Now that we've talked about laws and sort of a broad idea, let's look at a few that could be specifically significant. So the 1st 1 the first light here we look at both export and import restrictions. And if we're gonna talk about export restrictions, the law that would come to mind is called the Boston ER agreement.
And, uh, this came out in the nineties, and basically what it did, it first makes perfect sense. It made it illegal to sell munitions to terrorist states. Well, of course, that seems like a pretty reasonable law.
But where it was a little bit controversial is that it listed cryptographic algorithms that provide greater than 40 bit encryption. It considered those to be munitions. So in the nineties, it listed in the nineties. It was illegal to export,
for instance, the normal version of Windows 95 because Windows 95 at that point supported cryptography. Triple Dez that had 100 68 bit encryption.
So I remember there was a little multinational pack of AA that we had in our office of Windows 95 it had the will read sticker on the front that said this version of Windows only contains only supports 40 bit encryption and stepping in compliance with the Boston. Our agreement and the loss of the Boston agreement is still around
which nations are considered terrorist states and what's strong encryption is considered may vary, but the Boston agreement still is there in place
now. Some countries forbid import of strong crypt of systems. For instance, several countries in the Middle East were trying to bar blackberries from coming into the country because the BlackBerry messenger uses a very secure mechanism R C R S A.
For its messaging application that confide it to 2048 bit encryption in this very strong
all right trans border issues Keeping in mind if we are looking to prosecutor, even research computer crime. Every jurisdiction is different. Different countries treat computer crimes differently. Some of them sponsor computer crimes. So obviously that adds, Ah, whole new realm of challenges.
Privacy. Speaking about privacy in relation to employees monitoring, be very, very careful here, Um,
not just for the test, but in the real world. You want to make sure that your employees monitoring proper policies have been inspected by HR that ah legal signs off on them and that you as an employee or not doing anything without first getting legal consul to It's a very touchy issue.
Do employees expect privacy? Yes, they do.
Do I have to guarantee them privacy? I don't. But I have to be very careful about how I infringe upon their processing. Now again, I'm not giving any sort of legal advice here. But as far as best practices go, if you're gonna monitor your employee's email phone conversations, notify, notify, notify,
get them to sign a waiver. Make sure it's part of your company policy. Make sure that it's done randomly and you're not targeting individuals.
Those would be, you know, some of the best practices. But make sure you know, yeah, employees do expect privacy. And also remember, it's not my job to try to catch the bad guys. My job is to protect company assets. I would infinitely rather deter employees from doing something elicit,
then have to try to catch them later
so you can remind them too much. That's the purpose of log in banners, and that's the purpose of mentioning this information at weekly staff meetings or or however, that would Look, you're not trying to sneak up and catch somebody. You're trying to remind people that these air the expectations, and if they don't follow the expectations, they'll be called
All right, HIPPA specifically Health Insurance Portability and Accountability Act. It applies to health insurers, health providers and help care clearinghouse agencies. And these air the large organizations that process claims. So it's possibly testable about the three
entities hip applies to.
I also know that if I'm a health care provider and I outsource the processing of my claims to another company because I don't feel like I can maintain it, the compliance just because I have outsourced that work doesn't mean I'm off the hook. I'm now
I have that downstream liability for my business associate and how they process the work. Okay,
so just because I've outsourced doesn't mean I'm not still liable. I am because of the high tech act, and I believe the high tech act was in 2010. They have liability as well, but outsourcing does not eliminate my risk.
Gramm Leach Bliley G L B. A. The Gramm Leach Bliley Act It's all about protecting customer or information in relation to banking Ah, banks can't sell my credited at my financial information. They can't release how much money's in my checking account or any of those ideas
and several of the rules. I wouldn't get real deep here,
but, you know, it never hurts to read out just a little bit.
All right. P C i. D. S s payment card industry data security standard. This is not a law. It's not a legal mandate. As a matter of fact, the payment card industries currently self regulated, and it is in their best interest to remain self regulated. So they have a Siri's of rules regarding auditing and compliance. Security mechanisms
and the major payment card companies
provide those audits. And if an organization were to not meet the audit, they could possibly have, Ah, the ability to receive payment card payments were vote so currently itself self regulated. That could change at any point in time if the payment card industry doesn't do a good job with self regulation.
Hey, six core principles. The principles are not testable, which you can see
focuses around. Security has secure network, protect the data
vulnerability assessments, have access control measures that are strong. Monitor and test the networks and have a security policy. And obviously the requirements are much more detailed in this. For those with six core principles,
organizations don't always disclose if they've had a breach. Certain types of industries have to come forward and have to acknowledge that reaches happen. But they generally have a matter of days before they have to do. That could be 30 days regardless.
Companies don't want to do that, though, and companies feel like, you know, if I come forward. And I said, we've had a breach than that since their stocks plummeting, and that makes the customers you want to look somewhere else. So I would say it's just the tip of the iceberg, the number of breaches that actually get reported
compared to what actually happens.
Auditing role. So auditing, you know, this is where we have an evaluation of our policies and procedures and make sure that what we've put in place is being followed and that it's in fact, it's infected that it's effective two very different words there, um,
auditors again, we want them to report to the chief
operating officer rather than to the security team or the networking team. These are the folks there actually