SlideShare a Scribd company logo
1 of 60
TransformingLives. InventingtheFuture. www.iit.edu
I ELLINOIS T UINS TI T
OF TECHNOLOGY
ITM 478/578 1
Legal, Ethical & Professional Issues
Ray Trygstad
ITM 478 / IT 478 / ITM 578 Spring 2005
Information Technology & Management Programs
CenterforProfessional Development
Slides based on Whitman, M. and Mattord, H., Principles of InformationSecurity; Thomson Course Technology 2003
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 2
ILLINOIS INSTITUTE OF TECHNOLOGY
Objectives
Upon completion of this lesson
students should be able to:
– Differentiate between laws and ethics
– Identify major national laws that relate
to the practice of information security
– Discuss the role of culture as it applies
to ethics in information security
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 3
ILLINOIS INSTITUTE OF TECHNOLOGY
Law and Ethics in Information Security
Laws - rules adopted for determining
expected behavior
– Laws drawn from ethics
Ethics define socially acceptable
behaviors
Ethics based on cultural mores:
fixed moral attitudes or customs of
a particular group
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 4
ILLINOIS INSTITUTE OF TECHNOLOGY
Types of Law
Civil law
Criminal law
Tort law
Private law
Public law
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 5
ILLINOIS INSTITUTE OF TECHNOLOGY
Relevant U.S. Laws - General
 Computer Fraud and Abuse Act of 1986
 National Information Infrastructure
Protection Act of 1996
 USA Patriot Act of 2001
 Telecommunications Deregulation and
Competition Act of 1996
 Communications Decency Act (CDA)
 Computer Security Act of 1987
 Digital Millennium Copyright Act of 1998
 Sarbanes-Oxley Act of 2002
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 6
ILLINOIS INSTITUTE OF TECHNOLOGY
Privacy
 Privacy: one of the hottest topics in
information
 Ability to collect information, combine facts
from separate sources, and merge with other
information results in collections of
information previously impossible to create
 Aggregation of data from multiple sources
permits unethical organizations to build
databases of facts with frightening
capabilities
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 7
ILLINOIS INSTITUTE OF TECHNOLOGY
Privacy in the U.S.
 Not a Constitutional right but has been
construed by the courts
– “Reasonable expectation” of privacy
 Working definition:
– right not to be disturbed
– right to be anonymous
– right not to be monitored
– right not to have one’s identifying information
exploited
 Construed Constitutional guarantees of
privacy apply only to the Federal
Government
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 8
ILLINOIS INSTITUTE OF TECHNOLOGY
Privacy of Customer Information
 Privacy of Customer Information Section of
Common Carrier Regulations
 Federal Privacy Act of 1974
 The Electronic Communications Privacy Act
of 1986
 The Health Insurance Portability &
Accountability Act Of 1996 (HIPAA) also
known as the Kennedy-Kassebaum Act
 The Financial Services Modernization Act or
Gramm-Leach-Bliley Act of 1999
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 9
ILLINOIS INSTITUTE OF TECHNOLOGY
Freedom of Information Act of 1966 (FOIA)
The Freedom of Information Act
provides any person with the right to
request access to federal agency
records or information, not determined
to be in the interest of national security
– US Government agencies required to
disclose requested information on receipt
of a written request
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 10
ILLINOIS INSTITUTE OF TECHNOLOGY
Freedom of Information Act of 1966 (FOIA)
Exceptions for information protected
from disclosure
Act does not apply to
– Congress or Federal courts
– state or local government agencies
– private businesses or individuals
Many states have their own version
of the FOIA
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 11
ILLINOIS INSTITUTE OF TECHNOLOGY
Freedom of Information Act of 2000 (UK)
In 2000, the United Kingdom passed
their Freedom of Information Act
– Very similar in all respects to U.S. law
– More exceptions
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 12
ILLINOIS INSTITUTE OF TECHNOLOGY
European Union Model
 European Union Directive 95/46/EC effective
October 1998 increases protection of
individuals in processing of personal data &
limits free movement of such data
– Strong consumer protection
– Only allows gathering of information necessary for
transaction
– Personal data cannot be transferred to another
company without permission
 United Kingdom had implemented a version
of this directive called the Database Right
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 13
ILLINOIS INSTITUTE OF TECHNOLOGY
EU Law Portal
Figure 3-4
European Union
Law Web site
http://europa.eu.int/eur-lex/en/
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 14
ILLINOIS INSTITUTE OF TECHNOLOGY
International Laws and Legal Bodies
Council of Europe: European Council
Cyber-Crime Convention
– Creates an international task force to
oversee a range of security functions
associated with Internet activities,
– Standardizes technology laws across
international borders
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 15
ILLINOIS INSTITUTE OF TECHNOLOGY
International Laws and Legal Bodies
European Council Cyber-Crime
Convention
– Also attempts to improve effectiveness of
international investigations into breaches
of technology law
Well received by advocates of
intellectual property rights with
emphasis on copyright infringement
prosecution
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 16
ILLINOIS INSTITUTE OF TECHNOLOGY
UN International Law
Figure 3-46
United Nations
International
Law Web site
http://www.un.org/law/
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 17
ILLINOIS INSTITUTE OF TECHNOLOGY
Export and Espionage Laws
Economic Espionage Act (EEA)
of 1996
Security and Freedom Through
Encryption Act of 1997 (SAFE)
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 18
ILLINOIS INSTITUTE OF TECHNOLOGY
What is a Copyright?
Set of exclusive legal rights authors
have over their works for a limited
period of time; these rights include
– copying the works (including parts of the
works)
– making derivative works
– distributing the works
– performing the works (showing a movie or
playing an audio recording, as well as
performing a dramatic work)
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 19
ILLINOIS INSTITUTE OF TECHNOLOGY
What is a Copyright?
Copyright exists upon creation
– Author’s rights begin when an original
work of authorship is fixed in a tangible
medium
A work does not have to bear a
copyright notice or be registered to
be copyrighted
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 20
ILLINOIS INSTITUTE OF TECHNOLOGY
US Copyright Law
Intellectual property is recognized as a
protected asset in the US
US copyright law extends this right to
the published word, including electronic
formats
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 21
ILLINOIS INSTITUTE OF TECHNOLOGY
US Copyright Law: Fair Use
Fair use of copyrighted materials
includes
– the use to support news reporting,
teaching, scholarship, and a number of
other related permissions
– the purpose of the use has to be for
educational or library purposes, not for
profit, and should not be excessive
DMCA (more on this in a minute)
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 22
ILLINOIS INSTITUTE OF TECHNOLOGY
What is Fair Use?
Allow for limited copying or
distribution of published works
without author’s permission
– Examples:
•Quotation of excerpts in a review or critique
•copying of a small part of a work by a teacher
or student to illustrate a lesson
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 23
