IS3350 Security Issues in Legal Context Unit 6 Federal and State Laws on Privacy,
© ITT Educational Services, Inc. All rights reserved.
IS3350 Security Issues in Legal Context
Unit 6
Federal and State Laws on Privacy, Information Security, and Breach Notification
Learning Objective
Describe legal compliance laws addressing public and private institutions
Key Concepts
Federal government information security and privacy regulation
Federal Government Information Security Management Act (FISMA)
Import and export laws for information technology
State regulation of privacy and information security
Data breach notification
EXPLORE: CONCEPTS
Federal Information Security Management Act (FISMA)
Categorizing information and information systems by mission impact
Complying with minimum security requirements for information systems
Selecting appropriate security controls for information systems
Federal Information Security Management Act (FISMA) continued
Assessing security controls in information systems
Determining security control effectiveness
Establishing security authorization of information systems
Monitoring security controls
Assuring security authorization of information systems
FISMA Implementation Project
Develop and Update Security Standards to Comply with FISMA
Provide security reference materials to support the Risk Management Framework (RMF)
Apply risk management-based approach to security controls
FISMA Procedures
Categorization Based on Impact Analysis
Select Baseline Security Controls
Implement and Document Security Controls
Assess Security Controls
Authorize Acceptable Operational Risks
Monitor and Assess Selected Security Controls
Data Breach Notification Laws
Requirements to inform customers of a data breach
Civil and/or criminal penalties for failure to disclose
Private right of action
Exemptions from reporting
Data Breach Notification Laws (Continued)
Personal Data Privacy and Security Act of 2009
Sponsored by committee Chairman Sen. Patrick Leahy, D-VT
Requires breached organizations to notify individuals at risk
Notice not required if data was encrypted or rendered useless
Data Breach Notification Act
Endorsed by California Sen. Dianne Feinstein, D-CA
Regulatory Requirements for the Import and Export of Information Technology
Department of Commerce
Export Administration Regulations (EAR)
Export Administration Act of 1979
Bureau of Industry and Security
Commerce Control List (CCL)
Department of State International Traffic in Arms Regulations (ITAR)
Treasury Department Office of Foreign Assets Control (OFAC)
Regulatory Requirements for the Import and Export of Information Technology
Export of Technology or Software
Release of technology or software subject to the EAR in a foreign country
Release of technology or source code subject to the EAR to a foreign national within the United States or outside
Transfer of source code
Inspection or oral communication of code
Violations subject to civil penalties or denial of export privileges
Willful violations subject to criminal penalties
EXPLORE: ROLES
ROLES
Chief Information Security Officer
• Manages investigations of possible breaches
Legal Counsel
• Handles all legal issues associated with compromise of protected data
Office of Public Affairs
• Directs all internal and external communication
• Manages media relations
• Maintains contact with law enforcement
Human Resources
• Advises on personnel issues and communications
Summary
Federal government information security and privacy regulation
Federal Government Information Security Management Act (FISMA)
Import and export laws for information technology
State regulation of privacy and information security
Data breach notification