Legal, Ethical, and Professional
Issues in Information Security
Principles of Information Security
Chapter 3
Chapter Objectives
• Upon completion of this chapter you should be
able to:
– Use this chapter as a guide for future reference on
laws, regulations, and professional organizations.
– Differentiate between laws and ethics.
– Identify major national laws that relate to the
practice of information security.
– Describe the role of culture as it applies to ethics in
information security.
Law and Ethics in Information Security
• Jean-Jacques Rousseau
– The Social Contract or Principles of Political Right (1762)
– "The rules the members of a society create to balance
the right of the individual to self-determination with the
needs of the society as a whole are called laws."
• Laws
– Rules that mandate or prohibit certain behavior in
society.
– Carry the sanctions of governing authority.
• Ethics
– Define socially acceptable behaviors.
– Universally recognized examples of unethical behavior include murder,
theft, assault, and arson.
• Cultural Mores
– The fixed moral attitudes or customs of a particular
group.
Organizational Liability
• Liability
– Legal obligation of an entity that extends beyond
criminal or contract law.
– Includes obligation to make restitution, or
compensate for, wrongs committed by an
organization or its employees.
– Organization can be held financially liable
(responsible) for actions of employees.
– Obligation increases if organization fails to take due
care.
Organizational Responsibilities for Due Care and Due
Diligence
• Due care
– Must ensure that every employee knows
• what is acceptable or unacceptable behavior
• consequences of illegal or unethical actions.
• Due diligence
– Requires organization to
• make a valid effort to protect others
• continually maintain this level of effort
– Internet has global reach --- injury/wrong can occur anywhere in
the world.
• Jurisdiction
– A court's right to hear a case if a wrong was committed in its
territory, or involves its citizenry --- long arm jurisdiction.
– In U.S., any court can impose its authority over individuals or
organizations, if it can establish jurisdiction.
Policy vs Law
• Laws
– External legal requirements
• Security policies. Internal (organizational) rules that:
– Describe acceptable and unacceptable employee behaviors.
– Organizational laws --- including penalties and sanctions.
– Must be complete, appropriate and fairly applied in the work
place.
– In order to be enforceable, policies must be
• Disseminated (Distribution): Distributed to all individuals and readily
available for employee reference.
• Reviewed (Reading): Document distributed in a format that can be
read by employees.
• Comprehended (Understanding): Employees understand the
requirements --- e.g., quizzes or other methods of assessment.
• Compliance (Agreement): Employee agrees to comply with the policy.
• Uniformly enforced, regardless of employee status or assignment.
Types of Law
• Civil law
– Laws that govern a nation or state.
• Criminal law
– Violations harmful to society
– Actively enforced by prosecution by the state.
• Private law
– Regulates relationship between individual and organization.
– Encompasses family law, commercial law, labor law.
• Public law
– Regulates structure and administration of government agencies
and their relationships with citizens, employees, and other
governments, providing careful checks and balances.
– Includes criminal, administrative and constitutional law.
U.S. General Computer Crime Laws
• Computer Fraud and Abuse Act of 1986 (CFA Act)
– Cornerstone of federal laws and enforcement acts
– Addresses threats to computers
• It was amended in October 1996 by the National Information
Infrastructure Protection Act of 1996, which modified several
sections of the previous act, and increased the penalties for
selected crimes.
• The CFA Act was further modified by the USA Patriot Act of
2001—the abbreviated name for “Uniting and Strengthening
America Act by Providing Appropriate Tools Required to
Intercept and Obstruct Terrorism Act of 2001,” which provides
law enforcement agencies with broader latitude to combat
terrorism-related activities. Some of the laws modified by the
Patriot Act date from the earliest laws created to deal with
electronic technology.
• Communications Act of 1934
– Addresses Telecommunications
– modified by Telecommunications Deregulation and
Competition Act of 1996
• modernize archaic terminology
• Computer Security Act of 1987
– Protect federal computer systems (federal agencies)
– Establish minimum acceptable security practices.
U.S. Privacy Laws
• Privacy Issues
– Collection of personal information
– Clipper chip - a technology that was intended to monitor or track
private communications. It used an algorithm with a two-part key that
was to be managed by two separate government agencies, and it was
reportedly designed to protect individual communications while allowing
the government to decrypt suspect transmissions. It was never
implemented.
• Privacy of Customer Information
– U.S. Legal Code Privacy of Customer Information Section
• Responsibilities of common carriers (phone co) to protect
confidentiality
• Federal Privacy Act of 1974
– Regulates government protection of privacy, with some
exceptions
• Electronic Communications Privacy Act of 1986
– Fourth Amendment - unlawful search and seizure
• Health Insurance Portability and Accountability Act
of 1996 (HIPAA)
– Kennedy-Kassebaum Act
– Privacy of electronic data interchange for health care data
HIPAA has five fundamental principles:
1. Consumer control of medical information
2. Boundaries on the use of medical information
3. Accountability for the privacy of private information
4. Balance of public responsibility for the use of medical
