Deck 12: Protection Mechanisms

What is another name for the Kennedy-Kassebaum Act (1996), and why is it important to organizations that are not in the health care industry?

If you work for a financial service organization (such as a bank or credit union), which law from 1999 affects your use of customer data? What other effects does it have?

Iris was a little unsure of what to do next. She had just left the meeting with the other executives of RWW, Inc. At the meeting they confirmed the need for action on the matter of the critical information offered for sale on a public auction site. That was the last point of agreement. This was a risk they had simply not planned for and they were completely unprepared.
Just before the meeting broke up, they had made assignments to various people in the meeting. Robin, the CEO, was going to contact the members of the board of directors to brief them so that if the story became public, they would not be surprised. Jerry, the corporate counsel, was going to start an intensive effort to discover what peer companies had done in situations like this. Mike, the CIO, was assigned to contact the auction site to get the auction shut down and lay the groundwork for working with whatever authorities were brought in for the criminal aspects of the case.
Iris was assigned to investigate which law enforcement agency should be involved in the investigation. She reached for her business card box and began thumbing through the contacts she had.
Do you think the response of the company so far indicates any errors in the matter of this incident?

Which 1997 law provides guidance on the use of encryption?

What does CISSP stand for? Using the Internet, find out what continuing education is required for the holder of a CISSP to remain current and in good standing

What is intellectual property? Is it offered the same protection in every country? What laws currently protect intellectual property in the United States and Europe?

What is the difference between criminal law and civil law?

What is a policy? How does it differ from a law?

Iris was a little unsure of what to do next. She had just left the meeting with the other executives of RWW, Inc. At the meeting they confirmed the need for action on the matter of the critical information offered for sale on a public auction site. That was the last point of agreement. This was a risk they had simply not planned for and they were completely unprepared.
Just before the meeting broke up, they had made assignments to various people in the meeting. Robin, the CEO, was going to contact the members of the board of directors to brief them so that if the story became public, they would not be surprised. Jerry, the corporate counsel, was going to start an intensive effort to discover what peer companies had done in situations like this. Mike, the CIO, was assigned to contact the auction site to get the auction shut down and lay the groundwork for working with whatever authorities were brought in for the criminal aspects of the case.
Iris was assigned to investigate which law enforcement agency should be involved in the investigation. She reached for her business card box and began thumbing through the contacts she had.
With which agency do you think Iris should start? On what factors do you base that recommendation?

What are the three general categories of unethical and illegal behavior?

For what kind of information security jobs does the NSA recruit? Use the Internet to visit its Web page and find a listing.

What is the best method for preventing illegal or unethical behavior?

What is tort law and what does it permit an individual to do?

Of the professional organizations discussed in this chapter, which has been in existence the longest time? When was it founded?

Iris was a little unsure of what to do next. She had just left the meeting with the other executives of RWW, Inc. At the meeting they confirmed the need for action on the matter of the critical information offered for sale on a public auction site. That was the last point of agreement. This was a risk they had simply not planned for and they were completely unprepared.
Just before the meeting broke up, they had made assignments to various people in the meeting. Robin, the CEO, was going to contact the members of the board of directors to brief them so that if the story became public, they would not be surprised. Jerry, the corporate counsel, was going to start an intensive effort to discover what peer companies had done in situations like this. Mike, the CIO, was assigned to contact the auction site to get the auction shut down and lay the groundwork for working with whatever authorities were brought in for the criminal aspects of the case.
Iris was assigned to investigate which law enforcement agency should be involved in the investigation. She reached for her business card box and began thumbing through the contacts she had.
What criminal acts do you think are involved in this situation? What do you think the relationship of the perpetrator to RWW, Inc., might be?

Of the professional organizations discussed in this chapter, which is focused on auditing and control?

Using the resources available in your library, find out what laws your state has passed to prosecute computer crime.

What is the stated purpose of the SANS organization? In what ways is it involved in professional certification for InfoSec professionals?

What are the three primary types of public law?

Which U.S. federal agency sponsors the InfraGard program? Which agency has taken control of the overall National Infrastructure Protection mission?

Using the Web, go to www.eff.org. What are the current top concerns of this organization?

What is due care? Why would an organization want to make sure it exercises due care in its usual course of operations?

Which law amended the Computer Fraud and Abuse Act of 1986, and what did it change?

What can be done to deter someone from committing a crime?

Using the ethical scenarios presented in this chapter, consider each scenario and note your response. Bring your answers to class to compare them with those of your peers.

How does due diligence differ from due care? Why are both important?

Which organization led the efforts to overturn the Computer Decency Act? What happened to the law it opposed?