This document provides an overview of laws and ethics related to information security. It discusses the differences between laws, which are enforced by governments, and ethics, which are based on social norms. Major laws covered include the Computer Fraud and Abuse Act, which addresses computer crime, and privacy laws such as HIPAA, which protect sensitive data. The document also examines legal issues around intellectual property, encryption, and data sharing, both domestically in the US and internationally.
What is cyber law?
What is cyber crime?
Cybercrime areas
What law relates to:
Data protection and privacy
Software Licensing Issues
IT acts
Policy Versus Law
Codes of Ethics and Professional Organizations
ITC358 ICT Management and Information Security Chapter 12.docx (hyacinthshackley2629)
ITC358
ICT Management and Information Security
Chapter 12
Law and Ethics
In law a man is guilty when he violates the rights of others.
In ethics he is guilty if he only thinks of doing so. – Immanuel Kant
Objectives
Upon completion of this chapter, you should be able to:
Differentiate between law and ethics
Describe the ethical foundations and approaches that underlie modern codes of ethics
Identify major national and international laws that relate to the practice of information security
Describe the role of culture as it applies to ethics in information security
Identify current information on laws, regulations, and relevant professional organisations
Introduction
All information security professionals must understand the scope of an organisation’s legal and ethical responsibilities
Understand the current legal environment
Keep apprised of new laws, regulations, and ethical issues as they emerge
To minimise the organisation’s liabilities
Educate employees and management about their legal and ethical obligations and the proper use of information technology
Law and Ethics in Information Security
Laws
Rules adopted and enforced by governments to codify expected behaviour in modern society
The key difference between law and ethics is that law carries the sanction of a governing authority and ethics do not
Ethics are based on cultural mores
Relatively fixed moral attitudes or customs of a societal group
Information Security and the Law
InfoSec professionals and managers must understand the legal framework within which their organisations operate
The legal framework can influence the organisation to a greater or lesser extent, depending on the nature of the organisation and the scale on which it operates
Types of Law
Civil law
Pertains to relationships between and among individuals and organisations
Criminal law
Addresses violations harmful to society
Actively enforced and prosecuted by the state
Tort law (search Tort law in Australia)
A subset of civil law that allows individuals to seek redress in the event of personal, physical, or financial injury
Types of Law (cont’d.)
Private law
Regulates the relationships among individuals and among individuals and organisations
Family law, commercial law, and labour law
Public law
Regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments
Criminal, administrative, and constitutional law
Table 12-1a: Key U.S. laws of interest to information security professionals
Table 12-1b: Key U.S. laws of interest to information security professionals
Relevant U.S. Laws
The Computer Fraud and Abuse Act of 1986 (CFA Act)
The cornerstone of many computer-related federal laws and enforcement efforts
Amended in October 1996 by the National Information Infrastructure Protection Act
Modified several sections of the previous act, and increased the penalties for se.
Using recycled concrete aggregates (RCA) for pavements is crucial to achieving sustainability. Implementing RCA for new pavement can minimize carbon footprint, conserve natural resources, reduce harmful emissions, and lower life cycle costs. Compared to natural aggregate (NA), RCA pavement has fewer comprehensive studies and sustainability assessments.
ACEP Magazine edition 4th launched on 05.06.2024Rahul
This document provides information about the third edition of the magazine "Sthapatya" published by the Association of Civil Engineers (Practicing) Aurangabad. It includes messages from current and past presidents of ACEP, memories and photos from past ACEP events, information on life time achievement awards given by ACEP, and a technical article on concrete maintenance, repairs and strengthening. The document highlights activities of ACEP and provides a technical educational article for members.
International Conference on NLP, Artificial Intelligence, Machine Learning an...gerogepatton
International Conference on NLP, Artificial Intelligence, Machine Learning and Applications (NLAIM 2024) offers a premier global platform for exchanging insights and findings in the theory, methodology, and applications of NLP, Artificial Intelligence, Machine Learning, and their applications. The conference seeks substantial contributions across all key domains of NLP, Artificial Intelligence, Machine Learning, and their practical applications, aiming to foster both theoretical advancements and real-world implementations. With a focus on facilitating collaboration between researchers and practitioners from academia and industry, the conference serves as a nexus for sharing the latest developments in the field.
