Systems Security Certified Practitioner – SSCP – Question0604

The criterion for evaluating the legal requirement to implement safeguards is to compare the cost (C) of instituting the protection against the estimated loss (L) resulting from the exploitation of the corresponding vulnerability. Therefore, a legal liability may exist when:

A. (C < L) or C is less than L
B. (C < L - (residual risk)) or C is less than L minus residual risk
C. (C > L) or C is greater than L
D. (C > L - (residual risk)) or C is greater than L minus residual risk

Correct Answer: A

Explanation:

If the cost of the safeguard is lower than the estimated loss (C < L), then legal liability may exist if you fail to implement the proper safeguards. Government laws and regulations require companies to employ reasonable security measures to reduce private harms such as identity theft due to unauthorized access. The U.S. Gramm-Leach-Bliley Act (GLBA) Safeguards Rule and the broader European Directive 95/46/EC, Article 17, both require that companies employ reasonable or appropriate administrative and technical security measures to protect consumer information.

The GLBA is a U.S. Federal law enacted by U.S. Congress in 1998 to allow consolidation among commercial banks. The GLBA Safeguards Rule is a U.S. Federal regulation created in reaction to the GLBA and enforced by the U.S. Federal Trade Commission (FTC). The Safeguards Rule requires companies to implement a security plan to protect the confidentiality and integrity of consumer personal information and requires the designation of an individual responsible for compliance. Because these laws and regulations govern consumer personal information, they can lead to new requirements for the information systems with which companies are responsible for complying.

The act of compliance includes demonstrating due diligence, which is defined as "reasonable efforts that persons make to satisfy legal requirements or discharge their legal obligations". Reasonableness in software systems includes industry standards and may allow for imperfection. Lawyers representing firms and other organizations, regulators, system administrators and engineers all face considerable challenge in determining what constitutes "reasonable" security measures, for several reasons, including:

1. Compliance changes with the emergence of new security vulnerabilities due to innovations in information technology;
2. Compliance requires knowledge of specific security measures; however, publicly available best practices typically include general goals and only address broad categories of vulnerability; and
3. Compliance is a best-effort practice, because improving security is costly and companies must prioritize security spending commensurate with the risk of non-compliance.

In general, the costs of improved security are certain, but the improvement in security depends on unknown variables and probabilities outside the control of companies.

The following reference(s) were used for this question:

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 315.
http://www.cs.cmu.edu/~breaux/publications/tdbreaux-cose10.pdf