Which of the following are topics covered in Chapter 10? Check all that apply.

These requirements may also govern our processes or ability to collect information, pursue investigations, monitor networks, and any of a number of activities that we might wish to execute as part of our appointed roles. Companies that operate internationally may particularly feel the complexity of these issues, as the laws regarding data, employee information, use of encryption, and similar commonplace activities may actually change from one part of the enterprise to the next based on where they are located or the national laws based on the origin of data we are storing.


URL: https://www.sciencedirect.com/science/article/pii/B9780128007440000063

Securing Cloud Computing Systems

Cem Gurkok, in Computer and Information Security Handbook (Third Edition), 2017

Retaining Responsibility for the Accuracy of the Data

Laws and regulations will usually determine who in an organization should be responsible and held accountable for the accuracy and security of the data. If the customer is storing Health Insurance Portability and Accountability Act (HIPAA) data, then the customer must have a security-related post created to ensure compliance. The Sarbanes–Oxley Act assigns the Chief Financial Officer (CFO) and Chief Executive Officer (CEO) joint responsibility for the financial data. The Gramm-Leach-Bliley Act (GLBA) casts a wider net, making the entire board of directors responsible for security. The Federal Trade Commission (FTC) is less specific by only requiring a certain individual to be responsible for information security in a company.


URL: https://www.sciencedirect.com/science/article/pii/B9780128038437000636

Jason Sachowski, in Implementing Digital Forensic Readiness, 2016

With legal resources trained and educated in appropriate technology laws, organizations will be better equipped to determine if the findings of an investigation are credible enough to be upheld in a court of law or if additional actions are required. Throughout the investigation, legal advice could be required to facilitate decision-making related to the following issues.

Constraints

Laws and regulations exist that impose controls over the proper and effective use of digital evidence during an investigation. Generally, the three areas where legal advice can be provided include the following:

- Security controls resulting from laws and/or regulations that set a precedent to restrict the necessary identification and disclosure of information protected as privileged or confidential.

- Practices governing the identification and disclosure of information within a reasonable time frame when formal legal proceedings have been filed.

- Rules of evidence on the admissibility of information for legal proceedings.

Disputes

Depending on the nature of business performed, organizations can face commercial disputes over contractual commitment and obligations. When these disputes involve external entities such as business partners, competitors, shareholders, suppliers, or customers, consultation with the legal team is required to advise and guide the organization towards resolution.

Employees

The purpose of conducting a forensic investigation is not to find fault or blame in the actions of an employee. However, where an investigation reveals credible facts about the involvement of an employee, a decision must be made, based on the nature of the employee’s actions, on the most appropriate course of action to deal with the employee. Through consultation with the legal team, organizations can ensure that when it comes time to take action and deal with the employee, they do not go beyond the boundaries of their authority or violate any legal rights that could result in unwanted liabilities.

Liabilities

At any point during the investigation an action, circumstance, or event might be identified which could reasonably be expected to result in some form of legal action against the organization, such as a breach of customer information. When this occurs, the investigation team should involve legal resources to determine how to properly manage the situation and the best course of action to take, such as engaging public and corporate affairs to formally manage information sharing or contacting law enforcement due to the involvement of criminal actions.

Prosecution

As digital evidence is being analyzed, investigators work to correlate and corroborate different sources of digital evidence that might lead to credible findings where prosecution or punishment, both internal and external, are possible. In these circumstances, involving the legal team could improve the likelihood of the organization obtaining restitution for any losses it experienced, or ensure that claims (i.e., insurance) are properly substantiated.

Communication

One possible outcome of a successful cyber attack could be the unintentional or malicious exfiltration of sensitive or confidential information (i.e., personally identifiable information). In conjunction with other teams within the organization (i.e., privacy, public, and corporate affairs), legal can assist in assessing the severity of the information disclosure and the impact it has on partners, customers, and/or investors, and establish whether (when required) notification of the data exposure must be distributed.

Involving Law Enforcement

Depending on the severity and impact to the organization, a decision could be made to contact appropriate law enforcement agencies to further assist with the investigation. While a decision to involve law enforcement could help to identify whether organized crime is involved, or to engage law enforcement personnel in other jurisdictions, it is important that organizations understand that they could be required to surrender control of the investigation.


