William Slater's CIS 537 Blog

CIS 537 - Introduction to Cyber Ethics

Friday, December 30, 2011

Post 035 - CIS 537




Sun Tzu and Cyber War


Sun Tzu and Cyber War is an excellent 23-page paper by Kenneth Geers. It compares what is known today about the nature of cyberwarfare with ideas from the classic and most famous book ever written about war, The Art of War by Sun Tzu (Geers, 2011).  Find it here: http://www.ccdcoe.org/articles/2011/Geers_SunTzuandCyberWar.pdf


Because the idea of cyberwarfare is rapidly evolving, Geers believes that students of cyberwarfare and cybersecurity would do well to understand the basic foundations of warfare as laid out by Sun Tzu 2500 years ago in his book, The Art of War (Geers, 2011).


Geers has been studying and writing about cyberwarfare for years.  In 2009, he co-wrote and published The Virtual Battlefield: Perspectives on Cyber Warfare (Czosseck and Geers, 2009).


A full version of The Art of War can be retrieved at this link:  http://www.iluminaci.pl/info/sztuka-wojny-sun-tzu (Illuminati, 2012).




References


Czosseck, C. and Geers, K. (2009).  The Virtual Battlefield: Perspectives on Cyber Warfare.  IOS Press.


Illuminati - Freemasonry - YEAR 2012. (2012).  Sun Tzu's Art of War.  Retrieved from the web at http://www.iluminaci.pl/info/sztuka-wojny-sun-tzu on December 30, 2011.


Geers, K. (2011). Sun Tzu and Cyber War.  A professional technical paper published on February 9, 2011 at the Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia. Retrieved from the web at http://www.ccdcoe.org/articles/2011/Geers_SunTzuandCyberWar.pdf on December 25, 2011.







= = = = = = = = = = = = = = = = = = = = = = =

William Favre Slater, III
MBA, M.S., PMP, CISSP, SSCP, CISA, ISO 27002, ISO 20000, ITIL v3, Cloud Computing Foundation
Project Manager / Program Manager
Chicago, IL
United States of America

M.S. in Cybersecurity Program at Bellevue University

CIS 537 Introduction to Cyber Ethics

CIS 608 Information Security Management

CYBR 515 - Security Architecture and Design

CYBR 510 Physical, Operations, and Personnel Security

CYBR 610 Risk Management Studies

CYBR 520 Human Aspects of Cybersecurity

CIS 607 Computer Forensics

CYBR 615 Cybersecurity Governance and Compliance

CYBR 625 Business Continuity Planning and Recovery

DET 630 Cyber Warfare & Deterrence

CYBR 525 Ethical Hacking and Response

CYBR 650 Current Trends in Cybersecurity

Mastering Security

Career

Certifications

Credentials

ISO 27001



Post 034 - CIS 537


Week Five Assignments
Week 5 - Readings and Objectives

Reading assignments for the week:


Chapter 5 in Ethics in Information Technology.
Supplemental resource:


Truth or Fiction? Photography and Ethics.  A film available via our library - check out the folder in Course Documents and then Films on Demand and you'll find links to this and other videos in our library.


Learning objectives for the week:


Identify issues regarding freedom of expression as they apply to Internet communications.
Discuss current issues of information technology and freedom of expression.
Present an opinion about freedom of expression in our information age.
Begin locating sources for a case study.


This week:


Okay, it is time to tackle some big issues this week. We are entering the area where government policy, political opinions, cultural values, and technology intersect. Do you enjoy discussing controversial topics? Then this is the week for you.


We are going to examine policies regarding pornography, national security, privacy, slander, libel, and our attitudes toward freedom of expression in these areas. Generally, Americans have strong opinions about freedom of expression. This chapter provides us with the opportunity to support our opinions with solid cases and precedents.


Looking for an interesting perspective on the topics for the week? Check out the supplemental resource listed above. It is a great way to find ideas to add to your discussion postings for the week.


The Internet definitely is changing our culture. Is it changing our attitudes toward freedom of expression? There is only one way to find out - let's discuss the issues and see where our discussions take us.


Have you finished the readings for the week?  Then let's get started on the weekly assignments.


  Week 5 - Video Overview
http://idcontent.bellevue.edu/content/CIT/cis/537/Week5.html


A brief video about our upcoming week.


  Week 5 - Thought for the Week
“What is freedom of expression? Without the freedom to offend, it ceases to exist.”  - Tony Blair


There is no assignment associated with this item, just a chance to pause and ponder.






Week 5 - Image of the Week

"Portrait of Miss Margie Fellegi wearing a costume of a bonnet and a dress, open in the front to reveal short shorts, posing in front of a light-colored, wooden-framed screen in a room in Chicago, Illinois, for the 1927 Artists Ball."  Photo is in the public domain and available from the American Memory collection at the Library of Congress.


There is no assignment associated with this item, just a chance to pause and ponder.




  Week 5 - Chapter 5 Quiz
Read the assigned chapter this week in Ethics in Information Technology and then click on the link above to start the quiz.


The quizzes are a self-assessment and a participation grade. This means that you can take the quizzes as many times as you need in order to earn the grade you deserve. The idea is to allow you to self-test your reading comprehension.


Please do NOT try to print the quiz since that sometimes locks it up and prevents your score from being recorded. Simply take the quiz again if you need to review your readings and improve your score.


The quiz scores will be recorded each week, so be sure to take the quizzes in the weeks they are assigned. If you get a low score, then reread the material and take the quiz again.




  Week 5 Forum - Main Posting
Choose ONE of the following topics for your main discussion posting for the week. Generally, it takes several solid paragraphs for your main posting. Remember to provide a reference if you used a source for your information. Also, remember not to copy and paste from your sources - summarize and analyze in your own words.


Chapter 5 begins with a vignette called "Sexting." The case asks some important questions. Offer your opinions on those questions, and find a source to help support your opinions. Of course, please remember to provide a link or a reference for your source of information.


