SlideShare a Scribd company logo

ch03-Legal- Ethica and Professional Issues in IS (7-8).pdf

S
ssuserceaa40

This document discusses laws, regulations, ethics, and professional organizations related to information security. It provides an overview of relevant US laws, such as the Computer Fraud and Abuse Act, and international agreements. The document also discusses how ethics can differ across cultures and the role of professional organizations in promoting codes of ethics for information security practitioners. Organizations are advised to understand applicable laws and regulations to minimize liability and adopt policies to deter unethical behavior.

1 of 39
Download to read offline
Principles of Information Security, 2nd Edition 1
Principles of Information Security, 2nd Edition 2  Use this chapter as a guide for future reference on laws, regulations, and professional organizations  Differentiate between laws and ethics  Identify major national laws that relate to the practice of information security  Understand the role of culture as it applies to ethics in information security Learning Objectives Upon completion of this material, you should be able to:
Principles of Information Security, 2nd Edition 3 Introduction  You must understand scope of an organization’s legal and ethical responsibilities  To minimize liabilities/reduce risks, the information security practitioner must:  Understand current legal environment  Stay current with laws and regulations  Watch for new issues that emerge
Principles of Information Security, 2nd Edition 4 Law and Ethics in Information Security  Laws: rules that mandate or prohibit certain societal behavior  Ethics: define socially acceptable behavior  Cultural mores: fixed moral attitudes or customs of a particular group; ethics based on these  Laws carry sanctions of a governing authority; ethics do not
Principles of Information Security, 2nd Edition 5 Types of Law  Civil  Criminal  Tort  Private  Public
Principles of Information Security, 2nd Edition 6 Relevant U.S. Laws (General)  Computer Fraud and Abuse Act of 1986 (CFAAct)  National Information Infrastructure Protection Act of 1996  USA Patriot Act of 2001  Telecommunications Deregulation and Competition Act of 1996  Communications Decency Act of 1996 (CDA)  Computer Security Act of 1987
Principles of Information Security, 2nd Edition 7 Privacy  One of the hottest topics in information security  Is a “state of being free from unsanctioned intrusion”  Ability to aggregate data from multiple sources allows creation of information databases previously unheard of
Principles of Information Security, 2nd Edition 8 Privacy of Customer Information  Privacy of Customer Information Section of common carrier regulation  Federal Privacy Act of 1974  Electronic Communications Privacy Act of 1986  Health Insurance Portability and Accountability Act of 1996 (HIPAA), aka Kennedy-Kassebaum Act  Financial Services Modernization Act, or Gramm-Leach- Bliley Act of 1999
Principles of Information Security, 2nd Edition 9 Figure 3-1 – Export and Espionage
Principles of Information Security, 2nd Edition 10 Figure 3-2 – US Copyright Office
Principles of Information Security, 2nd Edition 11 Export and Espionage Laws  Economic Espionage Act of 1996 (EEA)  Security And Freedom Through Encryption Act of 1999 (SAFE)
Principles of Information Security, 2nd Edition 12 U.S. Copyright Law  Intellectual property recognized as protected asset in the U.S.; copyright law extends to electronic formats  With proper acknowledgement, permissible to include portions of others’ work as reference  U.S. Copyright Office Web site: www.copyright.gov
Principles of Information Security, 2nd Edition 13 Freedom of Information Act of 1966 (FOIA)  Allows access to federal agency records or information not determined to be matter of national security  U.S. government agencies required to disclose any requested information upon receipt of written request  Some information protected from disclosure
Principles of Information Security, 2nd Edition 14 State and Local Regulations  Restrictions on organizational computer technology use exist at international, national, state, local levels  Information security professional responsible for understanding state regulations and ensuring organization is compliant with regulations
Principles of Information Security, 2nd Edition 15 International Laws and Legal Bodies  European Council Cyber-Crime Convention:  Establishes international task force overseeing Internet security functions for standardized international technology laws  Attempts to improve effectiveness of international investigations into breaches of technology law  Well received by intellectual property rights advocates due to emphasis on copyright infringement prosecution  Lacks realistic provisions for enforcement
Principles of Information Security, 2nd Edition 16 Figure 3-4 – EU Law Portal
Principles of Information Security, 2nd Edition 17 Digital Millennium Copyright Act (DMCA)  U.S. contribution to international effort to reduce impact of copyright, trademark, and privacy infringement  A response to European Union Directive 95/46/EC, which adds protection to individuals with regard to processing and free movement of personal data
Principles of Information Security, 2nd Edition 18 United Nations Charter  Makes provisions, to a degree, for information security during information warfare (IW)  IW involves use of information technology to conduct organized and lawful military operations  IW is relatively new type of warfare, although military has been conducting electronic warfare operations for decades
Principles of Information Security, 2nd Edition 19 Figure 3-5 – UN International Law
Principles of Information Security, 2nd Edition 20 Policy Versus Law  Most organizations develop and formalize a body of expectations called policy  Policies serve as organizational laws  To be enforceable, policy must be distributed, readily available, easily understood, and acknowledged by employees
Principles of Information Security, 2nd Edition 21 Ethics and Information Security
Principles of Information Security, 2nd Edition 22 Ethical Differences Across Cultures  Cultural differences create difficulty in determining what is and is not ethical  Difficulties arise when one nationality’s ethical behavior conflicts with ethics of another national group  Example: many of ways in which Asian cultures use computer technology is software piracy
Principles of Information Security, 2nd Edition 23 Ethics and Education  Overriding factor in leveling ethical perceptions within a small population is education  Employees must be trained in expected behaviors of an ethical employee, especially in areas of information security  Proper ethical training vital to creating informed, well prepared, and low-risk system user
Principles of Information Security, 2nd Edition 24 Deterrence to Unethical and Illegal Behavior  Deterrence: best method for preventing an illegal or unethical activity; e.g., laws, policies, technical controls  Laws and policies only deter if three conditions are present:  Fear of penalty  Probability of being caught  Probability of penalty being administered
Principles of Information Security, 2nd Edition 25 Codes of Ethics and Professional Organizations  Several professional organizations have established codes of conduct/ethics  Codes of ethics can have positive effect; unfortunately, many employers do not encourage joining of these professional organizations  Responsibility of security professionals to act ethically and according to policies of employer, professional organization, and laws of society
Principles of Information Security, 2nd Edition 26 Association of Computing Machinery (ACM)  ACM established in 1947 as “the world's first educational and scientific computing society”  Code of ethics contains references to protecting information confidentiality, causing no harm, protecting others’ privacy, and respecting others’ intellectual property
Principles of Information Security, 2nd Edition 27 International Information Systems Security Certification Consortium, Inc. (ISC)2  Non-profit organization focusing on development and implementation of information security certifications and credentials  Code primarily designed for information security professionals who have certification from (ISC)2  Code of ethics focuses on four mandatory canons
Principles of Information Security, 2nd Edition 28 System Administration, Networking, and Security Institute (SANS)  Professional organization with a large membership dedicated to protection of information and systems  SANS offers set of certifications called Global Information Assurance Certification (GIAC)
Principles of Information Security, 2nd Edition 29 Information Systems Audit and Control Association (ISACA)  Professional association with focus on auditing, control, and security  Concentrates on providing IT control practices and standards  ISACA has code of ethics for its professionals
Principles of Information Security, 2nd Edition 30 Computer Security Institute (CSI)  Provides information and training to support computer, networking, and information security professionals  Though without a code of ethics, has argued for adoption of ethical behavior among information security professionals
Principles of Information Security, 2nd Edition 31 Information Systems Security Association (ISSA)  Nonprofit society of information security (IS) professionals  Primary mission to bring together qualified IS practitioners for information exchange and educational development  Promotes code of ethics similar to (ISC)2, ISACA and ACM
Principles of Information Security, 2nd Edition 32 Other Security Organizations  Internet Society (ISOC): promotes development and implementation of education, standards, policy and education to promote the Internet  Computer Security Division (CSD): division of National Institute for Standards and Technology (NIST); promotes industry best practices and is important reference for information security professionals
Principles of Information Security, 2nd Edition 33 Other Security Organizations (continued)  CERT Coordination Center (CERT/CC): center of Internet security expertise operated by Carnegie Mellon University  Computer Professionals for Social Responsibility (CPSR): public organization for anyone concerned with impact of computer technology on society
Principles of Information Security, 2nd Edition 34 Key U.S. Federal Agencies  Department of Homeland Security (DHS)  Federal Bureau of Investigation’s National Infrastructure Protection Center (NIPC)  National Security Agency (NSA)  U.S. Secret Service
Principles of Information Security, 2nd Edition 35 Organizational Liability and the Need for Counsel  Liability is legal obligation of an entity; includes legal obligation to make restitution for wrongs committed  Organization increases liability if it refuses to take measures known as due care  Due diligence requires that an organization make valid effort to protect others and continually maintain that level of effort
Principles of Information Security, 2nd Edition 36 Summary  Laws: rules that mandate or prohibit certain behavior in society; drawn from ethics  Ethics: define socially acceptable behaviors; based on cultural mores (fixed moral attitudes or customs of a particular group)  Types of law: civil, criminal, tort law, private, public
Principles of Information Security, 2nd Edition 37 Summary  Relevant U.S. laws:  Computer Fraud and Abuse Act of 1986 (CFAAct)  National Information Infrastructure Protection Act of 1996  USA Patriot Act of 2001  Telecommunications Deregulation and Competition Act of 1996  Communications Decency Act of 1996 (CDA)  Computer Security Act of 1987
Principles of Information Security, 2nd Edition 38 Homework  Relevant U.S. laws:  Computer Fraud and Abuse Act of 1986 (CFAAct)  National Information Infrastructure Protection Act of 1996  USA Patriot Act of 2001  Telecommunications Deregulation and Competition Act of 1996  Communications Decency Act of 1996 (CDA)  Computer Security Act of 1987  These are relevant U.S. Laws on Information Security. Pick one law and prepare a 10 minutes presentation on it. One week.
Principles of Information Security, 2nd Edition 39 Summary  Many organizations have codes of conduct and/or codes of ethics  Organization increases liability if it refuses to take measures known as due care  Due diligence requires that organization make valid effort to protect others and continually maintain that effort

