Does an IA posture of an organization have to be reviewed every two years?
According to DoD regulations, the IA posture of any DoD organization must be reviewed at least annually. FISMA requires that the IA posture of all US government organizations be reviewed at least annually. Many other nations have adopted similar requirements for organizations that they regulate. It should be noted however that the IA postures of particularly sensitive and/or critical systems need to be reviewed more frequently - perhaps twice a year or even more often depending on the system.
How do you get DIACAP certified?
As an individual, you can't. An information system is what gets accredited for use in the military environment. If you are interested in individual security certification, start with the CompTIA Security+ certification and when you have lots of experience and knowledge, try the Certified Information Systems Security Professional (CISSP) exam.
For the information system accreditation, you start by identifying the military Information Assurance (IA) office that will be handling your system, and then work closely with them to identify and then fulfill their requirements to obtain an Authorization to Operate (ATO).
What does the acronym DIACAP stand for in the army?
DoD Information Assurance Certification and Accreditation Process.
The term is general to all of DoD, not just the Army.
IA posture of an organization will be reviewed every two years?
For US DoD systems: under DIACAP, the IA posture of an organization should be reviewed at least annually. All systems must undergo a complete review at least every 3 years but should also undergo at least a partial review every year (annual security review). More sensitive and more critical systems may be required to undergo review more often - some as often as every 6 months.
NIST recommends pretty much the same.
IASO stands for Information Assurance Security Officer. It is a position described in the Army Information Assurance document AR 25-2. It is equivalent to the IAO position described in DoDI 8500.2 and DoDI 8510.01.
What are the three confidentiality levels which are used in the DIACAP?
(1) Classified (2) Sensitive (3) Public
What does the acronym DIACAP stand for?
DoD Information Assurance Certification and Accreditation Process (DIACAP)
It is the title of DoD Instruction 8510.01, which defined the process for certification and accreditation of DoD information systems (computer, computer networks, etc.) for Information Assurance (confidentiality, integrity, availability, non-repudiation, etc.).
It has since been replaced by the RMF process - although as of 2016 some packages were still being allowed to process for accreditation under DIACAP with ATOs issued for much shorter periods of time.
DoD Information Assurance Certification and Accreditation Program
Why don't people understand that hackers are not bad people?
Opinion
Hackers are dangerous and the cause of one of the worst things in America, identity theft. A hacker could destroy lives.
Opinion
Hackers have developed an array of levels of hacking ranging from good hackers to bad hackers. However, a hacker historically is one who searches out and exploits weaknesses in computer systems in order to gain unauthorized access. Some do this simply because they can and breaking into a system is a source of pride for most. Computer hackers typically steal and damage property that doesn't belong to them. Placing all labels and semantics aside, in a civilized society governed by laws that protect its citizens, people who steal are considered "bad" as they should be. Hackers are modern day pirates.
What is difference between Custodian and depository?
Even if terminology can vary depending on jurisdictions, I would make the following distinction (Sorry in advance but I will have to generalise):
- "Depository" is generally (or historically) used to talk about central institutions (nearly utilities) that register the initial deposit of securities on request of the issuer. CSDs are most of the time local organisations built to accommodate the clearing and settlement needs of local traditional exchanges.
- "Custodian" describes a firm (generally banks) that holds securities on behalf of trading firms.
Patent synergies exist between both activities, so the above-mentioned distinction is blurred in a number of cases:
- A custodian can offer initial depository services to issuers. This model is notably very efficient when the securities are not 100% freely transferable (basically not bearer shares) or when it comes to organising clearing and settlement in multiple currencies.
- A well known European custodian owns several local CSDs and indifferently offers equivalent services via the different entities of the group.
If I stick to the general picture I have just drawn, the custodians are the typical clients of CSDs. To sum up a (very simple) trade life cycle:
1- A trade is carried out on the exchange between two trading firms.
1'- The trade is notified by the exchange to counterparts.
2- It is sent to CCP/Clearing/Settlement agent(s)
2'- The trade is notified by CCP/Clearing
Any deliberate action that compromises the confidentiality, integrity, or availability of a computer would be considered sabotage. Examples would include writing and releasing a virus, worm, or trojan, sending out spam, initiating a denial of service attack, installing a "back door", altering or deleting data, damaging computer equipment, causing data on someone else's computer to become corrupted, encrypting someone's hard drive and holding it hostage until they pay a ransom for the decryption key, intercepting computer traffic and altering it before sending it along (a type of man-in-the-middle attack), or causing physical damage to a computer system by deliberate malicious actions. This list is not exhaustive, but it should give you a sense of the types of things that constitute "computer sabotage". One of the most worrisome current threats is the possibility for someone to hack into a control system for some utility and cause it to malfunction. This has already happened when someone hacked into a sewage treatment system in Australia and caused valves to open that caused raw sewage to be discharged without treatment. Other systems such as telephone, electrical power, and transportation remain potentially vulnerable to criminals.
Relating to the data protection act 1998
Transborder data flow deals with the movement of personally identifiable data from one country to another. Hence, "Trans-border"
Would you get sued for downloading but not uploading files on LimeWire?
