SANS InfoSec Reading Room - Legal Issues
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.
Featuring 34 papers as of Nov 22, 2009
5 Keys to a Successful Identity and Access Management Implementation
CA - October 2008
Identity and Access Management: A Comprehensive Buyer's Guide
CA - October 2008
Electronic Contracting In An Insecure World
- By: Craig Wright (posted on February 1, 2008)
CyberLaw 101: A primer on US laws related to honeypot deployments
- By: Jerome Radcliffe (posted on March 16, 2007)
A Honeypot is defined as an Internet-attached server that acts as a decoy, luring in potential hackers in order to study their activities and monitor how they are able to break into a system.
Information Security and Section 404 of the Sarbanes-Oxley Act
- By: Reed Warner (posted on May 5, 2005)
In response to the corporate accounting scandals of 2001, the Public Company Accounting Reform and Investor Protection Act of 2002, better known as the Sarbanes-Oxley Act, was passed.
The Outsourced Productivity Information Security Risk
- By: Eric Mittler (posted on March 9, 2005)
Many of your data protection security controls will be bypassed by your vendors if they feel pressured to do so by employees at your company, unless you specifically mitigate this risk.
Hearsay and Evidence in the Computer Emergency Response Team (CERT)
- By: Susan Sherman (posted on January 28, 2005)
The Computer Emergency Response Team (CERT) is responsible for handling computer-related information security incidents within a specific government agency. Part of that mission is providing support to law enforcement officials: CERT must supply evidence to those who will carry the law enforcement effort on an incident through to completion.
Ethics in the IT Community
- By: Anthony Bundschuh (posted on January 22, 2005)
This paper is an overview of the current state of ethics in the IT community. It describes the current state of ethics in IT, identifies the major areas of concern for the IT community, and discusses the relationships an IT professional will face, and the conflicts that may jeopardize those relationships.
The Requirements of FDA's 21 CFR Part 11 and Software Programs That Meet the Requirements
- By: Kristine Safi (posted on January 19, 2005)
With the increased use of electronic records in the biotechnology industry came a need for requirements addressing the security, integrity and traceability of that data. In response, the Food and Drug Administration (FDA) published a regulation, 21 CFR Part 11, in August 1997.
Federal Computer Crime Laws
- By: Maxim May (posted on August 15, 2004)
The Internet has been a boon to business, science, education and just about any field you can think of, including crime. Like every human invention, the Internet has two sides: on the one hand it allows businesses to be more productive and scientists to share research data almost instantaneously; on the other hand it grants criminals an additional tool to commit crimes and get away with them.
Offshore Outsourcing and Information Confidentiality
- By: Mark Lum (posted on July 25, 2004)
While recent news headlines have focused on the controversial topic of offshore outsourcing of jobs from the United States to countries such as India, China, and Mexico, other headlines have exposed some of the problematic consequences of this phenomenon.
An Overview of Sarbanes-Oxley for the Information Security Professional
- By: Gregg Stults (posted on July 25, 2004)
The Sarbanes-Oxley Act of 2002 has dramatically affected overall awareness and management of internal controls in public corporations. Responsibility for accurate financial reporting has landed squarely on the shoulders of senior management, including the potential for personal criminal liability for CEOs and CFOs.
Cyber Risk Insurance
- By: Denis Drouin (posted on June 9, 2004)
Technology has continued to astound the world's electronic culture by producing mechanisms to defend and protect against the unknown. Cyber insurance is one of those phenomena; it has faced many challenges and at the same time evolved into a more complex tool for protecting companies.
The Role of IT Security in Sarbanes-Oxley Compliance
- By: Mary Fleming (posted on April 8, 2004)
This document will summarize the requirements of Sarbanes-Oxley as they apply to IT and define the controls IT must be concerned with in the certification process. This document pertains only to the role of IT and IT security in Sarbanes-Oxley controls compliance; other company departments - accounting, finance, human resources, etc., may be subject to controls not covered herein.
U.S. Government IT Security Laws
- By: Trevor Burke (posted on January 11, 2004)
This document will serve as a guide to those new to federal IT law and address the above four issues, outline the guidelines and steps to ensure successful C&A as designed by NIST, and subsequently address lessons learned from trying to comply with FISMA.
E-mail Communication with Patients in the Wake of the HIPAA Final Security Rule
- By: Dennis Schmidt (posted on October 31, 2003)
This paper will explore the issues that the HIPAA regulations raise with doctor/patient e-mail communications and will discuss some possible solutions.
