This document provides an overview of key concepts regarding law and ethics in information security. It discusses the differences between laws and ethics, and how policies function similarly to laws within an organization. Several major US laws are outlined, including those covering general computer crimes, privacy, identity theft, export and espionage, copyright, and financial reporting. International agreements and professional organizations relevant to information security ethics are also mentioned. The document aims to help readers understand the legal and ethical responsibilities for information security practitioners.
The term cyber security is used to refer to the security offered through on-line services to protect your online information.
With an increasing amount of people getting connected to Internet, the security threats that cause massive harm are increasing also.
Just created a slideshare presentation giving a basic introduction to the Confidentiality, Integrity & Availability (CIA) Security Model. You can see more slideshows on http://www.slideshare.net/ImranahmedIT or visit my website: http://imran-ahmed.co.uk
The term cyber security is used to refer to the security offered through on-line services to protect your online information.
With an increasing amount of people getting connected to Internet, the security threats that cause massive harm are increasing also.
Just created a slideshare presentation giving a basic introduction to the Confidentiality, Integrity & Availability (CIA) Security Model. You can see more slideshows on http://www.slideshare.net/ImranahmedIT or visit my website: http://imran-ahmed.co.uk
This presentation includes 60+ slides that mainly deals with three Computer Security aspects i.e
1. Security Attacks and Threats
2. Security Services
3. Security Mechanisms
Along with that we've also includes Security Awareness and Security Policies
While computer systems today have some of the best security systems ever, they are more vulnerable than ever before.
This vulnerability stems from the world-wide access to computer systems via the Internet.
Computer and network security comes in many forms, including encryption algorithms, access to facilities, digital signatures, and using fingerprints and face scans as passwords.
This presentation includes 60+ slides that mainly deals with three Computer Security aspects i.e
1. Security Attacks and Threats
2. Security Services
3. Security Mechanisms
Along with that we've also includes Security Awareness and Security Policies
While computer systems today have some of the best security systems ever, they are more vulnerable than ever before.
This vulnerability stems from the world-wide access to computer systems via the Internet.
Computer and network security comes in many forms, including encryption algorithms, access to facilities, digital signatures, and using fingerprints and face scans as passwords.
https://digitalguardian.com/blog/social-engineering-attacks-common-techniques-how-prevent-attack
Statement of Michelle Richardson, Director, Privacy & Data
Center for Democracy & Technology
before the
United States Senate Committee on the Judiciary
GDPR & CCPA: Opt-ins, Consumer Control, and the Impact on Competition and Innovation
March 12, 2019
On behalf of the Center for Democracy & Technology (CDT), thank you for the
opportunity to testify about the importance of crafting a federal consumer privacy law that
provides meaningful protections for Americans and clarity for entities of all sizes and sectors.
CDT is a nonpartisan, nonprofit 501(c)(3) charitable organization dedicated to advancing the
rights of the individual in the digital world. CDT is committed to protecting privacy as a
fundamental human and civil right and as a necessity for securing other rights such as access to
justice, equal protection, and freedom of expression. CDT has offices in Washington, D.C., and
Brussels, and has a diverse funding portfolio from foundation grants, corporate donations, and
individual donations.1
The United States should be leading the way in protecting digital civil rights. This hearing
is an opportunity to learn how Congress can improve upon the privacy frameworks offered in
the European Union via the General Data Protection Regulation (GDPR) and the California
Consumer Privacy Act (CCPA) to craft a comprehensive privacy law that works for the U.S. Our
digital future should be one in which technology supports human rights and human dignity. This
future cannot be realized if people are forced to choose between protecting their personal
information and using the technologies and services that enhance our lives. This future depends
on clear and meaningful rules governing data processing; rules that do not simply provide
1 All donations over $1,000 are disclosed in our annual report and are available online at:
https://cdt.org/financials/.
2
people with notices and check boxes but actually protect them from privacy and security
abuses and data-driven discrimination; protections that cannot be signed away.
Congress should resist the narratives that innovative technologies and strong privacy
protections are fundamentally at odds, and that a privacy law would necessarily cement the
market dominance of a few large companies. Clear and focused privacy rules can help
companies of all sizes gain certainty with respect to appropriate and inappropriate uses of data.
Clear rules will also empower engineers and product managers to design for privacy on the
front end, rather than having to wait for a public privacy scandal to force the rollback of a
product or data practice.
We understand that drafting comprehensive privacy legislation is a complex endeavor.
