Post on 04-May-2023
Legal, Ethical, and Professional
Issues in Information Security
16ITOE03 MIS K.S.Mohan Unit IV Topic 2
Chapter Objectives
Upon completion of this chapter you should be able to:
◦ Use this chapter as a guide for future reference on laws,
regulations, and professional organizations.
◦ Differentiate between laws and ethics.
◦ Identify major national laws that relate to the practice of
information security.
◦ Describe the role of culture as it applies to ethics in
information security.
Law and Ethics in Information Security
Jean-Jacques Rousseau
◦ The Social Contract or Principles of Political Right (1762)
◦ "The rules the members of a society create to balance the right of the individual to self-determination with the needs of the society as a whole are called laws."
Laws
◦ Rules that mandate or prohibit certain behavior in society.
◦ Carry the sanctions of governing authority.
Ethics
◦ Define socially acceptable behaviors.
◦ Universally recognized examples include murder, theft, assault, and arson.
Cultural Mores
◦ The fixed moral attitudes or customs of a particular group.
Organizational Liability
Liability
◦ Legal obligation of an entity that extends beyond criminal
or contract law.
◦ Includes obligation to make restitution, or compensate for,
wrongs committed by an organization or its employees.
◦ Organization can be held financially liable (responsible) for
actions of employees.
◦ Obligation increases if organization fails to take due care.
Organizational Responsibilities for
Due Care and Due Diligence
Due care
◦ Must ensure that every employee knows:
    what is acceptable or unacceptable behavior
    the consequences of illegal or unethical actions.
Due diligence
◦ Requires the organization to:
    make a valid effort to protect others
    continually maintain this level of effort
◦ Internet has global reach --- injury/wrong can occur anywhere in the world.
Jurisdiction
◦ A court's right to hear a case if a wrong was committed in its territory, or involves its citizenry --- long arm jurisdiction.
◦ In U.S., any court can impose its authority over individuals or organizations, if it can establish jurisdiction.
Policy vs Law
Laws
◦ External legal requirements
Security policies
◦ Internal (organizational) rules that describe acceptable and unacceptable employee behaviors.
◦ Organizational laws --- including penalties and sanctions.
◦ Must be complete, appropriate and fairly applied in the workplace.
◦ In order to be enforceable, policies must be:
    Disseminated. Distributed to all individuals and readily available for employee reference.
    Reviewed. Document distributed in a format that could be read by employees.
    Comprehended. Employees understand the requirements --- e.g., quizzes or other methods of assessment.
    Compliance. Employee agrees to comply with the policy.
    Uniformly enforced, regardless of employee status or assignment.
Types of Law
Civil law
◦ Laws that govern a nation or state.
Criminal law
◦ Violations harmful to society.
◦ Actively enforced by prosecution by the state.
Private law
◦ Regulates relationship between individual and organization.
◦ Encompasses family law, commercial law, labor law.
Public law
◦ Regulates structure and administration of government agencies and their relationships with citizens, employees, and other governments, providing careful checks and balances.
◦ Includes criminal, administrative and constitutional law.
U.S. General Computer Crime Laws
Computer Fraud and Abuse Act of 1986 (CFA Act)
◦ Cornerstone of federal laws and enforcement acts
◦ Addresses threats to computers
Communications Act of 1934
◦ Addresses telecommunications
◦ Modified by the Telecommunications Deregulation and Competition Act of 1996 to modernize archaic terminology
Computer Security Act of 1987
◦ Protect federal computer systems (federal agencies)
◦ Establish minimum acceptable security practices.
U.S. Privacy Laws
Privacy Issues
◦ Collection of personal information
◦ Clipper chip - never implemented
Privacy of Customer Information
◦ U.S. Legal Code Privacy of Customer Information Section
    Responsibilities of common carriers (phone co.) to protect confidentiality
Federal Privacy Act of 1974
◦ Regulates government protection of privacy, with some exceptions
Electronic Communications Privacy Act of 1986
◦ Fourth Amendment - unlawful search and seizure
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
◦ Kennedy-Kassebaum Act
◦ Privacy of electronic data interchange for health care data
Financial Services Modernization Act (1999)
◦ Gramm-Leach-Bliley Act of 1999
◦ Banks, securities firms, and insurance companies - disclosure of privacy policies
U.S. Copyright Law
Recognizes intellectual property as a protected asset in the U.S.