information for the greater good measured against impact to
the individual
5. Security
• Financial Services Modernization Act (1999)
– Gramm-Leach-Bliley Act of 1999
– Banks, securities firms, and insurance companies -
disclosure of privacy policies
• Identity Theft: Related to the legislation on
privacy is the growing body of law on identity
theft.
– The Federal Trade Commission (FTC) describes
identity theft as “occurring when someone uses
your personally identifying information, like your
name, Social Security number, or credit card
number, without your permission, to commit fraud
or other crimes.”
The following agencies, regulated businesses, and
individuals are exempt from some of the regulations
so that they can perform their duties:
• Bureau of the Census
• National Archives and Records Administration
• Congress
• Comptroller General
• Federal courts with regard to specific issues using
appropriate court orders
• Credit reporting agencies
• Individuals or organizations that demonstrate that
information is necessary to protect the health or
safety of that individual
Export and Espionage Laws
• To meet national security needs and to protect
trade secrets and other state and private assets,
several laws restrict which information and
information management and security resources
may be exported from the United States.
• The Security and Freedom through Encryption Act
of 1999 provides guidance on the use of
encryption and provides protection from
government intervention. The act includes
provisions that:
• Reinforce an individual’s right to use or sell
encryption algorithms, without concern for
regulations requiring some form of key registration.
Key registration is the storage of a cryptographic key
(or its text equivalent) with another party to be used
to break the encryption of data. This is often called
“key escrow.”
• Prohibit the federal government from requiring the
use of encryption for contracts, grants, and other
official documents and correspondence.
• State that the use of encryption is not probable
cause to suspect criminal activity.
• Relax export restrictions by amending the Export
Administration Act of 1979.
• Provide additional penalties for the use of encryption
in the commission of a criminal act.
U.S. Copyright Law
• Recognizes intellectual property as a protected asset in
the U.S.
– published word, including electronic formats
• Fair use of copyrighted materials
– Includes
• support news reporting
• teaching
• scholarship
• related activities
– Use MUST be for educational or library purposes
• not for profit
• not excessive
• include proper acknowledgment to original author
Financial Reporting
• Sarbanes-Oxley Act of 2002**
– Affects
• publicly traded corporations
• public accounting firms
– result of Enron, among others.
• improve reliability and accuracy of financial reporting.
• increase accountability of corporate governance in publicly
traded companies.
• Executives will need
– assurance on reliability and quality of information
systems from information technology managers.
– Key issue: compliance with reporting requirements.
Freedom of Information Act of 1996 (FOIA)
• Any person may request access to federal agency
records or information not determined to be a
matter of national security.
– Agencies must disclose requested information
• After the request has been reviewed and
determined not to pose a risk to national security.
• Does NOT apply to:
– state/local government agencies
– private businesses or individuals.
State and Local Regulations
• Locally implemented laws pertaining to
information security.
• Information security professionals must be aware
of these laws and comply with them.
International Laws and Legal Bodies
• Few international laws relating to privacy and information
security.
• European Council Cyber-Crime Convention
– 2001. Creates international task force
– Improve effectiveness of international investigations
– Emphasis on copyright infringement prosecution
– Lacks realistic provisions for enforcement
• WTO Agreement on Intellectual Property Rights
– Intellectual property rules for multilateral trade system.
• Digital Millennium Copyright Act**
– U.S. response to 1995 Directive 95/46/EC by E.U.
– U.K. Database Right
• United Nations Charter
– Information Warfare provisions.
Security Breaches Punishment
• If not caught: illegal to demand a payment in order to
“disappear without a track”
– But banks and financial institutions have to keep it quiet…
• If caught in a “lawful” country: fines and/or jail sentence
• AOL employees
http://www.connectedhomemag.com/HomeOffice/Articles/Index.cfm?ArticleID=43090
http://www.aolsucks.org/ccaol2.htm
• “$130 mil. stolen in computer crime. Each defendant faces the
possibility of 35 years in prison, and more than $1 million in fines
or twice the amount made from the crime, whichever is greater.”
http://www.crime-research.org/news/27.08.2009/3750/
• Malicious kids go to jail http://www.cybercrime.gov/cases.htm
– Kevin Mitnick and Robert Morris
• Federal cases database (only up to 2006)
http://www.justice.gov/criminal/cybercrime/cccases.html
Ethics and Information Security
• Ethical issues of information security
professionals
– Expected to be leaders in ethical workplace behavior
– No binding professional code of ethics
– Some professional organizations provide ethical
codes of conduct,
• Have no authority to banish violators from professional
practice.
Cultural Differences and Ethics
• Different nationalities have different perspectives on
computer ethics
– Asian tradition - collective ownership
– Western tradition - intellectual property rights
• Study of computer use ethics among students in 9
nations
– Singapore, Hong Kong, U.S., England, Australia,
Sweden, Wales, Netherlands
– Studied 3 categories of use
• software license infringement
• illicit use
• misuse of corporate resources
