Please respond to each question with at least 200 words and references. Due on Wednesday, March 15, 2017, 8:30 pm Eastern time (New York, USA).
Reading for #1
111009 Teacher Suit
Articles
GJD-RA
Maryland Statute House Bill 964
MCEA Contract
MCPS Nonrenewal of Contract Policy GJB-RC
MCPS Suspension and Termination of Professional Staff Policy
Student Code of Conduct POLICY 7
#1
In December two legal experts presented conflicting views about limiting Internet communications. Here are their articles: http://www.slate.com/articles/news_and_politics/view_from_chicago/2015/12/isis_s_online_radicalization_efforts_present_an_unprecedented_danger.html and https://www.washingtonpost.com/news/volokh-conspiracy/wp/2015/12/21/protecting-the-first-amendment-in-the-internet-age/?utm_term=.ce196c82b386
By Wednesday post your argument. Those whose last name begins with A-J post an argument supporting Judge Posner's position (my last name begins with A). All other students post an argument supporting Professor Post's position. Be sure to include research beyond the article.
Follow-up by posting a response again representing your assigned position to a posting arguing the other position.
Finally in the Thread titled Honest Position post your real position and basic rationale.
Reading for #2
(Required Readings)
McQuade, S. I. (2016). Computer crime. Salem Press Encyclopedia. Retrieved from http://ezproxy.umuc.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=ers&AN=95342780&site=eds-live&scope=site.
Cybercrime (n.d.). Cybercrime Timeline. Retrieved from: http://19623599.weebly.com/timeline.html.
Florida Tech (n.d.). A Brief History of Cyber Crime. Retrieved from: https://www.floridatechonline.com/blog/information-technology/a-brief-history-of-cyber-crime/.
Khan Academy (n.d.). The Internet: Cybersecurity and crime. Retrieved from: https://www.khanacademy.org/partner-content/code-org/internet-works/v/the-internet-cybersecurity-and-crime.
EFF (2013). Computer Fraud and Abuse Act (CFAA). Retrieved from: https://ilt.eff.org/index.php/Computer_Fraud_and_Abuse_Act_(CFAA).
Cornell University Legal Information Institute (n.d.). 18 U.S. Code Chapter 121 – STORED WIRE AND ELECTRONIC COMMUNICATIONS AND TRANSACTIONAL RECORDS ACCESS. Retrieved from: https://www.law.cornell.edu/uscode/text/18/part-I/chapter-121.
Law Enforcement Cyber Center (n.d.). Understanding Digital Evidence. Retrieved from: http://www.iacpcybercenter.org/investigators/digital-evidence/understanding-digital-evidence/.
Cornell University Legal Information Institute (n.d.). Fourth Amendment. Retrieved from: https://www.law.cornell.edu/constitution/fourth_amendment.
Federal Bureau of Investigation (FBI) (2016). Law Enforcement Cyber Incident Reporting. Retrieved from: https://www.fbi.gov/file-repository/law-enforcement-cyber-incident-reporting.pdf.
Funk & Wagnalls (2016). New World Encyclopedia. Tort 2016. Retrieved from: http://eds.a.ebscohost.com.ezproxy.umuc.edu/eds/detail/detail?vid=5&sid=1f18b6b7-394b-47ce-b6b4-c9e2ad530175%40sessionmgr4006&hid=4211&bdata=JnNpdGU9ZWRzLWxpdmUmc2NvcGU9c2l0ZQ%3d%3d#AN=TO072200&db=funk.
Koch, B.A. (2014). Journal of European Tort Law. Cyber Torts: Something Virtually New? Retrieved from: http://eds.a.ebscohost.com.ezproxy.umuc.edu/eds/pdfviewer/pdfviewer?vid=1&sid=1f18b6b7-394b-47ce-b6b4-c9e2ad530175%40sessionmgr4006&hid=4211.
OERs (Recommended Readings)
American Bar Association (2007). Cybercrime Havens. Retrieved from: http://www.americanbar.org/content/dam/aba/publications/blt/2007/11/cybercrime-havens-200711.authcheckdam.pdf.
District Court, Arapahoe County, Colorado (2012). Motion to Preserve and Produce Evidence. Retrieved from: https://learn.umuc.edu/content/enforced/190519-M_013959-01-2168/Session%209/12CR1522%20Motion%20to%20Preserve%20and%20Produce%20Evidence%20%28D-3%29.pdf?_&d2lSessionVal=tvFPq7FHTRMy6W3iOl2VVohqo&ou=190519.
Offices of the United States Attorneys (2008). Application for a Wiretap Order. Retrieved from: http://www.justice.gov/usao/eousa/foia_reading_room/usam/title9/crm00092.htm.
United States District Court (2009). Subpoena to Produce Documents, Information, or Objects or to Permit Inspection of Premises in a Civil Action. Retrieved from: https://learn.umuc.edu/content/enforced/190519-M_013959-01-2168/Session%209/Federal%20subpoena%20form%20AO088B.pdf?_&d2lSessionVal=tvFPq7FHTRMy6W3iOl2VVohqo&ou=190519.
#2
This discussion session has two parts:
Vulnerability Disclosure: What are the legal and ethical issues governing the disclosure of a vulnerability by an independent technical person (e.g. a cyber researcher)? See this paper: https://www.eff.org/issues/coders/vulnerability-reporting-faq. What are the legal obligations of the government if it comes to know about a vulnerability? Can it corner the vulnerability market and exploit a vulnerability against an adversary? See this paper by Dorothy Denning: https://learn.umuc.edu/content/enforced/111374-022073-01-2158-GO1-9040/DDenning.pdf?_&d2lSessionVal=hDspQFvvJP69gBZD9LTeVUUTl.
Attack Disclosure: What are the legal obligations (as well as protections for sharing) of companies regarding attacks on their systems and possible future attacks and vulnerabilities? Who should they disclose to: the government, users of their systems who were affected by the breach, and investors? See
o https://www.davispolk.com/sites/default/files/agesser.Cybersecurity.Law_.Report.aug15.pdf
o https://corpgov.law.harvard.edu/2016/03/03/federal-guidance-on-the-cybersecurity-information-sharing-act-of-2015/
o http://insurancethoughtleadership.com/cybersecurity-five-tips-on-disclosure-requirements/
o http://www.wsj.com/articles/should-companies-be-required-to-share-information-about-cyberattacks-1463968801
Participation on both the parts is required.
Reading for question #3
(Required Readings)
National Institute of Standards and Technology (NIST) (2012). SP 800-61v2: Computer Security Incident Handling Guide. Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf.
US-CERT (2008). Computer Forensics. Retrieved from: https://www.us-cert.gov/sites/default/files/publications/forensics.pdf.
Wegman, J. (n.d.). University of Idaho. Computer Forensics: Admissibility of Evidence in Criminal Cases. Retrieved from: Admissibility of Evidence in Criminal Cases.
DoJ (n.d.). Computer Forensics: Admissibility of Evidence in Criminal Cases. Retrieved from: https://www.justice.gov/criminal/cybercrime/docs/ssmanual2009.pdf.
FEMA DHS (n.d.). Business Continuity Plan. Retrieved from: www.ready.gov/business/implementation/continuity.
FEMA DHS (n.d.). Business Continuity Planning Suite. Retrieved from: www.ready.gov/business-continuity-planning-suite.
FEMA DHS (n.d.). IT Disaster Recovery Plan. Retrieved from: https://www.ready.gov/business/implementation/IT.
FEMA (n.d.). Planning & Templates. Retrieved from: https://www.fema.gov/planning-templates.
NIST (2010). NIST Special Publication 800-34 Rev. 1. Contingency Planning Guide for Federal Information Systems. Retrieved from: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf.
Gartner (2005). Laws Influence Business Continuity and Disaster Recovery Planning Among Industries. Retrieved from: https://www.gartner.com/doc/483265/laws-influence-business-continuity-disaster.
Geminare (n.d.). An Overview of U.S. Regulations Pertaining to Business Continuity. Retrieved from: http://www.geminare.com/pdf/U.S._Regulatory_Compliance_Overview.pdf.
OERs (Recommended Readings)
The International Federation of Red Cross and Red Crescent Societies (IFRC) (2015). The checklist on law and disaster risk reduction. Retrieved from: http://www.ifrc.org/PageFiles/115542/The-checklist-on-law-and-drr.pdf
Session Notes
Incident Response
After information security processes, procedures, and technology have been deployed to protect the enterprise from insider and outsider threats, what do you do when a problem is detected? It is a fact of life for any enterprise, small or large, that a cyber incident will happen. It is not a question of if, but when. NIST defines a computer security incident as a violation or imminent threat of violation of computer security policies (800-61v2, 2012). The nature of the incident can be very severe, such as a massive DDoS attack, or as limited as an intrusion for reconnaissance. Incident response procedures may involve a number of different departments, including information technology, legal, and audit. They may also involve all levels of management and external groups, depending on the severity of the incident.
NIST SP 800-61 v2 provides guidelines for developing incident handling capabilities that include:
Creating an incident response policy and plan
Developing procedures for performing incident handling and reporting
Setting guidelines for communicating with outside parties regarding incidents
Selecting a team structure and staffing model
Establishing relationships and lines of communication between the incident response team and other groups, both internal (e.g. legal department) and external (e.g. law enforcement agencies)
Legal action as a part of incident response may be necessary at the end of a potentially lengthy investigative process for criminal and civil prosecution. Digital forensics is the area devoted to collecting and preserving evidence and presenting it in a court of law. You learned a variety of digital forensics techniques in INFA 650 and INFA 630 for collecting and preserving evidence from volatile memory, network traffic, disk, and various logs and intrusion detection systems. To have evidence admissible in a court you have to have a good understanding of:
The Fourth and the Fifth Amendments of the Constitution
The three statutory laws: the Wiretap Act, the Pen Registers and Trap and Trace Devices Statute, and the Stored Wire and Electronic Communications Act
The U.S. Federal Rules of Evidence
An easy-to-read introduction to digital forensics law can be found here: US-CERT Computer Forensics (2008). Another source is: Admissibility of Evidence in Criminal Cases. A more authoritative document on the topic is from the DoJ and can be found at: DoJ: Computer Forensics: Admissibility of Evidence in Criminal Cases.
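The collection-and-preservation step above is where admissibility is usually won or lost: an examiner must be able to show that the data presented later is the same data that was collected, and who handled it in between. The following is an added example, not code from the page, from NIST, or from US-CERT. It hashes an item at acquisition, re-hashes it at every hand-off, and keeps a chain-of-custody log so that any divergence is recorded rather than silently overwritten. The evidence bytes, item id, and handler names are constructed for the example.

```python
"""Added example: hash evidence at acquisition and keep a chain-of-custody log.

A digest recorded at acquisition and re-computed at every hand-off supports the
authentication foundation that Federal Rule of Evidence 901 asks for. Evidence
bytes, item ids and handler names below are constructed, not real case data.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of the evidence bytes as a lowercase hex string."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    when: str      # ISO-8601 UTC timestamp of the hand-off
    handler: str   # person or system taking custody (hypothetical names)
    action: str    # "acquired", "transferred", "examined", ...
    sha256: str    # digest observed at this step


@dataclass
class EvidenceRecord:
    item_id: str
    acquisition_hash: str
    log: List[CustodyEntry] = field(default_factory=list)

    def add_entry(self, handler: str, action: str, data: bytes,
                  when: Optional[str] = None) -> bool:
        """Log a hand-off, re-hashing the data exactly as received.

        Returns True when the digest still matches the acquisition hash. A
        mismatch is kept in the log on purpose: the record must show the break.
        """
        stamp = when or datetime.now(timezone.utc).isoformat()
        entry = CustodyEntry(stamp, handler, action, sha256_hex(data))
        self.log.append(entry)
        return entry.sha256 == self.acquisition_hash

    def verify(self, data: bytes) -> bool:
        """True if the bytes presented now match what was acquired."""
        return sha256_hex(data) == self.acquisition_hash

    def broken_links(self) -> List[int]:
        """Indices of log entries whose digest differs from the acquisition hash."""
        return [i for i, e in enumerate(self.log)
                if e.sha256 != self.acquisition_hash]


def acquire(item_id: str, data: bytes, handler: str,
            when: Optional[str] = None) -> EvidenceRecord:
    """Create the record for a newly collected item and log its first entry."""
    record = EvidenceRecord(item_id, sha256_hex(data))
    record.add_entry(handler, "acquired", data, when)
    return record


if __name__ == "__main__":
    # Constructed evidence: a one-line log excerpt captured from a host.
    captured = b"2017-03-14T02:11:09Z sshd[4121]: Accepted password for svc from 10.0.0.5\n"
    rec = acquire("CONSTRUCTED-ITEM-001", captured, "analyst_a")
    rec.add_entry("analyst_b", "transferred", captured)
    # A later hand-off receives bytes with one character changed.
    rec.add_entry("analyst_c", "examined", captured.replace(b"svc", b"svx"))
    for i, e in enumerate(rec.log):
        flag = "  <-- digest mismatch" if i in rec.broken_links() else ""
        print(f"{e.when} {e.handler:10} {e.action:12} {e.sha256[:16]}...{flag}")
```

In practice the log itself would be written to append-only storage and the acquisition hash recorded on the evidence form at collection time; the point of the example is that each hand-off produces a fresh digest that can be compared against the original, so a gap in custody shows up as a specific entry rather than as an unexplained difference at trial.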
Business Continuity/Disaster Recovery
Disaster recovery (DR) and business continuity (BC) are terms that are often used interchangeably to describe an organization's ability to recover from a compromise, intentional or otherwise. DR is often data-centric and BC is business-centric.
Many organizations separate information security (or IT disaster recovery) from business continuity, so they may not be tied together organizationally, but they are certainly logically connected. Business continuity ensures availability, one of the three foundations of the CIA triad.
The good news is that there are numerous resources available to assist an organization with BC/DR processes from agencies such as FEMA, DHS, and NIST. Here are a few resources:
Business Continuity Plan
Business Continuity Planning Suite
FEMA Planning & Templates
NIST SP 800-34 Rev. 1 Contingency Planning Guide for Federal Information Systems
IT Disaster Recovery Plan
There are various laws and regulations that either imply or require Business Continuity (BC) / Disaster Recovery (DR) processes and procedures to be in place in various industries, specifically the health care, government, finance, and utility industries. To support BC/DR in these industries, high integrity and availability of data/information is a must. Gartner (2005): Laws Influence Business Continuity and Disaster Recovery Planning Among Industries is an excellent resource that succinctly captures the laws and regulations in these sectors. Regulation and Standards Pertaining to Business Continuity lists both the laws/regulations and the applicable standards an enterprise needs to follow in the finance and healthcare sectors.
#3
Assume you are a CISO. These are the laws governing evidence collection, preservation, and presentation in a court of law:
The Fourth Amendment of the Constitution
The Fifth Amendment of the Constitution
The three statutory laws: the Wiretap Act, the Pen Registers and Trap and Trace Devices Statute, and the Stored Wire and Electronic Communications Act
The U.S. Federal Rules of Evidence
Explain how your digital evidence processes will be/are compliant with one of the above. (They have to be compliant with all of them, but for this exercise just focus on one.)
Reading for #4
(Required Readings)
Deakins, O. (2013). Let's get physical: five legal issues and telecommuting. Retrieved from: http://www.lexology.com/library/detail.aspx?g=410cefff-dae1-4370-b30d-5fd103545324.
Gossett, D. (2012). On the road: legal considerations for telecommuting employers. Retrieved from: http://www.lexology.com/library/detail.aspx?g=f1be8aed-5673-4f9a-b860-2a8eea4294c5.
Magruder, J.S. (2015). Journal of Accounting and Finance. Bring Your Own Device (BYOD) – Who Is Running Organizations?
IT Pro (2014). Hess, K. Mobile Device Management Features That Matter. Retrieved from: http://www.tomsitpro.com/articles/mdm-solutions-comparison2-745.html.
Mell, P. (2011). The NIST Definition of Cloud Computing. Retrieved from: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf.
Badger, L. (2012). NIST SP 800-146: Cloud Computing Synopsis and Recommendations. Retrieved from: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-146.pdf.
NIST (2013). SP 500-291v2: NIST Cloud Computing Standards Roadmap. Retrieved from: http://www.nist.gov/itl/cloud/upload/NIST_SP-500-291_Version-2_2013_June18_FINAL.pdf.
InfoWorld (2016). The dirty dozen: 12 cloud security threats. Retrieved from: http://www.infoworld.com/article/3041078/security/the-dirty-dozen-12-cloud-security-threats.html.
Imperva Incapsula (2015). Top 10 Security Concerns for Cloud-Based Services. Retrieved from: https://www.incapsula.com/blog/top-10-cloud-security-concerns.html.
OERs (Recommended Readings)
lsntap.org (n.d.). Telecommuting Policies: A Reading Room. Retrieved from: https://lsntap.org/telecommuting_reading_room.
U.S. Office of Personnel Management (2011). Guide to Telework in the Federal Government. Retrieved from https://www.telework.gov/guidance-legislation/telework-guidance/telework-guide/guide-to-telework-in-the-federal-government.pdf.
NIST (2016). User's Guide to Telework and Bring Your Own Device (BYOD) Security. NIST Special Publication 800-114, Revision 1. Retrieved from: https://dx.doi.org/10.6028/NIST.SP.800-124r1.
SANS (2012). Legal Issues within Corporate Bring Your Own Device Programs. Retrieved from: https://www.sans.org/reading-room/whitepapers/legal/legal-issues-corporate-bring-device-programs-34060.
Cloud Security Alliance (2009). Security Guidance for Critical Areas of Focus in Cloud Computing v2.1. Retrieved from: CSA: Cloud Security Guidance.
NIST (2013). Cloud Computing Security Reference Architecture. Special Publication 500-299, DRAFT. Retrieved from: http://collaborate.nist.gov/twiki-cloud-computing/pub/CloudComputing/CloudSecurity/NIST_Security_Reference_Architecture_2013.05.15_v1.0.pdf.
U.S. White House (2012). Digital Government: Bring Your Own Device. Retrieved from: https://www.whitehouse.gov/digitalgov/bring-your-own-device#ttb.
Session Notes
Teleworking
The number of mobile workers and telecommuters has grown significantly over the past few years due to many factors including:
Advances in technology including faster networks/Internet and secure connections through VPN.
Need to access a larger pool of talent and specialized talent
Need to match and field employees to job sites and customers
Teleworking is a work arrangement in which employees do not commute to a central place of work. A person who telecommutes is known as a telecommuter, a teleworker, and sometimes as a home-sourced or work-at-home employee. An employer has many legal responsibilities to employees whether they work from a central facility or from home.
According to Deakins (2013), some of the unique legal challenges associated with telecommuters that an organization needs to address fall into these categories:
Company Property
Security
Worker’s Compensation
Payroll Records
Compensation
Gossett (2012) echoes the legal concerns Deakins associates with telecommuting and highlights the following:
The Fair Labor Standards Act (FLSA): Employers need to ensure that teleworkers are working the expected number of hours (usually 40 per week) and no less or no more.
Occupational Safety and Health Administration (OSHA): Employers expect teleworkers to work in a safe environment; however, OSHA limits the employer's liability and specifies that employers are not expected to visit the teleworker's home to ensure safe conditions.
Liability Insurance: Teleworkers have the same rights as all employees unless otherwise stipulated.
Taxes: If the teleworker is located in a state other than the one the company is in, both parties should be aware of all tax issues, including the withholding and tax filing requirements of the various local and state governments.
Other considerations: This is a broad category, including consideration of reasonable accommodation without undue hardship under the Americans with Disabilities Act.
These issues discussed by Gossett need to be formally addressed in a written agreement between the employer and the teleworker to prevent any misunderstanding and to ensure that the rights and responsibilities of both parties are clear.
Bring Your Own Device (BYOD) to Work
A major source of vulnerabilities introduced by employees is when they bring their own devices to work, known as BYOD (Bring Your Own Device). These devices include laptops, smartphones, portable drives, and other media capable of both storing sensitive data and transferring malicious data onto the employer's network. The arguments in favor of BYOD to work are: (1) increased productivity through familiarity with the device, (2) the convenience of an employee carrying only one or fewer devices, and (3) lower enterprise capital equipment cost, as the devices are bought and paid for by the employees.
Magruder (2015) lists the following steps organizations need to take to safeguard their information systems from any malicious or accidental data breach when BYOD is permitted:
Limit the types of devices (e.g. iPhone, iPad, and Android smartphones and tablets) and operating systems (e.g. iOS and Android) permitted on the network.
Limit the applications to be used on the devices.
Limit which employees can use the devices and what services they can access on the network.
Inform the employees what is expected of them.
To be permitted to bring her device to work, the employee needs to agree to be monitored for enforcement of the enterprise device policy through mobile device management (MDM) software. An MDM can ensure that only the permitted apps are running, that the apps and OS are up to date with patches, and that antivirus software with the latest updates is running on the device. The MDM software can also ensure that the device is protected by authentication and that it locks itself after a certain amount of inactivity. Many MDM solutions on the market are capable of remotely wiping all the data (including personal data) stored on the device in case it is stolen or lost, to prevent enterprise data from getting into the wrong hands. Employees should be warned that their private data and use of their private applications (e.g. chat, Gmail) may be monitored, and that their device and the data on it may be seized as evidence in a legal proceeding. That is why it is important that the user/employee agrees to be monitored.
See Mobile Device Management Features for typical MDM features and a comparison of MDM solutions.
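Magruder's four limits and the MDM controls described above only become enforceable once they are written down as a policy that can be evaluated against every enrolled device. The following is an added example, not code from the page and not any real MDM product's API: it expresses that policy as data and checks a device inventory record against it, reporting every finding rather than just pass/fail. Device records are assumed to be plain dicts exported by a hypothetical MDM agent, and every record, version number, and date below is constructed.

```python
"""Added example: evaluate an enrolled device against a BYOD policy.

The policy encodes the four limits Magruder lists (device types/OS, apps, who may
enroll and which services they may reach) plus the MDM controls described in the
notes (patched OS, current antivirus, authentication, inactivity lock, remote
wipe, agreement to monitoring). Inventory records are hypothetical dicts from an
assumed MDM agent export; all values are constructed.
"""
from datetime import date
from typing import Dict, List, Optional, Tuple

POLICY = {
    # permitted platform -> minimum OS version (constructed values)
    "platforms": {"iOS": (10, 0), "Android": (7, 0)},
    "allowed_apps": {"mail", "calendar", "vpn", "chat"},
    "allowed_groups": {"staff", "contractor"},       # who may enroll
    "allowed_services": {"email", "intranet", "vpn"},  # what they may reach
    "max_patch_age_days": 30,
    "max_lock_timeout_seconds": 300,
}

# Reference date for the constructed records, so results are reproducible.
AS_OF = date(2017, 3, 15)


def parse_version(text: str) -> Tuple[int, ...]:
    """'10.2.1' -> (10, 2, 1), so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in text.split("."))


def evaluate(device: Dict, policy: Dict = POLICY,
             today: Optional[date] = None) -> List[str]:
    """Return every policy finding for a device; an empty list means compliant."""
    today = today or date.today()
    findings: List[str] = []

    # Magruder (1): permitted device types and operating systems
    platform = device.get("platform")
    if platform not in policy["platforms"]:
        findings.append(f"platform not permitted: {platform}")
    elif parse_version(device["os_version"]) < policy["platforms"][platform]:
        findings.append(f"OS version below minimum: {device['os_version']}")

    # Magruder (2): permitted applications
    extra_apps = set(device.get("apps", [])) - policy["allowed_apps"]
    if extra_apps:
        findings.append(f"apps not permitted: {sorted(extra_apps)}")

    # Magruder (3): which employees may enroll and which services they may use
    if device.get("owner_group") not in policy["allowed_groups"]:
        findings.append(f"owner group not permitted to enroll: {device.get('owner_group')}")
    extra_services = set(device.get("services", [])) - policy["allowed_services"]
    if extra_services:
        findings.append(f"network services not permitted: {sorted(extra_services)}")

    # Magruder (4): the employee has been informed and agreed to monitoring
    if not device.get("monitoring_agreed"):
        findings.append("user has not agreed to monitoring")

    # MDM controls from the notes: patches, antivirus, authentication, lock, wipe
    patch_age = (today - date.fromisoformat(device["last_patch"])).days
    if patch_age > policy["max_patch_age_days"]:
        findings.append(f"OS/app patches are {patch_age} days old")
    if not device.get("antivirus_current"):
        findings.append("antivirus missing or signatures out of date")
    if not device.get("auth_enabled"):
        findings.append("device authentication (PIN/biometric) not enabled")
    if device.get("lock_timeout_seconds", 10**9) > policy["max_lock_timeout_seconds"]:
        findings.append("inactivity lock timeout too long or not set")
    if not device.get("remote_wipe_enabled"):
        findings.append("remote wipe not enabled")
    return findings


def is_compliant(device: Dict, policy: Dict = POLICY,
                 today: Optional[date] = None) -> bool:
    return not evaluate(device, policy, today)


# Constructed inventory records (hypothetical devices, not real ones).
COMPLIANT_DEVICE = {
    "platform": "iOS", "os_version": "10.2.1", "apps": ["mail", "vpn"],
    "owner_group": "staff", "services": ["email", "vpn"], "monitoring_agreed": True,
    "last_patch": "2017-03-01", "antivirus_current": True, "auth_enabled": True,
    "lock_timeout_seconds": 120, "remote_wipe_enabled": True,
}
NONCOMPLIANT_DEVICE = {
    "platform": "Android", "os_version": "6.0.1", "apps": ["mail", "torrent"],
    "owner_group": "guest", "services": ["email", "file_share"], "monitoring_agreed": False,
    "last_patch": "2016-12-01", "antivirus_current": False, "auth_enabled": False,
    "lock_timeout_seconds": 900, "remote_wipe_enabled": False,
}

if __name__ == "__main__":
    for name, dev in (("compliant", COMPLIANT_DEVICE), ("noncompliant", NONCOMPLIANT_DEVICE)):
        print(name, evaluate(dev, today=AS_OF) or "OK")
```

Returning the full list of findings rather than a single boolean is deliberate: a real MDM would use the per-finding detail to decide whether to warn the user, block network access, or, for a lost device, trigger the remote wipe the notes describe, and the record of what was checked is what the employee agreed to when enrolling.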
Cloud Computing
Cloud computing, according to Badger (2012), allows computer users to conveniently rent computing infrastructure assets (including CPU and storage), entire software development and deployment environments (including middleware, OS, DBMS, and development tools), and access to fully featured applications. It is a pay-as-you-use model instead of owning the resources.
The National Institute of Standards and Technology has been developing a framework and architecture to help federal organizations employ the technology effectively and securely. These NIST documents are worth reading, or at least browsing:
NIST SP 800-145; The NIST Definition of Cloud Computing (Mell 2012)
NIST SP 800-146; Cloud Computing Synopsis and Recommendations (Badger 2012)
NIST SP 500-291v2; Cloud Computing Standards Roadmap (Roadmap 2013)
NIST SP 500-299; NIST Cloud Computing Security Reference Architecture
Standards are expected to be mapped into five major areas: (1) accessibility, (2) interoperability, (3) performance, (4) portability, and (5) security. While there are only a few approved cloud-computing-specific standards at present, the standards landscape is changing fast; relevant standardization is under way in a number of Standards Developing Organizations (SDOs). Standards are critical for developing policies, implementing SLAs with cloud vendors, and providing direction for mitigating risk.
As a shared infrastructure, cloud computing's security issues include: (1) loss of data, (2) sharing of data in volatile and permanent storage with other cloud users, i.e. loss of confidentiality and privacy, (3) loss of integrity of data because of unwanted interaction among users, (4) DoS and DDoS attacks affecting availability, and (5) lack of adequate forensics support because of multi-tenancy. There is much overlap in the security threats facing cloud computing as listed and discussed by these recent resources: InfoWorld: Security Threats and Imperva: Security Threats.
#4
Now that you have a good idea of the legal and technical issues with teleworking and BYOD to work, are you in favor of teleworking and BYOD to work in your organization?
How will you make it work in your organization? What restrictions will you put in place to make it work?
If your last name begins with A-K, focus on teleworking. If your last name begins with L-Z, your focus should be on BYOD to work.