What circumstances can the DAA waive the certification requirements?
The DAA (Designated Approving Authority) can waive the certification requirements in exceptional cases, such as during emergency situations where the immediate use of a system is necessary to protect national security or during time-sensitive operations. The DAA may also waive the certification requirements if an alternative method of assurance is utilized to adequately address the risk associated with the system. However, such waivers are typically granted on a case-by-case basis and are subject to specific conditions.
What is the answers for iaso certification course final exam management level 1?
b
d
d
b
b
c
b
b
a
b
a
c
c
d
d
b
c
b
a
d
c
a
b
c
d
a
b
c
c
a
a
d
b
d
d
b
a
a
d
b
c
a
c
d
d
c
b
b
a
Minimum password length required by AR 25-2?
10 characters minimum
15 or more is recommended
According to AR 25-2, Section IV, paragraph 4-12 b:
The IAM or designee will manage the password generation, issuance, and control process. If used, generate passwords in accordance with the BBP for Army Password Standards.
BBP for Army password standards are contained in 04-IA-O-0001, paragraph 5A:
(1) All system or system-level passwords and privileged-level accounts (e.g., root, enable, admin, administration accounts, etc.) will be a minimum of 15-character case-sensitive password changed every 60 days (IAW JTF-GNO CTO).
(2) All user-level, user-generated passwords (e.g., email, web, desktop computer, etc.) will change to a 14-character (or greater) case-sensitive password changed every 60 days.
From these two documents it would appear that the 10 character minimum is an outdated recommendation.
From this it would appear that the frequently repeated "8 character minimum" is outdated. Note that the only conditions under which an 8 character password is allowed are:
(8) The use of eight character passwords are authorized when:
(I) The password generated is a purely random-generated authenticator from the complete alpha/numeric and special character sets and no user-configured passwords can replace, be generated, or accepted in lieu of the generated password. (For example: Credentialing system issues randomly generated authenticator AND enforce use of that authenticator to network resources.)
Or:
(II) Access to private applications is conducted over an approved 128-bit encrypted session between systems, and the application does not enforce local user access credentialing to a local network resources. (For example: User accesses local LAN connected system through traditional access procedures then accesses a web portal application over an SSL connection; the web portal password may be 8 characters.)
--- from 04-IA-O-0001, paragraph 5A
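The rules quoted above lend themselves to an automated audit. The following is an added example, not text or code from AR 25-2, the BBP or the original answer: it encodes the 15/14-character minimums, the 60-day change interval and the rule (8) exceptions as quoted, and flags accounts that fall outside them. The account classes, field names, sample records, and the assumption that the rule (8) exceptions apply whichever class the account belongs to, are constructions of this example.

```python
"""Audit account records against the password rules quoted from 04-IA-O-0001, para 5A.
Added example; account classes, field names and sample records are constructed."""
from dataclasses import dataclass
from datetime import date

MAX_AGE_DAYS = 60                  # rules (1) and (2): "changed every 60 days"
MIN_LEN = {"privileged": 15,       # rule (1): system and privileged-level accounts
           "user": 14}             # rule (2): user-level, user-generated passwords
EXCEPTION_LEN = 8                  # rule (8): eight characters when (I) or (II) applies


@dataclass
class Account:
    name: str
    cls: str                       # "privileged" or "user"
    password_len: int              # store only the length, never the secret itself
    last_changed: date
    case_sensitive: bool = True
    random_issued: bool = False    # (I): credentialing system issues and enforces a random authenticator
    encrypted_private_app: bool = False  # (II): private app reached over an approved 128-bit encrypted session


def required_length(acct: Account) -> int:
    """Minimum length that applies to this account under the quoted rules."""
    if acct.random_issued or acct.encrypted_private_app:   # assumption: (8) applies to any class
        return EXCEPTION_LEN
    return MIN_LEN[acct.cls]


def findings(acct: Account, today: date) -> list[str]:
    """Return the policy violations for one account; an empty list means compliant."""
    problems = []
    need = required_length(acct)
    if acct.password_len < need:
        problems.append(f"length {acct.password_len} < required {need}")
    if not acct.case_sensitive:
        problems.append("password not case-sensitive")
    age = (today - acct.last_changed).days
    if age > MAX_AGE_DAYS:
        problems.append(f"age {age} days > {MAX_AGE_DAYS}")
    return problems


def audit(accounts: list[Account], today: date) -> dict[str, list[str]]:
    """Map each account name to its list of findings."""
    return {a.name: findings(a, today) for a in accounts}


# Constructed sample records, not real accounts.
TODAY = date(2024, 3, 1)
SAMPLE = [
    Account("root", "privileged", 16, date(2024, 1, 15)),                           # compliant
    Account("admin", "privileged", 12, date(2024, 2, 1)),                            # too short
    Account("jdoe", "user", 14, date(2023, 11, 1)),                                  # 121 days old
    Account("portal-user", "user", 8, date(2024, 2, 20), encrypted_private_app=True),  # rule (8)(II)
    Account("kiosk", "user", 8, date(2024, 2, 20)),                                  # 8 chars, no exception
]

if __name__ == "__main__":
    for name, probs in audit(SAMPLE, TODAY).items():
        print(f"{name}: {'compliant' if not probs else '; '.join(probs)}")
```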
What could be the consequences for computer hacking?
Another consequence which is also the key motivation for hackers to do what they do is understanding of new technology. Hacking allows hackers to learn about technology, security, and safety. In a way, hacking improves security instead of the commonly held view of the opposite. Please note: Hackers in this perspective should not be confused with "crackers" who attack systems for their own personal gain or to "just cause havoc".
8510.01M, signed in 2000, was written to go with DITSCAP (DoDI 5200.40, signed in 1997), which has since been superseded by DIACAP (DoDI 8510.01, signed in 2007).
Ultimately, responsibility for ensuring the training rests with the IAM, but the IAM can, and often does, delegate the responsibility to the IAO.
C3.4.4 requires preparation of the Environment and Threat Description, which, in turn, requires:
C3.4.4.2.1.8. Training. Identify the training for individuals associated with the system's operation and determine if the training is appropriate to their level and area of responsibility. This training should provide information about the security policy governing the information being processed as well as potential threats and the nature of the appropriate countermeasures.
C3.4.7 requires identifying C&A Organizations and the Resources Required, which includes:
C3.4.7.2.3. Resources and Training Requirements. Describe the training requirements, types of training, who is responsible for preparing and conducting the training, what equipment is required, and what training devices must be developed to conduct the training, if training is required. Funding for the training must be identified.
C5.1.2 discusses certifying, among other things, "security education, training, and awareness requirements".
C5.2.4.3 requires: The program manager, user representative, and ISSO should ensure that the proper security operating procedures, configuration guidance, and training is delivered with the system. Note that the term ISSO has since been replaced by IASO in current IA terminology.
C5.3.9.2 requires: "that security Rules of Behavior, a Security Awareness and Training Program, and an Incident Response Program are in place and are current."
Appendix 2, the "MINIMAL SECURITY ACTIVITY CHECKLIST" includes the questions:
Table AP2.T11.
10.(h) Do the ISSO duties include the following: Implementing or overseeing the implementation of the Security and Training and Awareness Program?
Table AP2.T12.
3.(o) Do employees receive periodic training in the following areas:
(1) Power shut down and start up procedures?
(2) Operation of emergency power?
(3) Operation of fire detection and alarm systems?
(4) Operation of fire suppression equipment?
(5) Building evacuation procedures?
If you examine DoDI 8500.2, you will find requirements dealing with training including:
5.9 Each IA Manager, in addition to satisfying all responsibilities of an Authorized User, shall: (5.9.2) Ensure that all IAOs and privileged users receive the necessary technical and IA training, education, and certification to carry out their IA duties.
E3.3.7 requires that:
All DoD employees and IT users shall maintain a degree of understanding of IA policies and doctrine commensurate with their responsibilities. They shall be capable of appropriately responding to and reporting suspicious activities and conditions, and they shall know how to protect the information and IT they access. To achieve this understanding, all DoD employees and IT users shall receive both initial and periodic refresher IA training. Required versus actual IA awareness training shall be a management review item.
E3.4.6. Information Assurance Managers (IAMs) are responsible for establishing, implementing and maintaining the DoD information system IA program, and for documenting the IA program through the DoD IA C&A process. The program shall include procedures for:
E3.4.6.6. Tracking compliance with the IA Controls applicable to the DoD information system and reporting IA management review items, such as C&A status, compliance with personnel security requirements, compliance with training and education requirements, and compliance with CTOs, IAVAs, and other directed solutions.
Within the controls of 8500.2, you will find the following controls:
VIIR-1 Incident Response Planning
An incident response plan exists that identifies the responsible CND Service Provider in accordance with DoD Instruction O-8530.2, defines reportable incidents, outlines a standard operating procedure for incident response to include INFOCON, provides for user training, and establishes an incident response team. The plan is exercised at least annually.
VIIR-2 Incident Response Planning
An incident response plan exists that identifies the responsible CND Service Provider in accordance with DoD Instruction O-8530.2, defines reportable incidents, outlines a standard operating procedure for incident response to include INFOCON, provides for user training, and establishes an incident response team. The plan is exercised at least every 6 months.
PETN-1 Environmental Control Training
Employees receive initial and periodic training in the operation of environmental controls.
PRTN-1 Information Assurance Training
A program is implemented to ensure that upon arrival and periodically thereafter, all personnel receive training and familiarization to perform their assigned IA responsibilities, to include familiarization with their prescribed roles in all IA- related plans such as incident response, configuration management and COOP or disaster recovery.
Templates for validation of the controls by system validators include the following instructions:
For PRRB-1:
1. A set of rules that describe the IA operations of the DoD information system and clearly delineate IA responsibilities and expected behavior of all personnel shall be in place.
2. The rules shall include the consequences of inconsistent behavior or non-compliance.
3. Signed acknowledgement of the rules shall be a condition of access.
4. Training or reminder of the IA operations rules and code of conduct shall be performed on an annual basis, or as frequently as in accordance with DoD policy.
For PRTN-1:
1. A set of rules that describe the IA operations of the DoD information system and clearly delineate IA responsibilities and expected behavior of all personnel shall be in place.
2. The rules shall include the consequences of inconsistent behavior or non-compliance.
3. Signed acknowledgment of the rules shall be a condition of access.
4. Training or reminder of the IA operations rules and code of conduct shall be performed on an annual basis, or as frequently as in accordance with DoD policy.
Where should DoD employees look for guidance on safeguarding controlled unclassified information?
DoDM 5200.1, Vol 4
If the data is copyright protected, the copyright holder has the right to control how the data is distributed. If the person who originally viewed the archived data went to a source that was authorized to share the data, there is no problem. If the source was not granted permission to share it, the person viewing it is probably not guilty of much (unless it can be shown that they did something illegal in order to access the source). Being granted permission to view the data does not grant the right to send it to someone else. That permission must be sought from the copyright holder. Think of it like buying and reading a book. If you buy the book, you have permission to read it. You can even give the book to someone else, but if you copy the book and send it to someone you have now violated the copyright.
What does DIACAP require you to review?
DIACAP (DoD Information Assurance Certification and Accreditation Process) requires a comprehensive review of an information system's security controls, including its policies, procedures, and risk management practices. This involves assessing the system's compliance with security requirements, identifying vulnerabilities, and implementing necessary mitigations. Additionally, DIACAP mandates ongoing monitoring and periodic reassessment to ensure that security measures remain effective throughout the system's lifecycle.
Why do Google and the NSA want to spy on everybody without any cause?
For the same reason as you when you look over the fence towards your neighbour: they want to know what others are up to, what others would like to eat, what cars they would like to drive, etc., so that they can maybe build more factories to supply more of those cars or more of that food, or maybe to stop them from making bombs.
This is a very short version of the reasons.
What type of job does a commissioner do?
A commissioner is a senior official that is responsible for administering policies as defined by a law. For example, the Information Commissioner's office is responsible for implementing the provisions of the Data Protection Act of 1998.
Can Google look at your Quicken files?
Unless you configure your machine to be publicly accessible - i.e. allow others to connect to it remotely, Google will not see any of your files. If you use a Google service like Google Docs or a Google cloud service to store your Quicken files and do not encrypt them, Google CAN look at them but it's not in their business model to invest the resources to do so.
DIACAP, or the DoD Information Assurance Certification and Accreditation Process, was a framework used by the U.S. Department of Defense to ensure that information systems met security standards. It provided a structured approach to assess and manage risks associated with information systems throughout their lifecycle. DIACAP has since been replaced by the Risk Management Framework (RMF) to better align with modern security practices and requirements.
Is it illegal to print information from someone's computer without being given permission?
It depends on the nature of the information. It is certainly only common courtesy to ask permission.
If you are printing contents of files from the computer without permission it falls into the realm of theft of information if the information you print is not already in the public domain.
What kind of practice is information assurance?
Information assurance is about minimizing risks when dealing with information and data. It is an important practice when dealing with the storage and processing of digital data.
What steps to take to address ethical and IPR issues?
If ethical issues arise, they should be brought to a board of ethics at your company or school. They will determine whether or not ethics have been breached and how to rectify the problem if there is one.
What type of court has jurisdiction for cyber cases?
The court that has jurisdiction depends on the type of case and the laws of the state or country where the issue occurred. It gets even more complicated when the issue crosses state or national boundaries. In general there are three kinds of cases: civil, criminal, and national security.
Civil cases deal with when someone does damage to you through cyber methods. It might be theft of information, corruption of the information on your system, or denying you access to your cyber resources. Civil cases seek to get the responsible party to pay for the damage they did. They would include cases of commercial espionage where business information is stolen, damage to the reputation of a company, stealing your personal information, intruding on your privacy, stealing resources for unauthorized use, erasing the database containing billing information, launching a denial of service (DoS) attack against a company, or any of a multitude of other damaging actions. Civil courts have jurisdiction in these kinds of cases.
Criminal cases are those where a law has been violated. Because of the complexity of what you can do in the cyber universe there are a lot of very unethical and dishonest things people can do that are not technically illegal but are still fundamentally wrong. There are also a lot of perfectly legitimate things that people do that can run them afoul of laws that are either poorly written or deliberately written to grant power to repressive political regimes. China, North Korea, and Middle Eastern countries are notorious for making legitimate cyber activities illegal, but even countries that consider themselves to be free and enlightened are often guilty of passing laws that make reasonable actions illegal. Because of the complexities of what can be done, governments struggle to find a balance. Criminal cases almost always fall under the jurisdiction of criminal courts. Note that in many instances criminal cases have legitimate victims who can follow up the criminal case with another case filed in civil courts.
The third situation is cases that involve national security. Technically these cases are usually criminal, but sometimes the law lags behind the problems that deal with national security and special courts are required to address them. They can also involve activities conducted by military personnel which are dealt with by military courts outside the usual civil and criminal courts. Depending on the jurisdiction, national security cases may fall under the jurisdiction of special courts or review boards who only have power to revoke security clearances, military courts that impose penalties only for those working for the military, or, in some jurisdictions, tribunals run by government security forces.
To make this more general, we probably should also include religious courts for those areas where a violation may not be against the law of the land but is considered a violation of the tenets or principles of the dominant local religion. Some countries grant religious courts power to enforce their beliefs independent of the rest of the government. In some cases these courts only have jurisdiction over those who are officially members of the religion. In other places, they can enforce their beliefs on all people within the country. An example would be punishing someone who posted an article on-line critical of a member of the clergy or posting something in a blog that the religion considers heresy.
Your best bet is to contact whoever is hosting the email server and discuss deleting your account. If you are able to demonstrate to their satisfaction that you are indeed the person the account was supposed to belong to, you may be able to get the account closed. A word of warning however: there are a number of situations where the email service provider is required by law to archive the emails for a period of time. Many service providers do this just as part of their business practices, as part of their contingency plan, continuity of operations, or disaster recovery plan. Even if the account is closed and the emails "deleted" on the active servers, they may still be sitting out there on some storage media for years to come.
Who is responsible for Information Assurance?
Normally, a Senior Information Assurance Officer is responsible for Information Assurance.
Typically the jurisdiction (state, country, whatever) has the authority to prosecute - IF - they have any statutes on their books that make the scam illegal. It is surprising how many nations have not enacted such laws. Some have chosen not to because the illegal activities provide revenue for them. Sometimes you will even find government officials involved in the illegal activities - mostly via bribes and such.
If the US has an extradition treaty with the nation where the perpetrator resides, they file charges and seek to extradite the perpetrator to the USA for prosecution.
Is it correct for a business to send unsolicited mailers?
Generally the sending of unsolicited mailers via email is classified as "SPAM". Many jurisdictions have passed legislation making the sending of SPAM illegal. Examples include (but are not limited to):
USA
Can a police chief on suspension still access your computer accounts?
Typically when a member of the police is placed on suspension it also entails them being cut off from access to the resources they had as a member of the police - whether they are a beat cop or the chief of police. They don't go into the office, and they don't have access to the phones, radios, or computers unless one of their buddies does it for them. A police chief would only be granted access to your computer accounts as part of their official duties, and within the constraints of the law. If they are suspended, they are not allowed to perform their duties until reinstated, so they should not be able to access your accounts while suspended.