ILLINOIS INSTITUTE OF TECHNOLOGY
What is Fair Use?
Determination of fair use based on:
– Purpose and nature of the use
– Nature of the copyrighted work
– Nature and substantiality of the material
used
– Effect of use on the potential market for or
value of the work
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 24
ILLINOIS INSTITUTE OF TECHNOLOGY
What is Fair Use?
As Kerry Konrad, co-lead litigation
counsel for Lotus Development
Corporation, succinctly said, “if your
use is private, limited, and for the
purpose of reference and illustration
only, it’s likely to be fair.”
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 25
ILLINOIS INSTITUTE OF TECHNOLOGY
Licensing of Copyrights
If fair use does not apply, using
another’s intellectual property
requires a license
A license is not a given—the owner
does not have to grant a license nor
give any explanation when they don’t
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 26
ILLINOIS INSTITUTE OF TECHNOLOGY
Licensing of Copyrights
 Placing materials on the Web does NOT
place them in the Public Domain unless
such assignment is specifically made
– Some Web sites contain content such as clipart,
buttons, bars, backgrounds, photos, where either
the items have been placed in the public domain
or a license for their use is clearly granted
– Otherwise all works online—graphic arts as well
as text—are protected by copyright, and your
reuse requires a license
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 27
ILLINOIS INSTITUTE OF TECHNOLOGY
US Copyright Office
Figure 3-3
U.S. Copyright
Office Web site
http://www.loc.gov/copyright/
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 28
ILLINOIS INSTITUTE OF TECHNOLOGY
Digital Millennium Copyright Act (DMCA)
The Digital Millennium Copyright Act
(DMCA) is the US version of an
international effort to reduce the
impact of copyright, trademark, and
privacy infringement
Many legal experts feel DMCA
illegally infringes on Fair Use and has
other adverse effects
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 29
ILLINOIS INSTITUTE OF TECHNOLOGY
Impact of DMCA
Critics claim DCMA has had the
following impacts (among others):
– DMCA is being used to silence researchers,
computer scientists and critics
– Corporations are using it against the
public
– Public/College radio stations can no longer
afford to webcast
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 30
ILLINOIS INSTITUTE OF TECHNOLOGY
Impact of DMCA
Also has had a stifling effect on
computer security research as
prohibits the circumvention of copy
protection and the distribution of
devices that can be used to circumvent
copyrights
– In doing so it treats publishing of security
vulnerabilities as a violation of the law
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 31
ILLINOIS INSTITUTE OF TECHNOLOGY
Sarbanes-Oxley Act
Created to address accounting
“irregularities” (Enron, etc.)
Requires internal controls & internal
controls reporting
– As part of this, general computer controls
must be implemented and documented
Information security controls are a key
component of general computer controls
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 32
ILLINOIS INSTITUTE OF TECHNOLOGY
Sarbanes-Oxley Act
 Section 404 -- Management Assessment
of Internal Controls
 Rules Required. The [Securities and
Exchange] Commission shall prescribe rules
requiring each annual report…to contain an
internal control report, which shall--
– state the responsibility of management for
establishing and maintaining an adequate
internal control structure and procedures for
financial reporting; and
– contain an assessment, as of the end of the most
recent fiscal year of the issuer, of the
effectiveness of the internal control structure and
procedures of the issuer for financial reporting
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 33
ILLINOIS INSTITUTE OF TECHNOLOGY
Sarbanes-Oxley Act
Access controls, authorization,
auditability, data integrity and
availability (disaster recovery) are
key elements of controls to ensure
compliance with section 404
Because there is external financial
auditor involvement in assuring
rules compliance, this draws audit
firms into IT security auditing or at
least verification of IT security audits
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 34
ILLINOIS INSTITUTE OF TECHNOLOGY
State & Local Regulations
Each state or locality may have laws
and regulations that impact the use of
computer technology
Information security professionals have
a responsibility to understand state
laws and regulations and insure
organization’s security policies and
procedures comply
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 35
ILLINOIS INSTITUTE OF TECHNOLOGY
United Nations Charter
To some degree the United Nations
Charter provides provisions for
information security during
Information Warfare
Information Warfare (IW) involves use
of information technology to conduct
offensive operations as part of an
organized and lawful military operation
by a sovereign state
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 36
ILLINOIS INSTITUTE OF TECHNOLOGY
Information Warfare
IW is a relatively new application of
warfare, although the military has been
conducting electronic warfare and
counter-warfare operations for decades,
jamming, intercepting, and spoofing
enemy communications
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 37
ILLINOIS INSTITUTE OF TECHNOLOGY
Policy Versus Law
Most organizations develop and formalize
a body of expectations called policy
Policies function in an organization like
laws
For a policy to become enforceable, it
must meet certain standards
Only when all conditions are met, does
the organization have a reasonable
expectation of effective policy
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 38
ILLINOIS INSTITUTE OF TECHNOLOGY
Standards for Enforceable Policy
Enforceable policy must be:
– Distributed to all individuals who are
expected to comply
– Readily available for employee reference
– Easily understood with multi-language
translations and translations for visually
impaired, or literacy-impaired employees
– Acknowledged by the employee, usually by
means of a signed consent form
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 39
ILLINOIS INSTITUTE OF TECHNOLOGY
Content of Corporate Use Policies
 Rights
 Responsibilities
 Privileges
 Prohibitions
– Activities
– Uses
• “business only” (strict)
or “business and
reasonable personal use”
(loose)
• Similar to telephone use
policies
– Harassment
– Overloading resources
 Tracking
– What tracking will be
done
– Who will do it
– What circumstances
– How will the information
will be stored
– Who will have access to it
 Communicating
information
 Virus detection
 Export restrictions
 Waiver of Privacy
 Disclaimers
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 40
ILLINOIS INSTITUTE OF TECHNOLOGY
Ethical Concepts in Information Security
10 Commandments of Computer Ethics
from The Computer Ethics Institute
1. Thou shalt not use a computer to harm other
people.
2. Thou shalt not interfere with other people’s
computer work.
3. Thou shalt not snoop around in other
people’s computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false
witness [lie].
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 41
ILLINOIS INSTITUTE OF TECHNOLOGY
Ethical Concepts in Information Security
10 Commandments of Computer Ethics
from The Computer Ethics Institute
6. Thou shalt not copy or use proprietary software for
which you have not paid.
7. Thou shalt not use other people’s computer resources
without authorization or proper compensation.
8. Thou shalt not appropriate other people’s
intellectual output.
9. Thou shalt think about the social consequences of
