C841 Legal Issues in Information Security C841 Task 1

Legal Issues in Information Security – C841 Task 1 Western Governors University Relevancy of the Computer Fraud and Abuse Act (CFAA) CFAA addresses the compromise of confidentiality against a protected computer, whic ...

Legal Issues in Information Security – C841 Task 1 Western Governors University Relevancy of the Computer Fraud and Abuse Act (CFAA) CFAA addresses the compromise of confidentiality against a protected computer, which is any federal computer, financial computer, or any computer used in interstate or foreign commerce. Within the case study, the Business Intelligence (BI) Unit of TechFite utilized fake user accounts to gain unauthorized access to computers in TechFite’s financial department which resulted in the loss of confidentiality of these systems. By compromising the confidentiality of these finance computers, the Business Intelligence Unit violated the Computer Fraud and Abuse Act because the TechFite finance computers are considered protected computers due to their role in interstate. Relevancy of the Electronic Communications Privacy Act (ECPA) The ECPA addresses unauthorized access to electronic communications, whether stored on a hard drive or in transit over the network. Within the case study, Sarah Miller from TechFite’s BI unit conducted scanning activity into the private networks of several Internet-based companies. Because these internal communications were within the private networks of outside companies, Sarah Miller violated the Electronic Communications Privacy Act. Three Laws that Justify Legal Action Three laws that can be used in the justification of legal action against negligent activity observed within the TechFite case study are the Computer Fraud and Abuse Act (CFAA), the Sarbanes-Oxley Act of 2002 (SOX), and the Electronic Communications Privacy Act (ECPA). Computer Fraud and Abuse Act The CFAA addresses the unauthorized trafficking of computer access information that allows people to access other computers without authorization and with the intent to defraud. Within the case file, fake company accounts were created then given increased privileges which were used to access computers from the legal, human resources, and finance departments without authorization. The Chief Information Security Officer was negligent by not ensuring that all user accounts are valid and have the appropriate permissions. The CFAA applies to this instance because the fake user accounts gave unauthorized access to several departments' computer systems which the criminals intended to use to defraud the company. Sarbanes-Oxley Act of 2002 SOX addresses the retention and control that companies must maintain over internal financial documents. SOX applies in the justification of legal action for this case because the company was negligent in providing internal oversight within the company, which is required by SOX to ensure the company is employing appropriate controls to protect the integrity and confidentiality of its internal documentation. Electronic Communications Privacy Act The ECPA addresses the restriction of accessing stored electronic communications. These electronic communications can be in transit over airways or across the wire. Within the case study, Sarah Miller from the TechFite’s Business Intelligence Unit performed illegal network scans of several Internet-based companies, which is a direct violation of the ECPA. Duty of Care Duty