Legal, Regulations,
Investigations, and
Compliance
Domain 9 Official CISSP CBK V3
Pages 1168-1241
Tim Jensen
StaridLabs
Disclaimer
• Neither StaridLabs nor any representative of StaridLabs is licensed,
certified, or competent enough to offer legal advice.
• This presentation is intended as training for the CISSP exam. If legal
advice is necessary in a situation then we highly recommend you
consult a licensed lawyer.
• StaridLabs provides no guarantee that the information in the CISSP
CBK and/or presented in this training is accurate or legally advisable.
Definitions
• Codification
• the act, process, or result of arranging in a systematic form or code

• Jurisprudence
• the science or philosophy of law
• a system or body of law
• the course of court decisions
The Law
• Laws change depending on where you are located.
• In the United States laws can be: Federal, State, County, and City.
• The CISSP guide attempts to keep its training applicable globally, but
that isn’t always possible.
Major Legal System Categorizations
• Common Law
• Civil or Code Law
• Customary Law
• Religious Law
• Mixed Law
• Maritime Law (Not applicable in CISSP CBK)
Common Law
• Customary law system used by Anglo-Saxons in Northern France and
England.
• Still used in England and has been spread throughout the world by
English colonization including United States, Canada and Australia.
• Largely the European Union uses Civil Law instead of Common Law.
• King of England created a unified legal system in the twelfth century
that was common to the whole country. Prior to this laws were based
on local practices.
What is Common Law?
• Uses the adversarial approach to litigation.
• Does not rely on codification of law.
• Barristers (lawyers) take a very active role.
• Reliance on previous court rulings. (Jurisprudence)
• Judges play a fairly passive role in determining facts.

• Most Common Law systems consist of three branches: Criminal Law,
Tort Law, and Administrative Law.
Common Law: Criminal Law Branch
• Deals with behaviors or conduct that is seen as harmful to the public
or society.
• An individual violates a governmental law designed to protect the
public and as such the victim is society.
• Government prosecutes on behalf of the public.
• Punishment can be incarceration, probation, or death. Fines occur as
well in some cases but loss of freedoms is the primary punishment.
Common Law: Tort Law
• Deals with civil wrongs (torts) against an individual or business entity.
• Monetary damages are generally the penalty.
• Can sometimes be both a violation of Tort and Criminal law.
• Types of torts:
• Intentional torts
• Wrongs against a person or property
• Dignitary Wrongs
• Economic Wrongs
• Negligence
• Nuisance
• Strict Liability
Common Law: Administrative Law
• Known as regulatory law in some countries.
• Deals with the governance of public bodies and the designation of
power to administrative agencies, commissions, boards,
administrative tribunals, or professional associations.
• Examples: Security Exchange Committee (SEC), Labor Relations
Boards, Law Societies, Medical Boards, School Boards
• Objective is to confine government power to its proper scope and
stop potential abuse of power.
• Punishments can be fines, inability to practice a profession, and in
some cases incarceration.
Civil Law: A Brief History
• Started in the Roman Empire
• Died

• Started again in Italy and spread to Europe in the late 1700’s to early
1800’s.
• At one time was the most common legal system in Europe.
• Became regionalized over time with Germany, Norway, Sweden,
Denmark, and Switzerland developing their own national systems.
• Civil law can be subdivided into French, German, or Scandinavian civil
law.
Civil Law
• Has a heavy reliance on legislation as the primary source of law (vs
Jurisprudence in Common Law)
• System relies on codification of law.
• Lower courts are not compelled to follow decisions of higher courts
(Stare Decisis)
• Judges are more active in determining facts of a case and in some
instances direct the investigation.
Customary Law
• Regional legal systems which reflect social norms and values based on
tradition.
• Rare to find a country whose law structure is entirely based on
customary law.
• Often combined with civil or common law. This is called a ‘mixed legal
system’.
Religious Law
• All legal systems have been influenced by religion.
• Some countries try to differentiate legal law from religious law.
Muslim Law
• Islam is practiced by a large portion of the worlds population.
• Many Muslim societies follow Islamic Law or Sharia.
• Traditional Islamic Law is separated in to rules of worship and rules of
human interaction.
• Guided by the Qur'an and the Sunnah, or manner in which the prophet
Muhammad lived.
• Sharia covers all aspects of a person’s life (Religious practices, Diet, Dress,
Family Life, Commerce, domestic justice)
• Law is not man-made, it is divine will.
• Lawmakers do not create the law, Jurists and clerics attempt to discover
the truth of law.
• Sharia has been codified, but still remains open to interpretation.
Mixed Law
• Mixed law is the convergence of two or more legal systems, usually
civil law and common law, but often also customary, religious, civil, or
common law.
• Blending of legal systems can result in political and economic
pressure.
• An example is the United Kingdom and Scotland.
Scotland is a silly place…
This was my first result when googling UK law…
Liability
• In law, liability refers to being legally responsible.
• Sanctions can be civil and/or criminal.
• Negligence is acting without care, or the failure to act as a reasonable and
prudent person would under similar circumstances.
• The definition of “reasonable person” is murky and available for extensive
interpretation.
Due care/Due Diligence
• Due care is the requirement that executives with fiduciary responsibilities
meet certain requirements to protect the company’s assets.
• This includes the safety and protection of technology and information systems which
are corporate assets.

• Due diligence is conceptual and can change often.
• From Webster: the care that a reasonable person exercises to avoid harm to other
persons or their property
• From Wikipedia:
• In criminal law, due diligence is the only available defense to a crime that is one of strict
liability (i.e., a crime that only requires an actus reus and no mens rea). Once the criminal
offence is proven, the defendant must prove on balance that they did everything possible to
prevent the act from happening. It is not enough that they took the normal standard of care
in their industry – they must show that they took every reasonable precaution.
Computer Crime
• Examples of computer crimes:
• Counterfeit
• Fraud
• Theft
• Child Pornography
• The law still hasn’t caught up with technology.
• Technology makes cyber stalking easy
• Cyber stalking can be very useful in technical and non-technical cases. Murder
investigations, kidnappings, drug trafficking, etc. can all have information available on
the public internet.

• Computer crimes can occur from outside the company as well as from
insiders. Inside threats are often greater overall risks to the company.
International Cooperation
• Most computer crimes span multiple countries.
• Borders and jurisdiction cause lots of issues.
• A country can prosecute spammers, scammers, and internet
criminals, but they can easily move to a country which promotes,
tolerates, or ignores digital crime.
The Council of Europe Convention on
Cybercrime
• Ratified by 30 countries including Canada, the United States, and
Japan
• Came into effect July 1, 2004
• Contains 48 articles
• Summary:
• Parties must establish laws against cybercrime and offenses related to child
pornography
• Ensure law enforcement officials have the necessary procedural authority to
investigate and prosecute cybercrime effectively.
• Provide international cooperation to other parties in the fight against
computer related crime.
Intellectual Property Laws
• Designed to protect tangible and intangible items or property
• Goal is to protect property from people wishing to copy or use it
without due compensation to the inventor or creator.
• The idea is that copying someone else's idea entails far less work than
what is required for the original development.
• Intellectual property is divided into two categories:
• Industrial Property
• Inventions (patents), trademarks, industrial designs, and geographical indications of
source

• Copyright
• Literary and artistic works (novels, poems, plays, films, music, drawings, paintings,
photographs, sculptures, architectural designs)
Patent
• Grants the owner the legally enforceable right to exclude others from
practicing the invention for a specific period of time (generally 20 years)
• Strongest form of intellectual property protection.
• Protects novel, useful, and nonobvious inventions.
• Requires formal application to a government entity.
• When the patent is granted it is published in the public domain, to
stimulate other innovations.
• When the patent expires the protection ends and the invention enters the
public domain.
• WIPO, a part of the United Nations (UN), is in charge of the filing and
processing of international patents.
Trademark
• Designed to protect the goodwill an organization invests in its
products, services or image.
• Allows exclusive rights to the owner of markings that the public uses
to identify a vendor, merchant, products, or goods.
• Can consist of any word, name, symbol, color, sound, product shape,
device, or combination of these.
• Must be distinctive and cannot mislead or deceive consumers or
violate public order or morality.
• Registered with the government registrar
• WIPO oversees international trademark efforts.
Copyright
• Covers the expression of ideas rather than the ideas themselves.
• Protects artistic property such as writing, recordings, databases, and
computer programs.
• In many countries once the work or property is completed or in a
tangible form, the copyright protection is automatically assumed.
• Weaker than patent protection, but duration is longer. (50 years after
creators death or 70 years total under US law)
• If the artist’s country is a member of the International BERNE
convention then the protection afforded will be the minimum level
afforded in all participating countries.
Trade Secret
• Refers to proprietary business or technical information, processes,
designs, practices, etc that are confidential and critical to the
business. (Pepsi’s secret formula)
• To be categorized as a trade secret it must not be generally known
and must provide economic benefit to the company.
• Reasonable steps must be taken to protect its secrecy.
• In a dispute, the contents of the trade secret do not need to be
disclosed.
• Often the main complaint in industrial and economic espionage cases.
Import/Export
• Some software may be illegal to import or export. Example is some
types of encryption software.
• Information Security professionals should check local laws especially
when working internationally (or choosing employees or datacenters
overseas).
Trans-Border Data Flow
• As information moves between systems or cloud hosting companies,
the location where the data is stored matters.
• If the information is transferred and/or stored in 3 countries, you may
have to deal with three or more jurisdictions and three different
legal systems.
• If the organization who owns the server is a member of a different
country, sometimes their home country can gain jurisdiction over the
server even if it’s in another country.
Privacy
• A lot of personally identifiable information (PII) is stored online or
electronically.
• Data compromises happen often.
• There are now many regulations for the responsible protection, use,
and transfer of PII.
• An example of a common guideline is the Organization for Economic
Cooperation and Development (OECD). (Pages 1185-1187. Read it)
Employee Monitoring and Surveillance
• Monitoring of employees must be done carefully.
• On the one hand you need to curb abuse, theft, etc. (Due Diligence)
• On the other hand the employee has rights to privacy.
• Over-monitoring can cause hostile employees. (This is bad)
• The EU created 7 principles called the Directive on Data Protection
which is a guideline for monitoring. These regulations are similar to
the ones in the US, Canada, and the UK and can be used as a
guideline.
Directive on Data Protection
• Notice: Individuals must be informed about what is collected and the uses for the
information.
• Choice: Individuals must be given the opportunity to decline data sharing with 3rd
parties or to be used for purposes not stated in the notice.
• Onward transfer: 3rd parties receiving data must also subscribe to this directive.
• Security: Organizations must take reasonable precautions to protect personal
data from loss, misuse, unauthorized access, disclosure, alteration, and
destruction.
• Data Integrity: Data should be reliable and only the data necessary should be
collected.
• Access: Individuals must have access to the personal information about them.
They must be able to correct, amend, or delete the information.
• Enforcement: A compliance program must exist to enforce this directive.
Professional Ethics
• The creation of computers started a large debate on ethics.
• Computers can be used inappropriately and can replace humans
which could cause widespread job loss.
• Another fear is that humans will become seen more as machines and
will be treated as such.
• Quite a few regulations exist regarding professional ethics.
• Ethics programs can be very beneficial. If an ethics program is in place
then some criminal cases will have substantially reduced penalties.
• The FSGO has requirements to show that an Ethics program is continuously
being improved and that it is effective.
Common Ethics Dilemmas
Computers in the Workplace
• Computers can pose a threat to jobs.
• People may feel they are being replaced.
• Computers require operators, which changes many of the jobs to
require different skills.
Computer Crime
• Criminals can reach systems from anywhere in the world, and the
payoffs are larger.
• An inside employee can steal all the company data and walk out with
it in his/her pocket.
Privacy and Anonymity
• Private information is passed around constantly. People like their
privacy and have concerns about data being shared and what can be
inferred based on data from different sources.
Intellectual Property
• Ethics around IP are tough.
• People like music and software to be free, but companies,
programmers and artists won’t create the IP if they won’t get their
investment back in licenses, fees, or profit of some sort.
Common Computer Ethics Fallacies
Computer Game Fallacy
• Computer users tend to think that computers will generally prevent
them from cheating and doing wrong.
• Programmers believe that an error in programming syntax will
prevent the program from working. So if the program works then it
must be working correctly.
Law-Abiding Citizen Fallacy
• Users sometimes confuse what is legal with regards to computer use,
with what is reasonable behavior for using a computer.
• Users do not realize that they have a responsibility to consider the
ramifications of their actions and to behave accordingly.
Shatterproof Fallacy
• Most computer users believe that they can do little harm accidentally
with a computer.
• If a user sends a mass mailing which is discriminatory, this could hurt
a large group of people.
• Most people realize that certain activities in public are illegal, but still
do them online thinking it’s ok or anonymous.
• Ultimately users don’t consider the impact
of their actions before doing them.
Candy-from-a-Baby Fallacy
• Stealing software, books, etc is very easy on a computer.
• Copying retail software without paying for it is theft.
• Just because it’s easy and it may be hard to catch you doesn’t mean
it’s ethical, legal, or acceptable.
Hacker Fallacy
• A commonly accepted hacker belief is that it’s acceptable to do
anything with a computer as long as the motivation is to learn and
not to gain a profit.
Free Information Fallacy
• Notion that “information wants to be free.”
• Copying and distribution of data is completely under the control of
the people who do it and the people who allow it to happen.
Hacking and Hacktivism
• A hacker was originally a person who sought to understand
computers as thoroughly as possible. Soon hacking came to be
associated with phreaking, breaking into phone networks to make
free calls, etc which is illegal.
MIT Hacker Ethic
• Access to computers should be unlimited and total.
• All information should be free.
• Authority should be mistrusted and decentralization promoted.
• Hackers should be judged solely by their skills at hacking, rather than
by race, class, age, gender, or position.
• Computers can be used to create art and beauty.
• Computers can change your life for the better.
Various Codes of ethics
• Most professional organizations have their own code of ethics.
• I’m not going to re-type 20 pages. Read up on these (1203-foo)
• The Code of Fair Information Practices
• Internet Activities Board
• Computer Ethics Institute
• National Conference on Computing and Values
• The Working Group on Computer Ethics
• National Computer Ethics and Responsibilities Campaign (NCERC)
• ISC Code of Professional Ethics (1208-1209)
Ethics Principles
• Treat others as you wish to be treated
• If an action is not right for everyone, it is not right for anyone.
• If an action is not repeatable at all times, it is not right at any time.
• Take the action that achieves the most good.
• Incur least harm or cost
• Do No Harm
• Assume that all property and information belongs to someone.
• Is it against the law
• Is the action contrary to codes of ethics
• Is there hard evidence to support or deny the value of taking an action
• Let the people affected decide
• Will the costs and benefits be equitably distributed
• Are you comparing against competing companies
• Compassion
• Are decisions biased in favor of one group
• Full Disclosure
• Can the data be adequately protected to avoid disclosure
• Does IT stand behind ethical principles
Ethical Conflicts
• If you need to do something that may be perceived as unethical, inform all
parties about your intentions. (Preferably in writing)
• If a conflict exists between two codes of ethics, the higher ethic wins.
• Consider precedence. An action taken by you on a small scale could result
in significant harm if carried out on a larger scale. (But TIM did it so we 98
million people thought it was ok to ping google too!)
• Whoever owns or is responsible for information must ensure that it is
reasonably protected and that users are aware of how to use it responsibly.
• As an information user, always assume others own it and that their
interests must be protected unless explicitly notified that the information is
able to be used freely.
Computer Forensics
• Digital Investigations can become court cases.
• Phases of an investigation:
• Identify Evidence (Also protect the scene)
• Collect Evidence
• Examine Evidence
• Present Findings
• Live evidence is digital evidence gathered from a running system or process
(RAM)
• Dead evidence is from a shutdown/at rest system (hard Disk)
• Only individuals with knowledge of basic crime scene analysis should be
allowed to deal with the scene.
General Forensic Guidelines
• Upon seizing digital evidence, actions taken should not change that
evidence.
• When it’s necessary for a person to access original digital evidence, that
person should be trained for the purpose.
• All activity relating to the seizure, access, storage, or transfer of digital
evidence must be fully documented, preserved, and available for review.
• An individual is responsible for all actions taken with respect to digital
evidence while the digital evidence is in his possession.
• Any agency that is responsible for seizing, accessing, storing, or transferring
digital evidence is responsible for compliance with these principles.
More General Forensic Guidelines
• Minimize handling/corruption of original data
• Account for any changes and keep detailed logs of your actions.
• Comply with the five rules of evidence
• Do not exceed your knowledge
• Follow your local security policy and obtain written permission.
• Capture as accurate an image of the system as possible.
• Be prepared to testify
• Ensure your actions are repeatable
• Work fast
• Proceed from volatile to persistent evidence
• Do not run any programs on the affected system
Incident Handling
• Triage Phase
• Determine if this is a real incident

• Investigative Phase
• Containment
• Analysis and Tracking

• Recovery Phase
• Recover/repair the system and prevent the incident from re-occurring.
Chain of Custody
• Refers to who, what, when, where, and how the evidence was
handled throughout the entire case lifecycle. From the first person on
the scene until the court case is over.
• For digital evidence, file hashes are very common and useful. Use SHA-256 hashes to prove files have not changed since the initial gather time.
• Have chain of custody forms where people sign over evidence to each
other.
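The hash-based custody record described on this slide and the "keep detailed logs" and "ensure your actions are repeatable" guidelines from the General Forensic Guidelines slides, as an added example that is not part of the original deck. The JSON-lines ledger format, the `CustodyLedger` class and the sample evidence file are all constructed here for illustration.

```python
"""Chain-of-custody ledger with SHA-256 integrity checks (constructed example)."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import List, Optional


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so a large disk image need not fit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


class CustodyLedger:
    """Append-only JSON-lines ledger: one line per action on an evidence item.

    Every entry records who, what (item + hash), when, where and how, which is
    exactly the set of questions a chain-of-custody form has to answer.
    """

    def __init__(self, ledger_path: Path):
        self.ledger_path = ledger_path
        self.entries: List[dict] = []
        if ledger_path.exists():
            with ledger_path.open() as fh:
                self.entries = [json.loads(line) for line in fh if line.strip()]

    def _append(self, entry: dict) -> dict:
        entry["when"] = datetime.now(timezone.utc).isoformat()
        with self.ledger_path.open("a") as fh:          # append only, never rewrite
            fh.write(json.dumps(entry, sort_keys=True) + "\n")
        self.entries.append(entry)
        return entry

    def collect(self, item: Path, who: str, where: str, how: str) -> dict:
        """Seizure entry: the hash taken now is the baseline for every later check."""
        return self._append({"action": "collect", "item": item.name,
                             "sha256": sha256_file(item), "who": who,
                             "where": where, "how": how})

    def transfer(self, item: Path, from_who: str, to_who: str, where: str) -> dict:
        """Hand-over entry: both parties are named and the hash is re-taken, so a
        change that happened under a particular custodian is attributable."""
        return self._append({"action": "transfer", "item": item.name,
                             "sha256": sha256_file(item), "from": from_who,
                             "who": to_who, "where": where, "how": "signed hand-over"})

    def baseline_hash(self, item_name: str) -> Optional[str]:
        for entry in self.entries:
            if entry["action"] == "collect" and entry["item"] == item_name:
                return entry["sha256"]
        return None

    def verify(self, item: Path) -> bool:
        """True only if the file still matches the hash recorded at collection."""
        baseline = self.baseline_hash(item.name)
        return baseline is not None and sha256_file(item) == baseline

    def custodians(self, item_name: str) -> List[str]:
        """Everyone who has held the item, in order, reconstructed from the ledger."""
        return [e["who"] for e in self.entries if e["item"] == item_name]

    def first_bad_entry(self, item_name: str) -> Optional[dict]:
        """Earliest entry whose hash differs from the baseline, i.e. where custody broke."""
        baseline = self.baseline_hash(item_name)
        for entry in self.entries:
            if entry["item"] == item_name and entry["sha256"] != baseline:
                return entry
        return None


def demo() -> dict:
    """Walk one constructed evidence file through collection, hand-over, a check and
    a tampering event, and return the observations so they can be asserted on."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp) / "laptop-image.dd"   # constructed sample, not a real image
        evidence.write_bytes(b"constructed disk image contents\n" * 64)
        ledger = CustodyLedger(Path(tmp) / "custody.jsonl")

        ledger.collect(evidence, who="first responder", where="scene", how="dd image")
        ledger.transfer(evidence, "first responder", "examiner", where="lab")
        intact_before = ledger.verify(evidence)

        # One appended byte: a write blocker or read-only mount should make this impossible,
        # but the ledger must still be able to show that, and under whom, it happened.
        with evidence.open("ab") as fh:
            fh.write(b"!")
        ledger.transfer(evidence, "examiner", "court clerk", where="evidence room")
        intact_after = ledger.verify(evidence)
        broke_at = ledger.first_bad_entry(evidence.name)

        # Re-open the ledger from disk: the record must survive independently of the process.
        reloaded = CustodyLedger(ledger.ledger_path)
        return {"intact_before": intact_before,
                "intact_after": intact_after,
                "custodians": reloaded.custodians(evidence.name),
                "broke_under": broke_at["from"] if broke_at else None,
                "entries": len(reloaded.entries)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```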
Interviewing
• Interviewing witnesses and suspects is delicate.
• Before starting the interview review policies, notify management, and
consult legal counsel.
• Never conduct the interview alone.
• Preferably video tape the interview.
• Have an expert do it if at all possible. (Risk is high, don’t mug yourself)
• Legal counsel should be in the room.
Reporting and Documenting
• A clear report should be written.
• Assume it’ll be read in court with the media watching.
• Once the whole incident is wrapped up, review the incident and try to
learn some lessons:
• How could it have been avoided?
• How did the incident response go? Could we have done better?
• How did the forensic case go?
Forensic Procedure
• Evidence should have some sort of value
• Evidence should be relevant to the case at hand
• Should meet the five rules of evidence
• Be authentic
• Be accurate
• Be complete
• Be convincing
• Be admissible
Media Analysis
• Involves recovery of evidence from information media
• Hard drives, DVDs, CD-ROMs, portable memory devices
• Media may have been damaged, overwritten, degaussed, or reused

• If the investigator is unable to collect sufficient evidence, media
forensic investigators exist to help. (Very Expensive)
Network Analysis
• Analysis and examination of data from network logs and network
activity for use as potential evidence.
• Must have proper evidence collection and handling (chain of custody)
for the evidence to be admissible.
Software Analysis
• Analysis of program code (source code, compiled code, machine
code, etc)
• Decompiling and reverse engineering often used.
• Can locate author identification, author attributes, programming
styles, etc.
Hardware/Embedded Device Analysis
• Smart phones, PDAs, CMOS chips, etc. can all be useful as evidence.

Pob stage 2 lecture 7  introduction advance ole set (1)Pob stage 2 lecture 7  introduction advance ole set (1)
Pob stage 2 lecture 7 introduction advance ole set (1)
 
Criminal Justice System.pptx
Criminal Justice System.pptxCriminal Justice System.pptx
Criminal Justice System.pptx
 
International Marketing The International Legal Environment
International Marketing The International Legal EnvironmentInternational Marketing The International Legal Environment
International Marketing The International Legal Environment
 
Classification of Law
Classification of LawClassification of Law
Classification of Law
 
lecture 1.pptx
lecture 1.pptxlecture 1.pptx
lecture 1.pptx
 
Gbe unit 2
Gbe unit 2Gbe unit 2
Gbe unit 2
 
English legal system
English legal systemEnglish legal system
English legal system
 
CISSP Prep: Ch 2. Security and Risk Management I (part 2)
CISSP Prep: Ch 2. Security and Risk Management I (part 2)CISSP Prep: Ch 2. Security and Risk Management I (part 2)
CISSP Prep: Ch 2. Security and Risk Management I (part 2)
 

Dernier

What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPCeline George
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designMIPLM
 
ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfVanessa Camilleri
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...Nguyen Thanh Tu Collection
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Mark Reed
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY -  GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY -  GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxiammrhaywood
 
4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptxmary850239
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatYousafMalik24
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfJemuel Francisco
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxCarlos105
 
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...JojoEDelaCruz
 
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfVirtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfErwinPantujan2
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...Postal Advocate Inc.
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfTechSoup
 
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSGRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSJoshuaGantuangco2
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parentsnavabharathschool99
 
Active Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfActive Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfPatidar M
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)lakshayb543
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Celine George
 

Dernier (20)

What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERP
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-design
 
ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdf
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY -  GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY -  GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
 
4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice great
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
 
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
 
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptxLEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
 
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfVirtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
 
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSGRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parents
 
Active Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfActive Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdf
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17
 

CISSP week 25

Common Law: Criminal Law Branch
• Deals with behaviors or conduct that are seen as harmful to the public or society.
• An individual violates a governmental law designed to protect the public, and as such the victim is society.
• The government prosecutes on behalf of the public.
• Punishment can be incarceration, probation, or death. Fines occur as well in some cases, but loss of freedoms is the primary punishment.

Common Law: Tort Law
• Deals with civil wrongs (torts) against an individual or business entity.
• Monetary damages are generally the penalty.
• Can sometimes be both a violation of tort and criminal law.
• Types of torts:
  • Intentional torts
  • Wrongs against a person or property
  • Dignitary wrongs
  • Economic wrongs
  • Negligence
  • Nuisance
  • Strict liability

Common Law: Administrative Law
• Known as regulatory law in some countries.
• Deals with the governance of public bodies and the designation of power to administrative agencies, commissions, boards, administrative tribunals, or professional associations.
• Examples: Security Exchange Committee (SEC), Labor Relations Boards, Law Societies, Medical Boards, School Boards
• Objective is to confine government power to its proper scope and stop potential abuse of power.
• Punishments can be fines, inability to practice a profession, and in some cases incarceration.

Civil Law: A Brief History
• Started in the Roman Empire
• Died
• Started again in Italy and spread to Europe in the late 1700s to early 1800s.
• At one time was the most common legal system in Europe.
• Became regionalized over time, with Germany, Norway, Sweden, Denmark, and Switzerland developing their own national systems.
• Civil law can be subdivided into French, German, or Scandinavian civil law.

Civil Law
• Has a heavy reliance on legislation as the primary source of law (vs. jurisprudence in Common Law)
• System relies on codification of law.
• Lower courts are not compelled to follow decisions of higher courts (i.e., no stare decisis)
• Judges are more active in determining facts of a case and in some instances direct the investigation.

Customary Law
• Regional legal systems which reflect social norms and values based on tradition.
• Rare to find a country whose law structure is entirely based on customary law.
• Often combined with civil or common law. This is called a ‘mixed legal system’.

Religious Law
• All legal systems have been influenced by religion.
• Some countries try to differentiate legal law from religious law.

Muslim Law
• Islam is practiced by a large portion of the world’s population.
• Many Muslim societies follow Islamic Law, or Sharia.
• Traditional Islamic Law is separated into rules of worship and rules of human interaction.
• Guided by the Qur'an and the Sunnah, or the manner in which the prophet Muhammad lived.
• Sharia covers all aspects of a person’s life (religious practices, diet, dress, family life, commerce, domestic justice)
• Law is not man-made; it is divine will.
• Lawmakers do not create the law; jurists and clerics attempt to discover the truth of the law.
• Sharia has been codified, but still remains open to interpretation.

Mixed Law
• Mixed law is the convergence of two or more legal systems, usually civil law and common law, but often also customary or religious law.
• Blending of legal systems can result in political and economic pressure.
• An example is the United Kingdom and Scotland.

Scotland is a silly place…

This was my first result when googling UK law…

Liability
• In law, liability refers to being legally responsible.
• Sanctions can be civil and/or criminal.
• Negligence is acting without care, or the failure to act as a reasonable and prudent person would under similar circumstances.
• The definition of “reasonable person” is murky and open to extensive interpretation.

Due Care/Due Diligence
• Due care is the requirement that executives with fiduciary responsibilities meet certain requirements to protect the company’s assets.
• This includes the safety and protection of technology and information systems, which are corporate assets.
• Due diligence is conceptual and can change often.
• From Webster: the care that a reasonable person exercises to avoid harm to other persons or their property
• From Wikipedia:
  • In criminal law, due diligence is the only available defense to a crime that is one of strict liability (i.e., a crime that only requires an actus reus and no mens rea). Once the criminal offence is proven, the defendant must prove on balance that they did everything possible to prevent the act from happening. It is not enough that they took the normal standard of care in their industry – they must show that they took every reasonable precaution.

Computer Crime
• Examples of computer crimes:
  • Counterfeiting
  • Fraud
  • Theft
  • Child pornography
• The law still hasn’t caught up with technology.
• Technology makes cyber stalking easy.
• Cyber stalking can be very useful in technical and non-technical cases. Murder investigations, kidnappings, drug trafficking, etc. can all have information available on the public internet.
• Computer crimes can occur from outside the company as well as from insiders. Insider threats are often greater overall risks to the company.

International Cooperation
• Most computer crimes span multiple countries.
• Borders and jurisdiction cause lots of issues.
• A country can prosecute spammers, scammers, and internet criminals, but they can easily move to a country which promotes, tolerates, or ignores digital crime.

The Council of Europe Convention on Cybercrime
• Ratified by 30 countries including Canada, the United States, and Japan
• Came into effect July 1, 2004
• Contains 48 articles
• Summary:
  • Parties must establish laws against cybercrime and offenses related to child pornography
  • Ensure law enforcement officials have the necessary procedural authority to investigate and prosecute cybercrime effectively.
  • Provide international cooperation to other parties in the fight against computer-related crime.
Intellectual Property Laws
• Designed to protect tangible and intangible items or property
• Goal is to protect property from people wishing to copy or use it without due compensation to the inventor or creator.
• The idea is that copying someone else's idea entails far less work than what is required for the original development.
• Intellectual property is divided into two categories:
  • Industrial property
    • Inventions (patents), trademarks, industrial designs, and geographical indications of source
  • Copyright
    • Literary and artistic works (novels, poems, plays, films, music, drawings, paintings, photographs, sculptures, architectural designs)

Patent
• Grants the owner the legally enforceable right to exclude others from practicing the invention for a specific period of time (generally 20 years)
• Strongest form of intellectual property protection.
• Protects novel, useful, and nonobvious inventions.
• Requires formal application to a government entity.
• When the patent is granted it is published in the public domain, to stimulate other innovations.
• When the patent expires the protection ends and the invention enters the public domain.
• WIPO, a part of the United Nations (UN), is in charge of the filing and processing of international patents.

Trademark
• Designed to protect the goodwill an organization invests in its products, services, or image.
• Allows exclusive rights to the owner of markings that the public uses to identify a vendor, merchant, products, or goods.
• Can consist of any word, name, symbol, color, sound, product shape, device, or combination of these.
• Must be distinctive and cannot mislead or deceive consumers or violate public order or morality.
• Registered with the government registrar
• WIPO oversees international trademark efforts.

Copyright
• Covers the expression of ideas rather than the ideas themselves.
• Protects artistic property such as writing, recordings, databases, and computer programs.
• In many countries, once the work or property is completed or in a tangible form, the copyright protection is automatically assumed.
• Weaker than patent protection, but duration is longer. (50 years after the creator’s death or 70 years total under US law)
• If the artist’s country is a member of the international Berne Convention then the protection afforded will be the minimum level afforded in all participating countries.

Trade Secret
• Refers to proprietary business or technical information, processes, designs, practices, etc. that are confidential and critical to the business. (Pepsi’s secret formula)
• To be categorized as a trade secret it must not be generally known and must provide economic benefit to the company.
• Reasonable steps must be taken to protect its secrecy.
• In a dispute, the contents of the trade secret do not need to be disclosed.
• Often the main complaint in industrial and economic espionage cases.

Import/Export
• Some software may be illegal to import or export. An example is some types of encryption software.
• Information security professionals should check local laws, especially when working internationally (or choosing employees or datacenters overseas).

Trans-Border Data Flow
• As information moves between systems or cloud hosting companies, the location where the data is stored matters.
• If the information is transferred and/or stored in 3 countries, you may have to deal with three or more jurisdictions and three different legal systems.
• If the organization that owns the server is based in a different country, sometimes their home country can gain jurisdiction over the server even if it’s in another country.

Privacy
• A lot of personally identifiable information (PII) is stored online or electronically.
• Data compromises happen often.
• There are now many regulations for the responsible protection, use, and transfer of PII.
• An example of a common guideline is the Organization for Economic Cooperation and Development (OECD). (Pages 1185-1187. Read it)

Employee Monitoring and Surveillance
• Monitoring of employees must be done carefully.
• On the one hand you need to curb abuse, theft, etc. (Due Diligence)
• On the other hand the employee has rights to privacy.
• Over-monitoring can cause hostile employees. (This is bad)
• The EU created 7 principles called the Directive on Data Protection which is a guideline for monitoring. These regulations are similar to the ones in the US, Canada, and the UK and can be used as a guideline.

Directive on Data Protection
• Notice: Individuals must be informed about what is collected and the uses for the information.
• Choice: Individuals must be given the opportunity to decline data sharing with 3rd parties or use for purposes not stated in the notice.
• Onward transfer: 3rd parties receiving data must also subscribe to this directive.
• Security: Organizations must take reasonable precautions to protect personal data from loss, misuse, unauthorized access, disclosure, alteration, and destruction.
• Data Integrity: Data should be reliable and only the data necessary should be collected.
• Access: Individuals must have access to the personal information about them. They must be able to correct, amend, or delete the information.
• Enforcement: A compliance program must exist to enforce this directive.

Professional Ethics
• The creation of computers started a large debate on ethics.
• Computers can be used inappropriately and can replace humans, which could cause widespread job loss.
• Another fear is that humans will become seen more as machines and will be treated as such.
• Quite a few regulations exist regarding professional ethics.
• Ethics programs can be very beneficial. If an ethics program is in place then some criminal cases will have substantially reduced penalties.
• The FSGO has requirements to show that an ethics program is continuously being improved and that it is effective.
Computers in the Workplace
• Computers can pose a threat to jobs.
• People may feel they are being replaced.
• Computers require operators, which changes many of the jobs to require different skills.

Computer Crime
• Criminals can reach systems from anywhere in the world, and the payoffs are larger.
• An inside employee can steal all the company data and walk out with it in his/her pocket.

Privacy and Anonymity
• Private information is passed around constantly. People like their privacy and have concerns about data being shared and what can be inferred based on data from different sources.

Intellectual Property
• Ethics around IP are tough.
• People like music and software to be free, but companies, programmers, and artists won’t create the IP if they won’t get their investment back in licenses, fees, or profit of some sort.

Computer Game Fallacy
• Computer users tend to think that computers will generally prevent them from cheating and doing wrong.
• Programmers believe that an error in programming syntax will prevent the program from working. So if the program works then it must be working correctly.

Law-Abiding Citizen Fallacy
• Users sometimes confuse what is legal with regard to computer use with what is reasonable behavior for using a computer.
• Users do not realize that they have a responsibility to consider the ramifications of their actions and to behave accordingly.

Shatterproof Fallacy
• Most computer users believe that they can do little harm accidentally with a computer.
• If a user sends a mass mailing which is discriminatory, this could hurt a large group of people.
• Most people realize that certain activities in public are illegal, but still do them online thinking it’s ok or anonymous.
• Ultimately users don’t consider the impact of their actions before doing them.

Candy-from-a-Baby Fallacy
• Stealing software, books, etc. is very easy on a computer.
• Copying retail software without paying for it is theft.
• Just because it’s easy and it may be hard to catch you doesn’t mean it’s ethical, legal, or acceptable.

Hacker Fallacy
• Commonly accepted hacker belief is that it’s acceptable to do anything with a computer as long as the motivation is to learn and not to gain a profit.

Free Information Fallacy
• Notion that “information wants to be free.”
• Copying and distribution of data is completely under the control of the people who do it and the people who allow it to happen.

Hacking and Hacktivism
• A hacker was originally a person who sought to understand computers as thoroughly as possible. Soon hacking came to be associated with phreaking (breaking into phone networks to make free calls, etc.), which is illegal.

MIT Hacker Ethic
• Access to computers should be unlimited and total.
• All information should be free.
• Authority should be mistrusted and decentralization promoted.
• Hackers should be judged solely by their skills at hacking, rather than by race, class, age, gender, or position.
• Computers can be used to create art and beauty.
• Computers can change your life for the better.

Various Codes of Ethics
• Most professional organizations have their own code of ethics.
• I’m not going to re-type 20 pages. Read up on these (1203-foo)
  • The Code of Fair Information Practices
  • Internet Activities Board
  • Computer Ethics Institute
  • National Conference on Computing and Values
  • The Working Group on Computer Ethics
  • National Computer Ethics and Responsibilities Campaign (NCERC)
  • ISC Code of Professional Ethics (1208-1209)

Ethics Principles
• Treat others as you wish to be treated
• If an action is not right for everyone, it is not right for anyone.
• If an action is not repeatable at all times, it is not right at any time.
• Take the action that achieves the most good.
• Incur the least harm or cost
• Do no harm
• Assume that all property and information belongs to someone.
• Is it against the law?
• Is the action contrary to codes of ethics?
• Is there hard evidence to support or deny the value of taking an action?
• Let the people affected decide
• Will the costs and benefits be equitably distributed?
• Are you comparing against competing companies?
• Compassion
• Are decisions biased in favor of one group?
• Full disclosure
• Can the data be adequately protected to avoid disclosure?
• Does IT stand behind ethical principles?

Ethical Conflicts
• If you need to do something that may be perceived as unethical, inform all parties about your intentions. (Preferably in writing)
• If a conflict exists between two codes of ethics, the higher ethic wins.
• Consider precedence. An action taken by you on a small scale could result in significant harm if carried out on a larger scale. (But TIM did it so we 98 million people thought it was ok to ping google too!)
• Whoever owns or is responsible for information must ensure that it is reasonably protected and that users are aware of how to use it responsibly.
• As an information user, always assume others own it and that their interests must be protected unless explicitly notified that the information is able to be used freely.
  • 56. Computer Forensics • Digital Investigations can become court cases. • Phases of an investigation: • • • • Identify Evidence (Also protect the scene) Collect Evidence Examine Evidence Present Findings • Live evidence is digital evidence gathered from a running system or process (RAM) • Dead evidence is from a shutdown/at rest system (hard Disk) • Only individuals with knowledge of basic crime scene analysis should be allowed to deal with the scene.
General Forensic Guidelines
• Upon seizing digital evidence, actions taken should not change that evidence.
• When it is necessary for a person to access original digital evidence, that person should be trained for the purpose.
• All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review.
• An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in his possession.
• Any agency that is responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles.
More General Forensic Guidelines
• Minimize handling/corruption of original data.
• Account for any changes and keep detailed logs of your actions.
• Comply with the five rules of evidence.
• Do not exceed your knowledge.
• Follow your local security policy and obtain written permission.
• Capture as accurate an image of the system as possible.
• Be prepared to testify.
• Ensure your actions are repeatable.
• Work fast.
• Proceed from volatile to persistent evidence.
• Do not run any programs on the affected system.
Incident Handling
• Triage phase
  • Determine if this is a real incident.
• Investigative phase
  • Containment
  • Analysis and tracking
• Recovery phase
  • Recover/repair the system and prevent the incident from recurring.
Chain of Custody
• Refers to who, what, when, where, and how the evidence was handled throughout the entire case lifecycle, from the first person on the scene until the court case is over.
• For digital evidence, file hashes are very common and useful. Use SHA-256 hashes to prove files have not changed since the initial gathering time.
• Have chain of custody forms where people sign evidence over to each other.
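The chain of custody slide above combines two controls: a hash frozen at collection time and a sign-over record at every hand-off. The following Python is an added example written for this training and is not part of the CISSP CBK or the original deck; it models a custody form as an in-memory ledger in which each transfer re-hashes the item and is refused if the SHA-256 no longer matches the collection record. The evidence bytes and the names of the responders are constructed for illustration.

```python
"""Chain-of-custody ledger for digital evidence, keyed on SHA-256 hashes.

Added example (not from the CISSP CBK). Every hand-over re-hashes the
item and refuses the transfer if the digest no longer matches the value
recorded at collection time, so a change to the evidence is caught at the
moment custody changes rather than later in court.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an evidence item held in memory."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    """One line of the custody log: who did what to the item, and when."""
    timestamp: str
    action: str          # "collected", "verified", "transferred", "REJECTED"
    actor: str           # person performing the action
    holder: str          # person in possession after the action
    sha256: str          # digest observed at the time of the action
    note: str = ""


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    collection_hash: str          # digest frozen at seizure, never updated
    holder: str                   # current custodian
    log: list = field(default_factory=list)


class CustodyLedger:
    """In-memory stand-in for the paper custody form the slide describes."""

    def __init__(self):
        self.items = {}           # item_id -> EvidenceItem

    @staticmethod
    def _now() -> str:
        return datetime.now(timezone.utc).isoformat(timespec="seconds")

    def collect(self, item_id: str, description: str, data: bytes,
                collector: str, location: str) -> EvidenceItem:
        """Record first possession and freeze the collection-time hash."""
        digest = sha256_hex(data)
        item = EvidenceItem(item_id, description, digest, collector)
        item.log.append(CustodyEntry(self._now(), "collected", collector,
                                     collector, digest, f"seized at {location}"))
        self.items[item_id] = item
        return item

    def verify(self, item_id: str, data: bytes, actor: str) -> bool:
        """Re-hash the item; True only if it matches the collection hash."""
        item = self.items[item_id]
        digest = sha256_hex(data)
        ok = digest == item.collection_hash
        item.log.append(CustodyEntry(
            self._now(), "verified" if ok else "REJECTED", actor, item.holder,
            digest, "" if ok else "hash mismatch against collection record"))
        return ok

    def transfer(self, item_id: str, from_holder: str, to_holder: str,
                 data: bytes) -> bool:
        """Sign the item over; the receiver witnesses the hash check first."""
        item = self.items[item_id]
        if item.holder != from_holder:
            raise ValueError(f"{from_holder} does not currently hold {item_id}")
        if not self.verify(item_id, data, to_holder):
            return False          # custody unchanged; REJECTED entry is logged
        item.holder = to_holder
        item.log.append(CustodyEntry(self._now(), "transferred", from_holder,
                                     to_holder, item.collection_hash,
                                     f"{from_holder} -> {to_holder}"))
        return True


if __name__ == "__main__":
    # Constructed sample: stands in for a disk image read from the seized drive.
    image = b"constructed sample disk image bytes"
    ledger = CustodyLedger()
    ledger.collect("HD-001", "laptop hard disk image", image,
                   "A. Responder", "desk 12")
    ledger.transfer("HD-001", "A. Responder", "B. Examiner", image)
    ledger.transfer("HD-001", "B. Examiner", "C. Counsel", image + b"x")
    for entry in ledger.items["HD-001"].log:
        print(entry.timestamp, entry.action, entry.actor, "->", entry.holder,
              entry.sha256[:12], entry.note)
```

The collection hash is deliberately never overwritten: a mismatch produces a REJECTED log line and leaves custody with the previous holder, which is exactly the record a court would want to see when asking whether the evidence changed between seizure and presentation. For real media, hash the image file in chunks rather than reading it into memory, and keep the log on write-once storage separate from the evidence itself.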
Interviewing
• Interviewing witnesses and suspects is delicate.
• Before starting the interview, review policies, notify management, and consult legal counsel.
• Never conduct the interview alone.
• Preferably videotape the interview.
• Have an expert do it if at all possible. (Risk is high, don't mug yourself.)
• Legal counsel should be in the room.
Reporting and Documenting
• A clear report should be written.
• Assume it will be read in court with the media watching.
• Once the whole incident is wrapped up, review the incident and try to learn some lessons:
  • How could it have been avoided?
  • How did the incident response go? Could we have done better?
  • How did the forensic case go?
Forensic Procedure
• Evidence should have some sort of value.
• Evidence should be relevant to the case at hand.
• Should meet the five rules of evidence:
  • Be authentic
  • Be accurate
  • Be complete
  • Be convincing
  • Be admissible
Media Analysis
• Involves recovery of evidence from information media.
• Hard drives, DVDs, CD-ROMs, portable memory devices.
• Media may have been damaged, overwritten, degaussed, or reused.
• If the investigator is unable to collect sufficient evidence, media forensic investigators exist to help. (Very expensive.)
Network Analysis
• Analysis and examination of data from network logs and network activity for use as potential evidence.
• Must have proper evidence collection and handling (chain of custody) for the evidence to be admissible.
Software Analysis
• Analysis of program code (source code, compiled code, machine code, etc.).
• Decompiling and reverse engineering are often used.
• Can locate author identification, author attributes, programming styles, etc.
Hardware/Embedded Device Analysis
• Smart phones, PDAs, CMOS chips, etc. can all be useful as evidence.