The Official (ISC)2 CISSP CBK Reference. Aaron Kraus
that govern the privacy of that data.
UNDERSTAND LEGAL AND REGULATORY ISSUES THAT PERTAIN TO INFORMATION SECURITY IN A HOLISTIC CONTEXT
As a CISSP, you must be aware of the legal and regulatory requirements that pertain to information security — both broadly and within your particular industry and/or geographic regions. Having a strong understanding of legal and regulatory issues involves being familiar with the security threats that face information systems as well as the national, state, and local regulations that govern your organization's handling of sensitive data and systems. For both the CISSP exam and the “real world,” you must be familiar with the laws and regulations that govern handling of cybercrimes and data breaches, licensing and intellectual property handling, import/export controls, transborder data flow, and (of course) privacy.
NOTE Misdemeanor and felony are two legal terms that you'll see throughout this section; they describe criminal acts of varying degrees. In U.S. law, a misdemeanor is any “lesser” criminal act that is punishable by less than 12 months in prison. For misdemeanor charges, prison time is often (but not always) replaced with fines, probation, or community service. A felony, under U.S. law, is a more serious criminal offense that carries more serious penalties, including prison time of more than 12 months (up to life imprisonment). In other countries, such as France, Germany, and Switzerland, serious offenses (i.e., “felonies” in the United States) are described as crimes, while less serious offenses are called misdemeanors or delicts. Other countries, such as Brazil, use the term contravention to describe less serious offenses.
Cybercrimes and Data Breaches
A cybercrime is any criminal activity that directly involves computers or the internet. In a cybercrime, a computer may be the tool used to execute the criminal activity, or it may be the target of the criminal activity. There are three major categories of cybercrimes:
Crimes against people: These crimes include cyberstalking, online harassment, identity theft, and credit card fraud.
Crimes against property: Property in this case may include information stored within a computer, or the computer itself. These crimes include hacking, distribution of computer viruses, computer vandalism, intellectual property (IP) theft, and copyright infringement.
Crimes against government: Any cybercrime committed against a government organization is considered an attack on that nation's sovereignty. This category of cybercrime may include hacking, theft of confidential information, or cyber terrorism. Hacktivism is another cybercrime that involves hackers seeking to make a political statement with their attacks. Hacktivists often target government entities but may also target other organizations with whom they disagree.
A data breach is a specific cybercrime where information is accessed or stolen by a cybercriminal without authorization. The target of a data breach is the information system and the data stored within it. Data breaches, and cybercrimes more broadly, may pose a threat to a person, a company, or an entire nation. As such, there are many laws that govern and regulate how cybercrimes are prevented, detected, and handled.
As a CISSP, you should be familiar with the following global cybercrime and information security laws and regulations:
U.S. Computer Fraud and Abuse Act of 1986
U.S. Electronic Communications Privacy Act (ECPA) of 1986
U.S. Economic Espionage Act of 1996
U.S. Child Pornography Prevention Act of 1996
U.S. Identity Theft and Assumption Deterrence Act of 1998
USA PATRIOT Act of 2001
U.S. Homeland Security Act of 2002
U.S. Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003
U.S. Intelligence Reform and Terrorism Prevention Act of 2004
The Council of Europe's Convention on Cybercrime of 2001
The Computer Misuse Act 1990 (U.K.)
Information Technology Act of 2000 (India)
Cybercrime Act 2001 (Australia)
NOTE Many of the regulations in this section have been around for decades. While most of them are still relevant as of this book's writing, the legal landscape is dynamic and changes every year.
U.S. Computer Fraud and Abuse Act of 1986, 18 U.S.C. § 1030
The U.S. Computer Fraud and Abuse Act of 1986 is one of the oldest cybercrime laws in the United States and is still possibly the most relevant one currently in effect. The law has been revised over the years, and you should be familiar with both its original form and the revisions discussed in this section.
The Computer Fraud and Abuse Act (CFAA) is a cybercrime bill that was enacted in 1986 as an amendment to the Comprehensive Crime Control Act of 1984. The CFAA was created to clarify definitions of computer fraud and abuse and to extend existing law to include intangible property such as computer data. Although the CFAA now covers all computing devices, the original law was written to cover “federal interest computers” — a term that was changed to “protected computers” in a 1996 amendment to the act. Section 1030(e)(2) defines a protected computer as one that is
“[E]xclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government”
“[U]sed in or affecting interstate or foreign commerce or communication”
In plain English, a protected computer is a computer used by the U.S. government or a financial institution, or one used in or affecting interstate or foreign commerce or communication. It's important to note here that this definition is broad enough to apply to any computer that is “used in or affecting” commerce or communication: a computer does not need to belong to the government or a financial institution to be protected under this definition, and in practice almost any internet-connected computer qualifies.
The CFAA establishes seven criminal offenses related to computer fraud and abuse and identifies the penalties for each:
Obtaining national security information: §1030(a)(1) describes the felony act of knowingly accessing a computer without or in excess of authorization, obtaining national security or foreign relations information, and willfully retaining or transmitting that information to an unauthorized party.
Accessing a computer and obtaining information: §1030(a)(2) describes the misdemeanor act of intentionally accessing a computer without or in excess of authorization and obtaining information from a protected computer. This crime is upgraded to a felony if the act is committed to gain commercial advantage or private financial gain, if the act is committed in furtherance of any other criminal or tortious act, or if the value of the obtained information exceeds $5,000.
Trespassing in a government computer: §1030(a)(3) extends the definition of trespassing to the computing world and describes the misdemeanor act of intentionally accessing a nonpublic computer of a U.S. department or agency, without authorization, and affecting the use of that computer by or for the U.S. government. §1030(a)(2) covers many of the same cases in which §1030(a)(3) could be charged, but §1030(a)(3) may be charged even when no information is obtained from the computer. In other words, §1030(a)(3) protects against simply trespassing into a government computer, with or without information theft.
Accessing to defraud and obtain value: §1030(a)(4) was a key addition to the 1984 act, and it describes the