Chapter 5 has a Legal Overview titled "Children's Internet Protection Act (CIPA)." Imagine that you are a librarian at a city library. What would you do in order to comply with the law but also serve both adults and children at your library?


Let's put some ideas together. Appendix A and Chapter 1 discuss four philosophical theories for ethical decision making. This chapter discusses freedom of expression. Look in Course Documents at the case study on campaign blogs. It has a short case, a short video, and some thought-provoking questions.  Based on your reading of the four perspectives, what would you do as the political candidate?  Defend your decision.


National Security Letters are discussed in Chapter 5.  The text says that the issue is still under appeal.  Find a recent news article about this issue. What is the current status of National Security Letters?


Chapter 5 ends with a manager's checklist for handling freedom of expression in the workplace. How does your employer fare with this checklist?  Do you have any recommendations?


Imagine you are part of a committee to define your company's computer use policy. What advice would you give regarding Internet pornography?  Would you rather see a laissez-faire policy or strict enforcement of tough company guidelines?


A multimedia alternative: Imagine that you are a reporter for a local television station.  You have heard that pornography is available on the computers in the local library. The librarian insists that all required safeguards are in place. Post your two minute video news story about this controversy for your classmates to view. Obviously, you are free to make up the facts for your story as long as they are consistent with the information in our readings for the week.


Please see the information in the Assessment area of Course Documents if you aren't sure what a good discussion posting looks like.


This assignment is due in the Week 5 Forum at least two days before the end of our academic week.


  Week 5 Forum - Additional Postings
Post at least two additional messages during the week. More are always welcome. Typically, these messages are replies to your fellow students, or you can ask about details in the readings that puzzle you. See the assessment guide for more details if you aren't sure what a good posting looks like.


Post at least two additional messages in the Week 5 Forum before the end of our academic week.


  Week Five Essay - Opinion/Editorial
Your homework assignment is focused on the question of freedom of expression and the global reach of the Internet.


Congratulations, you are now a senior editor at CNN.  You often write news analysis on cultural issues that have a strong technology presence. Today, you and your editorial board had a wide-ranging discussion about freedom of expression and the Internet. Now, your job is to create an opinion piece for tomorrow's web page. You can write the opinion, or you can present it in a short video. 


Your board of editors is split between two basic perspectives:


Freedom of expression is under attack by socially conservative people who want everyone to be socially conservative. They hide behind 'protect the children' or 'protect national security' or 'protect the rights of business' when in fact they really want to control people and limit our freedoms.


Freedom of expression is not an absolute freedom, and new technologies make it important to exercise our freedoms in more responsible ways. We must balance our freedom to express ourselves with other freedoms and concerns. Socially-liberal people who push the limits of expression end up harming everyone's rights with their deliberately offensive and dangerous activities. They force courts and businesses to push back with clearer limits, and that is harmful rather than helpful.


Compose a one page column or a short video segment for the CNN web site. The column is limited to one page, single-spaced, with a blank line between paragraphs. The video is limited to four minutes. Tell your readers why you favor one side or the other side of the argument.  Support your opinion with information from our reading for the week and/or an outside source. Remember, CNN has to 'sell the news,' so be sure that your column or video is snappy, fast-paced, hard-hitting, and interesting.


Submit either your Word-compatible document or your video to your instructor via the link below. Be sure this file is submitted before the end of our academic week.




  Looking Ahead to Next Week


This is just a reminder that Milestone 1 of your case study is due next week. Check the information in the Final Project area for more details.


This assignment is not due until Week 6.





Tuesday, December 27, 2011

Post 033 - CIS 537






The First Amendment - A Picture Is Worth 1000 Words, Two Pictures, 2000 Words



CONSTITUTION OF THE UNITED STATES OF AMERICA, PROPOSED BY CONGRESS, AND RATIFIED BY THE LEGISLATURES OF THE SEVERAL STATES, PURSUANT TO THE FIFTH ARTICLE OF THE ORIGINAL CONSTITUTION


Article [I.]
Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances. 





References

Ballard, Spahr, Andrews, Ingersoll, LLC. (2004) Privacy Law. [Electronic version.] Retrieved from the web on May 14, 2004 at http://www.virtualchase.com/resources/privacy.html.


Brancik, K. C. (2008). Insider Computer Fraud: An In-depth Framework for Detecting and Defending Against Insider IT Attacks. Boca Raton, FL: Auerbach Publications.


Davis, C.; Schiller, M.; and Wheeler, K. (2007). IT Auditing: Using Controls to Protect Information Assets. New York, NY: Osborne McGraw Hill.


Department of Homeland Security. (2009).  (U//FOUO) Rightwing Extremism:  Current Economic and Political Climate Fueling Resurgence in Radicalization and Recruitment.  Retrieved from the web at http://www.fas.org/irp/eprint/rightwing.pdf on December 24, 2011.

Department of Justice (2004).  USA PATRIOT Act at Work.  Retrieved from the web at

Doyle, C. (2002).  USA PATRIOT Act: A sketch.  Retrieved from the web at http://www.fas.org/irp/crs/RS21203.pdf  on December 24, 2011.

Doyle, C. (2010).  National Security Letters in Foreign Intelligence Investigations: A Glimpse of the Legal Background and Recent Amendments - a CRS Report Dated December 27, 2010.  Retrieved from the web at  http://www.fas.org/sgp/crs/intel/RS22406.pdf  on December 24, 2011.

Electronic Privacy and Information Center Resources about the USA PATRIOT Act. http://epic.org/privacy/terrorism/usapatriot/

EPIC. (2011). Information Related to the USA PATRIOT Act. Retrieved from the web at http://epic.org/privacy/terrorism/usapatriot/ on December 9, 2011.


Frackman, A., Martin, R., and Ray, C. (2002). Internet and Online Privacy: A Legal and Business Guide. New York: ALM Publishing.