Recommended

Legal, Ethical and professional issues in Information Security
Legal, Ethical and professional issues in Information SecurityLegal, Ethical and professional issues in Information Security
Legal, Ethical and professional issues in Information Security
Gamentortc
 
Ethics in IT Security
Ethics in IT SecurityEthics in IT Security
Ethics in IT Security
mtvvvv
 
whitman_ch04.ppt
whitman_ch04.pptwhitman_ch04.ppt
whitman_ch04.ppt
DEEPAK948083
 
Legal, Ethical, and Professional Issues In Information Security
Legal, Ethical, and Professional Issues In Information SecurityLegal, Ethical, and Professional Issues In Information Security
Legal, Ethical, and Professional Issues In Information Security
Carl Ceder
 
02 Legal, Ethical, and Professional Issues in Information Security
02 Legal, Ethical, and Professional Issues in Information Security02 Legal, Ethical, and Professional Issues in Information Security
02 Legal, Ethical, and Professional Issues in Information Security
sappingtonkr
 
lesson333.ppt
lesson333.pptlesson333.ppt
lesson333.ppt
DEEPAK948083
 
Chapter3.ppt
Chapter3.pptChapter3.ppt
Chapter3.ppt
HaiderAli424102
 
Chapter 11 laws and ethic information security
Chapter 11 laws and ethic information securityChapter 11 laws and ethic information security
Chapter 11 laws and ethic information security
Syaiful Ahdan
 

Recommended

Legal, Ethical and professional issues in Information Security
Legal, Ethical and professional issues in Information SecurityLegal, Ethical and professional issues in Information Security
Legal, Ethical and professional issues in Information Security
Gamentortc
 
Ethics in IT Security
Ethics in IT SecurityEthics in IT Security
Ethics in IT Security
mtvvvv
 
whitman_ch04.ppt
whitman_ch04.pptwhitman_ch04.ppt
whitman_ch04.ppt
DEEPAK948083
 
Legal, Ethical, and Professional Issues In Information Security
Legal, Ethical, and Professional Issues In Information SecurityLegal, Ethical, and Professional Issues In Information Security
Legal, Ethical, and Professional Issues In Information Security
Carl Ceder
 
02 Legal, Ethical, and Professional Issues in Information Security
02 Legal, Ethical, and Professional Issues in Information Security02 Legal, Ethical, and Professional Issues in Information Security
02 Legal, Ethical, and Professional Issues in Information Security
sappingtonkr
 
lesson333.ppt
lesson333.pptlesson333.ppt
lesson333.ppt
DEEPAK948083
 
Chapter3.ppt
Chapter3.pptChapter3.ppt
Chapter3.ppt
HaiderAli424102
 
Chapter 11 laws and ethic information security
Chapter 11 laws and ethic information securityChapter 11 laws and ethic information security
Chapter 11 laws and ethic information security
Syaiful Ahdan
 
Ch01_Introduction_to_Information_Securit.ppt
Ch01_Introduction_to_Information_Securit.pptCh01_Introduction_to_Information_Securit.ppt
Ch01_Introduction_to_Information_Securit.ppt
Tayyab AlEe
 
Ch01_Introduction_to_Information_Securit.ppt
Ch01_Introduction_to_Information_Securit.pptCh01_Introduction_to_Information_Securit.ppt
Ch01_Introduction_to_Information_Securit.ppt
Tayyab AlEe
 
3999779.ppt
3999779.ppt3999779.ppt
3999779.ppt
pixvilx
 
1ITC358ICT Management and Information SecurityChapter 12.docx
1ITC358ICT Management and Information SecurityChapter 12.docx1ITC358ICT Management and Information SecurityChapter 12.docx
1ITC358ICT Management and Information SecurityChapter 12.docx
hyacinthshackley2629
 
information-security-3rd-edition2-define-information-security.ppt
information-security-3rd-edition2-define-information-security.pptinformation-security-3rd-edition2-define-information-security.ppt
information-security-3rd-edition2-define-information-security.ppt
MuhammadAbdullah311866
 
Lecture 8.pdf
Lecture 8.pdfLecture 8.pdf
Lecture 8.pdf
abdukadirabdullahuad
 
INT 1010 05-2.pdf
INT 1010 05-2.pdfINT 1010 05-2.pdf
INT 1010 05-2.pdf
Luis R Castellanos
 
Chapter 1 - Introduction.pdf
Chapter 1 - Introduction.pdfChapter 1 - Introduction.pdf
Chapter 1 - Introduction.pdf
EthioDotNetDeveloper
 
Cisco cybersecurity essentials chapter 8
Cisco cybersecurity essentials chapter 8Cisco cybersecurity essentials chapter 8
Cisco cybersecurity essentials chapter 8
Mukesh Chinta
 
Data Risks In A Digital Age
Data Risks In A Digital Age Data Risks In A Digital Age
Data Risks In A Digital Age
padler01
 
60304756 whitman-ch01-1
60304756 whitman-ch01-160304756 whitman-ch01-1
60304756 whitman-ch01-1
UDCNTT
 
IT8073_Information Security_UNIT I _.pdf
IT8073_Information Security_UNIT I _.pdfIT8073_Information Security_UNIT I _.pdf
IT8073_Information Security_UNIT I _.pdf
Asst.prof M.Gokilavani
 
IT8073 _Information Security _UNIT I Full notes
IT8073 _Information Security _UNIT I Full notesIT8073 _Information Security _UNIT I Full notes
IT8073 _Information Security _UNIT I Full notes
Asst.prof M.Gokilavani
 
CRYPTOGRAPHY & NETWORK SECURITY - unit 1
CRYPTOGRAPHY & NETWORK SECURITY - unit 1CRYPTOGRAPHY & NETWORK SECURITY - unit 1
CRYPTOGRAPHY & NETWORK SECURITY - unit 1
RAMESHBABU311293
 
cnsunit1-slide-220111071646 (1).pdf
cnsunit1-slide-220111071646 (1).pdfcnsunit1-slide-220111071646 (1).pdf
cnsunit1-slide-220111071646 (1).pdf
RiyaSonawane
 
Stallings ch18 privacy
Stallings ch18 privacyStallings ch18 privacy
Stallings ch18 privacy
salehnia
 
Information System Security Policy Studies as a Form of Company Privacy Prote...
Information System Security Policy Studies as a Form of Company Privacy Prote...Information System Security Policy Studies as a Form of Company Privacy Prote...
Information System Security Policy Studies as a Form of Company Privacy Prote...
Editor IJCATR
 