Cultural Differences: Software License Infringement
• Most nations had similar attitudes toward
software piracy
– U.S.
• significantly less tolerant (least tolerant)
– Other countries
• moderate
• higher piracy rates in Singapore/Hong Kong
– may result from lack of legal disincentives or punitive
measures
– Netherlands
• most permissive
• least likely to honor copyrights of content creators
• lower piracy rate than Singapore/Hong Kong
Cultural Differences: Illicit Use of Software
• Viruses, hacking, other forms of abuse uniformly
condemned as unacceptable behavior.
• Singapore/Hong Kong
– most tolerant
• Sweden/Netherlands
– in-between
• U.S., Wales, England, Australia
– least tolerant
Cultural Differences: Misuse of Corporate Resources
• Generally lenient attitudes toward
– personal use of company computing resources.
• Singapore/Hong Kong
– viewed personal use as unethical (least tolerant)
• Other countries
– Personal use acceptable if not specifically
prohibited
• Netherlands
– most lenient
Ethics and Education
• Education
– overriding factor in leveling the ethical perceptions
within a small population
– Employees must be trained and kept aware of topics
related to information security, including expected
ethical behaviors.
– Many employees may not have formal technical
training to understand that their behavior is
unethical or illegal.
• Ethical and legal training is an essential key to
developing informed, well-prepared, and low-risk
system users.
Deterrence to Unethical and Illegal Behavior
• Use policy, education, training, and technology to
protect information systems.
• 3 categories of unethical and illegal behavior
– Ignorance
• No excuse for violating law, but allowable for policies.
• Use education, policies, training, awareness programs to
keep individuals aware of policies.
– Accident
• Use careful planning and control to prevent accidental
modifications to system and data.
– Intent
• Frequent cornerstone for prosecution.
• Best controls are litigation, prosecution, and technical
controls.
Deterrence
• Best method to prevent illegal or unethical activity.
– Laws, policies, and technical controls
• 3 conditions required for effective deterrence
– Fear of penalty
• reprimand or warnings may not have the same
effectiveness as imprisonment or loss of pay.
– Probability of being caught
• must believe there is a strong possibility of being caught.
– Probability of penalty being administered
• must believe the penalty will be administered
• Note: threats don’t work --- penalties must be realistic
and enforceable.
Codes of Ethics
• Established by various professional organizations
– Produce a positive effect on judgment regarding
computer use
– Establishes responsibility of security professionals to
act ethically
• according to the policies and procedures of their
employers, professional organizations, and laws of society.
– Organizations assume responsibility to develop,
disseminate, and enforce policies.
Major IT Professional Organizations and Ethics
• Association for Computing Machinery (ACM)
– promotes education and provides discounts for students
– educational and scientific computing society
• International Information Systems Security Certification
Consortium (ISC2)
– develops and implements information security certifications
and credentials
• System Administration, Networking, and Security Institute (SANS)
– Global Information Assurance Certifications (GIAC)
• Information Systems Audit and Control Association (ISACA)
– focus on auditing, control and security
• Computer Security Institute (CSI)
– sponsors education and training for information security
• Information Systems Security Association (ISSA)
– information exchange and educational development for
information security practitioners
Other Security Organizations
• Internet Society (ISOC)
– develops education, standards, policy, and training to
promote the Internet
• Internet Engineering Task Force (IETF)
– develops Internet's technical foundations
• Computer Security Division (CSD) of National Institute for
Standards and Technology (NIST)
– Computer Security Resource Center (CSRC)
• Computer Emergency Response Team (CERT)**
– CERT Coordination Center (CERT/CC)
– Carnegie Mellon University Software Engineering Institute
• Computer Professionals for Social Responsibility (CPSR)
– promotes ethical and responsible development and use of
computing
– watchdog for development of ethical computing
U.S. Federal Agencies Related to Information Security
• Department of Homeland Security (DHS)
– Directorate of Information and Infrastructure
• discover and respond to attacks on national information systems and
critical infrastructure
• research and development of software and technology
– Science and Technology Directorate
• Research and development activities
– examination of vulnerabilities
– sponsors emerging best practices
• FBI National Infrastructure Protection Center (NIPC)
– U.S. government center for threat assessment, warning, investigation, and
response to threats or attacks against U.S. infrastructures
– National InfraGard Program
• cooperative effort between public and private organizations and academic
community
• provides free exchange of information with private sector regarding threats and
attacks.
U.S. Federal Agencies (2)
• National Security Agency (NSA)**
– U.S. cryptologic organization
– Centers of Excellence in Information Assurance
Education
• recognition for universities/schools
• acknowledgment on NSA web site
– Program to certify curricula in information security
• Information Assurance Courseware Evaluation
• Provides 3 year accreditation
• U.S. Secret Service
– Part of Department of Treasury
– One mission is to detect and arrest any person committing U.S. federal
offenses related to computer fraud and false identification crimes.
 
Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...VICTOR MAESTRE RAMIREZ
 
Artificial-Intelligence-in-Electronics (K).pptx
Artificial-Intelligence-in-Electronics (K).pptxArtificial-Intelligence-in-Electronics (K).pptx
Artificial-Intelligence-in-Electronics (K).pptxbritheesh05
 

Recently uploaded (20)

Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AI
 
Effects of rheological properties on mixing
Effects of rheological properties on mixingEffects of rheological properties on mixing
Effects of rheological properties on mixing
 
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
 
young call girls in Green Park🔝 9953056974 🔝 escort Service
young call girls in Green Park🔝 9953056974 🔝 escort Serviceyoung call girls in Green Park🔝 9953056974 🔝 escort Service
young call girls in Green Park🔝 9953056974 🔝 escort Service
 
DATA ANALYTICS PPT definition usage example
DATA ANALYTICS PPT definition usage exampleDATA ANALYTICS PPT definition usage example
DATA ANALYTICS PPT definition usage example
 
Heart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptxHeart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptx
 
Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024
 
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptxExploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
 
Electronically Controlled suspensions system .pdf
Electronically Controlled suspensions system .pdfElectronically Controlled suspensions system .pdf
Electronically Controlled suspensions system .pdf
 
pipeline in computer architecture design
pipeline in computer architecture  designpipeline in computer architecture  design
pipeline in computer architecture design
 
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort serviceGurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
 
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfCCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
 
Design and analysis of solar grass cutter.pdf
Design and analysis of solar grass cutter.pdfDesign and analysis of solar grass cutter.pdf
Design and analysis of solar grass cutter.pdf
 
What are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptxWhat are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptx
 
EduAI - E learning Platform integrated with AI
EduAI - E learning Platform integrated with AIEduAI - E learning Platform integrated with AI
EduAI - E learning Platform integrated with AI
 
Call Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile serviceCall Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile service
 
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETEINFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
 
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
 
Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...
 