Big Brother at the Office: Friend or Foe?
- By: Clint M Satterwhite (posted on October 31, 2003)
This paper outlines most of the issues regarding monitoring of employee workplace computer use and attempts to present an objective presentation of the information from both the employee and employer's perspectives.
A Context-Based Access Control Model for HIPAA Privacy and Security Compliance
- By: Harry E Smith (posted on October 31, 2003)
This paper proposes a new approach to meeting much of the burden imposed by the HIPAA privacy and security requirements.
System Security and Your Responsibilities: Minimizing Your Liability
- By: Gary Holtz (posted on October 31, 2003)
A discussion of security policy and procedures, with attention to minimizing liability in the event of computer or network security incidents.
The Art of Enforcement
- By: Jeff Neithercutt (posted on October 31, 2003)
The careful planning, integration, training, and support of a multi-disciplined group of Incident Responders will continue to be, for most corporations, the last line of defense against computer crimes; and, the better their relationship with the Local, State, and Federal Agencies they work with, the better the success of both their proactive and reactive activities.
HIPAA Compliance: Cost-Effective Solutions for the Technical Security Regulations
- By: Tautra Romig (posted on October 31, 2003)
While HIPAA is comprised of many different regulations, the objective of this document is to suggest cost-effective solutions to the proposed Technical Security Mechanisms regulation.
The 2001 Patriot Act and Its Implications for the IT Security Professional
- By: Oscar W Peterson (posted on October 31, 2003)
This paper will focus on IT related issues encompassed by the USAPA in general as well as possible actions that could be expected of the IT Security Professional.
Dangerous Technology: Management Beware
- By: Brent McKinley (posted on October 31, 2003)
The purpose of this paper is to inform management and upper level administration of the legal liabilities and loss of productivity due to the inappropriate use of the Internet, email, interconnected computer systems and pirated software.
The Legal System and Ethics in Information Security
- By: Amit Raju Philip (posted on October 31, 2003)
A discussion of the issues faced by the legal system in keeping up with the fast paced development of technology and the ways in which the current laws can help, as well as the role that ethics have to play in the world of computer security.
An Uneven Playing Field: The Advantages of the Cyber Criminal vs. Law Enforcement-and Some Practical
- By: Torri Piper (posted on October 31, 2003)
This paper offers some observations of the disparities between the criminals manipulating digital data and law enforcement chasing after them; and tenders some suggestions in an effort to even the playing field.
Running an IT Investigation in the Corporate Environment
- By: Carl Endorf (posted on October 31, 2003)
This paper describes the issues that are involved in conducting an IT investigation of an incident in a corporate environment.
Preparing for HIPAA: Privacy and Security Issues to be Considered
- By: Sherry Fischer (posted on October 31, 2003)
The Health Insurance Portability and Accountability Act (HIPAA) is imposing privacy and security regulations on health plans, health care clearinghouses, and health care providers.
Financial Institutions Required To Do Their Part To Fight Crime
- By: Terry Ritter (posted on October 31, 2003)
This paper will briefly explain how the USA PATRIOT Act legislation came into existence, but its main focus will be to outline the requirements of the recently proposed Section 326, the "Customer Identification Program."
Issues in Protecting Our Critical Infrastructure
- By: William Nance (posted on June 2, 2003)
The Internet has brought many important changes to the way we do business, both in the public and private sectors. We can use it to instantly communicate with others across the country, conduct business meetings, or control equipment in remote locations.
What is the Federal Government Doing to Improve the State of Information Security?
- By: Jason Hiney (posted on April 4, 2003)
The objective of this paper is to take a broad look at recent Government actions to improve the state of information security in the United States and prevent further such problems.
Laws of Canada as they Pertain to Computer Crime
- By: Donna Simmons (posted on May 2, 2002)
This paper examines the existing laws in the Criminal Code of Canada as they pertain to computer crime.
The Ethics and Legality of Port Scanning
- By: Shaun Jamieson (posted on October 8, 2001)
This paper will define and outline the process of port scanning, discuss ethical and legal issues surrounding port scanning, and assert the importance of strictly defining scanning in an organization's policy.
Malaysian Law and Computer Crime
- By: Wong Chong Yew (posted on August 8, 2001)
This paper attempts to describe the Malaysian Computer Crimes Act 1997 (CCA 1997) and provide important guidelines for a successful computer crime investigation.
South Africa - Computer Misuse Act, Proposed
- By: Michael Masters (posted on June 14, 2001)
This paper looks at this proposed act as well as its application in today's computer environment.