Over the past year we have worked with partners in civil societ.
1ITC358ICT Management and Information SecurityChapter 12.docxhyacinthshackley2629
1
ITC358
ICT Management and Information Security
Chapter 12
Law and Ethics
In law a man is guilty when he violates the rights of others.
In ethics he is guilty if he only thinks of doing so. – Immanuel Kant
1
Objectives
Upon completion of this chapter, you should be able to:
Differentiate between law and ethics
Describe the ethical foundations and approaches that underlie modern codes of ethics
Identify major national and international laws that relate to the practice of information security
Describe the role of culture as it applies to ethics in information security
Identify current information on laws, regulations, and relevant professional organisations
2
Introduction
All information security professionals must understand the scope of an organisation’s legal and ethical responsibilities
Understand the current legal environment
Keep apprised of new laws, regulations, and ethical issues as they emerge
To minimise the organisation’s liabilities
Educate employees and management about their legal and ethical obligations
And proper use of information technology
3
Law and Ethics in Information Security
Laws
Rules adopted and enforced by governments to codify expected behaviour in modern society
The key difference between law and ethics is that law carries the sanction of a governing authority and ethics do not
Ethics are based on cultural mores
Relatively fixed moral attitudes or customs of a societal group
4
Information Security and the Law
InfoSec professionals and managers must understand the legal framework within which their organisations operate
Can influence the organisation to a greater or lesser extent, depending on the nature of the organisation and the scale on which it operates
5
Types of Law
Civil law
Pertains to relationships between and among individuals and organisations
Criminal law
Addresses violations harmful to society
Actively enforced and prosecuted by the state
Tort law (search Tort law in Australia)
A subset of civil law that allows individuals to seek redress in the event of personal, physical, or financial injury
6
Types of Law (cont’d.)
Private law
Regulates the relationships among individuals and among individuals and organisations
Family law, commercial law, and labour law
Public law
Regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments
Criminal, administrative, and constitutional law
7
Table 12-1a: Key U.S. laws of interest to information security professionals
8
Table 12-1b: Key U.S. laws of interest to information security professionals
9
Relevant U.S. Laws
The Computer Fraud and Abuse Act of 1986 (CFA Act)
The cornerstone of many computer-related federal laws and enforcement efforts
Amended in October 1996 by the National Information Infrastructure Protection Act
Modified several sections of the previous act, and increased the penalties for se.
The ASEAN Data Protection Index 2020 uses seven Principles of Personal Data Protection in the ASEAN Framework on Data Protection 2016 to assess the level of data protection across various economies. This is the first index to use the ASEAN Framework on Data Protection as a best practice guideline, where the assessment of a positive data protection policy posture by a country would be one which promotes the free flow of data across borders.
Strengthening the Great Cyber-Wall of China — An Effort in Protecting the Mas...Terrance Tong
China’s recent cybersecurity laws have been cited by the government as internet and personal data protection milestones, while being viewed with suspicion by foreign multinationals as potentially increasing compliance costs. The one certain thing is that the Chinese government
is succeeding in exercising more control and oversight over cyberspace.
What is cyber law?
What is cyber crime?
Cybercrimes areas
what law relating to
Data protection and privacy
Software Licensing Issues
IT acts
Policy Versus Law
Codes of Ethics and Professional Organizations
An Indian Outline on Database ProtectionSinghania2015
One Business Processing Outsourcing company of India was in the eye of storm when one of its employees sold confidential financial information relating to customers of few British banks to an undercover reporter from the British tabloid ‘The Sun’. The incident sparked off a debate among the offshore industry circles, media and the legal world for the need of specific legislation for the protection for personal data in India which is absent currently.
Advanced PII / PI data discovery and data protectionUlf Mattsson
We will discuss using Advanced PII/PI Discovery to Find & Inventory All Personal Data at an Enterprise Scale.
Learn about new machine learning & identity intelligence technology.
You will learn how to:
• Identify all PII across structured, unstructured, cloud & Big Data.
• Inventory PII by data subject & residency for GDPR.
• Measure data re-identifiability for pseudonymization.
• Uncover dark or uncatalogued data.
• Fix data quality, visualize PII data relationships
• Apply data protection to discovered sensitive data.
