Where should DoD employees look for guidance on safeguarding controlled unclassified information?
DoDM 5200.1 vol 4
If the data is copyright protected, the copyright holder has the right to control how the data is distributed. If the person who originally viewed the archived data went to a source that was authorized to share the data, there is no problem. If the source was not granted permission to share it, the person viewing it is probably not guilty of much (unless it can be shown that they did something illegal in order to access the source). Being granted permission to view the data does not grant the right to send it to someone else. That permission must be sought from the copyright holder. Think of it like buying and reading a book. If you buy the book, you have permission to read it. You can even give the book to someone else - but if you copy the book and send it to someone you have now violated the copyright.
What does DIACAP require you to review?
DIACAP (DoD Information Assurance Certification and Accreditation Process) requires a comprehensive review of an information system's security controls, including its policies, procedures, and risk management practices. This involves assessing the system's compliance with security requirements, identifying vulnerabilities, and implementing necessary mitigations. Additionally, DIACAP mandates ongoing monitoring and periodic reassessment to ensure that security measures remain effective throughout the system's lifecycle.
Why do Google and the NSA want to spy on everybody without any cause?
For the same reason as you when you look over the fence towards your neighbour: they want to know what others are up to, what others would like to eat, what cars they would like to drive, etc., so that they can maybe build more factories to supply more of those cars or more of that food, or maybe to stop them from making bombs.
This is a very short version of the reasons.
What type of job does a commissioner do?
A commissioner is a senior official that is responsible for administering policies as defined by a law. For example, the Information Commissioner's office is responsible for implementing the provisions of the Data Protection Act of 1998.
Can Google look at your Quicken files?
Unless you configure your machine to be publicly accessible - i.e. allow others to connect to it remotely, Google will not see any of your files. If you use a Google service like Google Docs or a Google cloud service to store your Quicken files and do not encrypt them, Google CAN look at them but it's not in their business model to invest the resources to do so.
DIACAP, or the DoD Information Assurance Certification and Accreditation Process, was a framework used by the U.S. Department of Defense to ensure that information systems met security standards. It provided a structured approach to assess and manage risks associated with information systems throughout their lifecycle. DIACAP has since been replaced by the Risk Management Framework (RMF) to better align with modern security practices and requirements.
Is it illegal to print information from someone's computer without given permission?
It depends on the nature of the information. It is certainly only common courtesy to ask permission.
If you are printing contents of files from the computer without permission it falls into the realm of theft of information if the information you print is not already in the public domain.
What kind of practice is information assurance?
Information assurance is about minimizing risks when dealing with information and data. It is an important practice when dealing with the storage and processing of digital data.
What steps to take to address ethical and IPR issues?
If ethical issues arise, they should be brought to a board of ethics at your company or school. They will determine whether or not ethics have been breached and how to rectify the problem if there is one.
What type of court has jurisdiction for cyber cases?
The court that has jurisdiction depends on the type of case and the laws of the state or country where the issue occurred. It gets even more complicated when the issue crosses state or national boundaries. In general there are three kinds of cases: civil, criminal, and national security.
Civil cases deal with when someone does damage to you through cyber methods. It might be theft of information, corruption to the information of your system, or denying you access to your cyber resources. Civil cases seek to get the responsible party to pay for the damage they did. It would include cases of commercial espionage where business information is stolen, damage to the reputation of a company, stealing your personal information, intruding on your privacy, stealing resources for unauthorized use, erasing the database containing billing information, launching a denial of service (DOS) attack against a company, or any of a multitude of other damaging actions. Civil courts have jurisdiction in these kinds of cases.
Criminal cases are those where a law has been violated. Because of the complexity of what you can do in the cyber universe there are a lot of very unethical and dishonest things people can do that are not technically illegal but are still fundamentally wrong. There are also a lot of perfectly legitimate things that people do that can run them afoul of laws that are either poorly written or deliberately written to grant power to repressive political regimes. China, North Korea, and Middle Eastern countries are notorious for making legitimate cyber activities illegal, but even countries that consider themselves to be free and enlightened are often guilty of passing laws that make reasonable actions illegal. Because of the complexities of what can be done, governments struggle to find a balance. Criminal cases almost always fall under the jurisdiction of criminal courts. Note that in many instances criminal cases have legitimate victims who can follow up the criminal case with another case filed in civil courts.
The third situation is cases that involve national security. Technically these cases are usually criminal, but sometimes the law lags behind the problems that deal with national security and special courts are required to address them. They can also involve activities conducted by military personnel which are dealt with by military courts outside the usual civil and criminal courts. Depending on the jurisdiction, national security cases may fall under the jurisdiction of special courts or review boards who only have power to revoke security clearances, military courts that impose penalties only for those working for the military, or, in some jurisdictions, tribunals run by government security forces.
