0
Computer Security Law
Computer security means protecting the confidentiality, integrity, and availability of information stored on, processed by, and transmitted by computers. In order to achieve this, various governments and organizations have established laws, regulations, and standards for securing computers and the data stored, processed, and transmitted by them. This category is for questions about existing and proposed laws and standards specifically related to computer security including the contents of the laws & regulations, who is legally responsible, who/what the laws/regulations/standards apply to, how the security is evaluated, and how it is documented.
310 Questions
What are the answers to the IASO certification course final exam management level 1?
I'm unable to provide specific answers to exam questions as they are typically confidential and subject to change. I recommend studying the course material thoroughly to prepare for the final exam. Good luck with your certification exam!
Why was the data protection act 1998 introduced?
The Data Protection Act 1998 was introduced in the UK to regulate the processing of personal data to protect individuals' privacy rights. It aimed to give individuals more control over how their personal data is used by organizations and to ensure that data is processed fairly and lawfully.
In simple words: "statutory" means "the laws and regulations". Complying with central and state acts will keep the company safe from legal risks. In terms of Computer Security this relates to local, state, national, and international laws governing the use of computers as well as the data they hold, process, and transmit. Examples of this would be complying with Sarbanes-Oxley and/or HIPPA in the USA and the EU Data Protection Directive in the EU.
In more detail:
Statutory compliance Statutory means "of or related to statutes," or what we normally call laws or regulations. Compliance just means to comply with or adhere to. So statutory compliance means you are following the laws on a given issue. The term is most often used with organizations, who must follow lots of regulations. When they forget or refuse to follow some of those regulations, they are out of statutory compliance. A company that follows all the rules, is in statutory compliance. Many companies are out of statutory compliance, in part because the cost of following the rule is too high, and/or the consequence is too small to worry about. For example, when you start a new business in most USA cities, you are supposed to go down to the courthouse and file a form stating what business you are now in. If you don't file it, few people will ever notice, and if they do, they usually just tell you to file it now. It behooves any company that uses computers to know what the relevant regulations are for their business, especially if they use computers to store, process, or transmit customer or employee data. If they are publicly traded, there will also be laws about handling, storing, transmitting, retaining, destroying, and disseminating that financial information.
The Defense Information Systems Agency (DISA) is responsible for ensuring that each DoD information system has a designated Information Assurance Manager (IAM) with the necessary support, authority, and resources to fulfill their responsibilities for information assurance. This is to ensure that the information systems adhere to the DoD's security requirements and guidelines.
What must information assurance personnel complete?
Information assurance personnel must complete training on security policies, procedures, and technologies to ensure the confidentiality, integrity, and availability of organizational information. They are also required to stay up-to-date on emerging threats and vulnerabilities through ongoing education and certifications. Regular security audits and compliance assessments are essential to evaluate and enhance the effectiveness of information security measures.
What are the duties of the information assurance manager?
An information assurance manager is responsible for overseeing the security of an organization's information systems, including implementing security policies, conducting risk assessments, and ensuring compliance with security regulations. They also manage security incidents, provide security awareness training, and work to continuously improve the organization's security posture.
According to DODI 8510.01:
5.16. The Program Manager (PM) or System Manager (SM) for DoD ISs shall:
5.16.1. Ensure that each assigned DoD IS has a designated IA manager (IAM) with the support, authority, and resources to satisfy the responsibilities established in Reference (d) and this Instruction.
The IASO (Information Assurance Security Officer) is responsible for ensuring the implementation and maintenance of security controls within an organization. Therefore, any document that involves sensitive or classified information, such as security policies, procedures, or incident reports, would require the involvement and approval of the IASO. This is to ensure that proper security measures are in place to protect the information from unauthorized access or disclosure.
The in-document summary of AR 25-2 states:
This regulation provides Information Assurance policy, mandates, roles, responsibilities, and procedures for implementing the Army Information Assurance Program, consistent with today's technological advancements for achieving acceptable levels of security in engineering, implementation, operation, and maintenance for information systems connecting to or crossing any U.S. Army
What circumstances can the DAA waive the certification requirements?
The DAA (Designated Approving Authority) can waive the certification requirements in exceptional cases, such as during emergency situations where the immediate use of a system is necessary to protect national security or during time-sensitive operations. The DAA may also waive the certification requirements if an alternative method of assurance is utilized to adequately address the risk associated with the system. However, such waivers are typically granted on a case-by-case basis and are subject to specific conditions.
What is the answers for iaso certification course final exam management level 1?
b
d
d
b
b
c
b
b
a
b
a
c
c
d
d
b
c
b
a
d
c
a
b
c
d
a
b
c
c
a
a
d
b
d
d
b
a
a
d
b
c
a
c
d
d
c
b
b
a
Minimum password length required by AR 25-2?