Embedded machine learning-based road conditions and driving behavior monitoringIJECEIAES
Car accident rates have increased in recent years, resulting in losses in human lives, properties, and other financial costs. An embedded machine learning-based system is developed to address this critical issue. The system can monitor road conditions, detect driving patterns, and identify aggressive driving behaviors. The system is based on neural networks trained on a comprehensive dataset of driving events, driving styles, and road conditions. The system effectively detects potential risks and helps mitigate the frequency and impact of accidents. The primary goal is to ensure the safety of drivers and vehicles. Collecting data involved gathering information on three key road events: normal street and normal drive, speed bumps, circular yellow speed bumps, and three aggressive driving actions: sudden start, sudden stop, and sudden entry. The gathered data is processed and analyzed using a machine learning system designed for limited power and memory devices. The developed system resulted in 91.9% accuracy, 93.6% precision, and 92% recall. The achieved inference time on an Arduino Nano 33 BLE Sense with a 32-bit CPU running at 64 MHz is 34 ms and requires 2.6 kB peak RAM and 139.9 kB program flash memory, making it suitable for resource-constrained embedded systems.
Introduction- e - waste – definition - sources of e-waste– hazardous substances in e-waste - effects of e-waste on environment and human health- need for e-waste management– e-waste handling rules - waste minimization techniques for managing e-waste – recycling of e-waste - disposal treatment methods of e- waste – mechanism of extraction of precious metal from leaching solution-global Scenario of E-waste – E-waste in India- case studies.
Presentation of IEEE Slovenia CIS (Computational Intelligence Society) Chapte...University of Maribor
Slides from talk presenting:
Aleš Zamuda: Presentation of IEEE Slovenia CIS (Computational Intelligence Society) Chapter and Networking.
Presentation at IcETRAN 2024 session:
"Inter-Society Networking Panel GRSS/MTT-S/CIS
Panel Session: Promoting Connection and Cooperation"
IEEE Slovenia GRSS
IEEE Serbia and Montenegro MTT-S
IEEE Slovenia CIS
11TH INTERNATIONAL CONFERENCE ON ELECTRICAL, ELECTRONIC AND COMPUTING ENGINEERING
3-6 June 2024, Niš, Serbia
Comparative analysis between traditional aquaponics and reconstructed aquapon...bijceesjournal
The aquaponic system of planting is a method that does not require soil usage. It is a method that only needs water, fish, lava rocks (a substitute for soil), and plants. Aquaponic systems are sustainable and environmentally friendly. Its use not only helps to plant in small spaces but also helps reduce artificial chemical use and minimizes excess water use, as aquaponics consumes 90% less water than soil-based gardening. The study applied a descriptive and experimental design to assess and compare conventional and reconstructed aquaponic methods for reproducing tomatoes. The researchers created an observation checklist to determine the significant factors of the study. The study aims to determine the significant difference between traditional aquaponics and reconstructed aquaponics systems propagating tomatoes in terms of height, weight, girth, and number of fruits. The reconstructed aquaponics system’s higher growth yield results in a much more nourished crop than the traditional aquaponics system. It is superior in its number of fruits, height, weight, and girth measurement. Moreover, the reconstructed aquaponics system is proven to eliminate all the hindrances present in the traditional aquaponics system, which are overcrowding of fish, algae growth, pest problems, contaminated water, and dead fish.
Manufacturing Process of molasses based distillery ppt.pptx
4482LawEthics.ppt
8/24/2023
Instructor: Suprakash Datta (datta[at]cse.yorku.ca) ext 77875
Lectures: Tues (CB 122), 7–10 PM
Office hours: Wed 3-5 pm (CSEB 3043), or by
appointment.
Textbooks:
1. "Management of Information Security", M. E. Whitman, H. J.
Mattord, Nelson Education / CENGAGE Learning, 2011, 3rd Edition
2. "Guide to Computer Forensics and Investigations", B. Nelson, A.
Phillips, F. Enfinger, C. Steuart, Nelson Education / CENGAGE
Learning, 2010, 4th Edition.
CSE 4482: Computer Security Management:
Assessment and Forensics
Ch 12: Law and Ethics
• Upon completion of this chapter, you should be
able to:
– Differentiate between law and ethics
– Describe the ethical foundations and approaches that
underlie modern codes of ethics
– Identify major national and international laws that
relate to the practice of information security
– Describe the role of culture as it applies to ethics in
information security
– Identify current information on laws, regulations, and
relevant professional organizations
Management of Information Security, 3rd ed.