Galik, D. (1998). Defense in Depth: Security for Network-Centric Warfare. [Electronic version] Retrieved from the web on May 11, 2004 from http://www.chips.navy.mil/archives/98_apr/Galik.htm.

Gaskin, J. (1997). Corporate Politics and the Internet: Connection Without Controversy. Upper Saddle River, NJ: Prentice Hall.


Herrmann, D. S. (2007). Complete Guide to Security and Privacy Metrics: Measuring Regulatory Compliance, Operational Resilience, and ROI. Boca Raton, FL: Auerbach Publications.


Hoffman, L. J. (1977). Modern Methods for Computer Security and Privacy. Englewood Cliffs, NJ: Prentice-Hall.


Icove, D., et al. (1995). Computer Crime: A Crimefighter’s Handbook. Sebastopol, CA: O’Reilly & Associates.


Jacobs, S. (2011). Engineering Information Security: The Application of Systems Engineering Concepts to Achieve Information Assurance. Piscataway, NJ: IEEE Press.


Landy, G. K. (2008). The IT/Digital Legal Companion: A Comprehensive Business Guide to Software, IT, Internet, Media, and IP Law.  Burlington, MA: Syngress.


Lane, C. A. (1997). Naked in Cyberspace. Wilton, CT: Pemberton Press.


Legal Information Institute. (2004). Right of Privacy, An Overview. An article from Cornell Law School. [Electronic version.] Retrieved from the web on May 14, 2004 at http://www.law.cornell.edu/topics/privacy.html .


McCrie, R. D. (2007). Security Operations Management, second edition. Burlington, MA: Elsevier.


Miles, G., et al. (2004) Security Assessment: Case Studies for Implementing the NSA IAM. Burlington, MA: Syngress Publishing, Inc.


Olsen, J. E. (2003). Data Quality: The Accuracy Dimension. San Francisco, CA: Morgan Kaufmann Publishers.


Reynolds, G. W. (2012). Ethics in Information Technology, 4th edition. Boston, MA: Course Technology.

Riggs, M. (2011).  Lee County Deputies Tied Suspect to a Chair, Gagged Him, and Pepper-Sprayed Him to Death.  An article published at Reason.com on December 23, 2011. Retrieved from the web at http://reason.com/blog/2011/12/23/lee-county-deputies-tied-suspect-to-a-ch on December  23, 2011.

Senft, A. and Gallegos, F. (2009). Information Technology Control and Audit. Boca Raton, FL: CRC Press.


The White House. (2009). Cyberspace Policy Review. A document published by the Obama Administration. Retrieved from the web at http://info.publicintelligence.net/cyberspace_policy_review_final.pdf  on December 9, 2011.


ThinkExist.com. (2011).  Benjamin Franklin Quotes.  Retrieved from the web at http://thinkexist.com/quotation/those_who_desire_to_give_up_freedom_in_order_to/12888.html  on December 30, 2011.


U.S. Congress. (1987). The Computer Security Act of 1987. 101 STAT. 1724, Public Law 100-235, 100th Congress. Retrieved from the web http://www.nist.gov/cfo/legislation/Public%20Law%20100-235.pdf on December 9, 2011.


U.S. Government. (2009). American Recovery and Reinvestment Act of 2009. 101 STAT. 1724, Public Law 100-235, 100th Congress. Retrieved from the web http://www.opencongress.org/bill/111-s1/show on December 9, 2011.


U.S. Government.  (2001).  USA PATRIOT Act.  Retrieved from the web at  http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ056.107.pdf   on December 24, 2011.

U.S. Government. (1776). The Declaration of Independence. Retrieved from the web at http://www.billslater.com/tj1776.htm  on November 6, 2011.

U.S. Government. (1791). U.S. Constitution. Retrieved from the web at

Whitman, M. E and Mattord, H. J. (2010). Management of Information Security, third edition: Indianapolis, IN: Course Technology.


Wikipedia. (2011). USA PATRIOT Act. A Wikipedia article retrieved from the web at






Sunday, December 25, 2011

Post 032 - CIS 537

[Image: timeline diagram from the appendix of the Cyberspace Policy Review, described below]


Some Laws that Have Helped Form Security Practices

Security operations management in the typical U.S. organization has been shaped by the formation of policy, laws and regulations (McCrie, 2007).

A report released by the White House in July 2009 summarized the state of cybersecurity and U.S. policy.  The diagram above comes from an appendix of that report, the Cyberspace Policy Review, which was released by the Obama Administration in July 2009. The top half of the diagram shows major historical events related to communications, computers and the Internet. The bottom half of the diagram shows the corresponding history of legislation, regulation and similar measures that have affected security and privacy since 1900. What is particularly interesting about this diagram is that it begins in 1900. As the reader will see, there were some very important developments that shaped the state of the law today.

The tables in the appendices show the following:

Appendix A - A timeline that shows U.S. laws related to privacy and security.

Appendix B - A comprehensive list of State Laws that are related to data privacy.

Taken together, all of these laws have helped to form and influence the composition and operation of security practices in organizations. It is the consequences of non-compliance described in these various laws that give the leadership of organizations a sense of urgency to meet their obligations to protect assets, data, and people.

Also, it is important to note that federal laws are influenced by state laws and vice versa. On May 12, 2011, President Obama’s administration submitted a legislative proposal to Congress to request the creation of laws to provide greater security for Federal government entities under the Department of Homeland Security as well as mandating Federal legislation that will require all organizations that experience privacy data breaches to notify those that are affected.

References:

Ballard, Spahr, Andrews, Ingersoll, LLC. (2004) Privacy Law. [Electronic version.] Retrieved from the web on May 14, 2004 at http://www.virtualchase.com/resources/privacy.html.


Brancik, K. C. (2008). Insider Computer Fraud: An In-depth Framework for Detecting and Defending Against Insider IT Attacks. Boca Raton, FL: Auerbach Publications.


