The NIST Definition of Cloud Computing

Due on Wednesday March 15, 2017 8:30pm eastern time New York USA.

Please respond to each question with at least 200 words and references.

Reading for #1

111009 Teacher Suit

Articles

GJD-RA

Maryland Statute House Bill 964

MCEA Contract

MCPS Nonrenewal of Contract Policy GJB-RC

MCPS Suspension and Termination of Professional Staff Policy

Student Code of Conduct POLICY 7

#1

In December, two legal experts presented conflicting views about limiting Internet communications. Here are their articles: http://www.slate.com/articles/news_and_politics/view_from_chicago/2015/12/isis_s_online_radicalization_efforts_present_an_unprecedented_danger.html and https://www.washingtonpost.com/news/volokh-conspiracy/wp/2015/12/21/protecting-the-first-amendment-in-the-internet-age/?utm_term=.ce196c82b386

By Wednesday, post your argument. For those whose last name begins with A–J, post your argument supporting Judge Posner’s position. (My last name begins with A.) All other students, post your argument supporting Professor Post’s position. Be sure to include research beyond the article.

Follow-up by posting a response, again representing your assigned position, to a posting arguing the other position.

Finally, in the Thread titled “Honest Position,” post your real position and basic rationale.

Reading for #2

(Required Readings)

·       McQuade, S. I. (2016). Computer crime. Salem Press Encyclopedia, Retrieved from http://ezproxy.umuc.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=ers&AN=95342780&site=eds-live&scope=site.

·       Cybercrime (n.d.). Cybercrime Timeline. Retrieved from: http://19623599.weebly.com/timeline.html.

·       Florida Tech (n.d.). A Brief History of Cyber Crime. Retrieved from: https://www.floridatechonline.com/blog/information-technology/a-brief-history-of-cyber-crime/.

·       KhanAcademy (n.d.). The Internet: Cybersecurity and crime.  Retrieved from:   https://www.khanacademy.org/partner-content/code-org/internet-works/v/the-internet-cybersecurity-and-crime.

·       EFF (2013). Computer Fraud and Abuse Act (CFAA). Retrieved from: https://ilt.eff.org/index.php/Computer_Fraud_and_Abuse_Act_(CFAA).

·       Cornell University – Legal Information Institute (n.d.). 18 U.S. Code Chapter 121 – Stored Wire and Electronic Communications and Transactional Records Access. Retrieved from: https://www.law.cornell.edu/uscode/text/18/part-I/chapter-121.

·       Law Enforcement Cyber Center (n.d.). Understanding Digital Evidence. Retrieved from: http://www.iacpcybercenter.org/investigators/digital-evidence/understanding-digital-evidence/.

·       Cornell University – Legal Information Institute (n.d.). Fourth Amendment. Retrieved from: https://www.law.cornell.edu/constitution/fourth_amendment.

·       Federal Bureau of Investigation (FBI) (2016). Law Enforcement Cyber Incident Reporting. Retrieved from: https://www.fbi.gov/file-repository/law-enforcement-cyber-incident-reporting.pdf.

·       Funk & Wagnalls (2016). New World Encyclopedia. Tort 2016. Retrieved from: http://eds.a.ebscohost.com.ezproxy.umuc.edu/eds/detail/detail?vid=5&sid=1f18b6b7-394b-47ce-b6b4-c9e2ad530175%40sessionmgr4006&hid=4211&bdata=JnNpdGU9ZWRzLWxpdmUmc2NvcGU9c2l0ZQ%3d%3d#AN=TO072200&db=funk.

·       Koch, B.A. (2014). Journal of European Tort Law. Cyber Torts: Something Virtually New? Retrieved from: http://eds.a.ebscohost.com.ezproxy.umuc.edu/eds/pdfviewer/pdfviewer?vid=1&sid=1f18b6b7-394b-47ce-b6b4-c9e2ad530175%40sessionmgr4006&hid=4211.

OERs (Recommended Readings)

·       American Bar Association (2007). Cybercrime Havens. Retrieved from: http://www.americanbar.org/content/dam/aba/publications/blt/2007/11/cybercrime-havens-200711.authcheckdam.pdf.

·       District Court, Arapahoe County, Colorado (2012). Motion to Preserve and Produce Evidence. Retrieved from: https://learn.umuc.edu/content/enforced/190519-M_013959-01-2168/Session%209/12CR1522%20Motion%20to%20Preserve%20and%20Produce%20Evidence%20%28D-3%29.pdf?_&d2lSessionVal=tvFPq7FHTRMy6W3iOl2VVohqo&ou=190519.

·       Offices of the United States Attorneys (2008). Application for a Wiretap Order. Retrieved from: http://www.justice.gov/usao/eousa/foia_reading_room/usam/title9/crm00092.htm.

·       United States District Court (2009). Subpoena to Produce Documents, Information, or Objects or to Permit Inspection of Premises in a Civil Action. Retrieved from: https://learn.umuc.edu/content/enforced/190519-M_013959-01-2168/Session%209/Federal%20subpoena%20form%20AO088B.pdf?_&d2lSessionVal=tvFPq7FHTRMy6W3iOl2VVohqo&ou=190519.

#2

This discussion session has two parts:

·       Vulnerability Disclosure: What are the legal and ethical issues governing the disclosure of a vulnerability by an independent technical person (e.g., a cyber researcher)? See this paper: https://www.eff.org/issues/coders/vulnerability-reporting-faq. What are the legal obligations of the government if it comes to know about a vulnerability? Can it corner the vulnerability market and exploit a vulnerability against an adversary? See this paper by Dorothy Denning: https://learn.umuc.edu/content/enforced/111374-022073-01-2158-GO1-9040/DDenning.pdf?_&d2lSessionVal=hDspQFvvJP69gBZD9LTeVUUTl.

·       Attack Disclosure: What are the legal obligations (as well as the protections for sharing) of companies regarding attacks on their systems and possible future attacks and vulnerabilities? Whom should they disclose to: the government, the users of their systems who were affected by the breach, or investors? See:

o   https://www.davispolk.com/sites/default/files/agesser.Cybersecurity.Law_.Report.aug15.pdf

o   https://corpgov.law.harvard.edu/2016/03/03/federal-guidance-on-the-cybersecurity-information-sharing-act-of-2015/

o   http://insurancethoughtleadership.com/cybersecurity-five-tips-on-disclosure-requirements/

o   http://www.wsj.com/articles/should-companies-be-required-to-share-information-about-cyberattacks-1463968801

Participation in both parts is required.

Reading for question #3

(Required Readings)

·       National Institute of Standards and Technology (NIST). (2012). SP 800-61 Rev. 2: Computer Security Incident Handling Guide. Retrieved from: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf.

·       US-CERT (2008). Computer Forensics. Retrieved from: https://www.us-cert.gov/sites/default/files/publications/forensics.pdf.

·       Wegman, J. (n.d.). University of Idaho. Computer Forensics: Admissibility of Evidence in Criminal Cases. Retrieved from: Admissibility of Evidence in Criminal Cases.

·       DoJ (n.d.). Computer Forensics: Admissibility of Evidence in Criminal Cases. Retrieved from: https://www.justice.gov/criminal/cybercrime/docs/ssmanual2009.pdf.

·       FEMA, DHS (n.d.). Business Continuity Plan. Retrieved from: www.ready.gov/business/implementation/continuity.

·       FEMA, DHS (n.d.). Business Continuity Planning Suite. Retrieved from: www.ready.gov/business-continuity-planning-suite.

·       FEMA, DHS (n.d.). IT Disaster Recovery Plan. Retrieved from: https://www.ready.gov/business/implementation/IT.

·       FEMA (n.d.). Planning & Templates, Retrieved from: https://www.fema.gov/planning-templates.

·       NIST (2010). NIST Special Publication 800-34 Rev. 1: Contingency Planning Guide for Federal Information Systems. Retrieved from: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf.

·       Gartner (2005). Laws Influence Business Continuity and Disaster Recovery Planning Among Industries. Retrieved from: https://www.gartner.com/doc/483265/laws-influence-business-continuity-disaster.

·       Geminare (n.d.). An Overview of U.S. Regulations Pertaining to Business Continuity. Retrieved from: http://www.geminare.com/pdf/U.S._Regulatory_Compliance_Overview.pdf.

OERs (Recommended Readings)

·       The International Federation of Red Cross and Red Crescent Societies (IFRC). (2015). The checklist on law and disaster risk reduction. Retrieved from: http://www.ifrc.org/PageFiles/115542/The-checklist-on-law-and-drr.pdf.

Session Notes

Incident Response

After information security processes, procedures and technology have been deployed to protect the enterprise from insider and outsider threats, what do you do when a problem is detected? It is a fact of any enterprise, small or large, that a cyber incident will happen; it is not a question of if, but of when. NIST defines a computer security incident as a violation or imminent threat of violation of computer security policies (800-61v2, 2012). The nature of the incident can range from a massive DDoS attack to a mere intrusion for reconnaissance. Incident response procedures may involve a number of different departments, including information technology, legal and audit. They may also involve all levels of management and external groups, depending on the severity of the incident.

NIST SP 800-61 v2 provides guidelines to develop capabilities for incident handling that include:

·       Creating an incident response policy and plan

·       Developing procedures for performing incident handling and reporting

·       Setting guidelines for communicating with outside parties regarding incidents

·       Selecting a team structure and staffing model

·       Establishing relationships and lines of communication between the incident response team and other groups, both internal (e.g., legal department) and external (e.g., law enforcement agencies)

Legal action as a part of incident response may be necessary at the end of a potentially lengthy investigative process for criminal and civil prosecution. Digital forensics is the area devoted to collecting and preserving evidence and presenting it in a court of law. You learned a variety of digital forensics techniques for collecting and preserving evidence from volatile memory, network traffic, disk, and various logs and intrusion detection systems in INFA 650 and INFA 630. To have evidence admissible in court, you have to have a good understanding of:

·       The Fourth and the Fifth Amendments of the Constitution

·       The three statutory laws: the Wiretap Act, the Pen Registers and Trap and Trace Devices Statute and the Stored Wire and Electronic Communications Act

·       The U.S. Federal Rules of Evidence

An easy-to-read introduction to Digital Forensics Law can be found here: US CERT Computer Forensics, 2008. Another source is: Admissibility of Evidence in Criminal Cases. A more authoritative document on the topic is from the DoJ and can be found at: DoJ: Computer Forensics: Admissibility of Evidence in Criminal Cases.

Business Continuity/Disaster Recovery

Disaster recovery (DR) and business continuity (BC) are terms that are often used interchangeably to describe an organization’s ability to recover from a compromise, intentional or otherwise. DR is often data-centric, while BC is business-centric.

Many organizations separate information security (or IT disaster recovery) from business continuity, so the two may not be tied together organizationally, but they are certainly logically connected. Business continuity ensures availability, one of the three foundations of the CIA triad.

The good news is that there are numerous resources available to assist an organization in BC/DR processes from agencies such as FEMA, DHS and NIST. Here are a few resources:

Business Continuity Plan

Business Continuity Planning Suite

FEMA Planning & Templates

NIST SP 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems

IT Disaster Recovery Plan

There are various laws and regulations that either imply or require Business Continuity (BC)/Disaster Recovery (DR) processes and procedures to be in place in various industries, specifically the health care, government, finance and utility industries. To support BC/DR in these industries, high integrity and availability of data/information is a must. Gartner (2005): Laws Influence Business Continuity and Disaster Recovery Planning Among Industries is an excellent resource that succinctly captures the laws and regulations in these sectors. Regulation and Standards Pertaining to Business Continuity lists both the laws/regulations and the applicable standards an enterprise needs to follow in the finance and healthcare sectors.

#3

Assume you are a CISO. These are the laws governing evidence collection, preservation and presentation in a court of law:

·       The Fourth Amendment of the Constitution

·       The Fifth Amendment of the Constitution

·       The three statutory laws: the Wiretap Act, the Pen Registers and Trap and Trace Devices Statute and the Stored Wire and Electronic Communications Act

·       The U.S. Federal Rules of Evidence

Explain how your digital evidence processes will be/are compliant with one of the above. (They have to be compliant with all of them, but for this exercise you just focus on one.)

Reading for #4

(Required Readings)

·       Deakins, O. (2013). Let’s get physical: five legal issues and telecommuting. Retrieved from: http://www.lexology.com/library/detail.aspx?g=410cefff-dae1-4370-b30d-5fd103545324.

·       Gossett, D. (2012). On the road: legal considerations for telecommuting employers. Retrieved from: http://www.lexology.com/library/detail.aspx?g=f1be8aed-5673-4f9a-b860-2a8eea4294c5.

·       Magruder, J.S. (2015). Journal of Accounting and Finance. Bring Your Own Device (BYOD) – Who Is Running Organizations?

·       IT Pro (2014). Hess, K. Mobile Device Management Features That Matter. Retrieved from: http://www.tomsitpro.com/articles/mdm-solutions-comparison,2-745.html.

·       Mell, P. (2011). The NIST Definition of Cloud Computing. Retrieved from:  http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf.

·       Badger, L. (2012). NIST SP 800-146: Cloud Computing Synopsis and Recommendations. Retrieved from: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-146.pdf.

·       NIST. (2013). SP 500-291v2: NIST Cloud Computing Standards Roadmap. Retrieved from: http://www.nist.gov/itl/cloud/upload/NIST_SP-500-291_Version-2_2013_June18_FINAL.pdf.

·       InfoWorld (2016). The dirty dozen: 12 cloud security threats. Retrieved from: http://www.infoworld.com/article/3041078/security/the-dirty-dozen-12-cloud-security-threats.html.

·       Imperva Incapsula (2015). Top 10 Security Concerns for Cloud-Based Services. Retrieved from: https://www.incapsula.com/blog/top-10-cloud-security-concerns.html.

OERs (Recommended Readings)

·       Telecommuting Policies-A Reading Room. Retrieved from:  https://lsntap.org/telecommuting_reading_room.

·       U.S. Office of Personnel Management. (2011). Guide to Telework in the Federal Government. Retrieved from: https://www.telework.gov/guidance-legislation/telework-guidance/telework-guide/guide-to-telework-in-the-federal-government.pdf.

·       NIST (2016). User’s Guide to Telework and Bring Your Own Device (BYOD) Security. NIST Special Publication 800-114, Revision 1. Retrieved from: https://dx.doi.org/10.6028/NIST.SP.800-124r1.

·       SANS. (2012). Legal Issues within Corporate “Bring Your Own Device” Programs. Retrieved from: https://www.sans.org/reading-room/whitepapers/legal/legal-issues-corporate-bring-device-programs-34060.

·       Cloud Security Alliance. (2009). Security Guidance for Critical Areas of Focus in Cloud Computing v2.1. Retrieved from: CSA: Cloud Security Guidance

·       NIST (2013). Cloud Computing Security Reference Architecture. Special Publication 500-299. DRAFT. Retrieved from: http://collaborate.nist.gov/twiki-cloud-computing/pub/CloudComputing/CloudSecurity/NIST_Security_Reference_Architecture_2013.05.15_v1.0.pdf.

·       U.S. White House. (2012). Digital Government: Bring Your Own Device. Retrieved from: https://www.whitehouse.gov/digitalgov/bring-your-own-device#ttb.

Session Notes

Teleworking

The number of mobile workers and telecommuters has grown significantly over the past few years due to many factors, including:

·       Advances in technology including faster networks/Internet and secure connections through VPN.

·       Need to access a larger pool of talent and specialized talent

·       Need to match and field employees to job sites and customers

Teleworking is a work arrangement in which employees do not commute to a central place of work. A person who telecommutes is known as a “telecommuter,” “teleworker,” and sometimes as a “home-sourced” or “work-at-home” employee. An employer has many legal responsibilities to employees whether they work from a central facility or from home.

According to Deakins (Deakins, 2013), some of the unique legal challenges associated with telecommuters that an organization needs to address fall into these categories:

·       Company Property

·       Security

·       Worker’s Compensation

·       Payroll Records

·       Compensation

Gossett (Gossett, 2012) echoes Deakins’ legal concerns associated with telecommuting, and highlights the following:

·       The Fair Labor Standards Act (FLSA): Employers need to ensure that teleworkers are working the expected number of hours (usually 40 per week), and no less or no more.

·       Occupational Safety and Health Administration (OSHA): Employers expect teleworkers to work in a safe environment; however, OSHA limits the employer’s liability, and specifies that employers are not expected to visit the teleworker’s home to ensure safe conditions.

·       Liability Insurance: Teleworkers have the same rights as all employees, unless otherwise stipulated.

·       Taxes: If the teleworker is located in a state other than that of the company, both parties should be aware of all tax issues, including the withholding and tax filing requirements of the various local and state governments.

·       Other considerations: This is a broad category, including consideration of reasonable accommodation without undue hardship under the Americans with Disabilities Act.

These issues discussed by Gossett need to be formally addressed in a written agreement between the employer and the teleworker to prevent any misunderstanding and ensure the rights and responsibilities of both parties are clear.

Bring Your Own Device (BYOD) to Work

A major source of vulnerabilities introduced by employees is their bringing their own devices to work, known as BYOD (Bring Your Own Device). These devices include laptops, smartphones, portable drives and other media capable of both storing sensitive data and transferring malicious data onto the employer’s network. The arguments in favor of BYOD to work are: (1) increased productivity through familiarity with the device, (2) the convenience of an employee carrying only one or fewer devices, and (3) lower enterprise capital equipment cost, as the devices are bought and paid for by the employees.

Magruder (Magruder, 2015) lists the following steps organizations need to take to safeguard their information systems from any malicious or accidental data breach when BYOD is permitted:

·       Limit the types of devices (e.g., iPhone, iPad and Android smartphones and tablets) and operating systems (e.g., iOS and Android) permitted on the network.

·       Limit the applications to be used on the devices.

·       Limit which employees can use the devices and what services they can access on the network.

·       Inform the employees what is expected of them.

To permit an employee to bring her device to work, the employee needs to agree to be monitored for the enforcement of the enterprise device policy through mobile device management (MDM) software. An MDM can ensure that only the permitted apps are running, that apps and OS are up to date with patches, and that antivirus software with the latest updates is running on the device. The MDM software can also ensure the device is protected by authentication software and that the device locks itself after a certain amount of inactivity. Many MDM solutions on the market are capable of remotely wiping all the data (including personal data) stored on the device in case the device is stolen or lost, to prevent enterprise data from getting into the wrong hands. Employees should be warned that their private data and use of their private applications (e.g., chat, Gmail) may be monitored and that their device and the data on it may be seized as evidence in a legal proceeding. That is why it is important that the user/employee agrees to be monitored.
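The Magruder steps (limit device types and operating systems, apps, users and services) and the MDM controls just described (patch currency, antivirus updates, authentication, idle lock, remote-wipe enrollment) together amount to a device admission policy. The following Python evaluator is an added example, not code from the session notes or from any MDM product: it applies such a policy to a device posture record of the kind an MDM agent would report and returns every violation, so a device is admitted to the network only when the list is empty. The policy thresholds, the user and service names, and the two device records are all constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class BYODPolicy:
    """Enterprise BYOD policy: all values here are constructed for the example."""
    allowed_platforms: dict   # platform name -> minimum OS version tuple
    allowed_apps: frozenset   # app allowlist (Magruder: limit the applications)
    max_patch_age_days: int   # how stale OS/app patches may be
    max_av_age_days: int      # how stale antivirus signatures may be
    max_idle_lock_seconds: int  # device must lock after this much inactivity
    allowed_users: dict       # user -> set of network services they may reach

POLICY = BYODPolicy(
    allowed_platforms={"ios": (15, 0), "android": (12, 0)},
    allowed_apps=frozenset({"mail", "calendar", "vpn", "authenticator"}),
    max_patch_age_days=30,
    max_av_age_days=7,
    max_idle_lock_seconds=300,
    allowed_users={"alice": {"mail", "intranet"}, "bob": {"mail"}},
)

@dataclass
class DevicePosture:
    """What a (hypothetical) MDM agent reports about one enrolled device."""
    user: str
    platform: str
    os_version: tuple
    days_since_patch: int
    running_apps: set
    av_signature_age_days: int
    screen_lock_enabled: bool
    idle_lock_seconds: int
    remote_wipe_enrolled: bool
    requested_services: set = field(default_factory=set)

def evaluate(device: DevicePosture, policy: BYODPolicy = POLICY) -> list:
    """Return human-readable policy violations; an empty list means compliant."""
    violations = []
    min_os = policy.allowed_platforms.get(device.platform)
    if min_os is None:
        violations.append(f"platform {device.platform!r} is not permitted")
    elif device.os_version < min_os:
        violations.append(f"OS {device.os_version} is below minimum {min_os}")
    if device.days_since_patch > policy.max_patch_age_days:
        violations.append(f"patches are {device.days_since_patch} days old")
    for app in sorted(device.running_apps - policy.allowed_apps):
        violations.append(f"app {app!r} is not on the allowlist")
    if device.av_signature_age_days > policy.max_av_age_days:
        violations.append(f"antivirus signatures are {device.av_signature_age_days} days old")
    if not device.screen_lock_enabled:
        violations.append("screen lock / authentication is disabled")
    elif device.idle_lock_seconds > policy.max_idle_lock_seconds:
        violations.append(f"idle lock of {device.idle_lock_seconds}s exceeds policy")
    if not device.remote_wipe_enrolled:
        violations.append("device is not enrolled for remote wipe")
    permitted = policy.allowed_users.get(device.user)
    if permitted is None:
        violations.append(f"user {device.user!r} is not authorised for BYOD")
    else:
        for svc in sorted(device.requested_services - permitted):
            violations.append(f"user {device.user!r} may not access {svc!r}")
    return violations

def is_admitted(device: DevicePosture, policy: BYODPolicy = POLICY) -> bool:
    """Admission decision: the device joins the network only with zero violations."""
    return not evaluate(device, policy)

# Constructed sample postures: one compliant device and one that fails on several points.
COMPLIANT_DEVICE = DevicePosture(
    user="alice", platform="ios", os_version=(16, 2), days_since_patch=10,
    running_apps={"mail", "vpn"}, av_signature_age_days=1,
    screen_lock_enabled=True, idle_lock_seconds=120, remote_wipe_enrolled=True,
    requested_services={"mail", "intranet"},
)
NONCOMPLIANT_DEVICE = DevicePosture(
    user="carol", platform="android", os_version=(11, 0), days_since_patch=45,
    running_apps={"mail", "games"}, av_signature_age_days=20,
    screen_lock_enabled=True, idle_lock_seconds=900, remote_wipe_enrolled=False,
    requested_services={"mail"},
)

if __name__ == "__main__":
    for label, dev in (("compliant", COMPLIANT_DEVICE), ("noncompliant", NONCOMPLIANT_DEVICE)):
        print(label, "admitted" if is_admitted(dev) else "denied")
        for v in evaluate(dev):
            print("  -", v)
```

Returning the full violation list rather than a bare yes/no is deliberate: the employee can be told exactly which part of the signed agreement the device is failing, and the list is what an audit trail should record when a device is denied.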

See Mobile Device Management Features for typical MDM features and comparison of MDM solutions.

Cloud Computing

Cloud computing, according to (Badger, 2012), allows computer users to conveniently rent computing infrastructure assets including CPU and storage, entire software development and deployment environments (including middleware,  OS, DBMS, development tools), and access to fully featured applications. It is a “pay as you use model” instead of owning the resources.

The National Institute of Standards and Technology has been developing a framework and architecture to help federal organizations employ the technology effectively and securely. These documents by NIST are worth reading, or at least browsing:

·       NIST SP 800-145; The NIST Definition of Cloud Computing (Mell, 2012)

·       NIST SP 800-146; Cloud Computing Synopsis and Recommendations (Badger, 2012)

·       NIST SP 500-291v2; Cloud Computing Standards Roadmap (Roadmap, 2013)

·       NIST SP 500-299; NIST Cloud Computing Security Reference Architecture

Standards are expected to map onto five major areas: (1) accessibility, (2) interoperability, (3) performance, (4) portability, and (5) security. While there are only a few approved cloud-computing-specific standards at present, the standards landscape is changing fast; relevant standardization is under way in a number of Standards Developing Organizations (SDOs). Standards are critical for developing policies, implementing SLAs with cloud vendors, and providing direction for mitigating risk.

As a shared infrastructure, cloud computing’s security issues include: (1) loss of data, (2) sharing of data in volatile and permanent storage with other cloud users, i.e., loss of confidentiality and privacy, (3) loss of integrity of data because of unwanted interaction among users, (4) DoS and DDoS attacks affecting availability, and (5) lack of adequate forensics support because of multi-tenancy. There is much overlap among the security threats facing cloud computing, as listed and discussed by these recent resources: INFOWorld: Security Threats and Imperva: Security Threats.

#4

Now that you have a good idea of the legal and technical issues with teleworking and BYOD to Work, are you in favor of teleworking and BYOD to Work in your organization?

How will you make it work in your organization? What restrictions will you put in place to make it work?

If your last name begins with A-K, you focus on teleworking. If your last name begins with L-Z, your focus should be on BYOD to Work.