Danny Friedmann, Sinking the Safe Harbour with the Legal Certainty of Strict ...Danny Friedmann
In both the EU and US, there are safe harbour provisions in place that should, under certain conditions, provide online service providers (OSPs) with immunity in the case of intellectual property infringement by third parties. However, the significant litigation against OSPs demonstrates that the safe harbour provisions are neither effective nor efficient. By providing OSPs with immunity against third party liability, safe harbour provisions contribute to a climate where the behaviour of OSPs is dominated by short-term business interests which are conducive neither to the enforcement of intellectual property rights by the OSPs nor to legal certainty for proprietors, internet users and OSPs alike.
The precondition for invoking safe harbour provisions, that one remain passive and only act reactively, leads to wilful blindness, although OSPs are best positioned to filter infringing use of content proactively. This article therefore asserts that the safe harbour provisions must be replaced by strict intermediary liability. As will be pointed out below, this transition is not as dramatic as it seems.
Safe harbours provisions were drafted at a moment when OSPs, as social media, still needed to be developed. They do not protect proprietors against infringement. Moreover, the protection of OSPs against liability is an illusion. If one extrapolates the development in filter technology one can see that advocating safe harbour provisions has become a rearguard battle and that implementation of strict liability for OSPs is inescapable.
Similar to Chapter 11 laws and ethic information security (20)
Francesca Gottschalk - How can education support child empowerment.pptxEduSkills OECD
Francesca Gottschalk from the OECD’s Centre for Educational Research and Innovation presents at the Ask an Expert Webinar: How can education support child empowerment?
Acetabularia Information For Class 9 .docxvaibhavrinwa19
Acetabularia acetabulum is a single-celled green alga that in its vegetative state is morphologically differentiated into a basal rhizoid and an axially elongated stalk, which bears whorls of branching hairs. The single diploid nucleus resides in the rhizoid.
Biological screening of herbal drugs: Introduction and Need for
Phyto-Pharmacological Screening, New Strategies for evaluating
Natural Products, In vitro evaluation techniques for Antioxidants, Antimicrobial and Anticancer drugs. In vivo evaluation techniques
for Anti-inflammatory, Antiulcer, Anticancer, Wound healing, Antidiabetic, Hepatoprotective, Cardio protective, Diuretics and
Antifertility, Toxicity studies as per OECD guidelines
Macroeconomics- Movie Location
This will be used as part of your Personal Professional Portfolio once graded.
Objective:
Prepare a presentation or a paper using research, basic comparative analysis, data organization and application of economic information. You will make an informed assessment of an economic climate outside of the United States to accomplish an entertainment industry objective.
The French Revolution, which began in 1789, was a period of radical social and political upheaval in France. It marked the decline of absolute monarchies, the rise of secular and democratic republics, and the eventual rise of Napoleon Bonaparte. This revolutionary period is crucial in understanding the transition from feudalism to modernity in Europe.
For more information, visit-www.vavaclasses.com
Embracing GenAI - A Strategic ImperativePeter Windle
Artificial Intelligence (AI) technologies such as Generative AI, Image Generators and Large Language Models have had a dramatic impact on teaching, learning and assessment over the past 18 months. The most immediate threat AI posed was to Academic Integrity with Higher Education Institutes (HEIs) focusing their efforts on combating the use of GenAI in assessment. Guidelines were developed for staff and students, policies put in place too. Innovative educators have forged paths in the use of Generative AI for teaching, learning and assessments leading to pockets of transformation springing up across HEIs, often with little or no top-down guidance, support or direction.
This Gasta posits a strategic approach to integrating AI into HEIs to prepare staff, students and the curriculum for an evolving world and workplace. We will highlight the advantages of working with these technologies beyond the realm of teaching, learning and assessment by considering prompt engineering skills, industry impact, curriculum changes, and the need for staff upskilling. In contrast, not engaging strategically with Generative AI poses risks, including falling behind peers, missed opportunities and failing to ensure our graduates remain employable. The rapid evolution of AI technologies necessitates a proactive and strategic approach if we are to remain relevant.
Introduction to AI for Nonprofits with Tapp NetworkTechSoup
Dive into the world of AI! Experts Jon Hill and Tareq Monaur will guide you through AI's role in enhancing nonprofit websites and basic marketing strategies, making it easy to understand and apply.
