Legal Liability in Safeguards Evaluation

Legal Liability


Question

The criterion for evaluating the legal requirement to implement a safeguard is to compare the cost (C) of instituting the protection against the estimated loss (L) resulting from exploitation of the corresponding vulnerability.

Therefore, a legal liability may exist when:

Answers

Explanations


A. C < L
B. C < L - (residual risk)
C. C > L
D. C > L - (residual risk)

A.

If the cost is lower than the estimated loss (C < L), then a legal liability may exist if you fail to implement the proper safeguards.

Government laws and regulations require companies to employ reasonable security measures to reduce private harms such as identity theft due to unauthorized access.

The U.S. Gramm-Leach-Bliley Act (GLBA) Safeguards Rule and the broader European Directive 95/46/EC, Article 17, both require that companies employ reasonable or appropriate administrative and technical security measures to protect consumer information.

The GLBA is a U.S. Federal law enacted by the U.S. Congress in 1998 to allow consolidation among commercial banks.

The GLBA Safeguards Rule is a U.S. Federal regulation created in reaction to the GLBA and enforced by the U.S. Federal Trade Commission (FTC). The Safeguards Rule requires companies to implement a security plan to protect the confidentiality and integrity of consumer personal information and requires the designation of an individual responsible for compliance.

Because these laws and regulations govern consumer personal information, they can lead to new requirements for the information systems that companies are responsible for bringing into compliance.

The act of compliance includes demonstrating due diligence, which is defined as "reasonable efforts that persons make to satisfy legal requirements or discharge their legal obligations". Reasonableness in software systems includes industry standards and may allow for imperfection. Lawyers representing firms and other organizations, regulators, system administrators and engineers all face considerable challenge in determining what constitutes "reasonable" security measures for several reasons, including:

1. Compliance changes with the emergence of new security vulnerabilities due to innovations in information technology;
2. Compliance requires knowledge of specific security measures, however publicly available best practices typically include general goals and only address broad categories of vulnerability; and
3. Compliance is a best-effort practice, because improving security is costly and companies must prioritize security spending commensurate with the risk of non-compliance.

In general, the costs of improved security are certain, but the improvement in security depends on unknown variables and probabilities outside the control of companies.

The following reference(s) were used for this question:

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 315

and http://www.cs.cmu.edu/~breaux/publications/tdbreaux-cose10.pdf.

The evaluation of legal requirements for implementing safeguards is a crucial step in the risk management process. It involves assessing the cost of implementing security measures versus the potential loss resulting from the exploitation of a vulnerability. The residual risk is also taken into account, which is the risk remaining after the safeguards have been implemented.

The formula used to evaluate legal requirements is as follows:

C < L - (residual risk)

Where C represents the cost of implementing safeguards, L represents the potential loss resulting from the exploitation of a vulnerability, and the residual risk is the risk remaining after safeguards have been implemented.

Option A (C < L) is incorrect as it does not take into account the residual risk.

Option B (C < L - (residual risk)) is the correct answer. This formula considers the residual risk, which is the risk remaining after the safeguards have been implemented, and evaluates whether the cost of implementing the safeguards is less than the potential loss resulting from the exploitation of the vulnerability minus the residual risk.

Option C (C > L) is incorrect as it implies that the cost of implementing safeguards is greater than the potential loss resulting from the exploitation of a vulnerability, which would not make sense from a risk management perspective.

Option D (C > L - (residual risk)) is also incorrect as it implies that the cost of implementing safeguards is greater than the potential loss resulting from the exploitation of the vulnerability minus the residual risk, which would not be a cost-effective approach.

In summary, option B (C < L - (residual risk)) is the correct answer because it takes into account the residual risk, which is the risk remaining after the safeguards have been implemented, and evaluates whether the cost of implementing the safeguards is less than the potential loss resulting from the exploitation of the vulnerability minus the residual risk.