Fintech Case Study Task 1
Randy Sturgill
Western Governors University
C841: Legal Issues in Information Security
8-3-23

Task 1

A. Demonstrate your knowledge of the application of the law by doing the following:

A1. Explain how the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act specifically relate to the criminal activity described in the case study.

The Computer Fraud and Abuse Act (CFAA) applies to this case because it criminalizes fraudulent acts involving protected computers. TechFite's focus on working with several Internet-based companies nearly guarantees that it operates computers used in interstate or foreign commerce, which the CFAA classifies as protected computers. The discovery of the Metasploit tool, and the evidence of its recent use for scanning and penetration against other Internet-based companies, indicates that the staff has likely violated CFAA restrictions, specifically the prohibition on unauthorized access to protected computers with intent to defraud or cause damage.

The Electronic Communications Privacy Act (ECPA) applies to this case because it prohibits access to stored electronic communications unless permitted elsewhere in the ECPA. The ECPA could become relevant to the case in two ways. TechFite employees may have violated the ECPA if they accessed the stored electronic communications of other companies while using the Metasploit tool. In addition, the collection of evidence in the event of legal action against TechFite or its employees will need to follow ECPA rules.

A2. Explain how three laws, regulations, or legal cases apply in the justification of legal action based upon negligence described in the case study.
Legal action is justified against TechFite for negligence that resulted in violations of the Computer Fraud and Abuse Act, Sarbanes-Oxley, and the Electronic Communications Privacy Act. The CFAA states, "Whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer; shall be punished as provided in subsection (c) of this section." [1]. The Business Intelligence Unit did not audit its user accounts. Because of this, employees at TechFite exceeded their authorized access through escalation of privilege. This led to unauthorized access to financial and executive files belonging to other departments within the company. Because TechFite is engaged in interstate commerce, the company's computers are protected under the CFAA and the unauthorized access to data is illegal.

Negligence was also evident in the Marketing/Sales unit associated with the Business Intelligence Unit. Lack of separation of duties and no implementation of least privilege in this unit resulted in a single individual being able to create a sales account and then record and post sales on that account. SOX Section 404 requires executives to "(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting." [2]. The unchecked access employees had to the financial reporting system prevents oversight into whether those sales were accurate, or whether they even occurred. Consequently, there is almost no sign of an internal control structure for financial reporting, which leaves TechFite vulnerable to legal action under the Sarbanes-Oxley Act.
The lack of oversight within the BI Unit led to potential infringement of multiple sections of the ECPA. "Title I of the ECPA generally prohibits the following conduct: 1) intentionally intercepting or endeavoring to intercept electronic communications; 2) intentionally using or endeavoring to use electronic communications that have been obtained through interception; or 3) intentionally disclosing or endeavoring to disclose to any other person the contents of electronic communications that have been obtained through interception. 18 U.S.C. § 2511(1)(a)…Title II of the ECPA, or the Stored Communications Act, makes it unlawful to intentionally access, obtain, alter, or disclose the contents of any stored electronic communication, without proper authorization. 18 U.S.C. §§ 2701(a) and 2701(a). Title II has two general exceptions to its prohibitions: 1) the consent exception; and 2) the provider exception" [3]. The collected digital evidence of the BI Unit's scanning and penetration of other companies makes it likely that the BI Unit has been intercepting and accessing the stored communications of other companies in violation of Titles I and II of the ECPA. The investigators could have legal access to the stored emails they reviewed without a warrant because of Title II's consent exception. TechFite is a private entity and requires all employees to sign a release allowing company surveillance of any electronic communications using TechFite equipment. Consequently, any evidence of crimes the investigators find in stored electronic communications may be admissible evidence in court because of the Silver Platter Doctrine.

A3. Discuss two instances in which duty of due care was lacking.

Two instances in which due care was lacking are the failure to safeguard customer data and the lack of user account audits.
Having no protection of customer data through the use of data loss prevention technology could lead to untraceable abuse of customer data. Data loss prevention would provide controls to prevent the unauthorized transmission of customer data, along with detection and monitoring of any attempts to do so. This would have prevented the instances in which the NDAs with Orange Leaf and Union City Electronic Ventures were violated by providing proprietary information to their competitors.

The implementation of account auditing would have prevented a large number of problems within the BI Unit. Ensuring least privilege on all accounts, monitoring accounts to track attempts to escalate privilege, and removing unused accounts are fundamental parts of maintaining information security. This oversight would have provided some of the internal controls required by SOX, prevented the cross-department data breach, and could have prevented the installation of the Metasploit tool by blocking the ability to install software without administrative approval.

A4. Describe how the Sarbanes-Oxley Act (SOX) applies to the case study.