◦ published word, including electronic formats
Fair use of copyrighted materials
◦ Includes:
    support of news reporting
    teaching
    scholarship
    related activities
◦ Use MUST be for educational or library purposes:
    not for profit
    not excessive
    include proper acknowledgment to original author
Financial Reporting
Sarbanes-Oxley Act of 2002
◦ Affects:
    publicly traded corporations
    public accounting firms
◦ Result of Enron, among others.
    improve reliability and accuracy of financial reporting.
    increase accountability of corporate governance in publicly traded companies.
Executives will need
◦ assurance on reliability and quality of information systems from information technology managers.
◦ Key issue: compliance with reporting requirements.
Freedom of Information Act of 1996 (FOIA)
Any person may request access to federal agency records or information not determined to be a matter of national security.
◦ Agencies must disclose requested information
    after the request has been reviewed and determined not to pose a risk to national security.
Does NOT apply to:
◦ state/local government agencies
◦ private businesses or individuals.
State and Local Regulations
Locally implemented laws pertaining to information security.
Information security professionals must be aware of these laws and
comply with them.
International Laws and Legal Bodies
Few international laws relating to privacy and information security.
European Council Cyber-Crime Convention
◦ 2001. Creates international task force
◦ Improve effectiveness of international investigations
◦ Emphasis on copyright infringement prosecution
◦ Lacks realistic provisions for enforcement
WTO Agreement on Intellectual Property Rights
◦ Intellectual property rules for multilateral trade system.
Digital Millennium Copyright Act
◦ U.S. response to 1995 Directive 95/46/EC by E.U.
◦ U.K. Database Right
United Nations Charter
◦ Information Warfare provisions.
Security Breaches Punishment
If not caught: illegal to demand a payment in order to “disappear without a trace”
◦ But banks and financial institutions have to keep it quiet…
If caught in a “lawful” country: fines and/or jail sentence
AOL employees: http://www.connectedhomemag.com/HomeOffice/Articles/Index.cfm?ArticleID=43090
http://www.aolsucks.org/ccaol2.htm
“$130 mil. stolen in computer crime. Each defendant faces the possibility of 35 years in prison, and more than $1 million in fines or twice the amount made from the crime, whichever is greater.” http://www.crime-research.org/news/27.08.2009/3750/
Malicious kids go to jail: http://www.cybercrime.gov/cases.htm
◦ Kevin Mitnick and Robert Morris
Federal cases database (only up to 2006): http://www.justice.gov/criminal/cybercrime/cccases.html
Ethics and Information Security
Ethical issues of information security professionals
◦ Expected to be leaders in ethical workplace behavior
◦ No binding professional code of ethics
◦ Some professional organizations provide ethical codes of conduct, but have no authority to banish violators from professional practice.
Cultural Differences and Ethics
Different nationalities have different perspectives on computer ethics
◦ Asian tradition - collective ownership
◦ Western tradition - intellectual property rights
Study of computer use ethics among students in 9 nations
◦ Singapore, Hong Kong, U.S., England, Australia, Sweden, Wales, Netherlands
◦ Studied 3 categories of use:
    software license infringement
    illicit use
    misuse of corporate resources
Cultural Differences: Software License Infringement
Most nations had similar attitudes toward software piracy
◦ U.S.
    significantly less tolerant (least tolerant)
◦ Other countries
    moderate
    higher piracy rates in Singapore/Hong Kong
    may result from lack of legal disincentives or punitive measures
◦ Netherlands
    most permissive
    least likely to honor copyrights of content creators
    lower piracy rate than Singapore/Hong Kong
Cultural Differences: Illicit Use of Software
Viruses, hacking, other forms of abuse uniformly condemned as unacceptable behavior.
Singapore/Hong Kong
◦ most tolerant
Sweden/Netherlands
◦ in-between
U.S., Wales, England, Australia
◦ least tolerant
Cultural Differences:
Misuse of Corporate Resources
Generally lenient attitudes toward
◦ personal use of company computing resources.
