865

by Joanna Lyn Grama

October 2010

Intermediate to advanced

526 pages

17h 17m

English

Jones & Bartlett Learning

Read now

Unlock full access

Copyright
Preface
Purpose of This BookLearning FeaturesAudience
Acknowledgments
About the Author
ONE. Fundamental Concepts
1. Information Security Overview
Why Is Information Security an Issue?What Is Information Security?What Is Confidentiality?What Is Integrity?What Is Availability?Common Information Security ConceptsVulnerabilitiesThreatsRisksSafeguardsChoosing SafeguardsWhat Are Common Information Security Concerns?Shoulder SurfingSocial EngineeringPhishing and Targeted Phishing ScamsMalwareSpyware and Keystroke LoggersLogic BombsBackdoorsDenial of Service AttacksDo Different Types of Information Require Different Types of Protection?U.S. National Security InformationWhat Are the Mechanisms That Ensure Information Security?Laws and Legal DutiesContractsOrganizational GovernanceVoluntary OrganizationsDo Special Kinds of Data Require Special Kinds of Protection?CHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 1 ASSESSMENT
2. Privacy Overview
Why Is Privacy an Issue?What Is Privacy?How Is Privacy Different from Information Security?What Are the Sources of Privacy Law?Constitutional LawFederal LawsCensus Confidentiality (1952)Freedom of Information Act (1966)Wiretap Act (1968, amended)Mail Privacy Statute (1971)Privacy Act (1974)Cable Communications Policy Act (1984)Electronic Communications Privacy Act (1986)Driver's Privacy Protection Act (1994)E-Government Act (2002)State LawsCommon LawsIntrusion into SeclusionPortrayal in a False LightAppropriation of Likeness or IdentityPublic Disclosure of Private FactsVoluntary AgreementsWhat Are Threats to Personal Data Privacy in the Information Age?Technology-Based Privacy ConcernsSpyware, Keystroke Loggers, and AdwareCookies, Web Beacons, and ClickstreamsRFID and GPS TechnologiesSecurity BreachesPeople-Based Privacy ConcernsPhishingSocial Engineering, Shoulder Surfing, and Dumpster DivingSocial Networking SitesInformation SharingSecurityOnline Data GatheringWhat Is Workplace Privacy?Telephone and Voice Mail MonitoringVideo Surveillance MonitoringComputer Use MonitoringE-mail MonitoringPublic EmployeesWhat Are General Principles for Privacy Protection in Information Systems?Privacy Policies and Data Privacy LawsCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 2 ASSESSMENTENDNOTES
3. The American Legal System
The American Legal SystemFederal GovernmentLegislative BranchExecutive BranchJudicial BranchStructure of the Federal JudiciaryState GovernmentSources of LawCommon LawCode LawConstitutional LawHow Does It All Fit Together?Types of LawCivilCriminalAdministrativeThe Role of PrecedentRegulatory AuthoritiesWhat Is the Difference Between Compliance and Audit?How Do Security, Privacy, and Compliance Fit Together?CHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 3 ASSESSMENTENDNOTES
TWO. Laws Influencing Information Security
4. Security and Privacy of Consumer Financial Information
Business Challenges Facing Financial InstitutionsThe Different Types of Financial InstitutionsConsumer Financial InformationWho Regulates Financial Institutions?The Federal Reserve SystemFederal Deposit Insurance CorporationNational Credit Union AdministrationOffice of the Comptroller of the CurrencyOffice of Thrift SupervisionSpecial Role of the Federal Trade CommissionFederal Financial Institutions Examination Council (FFIEC)The Gramm-Leach-Bliley ActPurpose, Scope, and Main RequirementsThe Privacy RuleThe Safeguards RuleThe Pretexting RuleOversightFederal Trade Commission Red Flags RulePurposeScopeMain RequirementsOversightImplementation ConcernsPayment Card Industry StandardsPurposeScopeMain RequirementsOversightCase Studies and ExamplesFTC Privacy and Safeguards Rule EnforcementPCI DSS ExampleCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 4 ASSESSMENTENDNOTES