Normal Labour/ Stages of Labour/ Mechanism of LabourWasim Ak
Normal labor is also termed spontaneous labor, defined as the natural physiological process through which the fetus, placenta, and membranes are expelled from the uterus through the birth canal at term (37 to 42 weeks
Synthetic Fiber Construction in lab .pptxPavel ( NSTU)
Synthetic fiber production is a fascinating and complex field that blends chemistry, engineering, and environmental science. By understanding these aspects, students can gain a comprehensive view of synthetic fiber production, its impact on society and the environment, and the potential for future innovations. Synthetic fibers play a crucial role in modern society, impacting various aspects of daily life, industry, and the environment. ynthetic fibers are integral to modern life, offering a range of benefits from cost-effectiveness and versatility to innovative applications and performance characteristics. While they pose environmental challenges, ongoing research and development aim to create more sustainable and eco-friendly alternatives. Understanding the importance of synthetic fibers helps in appreciating their role in the economy, industry, and daily life, while also emphasizing the need for sustainable practices and innovation.
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...Levi Shapiro
Letter from the Congress of the United States regarding Anti-Semitism sent June 3rd to MIT President Sally Kornbluth, MIT Corp Chair, Mark Gorenberg
Dear Dr. Kornbluth and Mr. Gorenberg,
The US House of Representatives is deeply concerned by ongoing and pervasive acts of antisemitic
harassment and intimidation at the Massachusetts Institute of Technology (MIT). Failing to act decisively to ensure a safe learning environment for all students would be a grave dereliction of your responsibilities as President of MIT and Chair of the MIT Corporation.
This Congress will not stand idly by and allow an environment hostile to Jewish students to persist. The House believes that your institution is in violation of Title VI of the Civil Rights Act, and the inability or
unwillingness to rectify this violation through action requires accountability.
Postsecondary education is a unique opportunity for students to learn and have their ideas and beliefs challenged. However, universities receiving hundreds of millions of federal funds annually have denied
students that opportunity and have been hijacked to become venues for the promotion of terrorism, antisemitic harassment and intimidation, unlawful encampments, and in some cases, assaults and riots.
The House of Representatives will not countenance the use of federal funds to indoctrinate students into hateful, antisemitic, anti-American supporters of terrorism. Investigations into campus antisemitism by the Committee on Education and the Workforce and the Committee on Ways and Means have been expanded into a Congress-wide probe across all relevant jurisdictions to address this national crisis. The undersigned Committees will conduct oversight into the use of federal funds at MIT and its learning environment under authorities granted to each Committee.
• The Committee on Education and the Workforce has been investigating your institution since December 7, 2023. The Committee has broad jurisdiction over postsecondary education, including its compliance with Title VI of the Civil Rights Act, campus safety concerns over disruptions to the learning environment, and the awarding of federal student aid under the Higher Education Act.
• The Committee on Oversight and Accountability is investigating the sources of funding and other support flowing to groups espousing pro-Hamas propaganda and engaged in antisemitic harassment and intimidation of students. The Committee on Oversight and Accountability is the principal oversight committee of the US House of Representatives and has broad authority to investigate “any matter” at “any time” under House Rule X.
• The Committee on Ways and Means has been investigating several universities since November 15, 2023, when the Committee held a hearing entitled From Ivory Towers to Dark Corners: Investigating the Nexus Between Antisemitism, Tax-Exempt Universities, and Terror Financing. The Committee followed the hearing with letters to those institutions on January 10, 202
Unit 8 - Information and Communication Technology (Paper I).pdfThiyagu K
This slides describes the basic concepts of ICT, basics of Email, Emerging Technology and Digital Initiatives in Education. This presentations aligns with the UGC Paper I syllabus.
Unit 8 - Information and Communication Technology (Paper I).pdf
Chapter 11 laws and ethic information security
1. 112/25/2019 1 1
1
Part 2 Access Control 1Security+ Guide to Network Security Fundamentals, Third Edition
1
11
1 1 tohttps://github.com/syaifulahdan/
INFORMATION SECURITY
Law and Ethics Information Security
Introduction
Law and Ethics in Information Security
Organizational Liability and the Need for Counsel
Policy Vs Law
Type of Law
Relevant U.S Laws
General Computer Crime Laws
Privacy
Privacy of Customer Information
Identity Theft
Export and Espionage Laws
U.S Copyright Laws
Financial Reporting
Freedom of Information Act of 1966 (FOIA)
Digital Millenium Copyright Act (DMCA)
State and Local Regulations
Principles of Information Security, 3rd Edition
Internal Laws and Legal Bodies
European Union Cyber Crime Convention
Aggreement on Trade Related Aspect of
Intellectual Property Right
United Nation Charter
Ethics and Information Security
Deterrence to Unethical and Illegal Behavior
Codes of Ethics and Professional Ogranization
Association of Computing Machinery (ACM)
International Information System Security
Certification Consortium, Inc.
