In this course we cover a few laws, policies, and regulations you should be familiar with because they may influence your implementation of the Risk Management Framework process.

Let's start with the Privacy Act. The Privacy Act balances the government's need to maintain information about individuals against the rights of the individual. The Act focuses on four basic policy objectives: restrict disclosure, increase rights of access to agency records, grant individuals the right to seek amendment of their records, and establish a code of fair information practices. It was originally passed in 1974 as a response to the Watergate scandal and now covers personally identifiable information that the US government uses and retains in the normal course of its activities.

Next, we have the Computer Fraud and Abuse Act. It was intended to reduce cracking of computer systems and to address federal computer-related offenses. It governs cases with a compelling federal interest: where computers of the federal government or certain financial institutions are involved, where the crime itself is interstate in nature, or where computers are used in interstate or foreign commerce. In theory, the only computers covered by the Computer Fraud and Abuse Act are protected computers, which are defined as a computer exclusively for the use of a financial institution or the United States government, or any computer when the conduct constituting the offense affects the computer's use by or for the financial institution or the government, or a computer which is used in or affecting interstate or foreign commerce or communications, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communications of the United States. However, in practice and through multiple court cases over the past 25 years, virtually any ordinary computer has come under the jurisdiction of this law, including cell phones, because nearly all internet communications today are interstate in nature.

Next we have the Electronic Communications Privacy Act of 1986. This extended the government's restrictions on wiretaps from telephone calls to include the transmission of electronic data by computers. It added new provisions prohibiting access to stored electronic communications, and it added so-called pen register and trap-and-trace provisions that permit the tracing of telephone communications. "Electronic communication" means any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectric, or photo-optical system that affects interstate or foreign commerce. It excludes wire or oral communications, communications made through a tone-only paging device, communications from a tracking device, and electronic funds transfer information stored by a financial institution in a communication system used for the electronic storage and transfer of funds. Title I of the Electronic Communications Privacy Act protects wire, oral, and electronic communications while in transit. It sets down requirements for search warrants that are more stringent than those in other settings. Title II of the Electronic Communications Privacy Act, called the Stored Communications Act, protects communications held in electronic storage, most notably messages stored on computers. Its protections are weaker than those of Title I and do not impose heightened standards for warrants. Title III of the Electronic Communications Privacy Act prohibits the use of pen registers and trap-and-trace devices to record dialing, routing, addressing, and signaling information used in the process of transmitting wire or electronic communications without a court order.

Here we have the Computer Security Act of 1987, also known as Public Law 100-235, 101 Stat. 1724. This is the one you've probably heard the most about and are probably most familiar with. It improves the security and privacy of sensitive information in federal systems and helps federal agencies establish standards and guidelines under the direction and guidance of the National Institute of Standards and Technology. It requires that any federal computer system that processes sensitive information have a customized System Security Plan (SSP) and an Assessment and Authorization (A&A), previously known as a Certification and Accreditation (C&A), package. It also requires that users of those systems undergo initial and annual security awareness training. The act assigned the National Institute of Standards and Technology (NIST), at the time named the National Bureau of Standards, to develop standards of minimum acceptable practices with the help of the National Security Agency. It required the establishment of security policies for federal computer systems that contain sensitive information and mandated security awareness training for federal employees who use those systems. Under Public Law 100-235, NIST is responsible and NSA advises in assessing the vulnerability of federal computer systems, developing standards, providing technical assistance with National Security Agency support, and developing training guidelines for federal employees.

On this slide, we're showing the Information Technology Management Reform Act of 1996, also known as the Clinger-Cohen Act. This has played a critical role in the evolution of security policy. It requires a Chief Information Officer (CIO) for each agency, and it also requires that agencies have some form of Enterprise Architecture, for example the Office of Management and Budget (OMB) Federal Enterprise Architecture or the Department of Defense Architecture Framework (DoDAF). It also requires annual IT reporting to Congress. This Act implemented the Capital Planning and Investment Control (CPIC) IT planning and budget process; it granted the Director of the Office of Management and Budget (OMB) authority to oversee the acquisition, use, and disposal of IT by the federal government; it established a Chief Information Officer position in every department and agency in the federal government; it established the CIO Council, made up of the 28 major agencies and OMB; and it defined an IT architecture for evolving and acquiring IT. Under this act, OMB grades IT projects and funds them accordingly. The graph on this slide links the implementation of system security and management using the various elements of the Clinger-Cohen Act (CCA).

