CyberLaw

Assignment Review

Cyber LawCyberLaw 6/23/2016 CyberLaw 3 Securing an Organization  This Chat: CyberLaw and Compliance –Forensics –Privacy –Intellectual property protection –Due diligence –E-Discovery –Compliance

Cyber LawCyberLaw 6/23/2016 CyberLaw 4 Forensics  Science of showing the unseen  Based in scientific principles  Use when presentation on court likely  Forensic Examiner is an expert witness –By virtue of education, training, experience, and procedures

Cyber LawCyberLaw 6/23/2016 CyberLaw 5 Forensics  Starts with forensic duplication of subject's hard drive –Write blocker prevents accidental updates –Forensic image exact and complete copy  Analyze a copy of hard drive  Discover deleted or concealed evidence  Discover evidence in system files –Expensive

Cyber LawCyberLaw 6/23/2016 CyberLaw 6 Chain of Custody  Essential to present evidence in court  Demonstrates no tampering with evidence  Log of every person accessing evidence and why  Created at beginning of incident/seizure

Cyber LawCyberLaw 6/23/2016 CyberLaw 7 Forensics used to:  In criminal cases by law enforcement to prosecute  In HR cases in organizations to show HR action appropriate  In Incident Response to hacking to determine loss and attack vector  In E-Discovery to determine facts

Cyber LawCyberLaw 6/23/2016 CyberLaw 8 Law and the Individual  We are subject to civil and criminal law  We do have rights –Privacy –To be informed  Data breach laws, some states

Cyber LawCyberLaw 6/23/2016 CyberLaw 9 Law and the Business  Also have individual rights  Additional responsibilities in case

Cyber LawCyberLaw 6/23/2016 CyberLaw 10 Intellectual Property Rights  The creator (usually) has rights in the event of: –Copyright –Trademark/Service Mark –Patent –Trade Secrets

Cyber LawCyberLaw 6/23/2016 CyberLaw 11 Due diligence  Obligation to perform as a reasonable person would under similar circumstances  Corporate officers also have added fiduciary responsibility  Professionals (InfoSEC) have a higher standard –Some buying “malpractice” insurance

Cyber LawCyberLaw Civil Law  Allows for one person to sue another for wrong doing  If one party has information that the other needs, they are bound to provide – and pay costs of production  Process called Discovery 6/23/2016 CyberLaw 12

Cyber LawCyberLaw 6/23/2016 CyberLaw 13 E-Discovery  Discovery is process of getting information from another  Most information now has origins in electronic form  E-Discovery is now big business  If you are sued you have a duty to protect information

Cyber LawCyberLaw 6/23/2016 CyberLaw 14 Compliance Requirements  We all have them –US –PCI-DSS –EU  Field in administrative law

Cyber LawCyberLaw 6/23/2016 CyberLaw 15 US  HIPAA  GLB  Sarbanes-Oxley  Privacy Act  FERPA  FERC  Common Law

PCI-DSS  No legislation needed  Credit Card Industry  Applies to all merchants and card processors  Sets minimum standards  Always a good springboard for discussion 6/23/2016 Cyber LawCyberLaw 16

Cyber LawCyberLaw 6/23/2016 CyberLaw 17 EU  PCI-DSS of course  Strong privacy requirements  US has safe harbor agreement w/ EU so US companies can do business in EU –Applies high privacy protection standard to company but not EU auditing –ICO

Data Breach Disclosure  Required by 46 states  All slightly different –What is a breach –What remediation is needed  Major driver behind increase in incident responders 6/23/2016 Cyber LawCyberLaw 18

Cyber LawCyberLaw 6/23/2016 CyberLaw 19 Standards  Frameworks –ISO –NIST –CoBIT –ITIL –SANS 20 Critical Controls

Cyber LawCyberLaw 6/23/2016 CyberLaw 20 Question for you  What did you find most interesting in the reading so far?

Cyber LawCyberLaw 6/23/2016 CyberLaw 21 Questions ?