5. Security and Privacy of Information Belonging to Children and Educational Records
Challenges in Protecting Children on the InternetIdentification of ChildrenFirst Amendment and CensorshipDefining ObscenityChildren's Online Privacy Protection ActPurpose of COPPAScope of the RegulationMain RequirementsGaining Parent's ConsentPrivacy PolicyPrivacy Policy LocationPrivacy Policy ContentOversightChildren's Internet Protection Act (CIPA)PurposeScope of the RegulationMain RequirementsInternet Safety PolicyExceptionsOversightFamily Educational Rights and PrivacyPurpose and ScopeMain RequirementsParent and Student RightsProtection of RecordsAnnual NotificationExceptionsOversightCase Studies and ExamplesLiberty Financial and Children's PrivacyIconix Brand Group, Inc.Gonzaga University StudentRelease of Disciplinary RecordsCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 5 ASSESSMENTENDNOTES
6. Security and Privacy of Health Information
Business Challenges Facing the Health Care IndustryWhy Is Health Care Information So Sensitive?The Health Insurance Portability and Accountability ActPurposeScopeMain Requirements of the Privacy RuleRequired DisclosuresPermitted Uses and DisclosuresTreatment, Payment, and Health Care OperationsUses and Disclosures Made After an Opportunity to Opt OutMade for Public Health and Safety ActivitiesLimited Data Sets Used or Disclosed for Specified ActivitiesUses and Disclosures that Require AuthorizationMinimum Necessary RuleOther Individual Rights under the Privacy RuleAmendments of PHIAccounting of DisclosuresPrivacy NoticesAdministrative RequirementsMain Requirements of the Security RuleSafeguards and Implementation SpecificationsAdministrative SafeguardsPhysical SafeguardsTechnical SafeguardsOversightThe HITECH ActCompliance and EnforcementBreach Notification ProvisionsChanges to the Privacy and Security RulesThe Role of State Laws Protecting Medical RecordsCase Studies and ExamplesOCR Enforcement InformationHIPAA and Federal Trade Communications ActCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 6 ASSESSMENTENDNOTES
7. Corporate Information Security and Privacy Regulation
The Enron Scandal and Securities-Law ReformCorporate Fraud at EnronWhy Is Accurate Financial Reporting Important?The Sarbanes-Oxley Act of 2002Purpose and ScopeMain RequirementsPublic Company Accounting Oversight BoardDocument RetentionCertificationDisclosure ControlsInternal ControlsOversightCompliance and Security ControlsCOBITGAITISO/IEC StandardsNIST Computer Security GuidanceSOX Influence in Other Types of CompaniesCorporate Privacy IssuesCase Studies and ExamplesCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 7 ASSESSMENTENDNOTES
8. Federal Government Information Security and Privacy Regulations
Information Security Challenges Facing the Federal GovernmentThe Federal Information Security Management ActPurpose and ScopeMain RequirementsAgency Information Security ProgramsThe Role of NISTCentral Incident Response CenterNational Security SystemsOversightProtecting Privacy in Federal Information SystemsThe Privacy Act of 1974The E-Government Act of 2002OMB Breach Notification PolicyImport and Export Control LawsCase Studies and ExamplesMissing Hard DrivesSocial Networking SitesThe Future of FISMACHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 8 ASSESSMENTENDNOTES
9. State Laws Protecting Citizen Information and Breach Notification Laws
History of State Actions to Protect Personal InformationChoicePoint Data BreachBreach Notification RegulationsCalifornia Breach Notification ActOther Breach Notification LawsActivities That Constitute a BreachEntities Covered by the LawTime for NotificationContents of NotificationEncryption RequirementsPenalties for Failure to NotifyPrivate Cause of ActionData-Specific Security and Privacy RegulationsMinnesota and Nevada: Requiring Businesses to Comply with Payment Card Industry StandardsIndiana: Limiting SSN Use and DisclosureEncryption RegulationsMassachusetts: Protecting Personal InformationNevada Law: Standards-Based EncryptionData Disposal RegulationsWashington: Everyone Has an ObligationNew York: Any Physical RecordCase Studies and ExamplesCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 9 ASSESSMENTENDNOTES
