Regulatory and Legal Considerations

00:00

less than 1.4 regulatory and legal considerations.

00:04

In this lesson, we're going to look at three things. One. Understand the legal and regulatory issues facing incident response programs and incidents in general

00:14

number to identify legal considerations when responding to and remediating a cyber incident. And three how you may interact with law enforcement during an incident.

00:26

Some example. Regulations that you might find yourself being required to comply with is PC I. D. S s. So that's the payment card industry regulations that organizations comply with and go through assessments relative to this.

00:43

And if you're have if you have a breach or something with PC I data, you may be required to bring in a PC I DSS

00:51

certified or approved

00:53

Incident response team. Digital forensics people to come in and help you with that incident.

00:58

HIPPA has to do with medical information, and you very well may get involved in incidents involving medical information and have to deal with HIPPA considerations.

01:10

Fisma is regarding the federal government in the United States, and this is the federal Information Security Management Act, and it talks about how cybersecurity and risk and all of the security controls and inventories of federal information systems have to be

01:27

abided by. So if you're a federal employee or contractor, you probably know about fisma. Already.

01:36

Nerve has to do with utilities and specifically critical infrastructure and electrical grids, and there may be some requirements there.

01:45

California has sent a bill 13 86. That's a statewide requirement about cybersecurity. New York State also has a law under the financial services

01:56

organization there, and you can look it up under D. F s 500.

02:00

The S E C. Has plenty of regulations relative to cybersecurity, and then GDP are. Although it applies to the European Union, the you there are plenty of implications for United States organizations as well. Whether you do business with people in the U or

02:17

have people from the U visiting your websites, you may in fact have to comply with GDP Are

02:23

I know there's other courses in Sai Buri on many of these regulations that will talk more in depth for the purposes of this course, though I just want to make you aware that all of these that I mentioned may have some requirements or discussion about incident response.

02:42

So let's talk about a couple of legal considerations that you should have in the back of your mind when you're doing incident response and writing the incident response plan.

02:52

Now there are different touchpoints with legal throughout the whole life cycle of incident response. And I've mentioned already when I talked about stakeholders for incident response, how important it is to have legal and HR identified as stakeholders and already forge a partnership with those organizations

03:10

long before you actually have a cyber incident.

03:14

So here's a couple things to think through many of these. We will deep dive later on in this course, but I want to introduce them now.

03:21

The 1st 1 is the this disconnect versus the watch and learn decision.

03:27

What this really is talking about is if, in fact, your organization is compromised,

03:32

are you going to just disconnect altogether from the Internet? There's plenty of organizations that have done that and continue to do that as a strategy.

03:39

Are you only going to disconnect the infected hosts or are you going to do what's called watch and learn where that is that you allow the Attackers to remain in your network while you gather intelligence about who they might be what they are after, where they're headed,

03:58

and there's pros and cons to both of these, and I will walk through those later. But there could be legal implications as well to either decision.

04:05

The option to contact law enforcement is something to consider as well. I'll talk about the pros and cons of getting law enforcement involved later, As you remember from my background, I spent 11 years in law enforcement, and seven of those were specifically dealing with cyber crimes.

04:21

And I was involved with the FBI, deputized by them and assigned to a task force on Cyber.

04:29

So I had the opportunity from a law enforcement perspective

04:31

to have been called by organizations about breaches and intrusions and go investigate those. I also had times where I was notifying people that they had been the victim of a cyber crime that they were unaware of before my call.

04:46

And based on my experience and just additional experience from others, I have talked Teoh, I'll walk you through that decision framework that you should go through. If you are thinking about getting law enforcement involved

04:58

in something within your organization

05:00

evidence chain of custody and this is extremely important. If you are collecting evidence as part of an incident response process, which most of the time you will be the handling of that evidence, the documentation of the storage of it

05:16

are all critically important. If you ever want to be able to use that evidence

05:21

against someone in a criminal proceeding in an administrative fashion or for some other type of legal proceeding, you want to make sure that it is handled correctly. Otherwise, the evidence itself could be spoiled, tainted and not allowed to be presented

05:40

in any type of hearing or

05:43

legal case. And then finally, the privacy considerations and employees, acceptable use policies. And what this is talking about is, Do you have an expectation of privacy within your work or organizational computers? Do you have a policy that states this

06:00

so most organizations will have some sort of a log on banner or

06:05

and or an acceptable use policy that is written that people must sign as part of their employment?

06:14

And with this,

06:15

the acceptable use policy typically states things like they won't use their computer to try and introduce malware to the network, They won't look a inappropriate websites they won't violate policy, knowingly or willfully

06:31

of the organization. They won't insert malicious software or even install any software if that's part of

06:39

the policy. But there's also generally Cem wording in there about the privacy considerations. So

06:46

do your employees have an expectation of privacy on their work computers? Usually they do not, and this is important to get out there and identified. So if you're doing an incident response activity and you're pulling memory images, you're looking at hard drive space. You are recovering deleted files and you find something that

07:05

ends up being used against an employee.

07:09

What are their expectations of privacy and have you put them on notice about that is very important to get those things figured out.

07:16

So on that short lesson, let's go through a quiz question

07:19

of the below regulations, which is most applicable to the U. S. Federal government.

07:26

A PC I DSS

07:29

be GDP are

07:30

see fisma or D. None of the above.

07:39

The answer to this one is See Fisma. That's the federal Information Security Management Act that is the one that is applicability to the U. S. Federal government.

07:47

Second quiz question. Who should make the decision to contact law enforcement during a cyber incident. A The incident handler on duty

07:57

Be the chief information officer.

08:00

See the Service Desk

08:01

or D Chief executive and consultation with Legal.

08:09

The right answer for this one is D, the chief executive in consultation with Legal. As I mentioned, contacting law enforcement is a little bit tricky. There's some pros and cons to it. I walk through them or in depth later.

08:22

But for now, make sure that you understand that's not a decision that should be made without the full involvement of legal and that partnership,

08:30

as well as senior leadership within the organization.

08:33

So in summary on this lesson, we talked about possible options when deciding to disconnect or watch and learn during a cyber incident. We talked about some common regulations that may play into IR plans, some considerations when contacting law enforcement and also the chain of custody, and how important it is

08:52

for maintaining evidence within