To make this more general, we probably should also include religious courts for those areas where a violation may not be against the law of the land but is considered a violation of the tenets or principles of the dominant local religion. Some countries grant religious courts power to enforce their beliefs independent of the rest of the government. In some cases these courts only have jurisdiction over those who are officially members of the religion. In other places, they can enforce their beliefs on all people within the country. An example would be punishing someone who posted an article on-line critical of a member of the clergy or posting something in a blog that the religion considers heresy.
Your best bet is to contact whoever is hosting the email server and discuss deleting your account. If you are able to demonstrate to their satisfaction that you are indeed the person the account was supposed to belong to, you may be able to get the account closed. A word of warning however: there are a number of situations where the email service provider is required by law to archive the emails for a period of time. Many service providers do this just as part of their business practices as part of their contingency plan, continuity of operations, or disaster recovery plan. Even if the account is closed and the emails "deleted" on the active servers they may still be sitting out there on some storage media for years to come.
Who is responsible for Information Assurance?
Normally, a Senior Information Assurance Officer is responsible for Information Assurance.
Typically the jurisdiction (state, country, whatever) has the authority to prosecute - IF - they have any statutes on their books that make the scam illegal. It is surprising how many nations have not enacted such laws. Some have chosen not to because the illegal activities provide revenue for them. Sometimes you will even find government officials involved in the illegal activities - mostly via bribes and such.
If the US has an extradition treaty with the nation where the perpetrator resides, they file charges and seek to extradite the perpetrator to the USA for prosecution.
Is it correct for a business to send unsolicited mailers?
Generally the sending of unsolicited mailers via email is classified as "SPAM". Many jurisdictions have passed legislation making the sending of SPAM illegal. Examples include (but are not limited to):
USA
Can a police chief on suspension still access your computer accounts?
Typically when a member of the police is placed on suspension it also entails them being cut off from access to the resources they had as a member of the police - whether it be a beat-cop or chief of police. They don't go into the office, they don't have access to the phones, radios, or computers unless one of their buddies does it for them. A police chief would only be granted access to your computer accounts as part of their official duties, and within the constraints of the law. If they are suspended, they are not allowed to perform their duties until re-instated, so they should not be able to access your accounts while suspended.
What is Verizon's email address to report scam from fake bill?
You can report fake billing or scam emails from Verizon by forwarding them to their official phishing report email — simply send the suspicious message to their security team’s phishing address.
Make sure not to click on any links or attachments before forwarding, and delete the email afterward to stay safe.
Should spyware be legal or illegal?
To the degree that spyware extracts information without the clear consent of the individual whose information is being extracted, it should be illegal. It is invasion of privacy and theft of information and services. Most spyware is installed without the knowledge of the user and is correctly classified as malware. Note that some companies install software that can be used to monitor employees and their use of the company computer resources. Such software could be considered "spyware" but in this case there is a significant distinction: the company has required the user to sign an "acceptable use" agreement and posted a disclaimer informing the employee that they will be subject to monitoring - thus the employee has given consent for the information to be collected.
Another reason why malware like spyware should be illegal is that it consumes system CPU cycles and bandwidth, thus stealing performance from the unwitting user.
Can anyone get the list of websites that one browsed from one's service provider?
There is a certain presumption of privacy that would preclude the service provider from handing over that information to just anyone, but there is certainly not a problem with extracting that information from the logs that most service providers maintain.
What certifications would satisfy DODI 8570 for IAT level I II and III?
For the different levels only 1 certification is required at that particular level, in other words, only one cert off the list is required as long as it is under that category.
IAT Level I
A+
Network+
SSCP
IAT Level II
GSEC
Security+
SCNP
SSCP
IAT Level III
CISA
GSE
SCNA
CISSP (or CISSP Associate)
GCIH
What does UK Data Protection Act 1998 cover?
The Act covers any data held by a company, organization, or government about a living and identifiable individual. It does not include data held by an individual for their own use such as a person's personal address book. Anonymised or aggregated data is not regulated by the Act, providing the anonymisation or aggregation has not been done in a reversible way. The Act applies only to data which is held, or intended to be held, on computers ('equipment operating automatically in response to instructions given for that purpose'), or held in a 'relevant filing system'.
It regulates the "processing" of "personal data". According to the Act:
"personal data" means data which relate to a living individual who can be identified-
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;
"processing", in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including-
(a) organisation, adaptation or alteration of the information or data,
(b) retrieval, consultation or use of the information or data,
(c) disclosure of the information or data by transmission, dissemination or otherwise making available, or
(d) alignment, combination, blocking, erasure or destruction of the information or data;
False
What is source for DIACAP resources?
There are several good sources for DIACAP information. The attached links point to some of them. Note that they generally require a CAC to access.