- Introduction
- The Basics of a Network
- Basic Network Utilities
- The OSI Model
- What Does This Mean for Security?
- Assessing Likely Threats to the Network
- Classifications of Threats
- Likely Attacks
- Threat Assessment
- Understanding Security Terminology
- Choosing a Network Security Approach
- Network Security and the Law
- Using Security Resources
- Summary
Network Security and the Law
An increasing number of legal issues affect how administrators approach network security. If your organization is a publicly traded company, a government agency, or does business with either, there may be legal constraints on your choice of security approach. Legal constraints include any laws that affect how information is stored or accessed. Sarbanes-Oxley (discussed in more detail later in this section) is one example. Even if your network is not legally bound by these security guidelines, it is useful to review the various laws affecting computer security and perhaps derive ideas that can apply to your own security standards.
One of the oldest pieces of legislation in the United States affecting computer security is the Computer Security Act of 1987 (100th Congress, 1987). This act requires government agencies to identify sensitive systems, conduct computer security training, and develop computer security plans. This law is a vague mandate ordering federal agencies in the United States to establish security measures without specifying any standards.
This legislation established a legal mandate to enact specific standards, paving the way for future guidelines and regulations. It also helped define certain terms, such as what information is indeed “sensitive,” according to the following quote found in the legislation itself:
Sensitive information is any information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under section 552a of title 5, United States Code (the Privacy Act), but which has not been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept secret in the interest of national defense or foreign policy.
Keep this definition in mind, for it is not just Social Security information or medical history that must be secured. When considering what information needs to be secure, simply ask the question: Would the unauthorized access or modification of this information adversely affect my organization? If the answer is “yes,” then you must consider that information “sensitive” and in need of security precautions.
Another, more specific federal law that mandates security for government systems is OMB Circular A-130 (specifically, Appendix III). This document requires that federal agencies establish security programs containing specified elements, and it describes requirements for developing standards for computer systems and for records held by government agencies.
Most states have specific laws regarding computer security, such as the Computer Crimes Act of Florida, the Computer Crime Act of Alabama, and the Computer Crimes Act of Oklahoma. Any person responsible for network security might potentially be involved in a criminal investigation, whether into a hacking incident or into employee misuse of computer resources. Whatever the nature of the crime prompting the investigation, being aware of the computer crime laws in your state is invaluable. A list of computer crime laws by state is available at http://www.irongeek.com/i.php?page=computerlaws/state-hacking-laws. This government list is from the Advanced Laboratory Workstation (ALW), National Institutes of Health (NIH), and Center for Information Technology.
Keep in mind that any law that governs privacy (such as the Health Insurance Portability and Accountability Act [HIPAA], for medical records) also has a direct impact on computer security. If a system is compromised and data covered under any privacy statute is exposed, you might need to prove that you exercised due diligence to protect that data. A finding that you did not take proper precautions can result in civil liability.
A law that is probably even more pertinent to business network security is Sarbanes-Oxley, often called SOX (http://www.soxlaw.com/). This law governs how publicly traded companies store and report on financial data, and keeping that data secure is a vital part of compliance. Obviously, full coverage of this law is beyond the scope of this chapter, or even this book. It is mentioned to point out that network security is not only a technical discipline: you must also consider its business and legal ramifications.