the program you are writing or the system you are
designing.
10. Thou shalt always use a computer in ways that
insure consideration and respect for your fellow
humans.
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 42
ILLINOIS INSTITUTE OF TECHNOLOGY
Cultural Differences in Ethical Concepts
 Differences in cultures cause problems in
determining what is ethical and what is not
ethical
 Studies of ethical sensitivity to computer use
reveal different nationalities have different
perspectives
 Difficulties arise when one nationality’s
ethical behavior contradicts that of another
national group
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 43
ILLINOIS INSTITUTE OF TECHNOLOGY
Ethics and Education
 Employees must be trained in topics related
to information security, including expected
behaviors of an ethical employee
 Especially important in areas of information
security; many employees may not have the
formal technical training to understand what
behavior is unethical or illegal
 Proper ethical and legal training is vital to
creating an informed, well prepared, and
low-risk system user
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 44
ILLINOIS INSTITUTE OF TECHNOLOGY
Deterrence to Unethical and Illegal Behavior
Deterrence - preventing an illegal or
unethical activity
– Examples of deterrents: Laws, policies,
technical controls
Laws and policies only deter if three
conditions are present:
– Fear of penalty
– Probability of being caught
– Probability of penalty being administered
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 45
ILLINOIS INSTITUTE OF TECHNOLOGY
Codes of Ethics, Certifications, and Professional Organizations
 Many organizations have codes of conduct
and/or codes of ethics
– Codes of ethics can have a positive effect
– Unfortunately, having a code of ethics is not
enough
 Security professionals must act ethically
and according to the policies and
procedures of their employer, their
professional organization, and the laws of
society
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 46
ILLINOIS INSTITUTE OF TECHNOLOGY
Association of Computing Machinery
The ACM (www.acm.org) is a respected
professional society
– originally established in 1947 as “the
world’s first educational and scientific
computing society”
Their code of ethics requires members
to perform their duties in a manner
befitting an ethical computing
professional
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 47
ILLINOIS INSTITUTE OF TECHNOLOGY
Association of Computing Machinery
The code contains specific references to
protecting the confidentiality of
information, causing no harm,
protecting the privacy of others, and
respecting the intellectual property and
copyrights of others
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 48
ILLINOIS INSTITUTE OF TECHNOLOGY
International Information Systems Security Certification Consortium
The (ISC)2
(www.isc2.org) is a non-profit
organization
– focuses on the development and
implementation of information security
certifications and credentials
The code of ethics put forth by (ISC)2
is
primarily designed for information
security professionals who have earned
a certification from (ISC)2
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 49
ILLINOIS INSTITUTE OF TECHNOLOGY
(ISC)2
Code
 (ISC)2
code focuses on four mandatory
canons:
– Protect society, the commonwealth, and
the infrastructure
– Act honorably, honestly, justly,
responsibly, and legally
– Provide diligent and competent service to
principals
– Advance and protect the profession
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 50
ILLINOIS INSTITUTE OF TECHNOLOGY
System Administration, Networking, and Security Institute
The System Administration,
Networking, and Security Institute, or
SANS (www.sans.org), is a professional
organization with a large membership
dedicated to the protection of
information and systems
SANS offers a certifications called the
Global Information Assurance
Certification or GIAC
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 51
ILLINOIS INSTITUTE OF TECHNOLOGY
Information Systems Audit and Control Association
The Information Systems Audit and
Control Association or ISACA
(www.isaca.org) is a professional
association with a focus on auditing,
control, and security
Although it does not focus exclusively
on information security, the Certified
Information Systems Auditor or CISA
certification does contain many
information security components
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 52
ILLINOIS INSTITUTE OF TECHNOLOGY
Information Systems Audit and Control Association
The ISACA also has a code of ethics
for professionals
Requires many of the same high
standards for ethical performance as
the other organizations and
certifications
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 53
ILLINOIS INSTITUTE OF TECHNOLOGY
CSI - Computer Security Institute
 The Computer Security Institute
(www.gocsi.com) provides information and
certification to support the computer,
networking, and information security
professional
 While CSI does not promote a single
certification certificate like the CISSP or
GISO, it does provide a range of technical
training classes in the areas of Internet
Security, Intrusion Management, Network
Security, Forensics, as well as technical
networking
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 54
ILLINOIS INSTITUTE OF TECHNOLOGY
Other Security Organizations
 Information Systems Security Association
(ISSA)® (www.issa.org)
 Internet Society or ISOC (www.isoc.org)
 Computer Security Division (CSD) of the
National Institute for Standards and
Technology (NIST)
– contains a resource center known as the Computer
Security Resource Center (csrc.nist.gov) housing
one of the most comprehensive sets of publicly
available information on the entire suite of
information security topics
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 55
ILLINOIS INSTITUTE OF TECHNOLOGY
Other Security Organizations
CERT® Coordination Center or
CERT/CC (www.cert.org) is a center of
Internet security expertise operated by
Carnegie Mellon University
Computer Professionals for Social
Responsibility (CPSR) promotes the
development of ethical computing
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 56
ILLINOIS INSTITUTE OF TECHNOLOGY
Key U.S. Federal Agencies
The Department of Homeland
Security’s National Infrastructure
Protection Center (NIPC)
(www.nipc.gov)
– National InfraGard Program
National Security Agency (NSA)
– The NSA is “the Nation’s cryptologic
organization”
– NSA Information Assurance Directorate
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 57
ILLINOIS INSTITUTE OF TECHNOLOGY
Other Key Federal Agencies
Figure 3-14
U.S. Secret
Service Web site
http://www.secretservice.gov/
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 58
ILLINOIS INSTITUTE OF TECHNOLOGY
Organizational Liability and the Need for Counsel
 Liability is the legal obligation of an entity
– Liability extends beyond legal obligation or
contract to include liability for a wrongful act and
the legal obligation to make restitution
– An organization increases its liability if it refuses
to take strong measures known as due care
 Due diligence requires that an organization
make a valid effort to protect others and
continually maintain this level of effort
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 59
ILLINOIS INSTITUTE OF TECHNOLOGY
Our Private Directory for this Course
Answers to chapter review questions
InfoSec Library as self-extracting .zip
file (distributed on CD to live students)
Can only be accessed from Blackboard
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 478/578 60
ILLINOIS INSTITUTE OF TECHNOLOGY
The End…
Questions?