Artificial-Intelligence-in-Electronics (K).pptx
Artificial-Intelligence-in-Electronics (K).pptxArtificial-Intelligence-in-Electronics (K).pptx
Artificial-Intelligence-in-Electronics (K).pptx
 

Legal-Ethical-Professionalin-IS.pptx

1. Legal, Ethical, and Professional Issues in Information Security
   Principles of Information Security, Chapter 3
2. Chapter Objectives
• Upon completion of this chapter you should be able to:
  – Use this chapter as a guide for future reference on laws, regulations, and professional organizations.
  – Differentiate between laws and ethics.
  – Identify major national laws that relate to the practice of information security.
  – Describe the role of culture as it applies to ethics in information security.
3. Law and Ethics in Information Security
• Jean-Jacques Rousseau
  – The Social Contract or Principles of Political Right (1762)
  – "The rules the members of a society create to balance the right of the individual to self-determination with the needs of the society as a whole are called laws."
• Laws
  – Rules that mandate or prohibit certain behavior in society.
  – Carry the sanctions of a governing authority.
• Ethics
  – Define socially acceptable behaviors.
  – Some are recognized universally; examples are the prohibitions on murder, theft, assault, and arson.
• Cultural mores
  – The fixed moral attitudes or customs of a particular group.
4. Organizational Liability
• Liability
  – The legal obligation of an entity, extending beyond criminal or contract law.
  – Includes the obligation to make restitution for, or compensate for, wrongs committed by an organization or its employees.
  – An organization can be held financially liable (responsible) for the actions of its employees.
  – The obligation increases if the organization fails to take due care.
5. Organizational Responsibilities for Due Care and Due Diligence
• Due care
  – Must ensure that every employee knows
    • what is acceptable or unacceptable behavior
    • the consequences of illegal or unethical actions.
• Due diligence
  – Requires the organization to
    • make a valid effort to protect others
    • continually maintain this level of effort.
  – The Internet has global reach: an injury or wrong can occur anywhere in the world.
• Jurisdiction
  – A court's right to hear a case if a wrong was committed in its territory or involves its citizenry (long-arm jurisdiction).
  – In the U.S., any court can impose its authority over individuals or organizations if it can establish jurisdiction.
6. Policy vs. Law
• Laws
  – External legal requirements.
• Security policies: internal (organizational) rules that
  – Describe acceptable and unacceptable employee behaviors.
  – Serve as organizational laws, including penalties and sanctions.
  – Must be complete, appropriate, and fairly applied in the workplace.
• In order to be enforceable, policies must be
  – Disseminated (distribution): distributed to all individuals and readily available for employee reference.
  – Reviewed (reading): the document is distributed in a format that can be read by employees.
  – Comprehended (understanding): employees understand the requirements, verified by e.g. quizzes or other methods of assessment.
  – Complied with (agreement): the employee agrees to comply with the policy.
  – Uniformly enforced, regardless of employee status or assignment.
7. Types of Law
• Civil law
  – Laws that govern a nation or state.
• Criminal law
  – Addresses violations harmful to society.
  – Actively enforced through prosecution by the state.
• Private law
  – Regulates relationships between individuals and organizations.
  – Encompasses family law, commercial law, and labor law.
• Public law
  – Regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments, providing careful checks and balances.
  – Includes criminal, administrative, and constitutional law.
8. U.S. General Computer Crime Laws
• Computer Fraud and Abuse Act of 1986 (CFA Act)
  – Cornerstone of federal laws and enforcement acts.
  – Addresses threats to computers.
• Amended in October 1996 by the National Information Infrastructure Protection Act of 1996, which modified several sections of the previous act and increased the penalties for selected crimes.
• Further modified by the USA Patriot Act of 2001, the abbreviated name for "Uniting and Strengthening America Act by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001," which provides law enforcement agencies with broader latitude to combat terrorism-related activities. Some of the laws modified by the Patriot Act date from the earliest laws created to deal with electronic technology.
9.
• Communications Act of 1934
  – Addresses telecommunications.
  – Modified by the Telecommunications Deregulation and Competition Act of 1996 to modernize archaic terminology.
