
1 CIT 485: Advanced Cybersecurity
Policy, Legal, and Compliance Issues

2 Topics
- Policy, Standards, and Procedures
- US Government Security Policies (FISMA)
- Laws and Compliance
- PCI Data Security Standard (DSS)
- Bring Your Own Device (BYOD)

3 Policy, Standards, and Procedures
- Policy provides a statement of intent.
  Example: Employees must use strong passwords on all accounts.
- Standard provides specifics to help organization members comply with policy.
  Example: Passwords must be at least 10 characters long. They must not be stored on unencrypted media.
- Procedure: To change your password, follow these steps:
  1. Log in using your current password.
  2. Type passwd.
  3. Enter your current password.
  4. Enter your new password twice.

4 Compliance
- Information security policies must ensure compliance with applicable laws and regulations.
- Organizations must demonstrate due care: measures taken to ensure every employee knows what is acceptable and what is not.
- Organizations must also demonstrate due diligence: reasonable steps taken to meet the obligations imposed by laws and regulations.

5 Data Handling Policies
- Organizations must have data handling policies to ensure compliance with appropriate laws and regulations.
- Individual IT workers are responsible for following those policies to protect the data of customers and employees.

6 Enforcing Policies
Enforceable policies must meet 5 criteria:
1. Dissemination. Policy must be readily available.
2. Review. Organization must demonstrate policy is accessible to all employees, regardless of language ability.
3. Comprehension. Organization must demonstrate employees understand policies. Online tests and other assessments can be used to ensure comprehension.
4. Compliance. Organization must demonstrate employees agreed to policy through signatures or another specific action.
5. Uniform enforcement. Organization must enforce policy equally on all employees.

7 Computer Security Act (1987)
- Mandated baseline security standards for federal agencies.
- Assigned the National Institute of Standards and Technology (NIST) responsibility for developing computer security standards and guidelines for the federal government.
- NSA assigned responsibility for classified systems.
- Required agencies to create security policies for computer systems with sensitive data.
- Mandated security awareness training for federal employees that use computers with sensitive data.

8 FISMA (2002): Federal Information Security Management Act
- Repealed Computer Security Act of 1987.
- Mandates that federal agencies establish infosec programs:
  - Risk assessments.
  - Policies and procedures.
  - Security awareness training.
  - Incident response.
  - Periodic security assessments.

9 FIPS: Federal Information Processing Standards
- Available on NIST web site.
- Some used only by federal government.
- Others used widely by private organizations.
Notable FIPS
- 140-2: Standards for cryptography. Much cryptographic software comes with a FIPS version to meet it.
- 800-53: Security controls for federal government systems.

10 Sarbanes-Oxley (SOX) (2002)
- Goal: reliability and accuracy of financial reporting.
- Requires that corporate IT certify confidentiality and integrity of systems involved in financial reporting.
- Section 302: Requires corporate executives to personally certify the accuracy and completeness of their financial reports, and to report on the effectiveness of internal controls for their financial reporting.
- Section 404: Mandates that security assessment reports be audited by an external firm.

11 Gramm-Leach-Bliley (1999): Financial Services Modernization Act
- Requires financial institutions to disclose privacy policies on the sharing of PII.
- Requires due notice to customers so that they can request information not to be shared.
- Requires notification of customers about privacy policies annually.

12 FERPA (1974): Family Educational Rights and Privacy Act
- Gives parents access to child educational records, but requires permission of students age 18 or older.
- Restricts access to educational records: determines who can access PII and grades, and for which purposes.
- PII and grades can only be sent over secure channels.
- Student medical records governed by FERPA, not HIPAA.

13 HIPAA (1996): Health Insurance Portability and Accountability Act
- Affects almost all organizations doing health care.
- Privacy requirements for sharing health care records without patient consent.
- Requires providers give patients access to records.
- Establishes standards for digital health record exchange.
- Discussed in more detail in other classes like PHI 310.

14 COPPA (1998): Children's Online Privacy Protection Act
- Protects collection of data on children under age 13.
- Specifies requirements for website privacy policies.
- Defines consent requirements for websites.
- Restricts marketing to those under age 13.
- Enforced by the Federal Trade Commission (FTC).

15 PCI DSS
- Payment Card Industry (PCI) requires that organizations that accept payments must follow their Data Security Standard (DSS).
- Version 1.0 released in December 2004.
- Requires securing data at all systems and links:
  - point-of-sale devices;
  - mobile devices, personal computers or servers;
  - wireless hotspots;
  - web shopping applications;
  - paper-based storage systems;
  - the transmission of cardholder data to service providers;
  - remote access connections.

16 PCI DSS: 12 Requirements
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Protect all systems against malware and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.

17 PCI DSS: 12 Requirements (continued)
7. Restrict access to cardholder data by business need-to-know.
8. Identify and authenticate access to system components.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for all personnel.

18 Bring Your Own Device (BYOD)
BYOD Policy
- Employees bring own mobile device to work.
- Same device contains both work and personal data.
Risks to Employers
- Work data travels with device, not protected by firewall.
- Device may bring malware from outside inside firewall.
- Work data may remain on device after employment is terminated.
Risks to Employees
- Makes devices subject to legal discovery.
- Mobile device management software can wipe device.


20 Released under CC BY-SA 3.0
This presentation is released under the Creative Commons Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0) license.
You are free:
- to Share — to copy and redistribute the material in any medium
- to Adapt — to remix, build, and transform upon the material
- to use part or all of this presentation in your own classes
Under the following conditions:
- Attribution — You must attribute the work to James Walden, but cannot do so in a way that suggests that he endorses you or your use of these materials.
- Share Alike — If you remix, transform, or build upon this material, you must distribute the resulting work under this or a similar open license.
Details and full text of the license can be found at

21 Discuss: Aaron Swartz
- Computer Fraud and Abuse Act (CFAA) written in 1986 to amend existing computer fraud law.
- Makes knowingly accessing a "protected computer" without authorization, or exceeding authorized access, a crime.
- Any computer with Internet access is likely a "protected computer".
- Controversy: Aaron Swartz case
  - Aaron Swartz created a script to automatically download many articles from JSTOR, violating their Terms of Service.
  - Federal prosecutors charged him with 11 violations of CFAA with a maximum penalty of 35 years and a $1 million fine.