Review questions
Review questionsReview questions
Review questions
Anura Kumara
 
Cybersecurity
CybersecurityCybersecurity
Cybersecurity
pronab Kurmi
 
Cybersecurity Issues and Challenges
Cybersecurity Issues and ChallengesCybersecurity Issues and Challenges
Cybersecurity Issues and Challenges
Tam Nguyen
 
What is the purpose of studying mathematics.pptx
What is the purpose of studying mathematics.pptxWhat is the purpose of studying mathematics.pptx
What is the purpose of studying mathematics.pptx
christianmathematics
 
Main Java[All of the Base Concepts}.docx
Main Java[All of the Base Concepts}.docxMain Java[All of the Base Concepts}.docx
Main Java[All of the Base Concepts}.docx
adhitya5119
 

More Related Content

Similar to ch03-Legal- Ethica and Professional Issues in IS (7-8).pdf

Ch01_Introduction_to_Information_Securit.ppt
Ch01_Introduction_to_Information_Securit.pptCh01_Introduction_to_Information_Securit.ppt
Ch01_Introduction_to_Information_Securit.ppt
Tayyab AlEe
 
Ch01_Introduction_to_Information_Securit.ppt
Ch01_Introduction_to_Information_Securit.pptCh01_Introduction_to_Information_Securit.ppt
Ch01_Introduction_to_Information_Securit.ppt
Tayyab AlEe
 
3999779.ppt
3999779.ppt3999779.ppt
3999779.ppt
pixvilx
 
1ITC358ICT Management and Information SecurityChapter 12.docx
1ITC358ICT Management and Information SecurityChapter 12.docx1ITC358ICT Management and Information SecurityChapter 12.docx
1ITC358ICT Management and Information SecurityChapter 12.docx
hyacinthshackley2629
 
information-security-3rd-edition2-define-information-security.ppt
information-security-3rd-edition2-define-information-security.pptinformation-security-3rd-edition2-define-information-security.ppt
information-security-3rd-edition2-define-information-security.ppt
MuhammadAbdullah311866
 
Lecture 8.pdf
Lecture 8.pdfLecture 8.pdf
Lecture 8.pdf
abdukadirabdullahuad
 
INT 1010 05-2.pdf
INT 1010 05-2.pdfINT 1010 05-2.pdf
INT 1010 05-2.pdf
Luis R Castellanos
 
Chapter 1 - Introduction.pdf
Chapter 1 - Introduction.pdfChapter 1 - Introduction.pdf
Chapter 1 - Introduction.pdf
EthioDotNetDeveloper
 
Cisco cybersecurity essentials chapter 8
Cisco cybersecurity essentials chapter 8Cisco cybersecurity essentials chapter 8
Cisco cybersecurity essentials chapter 8
Mukesh Chinta
 
Data Risks In A Digital Age
Data Risks In A Digital Age Data Risks In A Digital Age
Data Risks In A Digital Age
padler01
 
60304756 whitman-ch01-1
60304756 whitman-ch01-160304756 whitman-ch01-1
60304756 whitman-ch01-1
UDCNTT
 
IT8073_Information Security_UNIT I _.pdf
IT8073_Information Security_UNIT I _.pdfIT8073_Information Security_UNIT I _.pdf
IT8073_Information Security_UNIT I _.pdf
Asst.prof M.Gokilavani
 
IT8073 _Information Security _UNIT I Full notes
IT8073 _Information Security _UNIT I Full notesIT8073 _Information Security _UNIT I Full notes
IT8073 _Information Security _UNIT I Full notes
Asst.prof M.Gokilavani
 
CRYPTOGRAPHY & NETWORK SECURITY - unit 1
CRYPTOGRAPHY & NETWORK SECURITY - unit 1CRYPTOGRAPHY & NETWORK SECURITY - unit 1
CRYPTOGRAPHY & NETWORK SECURITY - unit 1
RAMESHBABU311293
 
cnsunit1-slide-220111071646 (1).pdf
cnsunit1-slide-220111071646 (1).pdfcnsunit1-slide-220111071646 (1).pdf
cnsunit1-slide-220111071646 (1).pdf
RiyaSonawane
 
Stallings ch18 privacy
Stallings ch18 privacyStallings ch18 privacy
Stallings ch18 privacy
salehnia
 
Information System Security Policy Studies as a Form of Company Privacy Prote...
Information System Security Policy Studies as a Form of Company Privacy Prote...Information System Security Policy Studies as a Form of Company Privacy Prote...
Information System Security Policy Studies as a Form of Company Privacy Prote...
Editor IJCATR
 
Review questions
Review questionsReview questions
Review questions
Anura Kumara
 
Cybersecurity
CybersecurityCybersecurity
Cybersecurity
pronab Kurmi
 
Cybersecurity Issues and Challenges
Cybersecurity Issues and ChallengesCybersecurity Issues and Challenges
Cybersecurity Issues and Challenges
Tam Nguyen
 

Similar to ch03-Legal- Ethica and Professional Issues in IS (7-8).pdf (20)

Ch01_Introduction_to_Information_Securit.ppt
Ch01_Introduction_to_Information_Securit.pptCh01_Introduction_to_Information_Securit.ppt
Ch01_Introduction_to_Information_Securit.ppt
 
Ch01_Introduction_to_Information_Securit.ppt
Ch01_Introduction_to_Information_Securit.pptCh01_Introduction_to_Information_Securit.ppt
Ch01_Introduction_to_Information_Securit.ppt
 
