Legal, Regulations, Compliance and Investigations
Dr. Bhavani Thuraisingham, The University of Texas at Dallas (UTD), June 2012
Domain Objectives
- International Legal Issues
- Incident Management
- Forensic Investigation
- Compliance
Jurisdiction
- Law, economics, beliefs and politics
- Sovereignty of nations
International Cooperation
- Initiatives related to international cooperation in dealing with computer crime
- The Council of Europe (CoE) Cybercrime Convention
Computer Crime vs. Traditional Crime
- Traditional crime: violent, property, public order
- Computer crime: real property, virtual property
Intellectual Property Protection
- Organizations must protect intellectual property (IP) against:
  - Theft
  - Loss
  - Corporate espionage
  - Improper duplication
- Intellectual property must have value
- Organization must demonstrate actions to protect IP
Intellectual Property: Patent
- Definition
- Advantages
Intellectual Property: Trademark
- Purpose of a trademark
- Characteristics of a trademark
  - Word, name, symbol, color, sound, product shape
Intellectual Property: Copyright
- Covers the expression of ideas
  - Writings, recordings, computer programs
- Weaker than patent protection
Intellectual Property: Trade Secrets
- Must be confidential
- Protection of trade secret
Import and Export Law
- Strong encryption
- No terrorist states
Liability
- Legal responsibility
- Penalties
- Negligence and liability
Negligence
- Acting without care
- Due care
Transborder Data Flow
- Political boundaries
- Privacy
- Investigations
- Jurisdiction
Personally Identifiable Information (PII)
- Identify or locate
- Not anonymous
- Global effort
Privacy Laws and Regulations
- Rights and obligations of:
  - Individuals
  - Organizations
International Privacy
- Organization for Economic Co-operation and Development (OECD)
  - 8 core principles
Privacy Law Examples
- Health Insurance Portability and Accountability Act (HIPAA)
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- European Union Data Protection Directive
Employee Privacy
- Employee monitoring
- Training
- Authorized usage policies
  - Internet usage
  - Email
  - Telephone
Incident Management
- Prepare, sustain, improve
- Protect infrastructure
- Prepare, detect, respond
Collection of Digital Evidence
- Volatile and fragile
- Short life span
- Collect quickly
- By order of volatility
- Document, document, document!
Chain of Custody for Evidence
- Who
- What
- When
- Where
- How
Investigation Process
- Identify suspects
- Identify witnesses
- Identify system
- Identify team
- Search warrants
Investigation Techniques
- Ownership and possession analysis
- Means, opportunity and motives (MOM)
Behavior of Computer Criminals
- Computer criminals have specific MOs
  - Hacking software / tools
  - Types of systems or networks attacked, etc.
- Signature behaviors
- MO and signature behaviors
- Profiling
Interviewing vs. Interrogation
- Interviewing: general gathering, cooperation, seek truth
- Interrogation: specific aim, hostile, dangerous
Evidence: Hearsay
- Hearsay
  - Second-hand evidence
  - Normally not admissible
- Business records exception
  - Computer-generated information
  - Process of creation description
Reporting and Documentation
- Law
- Court proceedings
- Policy
- Regulations
Communication About the Incident
- Public disclosure
- Authorized personnel only
Computer Forensics: Evidence
- Potential evidence
- Evidence and legal system
Computer Forensics
- Key components
- Crime scenes
- Digital evidence
- Guidelines
Computer Forensics: Evidence
- Identification of evidence
- Collection of evidence
  - Use appropriate collection techniques
  - Reduce contamination
  - Protect scene
  - Maintain the chain of custody and authentication
Computer Forensics: Evidence
- Scientific methods for analysis
  - Characteristics of the evidence
  - Comparison of evidence
- Presentation of findings
  - Interpretation and analysis
  - Format appropriate for the intended audience
Forensic Evidence Procedure
- Receive media
- Disk write blocker
- Bit-for-bit image
- Cryptographic checksum
- Store the source drive
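The imaging and checksum steps above, together with the who/what/when/where/how chain-of-custody record from the earlier slide, as an added Python example that is not part of the original deck. It assumes a constructed byte string standing in for the source media and SHA-256 as the checksum; a real acquisition would read the device through a hardware write blocker and write the image to a file.

```python
import hashlib
from datetime import datetime, timezone

CHUNK = 4096  # block size used while copying; any size gives the same digest


def image_and_hash(source, chunk_size=CHUNK):
    """Copy the source media bit for bit, block by block, hashing the bytes as
    they are copied. The source is only ever read, never written, which is the
    property a write blocker enforces in hardware."""
    digest = hashlib.sha256()
    image = bytearray()
    for offset in range(0, len(source), chunk_size):
        block = source[offset:offset + chunk_size]
        image.extend(block)
        digest.update(block)
    return bytes(image), digest.hexdigest()


def custody_entry(who, what, where, how, sha256):
    """One chain-of-custody record: who, what, when, where, how, plus the
    acquisition checksum that later verification is compared against."""
    return {"who": who, "what": what,
            "when": datetime.now(timezone.utc).isoformat(),
            "where": where, "how": how, "sha256": sha256}


def verify_image(image, entry):
    """Recompute the checksum of a working copy and compare it with the value
    recorded at acquisition; False means the copy can no longer be trusted."""
    return hashlib.sha256(image).hexdigest() == entry["sha256"]


# Constructed stand-in for a small drive (not real evidence).
SOURCE_MEDIA = b"\x00" * 1000 + b"user data here" + b"\xff" * 3500


def demo():
    """Image the media, record custody, then show that a single flipped bit in
    a working copy is detected. Returns (ok_before, ok_after)."""
    image, checksum = image_and_hash(SOURCE_MEDIA)
    entry = custody_entry("Examiner A", "image of drive S/N EXAMPLE-0001",
                          "evidence locker 3",
                          "imaged behind write blocker, SHA-256 at acquisition",
                          checksum)
    ok_before = verify_image(image, entry)
    tampered = bytearray(image)
    tampered[1005] ^= 0x01  # one bit changed inside the "user data" region
    ok_after = verify_image(bytes(tampered), entry)
    return ok_before, ok_after
```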
Forensic Evidence Analysis Procedure
- Recent activity
- Keyword search
- Slack space
- Documented
Media Analysis
- Recognizing operating system artifacts
- File system
- Timeline analysis
- Searching data
Software Analysis
- What it does
- What files it creates
Network Analysis
- Data on the wire
- Ports
- Traffic hiding
Compliance
- Knowing legislation
- Following legislation
Regulatory Environment Examples
- Sarbanes-Oxley (SOX)
- Gramm-Leach-Bliley Act (GLBA)
- Basel II
Compliance Audit
- Audit = a formal written examination of controls
- Auditor role = 3rd-party evaluator
- Continuous auditing = automation
Audit Report Format
- Introduction
  - Background
  - Audit perspective
  - Scope and objectives
- Executive summary
  - Internal audit opinion
- Detail report including auditee responses
- Appendix
  - Exhibits
Key Performance Indicators (KPI)
- Illegal software
- Privacy
- Security-related incidents
Domain Summary
This domain reviewed the areas a CISSP candidate should know regarding:
- International legal issues
- Incident management
- Forensic investigation
- Compliance