Introduction
• All information security professionals must
understand the scope of an organization’s
legal and ethical responsibilities
• Understand the current legal environment
– Keep apprised of new laws, regulations, and
ethical issues as they emerge
– To minimize the organization’s liabilities
• Educate employees and management
about their legal and ethical obligations
– And proper use of information technology
Law and Ethics in Information
Security
• Laws: Rules adopted and enforced by
governments to codify expected behavior in
modern society
• Ethics: Relatively fixed moral attitudes or
customs of a societal group (based on
cultural mores)
• The key difference between law and ethics
is that law carries the sanction of a
governing authority and ethics do not
Information Security and the Law
• InfoSec professionals and managers must
understand the legal framework within
which their organizations operate
• Can influence the organization to a greater
or lesser extent, depending on the nature of
the organization and the scale on which it
operates
Types of Law
• Civil law
– Pertains to relationships between and among
individuals and organizations
• Criminal law
– Addresses violations harmful to society
– Actively enforced and prosecuted by the state
• Tort law
– A subset of civil law that allows individuals to
seek redress in the event of personal, physical,
or financial injury
Civil lawsuits
• In a civil law problem, the ‘victim’ must take
action to get a legal remedy (adequate
compensation).
– the ‘victim’ must hire a private lawyer and pay the
expenses of pursuing the matter
– the police do not get involved, beyond the point
of restoring order
• In civil law, to hold someone liable, the case
must be proven on the ‘balance of probabilities’.
• In civil law, monetary remedies (damages)
are most common.
Criminal cases
• In a criminal law problem, the ‘victim’ (may)
report the case to the police, and they have
the responsibility to investigate.
• if a charge has been properly laid and there is
supporting evidence, the Crown Prosecutor
(not the person who complains of the incident)
prosecutes in the courts – public funds
finance these services
• even if a ‘victim’ starts a prosecution
privately, the Attorney General has the power
to take over the prosecution
Criminal cases II
• In Criminal Law, to convict someone, the guilt
must be proven ‘beyond reasonable doubt’.
• In Criminal Law, the sentence to the offender
may include one or a combination of the
following:
– fine
– restitution – compensate for victim’s loss or
damages
– probation
– community service
– imprisonment
Types of Law (contd.)
• Private law
– Regulates the relationships among individuals
and among individuals and organizations
• Family law, commercial law, and labor law
• Public law
– Regulates the structure and administration of
government agencies and their relationships
with citizens, employees, and other
governments
• Criminal, administrative, and constitutional law
Policy Versus Law
• Difference between policy and law
– Ignorance of policy is an acceptable defense
• Policies must be:
– Distributed to all individuals who are expected
to comply with them
– Readily available for employee reference
– Easily understood, with multilingual, visually
impaired and low-literacy translations
– Acknowledged by employee with consent form
– Uniformly enforced for all employees
International Laws and Legal Bodies
• International trade is governed by
international treaties and trade agreements
– Many domestic laws and customs do not apply
• There are currently few international laws
relating to privacy and information security
– Because of cultural differences and political
complexities of the relationships among
nations
International Laws and Legal
Bodies (cont’d.)
• European Council Cyber-Crime Convention
– Empowers an international task force to
oversee a range of Internet security functions
• Standardizes technology laws internationally
– Attempts to improve the effectiveness of
international investigations into breaches of
technology law
– Goal is to simplify the acquisition of information
for law enforcement agents in certain types of
international crimes, as well as the extradition
process
International Laws and Legal
Bodies (cont’d.)
• The Digital Millennium Copyright Act
– A U.S.-based international effort to reduce the
impact of copyright, trademark, and privacy
infringement, especially via the removal of
technological copyright protection measures
• European Union Directive 95/46/EC
– Increases individual rights to process and
freely move personal data
• Database Right
– U.K. version of this directive
Relevant U.S. Laws
• The Computer Fraud and Abuse Act of 1986
(CFA Act)
– A landmark in the fight against cybercrime: the first law
to address crime in which the computer is the ‘subject’
– The cornerstone of many computer-related federal
laws and enforcement efforts
– Amended in October 1996 by the National Information
Infrastructure Protection Act
– Further modified by the USA Patriot Act of 2001
• Provides law enforcement agencies with broader latitude to
combat terrorism-related activities
• The USA Patriot Act was updated and extended, in many
cases permanently
CFA Act
Criminal offences under the CFA Act:
• 1) knowingly accessing a computer without
authorization or exceeding authorized access
to obtain national security data
• 2) intentionally accessing a computer without
authorization (or) to obtain one of the
following:
– a financial record of a financial institution;
– information from any US-government department or agency;
– information from any protected computer.
