QUESTION

Cybersecurity Governance - Congressional Oral Statement Project

Project Scenario

As the chief information security officer, known as the CISO [pronounced siss-so], for a trade association, part of your job is to monitor potential legislation that could affect your industry. You've been following attempts by legislators to amend the federal Computer Fraud and Abuse Act (CFAA), which made the news some years ago when Internet activist Aaron Swartz committed suicide before he went to trial on federal data-theft charges under the act.

Swartz, who believed in open access to information, was indicted for downloading millions of documents from a subscription-based academic database. Although Swartz was authorized to read papers on the site, federal prosecutors alleged that Swartz hacked restricted data from the Massachusetts Institute of Technology's network. He was indicted for counts of wire fraud, computer fraud, unlawfully obtaining information from a protected computer, and recklessly damaging a protected computer, all with a maximum penalty of 35 years in prison and 1 million dollars in fines.

This week, the CEO of your organization sends you a memo explaining that he has been asked to make a statement before a Congressional committee. In the aftermath of the Swartz case, lawmakers have proposed amending the CFAA. The memo states, "I need you to provide me arguments for amending the CFAA, as well as specifics on where and how the law should be amended. Should some criminal sanctions be preserved? If so, which kind of actions would be appropriate? Provide examples of how your proposed changes would affect potential problems in the workplace."

When you submit your project, your work will be evaluated using the competencies listed below. You can use the list below to self-check your work before submission.

· 1.3: Provide sufficient, correctly cited support that substantiates the writer's ideas.

· 2.2: Locate and access sufficient information to investigate the issue or problem.

· 7.4: Align an organization's security posture to applicable laws, statutes, and regulatory documents.

· 1.8: Create clear oral messages.

Step 1: eLearning Module Cybercrime Awareness

Before you can begin preparing for the upcoming report, you must understand the basics of how the legal systems in the United States deal with cybercrime and how organizations comply with laws, regulations and policies.

Complete the Cybercrime Awareness eLearning module to get an overview of the US legal and justice systems, followed by a discussion of cybercrime, cyber terrorism, prevention, deterrence, investigative authorities, general compliance, cybersecurity laws, regulations, policies, standards, and guidelines.

While completing the module, answer the following questions:

1. What is the relationship between criminal and civil court systems as they apply to cybersecurity policy?

2. What is compliance?

3. What can US organizations do to comply with regulations?

4. What policies and technologies can be used to address regulatory issues?

5. How can US organizations monitor compliance with cybersecurity policies and relevant regulatory requirements?

6. List the laws and regulations mentioned in the module.

7. List information security strategies, plans, policies, and procedures mentioned in the module that can be used to reduce regulatory risk.

You will use these answers to write your summary in the next step.

Step 2: Write the Cybercrime Awareness Summary

Using the notes you took on the Cybercrime Awareness module in the last step, write a one- to two-page summary. You may use your own insights; however, each of the following items must be briefly discussed:

1. What is the relationship between criminal and civil court systems as they apply to cybersecurity policy?

2. What is compliance?

3. What can US organizations do to comply with regulatory issues?

4. What policies and technologies can be used to address regulations?

5. How can US organizations monitor compliance with cybersecurity policies and relevant regulatory requirements?

6. List the laws and regulations mentioned in the module.

7. List information security strategies, plans, policies, and procedures mentioned in the module that can be used to reduce regulatory risk.

Submit your summary for feedback.

Step 3: Research the Background of the CFAA

Now that you have an overview of cybercrime awareness and how organizations can comply with laws and regulations and reduce regulatory risk, you are ready to look more closely at specific statutes. Begin by researching the current version of the Computer Fraud & Abuse Act (CFAA). Your research will provide the basis for your analysis in the next step.

Your analysis will include:

1. a background of the CFAA

2. examples of how the CFAA might positively address the general misuse of computer systems and reduce computer crime

3. examples of abuses and overreaching by government in applying the law

4. discussion of how effective the CFAA is in protecting organizations from cyberattacks

Step 4: Write the CFAA Analysis

After completing your research on the Computer Fraud and Abuse Act, write a one- to two-page analysis of the statute and its effectiveness. This analysis will be Exhibit A for the final assignment.

