Cybersecurity Standards and Law

Published on May 2016 | Categories: Types, Presentations | Downloads: 107 | Comments: 0 | Views: 465
Cybersecurity Laws


Module 8:
Cybersecurity Standards and Law

Cybersecurity Standards

Standard security frameworks emerge from the need to bring order to a potentially chaotic information
systems environment. Some security architecture models are a part of the computer hardware and software you buy, and some are implemented as policies, standards and practices. All standards and frameworks strive to ensure that IT security is well understood and adequately managed.
In addition to security standard frameworks, organizations will often compare their security program to others in the same industry, and share best practices through formal and informal peer groups and information sharing groups. In the financial services sector, the Financial Services Information Sharing and Analysis Center (FS-ISAC) is a good model for the successful sharing of industry-relevant information around physical and cybersecurity threats and vulnerabilities. FS-ISAC was established in 1999, in response to Presidential Decision Directive 63. Financial services is one of the sixteen critical infrastructure sectors defined by Presidential Policy Directive 21 (PPD-21).
The Trusted Computer System Evaluation Criteria (TCSEC) is a U.S. Department of Defense
(DoD) standard architecture model that defines criteria for assessing the access controls in a computer
system. Referred to as The Orange Book, it has restricted use due to its mainframe and defense orientations. It deals primarily with ensuring confidentiality while overlooking integrity and availability. The
Trusted Network Interpretation and the Trusted Database Management System Interpretation were
added to cover network-specific security issues and database security aspects. TCSEC defines a trusted
computing base (TCB) as the combination of hardware, firmware, and software responsible for enforcing a security policy.

TCSEC suggests four basic classes that are ordered in a hierarchical manner. Class D is the lowest level
security evaluation. There is no security or minimal protection at this level. Class C specifies discretionary protection, while Class B specifies mandatory protection. Class A specifies verified protection.

The Information Technology Security Evaluation Criteria (ITSEC) is the European equivalent of
the TCSEC. Its purpose is to demonstrate conformance of a product or a system (target of evaluation)
against threats. It considers the evaluation factors to be functionality and the assurance aspects of correctness and effectiveness. Functionality refers to enforcing functions of the security targets, which can
be individually specified or enforced through predefined classes. Evaluation of correctness assesses the
level at which security functions can or cannot be enforced. Evaluation of effectiveness is a measure as
to whether the security enforcing functions and mechanisms of the target of evaluation satisfy the security objectives.
ITSEC has largely been replaced by the Common Criteria (CC). CC is an international effort to harmonize information systems security standards. It is a means to select security measures and evaluate security requirements. In many ways, it provides a taxonomy for evaluating functionality. It includes eleven functional classes of requirements, which are further divided into 66 families of criteria.
CC has gained significant importance in the industry, especially as a means of defining the security
needs of users. However, there are some inherent deficiencies in it. First, CC lacks clarity in defining a
product, target of evaluation, or a target of evaluation security function. It also lacks a proper definition
of threats and their characterization. It even makes specification of security policies optional. Finally, it
does not clearly provide details as to how the security requirements should be specified.

The Control Objectives for Information and Related Technology (COBIT) model provides advice
about implementation of controls and control objectives for information security. COBIT was released
by ISACA in 1996, and is a business framework for the governance and management of IT. It is composed of 34 high-level objectives, spanning 215 control objectives. Many organizations with compliance
programs use the COBIT model.
The Information Technology Infrastructure Library (ITIL) is similar to COBIT. ITIL is focused on managing service levels of IT systems, whereas COBIT aligns business goals and risk management with IT goals and processes. Organizations that want to develop more specific security controls often turn to the ISO/IEC 27000 series of standards.

ISO/IEC 27002 (previously ISO 17799) was initially developed from BS7799, part 1. It is an international standard that sets out best practice requirements for information security, and is one of the main IS security standards. ISO/IEC 27002 provides best practice recommendations on information security management for use by those responsible for initiating, implementing or maintaining information security management systems (ISMS). The standard contains twelve main sections; within each section, security controls and their objectives are specified and outlined.
ISO/IEC 27001 was initially developed from BS7799, part 2. It defines the specifications for an Information Security Management System (ISMS). ISO/IEC 27002 is an advisory standard, which should be interpreted and applied to all types and sizes of organizations according to the particular information security risks they face. This flexibility gives users a lot of latitude to adopt the information security controls that make sense to them, but makes it unsuitable for the relatively straightforward compliance testing implicit in most formal certification schemes. ISO/IEC 27001, on the other hand, is a certifiable standard. It specifies a number of firm requirements for establishing, implementing, maintaining and improving an information security management system, and lists 133 information security controls that organizations are encouraged to adopt where appropriate within their ISMS. The controls are derived from and aligned with ISO/IEC 27002. These renumbered standards are some of the security models most widely referenced today by security professionals.
One source of public domain management models is the National Institute of Standards and Technology (NIST) Computer Security Resource Center.

