Liability

Time
15 hours 43 minutes
Difficulty
Advanced
CEU/CPE
16
Video Transcription
>> Liability is one of those terms that, as a senior executive, strikes fear in our hearts. We don't want to be held liable for loss. In this section, we're going to talk about some ideas about what being found liable is and discuss the idea of culpable negligence. Then we're going to cover some other terms like due diligence, due care, and also the prudent person rule.

Now, what I'm going to give you, these aren't necessarily definitions I would run back to law school with, but what I'm going to tell you is I'll give you the definitions for how they fit into the context of the CISSP exam. Those of you who are attorneys out there may say, well, that's a little bit simplistic. Yes, it is. I'm no lawyer, but we're going to frame it in the context of the exam.

I'm going to give you a little scenario. Let's say I have a company and we own 100 computers, and these computers are all connected to the Internet. Now, they're my computers. These systems are compromised and used to launch a downstream attack on another network, and they cause thousands of dollars' worth of damage. They're my computers, I had no ill will, but my computers were compromised and they wound up launching an attack downstream costing thousands of dollars' worth of damage. The question is, am I liable? Am I culpably negligent?

Now, the best answer whenever I ask you a question is probably going to be maybe. Maybe is one of those safe answers. Maybe, and that's the perfect answer here. The question is, can I be held liable? I can. Am I necessarily going to be? Who knows. Because my question to you to follow up with this is, can I secure a system in such a way that we can guarantee there is no possible opportunity for compromise? Can I build a rock-hard system that can't be compromised, breached, that can't be manipulated? The answer is no. As a matter of fact, as soon as you think you've built that system, I can tell you someone is going to come along and crack it.

What can I do? I don't want to be found liable, I don't want to be responsible for thousands of dollars or even more worth of loss. What can I do? I can do what's right. I can do research, I can implement best practices, I can have good security policies and procedures in place. In short, I can use some terms like due diligence and due care.

Like I said, don't take these to law school, but the quick, easy definition: due diligence is my research. I have to do my research. I have to know what other organizations in the same industry are doing. I have to make myself knowledgeable in relation to threats and vulnerabilities. So I have to do my research, and that's due diligence. But the most important piece is to act upon that knowledge. It doesn't matter so much what I know, it matters what I do, and that's due care. You can remember it by thinking, if I care, I will act. I have to do the research; that's due diligence. But then once I find out what industry standard best practices are or what laws and regulations I have to adhere to, I need to create and develop a security program that will ensure I'm in compliance, that will show I've acted responsibly and cautiously as a prudent person would do.

This is the prudent gender-nonspecific individual rule. In all seriousness, at one point in time, this used to be called the prudent man rule. If you look at some of your older readings, you'll still hear it referenced that way. But of course, now we're politically correct. It is the gender-nonspecific individual rule. What this simply means is, based on a judge's discretion, I have acted responsibly and cautiously as a prudent person would do.

In short, I can do the right thing. I can prove that I've used due diligence and due care. Like I said, due diligence being the research: doing things like attending conferences, hiring subject matter experts and having them provide input, conducting vulnerability assessments so I know what the weaknesses are in my organization. Those fall under the category of due diligence. Now, due care is where I act. This is the development of my security policies. This is the enforcement of my security policies, because really a policy is only as good as its enforcement. This is the auditing to make sure policies and procedures are being followed. It's that due care piece that's super important. As a matter of fact, if they were to ask you which is the most important element of avoiding liability or culpable negligence, it really is due care above all else. Due diligence is great, but if you only research and you don't act, that doesn't matter.

Now, long story short, do the right thing and be able to prove you've done the right thing. Leave that paper trail of how you can demonstrate, or how you have demonstrated, due diligence and due care.

One other issue with liability. The last bullet point, the question is, who is ultimately responsible for the security of the organization? Anytime you see that word, ultimately, I want your mind to go directly to senior management, because at the end of the day, no matter what, it's senior management that is accountable, and they might also use the phrase ultimately responsible. That's a little tricky because accountable and responsible are different words with different definitions. But accountable, they'll use interchangeably with ultimately responsible; it comes down to senior management. Who's going to get sued? You can think about it in that way.

With your liabilities, we talked about the need to avoid liabilities. We don't want to be found culpably negligent. The key to doing that is to exercise due diligence, due care, and ideally demonstrate that we've acted responsibly and cautiously in alignment with the prudent person rule.