Legal & regulatory issues for information security

Objectives:

At the end of this episode, I will be able to:

Understand and apply the recommended guidance pertinent to how to identify

legal & regulatory issues for information security in areas such as Intellectual
Property and export controls through your daily practice as an information
security professional.

External Resources:

Understand legal and regulatory issues that pertain to information security in

a holistic context

1. Cyber crimes and data breaches

When assessing the effect of cybercrime, you need to evaluate areas such as:

a. Loss of intellectual property and / or sensitive data

b. Damage to brand image/reputation
c. Penalties and compensatory payments
d. Cost of countermeasures

Event - something that has happened

Incident - some sort of occurrence or event that has a negative outcome (ITIL)

Breach - an occurrence or event that has a negative outcome

Disclosure - making "secret" information public

2. Licensing and intellectual property requirements

Patent - A patent is a set of exclusive rights granted by a sovereign state or

intergovernmental organization to an inventor or assignee for a limited period
of time (typically 20 years) in exchange for detailed public disclosure of an
invention. An invention is a solution to a specific technological problem and
is a product or a process.

Copyright - protects published or unpublished original work from unauthorized

duplication without due credit and compensation. Copyright covers not only books
but also advertisements, articles, graphic designs, labels, letters
(including emails), lyrics, maps, musical compositions, product designs, etc.

Works Created on or after January 1, 1978 -

The law automatically protects a work that is created and fixed in a tangible
medium of expression on or after January 1, 1978, from the moment of its creation
and gives it a term lasting for the author’s life plus an additional 70 years.
For a “joint work prepared by two or more authors who did not work for hire,” the
term lasts for 70 years after the last surviving author’s death.

For works made for hire and anonymous and pseudonymous works, the duration of
copyright is 95 years from first publication or 120 years from creation, whichever
is shorter (unless the author’s identity is later revealed in Copyright Office
records, in which case the term becomes the author’s life plus 70 years).

According to the major international intellectual-property protection treaties

(Berne Convention, Universal Copyright Convention, and WIPO Copyright Treaty)
five rights are associated with a copyright, the right to:
(1) Reproduce the work in any form, language, or medium
(2) Adapt or derive more works from it
(3) Make and distribute its copies
(4) Perform it in public
(5) Display or exhibit it in public

Trademark - a recognizable sign, design, or unique expression related to

products or services of a particular source from those of others, usually
called service marks.

3. Import/export controls

International Traffic in Arms Regulations (ITAR) - What is considered exportable

Export Administration Regulations (EAR) - Under what conditions can we export

The Wassenaar Arrangement - Dual-Use Goods

4. Trans-border data flows

OECD Declaration on Transborder Data Flows, OECD Digital Economy Paper

No. 1 (Apr. 11, 1985)

"Rapid technological developments in the field of information, computers and

communications are leading to significant structural changes in the economies of
Member countries. Flows of computerized data and information are an important
consequence of technological advances and are playing an increasing role in
national economies. With the growing economic interdependence of Member
countries, these flows acquire an international dimension, known as transborder
data flows."

5. Privacy

Organization for Economic Cooperation and Development (OECD) Guidelines

Eight Core Principles

1. Collection Limitation
2. Data Quality
3. Purpose Specification
4. Use Limitation
5. Security Safeguards
6. Openness
7. Individual Participation
8. Data Controller Accountability