C841 Task 1
School: Western Governors University
Course: C841
Subject: Information Systems
Date: Apr 3, 2024
Type: docx
Pages: 6
Uploaded by: BrigadierAlpacaPerson467
IHP3 Task 1: Legal Analysis
Submitted in partial completion of:
C841 – Legal Issues in Information Security
Western Governors University
Completed by: Wade Johnson
Student ID: 002097118
WGU C841 IHP3 – Task 1: Legal Analysis
A1. – Explain how the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act each specifically relate to the criminal activity described in the case study.
The Computer Fraud and Abuse Act (CFAA) was enacted by Congress in 1984 and has been amended since then, in 2001 with the passage of the PATRIOT Act and again in 2008 (Grama, 2015, p. 360). This act applies to TechFite because of the actions of the Business Intelligence (BI) unit. Sarah Miller, senior analyst of the BI unit, used falsely created accounts to access other departments within TechFite, including the legal, HR, and finance departments. Jack Hudson and Megan Rogers, analysts who report to Ms. Miller, were complicit in these actions, which included accessing and viewing internal financial and executive documents.
TechFite has also violated portions of the Electronic Communications Privacy Act (ECPA). This act has several sections which apply to both government agencies/agents and private industry, and it protects information sent or stored electronically (Bureau of Justice Assistance, n.d.). In the investigation into the actions of the BI unit, it was found that Sarah Miller, along with Jack Hudson and Megan Rogers, used the Metasploit tool to try to scan and access internet-based companies. The Metasploit tool is used to evaluate computer networks for vulnerabilities. The IP addresses scanned by this tool belonged to internet-based companies outside of TechFite. Accessing these systems without the express permission of the targeted company constitutes an action that could result in criminal prosecution.
A2. – Explain how three laws, regulations, or legal cases apply in the justification of legal action based upon negligence described in the case study.
Three different laws which justify legal action against TechFite and its employees are the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, and the Sarbanes-Oxley Act. The actions of TechFite employees in the Business Intelligence unit are relevant to both the CFAA and the ECPA, while actions taken by TechFite financial unit and/or executive management personnel could result in legal action based on violation of the Sarbanes-Oxley Act (SOX). TechFite BI unit personnel including Sarah Miller, Megan Rogers, and Jack Hudson used “dummy accounts” to access units within TechFite outside the scope of the BI unit. These accounts were given unauthorized escalated privileges to gain access to financial records and executive documents. In this case, members of the BI unit compromised the confidentiality of a protected computer. These actions could result in misdemeanor charges or even felony charges, depending on “aggravating factors” (Grama, 2015, p. 362).
Legal action against TechFite through violation of the ECPA again stems from actions of the BI unit. Analysis of BI unit computers using Encase Endpoint Investigator found the use of penetration testing software, specifically Metasploit, on machines used by TechFite; use of this software was primarily by Sarah Miller, senior analyst of the BI unit. Penetration testing is “the practice of attacking your own or your clients’ IT systems in the same way a hacker would to identify security holes” (Rapid7, n.d.). The systems that Sarah Miller and other members of the BI unit scanned belonged to outside companies, and there is no evidence that these companies were clients of TechFite that had requested such testing. According to the ECPA, TechFite employees violated the act by intentionally trying to access an electronic device connected to the internet; such actions can result in a fine and/or imprisonment (Legal Information Institute, n.d.).
Legal action could also be brought against TechFite for violation of the Sarbanes-Oxley Act (SOX). As a publicly traded company, TechFite is subject to the provisions of SOX. An audit of the client list database of the Application Division found three companies which have a limited history. The three companies involved are Bebop Software of Alberta, FGH Research Group of Indiana, and Dazzling Comet Software of Florida. All three companies have the same individual as their registered agent, Yu Lee, and were incorporated in Nevada. Yu Lee has a personal connection to the head of the Application Division, Carl Jaspers. These three companies pay for TechFite services from Freeworkers’ Pennsylvania Bank, NA of Scranton, Pennsylvania, a bank with which TechFite neither conducts business nor holds accounts. Violations of SOX include a possible conflict of interest between an outside company agent and TechFite employees, specifically between Mr. Jaspers and Ms. Lee, along with defrauding shareholders if it is found that the three companies are actually a method to artificially inflate sales numbers to improve the share price of TechFite (SoxLaw, n.d.). The Chief Executive Officer and Chief Financial Officer may also face personal charges for violations of SOX.
A.3 – Discuss two instances in which duty of due care was lacking.
The concept of duty of due care is “a person’s obligation to avoid acts or omissions that can harm others” (Grama, 2015, p. 370). TechFite IT Security Analyst Nadia Johnson is responsible for several instances in which duty of due care was lacking. While external threat management practices were in place, internal protection was not as thorough. This was especially true of the BI unit. Ms. Johnson’s failure to audit user account privilege escalation, monitor internal network traffic, and enforce data loss prevention strategies for sensitive documents has left not only clients of TechFite but also its employees subject to loss of personal and protected information to unknown parties.
Another instance was the lack of safeguards for sensitive and proprietary client information. TechFite maintains sensitive and proprietary information on current, former, and potential clients. This information is kept on a computer system that does not segregate one client’s information from another’s. This, coupled with a BI unit in which all computers have full administrative access and a marketing/sales unit that can access these same computer systems, means that one individual can see multiple clients’ information at one time and could pass sensitive information on to outside parties. Again, Ms. Johnson has failed to ensure safeguards are in place to prevent this type of damage to clients.
A.4 – Describe how the Sarbanes-Oxley Act (SOX) applies to the case study.
As a publicly traded company on NASDAQ, TechFite must follow the Sarbanes-Oxley Act. This means that the company must meet financial transparency and accountability standards which are audited annually and made easily available to shareholders (SoxLaw, n.d.). As presented in the case study, TechFite is not in compliance with SOX. An audit of the client list database of the Application Division found three companies which have a limited history. The three companies involved are Bebop Software of Alberta, FGH Research Group of Indiana, and Dazzling Comet Software of Florida. All three companies have the same individual as their registered agent, Yu Lee, and were incorporated in Nevada. Yu Lee has a personal connection to the head of the Application Division, Carl Jaspers. These three companies pay for TechFite services from Freeworkers’ Pennsylvania Bank, NA of Scranton, Pennsylvania, a bank with which TechFite neither conducts business nor holds accounts. Violations of SOX include a possible conflict of interest between an outside company agent and TechFite employees, specifically between Mr. Jaspers and Ms. Lee, along with defrauding shareholders if it is found that the three companies are actually a method to artificially inflate sales numbers to improve the share price of TechFite (SoxLaw, n.d.). The Chief Executive Officer and Chief Financial Officer may also face personal charges for violations of SOX.
B.1 – Explain how evidence in the case study supports claims of alleged criminal activity in TechFite.
The actions taken by Sarah Miller, Megan Rogers, and Jack Hudson in the use of Metasploit software are criminal violations of the Electronic Communications Privacy Act. In the case study, these individuals used a valid penetration testing program to try to access third-party Internet-based companies. These companies would be the victims of the actions of Ms. Miller, Ms. Rogers, and Mr. Hudson. The Metasploit software is designed to scan for vulnerabilities in a network that could be exploited by an individual to unlawfully gain access to the network and computer system (Rapid7, n.d.). By conducting such operations, these TechFite employees tried to access electronic communications stored in digital form, which are protected by the ECPA. Since IT Security Analyst Nadia Johnson had no internal auditing or surveillance measures in place to check network traffic and activity, these actions were not found until an outside audit was completed.
B.2 – Explain how evidence in the case study supports claims of alleged acts of negligence in TechFite.
Nadia Johnson may be negligent in her role as IT Security Analyst due to a failure to find dummy internal user accounts which had escalated privileges, giving the accounts access to information beyond what would be acceptable. The information the dummy accounts could reach included financial records, HR records, and executive documents related to TechFite. In this instance, TechFite as a company, its employees, and its clients are all victims of the alleged negligence. The accounts were found to have originated in the BI unit, which is part of the Applications Division. Evaluation of the relationship between Ms. Johnson and Applications Division Head Carl Jaspers shows a strong social relationship between Johnson and Jaspers, which could be a cause of the lack of auditing of the BI unit by IT Security.
At the present time, there is no policy in place to prevent social relationships between IT Security personnel and those they oversee. There is also little documentation on internal oversight of internal threat management, allowing for the creation and use of the dummy accounts.
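The two gaps named in A.3 and B.2 (dummy accounts with no real owner, and privileges escalated beyond the owning unit's scope) are exactly what a periodic account audit would surface. The script below is an added example, not part of the original document or the case study; the group-to-unit mapping, the HR roster and every account in it are constructed sample data.

```python
"""Account audit for the two due-care gaps in the case study: dummy
accounts with no HR owner, and access escalated outside the owning
unit's scope.  Added example; all data and names are constructed."""
from dataclasses import dataclass, field
from typing import Optional

# Assumption: each access group is owned by exactly one business unit.
GROUP_OWNER_UNIT = {
    "bi-workspace": "BI",
    "finance-records": "Finance",
    "hr-records": "HR",
    "legal-files": "Legal",
    "exec-docs": "Executive",
}
# Assumption: only IT Security may hold administrative rights.
ADMIN_ALLOWED_UNITS = {"IT Security"}


@dataclass
class Account:
    username: str
    unit: str                   # unit that created and owns the account
    employee_id: Optional[str]  # None: not tied to any person
    is_admin: bool = False
    groups: list = field(default_factory=list)


# Constructed sample data (not from the case study).
HR_ROSTER = {"E100", "E101"}
SAMPLE_ACCOUNTS = [
    Account("analyst1", "BI", "E100", groups=["bi-workspace"]),
    Account("svc_report", "BI", None, is_admin=True,
            groups=["bi-workspace", "finance-records", "hr-records"]),
    Account("tmp_audit", "BI", "E999", groups=["exec-docs"]),
]


def audit(accounts, roster):
    """Return (username, finding) pairs; an empty list means clean."""
    findings = []
    for acct in accounts:
        if acct.employee_id is None or acct.employee_id not in roster:
            findings.append((acct.username, "no matching HR roster entry"))
        # A group not in the mapping is treated as owned by the account's unit.
        outside = [g for g in acct.groups
                   if GROUP_OWNER_UNIT.get(g, acct.unit) != acct.unit]
        if outside:
            findings.append((acct.username,
                             "access outside unit scope: " + ", ".join(outside)))
        if acct.is_admin and acct.unit not in ADMIN_ALLOWED_UNITS:
            findings.append((acct.username, "administrative rights outside IT Security"))
    return findings
```

Run `audit(SAMPLE_ACCOUNTS, HR_ROSTER)` and the two dummy accounts are reported while the legitimate analyst account produces no findings; in practice the roster and group data would be pulled from the directory and HR system rather than hard-coded.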
C. – Prepare a summary directed to senior management that states the status of TechFite’s legal compliance.
TechFite must follow multiple laws including, but not limited to, the Computer Fraud and Abuse Act (CFAA), Electronic Communications Privacy Act (ECPA), and Sarbanes-Oxley Act (SOX). Evaluation of TechFite’s compliance with these laws shows TechFite to be in a tenuous position. TechFite employees have used company resources to try to access systems of outside parties without their knowledge in violation of ECPA. Along with this, dummy employee accounts were created and given escalated privileges allowing Business Intelligence unit personnel access to financial documents, HR documents, and even high-level executive documents within TechFite. These actions violate several sections of the CFAA. Such actions were made possible due to a lack of internal auditing and surveillance by TechFite’s IT Security Analyst.
TechFite is also not in compliance with SOX. The audit conducted on the Application Division’s client database found three companies which were all incorporated in Nevada and have the same individual as their registered agent. Yu Lee, the registered agent for these companies, has a personal relationship with the head of the Applications Division, the unit with which they do business. Further investigation into these companies found that payments for services all originate from one bank with which TechFite does not conduct business. When evaluated as a whole, there is an appearance that these companies are fictitious and are used simply to move money into the Applications Division, and the bank may be supplying an off-the-books method of making payments. None of this was found by executive staff at TechFite due to a lack of proper annual audits as required by SOX. These actions violate multiple sections of SOX and leave TechFite as well as its employees subject to criminal prosecution.
References
Bureau of Justice Assistance. (n.d.). Electronic Communications Privacy Act of 1986 (ECPA). Retrieved from Bureau of Justice Assistance - US Department of Justice: https://bja.ojp.gov/program/it/privacy-civil-liberties/authorities/statutes/1285
Grama, J. L. (2015). Legal Issues in Information Security. Burlington, MA: Jones & Bartlett Learning.
Legal Information Institute. (n.d.). 18 U.S. Code Section 2511. Retrieved from Interception and disclosure of wire, oral, or electronic communications prohibited: https://www.law.cornell.edu/uscode/text/18/2511
Rapid7. (n.d.). What is Penetration Testing? | Metasploit Documentation. Retrieved from Rapid7 Documentation: https://docs.rapid7.com/metasploit/what-is-penetration-testing
SoxLaw. (n.d.). Sarbanes-Oxley Act of 2002 | Information & Resources. Retrieved from SOXLAW: https://www.soxlaw.com/