System Adminisration Networking, and Security
Institute (SANS)
Information System Audit and Control Association
(ISACA)
Information System Security Association (ISSA)
Key U.S Federal Agencies
2. 212/25/2019 2 2
2
Part 2 Access Control 2Security+ Guide to Network Security Fundamentals, Third Edition
2
22
2 2 tohttps://github.com/syaifulahdan/
2
Use this chapter as a guide for future reference on
laws, regulations, and professional organizations
Differentiate between laws and ethics
Identify major national laws that relate to the
practice of information security
Understand the role of culture as it applies to ethics
in information security
Learning Objectives
Upon completion of this material, you should be able
to:
3. 312/25/2019 3 3
3
Part 2 Access Control 3Security+ Guide to Network Security Fundamentals, Third Edition
3
33
3 3 tohttps://github.com/syaifulahdan/
3
Introduction
You must understand scope of an organization’s
legal and ethical responsibilities
To minimize liabilities/reduce risks, the information
security practitioner must:
Understand current legal environment
Stay current with laws and regulations
Watch for new issues that emerge
4. 412/25/2019 4 4
4
Part 2 Access Control 4Security+ Guide to Network Security Fundamentals, Third Edition
4
44
4 4 tohttps://github.com/syaifulahdan/
4
Law and Ethics in Information Security
Laws: rules that mandate or prohibit certain societal
behavior
Ethics: define socially acceptable behavior
Cultural mores: fixed moral attitudes or customs of a
particular group; ethics based on these
Laws carry sanctions of a governing authority; ethics
do not
5. 512/25/2019 5 5
5
Part 2 Access Control 5Security+ Guide to Network Security Fundamentals, Third Edition
5
55
5 5 tohttps://github.com/syaifulahdan/
5
Organizational Liability and the Need for
Counsel
Liability: legal obligation of an entity extending
beyond criminal or contract law; includes legal
obligation to make restitution
Restitution: to compensate for wrongs committed
by an organization or its employees
Due care: insuring that employees know what
constitutes acceptable behavior and know the
consequences of illegal or unethical actions
Due diligence: making a valid effort to protect
others; continually maintaining level of effort
6. 612/25/2019 6 6
6
Part 2 Access Control 6Security+ Guide to Network Security Fundamentals, Third Edition
6
66
6 6 tohttps://github.com/syaifulahdan/
6
Organizational Liability and the Need for
Counsel (continued)
Jurisdiction: court's right to hear a case if the wrong
was committed in its territory or involved its
citizenry
Long arm jurisdiction: right of any court to impose
its authority over an individual or organization if it
can establish jurisdiction
7. 712/25/2019 7 7
7
Part 2 Access Control 7Security+ Guide to Network Security Fundamentals, Third Edition
7
77
7 7 tohttps://github.com/syaifulahdan/
7
Policy versus Law
Policies: body of expectations that describe
acceptable and unacceptable employee behaviors in
the workplace
Policies function as laws within an organization;
must be crafted carefully to ensure they are complete,
appropriate, fairly applied to everyone
Difference between policy and law: ignorance of a
policy is an acceptable defense
Criteria for policy enforcement: dissemination
(distribution), review (reading), comprehension
(understanding), compliance (agreement), uniform
enforcement
8. 812/25/2019 8 8
8
Part 2 Access Control 8Security+ Guide to Network Security Fundamentals, Third Edition
8
88
8 8 tohttps://github.com/syaifulahdan/
8
Types of Law
Civil: governs nation or state; manages
relationships/conflicts between organizational
entities and people
Criminal: addresses violations harmful to society;
actively enforced by the state
Private: regulates relationships between individuals
and organizations
Public: regulates structure/administration of
government agencies and relationships with citizens,
employees, and other governments
9. 912/25/2019 9 9
9
Part 2 Access Control 9Security+ Guide to Network Security Fundamentals, Third Edition
9
99
9 9 tohttps://github.com/syaifulahdan/
9
Relevant U.S. Laws
United States has been a leader in the development
and implementation of information security
legislation
Implementation of information security legislation
contributes to a more reliable business environment
and a stable economy
EU vs. US on privacy
US vs. China on censureship
U.S. has specified penalties for individuals and
organizations failing to follow requirements set forth
in U.S. civil statutes
10. 1012/25/2019 10 10
10
Part 2 Access Control 10Security+ Guide to Network Security Fundamentals, Third Edition
10
1010
10 10 tohttps://github.com/syaifulahdan/
10
General Computer Crime Laws
Computer Fraud and Abuse Act of 1986 (CFA Act)
National Information Infrastructure Protection Act
of 1996
USA PATRIOT Act of 2001
USA PATRIOT Improvement and Reauthorization
Act
Computer Security Act of 1987
11. 1112/25/2019 11 11