The Sarbanes-Oxley Act's goals are to protect investors by ensuring that publicly traded companies accurately report their finances. SOX applies to this case because of multiple failures to ensure that TechFite's finances are valid. Individual members of the marketing and sales units had too many privileges and were able to create customers and then record and post sales to those same customers. This provides an easy avenue to exaggerate sales or post non-existent sales, making the company appear more profitable than it is. Members of the BI Unit were able to access financial and executive files for which they did not have authorization. This could have been done to alter the documents in some way, which raises additional questions about the accuracy of TechFite's finances.
Finally, a relationship was found with three apparent shell companies owned by an associate of TechFite's CISO. These three companies funnel money into the sales department despite not having any real Internet presence, which is TechFite's core business. This provides a strong indication that the shell companies are being used to artificially inflate TechFite's sales. All of this leads to the company violating Section 404 of SOX, because of the company's lack of internal controls to verify the accuracy of its financial reporting. The senior management of the company is vulnerable under Section 302, which requires them to certify the accuracy of their reported financial statements. All of this could lead to criminal penalties as stated in SOX Section 906.

B. Discuss legal theories by doing the following:

B1. Explain how evidence in the case study supports claims of alleged criminal activity in TechFite.

The evidence in the case supports claims of alleged criminal activity. Carl Jaspers went out of his way to have dummy accounts created, and those same accounts were used to violate the CFAA by accessing protected computers. The senior management of the company was required to validate that the internal controls for financial reporting were able to provide an accurate account of the company's financial status. Finally, the EnCase tool provided direct evidence of BI Unit personnel scanning and penetrating other companies' networks.

B1a. Identify who committed the alleged criminal acts and who were the victims.

The people who may have committed criminal acts in the case study are Noah Stevenson (CEO), Carl Jaspers (CISO), Sarah Miller, Megan Rogers, and Jack Hudson. Noah Stevenson is required by SOX to ensure internal controls for financial reporting and to certify that the company's financial report is accurate.
The lack of controls to verify accuracy means he could face criminal charges under SOX Section 906. Carl Jaspers directed the creation of dummy accounts that were used to gain unauthorized access to computers protected by the CFAA. Carl Jaspers also has a highly suspicious relationship with three apparent shell companies that are likely being used to commit corporate fraud. Sarah Miller, Megan Rogers, and Jack Hudson all used the Metasploit tool to scan and penetrate other companies' networks. Any interception of electronic communications or access to stored communications during that activity would result in a violation of the ECPA. The victims in this case study were any companies whose proprietary data was shared due to the lack of internal data controls, rival companies whose communications may have been intercepted or improperly accessed, and shareholders who invested in TechFite while it appeared more profitable than it was.

B1b. Explain how existing cybersecurity policies and procedures failed to prevent the alleged criminal activity.

Lack of account auditing allowed Carl Jaspers to escalate the privileges of dummy accounts for unauthorized access to protected computers in other departments. No implementation of least privilege caused sales members to have an excessive amount of access and cast doubt on the accuracy of TechFite's sales reports. The principle of least privilege may also have prevented individuals from being able to install the Metasploit tool by requiring administrative approval to install software.

B2. Explain how evidence in the case study supports claims of alleged acts of negligence in TechFite.

The case study shows that there was a clear lack of policies from senior management that would have prevented TechFite's problems.
A policy against conflicts of interest should have prevented the boss/subordinate relationship and Carl Jaspers' business dealings with a partner from college. If there was any policy for monitoring the company's internal network, it did not appear to be enforced, given the lack of audits and rampant user account abuse. This negligence from the top is what allowed a toxic culture to form.

B2a. Identify who was negligent and who were the victims.

Nadia Johnson was negligent by failing to identify the lack of internal oversight within the BI Unit, specifically the lack of user account audits, data loss prevention, and network monitoring. Senior management at TechFite was negligent for failing to enforce a separation of duties policy that would protect customer data and improve the accuracy of their financial reporting. TechFite was also negligent for failing to implement a policy preventing boss/subordinate relationships that could result in conflicts of interest. The victims of this negligence were any customers of TechFite whose data was unprotected and compromised, the companies whose communications may have been compromised via the Metasploit tool, the other departments of TechFite whose files were illegally obtained, and again, any shareholders who believed they were investing in a company based on accurate financial reports.

B2b. Explain how existing cybersecurity policies and procedures failed to prevent negligent practices.

The cybersecurity policy that was in place only worked to protect TechFite from external sources. An internally focused policy that mandated user account audits, checking for escalation of privilege, scanning for unauthorized applications, and network activity monitoring did not exist, which shows negligence in accounting for insider threats. Account audits would have prevented the dummy users and escalated privilege.
Unauthorized software scans would have detected the Metasploit software. Network monitoring would have revealed the scanning and penetration of other companies and the breaches into other departments.

References

[1] United States Government. (1984). 18 U.S. Code § 1030 - Fraud and related activity in connection with computers. Retrieved from https://www.law.cornell.edu/uscode/text/18/1030
[2] United States Government. (2018, October 19). Sarbanes Oxley Act of 2002. Retrieved from http://legcounsel.house.gov/Comps/Sarbanes-oxley%20Act%20Of%202002.pdf
[3] Caterine, M. J. (n.d.). Privacy of electronic communications. Retrieved from https://www.americanbar.org/content/dam/aba/administrative/labor_law/meetings/2009/2009_err_008.authcheckdam.pdf