• Computer Security Act of 1987
  – Protects federal computer systems (federal agencies).
  – Establishes minimum acceptable security practices.
10. U.S. Privacy Laws
• Privacy issues
  – Collection of personal information.
  – Clipper chip: a technology that was intended to monitor or track private communications. It uses an algorithm with a two-part key that was to be managed by two separate government agencies, and it was reportedly designed to protect individual communications while allowing the government to decrypt suspect transmissions. It was never implemented.
• Privacy of customer information
  – U.S. Legal Code, Privacy of Customer Information section
    • Responsibilities of common carriers (phone companies) to protect confidentiality.
11.
• Federal Privacy Act of 1974
  – Regulates government protection of privacy, with some exceptions.
• Electronic Communications Privacy Act of 1986
  – Fourth Amendment: unlawful search and seizure.
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  – Kennedy-Kassebaum Act
  – Privacy of electronic data interchange for health care data.
  – HIPAA has five fundamental principles:
    1. Consumer control of medical information
    2. Boundaries on the use of medical information
    3. Accountability for the privacy of private information
    4. Balance of public responsibility for the use of medical information for the greater good measured against impact to the individual
    5. Security
12.
• Financial Services Modernization Act (1999)
  – Gramm-Leach-Bliley Act of 1999
  – Banks, securities firms, and insurance companies: disclosure of privacy policies.
• Identity theft
  – Related to the legislation on privacy is the growing body of law on identity theft.
  – The Federal Trade Commission (FTC) describes identity theft as "occurring when someone uses your personally identifying information, like your name, Social Security number, or credit card number, without your permission, to commit fraud or other crimes."
13.
• The following agencies, regulated businesses, and individuals are exempt from some of the regulations so that they can perform their duties:
  – Bureau of the Census
  – National Archives and Records Administration
  – Congress
  – Comptroller General
  – Federal courts with regard to specific issues using appropriate court orders
  – Credit reporting agencies
  – Individuals or organizations that demonstrate that information is necessary to protect the health or safety of that individual
16. Export and Espionage Laws
• To meet national security needs and to protect trade secrets and other state and private assets, several laws restrict which information and information management and security resources may be exported from the United States.
• The Security and Freedom through Encryption Act of 1999 provides guidance on the use of encryption and provides protection from government intervention. The act includes provisions that:
17.
• Reinforce an individual's right to use or sell encryption algorithms, without concern for regulations requiring some form of key registration. Key registration is the storage of a cryptographic key (or its text equivalent) with another party to be used to break the encryption of data. This is often called "key escrow."
• Prohibit the federal government from requiring the use of encryption for contracts, grants, and other official documents and correspondence.
• State that the use of encryption is not probable cause to suspect criminal activity.
• Relax export restrictions by amending the Export Administration Act of 1979.
• Provide additional penalties for the use of encryption in the commission of a criminal act.
19. U.S. Privacy Laws
• Privacy issues
  – Collection of personal information.
  – Clipper chip: never implemented.
• Privacy of customer information
  – U.S. Legal Code, Privacy of Customer Information section
    • Responsibilities of common carriers (phone companies) to protect confidentiality.
• Federal Privacy Act of 1974**
  – Regulates government protection of privacy, with some exceptions.
• Electronic Communications Privacy Act of 1986**
  – Fourth Amendment: unlawful search and seizure.
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)**
  – Kennedy-Kassebaum Act
  – Privacy of electronic data interchange for health care data.
• Financial Services Modernization Act (1999)**
  – Gramm-Leach-Bliley Act of 1999
  – Banks, securities firms, and insurance companies: disclosure of privacy policies.
20. U.S. Copyright Law
• Recognizes intellectual property as a protected asset in the U.S.
  – Covers the published word, including electronic formats.
• Fair use of copyrighted materials
  – Includes
    • support for news reporting
    • teaching
    • scholarship
    • related activities
  – Use MUST be for educational or library purposes:
    • not for profit
    • not excessive
    • with proper acknowledgment of the original author
21. Financial Reporting
• Sarbanes-Oxley Act of 2002**
  – Affects
    • publicly traded corporations
    • public accounting firms
  – A result of Enron, among others.
  – Aims to
    • improve the reliability and accuracy of financial reporting.
    • increase the accountability of corporate governance in publicly traded companies.
• Executives will need
  – assurance on the reliability and quality of information systems from information technology managers.
  – Key issue: compliance with reporting requirements.
22. Freedom of Information Act of 1996 (FOIA)
• Any person may request access to federal agency records or information not determined to be a matter of national security.
  – Agencies must disclose requested information
    • after the request has been reviewed and determined not to pose a risk to national security.
• Does NOT apply to:
  – state/local government agencies
  – private businesses or individuals.
23. State and Local Regulations
• Locally implemented laws pertaining to information security.
• Information security professionals must be aware of these laws and comply with them.
24. International Laws and Legal Bodies
• Few international laws relate to privacy and information security.
• European Council Cyber-Crime Convention
  – 2001. Creates an international task force.
  – Improves the effectiveness of international investigations.
  – Emphasis on copyright infringement prosecution.
  – Lacks realistic provisions for enforcement.
• WTO Agreement on Intellectual Property Rights
  – Intellectual property rules for the multilateral trade system.
• Digital Millennium Copyright Act**
  – U.S. response to 1995 Directive 95/46/EC by the E.U.
  – U.K. Database Right
• United Nations Charter
  – Information warfare provisions.
25. Security Breaches Punishment
• If not caught: it is illegal to demand a payment in order to "disappear without a track."
  – But banks and financial institutions have to keep it quiet…
• If caught in a "lawful" country: fines and/or a jail sentence.
• AOL employees
  – http://www.connectedhomemag.com/HomeOffice/Articles/Index.cfm?ArticleID=43090
  – http://www.aolsucks.org/ccaol2.htm
• "$130 mil. stolen in computer crime. Each defendant faces the possibility of 35 years in prison, and more than $1 million in fines or twice the amount made from the crime, whichever is greater."
  – http://www.crime-research.org/news/27.08.2009/3750/
• Malicious kids go to jail
  – http://www.cybercrime.gov/cases.htm
  – Kevin Mitnick and Robert Morris
• Federal cases database (only up to 2006)
  – http://www.justice.gov/criminal/cybercrime/cccases.html
26. Ethics and Information Security
• Ethical issues of information security professionals
  – Expected to be leaders in ethical workplace behavior.
  – No binding professional code of ethics.
  – Some professional organizations provide ethical codes of conduct,
    • but they have no authority to banish violators from professional practice.
27. Cultural Differences and Ethics
• Different nationalities have different perspectives on computer ethics
  – Asian tradition: collective ownership
  – Western tradition: intellectual property rights
• Study of computer use ethics among students in 9 nations
  – Singapore, Hong Kong, U.S., England, Australia, Sweden, Wales, Netherlands
  – Studied 3 categories of use
    • software license infringement
    • illicit use
    • misuse of corporate resources
28. Cultural Differences: Software License Infringement
• Most nations had similar attitudes toward software piracy
  – U.S.
    • significantly less tolerant (least tolerant)
  – Other countries
    • moderate
    • higher piracy rates in Singapore/Hong Kong
      – may result from a lack of legal disincentives or punitive measures
  – Netherlands
    • most permissive
    • least likely to honor copyrights of content creators
    • lower piracy rate than Singapore/Hong Kong
29. Cultural Differences: Illicit Use of Software
• Viruses, hacking, and other forms of abuse are uniformly condemned as unacceptable behavior.
• Singapore/Hong Kong
  – most tolerant
• Sweden/Netherlands
  – in between
• U.S., Wales, England, Australia
  – least tolerant
30. Cultural Differences: Misuse of Corporate Resources
• Generally lenient attitudes toward
  – personal use of company computing resources.
• Singapore/Hong Kong
  – viewed personal use as unethical (least tolerant)
• Other countries
  – personal use acceptable if not specifically prohibited
• Netherlands
  – most lenient
31. Ethics and Education
• Education
  – The overriding factor in leveling the ethical perceptions within a small population.
  – Employees must be trained and kept aware of topics related to information security, including expected ethical behaviors.