“NIST Special Publication 800-12, Computer Security Handbook,” is an excellent reference, but offers little help with the design and implementation of new security systems. “NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems,” covers recommended practices and common information security principles. “NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems,” is a widely used publication with details on the assessment, design and implementation of security controls. “NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems: Building Effective Security Assessment Plans,” replaces SP 800-26 and provides a systems development life cycle approach to security assessments. Finally, “NIST SP 800-30, Risk Management Guide for Information Technology,” provides a good overview for developing an effective risk management program.

Figure 1. NIST Risk Management Framework, Retrieved from http://www.nist.gov/
The Federal Information Processing Standard, FIPS 199, is a U.S. government standard that establishes categories of information systems. Along with “FIPS 200, Minimum Security Requirements for
Federal Information and Information Systems,” these two NIST standards form the minimum security
requirements under the Federal Information Security Management Act (FISMA).


The International Telecommunication Union (ITU) has developed a standard security architecture for open systems interconnection (OSI) applications. The standard, ITU-T X.800, establishes a framework for applying security concepts to attacks on information systems and networks. It defines a security attack as any action that compromises the security of information systems. A security mechanism is defined as any control that is designed to detect, prevent or recover from an attack. A security service is defined as any service that enhances the security of data processing systems and the information transfers of an organization. Security services make use of one or more security mechanisms, and are intended to counter the five categories of attacks: destruction, corruption, removal, disclosure, and interruption.

Figure 2. ITU-T X.800 provides a threat model that describes 5 categories of attack. Retrieved from http://www.itu.int/

These security services are broken up into eight categories: access control, authentication, nonrepudiation, data confidentiality, communication security, data integrity, availability, and privacy.


Figure 3. IT Security Services are broken up by ITU-T X.800 into 8 categories. These processing or communications services give specific protection for attacks against confidentiality, integrity and availability.
Retrieved from http://www.itu.int/

There are several miscellaneous standards and guidelines that are worth mentioning. RFC 2196, the Site Security Handbook, is a framework for developing computer security policies and procedures. It provides practical guidance to system and network administrators on security issues, with lists of factors and issues that a site must consider in order to have effective security. “ISO/IEC TR 13335 Guidelines for the Management of IT Security” (GMITS) is a technical report that covers IT security rather than IS security. Generally Accepted Information Security Principles (GAISP) intends to develop a common international body of knowledge on security and aims to enable a self-regulated information security profession. The OECD Guidelines for the Security of Information Systems are intended to help in the development and implementation of coherent measures, practices, and procedures for the security of information systems.

Laws and Regulations
The government helps to identify and fill gaps that cannot be met through industry best practices and
self-regulation. In particular, laws and regulations are used to address crimes that leverage technology in
a unique way. In some cases, organizations are forced to comply with regulations; hospitals must be
compliant with healthcare regulations, and banks with financial regulations. Legal compliance can drive
improvements in security, but it is often said that compliance sets the floor and not the ceiling, as far as
security best practices are concerned.
The following are some examples of the types of activities laws seek to regulate:
Child protection
Cybercrime
Espionage
Fraud
Identity theft
Internet commerce and competition
Liability and safety
National security
Privacy
Theft of intellectual property
It can take a number of years for new legislation to be instituted in order to adequately address a new
technology. For example, eavesdropping may still be covered under wiretapping laws, because these
laws can be interpreted and applied to the interception of digital communications. On the other hand, the
Internet opened up new avenues for the theft of intellectual property and copyrighted material, so the
Digital Millennium Copyright Act (DMCA) was developed.
The DMCA is a U.S. law that criminalizes the production and distribution of tools that circumvent digital
rights management (DRM) on copyrighted material, such as music and movies. This law was a response
to a growth in computer technology and the Internet as methods of pirating copyrighted materials and
sharing them on peer-to-peer networks. Because new peer-to-peer technologies were advancing rapidly,
the copyright holders, represented by groups such as the Motion Picture Association of America (MPAA)
and the Recording Industry Association of America (RIAA), were unable to develop technology fast
enough to keep up. This is an example of the federal government stepping in to address a gap that standards and industry self-regulation could not remedy alone. This regulation opened the door for many lawsuits, as well as for groups such as the Electronic Frontier Foundation (EFF), which argued that the DMCA did little to actually prevent piracy.