• 3) intentionally accessing without authorization
(or) a government computer and affecting the
use of the government’s operation of the
computer
CFA Act – contd.
• 4) knowingly causing the transmission of a
program, information, code or command that
causes damage such as:
– loss to one or more persons (or companies) during any one-
year period aggregating at least $5,000 in value
– the modification or impairment of medical records
– physical injury to any person
– a threat to public health or safety
– damage affecting a government computer system
• 5) knowingly, and with intent to defraud, trafficking
in a password or similar information through
which a computer may be accessed without
authorization
CFA Act – contd.
• Although the Act does not specifically
mention hacking, malware and
denial of service, they are its main
focus
• Punishment for offences prosecuted
under the CFAA varies from fines to
imprisonment of up to 20 years, or both.
Case Study: Morris Case (1988)
One of the first cases prosecuted under the CFA Act.
• Morris, a Ph.D. candidate in CS (Cornell U), wanted to
demonstrate the weakness of security measures of
computers on the Internet, a network linking university,
government and military computers around the US.
• His plan was to insert a worm into as many computers
as he could gain access to, but to ensure that the worm
replicated itself slowly enough that it would not cause
the computers to slow down or crash.
• However, Morris miscalculated how quickly the worm
would replicate. By the time he released a message on
how to kill the worm, it was too late: some 6,000
computers had crashed or become “catatonic” at
numerous institutions, with estimated damages of $200
to $53,000 for each institution.
• Morris was sentenced to three years’ probation and 400
hours of community service, and was fined $10,500.
Relevant U.S. Laws (cont’d.)
• The Computer Security Act of 1987
– One of the first attempts to protect federal
computer systems
• Established minimum acceptable security practices
– Established a Computer System Security and
Privacy Advisory Board within the Department
of Commerce
– Requires mandatory periodic training in
computer security awareness and accepted
computer security practice for all users of
Federal computer systems
Relevant U.S. Laws (cont’d.)
• The Computer Security Act of 1987
(cont’d.)
– Charged the National Bureau of Standards (now
NIST) and the NSA with the development of:
• Standards, guidelines, and associated methods and
techniques for computer systems
• Uniform standards and guidelines for most federal
computer systems
• Technical, management, physical, and
administrative standards and guidelines for the cost-
effective security and privacy of sensitive
information in federal computer systems
Relevant U.S. Laws (cont’d.)
• The Computer Security Act of 1987
(cont’d.)
– Charged the National Bureau of Standards (now
NIST) and the NSA with the development of:
(cont’d.)
• Guidelines for operators of federal computer
systems containing sensitive information in training
their employees in security awareness
• Validation procedures for, and evaluation of the
effectiveness of, standards and guidelines
– Through research and liaison with other government and
private agencies
Patriot Act
• allows law enforcement greater latitude in
combating criminals and terrorists who use
computers and communication networks
[telephone, computer, wireless]
– L.E. has authority to intercept voice
communications in computer hacking
investigations
– L.E. has authority to obtain voice mail and other
stored voice communications using standard
search warrants rather than wiretap orders
– L.E. has authority to trace communications on the
Internet and other computer networks
Patriot Act - II
• L.E. has authority to issue nationwide search
warrants for e-mails and other electronic data
⇒ ISPs compelled to disclose unopened
emails …
• ISPs are permitted to disclose customer info
in the case of emergency - if they suspect an
immediate risk of death or serious physical
injury to any person
• The Patriot Act is one of the most controversial acts – it gives
away personal freedoms and constitutional rights
in exchange for higher levels of (national) safety …
For more see:
http://www.justice.gov/criminal/cybercrime/PatriotAct.htm
Case Study: Patriot Act vs.
Constitution (2004)
• “ … While conducting surveillance of the defendant and
co-defendant, the agents lost track of them. The agents
then dialed the defendant’s cell phone several times, and
used the provider’s computer data to determine which
cell transmission towers were being ‘hit’ by that phone.
The cell’s data revealed the defendant’s general
location and helped catch him.
• On appeal of his conviction, the defendant argued that
the cell-site data and resulting evidence should have
been suppressed because they turned his phone into a
tracking device – and that violated his constitutional
rights …”
• The court found that the cell-site data falls under the
category of ‘electronic communication’, hence was not
illegal …
• “Computer Forensics: Principles and Practices”, p. 423, by L.
