IS3350 Security Issues in Legal Context
Unit 6: Federal and State Laws on Privacy, Information Security, and Breach Notification

© ITT Educational Services, Inc. All rights reserved.

Description

PowerPoint presentation, 15 slides. Learning Objective: Describe legal compliance laws addressing public and private institutions.

Transcript of IS3350 Security Issues in Legal Context Unit 6 Federal and State Laws on Privacy, Information Security, and Breach Notification

Page 1

© ITT Educational Services, Inc. All rights reserved.

IS3350 Security Issues in Legal Context

Unit 6

Federal and State Laws on Privacy, Information Security, and Breach Notification

Page 2

Learning Objective

Describe legal compliance laws addressing public and private institutions

Page 3

Key Concepts

Federal government information security and privacy regulation

Federal Information Security Management Act (FISMA)

Import and export laws for information technology

State regulation of privacy and information security

Data breach notification

Page 4

EXPLORE: CONCEPTS

Page 5

Federal Information Security Management Act (FISMA)

Categorizing information and information systems by mission impact

Complying with minimum security requirements for information systems

Selecting appropriate security controls for information systems

Page 6

Federal Information Security Management Act (FISMA) continued

Assessing security controls in information systems

Determining security control effectiveness

Establishing security authorization of information systems

Monitoring security controls

Assuring security authorization of information systems

Page 7

FISMA Implementation Project (NIST)

Develop and update security standards to comply with FISMA

Provide security reference materials to support the Risk Management Framework (RMF)

Apply risk management-based approach to security controls

Page 8

FISMA Procedures

Categorize information systems based on impact analysis

Select baseline security controls

Implement and document security controls

Assess security controls

Authorize acceptable operational risks

Monitor and assess selected security controls

Page 9

Data Breach Notification Laws

Requirements to inform customers of a data breach

Civil and/or criminal penalties for failure to disclose

Private right of action

Exemptions from reporting

Page 10

Data Breach Notification Laws (Continued)

Personal Data Privacy and Security Act of 2009

Sponsored by Senate Judiciary Committee Chairman Sen. Patrick Leahy, D-VT

Requires breached organizations to notify individuals at risk

Notice not required if the data was encrypted or otherwise rendered unusable

Data Breach Notification Act

Sponsored by Sen. Dianne Feinstein, D-CA

Neither bill became law; outside sector-specific federal rules, breach notification continues to be governed primarily by state statutes.

Page 11

Regulatory Requirements for the Import and Export of Information Technology

Department of Commerce

Export Administration Regulations (EAR), issued under the Export Administration Act of 1979

Administered by the Bureau of Industry and Security (BIS)

Commerce Control List (CCL)

Department of State: International Traffic in Arms Regulations (ITAR)

Treasury Department: Office of Foreign Assets Control (OFAC)

Page 12

Regulatory Requirements for the Import and Export of Information Technology (continued)

Export of Technology or Software

Release of technology or software subject to the EAR in a foreign country

Release of technology or source code subject to the EAR to a foreign national, whether inside the United States (a "deemed export") or outside it

Transfer of source code

Inspection of, or oral communication about, code

Violations subject to civil penalties or denial of export privileges

Willful violations subject to criminal penalties

Page 13

EXPLORE: ROLES

Page 14

ROLES

Chief Information Security Officer
• Manages investigations of possible breaches

Legal Counsel
• Handles all legal issues associated with the compromise of protected data

Office of Public Affairs
• Directs all internal and external communication
• Manages media relations
• Maintains contact with law enforcement

Human Resources
• Advises on personnel issues and communications

Page 15

Summary

Federal government information security and privacy regulation

Federal Information Security Management Act (FISMA)

Import and export laws for information technology

State regulation of privacy and information security

Data breach notification