3999779.ppt
3999779.ppt3999779.ppt
3999779.ppt
 
1ITC358ICT Management and Information SecurityChapter 12.docx
1ITC358ICT Management and Information SecurityChapter 12.docx1ITC358ICT Management and Information SecurityChapter 12.docx
1ITC358ICT Management and Information SecurityChapter 12.docx
 
information-security-3rd-edition2-define-information-security.ppt
information-security-3rd-edition2-define-information-security.pptinformation-security-3rd-edition2-define-information-security.ppt
information-security-3rd-edition2-define-information-security.ppt
 
Lecture 8.pdf
Lecture 8.pdfLecture 8.pdf
Lecture 8.pdf
 
INT 1010 05-2.pdf
INT 1010 05-2.pdfINT 1010 05-2.pdf
INT 1010 05-2.pdf
 
Chapter 1 - Introduction.pdf
Chapter 1 - Introduction.pdfChapter 1 - Introduction.pdf
Chapter 1 - Introduction.pdf
 
Cisco cybersecurity essentials chapter 8
Cisco cybersecurity essentials chapter 8Cisco cybersecurity essentials chapter 8
Cisco cybersecurity essentials chapter 8
 
Data Risks In A Digital Age
Data Risks In A Digital Age Data Risks In A Digital Age
Data Risks In A Digital Age
 
60304756 whitman-ch01-1
60304756 whitman-ch01-160304756 whitman-ch01-1
60304756 whitman-ch01-1
 
IT8073_Information Security_UNIT I _.pdf
IT8073_Information Security_UNIT I _.pdfIT8073_Information Security_UNIT I _.pdf
IT8073_Information Security_UNIT I _.pdf
 
IT8073 _Information Security _UNIT I Full notes
IT8073 _Information Security _UNIT I Full notesIT8073 _Information Security _UNIT I Full notes
IT8073 _Information Security _UNIT I Full notes
 
CRYPTOGRAPHY & NETWORK SECURITY - unit 1
CRYPTOGRAPHY & NETWORK SECURITY - unit 1CRYPTOGRAPHY & NETWORK SECURITY - unit 1
CRYPTOGRAPHY & NETWORK SECURITY - unit 1
 
cnsunit1-slide-220111071646 (1).pdf
cnsunit1-slide-220111071646 (1).pdfcnsunit1-slide-220111071646 (1).pdf
cnsunit1-slide-220111071646 (1).pdf
 
Stallings ch18 privacy
Stallings ch18 privacyStallings ch18 privacy
Stallings ch18 privacy
 
Information System Security Policy Studies as a Form of Company Privacy Prote...
Information System Security Policy Studies as a Form of Company Privacy Prote...Information System Security Policy Studies as a Form of Company Privacy Prote...
Information System Security Policy Studies as a Form of Company Privacy Prote...
 
Review questions
Review questionsReview questions
Review questions
 
Cybersecurity
CybersecurityCybersecurity
Cybersecurity
 
Cybersecurity Issues and Challenges
Cybersecurity Issues and ChallengesCybersecurity Issues and Challenges
Cybersecurity Issues and Challenges
 

Recently uploaded

What is the purpose of studying mathematics.pptx
What is the purpose of studying mathematics.pptxWhat is the purpose of studying mathematics.pptx
What is the purpose of studying mathematics.pptx
christianmathematics
 
Main Java[All of the Base Concepts}.docx
Main Java[All of the Base Concepts}.docxMain Java[All of the Base Concepts}.docx
Main Java[All of the Base Concepts}.docx
adhitya5119
 
The Diamonds of 2023-2024 in the IGRA collection
The Diamonds of 2023-2024 in the IGRA collectionThe Diamonds of 2023-2024 in the IGRA collection
The Diamonds of 2023-2024 in the IGRA collection
Israel Genealogy Research Association
 
MATATAG CURRICULUM: ASSESSING THE READINESS OF ELEM. PUBLIC SCHOOL TEACHERS I...
MATATAG CURRICULUM: ASSESSING THE READINESS OF ELEM. PUBLIC SCHOOL TEACHERS I...MATATAG CURRICULUM: ASSESSING THE READINESS OF ELEM. PUBLIC SCHOOL TEACHERS I...
MATATAG CURRICULUM: ASSESSING THE READINESS OF ELEM. PUBLIC SCHOOL TEACHERS I...
NelTorrente
 
South African Journal of Science: Writing with integrity workshop (2024)
South African Journal of Science: Writing with integrity workshop (2024)South African Journal of Science: Writing with integrity workshop (2024)
South African Journal of Science: Writing with integrity workshop (2024)
Academy of Science of South Africa
 
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
IreneSebastianRueco1
 
The History of Stoke Newington Street Names
The History of Stoke Newington Street NamesThe History of Stoke Newington Street Names
The History of Stoke Newington Street Names
History of Stoke Newington
 
Thesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.pptThesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.ppt
EverAndrsGuerraGuerr
 
Your Skill Boost Masterclass: Strategies for Effective Upskilling
Your Skill Boost Masterclass: Strategies for Effective UpskillingYour Skill Boost Masterclass: Strategies for Effective Upskilling
Your Skill Boost Masterclass: Strategies for Effective Upskilling
Excellence Foundation for South Sudan
 
Pollock and Snow "DEIA in the Scholarly Landscape, Session One: Setting Expec...
Pollock and Snow "DEIA in the Scholarly Landscape, Session One: Setting Expec...Pollock and Snow "DEIA in the Scholarly Landscape, Session One: Setting Expec...
Pollock and Snow "DEIA in the Scholarly Landscape, Session One: Setting Expec...
National Information Standards Organization (NISO)
 
World environment day ppt For 5 June 2024
World environment day ppt For 5 June 2024World environment day ppt For 5 June 2024
World environment day ppt For 5 June 2024
ak6969907
 