More Related Content

What's hot

Legal, Ethical, and Professional Issues In Information Security
Legal, Ethical, and Professional Issues In Information SecurityLegal, Ethical, and Professional Issues In Information Security
Legal, Ethical, and Professional Issues In Information SecurityCarl Ceder
 
Right to privacy on internet and Data Protection
Right to privacy on internet and Data ProtectionRight to privacy on internet and Data Protection
Right to privacy on internet and Data Protectionatuljaybhaye
 
Chapter 5 Planning for Security-students.ppt
Chapter 5 Planning for Security-students.pptChapter 5 Planning for Security-students.ppt
Chapter 5 Planning for Security-students.pptShruthi48
 
Chapter 10: Information Systems Acquisition, Development, and Maintenance
			Chapter 10:  Information  Systems Acquisition, Development, and Maintenance			Chapter 10:  Information  Systems Acquisition, Development, and Maintenance
Chapter 10: Information Systems Acquisition, Development, and MaintenanceNada G.Youssef
 
Why is Cyber Security Important - Importance of Cyber Security - Avantika Uni...
Why is Cyber Security Important - Importance of Cyber Security - Avantika Uni...Why is Cyber Security Important - Importance of Cyber Security - Avantika Uni...
Why is Cyber Security Important - Importance of Cyber Security - Avantika Uni...Avantika University
 
Chapter2 the need to security
Chapter2 the need to securityChapter2 the need to security
Chapter2 the need to securityDhani Ahmad
 
Basics of Information System Security
Basics of Information System SecurityBasics of Information System Security
Basics of Information System Securitychauhankapil
 
Presentation on Information Privacy
Presentation on Information PrivacyPresentation on Information Privacy
Presentation on Information PrivacyPerry Slack
 
Introduction to Cyber Crime
Introduction to Cyber CrimeIntroduction to Cyber Crime
Introduction to Cyber CrimeDr Raghu Khimani
 
Social, Legal & Ethical Aspects of Computing.
Social, Legal & Ethical Aspects of Computing.Social, Legal & Ethical Aspects of Computing.
Social, Legal & Ethical Aspects of Computing.muhammad-Sulaiman
 
Computer misuse and criminal law
Computer misuse and criminal lawComputer misuse and criminal law
Computer misuse and criminal lawZaheer Irshad
 
Physical security
Physical securityPhysical security
Physical securityDhani Ahmad
 

What's hot (20)

Legal, Ethical, and Professional Issues In Information Security
Legal, Ethical, and Professional Issues In Information SecurityLegal, Ethical, and Professional Issues In Information Security
Legal, Ethical, and Professional Issues In Information Security
 
Ethics in-information-security
Ethics in-information-securityEthics in-information-security
Ethics in-information-security
 
Computer crime
 Computer crime Computer crime
Computer crime
 
Whitman_Ch02.pptx
Whitman_Ch02.pptxWhitman_Ch02.pptx
Whitman_Ch02.pptx
 
Internet Ethics
Internet EthicsInternet Ethics
Internet Ethics
 
Right to privacy on internet and Data Protection
Right to privacy on internet and Data ProtectionRight to privacy on internet and Data Protection
Right to privacy on internet and Data Protection
 
Cyber Laws
Cyber LawsCyber Laws
Cyber Laws
 
Chapter 5 Planning for Security-students.ppt
Chapter 5 Planning for Security-students.pptChapter 5 Planning for Security-students.ppt
Chapter 5 Planning for Security-students.ppt
 
Chapter 10: Information Systems Acquisition, Development, and Maintenance
			Chapter 10:  Information  Systems Acquisition, Development, and Maintenance			Chapter 10:  Information  Systems Acquisition, Development, and Maintenance
Chapter 10: Information Systems Acquisition, Development, and Maintenance
 
cyber crime
cyber crimecyber crime
cyber crime
 
Why is Cyber Security Important - Importance of Cyber Security - Avantika Uni...
Why is Cyber Security Important - Importance of Cyber Security - Avantika Uni...Why is Cyber Security Important - Importance of Cyber Security - Avantika Uni...
Why is Cyber Security Important - Importance of Cyber Security - Avantika Uni...
 
Chapter2 the need to security
Chapter2 the need to securityChapter2 the need to security
Chapter2 the need to security
 
Security policy
Security policySecurity policy
Security policy
 
Basics of Information System Security
Basics of Information System SecurityBasics of Information System Security
Basics of Information System Security
 
Ethical issues in cyberspace
Ethical issues in cyberspaceEthical issues in cyberspace
Ethical issues in cyberspace
 
Presentation on Information Privacy
Presentation on Information PrivacyPresentation on Information Privacy
Presentation on Information Privacy
 
Introduction to Cyber Crime
Introduction to Cyber CrimeIntroduction to Cyber Crime
Introduction to Cyber Crime
 
Social, Legal & Ethical Aspects of Computing.
Social, Legal & Ethical Aspects of Computing.Social, Legal & Ethical Aspects of Computing.
Social, Legal & Ethical Aspects of Computing.
 
