Legal, Ethical and professional issues in Information Security
Principles of Information Security, 2nd Edition 2
Introduction
- You must understand the scope of an organization's legal and ethical responsibilities.
- To minimize liabilities and reduce risks, the information security practitioner must:
  - Understand the current legal environment
  - Stay current with laws and regulations
  - Watch for new issues that emerge
Law and Ethics in Information Security
- Laws: rules that mandate or prohibit certain societal behavior
- Ethics: define socially acceptable behavior
- Cultural mores: fixed moral attitudes or customs of a particular group; ethics are based on these
- Laws carry the sanctions of a governing authority; ethics do not
Organizational Liability and the Need for Counsel
- Liability: the legal obligation of an entity that extends beyond criminal or contract law.
  - Includes the obligation to make restitution for, or compensate for, wrongs committed by an organization or its employees.
Organizational Liability and the Need for Counsel
- Due care
  - Must ensure that every employee knows what is acceptable or unacceptable behavior, and the consequences of illegal or unethical actions.
- Due diligence
  - Requires the organization to make a valid effort to protect others and to continually maintain this level of effort.
- Jurisdiction
  - A court's right to hear a case if a wrong was committed in its territory or involves its citizenry.
- Long-arm jurisdiction
  - A court's ability to draw an accused individual into its court system from across the country or around the world.
Types of Law
- Civil
- Criminal
- Private
- Public
Relevant U.S. Laws (General)
- Computer Fraud and Abuse Act of 1986 (CFA Act)
- National Information Infrastructure Protection Act of 1996
- USA PATRIOT Act of 2001
- Telecommunications Deregulation and Competition Act of 1996
- Communications Decency Act of 1996 (CDA)
- Computer Security Act of 1987
Privacy
- One of the hottest topics in information security
- Privacy is a "state of being free from unsanctioned intrusion"
- The ability to aggregate data from multiple sources allows the creation of information databases previously unheard of
Export and Espionage Laws
- Economic Espionage Act of 1996 (EEA)
- Security And Freedom Through Encryption Act of 1999 (SAFE)
U.S. Copyright Law
- Intellectual property is recognized as a protected asset in the U.S.; copyright law extends to electronic formats.
- With proper acknowledgment, it is permissible to include portions of others' work as a reference.
- As long as proper acknowledgment is given to the original author, such use is entirely permissible.
Freedom of Information Act of 1966 (FOIA)
- Allows access to federal agency records or information not determined to be a matter of national security
- U.S. government agencies are required to disclose any requested information upon receipt of a written request
- Some information is protected from disclosure
State and Local Regulations
- Restrictions on organizational computer technology use exist at the international, national, state, and local levels
- The information security professional is responsible for understanding state regulations and ensuring the organization is compliant with them
International Laws and Legal Bodies
- European Council Cyber-Crime Convention:
  - Establishes an international task force overseeing Internet security functions for standardized international technology laws
  - Attempts to improve the effectiveness of international investigations into breaches of technology law
  - Well received by intellectual property rights advocates due to its emphasis on copyright infringement prosecution
  - Lacks realistic provisions for enforcement
International Laws and Legal Bodies
- There are few international laws relating to privacy and information security.
- European Council Cyber-Crime Convention
  - 2001: creates an international task force
  - Aims to improve the effectiveness of international investigations
  - Emphasis on copyright infringement prosecution
  - Lacks realistic provisions for enforcement
- WTO Agreement on Intellectual Property Rights
  - Intellectual property rules for the multilateral trade system.
- Digital Millennium Copyright Act
  - The U.S. contribution to the international effort to reduce the impact of copyright, trademark, and privacy infringement.
Policy Versus Law
- Most organizations develop and formalize a body of expectations called policy
- Policies serve as organizational laws
- To be enforceable, a policy must be:
  - Disseminated
  - Reviewed
  - Comprehended
  - Complied with
Ethics and Information Security
- "Thou shalt" is the traditional form of "you shall"
Ethical Differences Across Cultures
- Cultural differences create difficulty in determining what is and is not ethical
- Difficulties arise when one nationality's ethical behavior conflicts with the ethics of another national group
- Example: many of the ways in which Asian cultures use computer technology constitute software piracy
Ethics and Education
- The overriding factor in leveling ethical perceptions within a small population is education
- Employees must be trained in the expected behaviors of an ethical employee, especially in areas of information security
- Proper ethical training is vital to creating an informed, well-prepared, and low-risk system user
Deterrence of Unethical and Illegal Behavior
- Deterrence: the best method for preventing an illegal or unethical activity; e.g., laws, policies, technical controls
- Laws and policies only deter if three conditions are present:
  - Fear of penalty
  - Probability of being caught
  - Probability of the penalty being administered
Codes of Ethics and Professional Organizations
- Several professional organizations have established codes of conduct/ethics
- Codes of ethics can have a positive effect; unfortunately, many employers do not encourage joining these professional organizations
- It is the responsibility of security professionals to act ethically and according to the policies of their employer, their professional organization, and the laws of society
Major IT Professional Organizations and Ethics
- Association for Computing Machinery (ACM)
  - Educational and scientific computing society
  - Promotes education and provides discounts for students
- International Information Systems Security Certification Consortium (ISC2)
  - Develops and implements information security certifications and credentials
- System Administration, Networking, and Security Institute (SANS)
  - Global Information Assurance Certifications (GIAC)
- Information Systems Audit and Control Association (ISACA)
  - Focus on auditing, control, and security
- Computer Security Institute (CSI)
  - Sponsors education and training for information security
- Information Systems Security Association (ISSA)
  - Information exchange and educational development for information security practitioners
Key U.S. Federal Agencies
- Department of Homeland Security (DHS)
- Federal Bureau of Investigation's National Infrastructure Protection Center (NIPC)
- National Security Agency (NSA)
- U.S. Secret Service
Organizational Liability and the Need for Counsel
- Liability is the legal obligation of an entity; it includes the legal obligation to make restitution for wrongs committed
- An organization increases its liability if it refuses to take the measures known as due care
- Due diligence requires that an organization make a valid effort to protect others and continually maintain that level of effort
Summary
- Many organizations have codes of conduct and/or codes of ethics
- An organization increases its liability if it refuses to take the measures known as due care
- Due diligence requires that an organization make a valid effort to protect others and continually maintain that effort