LEG523: Law of Data Security and Investigations
*New for live delivery as of October 2014: Home Depot's legal and public statements about payment card breach.
*New legal tips on confiscating and interrogating mobile devices.
*New for live delivery as of January 2014: The public response by retailer Target to a major payment card security incident.
*New for live delivery as of April 2014: Course covers lawsuit by credit card issuers against Target's QSA and security vendor, Trustwave.
New law on privacy, e-discovery, and data security is creating an urgent need for professionals who can bridge the gap between the legal department and the IT department. The needed professional training is uniquely available in SANS' LEG523 series of courses, including skills in the analysis and use of contracts, policies, and records management procedures.
GIAC certification under LEG523 demonstrates to employers that a professional has not only attended classes, but studied and absorbed the sophisticated content of these courses. Certification distinguishes any professional, whether an IT expert, an auditor, a paralegal, or a lawyer, and the value of certification will grow in the years to come as law and security issues become even more interlocked.
This course covers the law of business, contracts, fraud, crime, IT security, IT liability and IT policy — all with a focus on electronically stored and transmitted records. The course also teaches investigators how to prepare credible, defensible reports, whether for cyber, forensics, incident response, human resources or other investigations.
This course provides training and continuing education for many compliance programs under infosec and privacy mandates such as GLBA, HIPAA, FISMA and PCI-DSS.
- Day 1: Fundamentals of IT Security Law and Policy
- Day 2: E-Records, E-Discovery and Business Law
- Day 3: Contracting for Data Security & Other Technology
- Day 4: The Law of IT Compliance: How to Conduct Investigations
- Lessons from day 4 will be invaluable to the effective and credible execution of any kind of investigation — internal, government, consultant, security incidents and the like. These lessons integrate with other tips on investigations introduced in other days of the LEGAL 523 course series.
- Day 5: Applying Law to Emerging Dangers: Cyber Defense
- In-depth review of legal response to the major security breach at TJX.
- Learn how to incorporate effective public communications into your cyber security program.
These five days of integrated education — where each successive day builds upon lessons from the earlier day(s) — will help any enterprise (public or private sector) cope with such problems as hackers, botnets, malware, phishing, unruly vendors, data leakage, industrial spies, rogue or uncooperative employees and bad publicity connected with IT security.
Recent updates to the courses address hot topics such as risk, investigations and business records retention connected with cloud computing and social networks like Facebook and Twitter. Updates also teach students how to analyze and respond to the risks and opportunities surrounding OSINT (open source intelligence gathering).
This course adopts an increasingly global perspective. Non-US professionals attend the Legal-523 course because there is no training like it anywhere else in the world. A lawyer from a European police agency recently attended and expressed high praise for the course when it was over. Another lawyer -- from the national tax authority in an African country -- sought out the course because electronic filings, evidence and investigations have become so important to her work. Students like this European lawyer and this African lawyer help the instructor, US attorney Benjamin Wright, improve the course and include more non-US content as he constantly revises it.
The Legal 523 course is complementary to SANS' rigorous digital forensics program. Together, Legal 523 and the SANS' digital forensics program provide professional investigators an unparalleled suite of training resources.
Legal 523 is tied to the coveted GLEG certification. GLEG can help a forensics investigator appear more credible as a witness in court, and help a forensics consultant win more business.
|LEG523.1: Fundamentals of IT Security Law and Policy||Benjamin Wright||
Mon Mar 11th, 2013
9:00 AM - 5:00 PM
This course day number 1 is an introduction to Law and IT, serving as the foundation for the discussion in later course days. Students survey the general legal issues that must be addressed in establishing best InfoSec practices. This course day number 1 canvasses the many new laws on data security, and evaluates InfoSec as a field of growing legal liability. It covers computer crime and intellectual property laws when a network is compromised, as well as emerging topics like honeypots, and active defenses, i.e., enterprises hacking back against hackers. This course day considers the impact of future technologies on law and investigations. A key goal is to help professionals factor in legal concerns when they draft enterprise IT security policies.
This course day number 1 includes lessons on critical thinking about how to draft IT security policies, recognizing legal concerns. Students will debate what the words of an enterprise policy would mean in a courtroom.
This course day includes a case study on the drafting of policy to comply with the Payment Card Industry Data Security Standard (PCI).
CPE/CMU Credits: 6
|LEG523.2: E-Records, E-Discovery and Business Law||Benjamin Wright||
Tue Mar 12th, 2013
9:00 AM - 5:00 PM
IT professionals can advance their careers by upgrading their expertise in the hot fields of e-discovery and cyber investigations. Critical facets of those fields come forward in this course day number 2. This day number 2 emphasizes the use of computer records in disputes and litigation, with a view to teaching students how to manage requests to turn over e-records to adversaries (i.e., e-discovery), how to manage implementation of a "legal hold" over some records to prevent their destruction and how to coordinate with legal counsel to develop workable strategies to legal challenges.
Transactions that used to be conducted on paper are now done electronically. So now, commercial law applies to computer security. The IT function within an enterprise has become the custodian of the enterprises business records. This course day number 2 teaches how to craft sound policy for the retention and destruction of electronic records like email, text messages and social networking interactions. It offers methods for balancing the competing interests in electronic records management, including costs, risks, security, regulations and user cooperation.
Law and technology are changing quickly, and it is impossible for any professionals to comprehend all the laws that apply to their work. But they can comprehend the big trends in law, and they can possess a mindset for finding solutions to legal problems. A key goal of this course day 2 is to equip students with analytical skills and general tools for addressing technology law issues as they arise, both in the U.S. and around the world.
This course day number 2 is chock full of actual court case studies dealing with privacy, computer records, digital evidence, electronic contracts, regulatory investigations and liability for shortfalls in security. The purpose of the case studies is to draw practical lessons that students can take back to their jobs.