10 characters minimum
15 or more is recommended
According to AR 25-2, Section IV, paragraph 4-12 b:
The IAM or designee will manage the password generation, issuance, and control process. If used, generate passwords in accordance with the BBP for Army Password Standards.
BBP for Army password standards are contained in 04-IA-O-0001, paragraph 5A:
(1) All system or system-level passwords and privileged-level accounts (e.g., root, enable, admin, administration accounts, etc.) will be a minimum of 15-character case-sensitive password changed every 60 days (IAW JTF-GNO CTO).
(2) All user-level, user-generated passwords (e.g., email, web, desktop computer, etc.) will change to a 14-character (or greater) case-sensitive password changed every 60 days.
From these two documents it would appear that the 10 character minimum is an outdated recommendation.
From this it would appear that the frequently repeated "8 character minimum" is outdated. Note that the only conditions where an 8 character password is allowed is:
(8) The use of eight character passwords are authorized when:
(I) The password generated is a purely random-generated authenticator from the complete alpha/numeric and special character sets and no user-configured passwords can replace, be generated, or accepted in lieu of the generated password. (For example: Credentialing system issues randomly generated authenticator AND enforce use of that authenticator to network resources.)
Or:
(II) Access to private applications is conducted over an approved 128-bit encrypted session between systems, and the application does not enforce local user access credentialing to a local network resources. (For example: User accesses local LAN connected system through traditional access procedures then accesses a web portal application over an SSL connection; the web portal password may be 8 characters.)
--- from 04-IA-O-0001, paragraph 5A
What could be the consequences for computer hacking?
- Up to thirty years in jail
- Up to a $100,000 fine
- Loss of electronic privileges
- A felony record.
Another consequence which is also the key motivation for hackers to do what they do is understanding of new technology. Hacking allows hackers to learn about technology, security, and safety. In a way, hacking improves security instead of the commonly held view of the opposite. Please note: Hackers in this perspective should not be confused with "crackers" who attack systems for their own personal gain or to "just cause havoc".
8510.01M was signed in 2000 was written to go with DITSCAP (DoDI 5200.40 - signed in 1997), which has since been superseded by DIACAP (DODI 8510.01 - signed in 2007)
Ultimately, responsibility for ensuring the training rests with the IAM, but the IAM can, and often does, delegate the responsibility to the IAO.
C3.4.4 requires preparation of the Environment and Threat Description, which, in turn requires:
C3.4.4.2.1.8. Training. Identify the training for individuals associated with the system's operation and determine if the training is appropriate to their level and area of responsibility. This training should provide information about the security policy governing the information being processed as well as potential threats and the nature of the appropriate countermeasures.
C3.4.7 requires identifying C&A Organizations and the Resources Required, which includes:
C3.4.7.2.3. Resources and Training Requirements. Describe the training requirements, types of training, who is responsible for preparing and conducting the training, what equipment is required, and what training devices must be developed to conduct the training, if training is required. Funding for the training must be identified.
C5.1.2 discusses certifying, among other things, "security education, training, and awareness requirements".
C5.2.4.3 requires: The program manager, user representative, and ISSO should ensure that the proper security operating procedures, configuration guidance, and training is delivered with the system. Note that the term ISSO has since been replaced by IASO in current IA terminology.
C5.3.9.2 requires: "that security Rules of Behavior, a Security Awareness and Training Program, and an Incident Response Program are in place and are current."
Appendix 2, the "MINIMAL SECURITY ACTIVITY CHECKLIST" includes the questions:
Table AP2.T11.
10.(h) Do the ISSO duties include the following:
Implementing or overseeing the implementation of the Security and Training
and Awareness Program?
Table AP2.T12.
3.(o) Do employees receive periodic training in the following areas:
(1) Power shut down and start up procedures?
(2) Operation of emergency power?
(3) Operation of fire detection and alarm systems?
(4) Operation of fire suppression equipment?
(5) Building evacuation procedures?
If you examine DoDI 8500.2, you will find requirements dealing with training including:
5.9 Each IA Manager, in addition to satisfying all responsibilities of an Authorized User, shall: (5.9.2) Ensure that all IAOs and privileged users receive the necessary technical and IA training, education, and certification to carry out their IA duties.
E3.3.7. Requires that:
All DoD employees and IT users shall maintain a degree of understanding
of IA policies and doctrine commensurate with their responsibilities. They shall be capable of appropriately responding to and reporting suspicious activities and conditions, and they shall know how to protect the information and IT they access. To achieve this understanding, all DoD employees and IT users shall receive both initial and periodic refresher IA training. Required versus actual IA awareness training shall be a management review item.
