Chapter 4: Laws, Regulations & Compliance
Understand the difference between criminal law, civil law & administrative law
- Criminal law protects society against acts that violate the basic principles we believe in.
- Violations of criminal law are prosecuted by federal & state governments.
- Civil law provides the framework for the transaction of business between people & organisations.
- Violations of civil law are brought to the court and argued by the two affected parties.
- Administrative law is used by government agencies to effectively carry out their day-to-day business.
Be able to explain the basic provisions of major laws designed to protect society against computer crime
- The Computer Fraud & Abuse Act (CFAA, as amended) protects "protected computers" (those used by the federal government or financial institutions, or used in or affecting interstate or foreign commerce) from a variety of abuses, including unauthorised access, access exceeding authorisation, and the transmission of malicious code.
- The Electronic Communications Privacy Act (ECPA) makes it a crime to invade the electronic privacy of an individual, covering both the interception of communications in transit and unauthorised access to stored communications.
Know the differences among copyrights, trademarks, patents & trade secrets
- Copyrights protect original works of authorship, such as books, articles, poems & songs.
- Trademarks are names, slogans & logos that identify a company, product or service.
- Patents provide protection to the creators of new inventions.
- Trade secret law protects the operating secrets of a firm.
Be able to explain the basic provisions of the DMCA
- The Digital Millennium Copyright Act (1998) prohibits the circumvention of copy protection mechanisms placed on digital media and limits the liability of Internet service providers for the activities of their users.
Know the basic provisions of the Economic Espionage Act
- The Economic Espionage Act (1996) provides penalties for individuals found guilty of theft of trade secrets.
- Harsher penalties apply when the individual knows that the information will benefit a foreign government.
Understand the various types of software license agreements
- Contractual license agreements are written agreements between a software vendor and user.
- Shrink-wrap agreements are written on software packaging and take effect when a user opens the package.
- Click-through agreements are included in a package but require the user to accept the terms during the software installation process.
Understand the notification requirements placed on organisations that experience a data breach
- California’s SB 1386 implemented the first statewide requirement to notify individuals of a breach of their personal information.
- Every other state eventually followed suit with similar laws; Alabama and South Dakota were the last to do so, in 2018, so all 50 states now have a breach notification law, although the definitions of personal information, notification deadlines and regulator-reporting duties differ from state to state.
- There is no general federal breach notification law; federal requirements are sector-specific, the most prominent being the HIPAA Breach Notification Rule, which requires a HIPAA-covered entity to notify individuals when their protected health information (PHI) is breached.
Understand the major laws that govern privacy of personal information in both the US and the EU
- The US has a number of privacy laws that affect the government’s use of information as well as the use of information by specific industries, such as financial services companies and healthcare organisations that handle sensitive information.
- The EU has a more comprehensive General Data Protection Regulation (GDPR) that governs the use and exchange of personal information.
Explain the importance of a well-rounded compliance program
- Most organisations are subject to a wide variety of legal & regulatory requirements related to information security.
- Building a compliance program ensures that you become and remain compliant with these often overlapping requirements.
Know how to incorporate security into the procurement & vendor governance process
- The expanded use of cloud services by many organisations requires added attention to conducting reviews of information security controls during the vendor selection process and as part of ongoing vendor governance.