The basics of sentences session 5pptx.pptx
The basics of sentences session 5pptx.pptxThe basics of sentences session 5pptx.pptx
The basics of sentences session 5pptx.pptx
heathfieldcps1
 
MARY JANE WILSON, A “BOA MÃE” .
MARY JANE WILSON, A “BOA MÃE” .MARY JANE WILSON, A “BOA MÃE” .
MARY JANE WILSON, A “BOA MÃE” .
Colégio Santa Teresinha
 
Advantages and Disadvantages of CMS from an SEO Perspective
Advantages and Disadvantages of CMS from an SEO PerspectiveAdvantages and Disadvantages of CMS from an SEO Perspective
Advantages and Disadvantages of CMS from an SEO Perspective
Krisztián Száraz
 
How to Build a Module in Odoo 17 Using the Scaffold Method
How to Build a Module in Odoo 17 Using the Scaffold MethodHow to Build a Module in Odoo 17 Using the Scaffold Method
How to Build a Module in Odoo 17 Using the Scaffold Method
Celine George
 
A Independência da América Espanhola LAPBOOK.pdf
A Independência da América Espanhola LAPBOOK.pdfA Independência da América Espanhola LAPBOOK.pdf
A Independência da América Espanhola LAPBOOK.pdf
Jean Carlos Nunes Paixão
 
Introduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp NetworkIntroduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp Network
TechSoup
 
How to Fix the Import Error in the Odoo 17
How to Fix the Import Error in the Odoo 17How to Fix the Import Error in the Odoo 17
How to Fix the Import Error in the Odoo 17
Celine George
 
Pride Month Slides 2024 David Douglas School District
Pride Month Slides 2024 David Douglas School DistrictPride Month Slides 2024 David Douglas School District
Pride Month Slides 2024 David Douglas School District
David Douglas School District
 
A Survey of Techniques for Maximizing LLM Performance.pptx
A Survey of Techniques for Maximizing LLM Performance.pptxA Survey of Techniques for Maximizing LLM Performance.pptx
A Survey of Techniques for Maximizing LLM Performance.pptx
thanhdowork
 

Recently uploaded (20)

What is the purpose of studying mathematics.pptx
What is the purpose of studying mathematics.pptxWhat is the purpose of studying mathematics.pptx
What is the purpose of studying mathematics.pptx
 
Main Java[All of the Base Concepts}.docx
Main Java[All of the Base Concepts}.docxMain Java[All of the Base Concepts}.docx
Main Java[All of the Base Concepts}.docx
 
The Diamonds of 2023-2024 in the IGRA collection
The Diamonds of 2023-2024 in the IGRA collectionThe Diamonds of 2023-2024 in the IGRA collection
The Diamonds of 2023-2024 in the IGRA collection
 
MATATAG CURRICULUM: ASSESSING THE READINESS OF ELEM. PUBLIC SCHOOL TEACHERS I...
MATATAG CURRICULUM: ASSESSING THE READINESS OF ELEM. PUBLIC SCHOOL TEACHERS I...MATATAG CURRICULUM: ASSESSING THE READINESS OF ELEM. PUBLIC SCHOOL TEACHERS I...
MATATAG CURRICULUM: ASSESSING THE READINESS OF ELEM. PUBLIC SCHOOL TEACHERS I...
 
South African Journal of Science: Writing with integrity workshop (2024)
South African Journal of Science: Writing with integrity workshop (2024)South African Journal of Science: Writing with integrity workshop (2024)
South African Journal of Science: Writing with integrity workshop (2024)
 
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
 
The History of Stoke Newington Street Names
The History of Stoke Newington Street NamesThe History of Stoke Newington Street Names
The History of Stoke Newington Street Names
 
Thesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.pptThesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.ppt
 
Your Skill Boost Masterclass: Strategies for Effective Upskilling
Your Skill Boost Masterclass: Strategies for Effective UpskillingYour Skill Boost Masterclass: Strategies for Effective Upskilling
Your Skill Boost Masterclass: Strategies for Effective Upskilling
 
Pollock and Snow "DEIA in the Scholarly Landscape, Session One: Setting Expec...
Pollock and Snow "DEIA in the Scholarly Landscape, Session One: Setting Expec...Pollock and Snow "DEIA in the Scholarly Landscape, Session One: Setting Expec...
Pollock and Snow "DEIA in the Scholarly Landscape, Session One: Setting Expec...
 
World environment day ppt For 5 June 2024
World environment day ppt For 5 June 2024World environment day ppt For 5 June 2024
World environment day ppt For 5 June 2024
 
The basics of sentences session 5pptx.pptx
The basics of sentences session 5pptx.pptxThe basics of sentences session 5pptx.pptx
The basics of sentences session 5pptx.pptx
 
MARY JANE WILSON, A “BOA MÃE” .
MARY JANE WILSON, A “BOA MÃE” .MARY JANE WILSON, A “BOA MÃE” .
MARY JANE WILSON, A “BOA MÃE” .
 