Here we have the USA PATRIOT Act of 2001, the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act. This amended the definition of electronic surveillance to exclude the interception of communications to or from a protected computer where the owner allows the interception or is lawfully involved in an investigation.

The Federal Information Security Management Act, Title III of the E-Government Act of 2002, Public Law 107-347, is where OMB's oversight of e-government was established. It requires federal agencies and their inspectors general to report their information assurance status to the Office of Management and Budget annually and quarterly. OMB provides reports to Congress annually, and Congress issues cybersecurity grades. Here we have the Federal Information Security Modernization Act, FISMA 2014, which updates the federal government's cybersecurity practices by codifying the Department of Homeland Security as the authority to administer the implementation of information security policies for non-national-security federal executive branch systems, including providing technical assistance. It also amended and clarified the Office of Management and Budget's oversight authority over federal agency information security practices, and it required OMB to amend or revise OMB Circular A-130 to eliminate inefficient and wasteful reporting. All the security policies and practices in the federal government trace their roots back to the Federal Information Security Management Act, FISMA. FISMA itself represents the culmination of a decade-long legislative trail that includes such relics as the Computer Security Act of 1987 and the Government Information Security Reform Act.

These are some additional laws you should be familiar with. The Gramm-Leach-Bliley Act (GLBA) requires financial institutions, meaning companies that offer consumer financial products or services like loans, financial or investment advice, or insurance, to explain their information-sharing practices to their customers and to safeguard sensitive information. GLBA somewhat relaxed the regulations concerning the services each organization could provide. When Congress passed this law, it realized that this increased latitude could have far-reaching privacy implications. Because of this concern, it included a number of limitations on the type of information that could be exchanged, even among subsidiaries of the same corporation, and it requires financial institutions to provide written privacy policies to all their customers.

You also have the Sarbanes-Oxley Act. The act was designed to oversee the financial reporting landscape for financial professionals. Its purpose is to review legislative audit requirements and to protect investors by improving the accuracy and reliability of corporate disclosures. It is a legislative response to a number of corporate scandals, like Enron, that sent shock waves through the world financial markets. Sarbanes-Oxley requires that the management of public companies assess the effectiveness of the issuer's internal controls over financial reporting. Section 404(b) requires a publicly held company to have its auditors attest to and report on management's assessment of its internal controls. The act is administered by the Securities and Exchange Commission, which sets deadlines for companies and publishes rules on requirements. Sarbanes-Oxley is not a set of business practices and does not specify how a business should store records. Rather, it defines which records are to be stored and for how long.

The Health Insurance Portability and Accountability Act (HIPAA) has privacy and security provisions requiring strict security measures for hospitals, physicians, insurance companies, and other organizations that process or store private medical information, known as Protected Health Information (PHI), about individuals. HIPAA also clearly defines the rights of individuals who are the subject of medical records and requires organizations that maintain these records to disclose those rights in writing. Protected health information (PHI) is individually identifiable health information created or received by health care providers, health plans, or health care clearinghouses that relates to the past, present, or future physical or mental health condition of an individual, and for which there is a reasonable basis to believe the information can be used to identify the individual.

The Health Information Technology for Economic and Clinical Health (HITECH) Act updated many of HIPAA's privacy and security requirements. One of the changes it mandated is in the way the law treats business associates, which are organizations that handle protected health information on behalf of a HIPAA covered entity. Any relationship between a covered entity and a business associate must be governed by a written contract known as a Business Associate Agreement (BAA). Under HITECH, business associates are directly subject to HIPAA and to HIPAA enforcement actions in the same manner as a covered entity. HITECH also introduced new data breach notification requirements. Under the HITECH Breach Notification Rule, HIPAA covered entities that experience a data breach must notify the affected individuals of the breach, and must also notify both the Secretary of Health and Human Services and the media when the breach affects 500 or more individuals.

In summary, in this course we discussed several laws, policies, and regulations that impact a Risk Management Framework implementation. We highlighted the Privacy Act, the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, the Computer Security Act, the Information Technology Management Reform Act, the USA PATRIOT Act, FISMA (both the Federal Information Security Management Act of 2002 and the Federal Information Security Modernization Act of 2014), the Gramm-Leach-Bliley Act, Sarbanes-Oxley, the Health Insurance Portability and Accountability Act, and HITECH, the Health Information Technology for Economic and Clinical Health Act.