Legal, Ethical, and Professional Issues in ... - SNS Courseware

Legal, Ethical, and Professional

Issues in Information Security

16ITOE03 MIS K.S.Mohan Unit IV Topic 2

Chapter Objectives

Upon completion of this chapter you should be able to:

◦ Use this chapter as a guide for future reference on laws,

regulations, and professional organizations.

◦ Differentiate between laws and ethics.

◦ Identify major national laws that relate to the practice of

information security.

◦ Describe the role of culture as it applies to ethics in

information security.

216ITOE03 MIS K.S.Mohan Unit IV Topic 2

*Law and Ethics in Information Security

Jean-Jacques Rousseau

◦ The Social Contract or Principles of Political Right (1762)

◦ "The rules the members of a society create to balance the right of the individual to self-determination with the needs of the society as a whole are called laws."

Laws**

◦ Rules that mandate or prohibit certain behavior in society.

◦ Carry the sanctions of governing authority.

Ethics**

◦ Define socially acceptable behaviors.

◦ Universally recognized examples include murder, theft, assault, and arson.

Cultural Mores

◦ The fixed moral attitudes or customs of a particular group.

3

16ITOE03 MIS K.S.Mohan Unit IV Topic

2

Organizational Liability

Liability**

◦ Legal obligation of an entity that extends beyond criminal

or contract law.

◦ Includes obligation to make restitution, or compensate for,

wrongs committed by an organization or its employees.

◦ Organization can be held financially liable (responsible) for

actions of employees.

◦ Obligation increases if organization fails to take due care.

4


2

Organizational Responsibilities for

Due Care and Due Diligence

Due care**

◦ Must ensure that every employee knows

what is acceptable or unacceptable behavior

consequences of illegal or unethical actions.

Due diligence**

◦ Requires organization to

make a valid effort to protect others

continually maintain this level of effort

◦ Internet has global reach --- injury/wrong can occur anywhere in the

world.

Jurisdiction**

◦ A court's right to hear a case if a wrong was committed in its territory,

or involves its citizenry --- long arm jurisdiction.

◦ In U.S., any court can impose its authority over individuals or

organizations, if it can establish jurisdiction

5


2

Policy vs Law

Laws

◦ External legal requirements

Security policies**. Internal (organizational) rules that:

◦ Describe acceptable and unacceptable employee behaviors.

◦ Organizational laws --- including penalties and sanctions.

◦ Must be complete, appropriate and fairly applied in the work place.

◦ In order to be enforceable, policies must be

Disseminated. Distributed to all individuals and readily available for employee reference.

Reviewed. Document distributed in a format that could be read by employeees.

Comprehended. Employees understand the requirements --- e.g., quizzes or other methods of assessment.

Compliance. Employee agrees to comply with the policy.

Uniformly enforced, regardless of employee status or assignment.

6


2

Types of Law

Civil law**

◦ Laws that govern a nation or state.

Criminal law**

◦ Violations harmful to society

◦ Actively enforced by prosecution by the state.

Private law**

◦ regulates relationship between individual and organization.

◦ encompasses family law, commercial law, labor law.

Public law**

◦ regulates structure and administration of government agencies and their relationships with

citizens, employees, and other governments, providing careful checks and balances.

◦ Includes criminal, administrative and constitutional law.

7


2

U.S. General Computer Crime Laws

Computer Fraud and Abuse Act of 1986 (CFA Act)**

◦ Cornerstone of federal laws and enforcement acts

◦ Addresses threats to computers

Communications Act of 1934

◦ Addresses Telecommunications

◦ modified by Telecommunications Deregulation and Competition Act of

1996

modernize archaic terminology

Computer Security Act of 1987**

◦ Protect federal computer systems (federal agencies)

◦ Establish minimum acceptable security practices.

8


2

U.S. Privacy Laws Privacy Issues

◦ Collection of personal information

◦ Clipper chip - never implemented

Privacy of Customer Information

◦ U.S. Legal Code Privacy of Customer Information Section

Responsibilities of common carriers (phone co) to protect confidentiality

Federal Privacy Act of 1974**

◦ Regulates government protection of privacy, with some exceptions

Electronic Communications Privacy Act of 1986**

◦ Fourth Amendment - unlawful search and seizure

Health Insurance Portability and Accountability Act of 1996 (HIPAA)**

◦ Kennedy-Kassebaum Act

◦ Privacy of electronic data interchange for health care data

Financial Services Modernization Act (1999)**

◦ Gramm-Leach-Bliley Act of 1999

◦ Banks, securities firms, and insurance companies - disclosure of privacy policies

9


2

U.S. Copyright Law**

Recognizes intellectual property as a protected asset in the U.S.