Volonino, R. Anzaldua, J. Godwin
Relevant U.S. Laws (cont’d.)
• Privacy Laws
– Many organizations collect, trade, and sell
personal information as a commodity
• Individuals are becoming aware of these practices
and looking to governments to protect their privacy
– Aggregation of data from multiple sources
permits unethical organizations to build
databases with alarming quantities of personal
information
Relevant U.S. Laws (cont’d.)
• Privacy Laws (cont’d.)
– The Privacy of Customer Information Section
of the regulations covering common
carriers
• Specifies that any proprietary information shall be
used explicitly for providing services, and not for
any marketing purposes
– The Federal Privacy Act of 1974 regulates the
government’s use of private information
• Ensure that government agencies protect the
privacy of individuals’ and businesses’ information
Relevant U.S. Laws (cont’d.)
• Privacy Laws (cont’d.)
– The Electronic Communications Privacy Act of
1986
• A collection of statutes that regulates the
interception of wire, electronic, and oral
communications
– These statutes work in cooperation with the
Fourth Amendment of the U.S. Constitution
• Prohibits search and seizure without a warrant
Relevant U.S. Laws (cont’d.)
• Health Insurance Portability &
Accountability Act Of 1996 (HIPAA)
– An attempt to protect the confidentiality and
security of health care data
• Establishes and enforces standards
• Standardizes electronic data interchange
– Requires organizations that retain health care
information to use information security
mechanisms to protect this information
• Also requires an assessment of the organization's
InfoSec systems, policies, and procedures
HIPAA II
• Provides guidelines for the use of electronic
signatures
– Based on security standards ensuring message
integrity, user authentication, and nonrepudiation
• Fundamental privacy principles:
– Consumer control of medical information
– Boundaries on the use of medical information
– Accountability for the privacy of private information
– Balance of public responsibility for the use of medical
information for the greater good measured against impact to
the individual
– Security of health information
The Financial Services
Modernization Act
• Also called Gramm-Leach-Bliley Act of 1999
• Applies to banks, securities firms, and insurance
companies
• Requires all financial institutions to disclose their
privacy policies
– Describing how they share nonpublic personal
information
– Describing how customers can request that their
information not be shared with third parties
The Financial Services
Modernization Act II
– Ensures that the privacy policies in effect in an
organization are fully disclosed when a
customer initiates a business relationship
• Distributed at least annually for the duration of the
professional association
– Safeguarding the confidentiality and
integrity of customer information is no
longer just a best practice for financial
institutions – it is now a legal
requirement.
Relevant U.S. Laws (cont’d.)
• Export and Espionage Laws
– Economic Espionage Act (EEA) of 1996
• An attempt to protect intellectual property and
competitive advantage
• Attempts to protect trade secrets from the foreign
government that uses its classic espionage
apparatus to spy on a company
– Also between two companies
– Or a disgruntled former employee
Relevant U.S. Laws (cont’d.)
• Export and Espionage Laws
– The Security and Freedom through Encryption
Act of 1997
• Provides guidance on the use of encryption
• Institutes measures of public protection from
government intervention
• Reinforces an individual’s right to use or sell
encryption algorithms
• Prohibits the federal government from requiring the
use of encryption for contracts, grants, and other
official documents, and correspondence
Relevant Canadian Laws
Two key Canadian (federal) privacy laws:
• The Privacy Act - imposes obligations on
federal government departments and
agencies to respect privacy rights by
limiting the collection, use and
disclosure of personal information.
• Personal Information Protection and
Electronic Document Act (PIPEDA) -
sets out ground rules for how private
sector organizations may collect, use or
disclose personal information in the
course of commercial activities.
Figure 12-1: Export restrictions
Source: Course Technology/Cengage Learning
Relevant U.S. Laws (cont’d.)
• U.S. Copyright Law
– Extends protection to intellectual property,
including words published in electronic formats
– ‘Fair use’ allows material to be quoted so long
as the purpose is educational and not for profit,
and the usage is not excessive
– Proper acknowledgement must be provided to
the author and/or copyright holder of such
works
• Including a description of the location of source
materials, using a recognized form of citation
Relevant U.S. Laws (cont’d.)
