Rugged is knowing the limits of the law on the cyber frontier, understanding standards for self protection, and knowing whom to turn to if you are a victim.
As on the western frontier 150 years ago, there are few laws that protect us on the cyber frontier. It takes time and outrage to spur politicians into enacting safeguards, and for the most part laws regulating the Internet or setting standards for consumer protection are not mature. To protect themselves, organizations and businesses must maintain sufficient basic security processes over time so as not to be found negligent.
This section is divided into several pages about cyber law for specific groups:
- Individual home user
- Small business/non-profit
- Public business
- Federal government
- State or Local government
Areas each group needs to examine for itself are:
- What data must I safeguard from computer compromise?
- What laws/regulations exist that I must not break?
- What is due diligence for me?
- When do I need outside help?
Metrics for Management Decisions
FISMA (the Federal Information Security Management Act of 2002) was an attempt to update old laws regarding computers and to set standards for the US government to protect its digital assets. It had good intentions in spirit, but it became apparent that it was possible to skip the intent of the law and become compliant on paper without improving actual system security, as evidenced by the 26 million account breach at the Veterans Administration in 2006.
In the last couple of years, SANS has reorganized many of the controls in NIST 800-53A into a prioritized list. The SANS Consensus Audit Guidelines (CAG) have been adopted by the Office of Management and Budget (OMB) as the foundation for determining the quantity, distribution and use of hardware, platforms, software, vulnerabilities, patches, connections and more across civilian computer systems: the FISMA requirements for 2011. All this information is sporadically being loaded into a large database called Cyberscope, which will become mandatory as more agencies acquire the tools to upload their data into it.
One of the requirements for Cyberscope is to identify the security products used across government and to encourage vendors to develop products whose data can be exchanged with one another. This open source effort to develop the Security Content Automation Protocol (SCAP) is what the name implies: to have the security content from various programs speak a common language and structure (a protocol) so that data can be exchanged automatically between programs. One of the Cyberscope criteria is to list which products each agency and its bureaus have that are SCAP compliant. A summary of SCAP (as explained in NIST 800-126) is available from the X. Legal – SCAP drop-down menu above.
Because of the Google lawsuit against the Department of the Interior, there is a lot of press around cloud services (Google and Microsoft) being “FISMA certified”. FISMA does not specify any required certification. Other regulations require that government computer systems be “Certified and Accredited”, meaning that a set of standards published by NIST was used in the setup and maintenance of a government computer system. Certification and Accreditation of a government system was worth 2 points out of 100 on the “FISMA scorecard”. Federal guidelines on cloud computing are specified in FedRAMP (the Federal Risk and Authorization Management Program), but FedRAMP is very general. NIST has also released the draft Guidelines on Security and Privacy in Public Cloud Computing (SP 800-144) and the draft A NIST Definition of Cloud Computing (SP 800-145).
Negligence and Due Diligence — Much of IT security comes down to maintaining “due diligence”. Businesses want to have enough precautions in place that they cannot be accused of negligence in protecting the PII they store, as well as other data and information (definition of negligence and discussion of negligence). Unfortunately, IT security is not a “set it and forget it” job; good security requires processes and procedures that are repeatedly and routinely carried out on a daily, weekly and monthly basis. It takes good management to maintain that level of diligence over time and to keep the focus on protecting data.
Victims — Whom to report what to, and where to get help
- US Secret Service: report identity crimes, credit card crimes, electronic crimes
- US Federal Trade Commission (FTC): The FTC works to prevent fraudulent, deceptive and unfair business practices in the marketplace and to provide information to help consumers spot, stop and avoid them. Report consumer fraud, online shopping fraud, violations of children’s privacy, and deceptive commercial email (forward it to firstname.lastname@example.org), including cases where “remove me” or “unsubscribe” requests don’t work.
- Your Internet provider: report spam to their abuse mailbox (usually abuse@ followed by the provider’s domain name)
- Internet Crime Complaint Center (IC3) is a partnership among the FBI, the National White Collar Crime Center (NW3C) and the Bureau of Justice Assistance (BJA). Their mission is to receive, develop and refer criminal complaints. They provide victims of cyber crimes an easy-to-use reporting mechanism. When complaints reach a critical mass, the FBI will launch an investigation.
- Internal Revenue Service (IRS): check with them to verify whether charitable organizations are legitimate. Report identity theft to the IRS.
- Add suspected phishing sites to http://phishtank.com (free registration required)