Davis, C.; Schiller, M.; and Wheeler, K. (2007). IT Auditing: Using Controls to Protect Information Assets. New York, NY: Osborne McGraw Hill.


Department of Homeland Security. (2009).  (U//FOUO) Rightwing Extremism:  Current Economic and Political Climate Fueling Resurgence in Radicalization and Recruitment.  Retrieved from the web at http://www.fas.org/irp/eprint/rightwing.pdf on December 24, 2011.

Department of Justice (2004).  USA PATRIOT Act at Work.  Retrieved from the web at

Doyle, C. (2002).  USA PATRIOT Act: A sketch.  Retrieved from the web at http://www.fas.org/irp/crs/RS21203.pdf  on December 24, 2011.

Doyle, C. (2010).  National Security Letters in Foreign Intelligence Investigations: A Glimpse of the Legal Background and Recent Amendments - a CRS Report Dated December 27, 2010.  Retrieved from the web at  http://www.fas.org/sgp/crs/intel/RS22406.pdf  on December 24, 2011.

Electronic Privacy and Information Center Resources about the USA PATRIOT Act. http://epic.org/privacy/terrorism/usapatriot/

EPIC. (2011). Information Related to the USA PATRIOT Act. Retrieved from the web at http://epic.org/privacy/terrorism/usapatriot/ on December 9, 2011.


Frackman, A., Martin, R., and Ray, C. (2002). Internet and Online Privacy: A Legal and Business Guide. New York: ALM Publishing.


Galik, D. (1998). Defense in Depth: Security for Network-Centric Warfare. [Electronic version] Retrieved from the web on May 11, 2004 from http://www.chips.navy.mil/archives/98_apr/Galik.htm.

Gaskin, J. (1997). Corporate Politics and the Internet: Connection Without Controversy. Upper Saddle River, NJ: Prentice Hall.


Herrmann, D. S. (2007). Complete Guide to Security and Privacy Metrics: Measuring Regulatory Compliance, Operational Resilience, and ROI. Boca Raton, FL: Auerbach Publications.


Hoffman, L. J. (1977). Modern Methods for Computer Security and Privacy. Englewood Cliffs, NJ: Prentice-Hall.


Icove, D., et al. (1995). Computer Crime: A Crimefighter’s Handbook. Sebastopol, CA: O’Reilly & Associates.


Jacobs, S. (2011). Engineering Information Security: The Application of Systems Engineering Concepts to Achieve Information Assurance. Piscataway, NJ: IEEE Press.


Landy, G. K. (2008). The IT/Digital Legal Companion: A Comprehensive Business Guide to Software, IT, Internet, Media, and IP Law.  Burlington, MA: Syngress.

Lane, C. A. (1997). Naked in Cyberspace. Wilton, CT: Pemberton Press.


Legal Information Institute. (2004). Right of Privacy, An Overview. An article from Cornell Law School. [Electronic version.] Retrieved from the web on May 14, 2004 at http://www.law.cornell.edu/topics/privacy.html .


McCrie, R. D. (2007). Security Operations Management, second edition. Burlington, MA: Elsevier.


Miles, G., et al. (2004) Security Assessment: Case Studies for Implementing the NSA IAM. Burlington, MA: Syngress Publishing, Inc.


Olsen, J. E. (2003). Data Quality: The Accuracy Dimension. San Francisco, CA: Morgan Kaufmann Publishers.


Reynolds, G. W. (2012). Ethics in Information Technology, 4th edition. Boston, MA: Course Technology.

Riggs, M. (2011).  Lee County Deputies Tied Suspect to a Chair, Gagged Him, and Pepper-Sprayed Him to Death.  An article published at Reason.com on December 23, 2011. Retrieved from the web at http://reason.com/blog/2011/12/23/lee-county-deputies-tied-suspect-to-a-ch on December  23, 2011.

Senft, A. and Gallegos, F. (2009). Information Technology Control and Audit. Boca Raton, FL: CRC Press.


The White House. (2009). Cyberspace Policy Review. A document published by the Obama Administration. Retrieved from the web at http://info.publicintelligence.net/cyberspace_policy_review_final.pdf on December 9, 2011.


U.S. Congress. (1987). The Computer Security Act of 1987. 101 STAT. 1724, Public Law 100-235, 100th Congress. Retrieved from the web http://www.nist.gov/cfo/legislation/Public%20Law%20100-235.pdf on December 9, 2011.


U.S. Government. (2009). American Recovery and Reinvestment Act of 2009. 101 STAT. 1724, Public Law 100-235, 100th Congress. Retrieved from the web http://www.opencongress.org/bill/111-s1/show on December 9, 2011.


U.S. Government.  (2001).  USA PATRIOT Act.  Retrieved from the web at  http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ056.107.pdf   on December 24, 2011.

U.S. Government. (1776). The Declaration of Independence. Retrieved from the web at http://www.billslater.com/tj1776.htm  on November 6, 2011.

U.S. Government. (1791). U.S. Constitution. Retrieved from the web at

Whitman, M. E and Mattord, H. J. (2010). Management of Information Security, third edition: Indianapolis, IN: Course Technology.


Wikipedia. (2011). USA PATRIOT Act. A Wikipedia article retrieved from the web at





Appendix A - Federal Legislation that has Influenced Security Practices - From the Beginning to 2011

Columns: Timeframe / Law / Author(s) / Comments

Timeframe: 1788 – 1789
Law: First Amendment to the U.S. Constitution – Freedom of Speech, Freedom of Assembly, Freedom of Worship.
Author(s): James Madison, et al.

Timeframe: 1788 – 1789
Law: Fourth Amendment to the U.S. Constitution – Freedom from unreasonable search and seizure.
Author(s): James Madison, et al.

Timeframe: 1974
Law: Privacy Act of 1974 (Public Law 93-579, 5 U.S. Code 552a) – sets limits on the collection and transfer of personal data by government agencies and lets citizens sue agencies that violate the act (Lane, 1997).
Author(s): Congress of the U.S.

