2 cissp ® Official Study Guide Eighth Edition



Date: 08.04.2023
(CISSP) Mike Chapple, James Michael Stewart, Darril Gibson - CISSP Official Study Guide-Sybex (2018)

When preparing for the CISSP exam, be sure you’re able to briefly describe 
the purpose of each law discussed in this chapter.
CFAA Amendments 
In 1994, Congress recognized that the face of computer security had drastically changed 
since the CFAA was last amended in 1986 and made a number of sweeping changes to the 
act. Collectively, these changes are referred to as the Computer Abuse Amendments Act of 
1994 and included the following provisions: 

- Outlawed the creation of any type of malicious code that might cause damage to a computer system
- Modified the CFAA to cover any computer used in interstate commerce rather than just “federal interest” computer systems
- Allowed for the imprisonment of offenders, regardless of whether they actually intended to cause damage
- Provided legal authority for the victims of computer crime to pursue civil action to gain injunctive relief and compensation for damages

Since the initial CFAA amendments in 1994, Congress passed additional amendments in
1996, 2001, 2002, and 2008 as part of other cybercrime legislation. We’ll discuss those as
they come up in this chapter.
While CFAA may be used to prosecute a variety of computer crimes, it is also criticized
by many in the security and privacy community as an overbroad law. Under some
interpretations, CFAA criminalizes the violation of a website’s terms of service. This law was used
to prosecute MIT student Aaron Swartz for downloading a large number of academic
research papers from a database accessible on the MIT network. Swartz committed
suicide in 2013 and inspired the drafting of a CFAA amendment that would have excluded
the violation of website terms of service from CFAA. That bill, dubbed Aaron’s Law, never
reached a vote on the floor of Congress.
Federal Sentencing Guidelines 
The Federal Sentencing Guidelines released in 1991 provided punishment guidelines to help 
federal judges interpret computer crime laws. Three major provisions of these guidelines 
have had a lasting impact on the information security community. 

- The guidelines formalized the prudent man rule, which requires senior executives to take personal responsibility for ensuring the due care that ordinary, prudent individuals would exercise in the same situation. This rule, developed in the realm of fiscal responsibility, now applies to information security as well.
- The guidelines allowed organizations and executives to minimize punishment for infractions by demonstrating that they used due diligence in the conduct of their information security duties.


Chapter 4: Laws, Regulations, and Compliance

- The guidelines outlined three burdens of proof for negligence. First, the person accused of negligence must have a legally recognized obligation. Second, the person must have failed to comply with recognized standards. Finally, there must be a causal relationship between the act of negligence and subsequent damages.
