1
00:00:00,005 --> 00:00:02,004
- [Narrator] Information security professionals

2
00:00:02,004 --> 00:00:05,000
increasingly find themselves becoming legal

3
00:00:05,000 --> 00:00:08,000
and regulatory compliance experts.

4
00:00:08,000 --> 00:00:11,001
As governments and other regulators become more aware

5
00:00:11,001 --> 00:00:14,003
of the impact that information security may have

6
00:00:14,003 --> 00:00:17,009
on the confidentiality, integrity and availability

7
00:00:17,009 --> 00:00:22,000
of information, these agencies continue to create laws

8
00:00:22,000 --> 00:00:26,005
and regulations that seek to enforce security safeguards.

9
00:00:26,005 --> 00:00:29,004
There are four main types of compliance obligations

10
00:00:29,004 --> 00:00:31,005
that you'll need to be familiar with:

11
00:00:31,005 --> 00:00:36,001
criminal law, civil law, administrative law

12
00:00:36,001 --> 00:00:38,004
and private regulations.

13
00:00:38,004 --> 00:00:42,000
Criminal law is designed to deter people from taking actions

14
00:00:42,000 --> 00:00:44,005
that would be detrimental to society

15
00:00:44,005 --> 00:00:48,001
and to punish those who do take such actions.

16
00:00:48,001 --> 00:00:50,005
Criminal offenses include a wide range

17
00:00:50,005 --> 00:00:54,004
of unacceptable activities, such as murder, robbery,

18
00:00:54,004 --> 00:00:59,001
hacking, insider trading and espionage.

19
00:00:59,001 --> 00:01:01,008
Criminal laws have one important characteristic

20
00:01:01,008 --> 00:01:04,008
that is not found in any other type of law.

21
00:01:04,008 --> 00:01:08,001
Violations of criminal law may be punishable

22
00:01:08,001 --> 00:01:10,002
by the deprivation of liberty,

23
00:01:10,002 --> 00:01:13,001
such as a jail sentence or probation.
24
00:01:13,001 --> 00:01:16,004
Criminal laws must be created by a legislative body

25
00:01:16,004 --> 00:01:18,007
at the national, state or local level,

26
00:01:18,007 --> 00:01:21,003
such as the United States Congress.

27
00:01:21,003 --> 00:01:25,003
Civil law is designed to resolve disputes among individuals,

28
00:01:25,003 --> 00:01:28,007
organizations and/or government agencies.

29
00:01:28,007 --> 00:01:32,001
Civil laws cover almost any matter that is not addressed

30
00:01:32,001 --> 00:01:37,001
by criminal law, including liability claims, estate probate,

31
00:01:37,001 --> 00:01:40,003
contractual disputes and other matters.

32
00:01:40,003 --> 00:01:43,004
As with criminal laws, civil laws must be passed

33
00:01:43,004 --> 00:01:47,002
by a legislative body, but civil laws do not provide

34
00:01:47,002 --> 00:01:49,006
for the possibility of jail time.

35
00:01:49,006 --> 00:01:53,000
The most common outcomes of a successful civil lawsuit

36
00:01:53,000 --> 00:01:56,000
are monetary damages or orders by the court

37
00:01:56,000 --> 00:02:00,000
that someone perform or refrain from an action.

38
00:02:00,000 --> 00:02:03,000
Administrative law allows for the effective operation

39
00:02:03,000 --> 00:02:06,005
of government by allowing executive branch agencies

40
00:02:06,005 --> 00:02:08,003
to promulgate regulations

41
00:02:08,003 --> 00:02:11,003
that facilitate carrying out their duties.

42
00:02:11,003 --> 00:02:15,002
These regulations often provide details missing from the law

43
00:02:15,002 --> 00:02:19,002
or provide procedural rules for the operation of government.

