Untitled 1 - Notes for Legal Issues textbook

Course: Legal Issues in Information Security (C 841)
Academic year: 2023/2024
Uploaded by: Anonymous Student
Western Governors University


Legal Issues in Information Security

Information Security – generally describes the types of steps an organization should take to protect its information
  • the study and practice of protecting information
  • main goal is to protect the confidentiality, integrity, and availability (CIA) of information

Confidentiality – only the people with the right permission can access and use information
  • protecting information from unauthorized access at all stages of its life cycle
  • must create, use, store, transmit, and destroy information in ways that protect its confidentiality
    ◦ Encryption – a way to protect information while it is stored or being transmitted
      ▪ converts information into unreadable code; only authorized people have the key to access the information
    ◦ Access Controls – grant or deny access to information systems
      ▪ ie: passwords or PINs to log in to a computer
    ◦ Shoulder Surfing – intentional attack that takes advantage of looking over someone's shoulder to gain information
    ◦ Social Engineering – relies heavily on human interaction and human shortcomings
      ▪ the attacker tries to charm the person into giving them access to information
    ◦ Mistakes

Integrity – means that information systems and their data are accurate
  • ensures changes cannot be made to data without appropriate permission
  • data in the system is moved and processed in predictable ways and does not change when it is processed
    ◦ Controls – ensure the correct entry of information; protect the data's integrity
    ◦ Making sure only authorized users have the ability to move/delete files protects integrity
    ◦ Antivirus software – protects integrity by making sure there are no viruses in the system that could harm it or change the data in it
      ▪ Accidental Compromises to Integrity: accidentally mistyping a name or address during data entry; someone deleting a file by mistake
      ▪ Intentional Compromises: someone purposefully deletes an important file
        - Insider Threats: threats within an organization
        - External Attackers: can infect information systems with computer viruses or vandalize a webpage
    ◦ Keystroke Logger – device or program that records keystrokes made on a keyboard or mouse, in an attempt to obtain usernames and passwords
    ◦ Audits – help detect unauthorized or harmful software on a system

Availability – the security goal of making sure information systems operate reliably; ensures that data is accessible when it needs to be
  • can also help ensure that individuals with the proper permissions can use systems and retrieve data in a dependable and timely manner
  • systems and information are available during peak hours when customer demand is high; system maintenance should be scheduled for off hours when customer demand is low
    ◦ Disaster Recovery Plans – information systems must recover quickly from disturbances/failures
      ▪ these plans specify how long systems may be offline before an organization starts to lose money or fails to meet its business goals
    ◦ Single Point of Failure – a piece of hardware or application that is key to the functioning of the entire system
      ▪ if that single item fails, a critical portion of the system could fail
      ▪ companies want to design systems that DO NOT have a single point of failure
    ◦ Redundant Equipment – in the event of a failure, the extra elements make sure that the piece of equipment is still able to operate for a certain period
    ◦ Backups – help protect availability of information
    ◦ DoS – disrupts information systems so they are no longer available to users
      ▪ disables internet-based services by consuming large amounts of bandwidth or processing power
      ▪ can disable an organization's website
    ◦ Unplanned Outages – interruption of service (service cable being cut, power failure)

Vulnerabilities – a weakness or flaw in an information system
  • may be construction or design mistakes, as well as flaws in how an internal safeguard is used or not used
  • can be exploited (used in an unjust way) to harm information security
    ◦ People – ie: one employee could know too much about a critical function in an organization
      ▪ the above is a violation of the separation of duties principle
      ▪ this rule requires that two or more employees must split critical task functions so that no one employee knows all of the steps of the critical task
    ◦ Process – flaws or weaknesses in an organization's procedures that an attacker can exploit to harm security
      ▪ ie: missing steps in a checklist, as well as not having a checklist
      ▪ failure to apply hardware and software vendor patches in a timely manner
    ◦ Facility – weaknesses in physical security
      ▪ buildings, equipment, and other property resources an organization must protect
      ▪ ie: no fence around property, unlocked server room, etc.
    ◦ Technology – design flaws that allow people to access information systems without permissions
      ▪ ie: improperly designed information systems, unpatched and outdated applications, improperly configured equipment (firewalls and routers)
    ◦ Vulnerability Management – programs that make sure that vendors find any flaws in their products quickly and correct them
      ▪ also ensures that customers are made aware of problems so they can take protective action
    ◦ Exploits – successful attacks against a vulnerability
      ▪ take place in a period known as the window of vulnerability
      ▪ this window opens when someone discovers a vulnerability and closes when a vendor reduces or eliminates it
      ▪ **Window of Vulnerability = decreasing, # of vulnerabilities = increasing

