Uploaded bysyedatoobaaftab1
PPTX, PDF5 views

law_and_ethics_polocies_and_security.pptx

INFORMATION SEURITY PRESENTATION

Embed presentation

Download to read offline
Law & Ethics, Policies & Guidelines, and Security Awareness Information Security Reading: Chaps. 3, 5 in textbook 1
2 Introduction • You need to understand an organization’s legal, ethical responsibilities • To minimize liabilities and reduce risks, the information security practitioner must: – Understand current legal environment – Stay current with laws and regulations – Watch for emerging issues
3 Terminology (1) • See also page 89 of textbook • Cultural mores: fixed morals or customs of a group of people, form basis of ethics • Ethics: Rules that define socially acceptable behavior, not necessarily criminal, not enforced (via authority/courts) • Laws: Rules that mandate or prohibit behavior, enforced by governing authority (courts) – Laws carry sanctions of governing authority, ethics do not • Policy: “Organizational laws” – Expectations that define acceptable workplace behavior – General and broad, not aimed at specific technologies or procedures – To be enforceable, policy must be distributed, readily available, easily understood, and acknowledged by employees
4 Terminology (2) • Standards, guidelines, best practices: define what must be done to comply with policy, how to do so • Jurisdiction: a court’s right to hear a case if a wrong was committed in its territory or against its citizens • Long-arm jurisdiction: court’s ability to “reach far” and apply law (another state, country) • Case law: documentation about application of law in various cases • Liability: legal obligation beyond what’s required by law, increased if you fail to take due care • Due care: has been taken when employees know what is/isn’t acceptable, what the consequences are • Due diligence: sustained efforts to protect others
5 Types of Law • Civil: laws governing nation or state • Criminal: harmful actions to society, prosecuted by the state • Tort: individual lawsuits as recourse for “wrongs”, prosecuted by individual attorneys • Private: includes family, commercial, labor law • Public: includes criminal, administrative, constitutional law
6 Law and Information Security • In practice, you can be sued for almost anything; no “absolute” protection against litigation • Information security practices can: – Reduce likelihood that incidents result in lawsuits – Reduce likelihood that you lose (by showing due care, due diligence) – Minimize damages/awards – Help you respond effectively to incidents • We’ll focus on criminal laws. Know Table 3-1 in the book; FERPA, HIPAA, DMCA.
7 Relevant Federal Laws (General) • Computer Fraud and Abuse Act of 1986 (CFAA) • National Information Infrastructure Protection Act of 1996 • USA PATRIOT Act of 2001 (made permanent in 2006) – Broadens reach of law enforcement agencies – Broadens “protected” information regarding open records law – Increased accountability, sanctions against money laundering – National Security Letters: administrative subpoenas with permanent gag orders • Telecommunications Deregulation and Competition Act of 1996 • Communications Decency Act of 1996 (CDA) (partly struck down) • Computer Security Act of 1987: sets minimal federal government security standards
8 Relevant Federal Laws (Privacy) • Federal Privacy Act of 1974: Federal government • Electronic Communications Privacy Act of 1986: Regulates interception of electronic communications • Health Insurance Portability and Accountability Act of 1996 (HIPAA), Gramm-Leach-Bliley Act of 1999 (GLBA): Requires privacy policies in healthcare and financial industries, restricts sharing & use of customer info • Family Education Rights and Privacy Act (FERPA): Restricts distribution of “student academic records” (including names and grades) • Freedom of Information Act of 1966: can request info from gov’t, some info is protected • FACTA Red Flag regulation of 2009 (ID theft)
9 Relevant Federal Laws (Copyright) • Intellectual property (IP) protection in U.S., other countries • Copyright law extends to electronic formats • With citations, you can include brief portions of others’ work as reference (“fair use”) • U.S. Copyright Office website: http://www.copyright.gov • Digital Millennium Copyright Act of 1998 (DMCA): criminalizes circumvention of technological copyright protection measures (some exceptions)
10 State and Local Regulations • Restrictions on organizational computer technology use at state, local levels • Information security professional responsible for understanding applicable regulations, compliance • State of Ohio: – Ohio Rev. Code §1347: notify data breach victims – Open records, anti-spam laws
11 International Laws and Legal Bodies • European Council Cyber-Crime Convention: – International task force oversees Internet security functions for standardized international technology laws – Attempts to improve effectiveness of international investigations into breaches of technology law • General Data Protection Regulation (GDPR): requires website disclosure about data collection, user consent (Europe)