  – Many employees may not have the formal technical training to understand that their behavior is unethical or illegal.
• Ethical and legal training is an essential key to developing informed, well-prepared, and low-risk system users.
32. Deterrence to Unethical and Illegal Behavior
• Use policy, education, training, and technology to protect information systems.
• 3 categories of unethical and illegal behavior
  – Ignorance
    • Not an excuse for violating the law, but accepted as an excuse for violating policy.
    • Use education, policies, training, and awareness programs to keep individuals aware of policies.
  – Accident
    • Use careful planning and control to prevent accidental modifications to systems and data.
  – Intent
    • Frequent cornerstone for prosecution.
    • Best controls are litigation, prosecution, and technical controls.
33. Deterrence
• Best method to prevent illegal or unethical activity.
  – Laws, policies, and technical controls.
• 3 conditions required for effective deterrence
  – Fear of penalty
    • Reprimands or warnings may not have the same effectiveness as imprisonment or loss of pay.
  – Probability of being caught
    • Must believe there is a strong possibility of being caught.
  – Probability of penalty being administered
    • Must believe the penalty will be administered.
• Note: threats don't work; penalties must be realistic and enforceable.
34. Codes of Ethics
• Established by various professional organizations
  – Produce a positive effect on judgment regarding computer use.
  – Establish the responsibility of security professionals to act ethically
    • according to the policies and procedures of their employers, professional organizations, and the laws of society.
  – Organizations assume responsibility to develop, disseminate, and enforce policies.
35. Major IT Professional Organizations and Ethics
• Association for Computing Machinery (ACM)
  – promotes education and provides discounts for students
  – educational and scientific computing society
• International Information Systems Security Certification Consortium (ISC2)
  – develops and implements information security certifications and credentials
• System Administration, Networking, and Security Institute (SANS)
  – Global Information Assurance Certifications (GIAC)
• Information Systems Audit and Control Association (ISACA)
  – focus on auditing, control, and security
• Computer Security Institute (CSI)
  – sponsors education and training for information security
• Information Systems Security Association (ISSA)
  – information exchange and educational development for information security practitioners
36. Other Security Organizations
• Internet Society (ISOC)
  – develops education, standards, policy, and training to promote the Internet
• Internet Engineering Task Force (IETF)
  – develops the Internet's technical foundations
• Computer Security Division (CSD) of the National Institute of Standards and Technology (NIST)
  – Computer Security Resource Center (CSRC)
• Computer Emergency Response Team (CERT)**
  – CERT Coordination Center (CERT/CC)
  – Carnegie Mellon University Software Engineering Institute
• Computer Professionals for Social Responsibility (CPSR)
  – promotes ethical and responsible development and use of computing
  – watchdog for the development of ethical computing
37. U.S. Federal Agencies Related to Information Security
• Department of Homeland Security (DHS)
  – Directorate of Information and Infrastructure
    • discovers and responds to attacks on national information systems and critical infrastructure
    • research and development of software and technology
  – Science and Technology Directorate
    • research and development activities
      – examination of vulnerabilities
      – sponsors emerging best practices
• FBI National Infrastructure Protection Center (NIPC)
  – U.S. government center for threat assessment, warning, investigation, and response to threats or attacks against U.S. infrastructures
  – National InfraGard Program
    • cooperative effort between public and private organizations and the academic community
    • provides free exchange of information with the private sector regarding threats and attacks.
38. U.S. Federal Agencies (2)
• National Security Agency (NSA)**
  – U.S. cryptologic organization
  – Centers of Excellence in Information Assurance Education
    • recognition for universities/schools
    • acknowledgment on the NSA web site
  – Program to certify curricula in information security
    • Information Assurance Courseware Evaluation
    • provides 3-year accreditation
• U.S. Secret Service
  – Part of the Department of the Treasury
  – One mission is to detect and arrest any person committing U.S. federal offenses related to computer fraud and false identification crimes.