• Freedom of Information Act of 1966
– All Federal agencies are required to disclose
records requested in writing by any person
– Applies only to Federal agencies and does not
create a right of access to records held by
Congress, the courts, or by state or local
government agencies
• Sarbanes-Oxley Act of 2002
– Enforces accountability for the financial record
keeping and reporting at publicly traded
corporations
Relevant U.S. Laws (cont’d.)
• Sarbanes-Oxley Act of 2002 (cont’d.)
– Requires that the CEO and chief financial
officer (CFO) assume direct and personal
accountability for the completeness and
accuracy of a publicly traded organization’s
financial reporting and record-keeping systems
• As these executives attempt to ensure that the
systems used to record and report are sound, the
related areas of availability and confidentiality are
also emphasized
State and Local Regulations
• Information security professionals must
understand state laws and regulations
– Ensure that their organization’s security policies and
procedures comply
• Georgia Computer Systems Protection Act
– Has various computer security provisions
– Establishes specific penalties for use of information
technology to attack or exploit information systems in
organizations
• The Georgia Identity Theft Law
– A business may not discard a record containing
personal information unless it shreds, erases, modifies,
or otherwise makes the information irretrievable
Ethics in Information Security
• The student of information security is not
expected to study the topic of ethics in a
vacuum, but within a larger ethical
framework
– Information security professionals may be
expected to be more articulate about the topic
than others in the organization
– Often must withstand a higher degree of
scrutiny
Ten Commandments of
Computer Ethics
From the Computer Ethics Institute
• Thou shalt not:
– Use a computer to harm other people
– Interfere with other people's computer work
– Snoop around in other people's computer files
– Use a computer to steal
– Use a computer to bear false witness
– Copy or use proprietary software (w/o paying)
Ten Commandments - contd
– Use other people's computer resources
without authorization or proper
compensation
– Appropriate other people's intellectual
output
• Thou shalt:
– Think about the social consequences of
the program you are writing or the system
you are designing
– Always use a computer in ways that
ensure consideration and respect for fellow
humans
Ethics and Education
• Differences in computer use ethics
– Not exclusively cultural
– Found among individuals within the same
country, within the same social class, and
within the same company
• Key studies reveal that the overriding factor
in leveling the ethical perceptions within a
small population is education
• Employees must be trained on the
expected behaviors of an ethical employee
Deterring Unethical and Illegal
Behavior
• InfoSec personnel should do everything in
their power to deter unethical and illegal
acts
– Using policy, education and training, and
technology as controls to protect information
• Categories of unethical behavior
– Ignorance
– Accident
– Intent
Deterring Unethical and Illegal
Behavior (cont’d.)
• Deterrence
– Best method for preventing an illegal or
unethical activity
– Examples: laws, policies, and technical
controls
– Laws and policies and their associated
penalties only deter if three conditions are
present:
• Fear of penalty
• Probability of being caught
• Probability of penalty being administered
Professional Organizations and
their Codes of Ethics
• Some professional organizations have
established codes of conduct and/or codes
of ethics (e.g., the ACM, bar associations, nurses’ associations)
– Members are expected to follow
– Codes of ethics can have a positive effect on
an individual’s judgment regarding computer
use
• Security professionals must act ethically
– According to the policies and procedures of
their employers, their professional
organizations, and the laws of society
Organizational Liability and the
Need for Counsel
• What if an organization does not support or
encourage strong ethical conduct by its
employees?
• What if an organization does not behave
ethically?
• If an employee, acting with or without
authorization, performs an illegal or
unethical act that causes some degree of
harm, the organization can be held
financially liable for that action
Organizational Liability and the
Need for Counsel (cont’d.)
• An organization increases its liability if it
refuses to take measures (due care) to
make sure that every employee knows
what is acceptable and what is not, and the
consequences of illegal or unethical actions
• Due diligence requires that an organization
make a valid and ongoing effort to protect
others
Managing Investigations in the
Organization
• When (not if) an organization finds itself dealing
with a suspected policy or law violation
– Must appoint an individual to investigate it
– How the internal investigation proceeds
• Dictates whether or not the organization has the ability to take
action against the perpetrator if in fact evidence is found that
substantiates the charge
• In order to protect the organization, and to
possibly assist law enforcement in the conduct of
an investigation
– The investigator (CISO, InfoSec Manager or other
appointed individual) must document what happened
and how
Summary
• Introduction
• Law and ethics in information security
• The legal environment
• Ethical concepts in information security
• Professional organizations’ codes of ethics
• Organizational liability and the need for
counsel
• Key U.S. Federal agencies
• Managing investigations in the organization