◦ published word, including electronic formats

Fair use of copyrighted materials

◦ Includes

support news reporting

teaching

scholarship

related activities

◦ Use MUST be for educational or library purposes

not for profit

not excessive

include proper acknowledgment to original author

10


2

Financial Reporting

Sarbanes-Oxley Act of 2002**

◦ Affects

publicly traded corporations

public accounting firms

◦ result of Enron, among others.

improve reliability and accuracy of financial reporting.

increase accountability of corporate governance in publicly traded

companies.

Executives will need

◦ assurance on reliability and quality of information systems from

information technology managers.

◦ Key issue: compliance with reporting requirements.

11


2

Freedom of Information Act of 1996 (FOIA)**

Any person may request access to federal agency records or

information not determined to be a matter of national security.

◦ Agencies must disclose requested information

After the request has been reviewed and determined not to pose a

risk to national security.

Does NOT apply to:

◦ state/local government agencies

◦ private businesses or individuals.

12


2

State and Local Regulations

Locally implemented laws pertaining to information security.

Information security professionals must be aware of these laws and

comply with them.

13


2

International Laws and Legal Bodies

Few international laws relating to privacy and information security.

European Council Cyper-Crime Convention

◦ 2001. Creates international task force

◦ Improve effectiveness of international investigations

◦ Emphasis on copyright infringement prosecution

◦ Lacks realistic provisions for enforcement

WTO Agreement on Intellectual Property Rights

◦ Intellectual property rules for multilateral trade system.

Digital Millenium Copyright Act**

◦ U.S. response to 1995 Directive 95/46/EC by E.U.

◦ U.K. Database Right

United Nations Charter

◦ Information Warfare provisions.

14


2

Security Breaches Punishment

If not caught: illegal to demand a payment in order to “disappear

without a track”

◦ But banks and financial institutions have to keep it quiet…

If caught in a “lawful” country: fines and/or jail sentence

AOL employees http://www.connectedhomemag.com/HomeOffice/Articles/Index.cfm?ArticleID=43090

http://www.aolsucks.org/ccaol2.htm

“$130 mil. stolen in computer crime. Each defendant faces the possibility of

35 years in prison, and more than $1 million in fines or twice the amount

made from the crime, whichever is greater.” http://www.crime-

research.org/news/27.08.2009/3750/

Malicious kids go to jail http://www.cybercrime.gov/cases.htm

◦ Kevin Mitnick and Robert Morris

Federal cases database (only up to 2006) http://www.justice.gov/criminal/cybercrime/cccases.html

15


2

http://www.connectedhomemag.com/HomeOffice/Articles/Index.cfm?ArticleID=43090

http://www.aolsucks.org/ccaol2.htm

http://www.crime-research.org/news/27.08.2009/3750/

http://www.cybercrime.gov/cases.htm

http://www.justice.gov/criminal/cybercrime/cccases.html

Ethics and Information Security

Ethical issues of information security professionals

◦ Expected to be leaders in ethical workplace behavior

◦ No binding professional code of ethics

◦ Some professional organizations provide ethical codes of conduct,

Have no authority to banish violators from professional practice.

16


2

Cultural Differences and Ethics

Different nationalities have different perspectives on computer ethics

◦ Asian tradition - collective ownership

◦ Western tradition - intellectual property rights

Study of computer use ethics among students in 9 nations

◦ Singapore, Hong Kong, U.S., England, Australia, Sweden, Wales, Netherlands

◦ Studied 3 categories of use

software license infringement

illicit use

misuse of corporate resources

17


2

Cultural Differences:

Software License Infringement

Most nations had similar attitudes toward software piracy

◦ U.S.

significantly less tolerant (least tolerant)

◦ Other countries

moderate

higher piracy rates in Singapore/Hong Kong

may result from lack of legal disincentives or punitive measures

◦ Netherlands

most permissive

least likely to honor copyrights of content creators

lower piracy rate than Singapore/Hong Kong

18


2


Illicit Use of Software Viruses, hacking, other forms of abuse uniformly condemned as

unacceptable behavior.

Singapore/Hong Kong

◦ most tolerant

Sweden/Netherlands

◦ in-between

U.S., Wales, England, Australia

◦ least tolerant

19


2


Misuse of Corporate Resources

Generally lenient attitudes toward

◦ personal use of company computing resources.