URL: https://www.sciencedirect.com/science/article/pii/B9780128044544000149

Volume 3

Bobby George, in Encyclopedia of Tissue Engineering and Regenerative Medicine, 2019

Regulatory Landscape

Different laws and regulations govern drugs, biological products, and devices in the United States. Although similarities exist between the regulations for drugs, devices, and biological products, each set of regulations has certain unique reporting requirements, standards, and timeframes based in part on the characteristics of the type of product. Drugs and devices are defined in the Federal Food, Drug, and Cosmetic (FD&C) Act (Title 21, Chapter 9). Biological products, on the other hand, are defined in the Public Health Service (PHS) Act (Title 42, Chapter 6A). Added to these general rules are additional considerations for “human cells, tissues, and cellular and tissue-based products” (HCT/Ps). These are defined in 21 CFR 1271.3(d) as articles containing or consisting of human cells or tissues that are intended for implantation, transplantation, infusion, or transfer into a human recipient. The corresponding regulations can be found in the Code of Federal Regulations (CFR) Title 21:

- Drugs: 21 CFR Parts 200–299 and 300–369

- Devices: 21 CFR Parts 800–898

- Biological products: 21 CFR Parts 600–680

- HCT/Ps: 21 CFR Parts 1270/1271


URL: https://www.sciencedirect.com/science/article/pii/B9780128012383655824

Domain 1

Eric Conrad, ... Joshua Feldman, in CISSP Study Guide, 2010

Compliance with Laws and Regulations

Complying with laws and regulations is a top information security management priority: both in the real world and on the exam. An organization must be in compliance with all laws and regulations that apply to it. Ignorance of the law is never a valid excuse for breaking the law. Details of specific laws are covered in Chapter 11: Domain 10: Legal, Regulations, Investigations, and Compliance.

Exam Warning

The exam will hold you to a very high standard in regard to compliance with laws and regulations. We are not expected to know the law as well as a lawyer, but we are expected to know when to call a lawyer. Confusing the technical details of a security control such as Kerberos may or may not cause a significant negative consequence, for example. Breaking search and seizure laws due to confusion over the legality of searching an employee's personal property, for example, is likely to cause very negative consequences. The most legally correct answer is often the best for the exam.


URL: https://www.sciencedirect.com/science/article/pii/B9781597495639000020

Domain 1: Security and Risk Management (e.g., Security, Risk, Compliance, Law, Regulations, Business Continuity)

Eric Conrad, ... Joshua Feldman, in CISSP Study Guide (Third Edition), 2016

Compliance with Laws and Regulations

Complying with laws and regulations is a top information security management priority: both in the real world and on the exam. An organization must be in compliance with all laws and regulations that apply to it. Ignorance of the law is never a valid excuse for breaking the law. Details of specific laws are covered in Chapter 10: Domain 9: Legal, Regulations, Investigations, and Compliance.

Exam Warning

The exam will hold you to a very high standard in regard to compliance with laws and regulations. We are not expected to know the law as well as a lawyer, but we are expected to know when to call a lawyer. Confusing the technical details of a security control such as Kerberos may or may not cause a significant negative consequence, for example. Breaking search and seizure laws due to confusion over the legality of searching an employee’s personal property, for example, is likely to cause very negative consequences. The most legally correct answer is often the best for the exam.


URL: https://www.sciencedirect.com/science/article/pii/B9780128024379000023

Domain 3

Eric Conrad, ... Joshua Feldman, in CISSP Study Guide (Second Edition), 2012

Compliance with laws and regulations

Complying with laws and regulations is a top information security management priority, both in the real world and on the exam. An organization must be in compliance with all laws and regulations that apply to it. Ignorance of the law is never a valid excuse for breaking the law. Details of specific laws are covered in Chapter 10, Domain 9: Legal, Regulations, Investigations, and Compliance.

Exam Warning

The exam will hold you to a very high standard with regard to compliance with laws and regulations. We are not expected to know the law as well as a lawyer, but we are expected to know when to call a lawyer. Confusing the technical details of a security control such as Kerberos may or may not cause a significant negative consequence, for example; however, breaking search and seizure laws due to confusion over the legality of searching an employee's personal property, for example, is likely to cause very negative consequences. The most legally correct answer is often the best for the exam.

Privacy

Privacy is the protection of the confidentiality of personal information. Many organizations host personal information about their users, such as Social Security numbers, financial information such as annual salary and bank account information required for payroll deposits, and healthcare information for insurance purposes. The confidentiality of this information must be assured.