12 United Nations Charter • Makes provisions, to a degree, for information security during information warfare (IW) • IW uses information technology to conduct organized and lawful military operations • IW is fairly new type of warfare, although military has been conducting electronic warfare operations for decades
Ethics and Information Security 13
14 Ethical Differences Across Cultures • Cultural differences create difficulty in determining ethical behavior • Difficulties arise when one nationality’s ethical behavior conflicts with ethics of another national group • Example: many ways in which Asian cultures use computer technology considered piracy
15 Ethics and Education • Education levels ethical perceptions within a small group of people • Employees must be trained in expected behaviors, especially regarding information security • Proper ethical training vital to creating informed, well prepared, and low-risk system user
16 Association of Computing Machinery (ACM) • ACM established in 1947 as “world’s first educational and scientific computing society” • Code of ethics contains references to protecting information confidentiality, causing no harm, protecting others’ privacy, and respecting others’ intellectual property
17 Computer Security Institute (CSI) • Provides training to support computer, networking, and info. security professionals • Argued for adoption of ethical behavior among info. security professionals
18 Key U.S. Federal Agencies • Department of Homeland Security (DHS) • Federal Bureau of Investigation’s (FBI’s) National Infrastructure Protection Center (NIPC) • National Security Agency (NSA) • U.S. Secret Service
19 Policy, Standards and Practices • Communities of interest need to consider policies as starting point for security efforts • Policies direct how issues should be addressed and technologies used • Security policies are least expensive controls to execute but most difficult to implement • Shaping policy is difficult
20 OSU Policies and Standards • Policies – Responsible Use of University Computing & Network Resources – Archives & Retention – Merchant Services & Use of Credit Cards – Deployment, Use of Wireless Data Networks – Public Records – Data Policy – Personal Info Disclosure • Standards – University Computer Security Standards: • Min. Computer Security • Critical Server Security • Web Server Security • DB Server Security – Local Administrative Privilege Standard • See
21 Policy Management • Policies management needed due to change • To remain viable, security policies must have: – People responsible for reviews – A schedule of reviews – Method for recommending reviews – Specific policy issuance and revision date
22 Information Classification • Information classification an important aspect of policy (e.g., public, internal, classified) • Specific company policies may be classified, but general guidelines shared among companies • A clean desk policy stipulates that at end of business day, classified information is properly secured • Questions: – Feasibilities? – Benefits?
23 Security Education, Training, and Awareness Program • Security education, training and awareness (SETA) implementation should follow security policy – Designed to reduce accidental security breaches – Training builds on general knowledge employees need for their jobs (focused on security aspects)
24 Security Education  Everyone in an organization needs to be trained and aware of information security; not every member needs formal degree or certificate in information security  When formal education for individuals in security is needed, an employee can identify curriculum available from local institutions of higher learning or continuing education  A number of universities have formal coursework in information security
25 Security Training • Involves providing members of organization with detailed information and hands-on instruction designed to prepare them to perform their duties securely • Management of information security can develop customized in-house training or outsource the training program
Spheres of Security (Fig. 5- 15) 26
27 Design of Security Architecture • Defense in depth – Implementation of security in layers – Requires that organization establish sufficient security controls and safeguards so that an intruder faces multiple layers of controls • Security perimeter – Point at which an organization’s security protection ends and outside world begins – Does not apply to internal attacks from employee threats or on-site physical threats
28 Security Technology Components • Firewall: device that selectively allows information into/out of organization • Demilitarized Zone (DMZ): “no-man’s land” between inside, outside networks; some companies place Web servers here • Intrusion Detection Systems (IDSs): detects unauthorized (strange) activity on organizational network, individual machines, or both
Network Security Architecture (Fig. 5-18) 29
30 Summary • Laws: state-enforced rules that mandate or prohibit certain behavior; drawn from ethics • Ethics: define socially acceptable behaviors (may vary among groups) • Policies: organizational laws • Management needs to “set tone” for security practices, support their deployment