Timeframe: 1984
Law: “Computer Fraud and Abuse Act – originally enacted as part of the Crime Control Act and was the first statute to specifically address computer crime. In 1990, this was amended “to cover all computers used in interstate commerce or communications” and to prohibit forms of computer abuse which arise in connection with, and have a significant effect upon, interstate or foreign commerce (Frackman, Martin and Ray, 2002).”
Author(s): Congress of the U.S.
Comments: People were prohibited from accessing computers without authorization.

Timeframe: 1986
Law: “Electronic Communications Privacy Act of 1986 – the most comprehensive piece of federal legislation dealing with the interception of and access to electronic communications such as e-mail and voice mail (Frackman, Martin and Ray, 2002).”
Author(s): Congress of the U.S.
Comments: “Enacted to amend Title III of the Omnibus Crime Control and Safe Streets Act of 1968. This act provided protection from traditional means of communication, such as the telephone, by placing restrictions on the wiretapping and eavesdropping of these means of communication. The ECPA modernized the 1968 Act to expand upon all forms of electronic communication. It exposes violators to civil penalties and sets out specific exceptions. However, employers have been able to circumvent any constraints imposed by the ECPA by obtaining consent of employees. Courts have uniformly upheld such consent of employees (Frackman, Martin and Ray, 2002).”

Timeframe: 1987
Law: The Computer Security Act of 1987
Author(s): 101 STAT. 1724, Public Law 100-235, 100th Congress
Comments: This was the first federal law that was exclusively related to computer security.

Timeframe: 1996
Law: “Health Insurance Portability and Accountability Act (HIPAA) of 1996 – required the Department of Health and Human Services to promulgate regulations governing the disclosure of health information (Frackman, Martin and Ray, 2002).”
Author(s): Congress of the U.S.
Comments: Purpose was to safeguard PII and NPPI data in transit, and in storage, whether it is used for financial transactions or a patient’s medical records.

Timeframe: 1999
Law: “Gramm-Leach-Bliley Act – for the purpose of implementing the congressional policy that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers to protect the security and confidentiality of those customers’ nonpublic personal information… (Frackman, Martin and Ray, 2002).”
Author(s): Senators Gramm, Leach and Bliley
Comments: President Clinton was on record as being reluctant to sign this into law, because he didn’t believe it was a good law. Purpose was to safeguard PII and NPPI data in transit, and in storage, whether it is used for financial transactions or a patient’s medical records.

Timeframe: 2001
Law: USA PATRIOT Act, H.R. 3162
Author(s): Frank James Sensenbrenner, Jr. (EPIC, 2011)
Comments: The USA PATRIOT ACT essentially nullified 5 of the first 10 Amendments to the U.S. Constitution. Many citizens feel strongly that the powers now granted to the Executive branch of government and its agents are in direct conflict with the 1st, 4th, 5th, 6th and 8th Amendments in the Bill of Rights to the U.S. Constitution (see Bill of Rights, below). In other words, we now live in such times that many of the rights to privacy that we thought we were guaranteed under the U.S. Constitution are now preempted, at least temporarily, by the PATRIOT Act. In fact, the only way that the PATRIOT Act could be successfully passed in both chambers of Congress was to include a “Sunset Clause,” which caused many of the more far-reaching provisions of the Act to expire automatically unless they were again reviewed and approved by both chambers of Congress. Though there was a “Sunset Clause,” the PATRIOT Act has now been renewed TWICE, once under President Bush and once under President Obama.

Timeframe: 2005
Law: H.R. 4127 – Data Accountability and Trust Act (DATA)
Author(s): House of Representatives - By Rep. Clifford Stearns [R-FL]
Comments: Never passed by the Senate. The goal of this legislation was to protect consumers by requiring reasonable security policies and procedures to protect computerized data containing personal information and to provide for nationwide notice in the event of a security breach.

Timeframe: 2005 - 2011
Law: Breach Notification Act(s)
Author(s): Various State Legislatures
Comments: As of 2011, over 42 states in the U.S. have laws that protect the privacy of NPPI and PII. Purpose was to safeguard PII and NPPI data in transit, and in storage, whether it is used for financial transactions or a patient’s medical records. On May 12, 2011, President Obama’s administration submitted a legislative proposal to Congress to request the creation of laws to provide greater security for Federal government entities under the Department of Homeland Security as well as mandating Federal legislation that will require all organizations that experience privacy data breaches to notify those that are affected.

Timeframe: 2009
Law: HITECH Act
Author(s): U.S. Congress
Comments: Passed as a provision of the American Recovery and Reinvestment Act of 2009. It imposes stiff penalties for HIPAA violations. The ARRA is a bill to create jobs, restore economic growth, and strengthen America's middle class through measures that modernize the nation's infrastructure, enhance America's energy independence, expand educational opportunities, preserve and improve affordable health care, provide tax relief, and protect those in greatest need, and for other purposes (U.S. Congress, 2009).


