1. Legal, Ethical, and Professional
Issues in Information Security
Principles of Information Security
Chapter 3
2. Chapter Objectives
• Upon completion of this chapter you should be
able to:
– Use this chapter as a guide for future reference on
laws, regulations, and professional organizations.
– Differentiate between laws and ethics.
– Identify major national laws that relate to the
practice of information security.
– Describe the role of culture as it applies to ethics in
information security.
2
3. Law and Ethics in Information Security
• Jean-Jacques Rousseau
– The Social Contract or Principles of Political Right (1762)
– "The rules the members of a society create to balance
the right of the individual to self-determination with the
needs of the society as a whole are called laws."
• Laws
– Rules that mandate or prohibit certain behavior in
society.
– Carry the sanctions of governing authority.
• Ethics
– Define socially acceptable behaviors.
– Universally recognized examples include murder, theft,
assault, and arson.
• Cultural Mores
– The fixed moral attitudes or customs of a particular
group. 3
4. Organizational Liability
• Liability
– Legal obligation of an entity that extends beyond
criminal or contract law.
– Includes obligation to make restitution, or
compensate for, wrongs committed by an
organization or its employees.
– Organization can be held financially liable
(responsible) for actions of employees.
– Obligation increases if organization fails to take due
care.
4
5. Organizational Responsibilities for Due Care and Due
Diligence
• Due care
– Must ensure that every employee knows
• what is acceptable or unacceptable behavior
• consequences of illegal or unethical actions.
• Due diligence
– Requires organization to
• make a valid effort to protect others
• continually maintain this level of effort
– Internet has global reach --- injury/wrong can occur anywhere in
the world.
• Jurisdiction
– A court's right to hear a case if a wrong was committed in its
territory, or involves its citizenry --- long arm jurisdiction.
– In U.S., any court can impose its authority over individuals or
organizations, if it can establish jurisdiction 5
6. Policy vs Law
• Laws
– External legal requirements
• Security policies. Internal (organizational) rules that:
– Describe acceptable and unacceptable employee behaviors.
– Organizational laws --- including penalties and sanctions.
– Must be complete, appropriate and fairly applied in the work
place.
– In order to be enforceable, policies must be
• Disseminated (Distribution): Distributed to all individuals and readily
available for employee reference.
• Reviewed (Reading): Document distributed in a format that could be
read by employeees.
• Comprehended (Understanding). Employees understand the
:requirements --- e.g., quizzes or other methods of assessment.
• Compliance (Agreement): Employee agrees to comply with the policy.
• Uniformly enforced, regardless of employee status or assignment.
6
7. Types of Law
• Civil law
– Laws that govern a nation or state.
• Criminal law
– Violations harmful to society
– Actively enforced by prosecution by the state.
• Private law
– Regulates relationship between individual and organization.
– Encompasses family law, commercial law, labor law.
• Public law
– Regulates structure and administration of government agencies
and their relationships with citizens, employees, and other
governments, providing careful checks and balances.
– Includes criminal, administrative and constitutional law. 7
8. U.S. General Computer Crime Laws
• Computer Fraud and Abuse Act of 1986 (CFA Act)
– Cornerstone of federal laws and enforcement acts
– Addresses threats to computers
• It was amended in October 1996 by the National Information
Infrastructure Protection Act of 1996, which modified several
sections of the previous act, and increased the penalties for
selected crimes.
• The CFA Act was further modified by the USA Patriot Act of
2001—the abbreviated name for “Uniting and Strengthening
America Act by Providing Appropriate Tools Required to
Intercept and Obstruct Terrorism Act of 2001,” which provides
law enforcement agencies with broader latitude to combat
terrorism-related activities. Some of the laws modified by the
Patriot Act date from the earliest laws created to deal with
electronic technology.
8
9. • Communications Act of 1934
– Addresses Telecommunications
– modified by Telecommunications Deregulation and
Competition Act of 1996
• modernize archaic terminology
• Computer Security Act of 1987
– Protect federal computer systems (federal agencies)
– Establish minimum acceptable security practices.