More Related Content

PPTX
02 Legal, Ethical, and Professional Issues in Information Security
bysappingtonkr
 
PPTX
Legal, Ethical, and Professional Issues In Information Security
byCarl Ceder
 
PPT
Ethics in IT Security
bymtvvvv
 
PPTX
Law and Order in PK in a country is most important
byAssadLeo1
 
PPT
Presentation on Law and Ethics in Information Security.ppt
byDawoodkhan980027
 
PDF
Lecture 8.pdf
byabdukadirabdullahuad
 
PDF
Cs8792 cns - unit i
byArthyR3
 
PPTX
egal, Ethical, and Professional Issues in Information Security.pptx
bysania82678
 
02 Legal, Ethical, and Professional Issues in Information Security
bysappingtonkr
 
Legal, Ethical, and Professional Issues In Information Security
byCarl Ceder
 
Ethics in IT Security
bymtvvvv
 
Law and Order in PK in a country is most important
byAssadLeo1
 
Presentation on Law and Ethics in Information Security.ppt
byDawoodkhan980027
 
Lecture 8.pdf
byabdukadirabdullahuad
 
Cs8792 cns - unit i
byArthyR3
 
egal, Ethical, and Professional Issues in Information Security.pptx
bysania82678
 

Similar to law_and_ethics_polocies_and_security.pptx

PPTX
Laws and ethics in information assurance
byakbarshah9596
 
PPTX
Legal-Ethical-Professionalin-IS.pptx
byShruthi48
 
PDF
3600-lecture3-legal-ethical-professional-issues.pdf
byabdukadirabdullahuad
 
PPTX
Whitman_Ch03.pptx
bySiphamandla9
 
PPTX
Law and Ethics in Information Security.pptx
byEdFeranil
 
PPTX
539547533-Law-and-Ethics-in-Information-Security-1.pptx
bySuvedha8
 
PPT
lesson333.ppt
byDEEPAK948083
 
PPTX
Security Policies and Standards
byprimeteacher32
 
PDF
CNIT 125: Ch 2. Security and Risk Management (Part 2)
bySam Bowne
 
PDF
541341322-3-ITE403-Whitman-Ch03-W3C1.pdf
byubaidullah75790
 
PPT
COMPUTER LAW, INVESTIGATION AND ETHICS DOMAIN
byamiable_indian
 
PPTX
Ehsan Kabir Solicitor-Ethics Frameworks
byEhsan kabir Solicitor
 
PPT
4482LawEthics 3333333333333333333333333333333333333333333333333...
bybahawalofficial218
 
PPT
4482LawEthics.pptwhich you should learns
byfillformadarsh
 
PPT
Law & Ethics.pptx - B.COM [Business Law]
bykaibinni5
 
PPT
4482 Law Ethics for Every Steps in Life and Business.ppt
byAlifahadHussain
 
PDF
CNIT 125: Ch 2. Security and Risk Management (Part 2)
bySam Bowne
 
PDF
Data Security Law and Management.pdf
byMeshalALshammari12
 
PPT
4482LawEthics.ppt
byLAXMIPRASANNA565999
 
PPTX
Chapter 3 - Lesson 1.pptx
byJhaiJhai6
 
Laws and ethics in information assurance
byakbarshah9596
 
Legal-Ethical-Professionalin-IS.pptx
byShruthi48
 
3600-lecture3-legal-ethical-professional-issues.pdf
byabdukadirabdullahuad
 
Whitman_Ch03.pptx
bySiphamandla9
 
Law and Ethics in Information Security.pptx
byEdFeranil
 
539547533-Law-and-Ethics-in-Information-Security-1.pptx
bySuvedha8
 
lesson333.ppt
byDEEPAK948083
 
Security Policies and Standards
byprimeteacher32
 
CNIT 125: Ch 2. Security and Risk Management (Part 2)
bySam Bowne
 
541341322-3-ITE403-Whitman-Ch03-W3C1.pdf
byubaidullah75790
 
COMPUTER LAW, INVESTIGATION AND ETHICS DOMAIN
byamiable_indian
 
Ehsan Kabir Solicitor-Ethics Frameworks
byEhsan kabir Solicitor
 
4482LawEthics 3333333333333333333333333333333333333333333333333...
bybahawalofficial218
 
4482LawEthics.pptwhich you should learns
byfillformadarsh
 
Law & Ethics.pptx - B.COM [Business Law]
bykaibinni5
 
4482 Law Ethics for Every Steps in Life and Business.ppt
byAlifahadHussain
 
CNIT 125: Ch 2. Security and Risk Management (Part 2)
bySam Bowne
 
Data Security Law and Management.pdf
byMeshalALshammari12
 
4482LawEthics.ppt
byLAXMIPRASANNA565999
 
Chapter 3 - Lesson 1.pptx
byJhaiJhai6
 

Recently uploaded

PPTX
AN Introduction to UNIX File System—An Approach
bysonjuktaweb
 
PDF
MAD (1).pdf Mobile application develipment
byprathiT1
 
PDF
Achieving Interoperability in Healthcare IT: A Strategic Guide
byHart, Inc.
 