11
Part 2 Access Control 11Security+ Guide to Network Security Fundamentals, Third Edition
11
1111
11 11 tohttps://github.com/syaifulahdan/
11
Privacy
One of the hottest topics in information security
Is a “state of being free from unsanctioned intrusion”
Ability to aggregate data from multiple sources
allows creation of information databases previously
unheard of
12. 1212/25/2019 12 12
12
Part 2 Access Control 12Security+ Guide to Network Security Fundamentals, Third Edition
12
1212
12 12 tohttps://github.com/syaifulahdan/
12
Privacy of Customer Information
Privacy of Customer Information Section of the
common carrier regulation
Federal Privacy Act of 1974
Electronic Communications Privacy Act of 1986
Health Insurance Portability and Accountability Act
of 1996 (HIPAA), aka Kennedy-Kassebaum Act
Financial Services Modernization Act, or Gramm-
Leach-Bliley Act of 1999
13. 1312/25/2019 13 13
13
Part 2 Access Control 13Security+ Guide to Network Security Fundamentals, Third Edition
13
1313
13 13 tohttps://github.com/syaifulahdan/
13
Identity Theft
Federal Trade Commission: “occurring when
someone uses your personally identifying
information, like your name, Social Security number,
or credit card number, without your permission, to
commit fraud or other crimes”
Fraud And Related Activity In Connection With
Identification Documents, Authentication Features,
And Information (Title 18, U.S.C. § 1028)
14. 1412/25/2019 14 14
14
Part 2 Access Control 14Security+ Guide to Network Security Fundamentals, Third Edition
14
1414
14 14 tohttps://github.com/syaifulahdan/
14
Export and Espionage Laws
Economic Espionage Act of 1996 (EEA)
Security And Freedom Through Encryption Act of
1999 (SAFE)
No teeth…
15. 1512/25/2019 15 15
15
Part 2 Access Control 15Security+ Guide to Network Security Fundamentals, Third Edition
15
1515
15 15 tohttps://github.com/syaifulahdan/
15
Figure 3-1 – Export and
Espionage
16. 1612/25/2019 16 16
16
Part 2 Access Control 16Security+ Guide to Network Security Fundamentals, Third Edition
16
1616
16 16 tohttps://github.com/syaifulahdan/
16
U.S. Copyright Law
Intellectual property recognized as protected asset
in the U.S.; copyright law extends to electronic
formats
With proper acknowledgment, permissible to
include portions of others’ work as reference
U.S. Copyright Office Web site:
www.copyright.gov
17. 1712/25/2019 17 17
17
Part 2 Access Control 17Security+ Guide to Network Security Fundamentals, Third Edition
17
1717
17 17 tohttps://github.com/syaifulahdan/
17
Financial Reporting
Sarbanes-Oxley Act of 2002
Affects executive management of publicly traded
corporations and public accounting firms
Seeks to improve reliability and accuracy of financial
reporting and increase the accountability of corporate
governance in publicly traded companies
Penalties for noncompliance range from fines to jail
terms
18. 1812/25/2019 18 18
18
Part 2 Access Control 18Security+ Guide to Network Security Fundamentals, Third Edition
18
1818
18 18 tohttps://github.com/syaifulahdan/
18
Freedom of Information Act of 1966
(FOIA)
Allows access to federal agency records or
information not determined to be matter of national
security
U.S. government agencies required to disclose any
requested information upon receipt of written
request
Some information protected from disclosure
19. 1912/25/2019 19 19
19
Part 2 Access Control 19Security+ Guide to Network Security Fundamentals, Third Edition
19
1919
19 19 tohttps://github.com/syaifulahdan/
19
Digital Millennium Copyright Act (DMCA)
U.S. contribution to international effort to reduce
impact of copyright, trademark, and privacy
infringement
A response to European Union Directive 95/46/EC,
which adds protection to individuals with regard to
processing and free movement of personal data
20. 2012/25/2019 20 20
20
Part 2 Access Control 20Security+ Guide to Network Security Fundamentals, Third Edition
20
2020
20 20 tohttps://github.com/syaifulahdan/
20
State and Local Regulations
Restrictions on organizational computer technology
use exist at international, national, state, local levels
Information security professional responsible for
understanding state regulations and ensuring
organization is compliant with regulations
21. 2112/25/2019 21 21
21
Part 2 Access Control 21Security+ Guide to Network Security Fundamentals, Third Edition
21
2121
21 21 tohttps://github.com/syaifulahdan/
21
International Laws and Legal Bodies
IT professionals and IS practitioners should realize
that when organizations do business on the Internet,
they do business globally
Professionals must be sensitive to laws and ethical
values of many different cultures, societies, and
countries
Because of political complexities of relationships
among nations and differences in culture, there are
few international laws relating to privacy and
information security
These international laws are important but are limited
in their enforceability
22. 2212/25/2019 22 22
22