The DMCA was based on the World Intellectual Property Organization (WIPO) Copyright Treaty of 1996. The treaty was open to very broad interpretation, and led to laws like the DMCA and the European Union Copyright Directive (2001).
Another U.S. law that was intended to protect against offensive and pornographic material that was
widely available on the Internet was the Communications Decency Act (CDA) of 1996. It was intended to regulate indecency on the Internet and protect children. CDA was another broad-brush measure aimed at providing a regulatory means of addressing a problem that arose from the rapid introduction
and growth of new technologies, namely computers and the Internet. It was opposed by groups such as
the American Civil Liberties Union (ACLU) on the grounds that it infringed on the free speech of adults.
CDA was struck down in 2006 by a U.S. Supreme Court decision.
CDA led to the Child Online Protection Act (COPA), which attempted to protect children from obscene material online. It was never implemented; however, other laws passed, such as the Children’s Online Privacy Protection Act of 1998 (COPPA), which limits the information companies can collect on minors, and the Children’s Internet Protection Act of 2000 (CIPA), which requires K-12 schools to use Internet filters to protect children from certain categories of material, such as obscene and pornographic material.

The Computer Fraud and Abuse Act (CFAA) was passed in 1984. It is aimed at protecting classified
information, financial records, and credit information stored within federal government computers. The
definition of "federal computers" was later amended and extended to include all computers involved in
interstate and international commerce, whether or not the U.S. government had a vested interest in a
given computer or storage device.
The CFAA defines the legal elements of computer fraud as: acting knowingly and with intent to defraud; accessing a protected computer without authorization, or exceeding authorization; and obtaining
anything of value other than minimal computer time.

The Computer Security Act (CSA) was passed in 1987. It is aimed at standardizing and tightening security controls on computers in use throughout the federal government and its contractors, and training
its workforce to maintain appropriate security levels.
There are four major requirements in the CSA. First, it requires the identification of systems and the establishment of security plans. Second, it requires mandatory periodic training in computer security
awareness and accepted computer security practices. Third, it requires the National Institute of Standards
and Technology (NIST) to establish a computer standards program to develop standards and guidelines
to control loss and unauthorized modification or disclosure of sensitive information and to prevent computer-related fraud and misuse. Finally, it requires the establishment of the Computer System Security
and Privacy Advisory Board within the Department of Commerce. CSA was superseded by the Federal
Information Security Management Act (FISMA).
FISMA was passed in 2002. It is aimed at mandating that federal organizations establish a framework
that facilitates the effective management of security controls in their IT domain.
FISMA has four components. First, it requires the Chief Information Officer of each federal agency to
define and implement an information security program. Second, it requires all impacted agencies to report their compliance with the requirements at regular intervals. Third, it holds IT executives accountable for the management of a security policy. Fourth, it makes the Office of Management and Budget
responsible for the creation of policies, standards, and guidelines that each agency must adhere to in
their information security program.

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996. It is aimed
at improving Medicare under titles XVIII and XIX of the Social Security Act and enhancing the efficiency and effectiveness of the healthcare system through the development of a health information system with established standards and requirements for the electronic transmission of health information.
There are five major areas of HIPAA regarding personal history information (PHI) privacy and security.
The first is the standardization of electronic patient administrative and financial data. The second is the
establishment of unique identifiers for providers, health plans, and employers. The third area makes
changes to most healthcare transaction and administrative information systems. The fourth area deals with privacy regulation and the confidentiality of patient information. Finally, the fifth is technical practices and procedures to ensure data integrity, security, and availability of healthcare information.

