Copyright by EC-Council
All
Rights
Reserved.
Reproduction
is Strictly Prohibited
Copyright 2004 EC-Council. All rights reserved worldwide.
Module Objective
This module will familiarize you with:
Fraud/Forgery
Interception or Modification of Data
Environmental Complexity
Multiple points of access:
Wired/wireless
Analog/remote
Multi-vendor environments:
Cisco, Checkpoint, ISS, etc.
New Technologies
Technology is advancing rapidly.
New technologies make old techniques ineffective or insufficient.
Security technologies change almost every day.
It is often impossible to evolve our network infrastructure at the same rapid pace.
Tunneling software makes it easier to bypass access controls.
Limited Focus
IT security is often allocated a small portion of overall IT budgets (on average, less than 3%; new statistics say around 6%).
Limited Expertise
How to Use
Enter the number of affected records in a data breach or identity theft incident
within the range of minimum 1000 and maximum 250,000.
Avoid using commas when entering a number.
The button next to the text box will increase or decrease the number of the
affected records by 500.
A user can switch the options ON or OFF according to their need.
Click each pie chart slice to check distribution of costs for each category.
Graph
Graphical Representation of Total Loss
Notification/Crisis Management
Graphical Representation of Loss of Each Category
In Order to Ensure...
Accurate authentication
Proper authorization
Confidentiality of data
Integrity of data
Availability of data
Non-repudiation
Authentication
Authentication is the process of verifying the identity of an individual.
Authorization
Authorization is the process that establishes whether a given identity or
subject can perform a given function against a given object.
For example, some users may be authorized to view data, and others may
be authorized to delete data; both must be valid users, but they have
different capabilities.
Authorization or access control is typically defined by Access Control
Lists (ACLs).
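The two slides above separate verifying who someone is (authentication) from deciding what that identity may do (authorization, typically an ACL). The following Python program is an added example, not code from the EC-Council module: the user names, passwords, the `customer_db` object and the ACL contents are all constructed for the illustration. It mirrors the slide's case of two valid users where only one is allowed to delete.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000


def _hash_password(password, salt):
    # PBKDF2-HMAC-SHA256 slows down offline guessing against a stolen store.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user_record(password):
    # Store a random per-user salt beside the derived hash, never the password.
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)


# Constructed user store (assumed names and passwords); a real deployment
# would read this from a directory service or database.
USERS = {
    "alice": make_user_record("correct horse battery"),
    "bob": make_user_record("a-long-passphrase-for-bob"),
}

# Constructed ACL: object -> subject -> set of permitted actions.
# Both users are valid, but only bob may delete.
ACL = {
    "customer_db": {
        "alice": {"view"},
        "bob": {"view", "delete"},
    },
}

_DUMMY_SALT = b"\x00" * 16


def authenticate(username, password):
    """Authentication: verify that the caller knows the secret for this identity."""
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work for unknown users so that response time
        # does not reveal which usernames exist.
        _hash_password(password, _DUMMY_SALT)
        return False
    salt, stored = record
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(_hash_password(password, salt), stored)


def authorize(subject, action, obj):
    """Authorization: may this (already authenticated) subject perform action on obj?"""
    return action in ACL.get(obj, {}).get(subject, set())


def access(username, password, action, obj):
    """Full flow: authenticate first, then consult the ACL. Anything not listed is denied."""
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorize(username, action, obj):
        return "denied: not authorized"
    return f"ok: {username} may {action} {obj}"


if __name__ == "__main__":
    for user, pw, act in [("alice", "correct horse battery", "view"),
                          ("alice", "correct horse battery", "delete"),
                          ("bob", "a-long-passphrase-for-bob", "delete"),
                          ("mallory", "guess", "view")]:
        print(user, act, "->", access(user, pw, act, "customer_db"))
```

The ACL lookup defaults to an empty set, so an object or subject that is missing from the list is denied rather than allowed; that default-deny choice is what makes an ACL a control rather than a suggestion.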
Confidentiality
Confidentiality is the requirement that particular information be restricted
to the appropriate people.
Mechanisms that are often used to maintain confidentiality include:
Data Classification:
Encryption:
Equipment Disposal:
Integrity
Integrity is the principle that requires information to maintain its precision.
Measures to maintain data integrity may include:
Checksums:
Access control:
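The slide lists checksums as an integrity measure without saying what they do and do not catch. The Python below is an added example (not part of the EC-Council module; the account record and the key are constructed): it shows that an unkeyed checksum detects accidental corruption, but an attacker who can rewrite the data can also recompute that checksum, so detecting deliberate tampering needs a keyed tag (HMAC) whose key is kept where the attacker cannot reach it, which is where the slide's second measure, access control, comes in.

```python
import hashlib
import hmac
import os


def checksum(data):
    """Unkeyed checksum: detects accidental corruption (bit rot, truncation)."""
    return hashlib.sha256(data).hexdigest()


def verify_checksum(data, expected):
    return hmac.compare_digest(checksum(data), expected)


def integrity_tag(key, data):
    """Keyed tag (HMAC-SHA256): detects deliberate tampering as long as the
    key is kept away from anyone who can write the data."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key, data, tag):
    return hmac.compare_digest(integrity_tag(key, data), tag)


def demo():
    # Constructed record; imagine it in a database an attacker can write to.
    original = b"account=1042;balance=500.00;status=active"
    stored_sum = checksum(original)
    key = os.urandom(32)               # kept separately, e.g. in an HSM or protected config
    stored_tag = integrity_tag(key, original)

    # Case 1: accidental corruption, a single changed byte. Both checks fail.
    corrupted = original[:-1] + b"X"
    case1 = (verify_checksum(corrupted, stored_sum), verify_tag(key, corrupted, stored_tag))

    # Case 2: deliberate tamper where the attacker also overwrites the checksum.
    tampered = original.replace(b"500.00", b"999999.00")
    forged_sum = checksum(tampered)    # the unkeyed checksum is trivially recomputed...
    # ...so it passes, while the keyed tag (attacker has no key) still fails.
    case2 = (verify_checksum(tampered, forged_sum), verify_tag(key, tampered, stored_tag))

    return {"corruption": case1, "tamper_with_recomputed_checksum": case2}


if __name__ == "__main__":
    print(demo())
```

Each tuple is (plain checksum passed, keyed tag passed). The second case is the one worth remembering when an "integrity check" is proposed: ask who can write the checksum, and whether that is a smaller set of people than who can write the data.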
Availability
The availability principle ensures that our data will be available in a timely manner. It is the principle behind redundant systems.
Measures to maintain data availability may include:
Redundant systems, disk arrays, and clustered machines.
Antivirus software to stop worms destroying our networks.
Distributed denial-of-service (DDoS) prevention systems.
Non-Repudiation
We Must be Diligent
We have to secure:
The people.
The technology.
The processes.
Threat Agents
Employees:
No physical security = no security at all:
Disgruntled employee
Lack of education:
Users
Administrators
Corporate espionage
Misuse of IT privileges:
Internal
External
Organized threats:
Fundamentalist groups
Organized crime
Government/foreign intelligence
Terrorists
Assessment Questions
Here are some questions for you to ponder:
How easy would it be for someone to steal our corporate
information?
How easy would it be for someone to crash our network?
What vulnerabilities exist at our Internet connection?
What is the likelihood that we will be hacked by someone?
What damage could they do?
What could one of our employees do with unauthorized access
privileges?
How easy is it to circumvent these access controls?
Is it easier for insiders than someone trying to come in from the
Internet?
How much should we spend on our IT security program?
Who is responsible for protecting our IT and informational
resources?
First, we have to understand risk:
Risk
Risk is the possibility of harm or loss.
It refers to the uncertainty about events and outcomes that could have an
undesirable effect on the organization and its goals.
The central element of risk is uncertainty, the probability of experiencing
loss as a result of a threat event.
The outcome is uncertain, but the threat is very real.
Simplifying Risk
R = Risk
A = Asset value
T = Perceived threat
V = Vulnerability
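The slide names the four variables but the extracted text does not show how they combine. The Python below is an added example, not from the EC-Council module; it assumes a 1 to 5 rating for each factor and the multiplicative rule R = A × T × V, and the asset inventory is invented. Beyond the single formula, it ranks several assets and shows the effect of a control that lowers V, which is how the score is actually used to decide where to spend the limited budget the earlier slides describe.

```python
from dataclasses import dataclass

# Each factor is rated on a 1-5 ordinal scale and combined as R = A * T * V.
# Both the scale and the multiplicative rule are assumptions for this example.
MIN_RATING, MAX_RATING = 1, 5


@dataclass(frozen=True)
class AssetRisk:
    asset: str
    asset_value: int    # A: what the asset is worth to the organization
    threat: int         # T: how likely and capable the perceived threat is
    vulnerability: int  # V: how exposed the asset is to that threat


def _check(name, value, asset):
    if not (MIN_RATING <= value <= MAX_RATING):
        raise ValueError(f"{name} for {asset!r} must be {MIN_RATING}..{MAX_RATING}, got {value}")


def risk_score(entry):
    """R = A * T * V on the ratings above; the highest possible score is 125."""
    _check("A", entry.asset_value, entry.asset)
    _check("T", entry.threat, entry.asset)
    _check("V", entry.vulnerability, entry.asset)
    return entry.asset_value * entry.threat * entry.vulnerability


def rank_risks(inventory):
    """Return (score, asset) pairs, highest risk first, ties broken by name."""
    scored = [(risk_score(e), e.asset) for e in inventory]
    return sorted(scored, key=lambda pair: (-pair[0], pair[1]))


def with_control(entry, new_vulnerability):
    """A control (patching, a firewall rule, an ACL) usually lowers V, not A or T.
    Return the score before and after applying it."""
    after = AssetRisk(entry.asset, entry.asset_value, entry.threat, new_vulnerability)
    return risk_score(entry), risk_score(after)


# Constructed inventory; assets and ratings are invented for the example.
INVENTORY = [
    AssetRisk("payroll database", asset_value=5, threat=4, vulnerability=3),
    AssetRisk("public web site", asset_value=2, threat=5, vulnerability=4),
    AssetRisk("hr file share", asset_value=4, threat=2, vulnerability=2),
    AssetRisk("test lab", asset_value=1, threat=3, vulnerability=5),
]

if __name__ == "__main__":
    for score, name in rank_risks(INVENTORY):
        print(f"{score:4d}  {name}")
    print("payroll after patching (V 3 -> 1):", with_control(INVENTORY[0], 1))
```

Note that the test lab has the worst vulnerability rating yet ranks last, because its asset value is low; this is the point of weighting by A rather than chasing the highest raw vulnerability count. The lab still matters if it is connected to the internal network, which is what the lab policy later in the module addresses.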
Risk Analysis
There are many types of risk analysis.
Common security risk analysis methods and tools include:
CRAMM.
SARAH.
IS1 and IS3.
VISART.
Delphi.
Step 5: Communication
Communicate results to the appropriate parties.
Step 6: Monitoring
Continuously analyze new threats and modify controls as necessary. Significant organizational
changes should lead to a new risk assessment.
Security Policies
Security policies are the foundation of your security infrastructure. Without them, you cannot protect your company from possible lawsuits, lost revenue, and bad publicity, not to mention basic security attacks.
A security policy is a document or set of documents that describes, at a high level, the security controls that will be implemented by the company.
Policies are not technology specific and do three things for a company:
Reduce or eliminate legal liability to employees and third parties.
Protect confidential, proprietary information from theft, misuse, unauthorized disclosure, or modification.
Prevent waste of company computing resources.
Encryption mechanisms.
Access control devices.
Authentication systems.
Firewalls.
Anti-virus systems.
Websites.
Gateways.
Routers and switches.
Types of Policies
Promiscuous Policy
Firewall-Management Policy
Permissive Policy
Special-Access Policy
Prudent Policy
Paranoid Policy
Business-Partner Policy
Acceptable-Use Policy
User-Account Policy
Remote-Access Policy
Information-Protection Policy
Promiscuous Policy
No restrictions on Internet/remote access
Good luck to your network administrator, you have our
blessings...
Permissive Policy
Known dangerous services/attacks blocked
Prudent Policy
Provides maximum security while allowing known, but necessary, dangers
All services are blocked; nothing is allowed
Paranoid Policy
Everything is forbidden
No Internet connection, or severely limited Internet usage
Acceptable-Use Policy
Should users read and copy files that are not their own, but are accessible to them?
Should users modify files that they have write access to, but are not their own?
Should users make copies of system configuration files (for example, /etc/passwd
and SAM) for their own personal use or to provide to other people?
Should users be allowed to use .rhosts files? Which entries are acceptable?
Should users be allowed to share accounts?
Should users have the ability to make copies of copyrighted software?
User-Account Policy
Who has the authority to approve account requests?
Who (employees, spouses, children, company visitors, for example) is allowed
to use the computing resources?
May users have multiple accounts on a single system?
May users share accounts?
What are the users' rights and responsibilities?
When should an account be disabled and archived?
Remote-Access Policy
Who is allowed to have remote access?
What specific methods (such as cable modem/DSL or dial-up) does the
company support?
Are dial-out modems allowed on the internal network?
Are there any extra requirements, such as mandatory anti-virus and
security software, on the remote system?
May other members of a household use the company network?
Do any restrictions exist on what data may be accessed remotely?
Information-Protection Policy
What are the sensitivity levels of information?
Who may have access to sensitive information?
How is sensitive information stored and transmitted?
What levels of sensitive information may be printed on public printers?
How should sensitive information be deleted from storage media (paper shredding, scrubbing hard drives, degaussing disks, etc.)?
Firewall-Management Policy
Who has access to the firewall systems?
Who should receive requests to make a change to the firewall configuration?
Who may approve requests to make a change to the firewall configuration?
Who may see the firewall configuration rules and access lists?
Special-Access Policy
Who should receive requests for special access?
Who may approve requests for special access?
What are the password rules for special-access accounts?
How often are passwords changed?
What are the reasons or situations that would lead to revocation of special-access privileges?
Network-Connection Policy
Who may install new resources on the network?
Who must be notified that new devices are being added to the network?
Business-Partner Policy
Data Classification Policies
There is the need to classify data according to its use,
sensitivity, and importance.
Thus, data is classified into three classes:
High risk: Data that attracts legal penalties if lost or damaged.
Confidential: Data that is to be protected against unauthorized
disclosure.
Public: Data that is freely available.
Data Classification Policies (contd)
Do data owners determine the data classification and ensure data
protection?
Is high risk data encrypted during transmission over insecure
channels?
Is confidential data encrypted during transmission over insecure channels?
Is all data backed up?
Are all backups handled with the same security precaution as that of
the original data?
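The two data-classification slides give three classes and a checklist of questions. The Python below is an added example, not from the EC-Council module, that turns that checklist into checks a team can run over an inventory: the ordering of the three classes, the rule that confidential and high-risk data must be encrypted on insecure channels, and the inventory items themselves are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# The three classes from the slide. Their relative sensitivity ordering and the
# handling rules below are assumptions made for this example.
HIGH_RISK, CONFIDENTIAL, PUBLIC = "high risk", "confidential", "public"
SENSITIVITY = {PUBLIC: 0, CONFIDENTIAL: 1, HIGH_RISK: 2}


@dataclass
class DataItem:
    name: str
    classification: str
    owner: Optional[str]                  # data owner who set the classification
    backed_up: bool
    backup_classification: Optional[str]  # label applied to the backup copy


def needs_encryption_in_transit(classification, channel_is_insecure):
    """High-risk and confidential data must be encrypted on insecure channels;
    public data never needs it (assumed rule)."""
    return channel_is_insecure and SENSITIVITY[classification] >= SENSITIVITY[CONFIDENTIAL]


def check_transfer(item, channel_is_insecure, channel_is_encrypted):
    if needs_encryption_in_transit(item.classification, channel_is_insecure) and not channel_is_encrypted:
        return f"blocked: {item.name} ({item.classification}) needs encryption on this channel"
    return f"allowed: {item.name}"


def audit_item(item):
    """Answer the slide's checklist questions for one item; an empty list means compliant."""
    findings: List[str] = []
    if item.classification not in SENSITIVITY:
        findings.append(f"unknown classification {item.classification!r}")
        return findings
    if not item.owner:
        findings.append("no data owner has classified this item")
    if not item.backed_up:
        findings.append("not backed up")
    elif SENSITIVITY.get(item.backup_classification, -1) < SENSITIVITY[item.classification]:
        # Backups must be handled with the same precautions as the original.
        findings.append("backup is handled with weaker precautions than the original")
    return findings


def audit_all(inventory):
    return {item.name: audit_item(item) for item in inventory}


# Constructed inventory for the example.
INVENTORY = [
    DataItem("customer card numbers", HIGH_RISK, owner="finance", backed_up=True, backup_classification=HIGH_RISK),
    DataItem("sales forecast", CONFIDENTIAL, owner="sales", backed_up=True, backup_classification=PUBLIC),
    DataItem("press releases", PUBLIC, owner=None, backed_up=False, backup_classification=None),
    DataItem("legacy export", "internal", owner="it", backed_up=True, backup_classification="internal"),
]

if __name__ == "__main__":
    for name, findings in audit_all(INVENTORY).items():
        print(name, "->", findings or "compliant")
    print(check_transfer(INVENTORY[0], channel_is_insecure=True, channel_is_encrypted=False))
    print(check_transfer(INVENTORY[2], channel_is_insecure=True, channel_is_encrypted=False))
```

The "legacy export" item shows the most common real-world failure: data that carries a label the policy does not define, so none of the handling rules apply to it. An audit should flag that as a finding in its own right rather than silently treating it as public.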
Intrusion Detection Policies
Is intrusion detection implemented on all servers and workstations that contain high risk data?
Are the alarm and alert functions, as well as logging and monitoring
systems, working as intended?
Update anti-virus software as per the recommendation of the vendor.
Secure all servers and workstations that are vulnerable to viruses or worm attacks.
Scan the headers of all incoming data, including electronic mail, for viruses at the email server.
All the people related to the organization must protect the organization's assets.
All the people must be trained about their responsibilities and the organization's information security.
The employee handbook must contain information about security responsibilities.
All employees must sign the organization's non-disclosure agreement.
The chief security officer must implement a system for security-related issues.
The human resource manager must ensure background checks of employees.
Cryptography Policy
Cryptography secures data and protects privacy of the
organization.
People of the organization should know about
cryptographic techniques and how to implement them to
get data secured.
Strong cryptographic algorithms should be selected, subject to applicable law, and implemented.
Data classification
Prevention, as well as detection
Consumer request policies
Consumer notification
Employment policies and procedures
Data destruction policies
A lab policy discusses how to protect the internal network from the
insecurities of a test lab.
The best option is to keep the test lab on a completely separate Internet
connection and not have it connected in any way to the internal corporate
network.
Policy Statements
The policy is as effective as the policy statements that it contains. Policy statements must be written in a very clear and formal style.
Good examples of policy statements are:
All computers must have antivirus protection activated to provide real-time,
continuous protection.
All servers must be configured with the minimum of services to perform their
designated functions.
All access to data will be based on a valid business need and subject to a formal
approval process.
All computer software must always be purchased by the IT department in
accordance with the organization's procurement policy.
A copy of the backup and restoration media must be kept with the off-site
backups.
While using the Internet, no person is allowed to abuse, defame, stalk, harass,
or threaten any other person or violate local or international legal rights.
ISO 17799
Another option when you are developing policies is to follow the
internationally recognized International Standards Organization (ISO)
17799, a set of recommendations organized into 10 major sections
covering all facets of information systems policies and procedures.
Many organizations and consulting firms use ISO 17799 as the baseline
for policy best practices.
System development and maintenance:
Physical and environmental security:
Personnel security:
Security organization:
Manage information security within the organization
Maintain the security of organizational information-processing facilities and information assets accessed by third parties
Maintain the security of information when the responsibility for information processing has been outsourced to another organization
Security policy:
Provide management direction and support for information security
No Simple Solutions
Rapid emergence of new exploits
Concentration on performance
U.S. Legislation
California SB 1386
Sarbanes-Oxley 2002
Gramm-Leach-Bliley Act (GLBA)
Health Insurance Portability and Accountability Act
(HIPAA)
USA Patriot Act 2001
California SB 1386
In cases involving over 500,000 people, the organization can warn the
potential victims en masse through a website and by alerting the media.
Sarbanes-Oxley 2002
Section 201:
Relating to auditor independence, it is no longer allowed for your auditor to perform such activities as financial information systems design and implementation; internal audit outsourcing services; and legal services and expert services (including security).
Section 302:
The CEOs and CFOs of the accounting company's clients must sign statements verifying
the completeness and accuracy of financial reports.
Section 404:
CEOs, CFOs, and auditors must report on and attest to the effectiveness of internal
controls for financial reporting. This report shall:
State the responsibility of management for establishing and maintaining an adequate
internal control structure and procedures for financial reporting
Contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting
Each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.
Although the penalty is small, it is easy to see how it could impact a bank.
The primary objective of the security rule is to protect the confidentiality, integrity, and availability of data when it is managed (i.e., stored, maintained, or transmitted) by a health care provider.
Health care providers must provide notice of privacy policies and procedures to patients, obtain consent and authorization for use of information, and tell how information is generally shared and how patients can access, inspect, copy, and amend their own medical records.
U.K. Legislation
The Computer Misuse Act 1990 creates three distinct criminal
offenses:
Unauthorized access to computers, including the illicit copying of software held in any computer. This carries a penalty of up to six months imprisonment or up to a £5000 fine and will be dealt with by a magistrate. This covers hobby hacking and, potentially, penetration testing.
Unauthorized access with intent to commit or facilitate commission of further
offenses (such as fraud or theft), which covers more serious cases of hacking
with a criminal intent. This has a penalty of up to five years imprisonment and
an unlimited fine. Because it is a serious offense, it will be a trial by jury.
Unauthorized modification of computer material, which includes the
intentional and unauthorized destruction of software or data; the circulation
of infected materials online (viruses); and the unauthorized addition of a
password to a data file (crypto viruses). This offense also carries a penalty of
up to five years imprisonment and an unlimited fine. It is also a serious
offense, so it too will be a trial by jury.
The act covers manual and computerized records and is concerned with
the processing of personal data. It works in two ways:
Giving individuals (data subjects) certain rights over the way that their data is
processed.
Requiring those who decide how and why personal data is processed (data controllers) to be open about their use of that data and to comply with the data protection principles in their information-handling practices.
Interception of Communications
The Telecommunications Regulations 2000 provided that an
employer retains the right to carry out monitoring despite the
fact the employee has not given his or her express consent, if
such monitoring is required to carry out the following:
Recording evidence of business transactions.
Ensuring compliance with regulatory or self-regulatory guidelines.
Maintaining the effective operation of the employer's systems (for
example, preventing viruses).
Monitoring standards of training and service.
Preventing or detecting criminal activity.
Preventing the unauthorized use of the computer or telephone system.
Central government.
Local authorities.
NHS.
Schools.
Police departments.
Should an inspector discover that information has been withheld, the directors will be liable to
imprisonment and/or a fine.
The act also contains a whistleblower protection clause that excludes liability for breach of confidence for
those who provide information to authorities.
Summary
In this module, we've discussed the statistics and importance of vulnerabilities and
their impact on business.
We have reviewed the various challenges against security.
We've discussed the challenges and how to simplify risk.
We have discussed security policies and postures.
We have discussed the ISO 17799 standard for security policies.
Last, but not least, we went over a few important laws and regulations related to
information security.