Singapore/Hong Kong

◦ viewed personal use as unethical (least tolerant)

Other countries

◦ Personal use acceptable if not specifically prohibited

Netherlands

◦ most lenient

20


2

Ethics and Education

Education

◦ overriding factor in leveling the ethical perceptions within a small

population

◦ Employees must be trained and kept aware of topics related to

information security, including expected ethical behaviors..

◦ Many employees may not have formal technical training to

understand that their behavior is unethical or illegal.

Ethical and legal training is an essential key to developing informed,

well-prepared, and low-risk system users.

21


2

Deterrence to Unethical and Illegal

Behavior

Use policy, education, training, and technology to

protect information systems.

3 categories of unethical and illegal behavior

◦ Ignorance

No excuse for violating law, but allowable for policies.

Use education, policies, training, awareness programs to keep

individuals aware of policies.

◦ Accident

Use careful planning and control to prevent accidental

modifications to system and data.

◦ Intent

Frequent cornerstone for prosecution.

Best controls are litigation, prosecution, and technical controls.

22


2

Deterrence

Best method to prevent illegal or unethical activity.

◦ Laws, policies, and technical controls

3 conditions required for effective deterrence

◦ Fear of penalty

reprimand or warnings may not have the same effectiveness as imprisonment or loss of pay.

◦ Probability of being caught

must believe there is a strong possibility of being caught.

◦ Probability of penalty being administered

must believe the penalty will be administered

Note: threats don’t work --- penalties must be realistic and enforceable.

23


2

Codes of Ethics

Established by various professional organizations

◦ Produce a positive effect on judgment regarding computer use

◦ Establishes responsibility of security professionals to act ethically

according to the policies and procedures of their employers,

professional organizations, and laws of society.

◦ Organizations assume responsibility to develop, disseminate, and

enforce policies.

24


2

Major IT Professional Organizations and

Ethics

Association for Computing Machinery (ACM)

◦ promotes education and provides discounts for students

◦ educational and scientific computing society

International Information Systems Security Certification Consortium (ISC2)

◦ develops and implements information security certifications and credentials

System Administration, Networking, and Security Institute (SANS)

◦ Global Information Assurance Certifications (GIAC)

Information Systems Audit and Control Association (ISACA)

◦ focus on auditing, control and security

Computer Security Institute (CSI)

◦ sponsors education and training for information security

Information Systems Security Association (ISSA)

◦ information exchange and educational development for information security practitioners

25


2

Other Security Organizations

Internet Society (ISOC)

◦ develop education, standards, policy, and education and training to promote the Internet

Internet Engineering Task Force (IETF)

◦ develops Internet's technical foundations

Computer Security Division (CSD) of National Institute for Standards and Technology (NIST)

◦ Computer Security Resource Center (CSRC)

Computer Emergency Response Team (CERT)**

◦ CERT Coordination Center (CERT/CC)

◦ Carnegie Mellon University Software Engineering Institute

Computer Professionals for Social Responsibility (CPSR)

◦ promotes ethical and responsible development and use of computing

◦ watchdog for development of ethical computing

26


2

U.S. Federal Agencies Related to

Information Security

Department of Homeland Security (DHS)

◦ Directorate of Information and Infrastructure discover and respond to attacks on national information systems and

critical infrastructure

research and development of software and technology

◦ Science and Technology Directorate Research and development activities

examination of vulnerabilities

sponsors emerging best practices

FBI National Infrastructure Protection Center (NIPC)

◦ U.S. government center for threat assessment, warning, investigation, and response to threats or attacks against U.S. infrastructures

◦ National InfraGard Program

cooperative effort between public and private organizations and academic community

provides free exchange of information with private sector regarding threats and attacks.

27


2

U.S. Federal Agencies (2)

National Security Agency (NSA)**

◦ U.S. cryptologic organization

◦ Centers of Excellence in Information Assurance

Education

recognition for universities/schools

acknowledgment on NSA web site

◦ Program to certify curricula in information security

Information Assurance Courseware Evaluation

Provides 3 year accreditation

U.S. Secret Service◦ Part of Department of Treasury

◦ One mission is to detect and arrest any person committing U.S. federal

offenses related to computer fraud and false identification crimes.

28


2

Legal, Ethical, and Professional Issues in ... - SNS Courseware

Documents

Transcript of Legal, Ethical, and Professional Issues in ... - SNS Courseware