The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept
and Obstruct Terrorism Act (USA PATRIOT Act) was passed in 2001. It is aimed at equipping law
enforcement agencies with the tools necessary to investigate and apprehend people that are suspected of
planning or carrying out terrorist acts.
The USA PATRIOT Act covers a wide range of topics. First, the law broadens the category of things that can be subpoenaed. Second, it extends a previous rule by allowing ISPs to disclose the content of electronic communication when there is fear of physical threat to people, without prior notification to the user. Third, it includes Internet communication in the types of things for which surveillance can be undertaken using pen register and trap and trace methods. Fourth, it protects ISPs from prosecution for assisting with wiretaps and surveillance of electronic communication. Finally, it extends and clarifies some of the key points of the CFAA.
The Public Company Accounting Reform and Investor Protection Act (a.k.a. the Sarbanes-Oxley
Act or SOX) was passed in 2002 in the wake of the Enron and WorldCom financial scandals. It is
aimed at strengthening corporate governance of enterprise financial practices.
SOX covers five major areas. They are as follows:
External audit oversight and standards
Internal audit committee responsibility
Executive management accountability
Financial disclosure strengthening
Criminal penalty for violations

The right to privacy is strongly defended in Europe, as demonstrated by the European Union (EU) Data Privacy Directive (Directive 95/46/EC). This directive regulates the processing of personal data. It goes further than the sectoral approach taken by the United States, which is more laissez-faire and relies on industry standards and self-regulation. The U.S. approach protects free speech, and interprets privacy as an implicit constitutional right. The EU takes a stronger stance on the unchecked use of personal information. As companies do business globally, they must comply with laws and regulations in many jurisdictions. This means identifying legal and compliance subject matter experts to protect their interests as they operate globally.


Ethical and Cultural Issues

Security standards and best practices provide a framework for developing a cybersecurity program.
When standards and self-regulation are insufficient, the government may institute laws and regulations
to govern the use of technology. However, even with all of these standards and laws, they cannot keep
up with the pace of change of technology or its myriad uses. Standards and laws serve a broad role, but
it is up to the cybersecurity professional to interpret and apply them in an ethical manner.
The cybersecurity professional must make decisions based on:
Business objectives
Industry standards and best practices
Legal and regulatory compliance
Ethical and cultural considerations
While there are many regulations that apply to information protection and privacy, they only provide
high-level direction and fail to prescribe technologies and detailed plans for implementation. The cybersecurity or IT professional must understand how their choices can affect the organization and make ethical choices in how they use technology and apply data protection.
We live in a highly connected world, where data is at our fingertips. This is a marked change from how
most of us lived and worked in the 20th century. Data is being collected about ourselves, our employees,
and our customers. All of this information can provide a competitive advantage in the business world.
However, along with this information comes the risk that it can be misused. Additionally, with large data
sets and complex computer programs, it can be easy to make a clerical error during data entry, or when
writing computer code, and simple errors can have a significant impact. For example, a typo could affect
an individual’s credit score, and because of that they may fail to secure an educational loan or home
mortgage. Programming errors can open the door for attacks by cybercriminals, exposing your personal
and financial information.

Acting ethically, as an information technology or security professional, involves:
Maintaining privacy and confidentiality.
Obeying laws and regulations.
Acting in the best interest of your employer.
Working within the boundaries of your job description.
Notifying your employer of any breach or ethical concern.
Performing your due diligence to minimize mistakes and programming errors.
Respecting intellectual property rights.
Despite the potential for conflict, these four ethical frameworks should complement one another. However, when the conclusion is difficult to ascertain, there is one additional framework that can be employed: principlism. The application of normative principles can help to sort through a complex dilemma. The following principles are complementary and derived from the four frameworks previously discussed:
Autonomy
Non-maleficence
Beneficence
Justice
Autonomy involves the respect for the individual, and respect for their choices which do not contradict
the other normative principles. Non-maleficence basically involves not taking actions that harm others.
Beneficence is the principle of being willing to help others, when their need is justified and you have the
ability. Justice is the principle of fairness, equity and impartiality.
Another factor that influences ethical decision-making is the appreciation of cultural differences that influence the values and viewpoint of different groups. This is particularly relevant when dealing with diverse and global groups, where people are affected by different laws and societal influences.
The application of ethics is a three-step method:
Start by evaluating your ‘gut feeling’.
Test against utility, duty, rights and normative principles.
Consider legal and regulatory requirements and cultural context.