10. U.S. Privacy Laws
• Privacy Issues
– Collection of personal information
– Clipper chip - the Clipper Chip is a technology that was
intended to monitor or track private communications. It uses
an algorithm with a two-part key that was to be managed by
two separate government agencies, and it was reportedly
designed to protect individual communications while allowing
the government to decrypt suspect transmissions. It never
implemented
• Privacy of Customer Information
– U.S. Legal Code Privacy of Customer Information Section
• Responsibilities of common carriers (phone co) to protect
confidentiality
10
11. • Federal Privacy Act of 1974
– Regulates government protection of privacy, with some
exceptions
• Electronic Communications Privacy Act of 1986
– Fourth Amendment - unlawful search and seizure
• Health Insurance Portability and Accountability Act
of 1996 (HIPAA)
– Kennedy-Kassebaum Act
– Privacy of electronic data interchange for health care data
HIPAA has five fundamental principles:
1. Consumer control of medical information
2. Boundaries on the use of medical information
3. Accountability for the privacy of private information
4. Balance of public responsibility for the use of medical
information for the greater good measured against impact to
the individual
5. Security
12. • Financial Services Modernization Act (1999)
– Gramm-Leach-Bliley Act of 1999
– Banks, securities firms, and insurance companies -
disclosure of privacy policies
• Identity Theft Related to the legislation on
privacy is the growing body of law on identity
theft.
– The Federal Trade Commission (FTC) describes
identity theft as “occurring when someone uses
your personally identifying information, like your
name, Social Security number, or credit card
number, without your permission, to commit fraud
or other crimes.”
13. The following agencies, regulated businesses, and
individuals are exempt from some of the regulations
so that they can perform their duties
• some of the regulations so that they can perform
their duties:
• Bureau of the Census
• National Archives and Records Administration
• Congress
• Comptroller General
• Federal courts with regard to specific issues using
appropriate court orders
• Credit reporting agencies
• Individuals or organizations that demonstrate that
information is necessary to protect the health or
safety of that individual
14.
15.
16. Export and Espionage Laws
• To meet national security needs and to protect
trade secrets and other state and private assets,
several laws restrict which information and
information management and security resources
may be exported from the United States.
• The Security and Freedom through Encryption Act
of 1999 provides guidance on the use of
encryption and provides protection from
government intervention. The acts include
provisions that:
17. • Reinforce an individual’s right to use or sell
encryption algorithms, without concern for
regulations requiring some form of key registration.
Key registration is the storage of a cryptographic key
(or its text equivalent) with another party to be used
to break the encryption of data. This is often called
“key escrow.”
• Prohibit the federal government from requiring the
use of encryption for contracts, grants, and other
official documents and correspondence.
• State that the use of encryption is not probable
cause to suspect criminal activity.
• Relax export restrictions by amending the Export
Administration Act of 1979.
• Provide additional penalties for the use of encryption
in the commission of a criminal act.
19. U.S. Privacy Laws
• Privacy Issues
– Collection of personal information
– Clipper chip - never implemented
• Privacy of Customer Information
– U.S. Legal Code Privacy of Customer Information Section
• Responsibilities of common carriers (phone co) to protect
confidentiality
• Federal Privacy Act of 1974**
– Regulates government protection of privacy, with some exceptions
• Electronic Communications Privacy Act of 1986**
– Fourth Amendment - unlawful search and seizure
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)**
– Kennedy-Kassebaum Act
– Privacy of electronic data interchange for health care data
• Financial Services Modernization Act (1999)**
– Gramm-Leach-Bliley Act of 1999
– Banks, securities firms, and insurance companies - disclosure of privacy
policies 19
20. U.S. Copyright Law
• Recognizes intellectual property as a protected asset in
the U.S.
– published word, including electronic formats
• Fair use of copyrighted materials
– Includes
• support news reporting
• teaching
• scholarship
• related activities
– Use MUST be for educational or library purposes
• not for profit
• not excessive
• include proper acknowledgment to original author
20
21. Financial Reporting
• Sarbanes-Oxley Act of 2002**
– Affects
• publicly traded corporations
• public accounting firms
– result of Enron, among others.