Computer misuse and criminal law
Computer misuse and criminal lawComputer misuse and criminal law
Computer misuse and criminal law
 
Physical security
Physical securityPhysical security
Physical security
 

Viewers also liked

Privacy & security in heath care it
Privacy & security in heath care itPrivacy & security in heath care it
Privacy & security in heath care itDhani Ahmad
 
The information security audit
The information security auditThe information security audit
The information security auditDhani Ahmad
 
Islamic information seeking behavior
Islamic information seeking behaviorIslamic information seeking behavior
Islamic information seeking behaviorDhani Ahmad
 
Risk management i
Risk management iRisk management i
Risk management iDhani Ahmad
 
Security technologies
Security technologiesSecurity technologies
Security technologiesDhani Ahmad
 
The need for security
The need for securityThe need for security
The need for securityDhani Ahmad
 
Security and personnel
Security and personnelSecurity and personnel
Security and personnelDhani Ahmad
 
Risk management ii
Risk management iiRisk management ii
Risk management iiDhani Ahmad
 
Strategic planning
Strategic planningStrategic planning
Strategic planningDhani Ahmad
 
Opportunities, threats, industry competition, and competitor analysis
Opportunities, threats, industry competition, and competitor analysisOpportunities, threats, industry competition, and competitor analysis
Opportunities, threats, industry competition, and competitor analysisDhani Ahmad
 
Database design, implementation, and management -chapter02
Database design, implementation, and management -chapter02Database design, implementation, and management -chapter02
Database design, implementation, and management -chapter02Beni Krisbiantoro
 
Information system
Information systemInformation system
Information systemDhani Ahmad
 
Types of islamic institutions and records
Types of islamic institutions and recordsTypes of islamic institutions and records
Types of islamic institutions and recordsDhani Ahmad
 
Islamic information management
Islamic information managementIslamic information management
Islamic information managementDhani Ahmad
 
Islamic information management sources in islam
Islamic information management sources in islamIslamic information management sources in islam
Islamic information management sources in islamDhani Ahmad
 
Information resource management
Information resource managementInformation resource management
Information resource managementDhani Ahmad
 
Lecture 08 distributed dbms
Lecture 08 distributed dbmsLecture 08 distributed dbms
Lecture 08 distributed dbmsemailharmeet
 

Viewers also liked (20)

Privacy & security in heath care it
Privacy & security in heath care itPrivacy & security in heath care it
Privacy & security in heath care it
 
The information security audit
The information security auditThe information security audit
The information security audit
 
Islamic information seeking behavior
Islamic information seeking behaviorIslamic information seeking behavior
Islamic information seeking behavior
 
Risk management i
Risk management iRisk management i
Risk management i
 
Security technologies
Security technologiesSecurity technologies
Security technologies
 
The need for security
The need for securityThe need for security
The need for security
 
Security and personnel
Security and personnelSecurity and personnel
Security and personnel
 
Secure
SecureSecure
Secure
 
Risk management ii
Risk management iiRisk management ii
Risk management ii
 
Strategic planning
Strategic planningStrategic planning
Strategic planning
 
Opportunities, threats, industry competition, and competitor analysis
Opportunities, threats, industry competition, and competitor analysisOpportunities, threats, industry competition, and competitor analysis
Opportunities, threats, industry competition, and competitor analysis
 
Database design, implementation, and management -chapter02
Database design, implementation, and management -chapter02Database design, implementation, and management -chapter02
Database design, implementation, and management -chapter02
 
Information system
Information systemInformation system
Information system
 
Types of islamic institutions and records
Types of islamic institutions and recordsTypes of islamic institutions and records
Types of islamic institutions and records
 
Database - Design & Implementation - 1
Database - Design & Implementation - 1Database - Design & Implementation - 1
Database - Design & Implementation - 1
 
Islamic information management
Islamic information managementIslamic information management
Islamic information management
 
Islamic information management sources in islam
Islamic information management sources in islamIslamic information management sources in islam
Islamic information management sources in islam
 
Information resource management
Information resource managementInformation resource management
Information resource management
 
Database design
Database designDatabase design
Database design
 
Lecture 08 distributed dbms
Lecture 08 distributed dbmsLecture 08 distributed dbms
Lecture 08 distributed dbms
 

Similar to Legal, ethical & professional issues

Legal and ethical aspects
Legal and ethical aspectsLegal and ethical aspects
Legal and ethical aspectsCAS
 
Intellectual properties presentation
Intellectual properties presentationIntellectual properties presentation
Intellectual properties presentationDarylSavage
 
Legal, Ethical and professional issues in Information Security
Legal, Ethical and professional issues in Information SecurityLegal, Ethical and professional issues in Information Security
Legal, Ethical and professional issues in Information SecurityGamentortc
 
Itechlaw conferene presentation 15th feb 2013 the quest over identity the iss...
Itechlaw conferene presentation 15th feb 2013 the quest over identity the iss...Itechlaw conferene presentation 15th feb 2013 the quest over identity the iss...
Itechlaw conferene presentation 15th feb 2013 the quest over identity the iss...Prof. (Dr.) Tabrez Ahmad
 
Societal impacts PART 1
Societal impacts PART 1Societal impacts PART 1
Societal impacts PART 1AVISHITYAGI
 
Chapter 3 - Lesson 2.pptx
Chapter 3 - Lesson 2.pptxChapter 3 - Lesson 2.pptx
Chapter 3 - Lesson 2.pptxJhaiJhai6
 
Information Assurance And Security - Chapter 3 - Lesson 2
Information Assurance And Security - Chapter 3 - Lesson 2Information Assurance And Security - Chapter 3 - Lesson 2
Information Assurance And Security - Chapter 3 - Lesson 2MLG College of Learning, Inc
 