Part 2 Access Control 22Security+ Guide to Network Security Fundamentals, Third Edition
22
2222
22 22 tohttps://github.com/syaifulahdan/
22
European Union Cyber-Crime Convention
Establishes international task force overseeing
Internet security functions for standardized
international technology laws
Attempts to improve effectiveness of international
investigations into breaches of technology law
Well received by intellectual property rights
advocates due to emphasis on copyright
infringement prosecution
Lacks realistic provisions for enforcement
23. 2312/25/2019 23 23
23
Part 2 Access Control 23Security+ Guide to Network Security Fundamentals, Third Edition
23
2323
23 23 tohttps://github.com/syaifulahdan/
23
Figure 3-4 – EU Law Portal
24. 2412/25/2019 24 24
24
Part 2 Access Control 24Security+ Guide to Network Security Fundamentals, Third Edition
24
2424
24 24 tohttps://github.com/syaifulahdan/
24
Agreement on Trade-Related Aspects of
Intellectual Property Rights
Created by World Trade Organization (WTO)
First significant international effort to protect
intellectual property rights
Agreement covers five issues:
Application of basic principles of trading system and
international intellectual property agreements
Giving adequate protection to intellectual property
rights
Enforcement of those rights by countries in their own
territories
Settling intellectual property disputes
Transitional arrangements while new system is being
introduced
25. 2512/25/2019 25 25
25
Part 2 Access Control 25Security+ Guide to Network Security Fundamentals, Third Edition
25
2525
25 25 tohttps://github.com/syaifulahdan/
25
United Nations Charter
Makes provisions, to a degree, for information
security during information warfare (IW)
IW involves use of information technology to
conduct organized and lawful military operations
IW is relatively new type of warfare, although
military has been conducting electronic warfare
operations for decades
26. 2612/25/2019 26 26
26
Part 2 Access Control 26Security+ Guide to Network Security Fundamentals, Third Edition
26
2626
26 26 tohttps://github.com/syaifulahdan/
26
Ethics and Information Security
27. 2712/25/2019 27 27
27
Part 2 Access Control 27Security+ Guide to Network Security Fundamentals, Third Edition
27
2727
27 27 tohttps://github.com/syaifulahdan/
27
Ethical Differences Across Cultures
Cultural differences create difficulty in determining
what is and is not ethical
Difficulties arise when one nationality’s ethical
behavior conflicts with ethics of another national
group
Example: many of the ways in which Asian cultures
use computer technology is considered software
piracy by other nations
28. 2812/25/2019 28 28
28
Part 2 Access Control 28Security+ Guide to Network Security Fundamentals, Third Edition
28
2828
28 28 tohttps://github.com/syaifulahdan/
28
Ethics and Education
Overriding factor in leveling ethical perceptions
within a small population is education
Employees must be trained in expected behaviors of
an ethical employee, especially in areas of
information security
Proper ethical training vital to creating informed,
well prepared, and low-risk system user
29. 2912/25/2019 29 29
29
Part 2 Access Control 29Security+ Guide to Network Security Fundamentals, Third Edition
29
2929
29 29 tohttps://github.com/syaifulahdan/
29
Deterrence to Unethical and Illegal
Behavior
Three general causes of unethical and illegal
behavior: ignorance, accident, intent
Deterrence: best method for preventing an illegal or
unethical activity; e.g., laws, policies, technical
controls
Laws and policies only deter if three conditions are
present:
Fear of penalty
Probability of being caught
Probability of penalty being administered
30. 3012/25/2019 30 30
30
Part 2 Access Control 30Security+ Guide to Network Security Fundamentals, Third Edition
30
3030
30 30 tohttps://github.com/syaifulahdan/
30
Codes of Ethics and Professional
Organizations
Several professional organizations have established
codes of conduct/ethics
Codes of ethics can have positive effect;
unfortunately, many employers do not encourage
joining these professional organizations
Responsibility of security professionals to act
ethically and according to policies of employer,
professional organization, and laws of society
31. 3112/25/2019 31 31
31
Part 2 Access Control 31Security+ Guide to Network Security Fundamentals, Third Edition
31
3131
31 31 tohttps://github.com/syaifulahdan/
31
Association of Computing Machinery
(ACM)
ACM established in 1947 as “the world's first
educational and scientific computing society”
Code of ethics contains references to protecting
information confidentiality, causing no harm,
protecting others’ privacy, and respecting others’
intellectual property
32. 3212/25/2019 32 32
32
Part 2 Access Control 32Security+ Guide to Network Security Fundamentals, Third Edition
32
3232
32 32 tohttps://github.com/syaifulahdan/
32
International Information Systems
Security Certification Consortium, Inc.
