2. Cyber security
Cybersecurity denotes the technologies and procedures intended to
safeguard computers, networks, and data from unauthorized access,
vulnerabilities, and attacks delivered over the Internet by
cybercriminals.
Cyber security's core function is to protect the devices we all use
(smartphones, laptops, tablets and computers), and the services we
access - both online and at work - from theft or damage.
ISO 27001 (ISO27001) is the international cybersecurity standard that
provides a model for establishing, implementing, operating, monitoring,
reviewing, maintaining, and improving an Information Security
Management System (ISMS).
4. Policy
• What is policy?
• “Policy is a set of ideas and proposals for action, which culminates in a
government decision. Typically policy will become a rule or regulation,
enforceable by law”
• “Policies simply guide our actions. Policies can be guidelines, rules, regulations,
laws, principles, or directions”
5. Law and Ethics in Information Security
• Laws: rules that mandate or prohibit certain societal behavior
• Ethics: define socially acceptable behavior
• Cultural mores: fixed moral attitudes or customs of a particular group;
ethics based on these
• Laws carry sanctions of a governing authority; ethics do not
Principles of Information Security, 4th Edition 5
6. Understanding Cybersecurity Law and Ethics
With ransomware, viruses, spear phishing and other types of cyberattacks
proliferating in today’s digital world, both people and organizations need
protection from those who would infiltrate their networks and misuse and
steal their data.
• Cybersecurity law helps define such boundaries and sets up important
guardrails that guide how organizations handle issues like data privacy
and confidentiality.
7. Who makes the law?
• Different national approaches
• Checks and balances
• Separation of powers
Legislative
Executive
Judicial
• Sources of law
8. What Is Cybersecurity Law?
• Every day, malicious hackers develop increasingly sophisticated methods to exploit
vulnerabilities in technology infrastructure and launch cyberattacks against all types of
companies and institutions. Cybersecurity laws are designed to protect information
technology (IT) and computer systems from these bad actors.
• These laws spell out what constitutes a cybercrime and specify measures that
organizations must take to protect their systems, networks and information from
cyberattack.
• Covering a wide scope of issues, from intellectual property rights to the distribution of
digital media, cybersecurity laws help regulate the internet and internet-related
technologies.
9. Types of Cyber Law
• Privacy Laws:
• Privacy laws govern the collection, use, and protection of individuals’
personal information online.
• Examples include the General Data Protection Regulation (GDPR) in Europe
and the California Consumer Privacy Act (CCPA) in the United States.
• Cybercrime Laws:
• Cybercrime laws focus on criminal activities conducted online, including
hacking, identity theft, online fraud, and cyberbullying.
• Data Breach Notification Laws:
• Data breach notification laws mandate that organizations inform affected
individuals and authorities when a data breach occurs.
10. Cyber Law (cont’d.)
• Cybersecurity Laws:
• Cybersecurity laws require organizations to implement measures to protect their
digital infrastructure and sensitive data.
• These laws often set standards and requirements for data security practices.
• Intellectual Property Laws:
• Intellectual property laws protect digital content, patents, trademarks, and
copyrights in the digital realm.
• They address issues like copyright infringement and online piracy.
• E-Commerce and Online Contracts:
• Laws related to e-commerce and online contracts establish legal frameworks for
online transactions, electronic signatures, and consumer rights.
• They provide a basis for resolving disputes in the digital marketplace.
11. Cyber Law (cont’d.)
• Social Media and Online Content Regulations:
• Regulations governing social media and online content address issues such as hate
speech, defamation, and harmful content.
• They set guidelines for the removal or restriction of such content.
• Computer Crime Laws:
• Computer crime laws specifically target offenses involving computer systems and
networks.
• They encompass unauthorized access, malware distribution, and cyberattacks on
critical infrastructure.
• Cryptocurrency and Blockchain Regulations:
• As digital currencies and blockchain technology gain prominence, regulations address
issues like cryptocurrency trading, initial coin offerings (ICOs), and blockchain-based
contracts.
• International Cybersecurity Agreements:
• Some laws and agreements focus on international cooperation in combating
cybercrimes and promoting cybersecurity best practices.