PDF
Unit 1.2 Components of a Computer System.pdf
bySanieBautista
 
PPTX
AI Bot Traffic Surge: Retail Fraud Threat for Age-Restricted Websites
byFTx Identity
 
PDF
Artificial Intelligence and Barbarism - Conceptual Map
byalfadix
 
PDF
A Brief Introduction About Christopher Elwell Woburn
byChristopher Elwell Woburn
 
PPTX
Digital transformation success powered by EPM and NexInfo.pptx
byjayasuryanexinfo
 
PPTX
Cesium formate brine - A brief history - prepared by John Downs in May 2011
byJohn Downs
 
PDF
Top Benefits of Using KVM VPS Hosting for Growing Businesses
byEthernet Servers
 
PDF
Benefits of Using the IAC 500 Sensor for Ambient Conditions
byCS Instruments
 
PDF
Video Infrastructure_ Streaming Architecture and Delivery Systems.pdf
byTenbyte Limited
 
PPTX
Document Reconstruction using AI & Deep Learning
bysonjuktaweb
 
PDF
AI Driven & AI Native Development AI native development
byZainKarim7
 
PPTX
Why 2026 Could Be a Turning Point for Decentralized Exchanges.pptx
bycalliemorgan193
 
PPT
HDTV and DTV Standards: The United States Opts for a Digital HDTV Standard
byJeffrey Hart
 
PDF
“Lessons from Yesterday's Tomorrowland” by Scott M. Graffius
byScott M. Graffius
 
DOCX
Top Websites To ⭐Buy ⭐Old ⭐Gmail ⭐Accounts (PVA & Bulk) (5).docx
byBuy Old Gmail Accounts
 
PDF
Techbrains Baku 2025 by GoUP - all speaker session
byHusseinMalikMammadli
 
PDF
Small Business Automation: A Comprehensive Cost and ROI Guide
byAmelia Swank
 
AN Introduction to UNIX File System—An Approach
bysonjuktaweb
 
MAD (1).pdf Mobile application develipment
byprathiT1
 
Achieving Interoperability in Healthcare IT: A Strategic Guide
byHart, Inc.
 
Unit 1.2 Components of a Computer System.pdf
bySanieBautista
 
AI Bot Traffic Surge: Retail Fraud Threat for Age-Restricted Websites
byFTx Identity
 
Artificial Intelligence and Barbarism - Conceptual Map
byalfadix
 
A Brief Introduction About Christopher Elwell Woburn
byChristopher Elwell Woburn
 
Digital transformation success powered by EPM and NexInfo.pptx
byjayasuryanexinfo
 
Cesium formate brine - A brief history - prepared by John Downs in May 2011
byJohn Downs
 
Top Benefits of Using KVM VPS Hosting for Growing Businesses
byEthernet Servers
 
Benefits of Using the IAC 500 Sensor for Ambient Conditions
byCS Instruments
 
Video Infrastructure_ Streaming Architecture and Delivery Systems.pdf
byTenbyte Limited
 
Document Reconstruction using AI & Deep Learning
bysonjuktaweb
 
AI Driven & AI Native Development AI native development
byZainKarim7
 
Why 2026 Could Be a Turning Point for Decentralized Exchanges.pptx
bycalliemorgan193
 
HDTV and DTV Standards: The United States Opts for a Digital HDTV Standard
byJeffrey Hart
 
“Lessons from Yesterday's Tomorrowland” by Scott M. Graffius
byScott M. Graffius
 
Top Websites To ⭐Buy ⭐Old ⭐Gmail ⭐Accounts (PVA & Bulk) (5).docx
byBuy Old Gmail Accounts
 