Appendix B – State Privacy Laws as of 2010

State
Legislation or State Law
Requires
Alaska
A.S. 45.48.010 (July 1, 2009)
Notice to consumers of breach in the security of unencrypted, unredacted personal information in physical or electronic form, or encrypted information where the encryption key may also have been compromised. No notice if a reasonable investigation determines there is no reasonable likelihood of harm to consumers. Written documentation of the investigation must be kept for 5 years. Entities subject to compliance with the Gramm-Leach-Bliley Act are exempt.
Arizona
A.R.S. 44-7501 (December 31, 2006)
Notice to consumers of breach in the security of unencrypted, unredacted computerized personal information. No notice if a reasonable investigation determines there is no reasonable likelihood of harm to consumers. If entity complies with federal rules, then it is deemed to be in compliance with Arizona law.
Arkansas
Ark. Code Ann. 4-110-101 to 108 (March 31, 2005)
Notice to consumers of a breach in the security of unencrypted computerized personal information, and of medical information in electronic or physical form. Notice is not required if there is no reasonable likelihood of harm to consumers. An entity that complies with a state or federal law providing greater protection and at least as thorough disclosure requirements is deemed in compliance.
California
Civil Code Sec. 1798.80-1798.82 (July 1, 2003)
Notice to consumers of a breach in the security, confidentiality, or integrity of unencrypted computerized personal information held by a business or a government agency. A person or business is deemed in compliance if it has its own notification procedures consistent with the timing requirements of this section and provides notice in accordance with those policies, or if it follows a state or federal law that provides greater protection and disclosure.
Colorado
Co. Rev. Stat. 6-1-716(1)(a) (September 1, 2006)
Notice to consumers of breach in the security of unencrypted, unredacted computerized personal information. Notice given unless investigation determines misuse of information has not occurred or is not reasonably likely to occur. If entity is regulated by state or federal law and maintains procedures pursuant to laws, rules, regulations or guidelines, it is deemed in compliance.
Connecticut
699 Gen. Stat. Conn. 36a-701 (January 1, 2006)
Notice of security breach by persons who conduct business in the state and have a breach of the security of unencrypted computerized data, electronic media or electronic files containing personal information. Notice is not required if the breached entity determines, in consultation with federal, state, and local law enforcement agencies, that the breach will not likely result in harm to the individuals. Governmental entities are not required to provide notice under this section. Entities are also deemed compliant if notification is in compliance with rules or guidelines established by their primary functional regulator under the Gramm-Leach-Bliley Act.
Delaware
Del. Code Ann. Title 6 Section 12B-101 to 12B-106 (June 28, 2005)
Notice to consumers of breach in the security of unencrypted computerized personal information if the investigation determines that misuse of information about a Delaware resident has occurred or is reasonably likely to occur. If the entity is regulated by state or federal law and maintains procedures for a breach pursuant to the laws, rules, regulations, guidances or guidelines established by its primary or functional state or federal regulator, then it is deemed in compliance with this chapter provided it notifies affected residents in accordance with the maintained procedures when a breach occurs.
District of Columbia
DC Code Sec 28-3851 et seq. (January 1, 2007)
Notice to consumers of a breach in the security, confidentiality, or integrity of unencrypted computerized or other electronic personal information held by a business or a government agency. This section does not apply to a person or entity subject to the Gramm-Leach-Bliley Act. It also does not apply to a person or business that has its own notification procedures, with timing requirements consistent with those of this section, and that provides notice in accordance with those policies in a way reasonably calculated to give actual notice.
Florida
Fla. Stat. Ann. 817.5681 et seq. (July 1, 2005)
Notice to consumers of a breach in the security, confidentiality or integrity of computerized, unencrypted personal information held by a person who conducts business in the state. Notice is not required if, after appropriate investigation or consultation with law enforcement, the person reasonably determines that the breach has not resulted and will not likely result in harm to individuals. The determination must be documented in writing and maintained for five years. Deemed in compliance if the person's own notification procedure is otherwise consistent with the timing requirements of this section, or if the person maintains notification procedures established by its primary or functional federal regulator.
Georgia
Ga. Code Ann. 10-1-910 et seq. (May 24, 2007. Covers “information brokers and data collectors”)
Notice of breach that compromises the security, confidentiality, or integrity of computerized personal information held by an info broker or data collector.
Hawaii
HRS Sec 487N-1 et seq. (January 1, 2007)
Notice of unauthorized access to and acquisition of unencrypted or unredacted records or data containing personal information where illegal use of the personal information has occurred, or is reasonably likely to occur, and creates a risk of harm to a person. Notice under this section is not required of a financial institution subject to the Federal Interagency Guidance on Response Programs for Unauthorized Access to Consumer Information and Consumer Notice, or of any health plan or healthcare provider covered by HIPAA.
Idaho
Id. Code Ann. 28-51-104 (July 1, 2006)
Notice to consumers of breach in the security of unencrypted, computerized personal information if after a reasonable investigation, the agency, individual or entity determines that misuse of information of Idaho resident has occurred or is reasonably likely to occur. Notice under this section not required by a person regulated by state or federal law and who complies with procedures under that law.
Illinois
ILCS Sec. 530/1 et seq. (January 1, 2006)
Notice to consumers of a breach in the security, confidentiality, or integrity of personal information in system data held by a person or a government agency. Notice under this section is not required if the entity maintains its own notification procedures as part of an information security policy for the treatment of personal information that is otherwise consistent with the timing requirements of this Act.
Indiana
Ind. Code Sec. 4-1-11 et seq. (June 30, 2006)
Notice to consumers of breach in the security, confidentiality, or integrity of computerized personal information held by a government agency.
Indiana
Ind. Code Sec. 24-2-9 et seq). (June 30, 2006)
Notice when a data collector knows, should know, or should have known that the unauthorized acquisition of computerized data, including computerized data that has been transferred to another medium, constituting the breach has resulted in or could result in identity deception, identity theft or fraud. Notice is not required under this section if the entity maintains its own disclosure procedures; is subject to the federal USA PATRIOT Act, Executive Order 13224, the Fair Credit Reporting Act (FCRA), the Financial Services Modernization Act (Gramm-Leach-Bliley) or HIPAA; or is a financial institution that complies with the Federal Interagency Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice.
Iowa
Iowa Code Chapter 2007-1154 (July 1, 2008)