Advantages and Disadvantages of CMS from an SEO Perspective
Advantages and Disadvantages of CMS from an SEO PerspectiveAdvantages and Disadvantages of CMS from an SEO Perspective
Advantages and Disadvantages of CMS from an SEO Perspective
 
How to Build a Module in Odoo 17 Using the Scaffold Method
How to Build a Module in Odoo 17 Using the Scaffold MethodHow to Build a Module in Odoo 17 Using the Scaffold Method
How to Build a Module in Odoo 17 Using the Scaffold Method
 
A Independência da América Espanhola LAPBOOK.pdf
A Independência da América Espanhola LAPBOOK.pdfA Independência da América Espanhola LAPBOOK.pdf
A Independência da América Espanhola LAPBOOK.pdf
 
Introduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp NetworkIntroduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp Network
 
How to Fix the Import Error in the Odoo 17
How to Fix the Import Error in the Odoo 17How to Fix the Import Error in the Odoo 17
How to Fix the Import Error in the Odoo 17
 
Pride Month Slides 2024 David Douglas School District
Pride Month Slides 2024 David Douglas School DistrictPride Month Slides 2024 David Douglas School District
Pride Month Slides 2024 David Douglas School District
 
A Survey of Techniques for Maximizing LLM Performance.pptx
A Survey of Techniques for Maximizing LLM Performance.pptxA Survey of Techniques for Maximizing LLM Performance.pptx
A Survey of Techniques for Maximizing LLM Performance.pptx
 