Singapore/Hong Kong
◦ viewed personal use as unethical (least tolerant)
Other countries
◦ Personal use acceptable if not specifically prohibited
Netherlands
◦ most lenient
Ethics and Education
Education
◦ overriding factor in leveling the ethical perceptions within a small population
◦ Employees must be trained and kept aware of topics related to information security, including expected ethical behaviors.
◦ Many employees may not have formal technical training to understand that their behavior is unethical or illegal.
Ethical and legal training is an essential key to developing informed, well-prepared, and low-risk system users.
Deterrence to Unethical and Illegal Behavior
Use policy, education, training, and technology to protect information systems.
3 categories of unethical and illegal behavior
◦ Ignorance
    No excuse for violating law, but allowable for policies.
    Use education, policies, training, awareness programs to keep individuals aware of policies.
◦ Accident
    Use careful planning and control to prevent accidental modifications to system and data.
◦ Intent
    Frequent cornerstone for prosecution.
    Best controls are litigation, prosecution, and technical controls.
Deterrence
Best method to prevent illegal or unethical activity.
◦ Laws, policies, and technical controls
3 conditions required for effective deterrence
◦ Fear of penalty
    reprimand or warnings may not have the same effectiveness as imprisonment or loss of pay.
◦ Probability of being caught
    must believe there is a strong possibility of being caught.
◦ Probability of penalty being administered
    must believe the penalty will be administered.
Note: threats don’t work --- penalties must be realistic and enforceable.
Codes of Ethics
Established by various professional organizations
◦ Produce a positive effect on judgment regarding computer use
◦ Establishes responsibility of security professionals to act ethically
according to the policies and procedures of their employers,
professional organizations, and laws of society.
◦ Organizations assume responsibility to develop, disseminate, and
enforce policies.
Major IT Professional Organizations and
Ethics
Association for Computing Machinery (ACM)
◦ promotes education and provides discounts for students
◦ educational and scientific computing society
International Information Systems Security Certification Consortium (ISC2)
◦ develops and implements information security certifications and credentials
System Administration, Networking, and Security Institute (SANS)
◦ Global Information Assurance Certifications (GIAC)
Information Systems Audit and Control Association (ISACA)
◦ focus on auditing, control and security
Computer Security Institute (CSI)
◦ sponsors education and training for information security
Information Systems Security Association (ISSA)
◦ information exchange and educational development for information security practitioners
Other Security Organizations
Internet Society (ISOC)
◦ develops education, standards, policy, and training to promote the Internet
Internet Engineering Task Force (IETF)
◦ develops Internet's technical foundations
Computer Security Division (CSD) of National Institute for Standards and Technology (NIST)
◦ Computer Security Resource Center (CSRC)
Computer Emergency Response Team (CERT)
◦ CERT Coordination Center (CERT/CC)
◦ Carnegie Mellon University Software Engineering Institute
Computer Professionals for Social Responsibility (CPSR)
◦ promotes ethical and responsible development and use of computing
◦ watchdog for development of ethical computing
U.S. Federal Agencies Related to Information Security
Department of Homeland Security (DHS)
◦ Directorate of Information and Infrastructure:
    discover and respond to attacks on national information systems and critical infrastructure
    research and development of software and technology
◦ Science and Technology Directorate:
    research and development activities
    examination of vulnerabilities
    sponsors emerging best practices
FBI National Infrastructure Protection Center (NIPC)
◦ U.S. government center for threat assessment, warning, investigation, and response to threats or attacks against U.S. infrastructures
◦ National InfraGard Program:
    cooperative effort between public and private organizations and the academic community
    provides free exchange of information with the private sector regarding threats and attacks.
U.S. Federal Agencies (2)
National Security Agency (NSA)
◦ U.S. cryptologic organization
◦ Centers of Excellence in Information Assurance Education:
    recognition for universities/schools
    acknowledgment on NSA web site
◦ Program to certify curricula in information security:
    Information Assurance Courseware Evaluation
    provides 3-year accreditation
U.S. Secret Service
◦ Part of Department of Treasury
◦ One mission is to detect and arrest any person committing U.S. federal offenses related to computer fraud and false identification crimes.