Notice to consumers of a breach in the security of unencrypted, unredacted personal information in electronic form. No notice if a reasonable investigation determines there is no reasonable likelihood of harm to consumers. Written documentation of the investigation must be kept for 5 years. Exempted are those with their own notification procedures, or procedures under state or federal law providing greater protection to personal information and at least as thorough disclosure requirements, pursuant to the rules, regulations, procedures, guidance or guidelines established by their primary regulator or by state or federal law. Entities subject to compliance with the Gramm-Leach-Bliley Act are exempt.
Kansas
Kansas Stat. 50-7a01, 50-7a02 (January 1, 2007)
Notice to consumers about a breach in the security of unencrypted, unredacted computerized personal information if an investigation determines that misuse has occurred or is reasonably likely to occur.
Louisiana
La. Rev. Stat. Ann. Sec. 51 3071-3077 (January 1, 2006)
Notice of a breach of the security, confidentiality, or integrity of unencrypted, computerized, personal information by persons doing business in the state. No notice if, after a reasonable investigation, the data holder determines that there is no reasonable likelihood of harm to customers. Notice not required by financial institutions in compliance with federal guidance.
Maine
Me. Rev. Stat. Ann. 10-21-B-1346 to 1349 (January 31, 2006. Covers only information brokers)
Notice of a breach of the security, confidentiality, or integrity of unencrypted, computerized, personal information if the personal information has been or is reasonably believed to have been acquired by an unauthorized person. Notice under this section is not required by persons regulated by state or federal law and which complies with procedures under that law.
Massachusetts
201 CMR 17.00 (March 1, 2010)
Notice of a breach, defined as the unauthorized acquisition of unencrypted data, or of encrypted electronic data together with the confidential process or key, that is capable of compromising the security, confidentiality or integrity of personal information and that creates a significant risk of identity theft or fraud.
Michigan
2006-PA-0566 (July 2, 2007)
Notice of a breach of the security, confidentiality, or integrity of unencrypted, computerized, personal information by persons doing business in the state. Notice under this section required unless person/agency determines security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft. Does not apply to financial institutions or HIPAA entities.
Minnesota
Minn. Stat. 324E.61 et seq. (January 1, 2006)
Notice of a breach of the security, confidentiality, or integrity of unencrypted, computerized, personal information by persons doing business in the state. Does not apply to financial institutions or HIPAA entities.
Montana
Mont. Code Ann. 31-3-115 (March 1, 2006)
Notice to consumers of breach in security, confidentiality, or integrity of computerized personal information held by a person or business if the breach causes or is reasonably believed to have caused loss or injury to a Montana resident. Notice under this section is not required if the entity maintains own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section.
Nebraska
Neb. Rev. Stat. 87-801 et seq. (July 16, 2006)
Notice to consumers of a breach in the security of unencrypted computerized personal information if an investigation determines that unauthorized use of the information has occurred or is reasonably likely to occur. Deemed in compliance if the person's own notification procedure is otherwise consistent with the timing requirements of this section, or if the person follows notification procedures established by its primary or functional federal regulator.
Nevada
Nev. Rev. Stat. 607A.010 et seq. (January 1, 2006)
Notice of breach of the security, confidentiality, or integrity of unencrypted computerized personal information by data collectors, which are defined to include government, business entities and associations who handle, collect, disseminate or otherwise deal with nonpublic personal information. Notice under this section is not required if the entity maintains own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section, or is subject to compliance with the Gramm-Leach-Bliley Act.
New Hampshire
NH RS 359-C: 19 et seq. (January 1, 2007)
Notice of unauthorized acquisition if it is determined that the information has been or is likely to be misused. Notice must be given if there is a determination that misuse of information has occurred or is reasonably likely to occur, or if such a determination cannot be made. Notice under this section is not required if the entity maintains its own notification procedures as part of an information security policy for the treatment of personal information that is otherwise consistent with the timing requirements of this section, or if the entity is a person engaged in trade or commerce under RSA 358-A:3 and maintains notification procedures established by its primary or functional regulator.
New Jersey
NJ Stat 56:8-163 (July 2, 2006)
Notice of breach of security of unencrypted computerized personal information held by a business or public entity. No notice if a thorough investigation finds misuse of the information is not reasonably possible. Written documentation of the investigation must be kept for 5 years. Notice under this section not required if entity maintains own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section.
New York
NY Bus. Law Sec. 899-aa. (December 8, 2005)
Notice of breach of security of computerized unencrypted, or encrypted with acquired encryption key, personal information held by both public and private entities.
North Carolina
N.C. Gen. Stat. 75-65 (December 1, 2005)
Notice of breach of security of unencrypted and unredacted written, drawn, spoken, visual or electromagnetic personal information, and encrypted personal information with the confidential process or key, held by a private business if the breach causes, is reasonably likely to cause, or creates a material risk of harm to residents of North Carolina. Financial institutions subject to compliance with the Federal Interagency Guidance on Response Programs for Unauthorized Access to Member Info and Member Notice are exempt.
North Dakota
N.D. Cent. Code 51-30 (June 1, 2005)
Notice of a breach of the security of unencrypted, computerized, personal information by persons doing business in the state. Includes an expanded list of sensitive personal information, including date of birth, mother’s maiden name, employee ID number, and electronic signature. Exception for those financial institutions which are in compliance with federal guidance.
Ohio
O.R.C. Ann. 1349.19 et seq. (February 17, 2006)
Notice of breach of the security or confidentiality of computerized personal information, held by a state agency, political subdivision or business where reasonably believed it will cause a material risk of identity theft or fraud to a person or property of a resident of Ohio. Notice under this section is not required by financial institutions, trust companies or credit unions or any affiliate required by federal law to notify customers of information security breach and who is in compliance with federal law.
Oklahoma
Okla. Stat. 74-3113.1 (June 8, 2006)
Requires state government agencies to give notice of breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of Oklahoma whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Notice is not required under this section by a state agency, board, commission, or unit or subdivision of government if the entity maintains own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section.
Oregon
O.R.S. 646A.604 (October 1, 2007)