10. Intellectual Property Law
The Digital Wild West and the Importance of Intellectual Property LawLegal Ownership and the Importance of Protecting Intellectual PropertyPatentsPatent BasicsPatent RequirementsThe Patent ProcessInfringement and RemediesWhat Is the Difference Between Patents and Trade Secrets?TrademarksTrademark BasicsUse in CommerceDistinctiveThe Registration ProcessInfringement and RemediesRelationship of Trademarks on Domain NamesCopyrightCopyright BasicsCopyright RegistrationInfringement and RemediesFair UseProtecting Copyrights Online—The Digital Millennium Copyright Act (DMCA)DMCA BasicsTechnology Protection MeasuresOnline Copyright InfringementComputer MaintenanceDMCA Implementation ConcernsCase Studies and ExamplesTrade SecretsService Provider Liability for Copyright InfringementCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 10 ASSESSMENTENDNOTES
11. The Role of Contracts
General Contracting PrinciplesContract FormCapacity to ContractContract LegalityForm of OfferForm of AcceptanceMeeting of the MindsConsiderationPerformance and Breach of ContractContract RepudiationContracting OnlineLegal Capacity OnlineForm of Offer and AcceptanceE-mail CommunicationsText and Instant MessagesTwitter and other Social Networking SitesExistence and EnforcementAuthenticity and Non-RepudiationSpecial Types of Contracts in CyberspaceShrinkwrap ContractsClickwrap ContractsBrowsewrap ContractsHow Do These Contracts Regulate Behavior?Emerging Contract Law IssuesCloud ComputingInformation Security Terms in ContractsData Definition and UseGeneral Data Protection TermsCompliance with Legal and Regulatory RequirementsCase Studies and ExamplesContract Formation via E-mailContract Dispute StatisticsCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 11 ASSESSMENTENDNOTES
12. Criminal Law and Tort Law Issues in Cyberspace
General Criminal Law ConceptsMain Principles of Criminal LawType of Wrongful ConductElements of a CrimeJurisdictionCriminal ProcedureCommon Criminal Laws Used in CyberspaceThe Computer Fraud and Abuse Act (1984)Computer Trespass or IntrusionTheft of InformationInterception of Communications LawsSpam and Phishing LawsCybersquattingMalicious ActsWell-Known CybercrimesGeneral Tort Law ConceptsStrict Liability TortsNegligence TortsIntentional TortsCivil ProcedureCommon Tort Law Actions in CyberspaceDefamationIntentional Infliction of Emotional DistressTrespass TortsPrivacy ViolationsCase Studies and ExamplesCAN-SPAM ActDefamationCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 12 ASSESSMENTENDNOTES
THREE. Security and Privacy in Organizations
13. Information Security Governance
What Is Information Security Governance?Information Security Governance PlanningCommon Information Security Governance RolesInformation Security Governance and ManagementInformation Security Governance in the Federal GovernmentInformation Security Governance DocumentsPoliciesStandardsProceduresGuidelinesCreating Information Security PoliciesPolicy Development ProcessRecommended Information Security PoliciesAcceptable Use PoliciesAUP TermsEnforcementAnti-Harassment PoliciesWorkplace Privacy and Monitoring PoliciesData Retention and Destruction PoliciesData Retention PoliciesData Destruction PoliciesIntellectual Property PoliciesAuthentication and Password PoliciesSecurity Awareness and TrainingCase Studies and ExamplesAcceptable Use Case StudyIntellectual Property ExampleCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 13 ASSESSMENTENDNOTES
14. Risk Analysis, Incident Response, and Contingency Planning