Utility has to do with feelings of happiness or pleasure when doing something right and feelings of unhappiness or displeasure when doing something wrong. Duty is an action, or an act, that is required by
moral obligation. For example, if you witness something illegal or improper happening, it is your duty
to report it. Rights are what is due to you based on ethical principles, and also what is due to others.
Normative principles involve the attempt to answer specific moral questions about what people should
do or believe.
When we consider different scenarios and dilemmas, we make better ethical decisions. There are many opportunities in our work and personal lives to make ethical decisions about the use of information.
Some examples include:
How we protect privacy data of others and our own
How we log and monitor employees
How we manage intellectual property that belongs to our employer
How we consume digital media, where others own the copyright
Freedom of speech on the Internet
IT administrators and security professionals tend to have greater access to information than others, which
means they have a responsibility to be good stewards of this data. They need to protect its confidentiality,
integrity and availability. It could be an easy thing for an email administrator to read an executive’s
email, for example, but it is pretty clear it would be unethical and an invasion of privacy.
This brings up an important consideration for IT staff: Who watches the watchers? IT and security professionals need to not only make ethical decisions, but they must not give others cause to doubt their integrity. Ethical behavior not only involves practice, but perception, and whether your job is in law enforcement, computer programming or computer security, you need to set an example so that others can
see you not only enforce rules, but also follow them. This is a key component of an overall awareness
program to educate end users on the proper and ethical use of the organization’s data and systems, and
inculcate a culture of security.
Another area where ethics come into question is in counterintelligence and nation-state warfare. It seems
much more evident that an individual is behaving unethically if they attack systems belonging to another
person, organization or nation. Even organizations that retaliate against attackers, or who lure in attackers
with the intention of entrapment, are probably crossing the line. When is it appropriate for law enforcement, military groups or nation-states to attack another group: as retaliation or preemptively?
One recent example is the Stuxnet cyber-attack on Iran. This was a case where sophisticated computer
code was developed and deployed, anonymously and from a distance, against targets in another country.
The fact that cyber-attacks can be asymmetric and anonymous makes them different from conventional
warfare. Also, the distance and dissociative nature of cyber-attacks can make it difficult to ensure that no
harm comes to non-combatants.

Professionalizing the Cybersecurity Workforce

There is a growing global demand for cybersecurity professionals. Information technology is vital to
commerce and communication, and at the same time, threats are becoming more sophisticated and widespread. Threats against corporations put intellectual property at risk. Threats against consumers put privacy and identity at risk. Cybercriminals attack targets for profit; terrorists attack a nation’s critical infrastructure.
Cybersecurity positions can encompass different roles and require different skill sets. The National Initiative for Cyberspace Careers and Studies (NICCS) defines 31 common specialty areas of cybersecurity
work. These different specialty areas may require different training and education, as well as certifications. In order to plan for the anticipated capacity and capabilities, and develop the necessary skills in
the cybersecurity workforce, efforts are being made to formalize the career paths available to cybersecurity professionals.
Today, there are many educational degree and certificate programs in the field of cybersecurity. In addition, there are many educational opportunities available from information security training providers
which develop skills, such as the SANS Institute, Global Information Assurance Certification (GIAC)
and (ISC)². Training and certification may be required for jobs in certain industries or the government
sector, and may lend credibility to a person’s background when they must testify in court as an expert
witness or when they work with law enforcement.
In addition to developing technical and professional skills and maintaining their currency through ongoing training and certification, the cybersecurity professional has a responsibility to abide by a standard
code of ethics and professional conduct as they represent their profession. One way that professionals
can demonstrate this is by membership in technical and professional societies that have a code of ethics.
Other ways the cybersecurity professional can contribute to the profession and demonstrate their commitment is by serving on industry boards and committees, helping to organize training and conferences,
and through writing, teaching, and speaking on cybersecurity topics.

Module Summary
Cybersecurity standards provide a framework of rules and best practices to follow to protect the confidentiality, integrity and availability of data and systems. These standards are applied based on the business context and regulatory environment. The cybersecurity professional is responsible for developing
and implementing security policy in a consistent and ethical manner. This is especially important when
dealing with legal and cultural issues that vary from state to state, and country to country. In order to
maintain skills, cybersecurity professionals develop themselves through training, certification and participation with professional societies and groups, and abiding by a code of ethics and professional behavior.
References
Department of Homeland Security. (n.d.). National Initiative for Cyberspace Careers and Studies. Retrieved from http://niccs.us-cert.gov/training/tc/framework/specialty-areas
Electronic Frontier Foundation. (n.d.). Digital Millennium Copyright Act. Retrieved from https://www.eff.org/issues/dmca
Financial Services Information Sharing and Analysis Center. (2013). Retrieved from https://www.fsisac.com/
ITU. (2013). The International Telecommunication Union. Retrieved from http://www.itu.int/en/Pages/default.aspx
NIST. (2013, September 15). Computer Security Division. Computer Security Resource Center. Retrieved from http://csrc.nist.gov/
U.S. Department of Justice. (n.d.). The USA PATRIOT Act: Preserving life and liberty. Retrieved from http://www.justice.gov/archive/ll/highlights.htm