Intellectual Property in Professional Practices
Intellectual Property in Professional PracticesIntellectual Property in Professional Practices
Intellectual Property in Professional PracticesSaji909
 
Social Media and Legal Ethics
Social Media and Legal EthicsSocial Media and Legal Ethics
Social Media and Legal Ethicsanthonywong
 
Intellectual Property, Sri Lanka and Copyrights
Intellectual Property, Sri Lanka and CopyrightsIntellectual Property, Sri Lanka and Copyrights
Intellectual Property, Sri Lanka and CopyrightsUpekha Vandebona
 
Legal and ethical issues associated with modern technologies
Legal and ethical issues associated with modern technologiesLegal and ethical issues associated with modern technologies
Legal and ethical issues associated with modern technologiesSheila Mable
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information securityDhani Ahmad
 
CYBERSECURITY LEGISLATION
CYBERSECURITY LEGISLATIONCYBERSECURITY LEGISLATION
CYBERSECURITY LEGISLATION3.com
 
Presentation Ict
Presentation IctPresentation Ict
Presentation Ictsafa
 

Similar to Legal, ethical & professional issues (20)

ISC Chapter 3.pdf
ISC Chapter 3.pdfISC Chapter 3.pdf
ISC Chapter 3.pdf
 
Legal and ethical aspects
Legal and ethical aspectsLegal and ethical aspects
Legal and ethical aspects
 
Presentation ict3992
Presentation ict3992Presentation ict3992
Presentation ict3992
 
Intellectual properties presentation
Intellectual properties presentationIntellectual properties presentation
Intellectual properties presentation
 
Legal, Ethical and professional issues in Information Security
Legal, Ethical and professional issues in Information SecurityLegal, Ethical and professional issues in Information Security
Legal, Ethical and professional issues in Information Security
 
Itechlaw conferene presentation 15th feb 2013 the quest over identity the iss...
Itechlaw conferene presentation 15th feb 2013 the quest over identity the iss...Itechlaw conferene presentation 15th feb 2013 the quest over identity the iss...
Itechlaw conferene presentation 15th feb 2013 the quest over identity the iss...
 
lesson333.ppt
lesson333.pptlesson333.ppt
lesson333.ppt
 
Societal impacts PART 1
Societal impacts PART 1Societal impacts PART 1
Societal impacts PART 1
 
Chapter 3 - Lesson 2.pptx
Chapter 3 - Lesson 2.pptxChapter 3 - Lesson 2.pptx
Chapter 3 - Lesson 2.pptx
 
Lesson 2
Lesson 2Lesson 2
Lesson 2
 
Information Assurance And Security - Chapter 3 - Lesson 2
Information Assurance And Security - Chapter 3 - Lesson 2Information Assurance And Security - Chapter 3 - Lesson 2
Information Assurance And Security - Chapter 3 - Lesson 2
 
Lesson 2-Identify Theft
Lesson 2-Identify TheftLesson 2-Identify Theft
Lesson 2-Identify Theft
 
Intellectual Property in Professional Practices
Intellectual Property in Professional PracticesIntellectual Property in Professional Practices
Intellectual Property in Professional Practices
 
Social Media and Legal Ethics
Social Media and Legal EthicsSocial Media and Legal Ethics
Social Media and Legal Ethics
 
Intellectual Property, Sri Lanka and Copyrights
Intellectual Property, Sri Lanka and CopyrightsIntellectual Property, Sri Lanka and Copyrights
Intellectual Property, Sri Lanka and Copyrights
 
REVISED TRIPs_SLIDES.ppt
REVISED TRIPs_SLIDES.pptREVISED TRIPs_SLIDES.ppt
REVISED TRIPs_SLIDES.ppt
 
Legal and ethical issues associated with modern technologies
Legal and ethical issues associated with modern technologiesLegal and ethical issues associated with modern technologies
Legal and ethical issues associated with modern technologies
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
 
CYBERSECURITY LEGISLATION
CYBERSECURITY LEGISLATIONCYBERSECURITY LEGISLATION
CYBERSECURITY LEGISLATION
 
Presentation Ict
Presentation IctPresentation Ict
Presentation Ict
 

More from Dhani Ahmad

Strategic information system planning
Strategic information system planningStrategic information system planning
Strategic information system planningDhani Ahmad
 
Information security as an ongoing effort
Information security as an ongoing effortInformation security as an ongoing effort
Information security as an ongoing effortDhani Ahmad
 
Implementing security
Implementing securityImplementing security
Implementing securityDhani Ahmad
 
Disaster recovery & business continuity
Disaster recovery & business continuityDisaster recovery & business continuity
Disaster recovery & business continuityDhani Ahmad
 
Topic 12 report & presentations
Topic 12   report & presentationsTopic 12   report & presentations
Topic 12 report & presentationsDhani Ahmad
 
Topic 11 data management
Topic 11   data managementTopic 11   data management
Topic 11 data managementDhani Ahmad
 
Topic 10 sample designs & procedures
Topic 10   sample designs & proceduresTopic 10   sample designs & procedures
Topic 10 sample designs & proceduresDhani Ahmad
 
Topic 9 secondary data sources
Topic 9   secondary data sourcesTopic 9   secondary data sources
Topic 9 secondary data sourcesDhani Ahmad
 
Topic 8 questionnaire design
Topic 8   questionnaire designTopic 8   questionnaire design
Topic 8 questionnaire designDhani Ahmad
 
Topic 7 measurement in research
Topic 7   measurement in researchTopic 7   measurement in research
Topic 7 measurement in researchDhani Ahmad
 

More from Dhani Ahmad (10)

Strategic information system planning
Strategic information system planningStrategic information system planning
Strategic information system planning
 
Information security as an ongoing effort
Information security as an ongoing effortInformation security as an ongoing effort
Information security as an ongoing effort
 
Implementing security
Implementing securityImplementing security
Implementing security
 
Disaster recovery & business continuity
Disaster recovery & business continuityDisaster recovery & business continuity
Disaster recovery & business continuity
 
Topic 12 report & presentations
Topic 12   report & presentationsTopic 12   report & presentations
Topic 12 report & presentations
 