• Examples include the Budapest Convention on Cybercrime and bilateral
cybersecurity
12. General Computer Crime Laws
• Computer Fraud and Abuse Act of 1986 (CFA Act): cornerstone of many
computer-related federal laws and enforcement efforts
• National Information Infrastructure Protection Act of 1996:
– Modified several sections of the previous act and increased the penalties for
selected crimes
– Severity of penalties judged on the purpose
• For purposes of commercial advantage
• For private financial gain
• In furtherance of a criminal act
13. Privacy
• US Regulations
– Privacy of Customer Information Section of the common carrier regulation
– Federal Privacy Act of 1974
– Electronic Communications Privacy Act of 1986
– Health Insurance Portability and Accountability Act of 1996 (HIPAA)
– Financial Services Modernization Act, or Gramm-Leach-Bliley Act of 1999
14. Privacy (cont’d.)
• Identity Theft
– Federal Trade Commission: “occurring when someone uses your
personally identifying information, like your name, Social Security
number, or credit card number, without your permission, to commit fraud
or other crimes”
– Fraud And Related Activity In Connection With Identification Documents,
Authentication Features, And Information (Title 18, U.S.C. § 1028)
15. Privacy (cont’d.)
• If someone suspects identity theft
– Report to the three dominant consumer reporting companies that your
identity is threatened
– Account
• Close compromised account
• Dispute accounts opened without permission
– Register your concern with the FTC
– Report the incident to either your local police or police in the location
where the identity theft occurred
16. Health Insurance Portability and Accountability Act (HIPAA)
Governments also took action, addressing cybersecurity in laws such as
HIPAA.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal
law that required the creation of national standards to protect sensitive patient
health information from being disclosed without the patient’s consent or
knowledge.
The following types of individuals and organizations are subject to the Privacy Rule and
considered covered entities:
• Healthcare providers
• Health plans
• Clearinghouses
• Business associates
17. What is the purpose of HIPAA?
HIPAA is a federal law enacted to:
Protect the privacy of a patient’s personal and health information.
Provide for electronic and physical security of personal and health information.
Standardize coding to simplify billing and other transactions.
18. Export and Espionage Laws
• Economic Espionage Act of 1996 (EEA)
• Security And Freedom Through Encryption Act of 1999 (SAFE)
• The acts include provisions about encryption that:
– Reinforce the right to use or sell encryption algorithms, without concern for key
registration
– Prohibit the federal government from requiring key registration
– Make the use of encryption not probable cause to suspect criminal activity
– Relax export restrictions on encryption
– Impose additional penalties for using encryption in a crime
19. U.S. Copyright Law
• Intellectual property recognized as protected asset in the U.S.; copyright
law extends to electronic formats
• With proper acknowledgment, permissible to include portions of others’
work as reference
• U.S. Copyright Office Web site: www.copyright.gov
20. Financial Reporting
• Sarbanes-Oxley Act of 2002
• Affects executive management of publicly traded corporations and public
accounting firms
• Seeks to improve reliability and accuracy of financial reporting and increase the
accountability of corporate governance
• Penalties for noncompliance range from fines to jail terms
• Reliability assurance will require additional emphasis on confidentiality and
integrity
21. Freedom of Information Act of 1966 (FOIA)
• Allows access to federal agency records or information not determined to
be a matter of national security
• U.S. government agencies required to disclose any requested information
upon receipt of written request
• Some information protected from disclosure
22. International Laws and Legal Bodies
• When organizations do business on the Internet, they do business globally
• Professionals must be sensitive to laws and ethical values of many different
cultures, societies, and countries
• Because of political complexities of relationships among nations and differences in
culture, there are few international laws relating to privacy and information
security
• These international laws are important but are limited in their enforceability
23. Gramm-Leach-Bliley Act
• Also known as the Financial Services Modernization Act of 1999, the
Gramm-Leach-Bliley Act is a federal law that outlines rules designed to protect
financial information. It requires financial institutions such as banks, credit unions
and insurance companies to inform their customers of how they intend to share
user data.
25. Who Enforces Cybersecurity Law?
Today, federal, state, local and tribal authorities enforce a host of cybersecurity
laws and regulations. The federal agencies responsible for upholding cybersecurity
legislation include the following:
Federal Trade Commission (FTC)
U.S. Department of Homeland Security (DHS)
National Institute of Standards and Technology (NIST)
Federal Bureau of Investigation (FBI)
26. Major IT Professional Organizations
• Association of Computing Machinery (ACM)
– Established in 1947 as “the world's first educational and scientific computing
society”
– Code of ethics contains references to protecting information confidentiality,
causing no harm, protecting others’ privacy, and respecting others’ intellectual
property
27. Major IT Professional Organizations (cont’d.)
• International Information Systems Security Certification Consortium, Inc. (ISC)2
– Non-profit organization focusing on development and implementation of
information security certifications and credentials
– Code primarily designed for information security professionals who have
certification from (ISC)2
– Code of ethics focuses on four mandatory canons
28. Major IT Professional Organizations (cont’d.)
• System Administration, Networking, and Security Institute (SANS)
– Professional organization with a large membership dedicated to protection of
information and systems
– SANS offers set of certifications called Global Information Assurance
Certification (GIAC)
29. Major IT Professional Organizations (cont’d.)
• Information Systems Audit and Control Association (ISACA)
– Professional association with focus on auditing, control, and security
– Concentrates on providing IT control practices and standards
– ISACA has code of ethics for its professionals
30. Major IT Professional Organizations (cont’d.)
• Information Systems Security Association (ISSA)
– Non-profit society of information security (IS) professionals
– Primary mission to bring together qualified IS practitioners for
information exchange and educational development
– Promotes code of ethics similar to (ISC)2, ISACA, and ACM
31. Cybersecurity Information Sharing Act
• In 2015, Congress passed the Cybersecurity Information Sharing Act (CISA).