Notice when unauthorized acquisition of computerized data materially compromises the security, confidentiality or integrity of personal information maintained by the person. Notice is not required if, after an appropriate investigation or after consultation with federal, state or local agencies responsible for law enforcement, the person determines that no reasonable likelihood of harm to the consumers whose personal information has been acquired has resulted or will result from the breach. The determination must be in writing and kept for 5 years. Exempted are those with their own notification procedures under state or federal law providing greater protection to personal information and at least as thorough disclosure requirements, pursuant to the rules, regulations, procedures, guidance or guidelines established by their primary regulator or by state or federal law, and financial institutions that are in compliance with federal guidance.
Pennsylvania
73 Pa. Cons. Stat. 2303 (June 30, 2006)
Notice of breach of the security or confidentiality of computerized personal information held by a state agency, political subdivision or business that is reasonably believed to have been accessed or acquired by an unauthorized person. Notice under this section is not required if the entity maintains its own notification procedures as part of an information security policy for the treatment of personal information that is otherwise consistent with the timing requirements of this section. Financial institutions subject to compliance with the Federal Interagency Guidance on Response Programs for Unauthorized Access to Member Info and Member Notice are exempt.
Puerto Rico
10 L.P.R.A. 4051 et seq. (January 5, 2006)
Notice of breach of the security, confidentiality and integrity of unencrypted personal information, where access has been permitted to unauthorized persons or it is known or reasonably suspected that authorized persons have accessed the information with intent to use it for illegal purposes.
Rhode Island
RI Gen. Law 11-49.2-3 to 11.49.2-7 (March 1, 2006)
Notice of a breach of the security, confidentiality or integrity of unencrypted computerized personal information by persons and by state agencies, if the breach poses a significant risk of identity theft and the unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. No notice is required if, after an appropriate investigation or after consultation with relevant federal, state, and local law enforcement agencies, the entity determines that the breach has not resulted and will not likely result in harm to individuals. Does not apply to HIPAA entities or to financial institutions in compliance with the Federal Interagency Guidelines. Entities covered by another state or federal law are exempt only if that other law provides greater protection to consumers.
South Carolina
SC Code §1-11-490 et seq. (January 1, 2009)
Notice of a breach of the security of computerized, unencrypted and unredacted personal information, or of encrypted information with a key that has also been compromised, when illegal use of the information has occurred or is reasonably likely to occur, or when use of the information creates a "material risk of harm" to the consumer. Notice under this section is not required if the entity maintains its own notification procedures as part of an information security policy for the treatment of personal information that is otherwise consistent with the timing requirements of this section.
Tennessee
Tenn. Code. Ann. 47-18-21 (July 1, 2005)
Notice of the unauthorized acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personal information. Does not apply to persons subject to Title V of the Gramm-Leach-Bliley Act.
Texas
Tex. Bus & Com. Code Ann. 4-48-103 (September 1, 2005)
Notice of a breach of the security, confidentiality, or integrity of unencrypted, computerized, personal information by persons who conduct businesses in the state. Notice under this section not required if the entity maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section.
Utah
Utah Code 13-44-101 et seq. (January 1, 2007)
Notice of a breach of the security of computerized personal information that is not protected by a method that makes the information unusable. Entities covered by another state or federal law are exempt if the person notifies each affected Utah resident in accordance with that law.
Vermont
Vt. Stat. Tit 9 Sec. 2435 (January 1, 2007)
Notice if investigation reveals misuse of personal information for identity theft or fraud has occurred, or is reasonably likely to occur. Notice is not required if the data collector establishes that misuse of personal information is not reasonably possible. Must provide notice and explanation to the Attorney General or department of banking, insurance, securities and health care administration in the event data collector is a person/entity licensed with that department. Financial institutions subject to compliance with Federal Interagency Guidance on Response Programs for Unauthorized Access to Member Info and Member Notice are exempt.
Virgin Islands
14 V.I.C. 2208 et seq. (October 17, 2005)
Notice of a breach of the security, confidentiality, or integrity of unencrypted, computerized, personal information reasonably believed to have been acquired by unauthorized persons. Notice under this section not required if entity maintains own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section.
Virginia
VA Code 18.2-186.6 (July 1, 2008)
Notice of any breach of the security of computerized, unencrypted and unredacted personal information, or encrypted information with a key that has also been compromised, if an individual or entity reasonably believes such information has been accessed and acquired by an unauthorized person and has caused or will cause identity theft or other fraud. Notice under this section is not required if an entity maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section, or if the entity has notification procedures established by a federal regulator. This section does not apply to any entity that is subject to compliance with the Gramm-Leach-Bliley Act.
Washington
RCW 42.17 et seq. (July 24, 2005)
Notice of a breach of the security, confidentiality, or integrity of unencrypted, computerized, personal information by persons, businesses and government agencies. Notice is not required when there is a technical breach of the security of the system which does not seem reasonably likely to subject customers to a risk of criminal activity. Notice under this section not required if entity maintains own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section.
West Virginia
WV Code 46A-2A-101 et seq. (June 26, 2008)
Notice of any breach of the security of computerized, unencrypted and unredacted personal information, or encrypted information with a key that has also been compromised, reasonably believed to have been accessed and acquired by an unauthorized person and has caused, or will cause, identity theft or other fraud. Financial institutions subject to compliance with Federal Interagency Guidance on Response Programs for Unauthorized Access to Member Info and Member Notice are exempt.
Wisconsin
Wis. Stat. 895.507 (March 16, 2006)
Notice to the consumer when personal information is taken in a security breach that is not encrypted, redacted or altered in any manner rendering the information unreadable. This includes DNA and biometric data. Notice not required if the acquisition of personal information does not create a material risk of ID theft or fraud.
Wyoming
W.S. 40-12-501 to 509 (July 1, 2007)
Notice of the unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal identifying information, if an investigation determines that misuse of the personal identifying information has occurred or is reasonably likely to occur. Financial institutions subject to the Gramm-Leach-Bliley Act or credit unions under 12 USC §1752 are exempt from providing notice under this section.

(Jacobs, 2011)

