【北邮国院大三下】Cybersecurity Law 网络安全法 Week1【更新Topic4, 5】_cyber security law

给大家的福利

零基础入门

对于从来没有接触过网络安全的同学，我们帮你准备了详细的学习成长路线图。可以说是最科学最系统的学习路线，大家跟着这个大的方向学习准没问题。

同时每个成长路线对应的板块都有配套的视频提供：

因篇幅有限，仅展示部分资料

网络安全面试题

绿盟护网行动

还有大家最喜欢的黑客技术

网络安全源码合集+工具包

所有资料共282G，朋友们如果有需要全套《网络安全入门+黑客进阶学习资源包》，可以扫描下方二维码领取（如遇扫码问题，可以在评论区留言领取哦）~

网上学习资料一大堆，但如果学到的知识不成体系，遇到问题时只是浅尝辄止，不再深入研究，那么很难做到真正的技术提升。

需要这份系统化资料的朋友，可以点击这里获取

一个人可以走的很快，但一群人才能走的更远！不论你是正从事IT行业的老鸟或是对IT行业感兴趣的新人，都欢迎加入我们的的圈子（技术交流、学习资源、职场吐槽、大厂内推、面试辅导），让我们一起学习成长！

不同的潜在责任来源:法规、规章、合同、组织治理、自愿组织、私法侵权

Different kinds of information often sought to be protected:

• personal data under data protection laws 数据保护法下的个人数据
• corporate financial information 企业财务信息
• health information 健康信息
• credit card information 信用卡信息

No such thing as perfect information security 没有完美的信息安全

Sources of Obligations

• Laws – rules – regulations
  • Common law
    • body of law that developed through legal tradition and court cases (case law/judge-made law) – impact on torts, contract, and property law 通过法律传统和法庭案件(判例法/法官制定的法律)发展起来的法律体系——对侵权法、合同法和财产法的影响
  • Statutory law 成文法
    • written law that is adopted by the governments 政府通过的成文法
  • 【关于这两个法律的不同：（以下斜体答案来自newBing）The main difference between common law and statutory law is that common law is based on precedent, or previous court decisions, while statutory law is based on written laws passed by a legislature or other government agency. Common law is also procedural, meaning it regulates how lawsuits are conducted, while statutory law is substantive, meaning it defines rights and duties of citizens 普通法和成文法之间的主要区别在于普通法是基于先例或以前的法院判决，而成文法是基于立法机关或其他政府机构通过的成文法。普通法也是程序法，这意味着它规定了诉讼如何进行，而成文法是实体法，这意味着它规定了公民的权利和义务】
  • Rules
    • governments delegate power to agencies to create rules, enforce rules, and review rules 政府授权各机构制定规则、执行规则和审查规则
  • Regulations
    • regulatory authorities have the power to create and enforce regulations 监管机构有权制定和执行法规
• Standards

Common Law

Tort law

• A tort, in common law jurisdictions, is a civil wrong that unfairly causes someone else to suffer loss or harm resulting in legal liability for the person who commits the tortious act 侵权行为，在普通法司法管辖区，是一种民事错误，不公平地导致他人遭受损失或伤害，并导致实施侵权行为的人承担法律责任
• Duty – breach – causation – harm elements

Contract Law

• A contract is an agreement, giving rise to obligations, which are enforced or recognised by law 合同是一种协议，产生了由法律强制执行或承认的义务

Regulations 规则

Sector regulators are increasingly auditing companies for their information security management and also issuing ‘regulatory guidance’ or ‘best practice advisories’ on information security

行业监管机构越来越多地对公司的信息安全管理进行审计，并发布关于信息安全的“监管指导”或“最佳实践建议”

Standard

Emerging guidance in form of ‘standards’

以“标准”形式出现的指导

These standards determine how to comply with a legal duty or self-imposedobligation for adequate/reasonable/appropriate information security

这些标准确定如何遵守充分/合理/适当的信息安全的法定义务或自我强制义务

• Standards bodies (ISO; PCI Council)
• International organizations (OECD Guidelines)
• Recent legislation with regulations detailing the necessary steps to the process that will meet the duty of care (GLBA, HIPAA)

Statutes 议会立法，章程

都是一些例子，直接看图得了

Scope of Obligations

These legal obligations specify a duty:

这些法律义务规定了一种义务:

• For example, to provide adequate or reasonable or appropriate security 例如，提供充分的、合理的或适当的保障

They don’t usually give specific guidance as to what that means or how it is to be accomplished

他们通常不会给出具体的指导，说明这意味着什么或如何实现

Issues

The duty to keep information secure is not further specified in the statutes

保护信息安全的义务在法规中没有进一步规定

The GDPR indicates: ‘Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.’