• This law provides liability protections to private companies to encourage them to share
information with the government about identified cyber threats.
• By making information sharing with the government easier, the law aims to keep federal
authorities informed of any cyber threats that could put critical infrastructure and
national security at risk.
• The law also stipulates the government’s responsibility to share information about cyber
threats with private companies.
32. Payment Card Industry Data Security Standard
• Launched in 2004, the Payment Card Industry Data Security Standard (PCI DSS)
establishes rules for protecting consumers’ credit and debit card data. Managed service
providers and any organization that processes, stores or transmits payment card
information must comply with these regulations.
• The PCI DSS aims to improve security throughout the payment transaction process,
preventing credit card fraud and data breaches. It mandates the use of:
Secure networks equipped with robust firewalls
Digital encryption for credit card transactions
Controlled access to cardholder data
The use of updated antivirus software and other anti-malware programs
34. Children’s Online Privacy Protection Act
• The Children’s Online Privacy Protection Act (COPPA) of 1998 establishes rules for
how website operators and online services can collect the personal information
of children under 13 years of age. It helps ensure that online entities don’t gather
children’s personal data without parental consent.
• Components of the law stipulate when and how websites should seek consent
from parents and guardians. The law also outlines what privacy policies need to
include, along with the various responsibilities website operators have with
regard to protecting children’s safety and privacy online.
35. Federal Trade Commission Act
• A precursor to modern cybersecurity laws, the Federal Trade Commission (FTC)
Act of 1914 was drafted to prevent organizations from neglecting basic privacy
rights, which today include cybersecurity practices that put consumers at risk.
The law empowers the FTC to take legal action against organizations when they:
Fail to protect consumer privacy rights
Mislead consumers regarding the security of their data
Cause considerable harm to consumers by violating their privacy rights
36. Federal Information Security Modernization Act
• The Federal Information Security Modernization Act (FISMA) of 2014 mandates that federal
agencies protect their information systems and data by putting security controls in place.
These controls help ensure the integrity, accessibility and confidentiality of the data that
federal agencies gather and use.
Under the law, federal agencies must establish information security programs that:
Conduct regular risk assessments
Perform security testing and evaluations
Develop incident response plans
Regularly monitor security controls
Complete compliance reports
37. State and Local Government Cybersecurity Act of 2021
• The State and Local Government Cybersecurity Act of 2021 aims to help state, local and
tribal authorities effectively coordinate with the Cybersecurity and Infrastructure
Security Agency, an arm of DHS, to confront cyber threats.
Other provisions in the law include the following:
Granting technical assistance to respond to cyberattacks
Communicating indicators for cyber threats and risk, as well as effective defensive
measures
Developing a platform to exchange standards, policies and best practices in
cybersecurity
38. Key U.S. Federal Agencies
• Department of Homeland Security (DHS)
– Made up of five directorates, or divisions
– Mission is to protect the people as well as the physical and informational assets of the US
• Federal Bureau of Investigation’s National InfraGard Program
– Maintains an intrusion alert network
– Maintains a secure Web site for communication about suspicious activity or intrusions
– Sponsors local chapter activities
– Operates a help desk for questions
39. Key U.S. Federal Agencies (cont’d.)
• National Security Agency (NSA)
– Is the Nation’s cryptologic organization
– Protects US information systems
– Produces foreign intelligence information
– Responsible for signals intelligence and information system security
• U.S. Secret Service
– In addition to protective services, charged with the detection and arrest
of persons committing a federal offense relating to computer fraud or false
identification
40. Summary
• Laws: rules that mandate or prohibit certain behavior in society;
drawn from ethics
• Ethics: define socially acceptable behaviors; based on cultural
mores (fixed moral attitudes or customs of a particular group)
• Types of law: civil, criminal, private, public
41. Summary (cont’d.)
• Relevant U.S. laws:
– Computer Fraud and Abuse Act of 1986 (CFA Act)
– National Information Infrastructure Protection Act of 1996
– USA PATRIOT Act of 2001
– USA PATRIOT Improvement and Reauthorization Act
– Computer Security Act of 1987
– Title 18, U.S.C. § 1028