Topic 11 data management
Topic 11   data managementTopic 11   data management
Topic 11 data management
 
Topic 10 sample designs & procedures
Topic 10   sample designs & proceduresTopic 10   sample designs & procedures
Topic 10 sample designs & procedures
 
Topic 9 secondary data sources
Topic 9   secondary data sourcesTopic 9   secondary data sources
Topic 9 secondary data sources
 
Topic 8 questionnaire design
Topic 8   questionnaire designTopic 8   questionnaire design
Topic 8 questionnaire design
 
Topic 7 measurement in research
Topic 7   measurement in researchTopic 7   measurement in research
Topic 7 measurement in research
 

Recently uploaded

Washington Football Commanders Redskins Feathers Shirt
Washington Football Commanders Redskins Feathers ShirtWashington Football Commanders Redskins Feathers Shirt
Washington Football Commanders Redskins Feathers Shirtrahman018755
 
一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书F
 
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样AS
 
The Rise of Subscription-Based Digital Services.pdf
The Rise of Subscription-Based Digital Services.pdfThe Rise of Subscription-Based Digital Services.pdf
The Rise of Subscription-Based Digital Services.pdfe-Market Hub
 
一比一定制加州大学欧文分校毕业证学位证书
一比一定制加州大学欧文分校毕业证学位证书一比一定制加州大学欧文分校毕业证学位证书
一比一定制加州大学欧文分校毕业证学位证书A
 
一比一原版布兰迪斯大学毕业证如何办理
一比一原版布兰迪斯大学毕业证如何办理一比一原版布兰迪斯大学毕业证如何办理
一比一原版布兰迪斯大学毕业证如何办理A
 
Loker Pemandu Lagu LC Semarang 085746015303
Loker Pemandu Lagu LC Semarang 085746015303Loker Pemandu Lagu LC Semarang 085746015303
Loker Pemandu Lagu LC Semarang 085746015303Dewi Agency
 
Lowongan Kerja LC Yogyakarta Terbaru 085746015303
Lowongan Kerja LC Yogyakarta Terbaru 085746015303Lowongan Kerja LC Yogyakarta Terbaru 085746015303
Lowongan Kerja LC Yogyakarta Terbaru 085746015303Dewi Agency
 
原版定制(LBS毕业证书)英国伦敦商学院毕业证原件一模一样
原版定制(LBS毕业证书)英国伦敦商学院毕业证原件一模一样原版定制(LBS毕业证书)英国伦敦商学院毕业证原件一模一样
原版定制(LBS毕业证书)英国伦敦商学院毕业证原件一模一样AS
 
如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证
如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证
如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证hfkmxufye
 
一比一原版桑佛德大学毕业证成绩单申请学校Offer快速办理
一比一原版桑佛德大学毕业证成绩单申请学校Offer快速办理一比一原版桑佛德大学毕业证成绩单申请学校Offer快速办理
一比一原版桑佛德大学毕业证成绩单申请学校Offer快速办理apekaom
 
一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样
一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样
一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样AS
 
Abortion Pills In Jeddah+966572737505 & Get cytotec Jeddah
Abortion Pills In Jeddah+966572737505 & Get cytotec JeddahAbortion Pills In Jeddah+966572737505 & Get cytotec Jeddah
Abortion Pills In Jeddah+966572737505 & Get cytotec Jeddahmarufhussain782445
 
HUMANIZE YOUR BRAND - FREE E-WORKBOOK Download Now
HUMANIZE YOUR BRAND - FREE E-WORKBOOK Download NowHUMANIZE YOUR BRAND - FREE E-WORKBOOK Download Now
HUMANIZE YOUR BRAND - FREE E-WORKBOOK Download NowIdeoholics
 
原版定制英国赫瑞瓦特大学毕业证原件一模一样
原版定制英国赫瑞瓦特大学毕业证原件一模一样原版定制英国赫瑞瓦特大学毕业证原件一模一样
原版定制英国赫瑞瓦特大学毕业证原件一模一样AS
 
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC
 
@OBAT ABORSI 3 BULAN@ OBAT PENGGUGUR KANDUNGAN 3 BULAN (087776558899)
@OBAT ABORSI 3 BULAN@ OBAT PENGGUGUR KANDUNGAN 3 BULAN (087776558899)@OBAT ABORSI 3 BULAN@ OBAT PENGGUGUR KANDUNGAN 3 BULAN (087776558899)
@OBAT ABORSI 3 BULAN@ OBAT PENGGUGUR KANDUNGAN 3 BULAN (087776558899)Obat Cytotec
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at  CaribNOG 27APNIC Updates presented by Paul Wilson at  CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27APNIC
 
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样Fi
 
一比一原版澳大利亚迪肯大学毕业证如何办理
一比一原版澳大利亚迪肯大学毕业证如何办理一比一原版澳大利亚迪肯大学毕业证如何办理
一比一原版澳大利亚迪肯大学毕业证如何办理SS
 

Recently uploaded (20)

Washington Football Commanders Redskins Feathers Shirt
Washington Football Commanders Redskins Feathers ShirtWashington Football Commanders Redskins Feathers Shirt
Washington Football Commanders Redskins Feathers Shirt
 
一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书
 
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
 
The Rise of Subscription-Based Digital Services.pdf
The Rise of Subscription-Based Digital Services.pdfThe Rise of Subscription-Based Digital Services.pdf
The Rise of Subscription-Based Digital Services.pdf
 
一比一定制加州大学欧文分校毕业证学位证书
一比一定制加州大学欧文分校毕业证学位证书一比一定制加州大学欧文分校毕业证学位证书
一比一定制加州大学欧文分校毕业证学位证书
 
一比一原版布兰迪斯大学毕业证如何办理
一比一原版布兰迪斯大学毕业证如何办理一比一原版布兰迪斯大学毕业证如何办理
一比一原版布兰迪斯大学毕业证如何办理
 
Loker Pemandu Lagu LC Semarang 085746015303
Loker Pemandu Lagu LC Semarang 085746015303Loker Pemandu Lagu LC Semarang 085746015303
Loker Pemandu Lagu LC Semarang 085746015303
 
