IS3350 Security Issues in Legal Context

© ITT Educational Services, Inc. All rights reserved.


Transcript of IS3350 Security Issues in Legal Context

Page 1: IS3350 Security Issues in Legal Context


IS3350 Security Issues in Legal Context

Unit 1

Information Systems Security Overview

Page 2: IS3350 Security Issues in Legal Context


Learning Objective

Recognize the legal aspects of the information security triad: Availability Integrity Confidentiality

Page 3: IS3350 Security Issues in Legal Context


Key Concepts

Availability, Integrity, and Confidentiality (AIC Triad)
Basic information system security concepts
Risk analysis and mitigation
Mechanisms for organizational information security
Data classifications requiring specialized legal consideration

Page 4: IS3350 Security Issues in Legal Context


EXPLORE: CONCEPTS

Page 5: IS3350 Security Issues in Legal Context


CIA Triad

(Diagram: Information Security at the center, surrounded by Confidentiality, Integrity, and Availability)

Page 6: IS3350 Security Issues in Legal Context


Information Security Common Concerns

Shoulder Surfing
Social Engineering
Spear Phishing
Malware
Spyware
Logic Bomb
Back Door
Denial of Service

Page 7: IS3350 Security Issues in Legal Context


Data Classification

General Military Classification   General Corporate Classification
Top Secret                        Corporate Confidential
Secret                            Client Confidential
Confidential                      Proprietary
Restricted                        Public
Unclassified

Page 8: IS3350 Security Issues in Legal Context


Legal Mechanisms to Ensure Information Security

Laws: Gramm-Leach-Bliley Act, HIPAA, Sarbanes-Oxley (SOX), and others

Information Regulations: Financial, credit card, health, etc.

Agencies: FTC, Banks, DHHS, SEC, DOE, etc.

Page 9: IS3350 Security Issues in Legal Context


Vulnerability ~ asset weaknesses

Mitigation ~ safeguard assets

Threat Agent ~ hacker or malware

Exploits ~ threats carried out

Risks ~ minimized by asset owner

Risk Management Concepts

Page 10: IS3350 Security Issues in Legal Context


EXPLORE: PROCESS

Page 11: IS3350 Security Issues in Legal Context


Risk Management Process

(Diagram of the relationships among Owner, Safeguard, Vulnerability, Risk, Asset, Threat Agent, and Threat)

Page 12: IS3350 Security Issues in Legal Context


EXPLORE: ROLES

Page 13: IS3350 Security Issues in Legal Context


Senior Management

Information Technology Department

Legal Department

Chief Information Security Officer

Roles in Risk Management

Page 14: IS3350 Security Issues in Legal Context


EXPLORE: CONTEXT

Page 15: IS3350 Security Issues in Legal Context


Information Security in Different Contexts

Government Organizations          Corporations
High Interest in Confidentiality  High Interest in Availability
Mandatory Access                  Discretionary Access
Lattice-Based Models              Role-Based Models

Page 16: IS3350 Security Issues in Legal Context


Access Control Models

Discretionary Access Control (DAC): discretion of the owner

Mandatory Access Control (MAC): security labels & classifications

Role-Based Access Control (RBAC): job function or role
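An added illustration, not part of the course slides: the same access request evaluated under all three models, so the difference in who decides (the owner, the label lattice, or the role) is visible in code. The classification ladder is the military one from the Data Classification slide; the users, files, roles, and the simplified Bell-LaPadula rules for MAC (no read up, no write down) are assumptions made for this example.

```python
"""DAC, MAC and RBAC decisions over one constructed set of subjects and files.

Example code added for illustration; the level ladder follows the course's
Data Classification slide, all other data is constructed sample input.
"""
from dataclasses import dataclass, field

# Military classification ladder, lowest first (from the Data Classification slide).
LEVELS = ["Unclassified", "Restricted", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass
class Resource:
    name: str
    owner: str                                # DAC: the owner controls the ACL
    label: str                                # MAC: classification label
    acl: dict = field(default_factory=dict)   # DAC: user -> set of permissions


@dataclass
class Subject:
    name: str
    clearance: str                            # MAC: clearance level
    roles: set                                # RBAC: roles held by job function


# --- DAC: access is at the discretion of the owner, who edits the ACL ---
def dac_grant(res, granting_user, grantee, perm):
    """Only the owner may change the ACL; anyone else's grant is refused."""
    if granting_user != res.owner:
        return False
    res.acl.setdefault(grantee, set()).add(perm)
    return True


def dac_allows(res, subject, perm):
    return subject.name == res.owner or perm in res.acl.get(subject.name, set())


# --- MAC: labels compared on the lattice; neither owner nor user can override ---
def mac_allows(res, subject, perm):
    """Simplified Bell-LaPadula (assumption): read only at or below your clearance,
    write only at or above it, so data never flows down the lattice."""
    s, o = RANK[subject.clearance], RANK[res.label]
    if perm == "read":
        return s >= o      # no read up
    if perm == "write":
        return s <= o      # no write down
    return False


# --- RBAC: permissions attach to roles; users get roles by job function ---
ROLE_PERMS = {                                # constructed role table
    "analyst":    {("finance-report", "read")},
    "accountant": {("finance-report", "read"), ("finance-report", "write")},
    "auditor":    {("finance-report", "read"), ("hr-records", "read")},
}


def rbac_allows(res, subject, perm):
    return any((res.name, perm) in ROLE_PERMS.get(r, set()) for r in subject.roles)


def decisions(res, subject, perm):
    """Evaluate one request under all three models, side by side."""
    return {"DAC": dac_allows(res, subject, perm),
            "MAC": mac_allows(res, subject, perm),
            "RBAC": rbac_allows(res, subject, perm)}


if __name__ == "__main__":
    # Constructed sample data: one file, three users with different clearances and roles.
    report = Resource("finance-report", owner="alice", label="Confidential")
    alice = Subject("alice", "Confidential", {"accountant"})
    bob = Subject("bob", "Restricted", {"analyst"})
    carol = Subject("carol", "Top Secret", {"auditor"})

    dac_grant(report, "alice", "bob", "read")   # owner shares the file with bob
    for who in (alice, bob, carol):
        for perm in ("read", "write"):
            print(f"{who.name:6} {perm:5} {decisions(report, who, perm)}")
```

Note that the results diverge exactly where the slide says they should: bob can read the report under DAC only because alice chose to grant it, is refused under MAC because a Restricted clearance does not dominate a Confidential label, and is permitted under RBAC purely because the analyst role carries that permission. Carol, with the highest clearance, may read under MAC but not write (no write down), and has no DAC access at all because the owner never granted it.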

Page 17: IS3350 Security Issues in Legal Context


EXPLORE: RATIONALE

Page 18: IS3350 Security Issues in Legal Context


Cyberspace theft

Internet extortion

Online pedophilia

Jurisdiction issues

Electronic signature issues

Law and Information Security

Page 19: IS3350 Security Issues in Legal Context


Summary

Availability, Integrity, and Confidentiality (AIC Triad)
Basic information system security concepts
Risk analysis and mitigation
Mechanisms for organizational information security
Data classifications requiring specialized legal consideration