(ISC)2
Nonprofit organization focusing on development
and implementation of information security
certifications and credentials
Code primarily designed for information security
professionals who have certification from (ISC)2
Code of ethics focuses on four mandatory canons
33. 3312/25/2019 33 33
33
Part 2 Access Control 33Security+ Guide to Network Security Fundamentals, Third Edition
33
3333
33 33 tohttps://github.com/syaifulahdan/
33
System Administration, Networking, and
Security Institute (SANS)
Professional organization with a large membership
dedicated to protection of information and systems
SANS offers set of certifications called Global
Information Assurance Certification (GIAC)
34. 3412/25/2019 34 34
34
Part 2 Access Control 34Security+ Guide to Network Security Fundamentals, Third Edition
34
3434
34 34 tohttps://github.com/syaifulahdan/
34
Information Systems Audit and Control
Association (ISACA)
Professional association with focus on auditing,
control, and security
Concentrates on providing IT control practices and
standards
ISACA has code of ethics for its professionals
35. 3512/25/2019 35 35
35
Part 2 Access Control 35Security+ Guide to Network Security Fundamentals, Third Edition
35
3535
35 35 tohttps://github.com/syaifulahdan/
35
Information Systems Security
Association (ISSA)
Nonprofit society of information security (IS)
professionals
Primary mission to bring together qualified IS
practitioners for information exchange and
educational development
Promotes code of ethics similar to (ISC)2, ISACA,
and ACM
36. 3612/25/2019 36 36
36
Part 2 Access Control 36Security+ Guide to Network Security Fundamentals, Third Edition
36
3636
36 36 tohttps://github.com/syaifulahdan/
36
Key U.S. Federal Agencies
Department of Homeland Security (DHS)
Federal Bureau of Investigation’s National
InfraGard Program
National Security Agency (NSA)
U.S. Secret Service
37. 3712/25/2019 37 37
37
Part 2 Access Control 37Security+ Guide to Network Security Fundamentals, Third Edition
37
3737
37 37 tohttps://github.com/syaifulahdan/
37
Summary
Laws: rules that mandate or prohibit certain
behavior in society; drawn from ethics
Ethics: define socially acceptable behaviors; based
on cultural mores (fixed moral attitudes or customs
of a particular group)
Types of law: civil, criminal, private, public
38. 3812/25/2019 38 38
38
Part 2 Access Control 38Security+ Guide to Network Security Fundamentals, Third Edition
38
3838
38 38 tohttps://github.com/syaifulahdan/
38
Summary (continued)
Relevant U.S. laws:
Computer Fraud and Abuse Act of 1986 (CFA Act)
National Information Infrastructure Protection Act of
1996
USA PATRIOT Act of 2001
USA PATRIOT Improvement and Reauthorization
Act
Computer Security Act of 1987
39. 3912/25/2019 39 39
39
Part 2 Access Control 39Security+ Guide to Network Security Fundamentals, Third Edition
39
3939
39 39 tohttps://github.com/syaifulahdan/
39
Summary (continued)
Many organizations have codes of conduct and/or
codes of ethics
Organization increases liability if it refuses to take
measures known as due care
Due diligence requires that organization make valid
effort to protect others and continually maintain that
effort