1 / 21

CIT 485: Advanced Cybersecurity

Learn about cybersecurity policy, legal and compliance issues, including FISMA, PCI DSS, BYOD policy, and more. Understand the importance of data handling policies and how to enforce them effectively.

leslieh
Download Presentation

CIT 485: Advanced Cybersecurity

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. CIT 485: Advanced Cybersecurity Policy, Legal, and Compliance Issues

  2. Topics • Policy, Standards, and Procedures • US Government Security Policies (FISMA) • Laws and Compliance • PCI Data Security Standard (DSS) • Bring Your Own Device (BYOD)

  3. Policy, Standards, and Procedures Policy provides a statement of intent. • Employees must use strong passwords on all accounts. Standard provides specifics to help organization members comply with policy. • Passwords must be at least 10 characters long. They must not be stored on unencrypted media. Procedures • To change your password, following the following steps: • Login using your current password. • Type passwd • Enter your current password. • Enter your new password twice.

  4. Compliance Information security policies must secure compliance with applicable laws and regulations. • Organizations must demonstrate due care, measures taken to ensure every employee knows what is acceptable and what is not. • Organizations must also demonstrate due diligence, reasonable steps taken to meet the obligations imposed by laws and regulations.

  5. Data Handling Policies • Organizations must have data handling policies to ensure compliance with appropriate laws and regulations. • Individual IT workers are responsible for following those policies to protect the data of customers and employees.

  6. Enforcing Policies Enforceable policies must meet 5 criteria: • Dissemination. Policy must be readily available. • Review. Organization must demonstrate policy is accessible to all employees, regardless of language ability. • Comprehension. Organization must demonstrate employees understand policies. Online tests and other assessments can be used to ensure comprehension. • Compliance. Organization must demonstrate employees agreed to policy through signatures or another specific action. • Uniform enforcement. Organization must enforce policy equally on all employees.

  7. Computer Security Act (1987) • Mandated baseline security standards for fed agencies. • Assigned National Institute & Standards Technologies (NIST) responsibility for developing computer security standards and guidelines for federal government. • NSA assigned responsibility for classified systems. • Required security policies be created by agencies for computer systems with sensitive data. • Mandated security awareness training for federal employees that use computers with sensitive data.

  8. FISMA (2002) • Federal Information Security Management Act • Repealed Computer Security Act of 1987. • Mandates federal agencies establish infosec programs. • Risk assessments. • Policies and procedures. • Security awareness training. • Incident response. • Periodic security assessments.

  9. FIPS Federal Information Processing Standards • Available on NIST web site. • Some used only by federal government. • Others used widely by private organizations. Notable FIPS • 140-2: Standards for cryptography. Much cryptographic software comes with a FIPS version to meet 140-2. • 800-53: Security controls for federal government systems.

  10. Sarbanes-Oxley (SOX) (2002) • Goal: reliability and accuracy of financial reporting • Requires that corporate IT certify confidentiality and integrity of systems involved in financial reporting. • Section 302 • Requires corporate executives to personally certify the accuracy and completeness of their financial reports, • Report on the effectiveness of internal controls for their financial reporting. • Section 404 • Mandates security assessment reports must be audited by an external firm.

  11. Gramm-Leach-Bliley (1999) • Financial Services Modernization Act • Requires financial institutions to disclose privacy policies on the sharing of PII. • Requires due notice to customers so that they can request information not to be shared. • Requires notification of customers about privacy policies annually.

  12. FERPA (1974) Family Educational Rights and Privacy Act • Gives parents access to child educational records, but • Requires permission of students age 18 or older. Restricts access to educational records • Determines who can access PII, grades, and for which purposes. • PII and grades can only be sent over secure channels. Student medical records governed by FERPA, not HIPAA.

  13. HIPAA (1996) Health Insurance Portability and Accountability Act • Affects almost all organizings doing health care. • Privacy requirements for sharing health care records without patient consent. • Requires providers give patients access to records. • Establishes standards for digital health record exchange. Discussed in more detail in other classes like PHI 310.

  14. COPPA (1998) Children's Online Privacy Protection Act • Protects collection of data on children under age 13. • Specifies requirements for website privacy policies. • Defines consent requirements for websites. • Restricts marketing to those under age 13. Enforced by the Federal Trade Commission (FTC).

  15. PCI DSS Payment Card Industry (PCI) requires that organizations that accept payments must follow their Data Security Standard (DSS). Version 1.0 released in December 2004. Requires securing data at all systems and links: • point-of-sale devices; • mobile devices, personal computers or servers; • wireless hotspots; • web shopping applications; • paper-based storage systems; • the transmission of cardholder data to service providers; • in remote access connections.

  16. PCI DSS: 12 Requirements • Installi and maintain a firewall configuration to protect cardholder data. • Do not use vendor-supplied defaults for system passwords and other security parameters. • Protect stored cardholder data. • Encrypt transmission of cardholder data across open, public networks. • Protect all systems against malware and regularly update anti-virus software or programs. • Develop and maintain secure systems and applications.

  17. PCI DSS: 12 Requirements • Restrict access to cardholder data by business need-to-know. • Identify and authenticate access to system components. • Restrict physical access to cardholder data. • Track and monitor all access to network resources and cardholder data. • Regularly test security systems and processes. • Maintain a policy that addresses information security for all personnel.

  18. Bring Your Own Device (BYOD) BYOD Policy • Employees bring own mobile device to work. • Same device contains both work and personal data. Risks to Employers • Work data travels with device, not protected by firewall. • Device may bring malware from outside inside firewall. • Work data may remain on device after employment is terminated. Risks to Employees • Makes devices subject to legal discovery. • Mobile device management software can wipe device.

  19. References • Seth Hammon. Intro to Cyber Law and Ethics Module. CLARK. 2018. • Michael E. Whitman, Herbert J. Mattord. Principles of Information Security, 6th Edition. Cengage Learning. 2017. • PCI Security Standards Council. PCI DSS Quick Reference Guide: Understanding the Payment Card Industry Data Security Standard version 3.2.1. 2018. • Richard Spinello. Cyberethics: Morality and Law in Cyberspace, 6th Edition. Jones & Bartlett. 2016.

  20. Released under CC BY-SA 3.0 • This presentation is released under the Creative Commons Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0) license • You are free: • to Share — to copy and redistribute the material in any medium • to Adapt— to remix, build, and transform upon the material • to use part or all of this presentation in your own classes • Under the following conditions: • Attribution — You must attribute the work to James Walden, but cannot do so in a way that suggests that he endorses you or your use of these materials. • Share Alike — If you remix, transform, or build upon this material, you must distribute the resulting work under this or a similar open license. • Details and full text of the license can be found at https://creativecommons.org/licenses/by-nc-sa/3.0/

  21. Discuss: Aaron Schwartz Computer Fraud and Abuse Act (CFAA) written in 1986 to amend existing computer fraud law. • Makes knowingly accessing a “protected computer” without authorization or exceeding authorized access a crime. • Any computer with Internet access is likely a “protected computer”. Controversy: Aaron Schwartz case • Aaron Schwartz created a script to automatically download many articles from JSTOR, violating their Terms of Service. • Federal prosecutors charged him with 11 violations of CFAA with maximum penalty of 35 years, $1 million fine. CIT 485: Advanced Cybersecurity

More Related