Contingency PlanningRisk ManagementRisk Assessment ProcessRisk Assessment TeamIdentifying Assets, Vulnerabilities, and ThreatsLikelihood and Potential LossQuantitative Risk AnalysisQualitative Risk analysisDocument Needed ControlsRisk ResponseTraining EmployeesContinuously MonitoringThree Types of Contingency PlanningIncident Response PlanningIncident Response TeamIR Plan ProcessDisaster Recovery and Business Continuity PlanningDR/BC TeamDR/BC Plan DevelopmentTesting the PlanSpecial ConsiderationsAddressing Compliance RequirementsWhen to Call the PolicePublic RelationsCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 14 ASSESSMENTENDNOTES
15. Computer Forensics and Investigations
What Is Computer Forensics?What Is the Role of a Computer Forensic Examiner?Collecting, Handling, and Using Digital EvidenceThe Investigative ProcessIdentificationPreservationCollectionExaminationPresentationGuiding Principles for Forensic ExaminationLegal Issues Involving Digital EvidenceAuthority to Collect EvidenceThe Fourth Amendment and Search WarrantsFederal Laws Regarding Electronic Data CollectionThe Electronic Communications Privacy ActThe Wiretap ActThe Pen Register and Trap and Trace StatuteAdmissibility of EvidenceThe Hearsay RuleThe Best Evidence RuleCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 15 ASSESSMENTENDNOTES
A. Answer Key
B. Standard Acronyms
C. Law and Case Citations
U.S. Federal LawsCourt RulesCourt Cases
D. The Constitution of the United States of America
Article. I.Section. 1.Section. 2.Section. 3.Section. 4.Section. 5.Section. 6.Section. 7.Section. 8.Section. 9.Section. 10.Article. II.Section. 1.Section. 2.Section. 3.Section. 4.Article III.Section. 1.Section. 2.Section. 3.Article. IV.Section. 1.Section. 2.Section. 3.Section. 4.Article. V.Article. VI.Article. VII.Amendments to the Constitution of the United States of America.Amendment I (1791)Amendment II (1791)Amendment III (1791)Amendment IV (1791)Amendment V (1791)Amendment VI (1791)Amendment VII (1791)Amendment VIII (1791)Amendment IX (1791)Amendment × (1791)Amendment XI (1795)Amendment XII (1804)Amendment XIII (1865)Section 1.Section 2.Amendment XIV (1868)Section 1.Section 2.Section 3.Section 4.Section 5.Amendment XV (1870)Section 1.Section 2.Amendment XVI (1913)Amendment XVII (1913)Amendment XVIII (1919)Section 1.Section 2.Section 3.Amendment XIX (1920)Amendment XX (1933)Section 1.Section 2.Section 3.Section 4.Section 5.Section 6.Amendment XXI (1933)Section 1.Section 2.Section 3.Amendment XXII (1951)Section 1.Section 2.Amendment XXIII (1961)Section 1.Section 2.Amendment XXIV (1964)Section 1.Section 2.Amendment XXV (1967)Section 1.Section 2.Section 3.Section 4.Amendment XXVI (1971)Section 1.Section 2.Amendment XXVII (1992)
Glossary of Key Terms
References

Content preview from Legal Issues in Information Security

Chapter 14. Risk Analysis, Incident Response, and Contingency Planning

RISK MANAGEMENT IS AN IMPORTANT information security tool. The risk management process helps an organization understand the risks, vulnerabilities, and threats that it faces each day. It helps it understand its security posture. It also helps the organization know where to strengthen that posture. An organization can't meet its information security goals if it doesn't understand its risks. It may not be able to properly protect its resources and data.

This chapter focuses on information technology risk management. It reviews fundamental risk concepts and how they're applied. It explains how organizations use risk management to help them create their other contingency plans. ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Legal Issues in Information Security, 2nd Edition

Publisher Resources

ISBN: 9780763791858

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Legal Issues in Information Security

by Joanna Lyn Grama

Chapter 14. Risk Analysis, Incident Response, and Contingency Planning

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.