44
00:02:19,002 --> 00:02:21,008
For example, the Health Insurance Portability

45
00:02:21,008 --> 00:02:24,009
and Accountability Act, HIPAA, provides criminal

46
00:02:24,009 --> 00:02:28,003
and civil law governing the uses of health information

47
00:02:28,003 --> 00:02:31,004
but doesn't go into great detail.
48
00:02:31,004 --> 00:02:34,003
The Centers for Medicare and Medicaid Services publishes

49
00:02:34,003 --> 00:02:38,003
security and privacy regulations that provide the specific

50
00:02:38,003 --> 00:02:41,004
requirements that covered entities must follow.

51
00:02:41,004 --> 00:02:43,006
Those security and privacy regulations

52
00:02:43,006 --> 00:02:46,004
are an example of administrative law.

53
00:02:46,004 --> 00:02:49,005
At the federal level, administrative law is found

54
00:02:49,005 --> 00:02:53,001
in the Code of Federal Regulations or CFR.

55
00:02:53,001 --> 00:02:56,002
Private regulations also govern many activities

56
00:02:56,002 --> 00:02:59,000
of individuals and organizations.

57
00:02:59,000 --> 00:03:02,005
These regulations don't have the force of law on their own,

58
00:03:02,005 --> 00:03:06,000
but compliance is often required by contract.

59
00:03:06,000 --> 00:03:08,005
The most common example of a private regulation

60
00:03:08,005 --> 00:03:10,004
in the world of cyber security

61
00:03:10,004 --> 00:03:13,004
is the Payment Card Industry Data Security Standard

62
00:03:13,004 --> 00:03:15,009
or PCI DSS.

63
00:03:15,009 --> 00:03:19,003
PCI DSS was created by a consortium of companies

64
00:03:19,003 --> 00:03:22,007
without the involvement of a government agency.

65
00:03:22,007 --> 00:03:26,000
This consortium then included language in the contracts

66
00:03:26,000 --> 00:03:28,009
for those accepting and processing credit cards

67
00:03:28,009 --> 00:03:32,005
that requires compliance with PCI DSS.

68
00:03:32,005 --> 00:03:36,001
Remember that in the United States, the highest form of law

69
00:03:36,001 --> 00:03:38,001
is the U.S. Constitution.

70
00:03:38,001 --> 00:03:41,002
The most common intersection between security professionals

71
00:03:41,002 --> 00:03:43,004
and constitutional law involves

72
00:03:43,004 --> 00:03:46,001
the Fourth Amendment to the Constitution.
73
00:03:46,001 --> 00:03:49,003
Part of the Bill of Rights, it reads, in part,

74
00:03:49,003 --> 00:03:52,006
"The right of the people to be secure in their persons,

75
00:03:52,006 --> 00:03:57,001
houses, papers, and effects, against unreasonable searches

76
00:03:57,001 --> 00:04:00,002
and seizures, shall not be violated..."

77
00:04:00,002 --> 00:04:02,009
The Fourth Amendment comes into play any time

78
00:04:02,009 --> 00:04:06,004
that government agents, including law enforcement officers,

79
00:04:06,004 --> 00:04:09,008
wish to collect private information from computing systems

80
00:04:09,008 --> 00:04:11,008
without the owner's consent.

81
00:04:11,008 --> 00:04:14,003
If they do this without a warrant, they run the risk

82
00:04:14,003 --> 00:04:17,001
of the evidence being inadmissible in court.

83
00:04:17,001 --> 00:04:21,002
The Federal Information Security Management Act, FISMA,

84
00:04:21,002 --> 00:04:24,000
is a law that governs information security matters

85
00:04:24,000 --> 00:04:27,006
for federal agencies and government contractors.

86
00:04:27,006 --> 00:04:30,003
It requires the creation of security programs

87
00:04:30,003 --> 00:04:33,003
throughout the federal government and provides details

88
00:04:33,003 --> 00:04:36,009
on the controls necessary to run information systems

89
00:04:36,009 --> 00:04:40,005
that are categorized as FISMA High, FISMA Moderate

90
00:04:40,005 --> 00:04:41,006
or FISMA Low.