• improve reliability and accuracy of financial reporting.
• increase accountability of corporate governance in publicly
traded companies.
• Executives will need
– assurance on reliability and quality of information
systems from information technology managers.
– Key issue: compliance with reporting requirements.
21
22. Freedom of Information Act of 1996 (FOIA)
• Any person may request access to federal agency
records or information not determined to be a
matter of national security.
–Agencies must disclose requested information
• After the request has been reviewed and
determined not to pose a risk to national security.
• Does NOT apply to:
–state/local government agencies
–private businesses or individuals.
22
23. State and Local Regulations
• Locally implemented laws pertaining to
information security.
• Information security professionals must be aware
of these laws and comply with them.
23
24. International Laws and Legal Bodies
• Few international laws relating to privacy and information
security.
• European Council Cyper-Crime Convention
– 2001. Creates international task force
– Improve effectiveness of international investigations
– Emphasis on copyright infringement prosecution
– Lacks realistic provisions for enforcement
• WTO Agreement on Intellectual Property Rights
– Intellectual property rules for multilateral trade system.
• Digital Millenium Copyright Act**
– U.S. response to 1995 Directive 95/46/EC by E.U.
– U.K. Database Right
• United Nations Charter
– Information Warfare provisions.
24
25. Security Breaches Punishment
• If not caught: illegal to demand a payment in order to
“disappear without a track”
– But banks and financial institutions have to keep it quiet…
• If caught in a “lawful” country: fines and/or jail sentence
• AOL employees
http://www.connectedhomemag.com/HomeOffice/Articles/Index.cfm?ArticleID=43090
http://www.aolsucks.org/ccaol2.htm
• “$130 mil. stolen in computer crime. Each defendant faces the
possibility of 35 years in prison, and more than $1 million in fines
or twice the amount made from the crime, whichever is greater.”
http://www.crime-research.org/news/27.08.2009/3750/
• Malicious kids go to jail http://www.cybercrime.gov/cases.htm
– Kevin Mitnick and Robert Morris
• Federal cases database (only up to 2006)
http://www.justice.gov/criminal/cybercrime/cccases.html
25
26. Ethics and Information Security
• Ethical issues of information security
professionals
– Expected to be leaders in ethical workplace behavior
– No binding professional code of ethics
– Some professional organizations provide ethical
codes of conduct,
• Have no authority to banish violators from professional
practice.
26
27. Cultural Differences and Ethics
• Different nationalities have different perspectives on
computer ethics
– Asian tradition - collective ownership
– Western tradition - intellectual property rights
• Study of computer use ethics among students in 9
nations
– Singapore, Hong Kong, U.S., England, Australia,
Sweden, Wales, Netherlands
– Studied 3 categories of use
• software license infringement
• illicit use
• misuse of corporate resources
27
28. Cultural Differences: Software License Infringement
• Most nations had similar attitudes toward
software piracy
– U.S.
• significantly less tolerant (least tolerant)
– Other countries
• moderate
• higher piracy rates in Singapore/Hong Kong
– may result from lack of legal disincentives or punitive
measures
– Netherlands
• most permissive
• least likely to honor copyrights of content creators
• lower piracy rate than Singapore/Hong Kong
28
29. Cultural Differences: Illicit Use of Software
• Viruses, hacking, other forms of abuse uniformly
condemned as unacceptable behavior.
• Singapore/Hong Kong
– most tolerant
• Sweden/Netherlands
– in-between
• U.S., Wales, England, Australia
– least tolerant
29
30. Cultural Differences: Misuse of Corporate Resources
• Generally lenient attitudes toward
– personal use of company computing resources.
• Singapore/Hong Kong
– viewed personal use as unethical (least tolerant)
• Other countries
– Personal use acceptable if not specifically
prohibited
• Netherlands
– most lenient
30
31. Ethics and Education
• Education
– overriding factor in leveling the ethical perceptions
within a small population
– Employees must be trained and kept aware of topics
related to information security, including expected
ethical behaviors..
