Chapter 5 - 01 - Discuss Various Regulatory Frameworks, Laws, and Acts PDF

Summary

This document discusses various cybersecurity regulatory frameworks, including the Digital Millennium Copyright Act (DMCA) and the Federal Information Security Management Act (FISMA). It covers topics such as copyright law and information security standards relevant to protecting digital information.

Full Transcript


Certified Cybersecurity Technician Network Security Controls — Administrative Controls Exam 212-82
Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

The Digital Millennium Copyright Act (DMCA)

The DMCA is a United States copyright law that implements two 1996 treaties of the World Intellectual Property Organization (WIPO). It defines the legal prohibitions against the circumvention of technological protection measures employed by copyright owners to protect their works, and against the removal or alteration of copyright management information.

Source: https://www.copyright.gov

The DMCA is an American copyright law that implements two 1996 treaties from the World Intellectual Property Organization (WIPO): the WIPO Copyright Treaty and the WIPO Performances and Phonograms Treaty. In order to implement US treaty obligations, the DMCA defines legal prohibitions against circumvention of the technological protection measures employed by copyright owners to protect their works, and against the removal or alteration of copyright management information.

The DMCA contains five titles:

* Title I: WIPO TREATY IMPLEMENTATION

Title I implements the WIPO treaties. First, it makes certain technical amendments to US law in order to provide the appropriate references and links to the treaties. Second, it creates two new prohibitions in Title 17 of the U.S. Code—one on circumvention of the technological measures used by copyright owners to protect their works and one on tampering with copyright management information—and adds civil remedies and criminal penalties for violating the prohibitions.

* Title II: ONLINE COPYRIGHT INFRINGEMENT LIABILITY LIMITATION

Title II of the DMCA adds a new section 512 to the Copyright Act to create four new limitations on liability for copyright infringement by online service providers.
These limitations are based on the following four categories of conduct by a service provider:

  o Transitory communications
  o System caching
  o The user-directed storage of information on systems or networks
  o Information location tools

New section 512 also includes special rules concerning the application of these limitations to nonprofit educational institutions.

* Title III: COMPUTER MAINTENANCE OR REPAIR

Title III of the DMCA allows the owner of a copy of a program to make reproductions or adaptations when necessary to use the program in conjunction with a computer. The amendment permits the owner or lessee of a computer to make or to authorize the making of a copy of a computer program in the course of maintaining or repairing that computer.

* Title IV: MISCELLANEOUS PROVISIONS

Title IV contains six miscellaneous provisions. The first provision announces the Clarification of the Authority of the Copyright Office; the second grants exemption for the making of “ephemeral recordings”; the third promotes study by distance education; the fourth provides an exemption for Nonprofit Libraries and Archives; the fifth allows Webcasting Amendments to the Digital Performance Right in Sound Recordings; and, finally, the sixth provision addresses concerns about the ability of writers, directors and screen actors to obtain residual payments for the exploitation of motion pictures in situations where the producer is no longer able to make these payments.

* Title V: PROTECTION OF CERTAIN ORIGINAL DESIGNS

Title V of the DMCA is entitled the Vessel Hull Design Protection Act (VHDPA). This act creates a new system for protecting the original designs of certain useful articles that make the article attractive or distinctive in appearance.
For purposes of the VHDPA, “useful articles” are limited to the hulls (including the decks) of vessels no longer than 200 feet.

The Federal Information Security Management Act (FISMA)

Source: https://csrc.nist.gov

The Federal Information Security Management Act of 2002 was enacted to produce several key security standards and guidelines required by Congressional legislation. The FISMA provides a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets. It requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or another source.

The FISMA framework includes:

* Standards for categorizing information and information systems by mission impact
* Standards for the minimum security requirements for information and information systems
* Guidance for selecting appropriate security controls for information systems
* Guidance for assessing security controls in information systems and determining their effectiveness
* Guidance for the security authorization of information systems

Other Information Security Acts and Laws

* USA Patriot Act 2001
* Freedom of Information Act (FOIA)
* The Electronic Communications Privacy Act
* The Human Rights Act 1998
* The Freedom of Information Act 2000
* Computer Fraud and Abuse Act

USA Patriot Act 2001

Source: https://www.fincen.gov

The purpose of the USA PATRIOT Act is to deter and punish terrorist acts in the U.S. and around the world and enhance law enforcement investigatory tools, including:

* To strengthen U.S. measures to prevent, detect, and prosecute international money laundering and financing of terrorism;
* To subject to special scrutiny foreign jurisdictions, foreign financial institutions, and classes of international transactions or types of accounts that are susceptible to criminal abuse;
* To require all appropriate elements of the financial services industry to report potential money laundering; and
* To strengthen measures to prevent use of the U.S. financial system for personal gain by corrupt foreign officials and facilitate repatriation of stolen assets to the citizens of countries to whom such assets belong.

Freedom of Information Act (FOIA)

Source: http://www.foia.gov

The Freedom of Information Act (FOIA) has provided the public the right to request access to records from any federal agency. It is often described as the law that keeps citizens informed about their government. Federal agencies are required to disclose any information requested under the FOIA unless it falls under one of nine exemptions that protect interests such as personal privacy, national security, and law enforcement.

The Electronic Communications Privacy Act

Source: https://it.ojp.gov

The Electronic Communications Privacy Act and the Stored Wire Electronic Communications Act are commonly referred to together as the Electronic Communications Privacy Act (ECPA) of 1986. The ECPA updated the Federal Wiretap Act of 1968, which addressed interception of conversations using "hard" telephone lines but did not apply to interception of computer and other digital and electronic communications. Several subsequent pieces of legislation, including the USA PATRIOT Act, clarify and update the ECPA in order to keep pace with the evolution of new communications technologies and methods, including easing restrictions on law enforcement access to stored communications in some cases.

The Human Rights Act 1998

Source: https://www.legislation.gov.uk

This Act buttresses the rights and freedoms guaranteed under the European Convention on Human Rights; it makes provision with respect to holders of certain judicial offices who become judges of the European Court of Human Rights, and for other related purposes.

The Freedom of Information Act 2000

Source: https://www.legislation.gov.uk

This Act makes provision for the disclosure of information held by public authorities or by persons providing services for them and to amend the Data Protection Act 1998 and the Public Records Act 1958, and for related purposes.

Computer Fraud and Abuse Act

Source: https://ilt.eff.org

The Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, is an amendment made in 1986 to the Counterfeit Access Device and Abuse Act 1984, and essentially states that whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer, and if the conduct involves an interstate or foreign communication, shall be punished under the Act. In 1996 the CFAA was, again, broadened by an amendment that replaced the term “federal interest computer” with the term “protected computer” (18 U.S.C. § 1030). While the CFAA is primarily a criminal law intended to reduce the instances of malicious interferences with computer systems and address federal computer offenses, an amendment in 1994 allows civil actions to be brought under the statute as well.
