Module 3 - Information Security Framework
This course looks at where the security function fits within the organizational structure and the role of the Information Security Officer in developing information security policies, standards and procedures. It then provides an understanding of the principles of information security governance, how to carry out a security audit and the importance of stakeholder engagement in implementing the organization’s information assurance programme. Finally, it looks at the incident management process and investigates the role digital forensics play in this, before reviewing the legal framework information security operates within.
The objectives of this course are to provide you with an understanding of:
- Where the security function fits within the organizational structure
- The role of the Information Security Officer
- Developing information security policies, standards and procedures
- The principles of information security governance
- How to carry out a security audit
- Implementing an information assurance programme and the importance of stakeholder engagement
- The incident management process and the role of digital forensics
- The legal information security framework
- Information assurance standards and how they should be applied within an organization
This course is ideal for members of information security management teams, IT managers, security and systems managers, information asset owners and employees with legal compliance responsibilities. It acts as a foundation for more advanced managerial or technical qualifications.
There are no specific prerequisites for studying this course; however, basic knowledge of IT, an understanding of the general principles of information technology security, and awareness of the issues involved in security control activity would be advantageous.
We welcome all feedback and suggestions - please contact us at firstname.lastname@example.org if you are unsure about where to start or if you would like help getting started.
Welcome to this video on the legal framework.
There are many general principles of law, legal jurisdiction and guidelines that affect information security management. These cover a broad spectrum from the security implications of handling personal data, to the misuse of computers and the handling of an organization’s intellectual property.
This video will take a brief tour through the legal framework by looking at:
· The organizations that have legal authority in the EU and United States;
· Data protection legislation, including the General Data Protection Regulation;
· Employment issues and employee rights;
· Copyright and intellectual property legislation; and
· The Computer Misuse Act.
We’ll also look at some of the important digital considerations, including the collection of admissible evidence, securing digital signatures and the restrictions on the purchase, use and movement of cryptographic technology.
The Information Security Manager needs to understand who has legal authority over the organization and which laws the business must comply with. In the European Union, directives need to be implemented by member state law, although how they’re implemented can vary between member states.
Regulations, on the other hand, must be incorporated directly into member state law, with limited opportunity to deviate. This provides a more consistent implementation across member states.
In the US, Federal Laws apply nationally but state laws can vary. This adds a layer of complexity for organizations doing business in the US.
Due to the differences between laws in different countries, it’s advisable to seek legal advice before doing business in an unfamiliar territory.
The ISO/IEC 27000 series of standards contains guidance on complying with legal requirements in the following areas:
· Intellectual property rights;
· Records management;
· Data protection and privacy regulations;
· Prevention of misuse of information processing facilities; and
· Regulation of cryptographic technology and key material.
Ignorance of the law in a jurisdiction is not a legal defence.
Let’s start by looking at the laws which protect the collection and storage of personal and private data.
In the EU, the right to personal privacy is protected through the General Data Protection Regulation (GDPR). The UK Government adopted GDPR through the 2018 Data Protection Act.
The right to privacy, like other human rights in Europe, is derived from the European Convention on Human Rights which was incorporated into UK domestic law as the Human Rights Act 1998.
In the US, there’s no Federal overarching right of privacy, although there are Federal sector-based laws protecting privacy, such as the Health Insurance Portability and Accountability Act (HIPAA), which protects personal medical data. There are also state-based privacy laws.
Under GDPR, there’s provision to ensure that organizations processing and storing personal information adequately protect it, and that any transfer of information outside of the EU is handled in an appropriate way. This is significant for transfer of data to the US.
GDPR defines the roles of a Data Controller and a Data Processor. The Data Controller determines how it uses personal data and the Data Processor acts on the Data Controller’s behalf. They are responsible for, and must be able to demonstrate, compliance with GDPR.
GDPR places specific legal obligations on Data Processors, including the requirement to maintain records of personal data and processing activities. It applies to data processing carried out by organizations operating within the EU. It also applies to organizations outside the EU that offer goods or services to individuals in the EU. However, it doesn’t apply to processing covered by the Law Enforcement Directive, processing for national security purposes, or processing carried out by individuals purely for personal or household activities.
The Information Commissioner’s Office is the body in the UK responsible for upholding information rights under GDPR.
GDPR defines personal data as:
‘Any information relating to an identified or identifiable natural person (the ‘data subject’)…who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.’
GDPR applies to both automated personal data and manual filing systems, which includes chronologically ordered sets of manual records containing personal data. It also now includes online identifiers, for example an IP address.
Personal data that has been pseudonymised, for example, key-coded, can fall within the scope of GDPR if the pseudonym can be attributed to a specific individual.
Special category personal data is defined as:
‘Data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.’
As you can see, this includes genetic and biometric data used to identify an individual. Personal data relating to criminal convictions and offences is not included, but extra safeguards apply in these cases.
GDPR is based on six data protection principles:
· The first principle states that personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
· The second principle requires that any personal data collected is for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
· The third principle states that when personal data is collected or processed, it’s adequate, relevant and limited to what is necessary in relation to the purposes for which it’s processed.
· The fourth principle requires personal data to be accurate and, where necessary, kept up to date in relation to the purpose for which it’s processed.
· The fifth principle requires that personal data is kept for no longer than is necessary for the purposes for which it’s processed. When personal data is no longer needed it must be destroyed.
· The final principle requires data processors to process personal data in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organizational measures.
It’s the responsibility of the Data Controller to ensure that any processing of personal data complies with these six principles.
The lack of personal privacy protection at the Federal level in the US has caused problems for organizations in the EU wanting to transfer personal data to the US. In 2016, the European Commission and the United States agreed on a new framework for transatlantic data flows – the EU-US Privacy Shield. Switzerland also followed suit with the Swiss-U.S. Privacy Shield Framework.
These frameworks protect the fundamental rights of EU citizens where their data is transferred to the United States and ensure legal certainty for organizations.
The Privacy Shield program, which is administered by the International Trade Administration within the U.S. Department of Commerce, enables US-based organizations to join one or both Privacy Shield Frameworks and benefit from their adequacy determinations.
Whilst joining the Privacy Shield is voluntary, once an eligible organization makes the public commitment to comply with the requirements, the commitment will become enforceable under US law.
The rights of an individual staff member working for an organization are dictated by the laws of the country. In the UK and the EU, an employee has the right to have their privacy protected. This means that covert monitoring of emails, communications and personal conversations is not permitted. However, it can be undertaken on a case-by-case basis if there’s a compelling reason, for example, if fraud is suspected.
If covert monitoring is deemed necessary, the advice of the Legal department and the HR department should be sought and a data protection impact assessment for the target should be carried out.
Although not controlled through GDPR, some corporate documents, like board meeting minutes, financial records and technical documents, must be strictly controlled and retained for inspection over a pre-defined time period, which varies depending on the relevant legislation.
In some cases, legislation also dictates that data must be destroyed after a specified time period. An organization could be asked to produce records, or show proof of their destruction, in the event of a criminal investigation or legal dispute. Failure to produce the required information could lead to fines and even imprisonment of the data owner.
Whereas GDPR relates to personal data, Intellectual Property Rights (IPR) offer protection to individuals and companies for creative works they’ve produced. IPR can be used to protect many kinds of work, including literary works, like novels and plays, brands, product names, trademarks and logos.
Patents grant exclusive rights to exploit an ‘invention’ for a limited period, typically 20 years depending on the jurisdiction and type of patent. However, they’re costly and onerous to obtain and might not provide protection in certain jurisdictions.
An alternative, which is not always feasible, is to keep an invention confidential as a trade secret. However, this offers no legal protection if the secret becomes known. An NDA can also provide a legal remedy against revealing a trade secret.
Registered trademarks provide protection against someone else using an organization’s logos and identification marks. They help to maintain the distinctive identity of the organization as well as protecting its brand.
Copyright is the IPR protection that’s most widely used. Copyright protection is used to protect software programs and databases, in the same way that literary works and plays are protected. The duration of copyright protection differs depending on which country the work was created in. In the UK, the default period for copyright protection is the lifetime of the individual or organization that created it, plus an additional 70 years.
In many jurisdictions, copyright is assigned automatically to all published works, but it should be clearly stated on the work by the publisher to make sure there’s no ground for contesting it. In jurisdictions where there’s the ability to register a copyright, doing so will provide evidence of ownership.
Protecting copyright abroad is only possible in countries that have agreements to uphold the copyright laws of other countries.
When contracting a third party to provide a service, organizations should consider including clauses in the contract that directly relate to information security. These clauses should be legally binding and vetted by the legal department.
The areas that should be considered include:
· Regular assurance reviews, where representatives of the organization meet with the contractor to discuss how they comply with the organization’s information security requirements;
· Health checks, where the organization may request that the contractor’s systems are subject to a penetration test to ensure that they meet the expected baseline;
· A security patching schedule including the timeframe over which critical security patches are deployed;
· Staff vetting requirements; and
· How the contractor deals with reported incidents.
In relation to the contract, the following areas should be considered:
· A review of the security requirements in the context of the services being provided or the information being handled on the organization’s behalf; and
· The penalties imposed in the event of a breach and how ongoing business might be affected.
We’re now going to look at a range of other legal areas that affect information security, including:
· Access to computers;
· Sector specific regulations;
· Digital signatures; and
· Cryptographic technology.
Let’s start with access to computers.
The Computer Misuse Act (1990) was introduced in the UK to add three new criminal offences:
· Unauthorised access to a computer;
· Unauthorised access with the intent to facilitate further offences; and
· Unauthorised modification of computer material.
In the US, the 1984 Computer Fraud and Abuse Act provides a similar legal framework for prosecuting illegal activities where the crimes relate to computer misuse.
Sector-specific regulations relate to the control of operations in specific industries. For example, the UK Medicines and Healthcare Products Regulatory Agency (MHRA) specifies provisions for the pharmaceutical sector; in the US it’s the Food and Drug Administration (FDA).
The Payment Card Industry Data Security Standard (PCI-DSS) defines the requirements for storing and handling credit card information.
Some regulators have guidelines dictating that they should be informed of an incident or breach. In some cases, regulators may have the authority to suspend licenses whilst an investigation is underway.
Finally, let’s look at two areas that relate directly to maintaining the security and integrity of technology: digital signatures and cryptography.
Digital signatures are the electronic equivalent of handwritten signatures applied to electronic documents. In the EU, they’re legally binding if the underlying mechanism for creating them is trusted and approved.
Electronic signatures are admissible in court to support the authenticity of a message and are used to prove that a copy of data or a document being presented in court is the same as the original: the signature verifies against the copy only if the copy is exactly the same as the data that was originally signed.
Digital signatures provide several security advantages, including:
· Proof that the message is genuine;
· An indisputable time record of when a message was sent;
· Proof of who the sender is;
· Proof that there’s been no tampering with the content of the message; and
· Proof that the message was sent in the first place – which is known as non-repudiation.
Microsoft Word and Adobe PDF files allow documents with a digital signature to be shared amongst a group of people. These formats allow multiple recipients to digitally sign a document.
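As an added illustration that is not part of the course video, the following Python script shows the checks described above (a faithful copy verifies, a tampered copy fails, and the wrong signer’s key fails) using a toy, textbook-RSA signature over a SHA-256 digest. The document text, the primes used as key material and all function names are constructed for the example, and the scheme is not suitable for real use.

```python
"""Toy digital-signature check (added example, not course material).
Textbook RSA over fixed Mersenne primes, standard library only.  NOT a
secure scheme (no padding, fixed keys); real systems use a vetted library
(e.g. RSA-PSS or Ed25519).  It shows the video's claims: a signature binds
a document to a signer and to its exact content, so a faithful copy
verifies while a tampered copy, or a check against another signer's
public key, fails."""
import hashlib
from typing import NamedTuple

# Constructed key material: 2**127-1 and 2**521-1 are known Mersenne primes;
# their ~648-bit product comfortably holds a 256-bit SHA-256 digest.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537

class KeyPair(NamedTuple):
    n: int  # public modulus
    e: int  # public exponent
    d: int  # private exponent, held only by the signer

def make_keypair(p=P, q=Q, e=E):
    phi = (p - 1) * (q - 1)
    return KeyPair(p * q, e, pow(e, -1, phi))  # d = e^-1 mod phi

def digest(document: bytes) -> int:
    # Sign a fixed-size hash of the document rather than the document itself.
    return int.from_bytes(hashlib.sha256(document).digest(), "big")

def sign(document: bytes, key: KeyPair) -> int:
    return pow(digest(document), key.d, key.n)

def verify(document: bytes, signature: int, n: int, e: int) -> bool:
    # Anyone holding the public (n, e) can check.  Recomputing the digest
    # from the presented copy is what exposes any change to its content.
    return pow(signature, e, n) == digest(document)

# Constructed sample document and a copy with one altered figure.
ORIGINAL = b"Board minutes 2024-03-01: security budget of 1.2M approved."
TAMPERED = b"Board minutes 2024-03-01: security budget of 2.1M approved."

def demo():
    signer = make_keypair()
    sig = sign(ORIGINAL, signer)
    faithful_copy = verify(bytes(ORIGINAL), sig, signer.n, signer.e)
    tampered_copy = verify(TAMPERED, sig, signer.n, signer.e)
    other = make_keypair(2**89 - 1, 2**607 - 1)  # a different signer's key
    wrong_signer = verify(ORIGINAL, sig, other.n, other.e)
    return faithful_copy, tampered_copy, wrong_signer

if __name__ == "__main__":
    print(demo())  # (True, False, False)
```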
The use of cryptographic technology is essential for keeping information confidential, including when it’s in transit.
A government will often control how cryptographic technologies can be used and who’s allowed to use different strengths of algorithm. They’ll also control the export of cryptographic technologies to other nations, treating the stronger, proprietary algorithms with the same level of protection as they would for guns and missiles.
Suppliers of cryptographic technologies generally face strict export controls from the country they supply to.
The Wassenaar Arrangement was set up in 1996 to add a level of export control so that cryptographic technologies don’t fall into the wrong hands. It is designed to prevent countries that have signed up to the arrangement from selling strong cryptographic material to rogue governments or nations where the technology might be used against the selling nation.
If an organization is planning to implement encryption technologies, they should seek expert advice and ensure that they comply with all the local laws and regulations.
That’s the end of this video on the Legal Framework.
About the Author
Fred is a trainer and consultant specializing in cyber security. His educational background is in physics, having a BSc and a couple of master’s degrees, one in astrophysics and the other in nuclear and particle physics. However, most of his professional life has been spent in IT, covering a broad range of activities including system management, programming (originally in C but more recently Python, Ruby et al), database design and management as well as networking. From networking it was a natural progression to IT security and cyber security more generally. As well as having many professional credentials reflecting the breadth of his experience (including CASP, CISM and CCISO), he is a Certified Ethical Hacker and a GCHQ Certified Trainer for a number of cybersecurity courses, including CISMP, CISSP and GDPR Practitioner.