Not heavily tested due to the fact that the CISSP is now very international.

Liabilities - who is at fault?

  • Failure of management to execute Due Care/Due Diligence can be termed negligence
    • Culpable negligence can be used to prove liability (holding at fault those who failed to handle risk)
  • Prudent Man Rule
    • Perform duties that prudent people would exercise in similar circumstances
    • Due Diligence: researching industry standards and best practices
    • Due Care: setting and enforcing policy to bring the organization into compliance (SOC, PCI, etc.)
  • Downstream Liabilities
    • Integrating technology with other companies can extend one’s responsibility outside the normal bounds.

** Consider the Following **

A Kubernetes cluster you control is compromised by an attacker and used to launch a substantial attack on another organization, causing millions of dollars in damage. Are you liable for the damages? Maybe(?)

Can you secure a system so that it is impossible to breach? …No. You cannot guarantee protection against compromise. You can implement Due Care and Due Diligence to protect systems. Be a prudent person with a responsibility to protect systems.

Due Diligence is the research. Due Care is the action.

Types of Laws

  • Criminal
  • Civil
  • Regulatory
  • Intellectual Property

Criminal Law

Difficult to prosecute before a jury, so cases rarely result in guilty verdicts.

  • Beyond reasonable doubt: difficult to meet the burden of proof in computer-related crimes
  • Penalties: Financial, Jail-time, death
    • Felonies: heaviest penalties, incarceration of at least a year
    • Misdemeanors: fines & jail time (< 1 year)
  • Criminal system goals: Punishment and Deterrence of future crime.

Civil (Tort) Law

  • Preponderance of evidence is the burden of proof
    • Majority of evidence indicates a ruling
  • Damages
    • Compensatory: Paying for damages, legal fees, various costs
    • Punitive: Punishment for the offender
    • Statutory: An amount stipulated within the law, rather than calculated based on the degree of harm to the plaintiff.
  • Liability, Due Care, Due Diligence, Prudent Person Rule are all pertinent in Civil and Administrative Law

Administrative (Regulatory) Law

  • Defines standards of performance and regulates conduct for specific industries
    • Banking (Basel II)
    • Energy (EPAct of 2005)
    • Health Care (HIPAA)
  • Burden of Proof is more likely than not (Majority of evidence)
  • Penalties: Financial or Imprisonment (Enron)

Intellectual Property

  • Protecting products of the mind/creative
  • Company must take steps to protect resources covered by these laws or these laws may not protect them
  • The main international organization, run by the UN, is the World Intellectual Property Organization (WIPO)
  • Licensing is the most prevalent violation > plagiarism > piracy > corporate espionage (descending)

Trade Secrets

  • Resource must provide competitive value
  • Must be reasonably protected from unauthorized use or disclosure
  • Proprietary to a company and important for survival
  • Must be genuine and not obvious

Knowledge Transfer

Train your people. x3 Treat your trainers well! Goal: Modify Behavior for the better. Training is unsuccessful if behavior did not improve.

  • Awareness, Training, Education

People are often the weakest link in securing information. Awareness of the need to protect information, training in the skills needed to operate them securely, and education in security measures and practices are of critical importance for the success of an organization’s security program.

  • Goal of Knowledge Transfer is to modify employee behavior.

Help users understand why they need to modify behavior with conscious, transparent communication.

Being Aware of the Rules

Security Awareness Training

Security training works best when it’s related to the position being trained. Customize based on the role within the organization.

  • Employees cannot and will not follow the directives and procedures if they do not know about them.
  • Employees must know expectations and ramifications (if not met)
  • Employee recognition award program
    • Encourage secure behavior
  • Part of Due Care
  • Administrative Control(s?)

Overriding Benefits

  • Modifies employee behavior and improves attitudes towards information security
  • Increases ability to hold employees accountable for their actions
  • Raises collective security awareness level of the organization