Techbrains Baku 2025 by GoUP - all speaker session
byHusseinMalikMammadli
 
Small Business Automation: A Comprehensive Cost and ROI Guide
byAmelia Swank
 

law_and_ethics_polocies_and_security.pptx

  • 1.
    Law & Ethics,Policies & Guidelines, and Security Awareness Information Security Reading: Chaps. 3, 5 in textbook 1
  • 2.
    2 Introduction • You needto understand an organization’s legal, ethical responsibilities • To minimize liabilities and reduce risks, the information security practitioner must: – Understand current legal environment – Stay current with laws and regulations – Watch for emerging issues
  • 3.
    3 Terminology (1) • See alsopage 89 of textbook • Cultural mores: fixed morals or customs of a group of people, form basis of ethics • Ethics: Rules that define socially acceptable behavior, not necessarily criminal, not enforced (via authority/courts) • Laws: Rules that mandate or prohibit behavior, enforced by governing authority (courts) – Laws carry sanctions of governing authority, ethics do not • Policy: “Organizational laws” – Expectations that define acceptable workplace behavior – General and broad, not aimed at specific technologies or procedures – To be enforceable, policy must be distributed, readily available, easily understood, and acknowledged by employees
  • 4.
    4 Terminology (2) • Standards, guidelines,best practices: define what must be done to comply with policy, how to do so • Jurisdiction: a court’s right to hear a case if a wrong was committed in its territory or against its citizens • Long-arm jurisdiction: court’s ability to “reach far” and apply law (another state, country) • Case law: documentation about application of law in various cases • Liability: legal obligation beyond what’s required by law, increased if you fail to take due care • Due care: has been taken when employees know what is/isn’t acceptable, what the consequences are • Due diligence: sustained efforts to protect others
  • 5.
    5 Types of Law •Civil: laws governing nation or state • Criminal: harmful actions to society, prosecuted by the state • Tort: individual lawsuits as recourse for “wrongs”, prosecuted by individual attorneys • Private: includes family, commercial, labor law • Public: includes criminal, administrative, constitutional law
  • 6.
    6 Law and InformationSecurity • In practice, you can be sued for almost anything; no “absolute” protection against litigation • Information security practices can: – Reduce likelihood that incidents result in lawsuits – Reduce likelihood that you lose (by showing due care, due diligence) – Minimize damages/awards – Help you respond effectively to incidents • We’ll focus on criminal laws. Know Table 3-1 in the book; FERPA, HIPAA, DMCA.
  • 7.
    7 Relevant Federal Laws(General) • Computer Fraud and Abuse Act of 1986 (CFAA) • National Information Infrastructure Protection Act of 1996 • USA PATRIOT Act of 2001 (made permanent in 2006) – Broadens reach of law enforcement agencies – Broadens “protected” information regarding open records law – Increased accountability, sanctions against money laundering – National Security Letters: administrative subpoenas with permanent gag orders • Telecommunications Deregulation and Competition Act of 1996 • Communications Decency Act of 1996 (CDA) (partly struck down) • Computer Security Act of 1987: sets minimal federal government security standards
  • 8.
    8 Relevant Federal Laws(Privacy) • Federal Privacy Act of 1974: Federal government • Electronic Communications Privacy Act of 1986: Regulates interception of electronic communications • Health Insurance Portability and Accountability Act of 1996 (HIPAA), Gramm-Leach-Bliley Act of 1999 (GLBA): Requires privacy policies in healthcare and financial industries, restricts sharing & use of customer info • Family Education Rights and Privacy Act (FERPA): Restricts distribution of “student academic records” (including names and grades) • Freedom of Information Act of 1966: can request info from gov’t, some info is protected • FACTA Red Flag regulation of 2009 (ID theft)
  • 9.
    9 Relevant Federal Laws(Copyright) • Intellectual property (IP) protection in U.S., other countries • Copyright law extends to electronic formats • With citations, you can include brief portions of others’ work as reference (“fair use”) • U.S. Copyright Office website: http://www.copyright.gov • Digital Millennium Copyright Act of 1998 (DMCA): criminalizes circumvention of technological copyright protection measures (some exceptions)
  • 10.
    10 State and LocalRegulations • Restrictions on organizational computer technology use at state, local levels • Information security professional responsible for understanding applicable regulations, compliance • State of Ohio: – Ohio Rev. Code §1347: notify data breach victims – Open records, anti-spam laws
  • 11.
    11 International Laws andLegal Bodies • European Council Cyber-Crime Convention: – International task force oversees Internet security functions for standardized international technology laws – Attempts to improve effectiveness of international investigations into breaches of technology law • General Data Protection Regulation (GDPR): requires website disclosure about data collection, user consent (Europe)
  • 12.