"Sharing" and "downloading" seem to have slightly different legal statuses. If you look into all these lawsuits, at LEAST the VAST majority are people that are allowing their computers to be used as "supernodes", and I would bet money that ALL of the lawsuits are against people that have a shared folder on their computer with copyrighted files on it, and they are allowing people to download from THEM. If you don't SHARE the music that you DOWNLOAD, then most of the lawyers probably won't even give you a second look. They have MUCH bigger fish to fry, with all the fools out there sharing a million files a day off their "downloaded music" folder. (Of course, these are the same fools that keep programs like LimeWire and KaZaa from becoming a digital DESERT with no files on them, so I don't mean to sound UNGRATEFUL; I'm just saying those are the ones getting sued.)
Answer: It is still illegal either way and it would only be slightly easier for the RIAA to catch people sharing than downloading. But from what I've heard, they aren't suing people who don't share. Honestly, your chances of getting struck by lightning are higher than your chances of getting sued by the RIAA no matter what you do.
Answer:
Users are less likely to be sued these days because authorities have tried to sue and clampdown on user sharing and downloading files using this method and yet more and more people continue to download illegally.
In Britain, ISPs (Internet Service Providers) along with the copyright authorities have now decided that if internet users do not cease to download illegally after being given warnings from ISPs, they will then have their broadband internet packages cut off and their internet connections will no longer be available to them.
Just remember it's always better to be safe than sorry.
Answer: If you want to think about it from a morals/ethics standpoint, downloading copyrighted work for free without the permission of the copyright owner (especially if they want you to pay for it) is like walking into a store and shoplifting a CD. Sharing the file thus downloaded would be equivalent to making copies of a stolen CD and distributing them. In the first case the copyright owner loses the money from a single sale. In the second case they are losing the money from multiple sales. Which one is going to hurt them more? ... which is why you are more likely to get sued for sharing than for only downloading. In both cases though, your conscience should bother you and you will be a better person if you actually pay for your copy.
What is covered by data protection act 1998?
- Data has to be kept well secured
- Data isn't allowed to be transferred to any country outside the EU without similar legislation
- It allows the individual the right to access any electronically stored information relating to that individual
- Data is only allowed to be held for as long as it's necessary
Hope that's helpful, because I didn't have a clue! I only got the homework a week ago, and then I researched the answer.
What is copyright from moral and legal standpoints?
From a legal standpoint, it's a group of laws designed to protect the rights (and incomes) of creators. From a moral standpoint, it's essentially the same: protecting the rights of creators. Because copyright violations are so easy and so frequent, law enforcement has no chance of monitoring and prosecuting every violator; thus, it functions more on the "honor system," relying heavily on individuals' ethical and moral codes to ensure the rights of creators are respected.
Classified data must be handled and stored properly based on classification marking and what else?
Classified information data must be handled and stored properly based on classification markings and handling caveats.
How long do IASO personnel get to complete the IASO course?
According to AR 25-2, paragraph 4-3a (5), an IASO must complete an IASO Course within 6 months of appointment.
Can you describe about computer ethics and law?
Although copyright does apply to computer software and related IP, the law consistently fails to keep up with technology. As a result, we rely on ethics to fill in the gray areas: this action may not be explicitly prohibited in the law, but it seems like it would hurt someone else, so I won't do it.
What are the 8 principles of data protection?
The 8 principles of data protection are as follows:
1. Processed fairly and lawfully.
2. Obtained for specified and lawful purposes.
3. Adequate, relevant and not excessive.
4. Accurate and up to date.
5. Not kept any longer than necessary.
6. Processed in accordance with the "data subject's" (the individuals) rights.
7. Securely kept.
8. Not transferred to any other country without adequate protection.
What are wireless deployment mistakes to avoid?
There is no list of mistakes to determine which are mistakes. To make sure no mistakes are committed, consult a professional.
Data Protection Act 1998 in relation to medication?
The Data Protection Act 1998 governs the handling of personal data in the UK, including health-related information such as medication records. It mandates that any data collected about an individual's medication must be processed fairly, stored securely, and used only for legitimate purposes. Patients have the right to access their medication records and request corrections if the data is inaccurate. Compliance with this Act is crucial for healthcare providers to ensure patient confidentiality and data integrity.
What essential protections must be in place to protect information systems from danger?
The essential (basic or foundation) protections to protect information systems must consist of a three-tier approach: Technical, Physical and Administrative. Within these tiers are the core building blocks of managing a dynamically changing security posture. Before moving on, seriously consider: no protection can be more consistently effective without situational awareness, due diligence, and enforcement. Broken down succinctly, you must ensure certain hardware and software are installed, implemented well and kept updated with the latest security patches: Network Router/Switch, Operating System (OS), Firewall, Anti-Virus, Spyware Protection and any security updates available for your other software. Remember these are basic protections. In addition, a great backup plan: External drives and/or High Capacity storage Media (the former is usually faster), and a real-time backup application for both the data as well as the system itself. It will allow for recovery of not only your important data but you can also fully restore your information system in a shortened amount of time (as opposed to reloading the OS and each application). Finally, you need encryption; two types: 1. Data-at-Rest (stored on hard drives and/or other media) and 2. Data-in-Transit (sending your data from one location to another and keeping it from prying and spying eyes). All of the above is the beginning of your "defense in depth" information systems protection program.
Technical security controls are devices, processes, protocols, and other measures used to protect the information system; examples include but are not limited to: encryption, anti-virus, firewalls, Spyware Protection, etc.
Physical security controls are physical ways and means by which you prevent access to the information systems: locked doors, fences, alarms, cameras, etc.
Administrative controls are essentially the policies and procedures put in place to ensure your information system doesn't become vulnerable, by following some basic rules and an acceptable use policy (not to mention what information you authorize to give out and who can access your information system).