GDPR指出:“考虑到技术水平和实施成本，此类措施应确保与处理所代表的风险和被保护数据的性质相适应的安全水平。”

A cost/risk analysis qualifies an appropriate level of security

成本/风险分析确定了适当的安全级别

【上面这些东西确实没有一条主逻辑链，所以ppt很乱，我整理的也很乱，将就看吧，也没啥内容】

什么是cybersecurity中的cyber

It might potentially include any device that has the ability to communicate

它可能包括任何具有通信能力的设备

• Cybersecurity refers to the systems, contracts and policies we put in place to manage risk with regards to Cyberspace 网络安全是指我们为管理网络空间风险而制定的系统、合同和政策

网络安全的main risk areas

• Threats to corporate files 公司文件威胁
  • Loss of files 文件丢失
  • Email attacks and theft 电子邮件攻击和盗窃
• Threats to industrial control systems 对工业控制系统的威胁
• Threats to confidential information 对机密信息的威胁
• Other commercial risks

网络安全的main vulnerabilities

• Password and policy issues 密码和策略问题
• BYOD and shadow IT BYOD和影子IT
• Loss or theft of devices 设备丢失或被盗
• Technical flaws 技术的缺陷
• Out-of-date applications 过时的应用程序
• Insider threats 内部威胁
• Data storage issues 数据存储问题
  • SQL injections, cryptographic flaws SQL注入，密码漏洞
• Cloud-based storage and systems 基于云的存储和系统

接下来要谈的是EU的information security相关问题

Conclusions of EU

【为什么把conclusion放前面，因为PPT的东西太乱了，conclusion给的应该都是重点，带着这些重点再往后看】

• No single source of Information Security obligations – no single definition 没有单一来源的信息安全义务-没有单一的定义
• Different types of information – different level of protection –different mechanisms 不同类型的信息——不同级别的保护——不同的机制
• EU approach is a principle-based regulation 欧盟的做法是基于原则的监管

Directives / Regulations 指示/规例

• Privacy
  • EU General Data Protection Regulation (GDPR) 欧盟的通用数据保护条例
• Telecommunications networks/services
  • ePrivacy Directive (regulates the use of electronic communications services) 电子资料私隐指引(规管电子通讯服务的使用)
• Critical Infrastructure 关键基础设施
  • Network and Information Systems Directive (NIS Directive) 网络和信息系统指令(NIS指令)

GDPR

Introduction

Organisations that decide to collect and process personal data for their own purposes are known as controllers

决定为自己的目的收集和处理个人数据的组织被称为控制者

A controller may engage a service provider or processor to process personal data on behalf of the controller

控制者可以聘请服务提供者或处理者代表控制者处理个人数据

A processor is an individual or legal person or other body that processes personal data on behalf of the controller

处理者是指代表控制者处理个人数据的个人、法人或其他团体

Scope

The GDPR regulates the processing of personal data

GDPR规范了个人数据的处理

Personal data is any information relating to an identified or identifiable natural person (‘data subject’)

个人数据是指与已识别或可识别自然人(“数据主体”)有关的任何信息。

Identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

可识别自然人是指可以直接或间接识别的自然人，特别是通过参考一个标识符，如姓名、识别号码、位置数据、在线标识符，或参考该自然人的身体、生理、遗传、心理、经济、文化或社会身份的一个或多个特定因素

Relates to living individuals only

只涉及活着的个人

Special categories of personal data is subject to a stricter regime

特殊类别的个人资料受到更严格的制度管制

• Racial or ethnic origin 种族或民族起源
• Political opinions 政治意见
• Religious or philosophical beliefs 宗教或哲学信仰
• Trade union membership 工会会员资格
• Genetic data 遗传学数据
• Biometric data for the purpose of uniquely identifying a natural person 用于唯一识别自然人的生物特征数据
• Data concerning health 关于健康的数据
• Data concerning a natural person’s sex life or sexual orientation 有关自然人性生活或性取向的资料

Princip