CPE/CMU Credits: 6
|LEG523.3: Contracting for Data Security & Other Technology||Benjamin Wright||
Wed Mar 13th, 2013
9:00 AM - 5:00 PM
This course day number 3 is focused on the essentials of contract law sensitive to the current legislative requirements for security. Compliance with many of the new data security laws requires contracts. Because IT pulls together the products and services of many vendors, consultants and outsourcers, enterprises need appropriate contracts to comply with Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA, EU Data Directive, California Senate Bill 1386 and others.
When appropriate, this course day 3 leaves the student with practical steps and tools to be applied in his or her enterprise. It includes a lab at the end of the day to help students learn about writing contract-related documents relevant to their professional responsibility. Students will learn the language of common IT contract clauses. They will learn the meaning of and issues surrounding those clauses and become familiar with specific legal cases to show how different disputes have resolved in litigation.
Recognizing that enterprises today operate increasingly on global basis, this course day teaches cases and contract drafting styles applicable to a multinational setting.
Contracts covered in this course day include agreements for software, consulting, non-disclosure, application services and private investigation services. Special emphasis is applied to cloud computing issues.
This course day number 3 teaches students how to exploit the surprising power of informal contract records and communications.
CPE/CMU Credits: 6
|LEG523.4: The Law of IT Compliance: How to Conduct Investigations||Benjamin Wright||
Thu Mar 14th, 2013
9:00 AM - 5:00 PM
New for live delivery as of October 2014: Tips on how to conduct legal and audit investigations of advanced phenomena like Bitcoin.
InfoSec professionals and cyber investigators operate in a world of ambiguity, rapid change and legal uncertainty. To address these challenges, this course day number 4 presents methods for analyzing a situation and then acting in a way that is ethical and defensible and that reduces risk.
Lessons from this course day number 4 will be invaluable to the effective and credible execution of any kind of investigation -- internal, government, consultant, security incident and the like. These lessons integrate with other tips on investigations introduced in other days of the LEGAL 523 course series.
This course day number 4 surveys white collar fraud, with an emphasis on the role of technology in the commission and prevention of that fraud. It teaches IT managers practical, case-study driven, lessons about the monitoring of employees and employee privacy.
IT is often expected to 'comply' with many mandates, whether stated in regulations, contracts, internal policies or industry standards (such as PCI-DSS). This course day 4 teaches many broadly-applicable techniques to help technical professionals establish that they and their organizations are in fact in compliance . . . or to reduce risk if they are not in perfect compliance. This course day draws lessons from models such as the Sarbanes-Oxley Act.
As IT security professionals garner more responsibility for the controls throughout an enterprise, it is natural that they worry about fraud. Fraud starts to become a new part of their domain. Indeed, the primary objective of Sarbanes-Oxley is not to keep hackers out; it is to snuff out fraud inside the enterprise.
This course day 4 covers what fraud is, where it occurs, what the law says about it, and how it can be avoided and remedied.
Scattered through the course are numerous descriptions of actual fraud cases involving IT. The purpose is to acquaint the student with the range of modern business crimes, whether committed by executives, employees, suppliers or whole companies.
More importantly, this course day number 4 draws from the law of fraud and corporate misconduct to teach larger, general lessons about legal compliance and proper professional conduct in difficult case scenarios.
This course day 4 teaches how to conduct social media (social networking) forensics investigations.
This course day 4 trains IT administrators how to stay out of jail.
CPE/CMU Credits: 6
|LEG523.5: Applying Law to Emerging Dangers: Cyber Defense||Benjamin Wright||
Fri Mar 15th, 2013
9:00 AM - 5:00 PM
"In-depth review of legal response to the major security breach at TJX."
New as of SANSFire, July 2012: How to Develop a Bring Your Own Device (BYOD) Policy for an Enterprise and its Employees.
Knowing some rules of law is not the same as knowing how to deal strategically with real-world legal problems. This course Day Number 5 is organized around extended case studies in security law -- break-ins, investigations, piracy, extortion, rootkits, phishing, botnets, espionage, defamation. The studies lay out the chronology of events and critique what the good guys did right and what they did wrong. The goal is to learn to apply principles and skills for addressing incidents in your day-to-day work.
The skills to be learned are a form of crisis management, with focus on how your enterprise will be judged in a courtroom, a regulatory agency or a contract relationship. Emphasis will be on how to present your side of a story to others, such as law enforcement, Internet gatekeepers or the public at large, so that a security incident does not turn into a legal fiasco.
In addition to case studies, the core material in this course Day Number 5 will include tutorials on relevant legislation and judicial decisions in such areas as privacy, negligence, contracts, e-investigations and computer crime.
In part, this course Day Number 5 draws from knowledge learned in other course days in the Legal 523 series, although it is not mandatory that a student attend those course days before attending this one. To a degree this course Day Number 5 overlaps some topics covered in the Management 512 series of courses, but this course focuses on law and is developed by a lawyer.
The Legal 523 course series is increasingly global in its coverage. Although this course Day Number 5 will center around American law, non-American law and the roles of non-American government authorities will be examined as well.
CPE/CMU Credits: 6
"The best guy in the country on these issues is Ben Wright."
-Stephen H. Chapman, Principal and CEO, Security Advisers, LLC
"Ben's insight into legal issues and teaching style makes this potentially dry material exciting. His stories and examples add to the printed material"
-Karl Kurrle, Golf Savings Bank
|Who Should Attend|
|Press & Reviews|
Learn more about LEG523 from the author:
Interested in the GLEG certification? Find out the benefits here: http://legal-beagle.typepad.com/security/2010/03/training.html