IS Lec3

The document outlines key aspects of Cyber Law, including the Electronic Transactions Ordinance and the Prevention of Electronic Crimes Ordinance in Pakistan, detailing their provisions and punishments for various cyber crimes. It also discusses the importance of security policies, standards, and compliance in information security management. Additionally, it highlights the significance of protecting intellectual property rights and the implications of various compliance frameworks like HIPAA and PCI-DSS.

Anum Hasan

Information Security
BESE-27

Lecture 3
Lecture Outline

• Cyber Law
• Security policy
• ISMS
• Security Controls
• Security Standards
Cyber Law

• The term “Cyber Law” refers to all the legal and regulatory aspects of the Internet and its users.
Need for Cyber Law

• A hacker changed the insulin dose in the online prescription of a patient admitted to a hospital; the nurse injected that quantity and the patient died.
⦁ The Electronic Transactions Ordinance 2002
⦁ Prevention of Electronic Crimes Ordinance 2007
⦁ Prevention of Electronic Crimes Act (PECA) 2016
Overview

⦁ The Electronic Transactions Ordinance (ETO), 2002, was the first IT-relevant legislation created by national lawmakers.
⦁ Aims: protection for Pakistani e-Commerce locally and globally, and protection of Pakistan’s critical infrastructure.
⦁ It is heavily drawn from foreign law relating to cyber crime.

Before the ETO:
⦁ No recognition of electronic documentation
⦁ No recognition of electronic records
⦁ No recognition of the evidential basis of documents/records
⦁ No way to authenticate or identify digital or electronic signatures or other forms of authentication
⦁ No legal basis for online transaction systems
⦁ Electronic data and forensic evidence not covered
⦁ No rules for any of these

What the ETO provides:
⦁ Electronic documentation and records recognized
⦁ Electronic and digital forms of authentication and identification recognized
⦁ Messages through email, fax, mobile phones, plastic cards and online channels recognized
Sections
 There are 43 sections in this ordinance.
 It deals with the following 8 main areas relating to e-Commerce:
◦ Recognition of Electronic Documents
◦ Electronic Communications
◦ Web Site
◦ Digital Signature Certification Providers
◦ Stamp Duty
◦ Attestation, certified copies
◦ Jurisdiction
◦ Offences
⦁ The “Prevention of Electronic Crimes Ordinance, 2007” was promulgated by the President of Pakistan on 31 December 2007. (It has since been replaced by the Prevention of Electronic Crimes Act, 2016; the offences and punishments listed below are those of the 2007 Ordinance.)
⦁ The Ordinance dealt with the following electronic crimes:
◦ Cyber terrorism
◦ Data damage
◦ Electronic fraud
◦ Electronic forgery
◦ Unauthorized access to code
◦ Cyber stalking
◦ Cyber spamming/spoofing
⦁ It applies to every person who commits an offence, irrespective of nationality or citizenship.
⦁ It gives exclusive powers to the Federal Investigation Agency (FIA) to investigate and charge cases against such crimes.
Punishments

⦁ Every offence under this law has its own punishment, which can be imprisonment and/or a fine (fines in Pakistani rupees; 1 lac = 100,000).

Data damage:
⦁ Whoever, with intent to gain illegally or to cause harm to the public or any person, damages any data.
Punishment: 3 years imprisonment, 3 lac fine.

Electronic fraud:
⦁ Whoever, for illegal gain, interferes with or uses any data, electronic system or device, or acts with intent to deceive any person, where the act or omission is likely to cause damage or harm.
Punishment: 7 years imprisonment, 7 lac fine.

Electronic forgery:
⦁ Whoever, for unlawful gain, interferes with data, an electronic system or a device, with intent to cause harm or to commit fraud by any input, alteration or suppression of data, resulting in inauthentic data that is considered or acted upon for legal purposes as if it were authentic.
Punishment: 7 years imprisonment, 7 lac fine.

Malicious code:
⦁ Whoever wilfully writes, offers, makes available, distributes or transmits malicious code through an electronic system or device, with intent to cause harm to any electronic system or resulting in the theft or loss of data, commits the offence of malicious code.
Punishment: 5 years imprisonment, 5 lac fine.

Cyber stalking:
⦁ Whoever, with intent to harass any person, uses a computer, computer network, the Internet or any similar means of communication to:
◦ communicate obscene or indecent language, pictures or images;
◦ threaten any illegal or immoral act;
◦ take or distribute pictures or photographs of any person without their knowledge;
commits the offence of cyber stalking.
Punishment: 3 years imprisonment, 3 lac fine.

Spamming:
⦁ Sending unsolicited electronic messages to any person without the recipient’s permission.
Punishment: 6 months imprisonment, 50,000 fine.

Spoofing:
⦁ Whoever establishes a website, or sends an electronic message, with a fake source intended to be believed by the recipient, visitor or their electronic system to be an authentic source, with intent to gain unauthorized access or obtain valuable information.
Punishment: 3 years imprisonment, 3 lac fine.
Summary of offences and punishments under the Ordinance:

Offence                       Imprisonment     Fine
Criminal Access               3 years          3 lac
Criminal Data Access          3 years          3 lac
Data Damage                   3 years          3 lac
System Damage                 3 years          3 lac
Electronic Fraud              7 years          7 lac
Electronic Forgery            7 years          7 lac
Misuse of Device              3 years          3 lac
Unauthorized Access to Code   3 years          3 lac
Malicious Code                5 years          5 lac
Defamation                    5 years          5 lac
Cyber Stalking                3 years          3 lac
Cyber Spamming                6 months         50,000
Spoofing                      3 years          3 lac
Pornography                   10 years         -----
Cyber Terrorism               Life             10 million


Trademark

 Definition: a symbol, word, or words legally registered or established by use as representing a company or product.

 In the cyber world, URLs function much like trademarks.

 Trademark law gives the owner of a name, symbol or mark protection against consumer confusion. Online this applies specifically to the acquisition of domain names that correspond to a business’s trademark. Trademark protection has typically resided at the nation-state level, and the global nature of the Internet has caused problems with the use of certain domain names. A secondary issue is the difference between countries that follow “first to use” and those that follow “first to file”.

Copyright
 A right of ownership over a work for a specific period of time.

 Examples are books, music, research journals, websites, etc.

 A license is a description, given by the owner, of how the property may be used.

 Copyright protection

 Fair use clause

 Expansion of Top Level Domains (TLDs)


Patent
 A patent is a government authority or license conferring a right or title for a set period, especially the sole right to exclude others from making, using, or selling an invention.

 Patent Right

 Patent Ordinance

 Patent Rules

 Patents granted by IPO (Intellectual Property Organization of Pakistan)

 Patents expired
Security Policy, standard and guideline

Policies: high-level statements that provide guidance to workers who must make present and future decisions.
Standards: requirement statements that provide specific technical specifications.
Guidelines: optional but recommended specifications.

Example (passwords):
Policy: Access to network resources will be granted through a unique user ID and password.
Standard: Passwords will be 8 characters long.
Guideline: Passwords should include one non-alphabetic character and not be found in a dictionary.
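The distinction between a standard and a guideline is easiest to see when both are turned into checks. The following is an added example, not part of the lecture slides: it encodes the slide’s password standard (length of 8) as a hard requirement and the guideline (a non-alphabetic character, not a dictionary word) as advisory warnings, which is how a compliance check or account-provisioning hook would treat the two. The word list, the leet-speak substitution table and the `check_password` / `Verdict` names are assumptions of this example.

```python
"""Added example: enforcing a password standard versus a password guideline.

Standard  (mandatory):  passwords will be 8 characters long -> read as minimum 8.
Guideline (recommended): at least one non-alphabetic character, and not a
dictionary word (also checked with digits/punctuation stripped and common
leet-speak substitutions undone, so "P@ssw0rd" is still caught).
"""
from __future__ import annotations

from dataclasses import dataclass, field

MIN_LENGTH = 8  # the slide's standard

# Constructed stand-in for a real dictionary; a deployment would load a
# system word list or a breached-password list instead.
DICTIONARY = {"password", "welcome", "summer", "letmein", "qwerty", "dragon"}

# Undo common leet-speak: 0->o 1->l 3->e 4->a 5->s 7->t 8->b @->a $->s
LEET = str.maketrans("0134578@$", "oleastbas")


@dataclass
class Verdict:
    violations: list[str] = field(default_factory=list)  # standard not met: must fix
    warnings: list[str] = field(default_factory=list)    # guideline not met: should fix

    @property
    def compliant(self) -> bool:
        """Meets the standard; guidelines may still be unmet."""
        return not self.violations


def _letters_only(s: str) -> str:
    return "".join(ch for ch in s if ch.isalpha())


def _dictionary_hit(password: str) -> bool:
    """True if the password reduces to a dictionary word, either by dropping
    digits/punctuation ("Welcome1" -> "welcome") or by also undoing
    leet-speak ("P@ssw0rd" -> "password")."""
    lowered = password.lower()
    candidates = {
        _letters_only(lowered),
        _letters_only(lowered.translate(LEET)),
    }
    return any(c in DICTIONARY for c in candidates)


def check_password(password: str) -> Verdict:
    """Apply the standard (violations) and the guideline (warnings)."""
    verdict = Verdict()

    # Standard: a specific, testable requirement. Failing it is a violation.
    if len(password) < MIN_LENGTH:
        verdict.violations.append(f"length {len(password)} < {MIN_LENGTH}")

    # Guideline: recommended, so misses are reported but do not fail the check.
    if all(ch.isalpha() for ch in password):
        verdict.warnings.append("no non-alphabetic character")
    if _dictionary_hit(password):
        verdict.warnings.append("based on a dictionary word")

    return verdict


if __name__ == "__main__":
    for candidate in ["Summer", "P@ssw0rd", "Welcome1", "abcdefghij",
                      "correct horse battery"]:
        v = check_password(candidate)
        status = "OK" if v.compliant else "REJECT"
        print(f"{candidate!r:26} {status:7} violations={v.violations} warnings={v.warnings}")
```

The split matters operationally: a violation blocks the action (the account is not created, the change is not merged), while a warning is surfaced to the user or logged for the security team. Note that an 8-character minimum and composition rules are the slide’s example of a standard, not a recommendation for today: current guidance (for example NIST SP 800-63B) favours longer passphrases and screening against breached-password lists over composition rules.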
Information Security Management Program

• Aims to reduce risk through policies and guidelines.

User-level Policy

• Authentication: method, protection, disclosure
• Importing software: process, safeguards, location
• File protection: defaults, variations
• Equipment management: process, physical security
• Backups: how, when
• Problem reporting: who, how, emergencies

System-level Policy

• Default configuration
• Installed software
• Backups
• Logging
• Auditing
• Updates
• Principal servers or clients

Network-level Policy

• Supported services
• Exported services: authentication, protection, restriction
• Imported services: authentication, protection, privacy
• Network security mechanisms
Types of Security Policy
• Example: policy for ex-employees
• NDA and SLA

General Tips (1)

• Replace welcome messages with warning messages
• Put ownership or copyright notices on each source file
• Be certain users are notified of the usage policy
• Notify all users of what may be monitored
• Keep good backups in a safe location
• When you become suspicious, start a diary/journal of observations

General Tips (2)

• Define, in writing, the authorization of each user and employee, and have them sign it
• Ensure employees return equipment on termination
• Do not allow users to conduct their own investigations
• Make contingency plans with your lawyer and insurer
• Identify qualified law enforcement contacts at local and federal level
Information Security Management System

Security vs. Compliance
Compliance in IT is the process of meeting a third party’s requirements relating to security and related facilities, with the aim of running business operations in a particular market, adhering to laws, or satisfying a particular customer. Security is the actual protection of assets; being compliant does not by itself make a system secure, and vice versa.
Compliance

Compliance is driven by third-party requirements:
• Industry regulations
• Government policies
• Security frameworks
• Client/customer contractual terms
Compliance and Security Based on Specific Frameworks
• Compliance assesses a company’s security processes against an external set of requirements.
• These requirements come in the form of legislation, industry regulations, or standards created from best practices.
• Common examples:
• HIPAA
• SOX
• PCI DSS
• ISO/IEC 27000 family
HIPAA
• The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is US legislation focused on protecting sensitive patient health information from being disclosed without the patient’s consent or knowledge.

SOX
• The Sarbanes-Oxley Act (SOX) applies to the corporate care and maintenance of the financial data of US public companies.

PCI DSS
• The Payment Card Industry Data Security Standard (PCI DSS) was created by the major payment card brands to standardize how merchants and processors guard consumers’ card data.

ISO/IEC 27000 Family
• The ISO/IEC 27000 family of standards specifies requirements and best practices for an information security management system (ISMS).

GDPR
• The General Data Protection Regulation is the EU’s set of rules about how organizations must process the personal data of data subjects.
Reference

• Shon Harris, CISSP All-in-One Exam Guide, 6th ed., McGraw-Hill.