– Many employees may not have formal technical
training to understand that their behavior is
unethical or illegal.
• Ethical and legal training is an essential key to
developing informed, well-prepared, and low-risk
system users.
31
32. Deterrence to Unethical and Illegal Behavior
• Use policy, education, training, and technology to
protect information systems.
• 3 categories of unethical and illegal behavior
– Ignorance
• No excuse for violating law, but allowable for policies.
• Use education, policies, training, awareness programs to
keep individuals aware of policies.
– Accident
• Use careful planning and control to prevent accidental
modifications to system and data.
– Intent
• Frequent cornerstone for prosecution.
• Best controls are litigation, prosecution, and technical
controls.
32
33. Deterrence
• Best method to prevent illegal or unethical activity.
– Laws, policies, and technical controls
• 3 conditions required for effective deterrence
– Fear of penalty
• reprimand or warnings may not have the same
effectiveness as imprisonment or loss of pay.
– Probability of being caught
• must believe there is a strong possibility of being caught.
– Probability of penalty being administered
• must believe the penalty will be administered
• Note: threats don’t work --- penalties must be realistic
and enforceable.
33
34. Codes of Ethics
• Established by various professional organizations
– Produce a positive effect on judgment regarding
computer use
– Establishes responsibility of security professionals to
act ethically
• according to the policies and procedures of their
employers, professional organizations, and laws of society.
– Organizations assume responsibility to develop,
disseminate, and enforce policies.
34
35. Major IT Professional Organizations and Ethics
• Association for Computing Machinery (ACM)
– promotes education and provides discounts for students
– educational and scientific computing society
• International Information Systems Security Certification
Consortium (ISC2)
– develops and implements information security certifications
and credentials
• System Administration, Networking, and Security Institute (SANS)
– Global Information Assurance Certifications (GIAC)
• Information Systems Audit and Control Association (ISACA)
– focus on auditing, control and security
• Computer Security Institute (CSI)
– sponsors education and training for information security
• Information Systems Security Association (ISSA)
– information exchange and educational development for
information security practitioners
35
36. Other Security Organizations
• Internet Society (ISOC)
– develop education, standards, policy, and education and
training to promote the Internet
• Internet Engineering Task Force (IETF)
– develops Internet's technical foundations
• Computer Security Division (CSD) of National Institute for
Standards and Technology (NIST)
– Computer Security Resource Center (CSRC)
• Computer Emergency Response Team (CERT)**
– CERT Coordination Center (CERT/CC)
– Carnegie Mellon University Software Engineering Institute
• Computer Professionals for Social Responsibility (CPSR)
– promotes ethical and responsible development and use of
computing
– watchdog for development of ethical computing 36
37. U.S. Federal Agencies Related to Information Security
• Department of Homeland Security (DHS)
– Directorate of Information and Infrastructure
• discover and respond to attacks on national information systems and
critical infrastructure
• research and development of software and technology
– Science and Technology Directorate
• Research and development activities
– examination of vulnerabilities
– sponsors emerging best practices
• FBI National Infrastructure Protection Center (NIPC)
– U.S. government center for threat assessment, warning, investigation, and
response to threats or attacks against U.S. infrastructures
– National InfraGard Program
• cooperative effort between public and private organizations and academic
community
• provides free exchange of information with private sector regarding threats and
attacks.
37
38. U.S. Federal Agencies (2)
• National Security Agency (NSA)**
– U.S. cryptologic organization
– Centers of Excellence in Information Assurance
Education
• recognition for universities/schools
• acknowledgment on NSA web site
– Program to certify curricula in information security
• Information Assurance Courseware Evaluation
• Provides 3 year accreditation
• U.S. Secret Service
– Part of Department of Treasury
– One mission is to detect and arrest any person committing U.S. federal
offenses related to computer fraud and false identification crimes. 38