E3.4.6. Information Assurance Managers (IAMs) are responsible for establishing,
implementing and maintaining the DoD information system IA program, and for
documenting the IA program through the DoD IA C&A process. The program shall include procedures for:
E3.4.6.6. Tracking compliance with the IA Controls applicable to the DoD information system and reporting IA management review items, such as C&A status, compliance with personnel security requirements, compliance with training and education requirements, and compliance with CTOs, IAVAs, and other directed solutions.
Within the controls of 8500.2, you will find the following controls:
VIIR-1 Incident Response Planning
An incident response plan exists that identifies the responsible CND Service Provider in accordance with DoD Instruction O-8530.2, defines reportable incidents, outlines a standard operating procedure for incident response to include INFOCON, provides for user training, and establishes an incident response team. The plan is exercised at least annually.
VIIR-2 Incident Response Planning
An incident response plan exists that identifies the responsible CND Service Provider in accordance with DoD Instruction O-8530.2, defines reportable incidents, outlines a standard operating procedure for incident response to include INFOCON, provides for user training, and establishes an incident response team. The plan is exercised at least every 6 months.
PETN-1 Environmental Control Training
Employees receive initial and periodic training in the operation of environmental controls.
PRTN-1 Information Assurance Training
A program is implemented to ensure that upon arrival and periodically thereafter, all personnel receive training and familiarization to perform their assigned IA responsibilities, to include familiarization with their prescribed roles in all IA- related plans such as incident response, configuration management and COOP or disaster recovery.
Templates for validation of the controls by system validators include the following instructions:
For PRRB-1:
1. A set of rules that describe the IA operations of the DoD information system and clearly delineate IA responsibilities and expected behavior of all personnel shall be in place.
2. The rules shall include the consequences of inconsistent behavior or non-compliance.
3. Signed acknowledgement of the rules shall be a condition of access.
4. Training or reminder of the IA operations rules and code of conduct shall be performed on an annual basis, or as frequently as in accordance with DoD policy.
For PRTN-1
1. A set of rules that describe the IA operations of the DoD information system and clearly delineate IA responsibilities and expected behavior of all personnel shall be in place.
2. The rules shall include the consequences of inconsistent behavior or non-compliance.
3. Signed acknowledgment of the rules shall be a condition of access.
4. Training or reminder of the IA operations rules and code of conduct shall be performed on an annual basis, or as frequently as in accordance with DoD policy.
Where should DoD employees look for guidance on safeguarding controlled unclassified information?
DodM 5200.1 vol 4
If the data is copyright protected, the copyright holder has the right to control how the data is distributed. If the person who originally viewed the archived data went to a source that was authorized to share the data there is no problem. If the source was not not granted permission to share it, the person viewing it is probably not guilty of much (unless it can be shown that they did something illegal in order to access he source). Being granted permission to view the data does not grant the right to send it to someone else. That permission must be sought from the copyright holder. Think of it like buying and reading a book. If you buy the book, you have permission to read it. You can even give the book to someone else - but if you copy the book and send it to someone you have now violated the copyright.
What does DIACAP requires you to review?
DIACAP (DoD Information Assurance Certification and Accreditation Process) requires a comprehensive review of an information system's security controls, including its policies, procedures, and risk management practices. This involves assessing the system's compliance with security requirements, identifying vulnerabilities, and implementing necessary mitigations. Additionally, DIACAP mandates ongoing monitoring and periodic reassessment to ensure that security measures remain effective throughout the system's lifecycle.
Why does Google and the NSA want to spy on everybody without any cause?
For the same reason as you when you look over the fence towards your neighbour, they want to know what others are up to, what other would like to eat, what cars they would like to drive Etc. so that they can maybe build more factories to supply more of those cars or more of that food or maybe to stop them from making bombs .
This is a very short version of the reasons.
What type of job does a commissioner do?
A commissioner is a senior official that is responsible for administering policies as defined by a law. For example, the Information Commissioner's office is responsible for implementing the provisions of the Data Protection Act of 1998.
Can Google look at your Quicken files?
Unless you configure your machine to be publicly accessible - i.e. allow others to connect to it remotely, Google will not see any of your files. If you use a Google service like Google Docs or a Google cloud service to store your Quicken files and do not encrypt them, Google CAN look at them but it's not in their business model to invest the resources to do so.
DIACAP, or the DoD Information Assurance Certification and Accreditation Process, was a framework used by the U.S. Department of Defense to ensure that information systems met security standards. It provided a structured approach to assess and manage risks associated with information systems throughout their lifecycle. DIACAP has since been replaced by the Risk Management Framework (RMF) to better align with modern security practices and requirements.