Threats – anything that can harm an information system
  • successful exploits against vulnerabilities
  • a threat source (person or circumstance) carries out a threat or causes it to take place
    ◦ Human – threats carried out by people
      ▪ ie: internal and external hackers
    ◦ Natural – uncontrollable events such as earthquakes, tornadoes, fires, and floods
      ▪ not predictable, and organizations cannot control these types of threats
    ◦ Technological and Operational – threats that operate inside information systems to harm information security goals

    ◦ Technical – also called logical safeguards; rules that state how systems will operate and are applied in the hardware and software of information systems
      ▪ include automated logging and access-control mechanisms, firewalls, and antivirus programs
      ▪ Least privilege
        - administrators have the most power, power users less, local users the least
    ◦ Physical – actions that an organization takes to protect its actual, tangible resources
      ▪ keep unauthorized individuals out of controlled areas and people away from sensitive equipment
      ▪ ie: key cards, fences, doors, locks, security lighting, surveillance cameras, security guards, etc.
      ▪ Mantrap – method of controlled entry into a facility that provides access to secure areas such as a research lab or data center
        - has two sets of doors on either end of a small room; the first door must close before the second set can open
  • Classification Levels
    ◦ Preventative – used to prevent security incidents
    ◦ Detective – safeguards put in place in order to detect and sometimes report a security incident while it is in progress
    ◦ Corrective – automated or manual controls put in place in order to limit the damage caused by a security incident
      ▪ some types of databases allow an administrator to "roll back" to the last known good copy of the database in the event of an incident

Guides for Choosing Safeguards
  • ISO/IEC 27002:2013, Information Technology – Security Techniques – Code of Practice for Information Security Controls
    ◦ the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) first published this in December 2000
    ◦ has 14 major sections; each discusses a different category of information security safeguards or controls
    ◦ explains why organizations should use the listed controls and how to use them
    ◦ security practitioners often use ISO/IEC 27002 as a practical guide for developing security standards and best practices
  • NIST Special Publication 800-53 (Rev. 4), Security and Privacy Controls for Federal Information Systems and Organizations (2013)
    ◦ published in 2013 and updated in 2015 by the National Institute of Standards and Technology (NIST)
    ◦ states the minimum safeguards required in order to create an effective information security program
    ◦ NIST developed this guidance specifically for federal agency use on federal information systems

Common Information Security Concerns
  • Shoulder Surfing
  • Social Engineering
  • Phishing and Targeted Phishing Scams
    ◦ Spear phishing
  • Malware
  • Spyware and Keystroke Loggers
  • Logic Bombs
  • Backdoors
  • DoS Attacks

Mechanisms that Ensure Information Security
  • Laws and Legal Duties
  • Contracts
  • Organizational Governance
  • Data Protection Models

US National Security Information
  • Executive Order 13526 (Dec. 2009) – describes a system for classifying national security information
    ◦ establishes 3 classification levels – confidential, secret, and top secret
      ▪ Confidential – information that could cause damage to US security if disclosed to an unauthorized person
      ▪ Secret – information that could cause serious damage to US security if disclosed to an unauthorized person
      ▪ Top Secret – information that could cause exceptionally grave damage to US security if disclosed to an unauthorized person
    ◦ states how the information must be marked and identified
    ◦ gives instructions on how long it must remain classified
    ◦ specifies when to release such information to the public

Voluntary Organizations
  • groups that seek to promote information security
  • group members often have rules that they agree to follow; these rules usually set forth behavior expectations and are usually ethical in nature (a code of ethics)

Do Special Kinds of Data Require Special Kinds of Protection?
  • The US does not have one comprehensive data protection law; many laws focus on different types of data found in different industries and how that data is used
    ◦ HIPAA – regulates health information; overseen by Health and Human Services (HHS) and the Office of Civil Rights (OCR)
    ◦ GLBA (Gramm-Leach-Bliley Act) – protects some types of consumer financial information; the Federal Trade Commission (FTC) ensures compliance
    ◦ Red Flags Rule – consumer financial information; FTC
    ◦ Payment Card Industry Standards – credit card information; credit card issuers via contract provisions
    ◦ Children's Online Privacy Protection Act – information from children under the age of 13; FTC
    ◦ Children's Internet Protection Act – internet access in certain schools and libraries; FTC
    ◦ Family Educational Rights and Privacy Act – student educational records; US Department of Education
    ◦ Federal Information Systems Management Act – federal information systems; Office of Management and Budget, Dept. of Homeland Security
    ◦ State breach notification acts – state information systems containing protected health information; varies among states

Chapter 2 – Privacy Issues Brought About by the Internet
  • Increased Access to Information