Include in your analysis:

1. a background of the CFAA

2. examples of how the CFAA might positively address the general misuse of computer systems and reduce computer crime

3. examples of abuses and overreaching by government in applying the law

4. discussion of how effective the CFAA is in protecting organizations from cyberattacks

Submit your written analysis for feedback.

Step 5: Identify State Statutes

Now that you have analyzed the federal statute addressing computer fraud and abuse, you will identify computer crime statutes, or Computer Fraud & Abuse Act state clones, from three different states. Note and review these statutes carefully as you will use them in the following step.

Step 6: Computer Crime Comparison Table

Now that you have identified CFAA clones from at least three states, you will compare and contrast them with one another and the CFAA. Be sure to include specific vulnerabilities that the statutes are intended to address regarding computer access. Document your conclusions in the first section of the Computer Crime Comparison Table titled "Statute Comparisons." This table will aid you in developing your solutions.

Submit your table for feedback.

Step 7: Research State Case Judicial Opinion

So far in this project, you have familiarized yourself with cybercrime and laws that were written to protect against cybercrime. In this step, you will determine how effective you believe these statutes to be. Identify at least one actual use case for each state as well as for the CFAA to acquaint yourself with how well state/CFAA laws have been implemented. Continue to complete the Computer Crime Comparison Table that you began in Step 6. Document your conclusions in Section 2, Actual Cases.

Submit your table for feedback.

Step 8: Document New Developments

You have increased your awareness of cybercrime and measures that are taken to address it. You have analyzed the CFAA and compared similar state statutes. You are almost ready to begin developing your recommendations to amend the CFAA, but first you will need to explore recent developments.

Review and note developments in national and international laws, regulations, policies, and ethics as they relate to cybersecurity. Also, identify new developments in current legislative and regulatory processes as they apply to cybersecurity policy.

These developments should be referenced in your oral statement.

Step 9: Summarize and Develop Your Solutions

In order to develop recommendations to include in your presentation, you must first prepare your solutions. Summarize your recommended solutions ranked in order of "must implement," "highly recommended," and "generally recommended." You will use this solutions summary to develop your recommendations in your oral statement. These solutions will be the focus of your oral statement.

Step 10: How to Write an Oral Statement to Congress

Now that you have developed your solutions, you are ready to create a draft of your oral statement. To get started, complete the following:

1. Review best practices for preparing an oral statement to a Congressional committee or other policy-making body or public forum. 

2. Create a five- to seven-page written draft of your statement.

3. Reference the CFAA and at least one state statute.

4. Reference new developments in cybersecurity governance and legislative and regulatory processes.

Submit your draft to your instructor for feedback.

Step 11: Written Statement

Now that you have a draft of your written statement, it is time to finalize it in order to prepare for your oral statement. Be sure to incorporate any feedback your instructor provided into the final version.

Your goal in delivering this statement is to educate Congress on the implications this legislation will have on your industry. It is important that your statement is clear, concise, and demonstrates your knowledge of the issues. For more tips on how to deliver an oral statement to a congressional committee, consult Delivering an Oral Statement for guidance.

Submit your five- to seven-page written statement with the following attached as appendices: Cybercrime Awareness Summary, Computer Fraud and Abuse Act Analysis, and Computer Crime Comparison Table. The appendices do not contribute to the length of the written statement.

Before you submit your assignment, review the competencies below, which your instructor will use to evaluate your work. A good practice would be to use each competency as a self-check to confirm you have incorporated all of them in your work.

· 1.3: Provide sufficient, correctly cited support that substantiates the writer's ideas.

· 2.2: Locate and access sufficient information to investigate the issue or problem.

· 7.4: Align an organization's security posture to applicable laws, statutes, and regulatory documents.

* Only steps 2, 4, 6, 7, 10 and 11 require documents to be written; the rest of these steps are primers for the actual submissions.