    12 United Nations Charter •Makes provisions, to a degree, for information security during information warfare (IW) • IW uses information technology to conduct organized and lawful military operations • IW is fairly new type of warfare, although military has been conducting electronic warfare operations for decades
  • 13.
  • 14.
    14 Ethical Differences AcrossCultures • Cultural differences create difficulty in determining ethical behavior • Difficulties arise when one nationality’s ethical behavior conflicts with ethics of another national group • Example: many ways in which Asian cultures use computer technology considered piracy
  • 15.
    15 Ethics and Education •Education levels ethical perceptions within a small group of people • Employees must be trained in expected behaviors, especially regarding information security • Proper ethical training vital to creating informed, well prepared, and low-risk system user
  • 16.
    16 Association of ComputingMachinery (ACM) • ACM established in 1947 as “world’s first educational and scientific computing society” • Code of ethics contains references to protecting information confidentiality, causing no harm, protecting others’ privacy, and respecting others’ intellectual property
  • 17.
    17 Computer Security Institute(CSI) • Provides training to support computer, networking, and info. security professionals • Argued for adoption of ethical behavior among info. security professionals
  • 18.
    18 Key U.S. Federal Agencies •Department of Homeland Security (DHS) • Federal Bureau of Investigation’s (FBI’s) National Infrastructure Protection Center (NIPC) • National Security Agency (NSA) • U.S. Secret Service
  • 19.
    19 Policy, Standards andPractices • Communities of interest need to consider policies as starting point for security efforts • Policies direct how issues should be addressed and technologies used • Security policies are least expensive controls to execute but most difficult to implement • Shaping policy is difficult
  • 20.
    20 OSU Policies andStandards • Policies – Responsible Use of University Computing & Network Resources – Archives & Retention – Merchant Services & Use of Credit Cards – Deployment, Use of Wireless Data Networks – Public Records – Data Policy – Personal Info Disclosure • Standards – University Computer Security Standards: • Min. Computer Security • Critical Server Security • Web Server Security • DB Server Security – Local Administrative Privilege Standard • See
  • 21.
    21 Policy Management • Policiesmanagement needed due to change • To remain viable, security policies must have: – People responsible for reviews – A schedule of reviews – Method for recommending reviews – Specific policy issuance and revision date
  • 22.
    22 Information Classification • Informationclassification an important aspect of policy (e.g., public, internal, classified) • Specific company policies may be classified, but general guidelines shared among companies • A clean desk policy stipulates that at end of business day, classified information is properly secured • Questions: – Feasibilities? – Benefits?
  • 23.
    23 Security Education, Training,and Awareness Program • Security education, training and awareness (SETA) implementation should follow security policy – Designed to reduce accidental security breaches – Training builds on general knowledge employees need for their jobs (focused on security aspects)
  • 24.
    24 Security Education  Everyonein an organization needs to be trained and aware of information security; not every member needs formal degree or certificate in information security  When formal education for individuals in security is needed, an employee can identify curriculum available from local institutions of higher learning or continuing education  A number of universities have formal coursework in information security
  • 25.
    25 Security Training • Involvesproviding members of organization with detailed information and hands-on instruction designed to prepare them to perform their duties securely • Management of information security can develop customized in-house training or outsource the training program
  • 26.
    Spheres of Security(Fig. 5- 15) 26
  • 27.
    27 Design of SecurityArchitecture • Defense in depth – Implementation of security in layers – Requires that organization establish sufficient security controls and safeguards so that an intruder faces multiple layers of controls • Security perimeter – Point at which an organization’s security protection ends and outside world begins – Does not apply to internal attacks from employee threats or on-site physical threats
  • 28.
    28 Security Technology Components •Firewall: device that selectively allows information into/out of organization • Demilitarized Zone (DMZ): “no-man’s land” between inside, outside networks; some companies place Web servers here • Intrusion Detection Systems (IDSs): detects unauthorized (strange) activity on organizational network, individual machines, or both
  • 29.
  • 30.
    30 Summary • Laws: state-enforcedrules that mandate or prohibit certain behavior; drawn from ethics • Ethics: define socially acceptable behaviors (may vary among groups) • Policies: organizational laws • Management needs to “set tone” for security practices, support their deployment