ch03-Legal- Ethica and Professional Issues in IS (7-8).pdf

  • 1. Principles of Information Security, 2nd Edition 1
  • 2. Principles of Information Security, 2nd Edition 2  Use this chapter as a guide for future reference on laws, regulations, and professional organizations  Differentiate between laws and ethics  Identify major national laws that relate to the practice of information security  Understand the role of culture as it applies to ethics in information security Learning Objectives Upon completion of this material, you should be able to:
  • 3. Principles of Information Security, 2nd Edition 3 Introduction  You must understand scope of an organization’s legal and ethical responsibilities  To minimize liabilities/reduce risks, the information security practitioner must:  Understand current legal environment  Stay current with laws and regulations  Watch for new issues that emerge
  • 4. Principles of Information Security, 2nd Edition 4 Law and Ethics in Information Security  Laws: rules that mandate or prohibit certain societal behavior  Ethics: define socially acceptable behavior  Cultural mores: fixed moral attitudes or customs of a particular group; ethics based on these  Laws carry sanctions of a governing authority; ethics do not
  • 5. Principles of Information Security, 2nd Edition 5 Types of Law  Civil  Criminal  Tort  Private  Public
  • 6. Principles of Information Security, 2nd Edition 6 Relevant U.S. Laws (General)  Computer Fraud and Abuse Act of 1986 (CFAAct)  National Information Infrastructure Protection Act of 1996  USA Patriot Act of 2001  Telecommunications Deregulation and Competition Act of 1996  Communications Decency Act of 1996 (CDA)  Computer Security Act of 1987
  • 7. Principles of Information Security, 2nd Edition 7 Privacy  One of the hottest topics in information security  Is a “state of being free from unsanctioned intrusion”  Ability to aggregate data from multiple sources allows creation of information databases previously unheard of
  • 8. Principles of Information Security, 2nd Edition 8 Privacy of Customer Information  Privacy of Customer Information Section of common carrier regulation  Federal Privacy Act of 1974  Electronic Communications Privacy Act of 1986  Health Insurance Portability and Accountability Act of 1996 (HIPAA), aka Kennedy-Kassebaum Act  Financial Services Modernization Act, or Gramm-Leach- Bliley Act of 1999
  • 9. Principles of Information Security, 2nd Edition 9 Figure 3-1 – Export and Espionage
  • 10. Principles of Information Security, 2nd Edition 10 Figure 3-2 – US Copyright Office
  • 11. Principles of Information Security, 2nd Edition 11 Export and Espionage Laws  Economic Espionage Act of 1996 (EEA)  Security And Freedom Through Encryption Act of 1999 (SAFE)
  • 12. Principles of Information Security, 2nd Edition 12 U.S. Copyright Law  Intellectual property recognized as protected asset in the U.S.; copyright law extends to electronic formats  With proper acknowledgement, permissible to include portions of others’ work as reference  U.S. Copyright Office Web site: www.copyright.gov
  • 13. Principles of Information Security, 2nd Edition 13 Freedom of Information Act of 1966 (FOIA)  Allows access to federal agency records or information not determined to be matter of national security  U.S. government agencies required to disclose any requested information upon receipt of written request  Some information protected from disclosure
  • 14. Principles of Information Security, 2nd Edition 14 State and Local Regulations  Restrictions on organizational computer technology use exist at international, national, state, local levels  Information security professional responsible for understanding state regulations and ensuring organization is compliant with regulations
  • 15. Principles of Information Security, 2nd Edition 15 International Laws and Legal Bodies  European Council Cyber-Crime Convention:  Establishes international task force overseeing Internet security functions for standardized international technology laws  Attempts to improve effectiveness of international investigations into breaches of technology law  Well received by intellectual property rights advocates due to emphasis on copyright infringement prosecution  Lacks realistic provisions for enforcement
  • 16. Principles of Information Security, 2nd Edition 16 Figure 3-4 – EU Law Portal
  • 17. Principles of Information Security, 2nd Edition 17 Digital Millennium Copyright Act (DMCA)  U.S. contribution to international effort to reduce impact of copyright, trademark, and privacy infringement  A response to European Union Directive 95/46/EC, which adds protection to individuals with regard to processing and free movement of personal data
  • 18. Principles of Information Security, 2nd Edition 18 United Nations Charter  Makes provisions, to a degree, for information security during information warfare (IW)  IW involves use of information technology to conduct organized and lawful military operations  IW is relatively new type of warfare, although military has been conducting electronic warfare operations for decades
  • 19. Principles of Information Security, 2nd Edition 19 Figure 3-5 – UN International Law
  • 20. Principles of Information Security, 2nd Edition 20 Policy Versus Law  Most organizations develop and formalize a body of expectations called policy  Policies serve as organizational laws  To be enforceable, policy must be distributed, readily available, easily understood, and acknowledged by employees
  • 21. Principles of Information Security, 2nd Edition 21 Ethics and Information Security
  • 22. Principles of Information Security, 2nd Edition 22 Ethical Differences Across Cultures  Cultural differences create difficulty in determining what is and is not ethical  Difficulties arise when one nationality’s ethical behavior conflicts with ethics of another national group  Example: many of ways in which Asian cultures use computer technology is software piracy
