150 likes | 381 Views
IS3350 Security Issues in Legal Context Unit 6 Federal and State Laws on Privacy, Information Security, and Breach Notification. Learning Objective. Describe legal compliance laws addressing public and private institutions. Key Concepts.
E N D
IS3350 Security Issues in Legal Context Unit 6 Federal and State Laws on Privacy, Information Security, and Breach Notification
Learning Objective Describe legal compliance laws addressing public and private institutions
Key Concepts • Federal government information security and privacy regulation • Federal Government Information Security Management Act (FISMA) • Import and export laws for information technology • State regulation of privacy and information security • Data breach notification
Federal Information Security Management Act (FISMA) Categorizing information and information systems by mission impact Complying with minimum security requirements for information systems Selecting appropriate security controls for information systems
Federal Information Security Management Act (FISMA) continued Assessing security controls in information systems Determining security control effectiveness Establishing security authorization of information systems Monitoring security controls Assuring security authorization of information systems
Data Breach Notification Laws Requirements to inform customers of a data breach Civil and/or criminal penalties for failure to disclose Private right of action Exemptions from reporting
Data Breach Notification Laws (Continued) Personal Data Privacy and Security Act of 2009 Sponsored by committee Chairman Sen. Patrick Leahy, D-VT Requires breached organizations to notify individuals at risk Notice not required if data was encrypted or rendered useless Data Breach Notification Act Endorsed by California Sen. Dianne Feinstein, D-CA
Regulatory Requirements for the Import and Export of Information Technology Department of Commerce Export Administration Regulations (EAR) Export Administration Act of 1979 Bureau of Industry and Security Commerce Control List (CCL) Department of State International Traffic in Arms Regulations (ITAR) Treasury Department Office of Foreign Assets Control (OFAC).
Regulatory Requirements for the Import and Export of Information Technology Export of Technology or Software Release of technology or software subject to the EAR in a foreign country Release of technology or source code subject to the EAR to a foreign national within the United States or outside. Tansfer of source code Inspection or oral communication of code Violations subject to civil penalties or denial of export privileges Willful violations subject to criminal penalties
ROLES • Chief Information Security Officer • Manages investigations of possible breaches • Legal Counsel I • Handles all legal issues associated compromise of protected data • Office of Public Affairs • Directs all internal and external communication • Manages media relations • Maintains contact with law enforcement. • Human Resources • Advises on personnel issues and communications
Summary • Federal government information security and privacy regulation • Federal Government Information Security Management Act (FISMA) • Import and export laws for information technology • State regulation of privacy and information security • Data breach notification