What is Verizon's email address to report a scam from a fake bill?
If you feel your account is being threatened by any type of fraud or similar abuse, send Verizon an email at abuse@verizon.com.
Should spyware be legal or illegal?
To the degree that spyware extracts information without the clear consent of the individual whose information is being extracted, it should be illegal. It is invasion of privacy and theft of information and services. Most spyware is installed without the knowledge of the user and is correctly classified as malware. Note that some companies install software that can be used to monitor employees and their use of the company computer resources. Such software could be considered "spyware" but in this case there is a significant distinction: the company has required the user to sign an "acceptable use" agreement and posted a disclaimer informing the employee that they will be subject to monitoring - thus the employee has given consent for the information to be collected.
Another reason why malware like spyware should be illegal is that it consumes system CPU cycles and bandwidth, thus stealing performance from the unwitting user.
Can anyone get the list of websites that one browsed from one's service provider?
There is a certain presumption of privacy that would preclude the service provider from handing over that information to just anyone, but there is certainly not a problem with extracting that information from the logs that most service providers maintain.
What certifications would satisfy DODI 8570 for IAT Levels I, II and III?
For each level, only one certification is required at that particular level; in other words, only one cert off the list is required as long as it is under that category.
IAT Level I
A+
Network+
SSCP
IAT Level II
GSEC
Security+
SCNP
SSCP
IAT Level III
CISA
GSE
SCNA
CISSP (or CISSP Associate)
GCIH
What does UK Data Protection Act 1998 cover?
The Act covers any data held by a company, organization, or government about a living and identifiable individual. It does not include data held by an individual for their own use such as a person's personal address book. Anonymised or aggregated data is not regulated by the Act, providing the anonymisation or aggregation has not been done in a reversible way. The Act applies only to data which is held, or intended to be held, on computers ('equipment operating automatically in response to instructions given for that purpose'), or held in a 'relevant filing system'.
It regulates the "processing" of "personal data". According to the Act:
"personal data" means data which relate to a living individual who can be identified-
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;
"processing", in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including-
(a) organisation, adaptation or alteration of the information or data,
(b) retrieval, consultation or use of the information or data,
(c) disclosure of the information or data by transmission, dissemination or otherwise making available, or
(d) alignment, combination, blocking, erasure or destruction of the information or data;
False
What is the source for DIACAP resources?
There are several good sources for DIACAP information. The attached links point to some of them. Note that they generally require a CAC to access.
How often does the DIACAP require you to review your IA posture?
According to DoD 8510.01 (DIACAP), paragraph 4.9:
"All DoD ISs with an authorization to operate (ATO) shall be reviewed annually to confirm that the IA posture of the IS remains acceptable. Reviews will include validation of IA controls and be documented in writing."
And according to paragraph 5.16.8, the Program Manager (PM) or System Manager (SM) shall:
"Ensure annual reviews of assigned ISs required by FISMA are conducted."
So reviews must occur at least once a year.
Is Jim required to assist the PM in this activity?
This question cannot be answered without first specifying the activity.
The Defense Information Systems Agency (DISA).
AR 25-2 requires all users to what?
As per Section 4-5, paragraph a.(8)(a):
All users must receive IA awareness training tailored to the system and information accessible before issuance of a password for network access. The training will include the following:
DAA may waive the certification requirement under severe operational or personnel constraints
In accordance with the army training and BBP certification, the DAA can waive the certification requirements for the army and training due to several operational and personnel constraints.
source for DIACAP resources and knowledge services
How often does DIACAP allow you to review your IA posture?
DIACAP sets a minimum on how frequently you MUST conduct reviews but does not limit you to only do it that often.
According to DoD 8510.01 (DIACAP), paragraph 4.9:
"All DoD ISs with an authorization to operate (ATO) shall be reviewed annually to confirm that the IA posture of the IS remains acceptable. Reviews will include validation of IA controls and be documented in writing."
And according to paragraph 5.16.8, the Program Manager (PM) or System Manager (SM) shall:
"Ensure annual reviews of assigned ISs required by FISMA are conducted."
So reviews must occur at least once a year.
You are free to conduct reviews more frequently if you feel it is beneficial and justified. The IG can conduct reviews of your system as often as they wish, as can DISA.
Which are the DIACAP team members?
According to DODI 8500.2, the "DIACAP team members" are defined as:
E2.25. DIACAP Team. Comprised of the individuals responsible for implementing the DIACAP for a specific DoD IS. At a minimum the DIACAP Team includes the DAA, the CA, the DoD IS program manager (PM) or system manager (SM), the DoD IS IA manager (IAM), IA officer (IAO), and a user representative (UR) or their representatives.
Installation of software, configuration of an IS or connecting any ISs to a distributed computing environment with prior approval.