  • 23. Principles of Information Security, 2nd Edition 23 Ethics and Education  Overriding factor in leveling ethical perceptions within a small population is education  Employees must be trained in expected behaviors of an ethical employee, especially in areas of information security  Proper ethical training vital to creating informed, well prepared, and low-risk system user
  • 24. Principles of Information Security, 2nd Edition 24 Deterrence to Unethical and Illegal Behavior  Deterrence: best method for preventing an illegal or unethical activity; e.g., laws, policies, technical controls  Laws and policies only deter if three conditions are present:  Fear of penalty  Probability of being caught  Probability of penalty being administered
  • 25. Principles of Information Security, 2nd Edition 25 Codes of Ethics and Professional Organizations  Several professional organizations have established codes of conduct/ethics  Codes of ethics can have positive effect; unfortunately, many employers do not encourage joining of these professional organizations  Responsibility of security professionals to act ethically and according to policies of employer, professional organization, and laws of society
  • 26. Principles of Information Security, 2nd Edition 26 Association of Computing Machinery (ACM)  ACM established in 1947 as “the world's first educational and scientific computing society”  Code of ethics contains references to protecting information confidentiality, causing no harm, protecting others’ privacy, and respecting others’ intellectual property
  • 27. Principles of Information Security, 2nd Edition 27 International Information Systems Security Certification Consortium, Inc. (ISC)2  Non-profit organization focusing on development and implementation of information security certifications and credentials  Code primarily designed for information security professionals who have certification from (ISC)2  Code of ethics focuses on four mandatory canons
  • 28. Principles of Information Security, 2nd Edition 28 System Administration, Networking, and Security Institute (SANS)  Professional organization with a large membership dedicated to protection of information and systems  SANS offers set of certifications called Global Information Assurance Certification (GIAC)
  • 29. Principles of Information Security, 2nd Edition 29 Information Systems Audit and Control Association (ISACA)  Professional association with focus on auditing, control, and security  Concentrates on providing IT control practices and standards  ISACA has code of ethics for its professionals
  • 30. Principles of Information Security, 2nd Edition 30 Computer Security Institute (CSI)  Provides information and training to support computer, networking, and information security professionals  Though without a code of ethics, has argued for adoption of ethical behavior among information security professionals
  • 31. Principles of Information Security, 2nd Edition 31 Information Systems Security Association (ISSA)  Nonprofit society of information security (IS) professionals  Primary mission to bring together qualified IS practitioners for information exchange and educational development  Promotes code of ethics similar to (ISC)2, ISACA and ACM
  • 32. Principles of Information Security, 2nd Edition 32 Other Security Organizations  Internet Society (ISOC): promotes development and implementation of education, standards, policy and education to promote the Internet  Computer Security Division (CSD): division of National Institute for Standards and Technology (NIST); promotes industry best practices and is important reference for information security professionals
  • 33. Principles of Information Security, 2nd Edition 33 Other Security Organizations (continued)  CERT Coordination Center (CERT/CC): center of Internet security expertise operated by Carnegie Mellon University  Computer Professionals for Social Responsibility (CPSR): public organization for anyone concerned with impact of computer technology on society
  • 34. Principles of Information Security, 2nd Edition 34 Key U.S. Federal Agencies  Department of Homeland Security (DHS)  Federal Bureau of Investigation’s National Infrastructure Protection Center (NIPC)  National Security Agency (NSA)  U.S. Secret Service
  • 35. Principles of Information Security, 2nd Edition 35 Organizational Liability and the Need for Counsel  Liability is legal obligation of an entity; includes legal obligation to make restitution for wrongs committed  Organization increases liability if it refuses to take measures known as due care  Due diligence requires that an organization make valid effort to protect others and continually maintain that level of effort
  • 36. Principles of Information Security, 2nd Edition 36 Summary  Laws: rules that mandate or prohibit certain behavior in society; drawn from ethics  Ethics: define socially acceptable behaviors; based on cultural mores (fixed moral attitudes or customs of a particular group)  Types of law: civil, criminal, tort law, private, public
  • 37. Principles of Information Security, 2nd Edition 37 Summary  Relevant U.S. laws:  Computer Fraud and Abuse Act of 1986 (CFAAct)  National Information Infrastructure Protection Act of 1996  USA Patriot Act of 2001  Telecommunications Deregulation and Competition Act of 1996  Communications Decency Act of 1996 (CDA)  Computer Security Act of 1987
  • 38. Principles of Information Security, 2nd Edition 38 Homework  Relevant U.S. laws:  Computer Fraud and Abuse Act of 1986 (CFAAct)  National Information Infrastructure Protection Act of 1996  USA Patriot Act of 2001  Telecommunications Deregulation and Competition Act of 1996  Communications Decency Act of 1996 (CDA)  Computer Security Act of 1987  These are relevant U.S. Laws on Information Security. Pick one law and prepare a 10 minutes presentation on it. One week.
  • 39. Principles of Information Security, 2nd Edition 39 Summary  Many organizations have codes of conduct and/or codes of ethics  Organization increases liability if it refuses to take measures known as due care  Due diligence requires that organization make valid effort to protect others and continually maintain that effort