Lowongan Kerja LC Yogyakarta Terbaru 085746015303
Lowongan Kerja LC Yogyakarta Terbaru 085746015303Lowongan Kerja LC Yogyakarta Terbaru 085746015303
Lowongan Kerja LC Yogyakarta Terbaru 085746015303
 
原版定制(LBS毕业证书)英国伦敦商学院毕业证原件一模一样
原版定制(LBS毕业证书)英国伦敦商学院毕业证原件一模一样原版定制(LBS毕业证书)英国伦敦商学院毕业证原件一模一样
原版定制(LBS毕业证书)英国伦敦商学院毕业证原件一模一样
 
如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证
如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证
如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证
 
一比一原版桑佛德大学毕业证成绩单申请学校Offer快速办理
一比一原版桑佛德大学毕业证成绩单申请学校Offer快速办理一比一原版桑佛德大学毕业证成绩单申请学校Offer快速办理
一比一原版桑佛德大学毕业证成绩单申请学校Offer快速办理
 
一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样
一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样
一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样
 
Abortion Pills In Jeddah+966572737505 & Get cytotec Jeddah
Abortion Pills In Jeddah+966572737505 & Get cytotec JeddahAbortion Pills In Jeddah+966572737505 & Get cytotec Jeddah
Abortion Pills In Jeddah+966572737505 & Get cytotec Jeddah
 
HUMANIZE YOUR BRAND - FREE E-WORKBOOK Download Now
HUMANIZE YOUR BRAND - FREE E-WORKBOOK Download NowHUMANIZE YOUR BRAND - FREE E-WORKBOOK Download Now
HUMANIZE YOUR BRAND - FREE E-WORKBOOK Download Now
 
原版定制英国赫瑞瓦特大学毕业证原件一模一样
原版定制英国赫瑞瓦特大学毕业证原件一模一样原版定制英国赫瑞瓦特大学毕业证原件一模一样
原版定制英国赫瑞瓦特大学毕业证原件一模一样
 
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
 
@OBAT ABORSI 3 BULAN@ OBAT PENGGUGUR KANDUNGAN 3 BULAN (087776558899)
@OBAT ABORSI 3 BULAN@ OBAT PENGGUGUR KANDUNGAN 3 BULAN (087776558899)@OBAT ABORSI 3 BULAN@ OBAT PENGGUGUR KANDUNGAN 3 BULAN (087776558899)
@OBAT ABORSI 3 BULAN@ OBAT PENGGUGUR KANDUNGAN 3 BULAN (087776558899)
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at  CaribNOG 27APNIC Updates presented by Paul Wilson at  CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27
 
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
 
一比一原版澳大利亚迪肯大学毕业证如何办理
一比一原版澳大利亚迪肯大学毕业证如何办理一比一原版澳大利亚迪肯大学毕业证如何办理
一比一原版澳大利亚迪肯大学毕业证如何办理
 

Legal, ethical & professional issues

  • 1. TransformingLives. InventingtheFuture. www.iit.edu I ELLINOIS T UINS TI T OF TECHNOLOGY ITM 478/578 1 Legal, Ethical & Professional Issues Ray Trygstad ITM 478 / IT 478 / ITM 578 Spring 2005 Information Technology & Management Programs CenterforProfessional Development Slides based on Whitman, M. and Mattord, H., Principles of InformationSecurity; Thomson Course Technology 2003
  • 2. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 2 ILLINOIS INSTITUTE OF TECHNOLOGY Objectives Upon completion of this lesson students should be able to: – Differentiate between laws and ethics – Identify major national laws that relate to the practice of information security – Discuss the role of culture as it applies to ethics in information security
  • 3. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 3 ILLINOIS INSTITUTE OF TECHNOLOGY Law and Ethics in Information Security Laws - rules adopted for determining expected behavior – Laws drawn from ethics Ethics define socially acceptable behaviors Ethics based on cultural mores: fixed moral attitudes or customs of a particular group
  • 4. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 4 ILLINOIS INSTITUTE OF TECHNOLOGY Types of Law Civil law Criminal law Tort law Private law Public law
  • 5. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 5 ILLINOIS INSTITUTE OF TECHNOLOGY Relevant U.S. Laws - General  Computer Fraud and Abuse Act of 1986  National Information Infrastructure Protection Act of 1996  USA Patriot Act of 2001  Telecommunications Deregulation and Competition Act of 1996  Communications Decency Act (CDA)  Computer Security Act of 1987  Digital Millennium Copyright Act of 1998  Sarbanes-Oxley Act of 2002
  • 6. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 6 ILLINOIS INSTITUTE OF TECHNOLOGY Privacy  Privacy: one of the hottest topics in information  Ability to collect information, combine facts from separate sources, and merge with other information results in collections of information previously impossible to create  Aggregation of data from multiple sources permits unethical organizations to build databases of facts with frightening capabilities
  • 7. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 7 ILLINOIS INSTITUTE OF TECHNOLOGY Privacy in the U.S.  Not a Constitutional right but has been construed by the courts – “Reasonable expectation” of privacy  Working definition: – right not to be disturbed – right to be anonymous – right not to be monitored – right not to have one’s identifying information exploited  Construed Constitutional guarantees of privacy apply only to the Federal Government
  • 8. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 8 ILLINOIS INSTITUTE OF TECHNOLOGY Privacy of Customer Information  Privacy of Customer Information Section of Common Carrier Regulations  Federal Privacy Act of 1974  The Electronic Communications Privacy Act of 1986  The Health Insurance Portability & Accountability Act Of 1996 (HIPAA) also known as the Kennedy-Kassebaum Act  The Financial Services Modernization Act or Gramm-Leach-Bliley Act of 1999
  • 9. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 9 ILLINOIS INSTITUTE OF TECHNOLOGY Freedom of Information Act of 1966 (FOIA) The Freedom of Information Act provides any person with the right to request access to federal agency records or information, not determined to be in the interest of national security – US Government agencies required to disclose requested information on receipt of a written request
  • 10. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 10 ILLINOIS INSTITUTE OF TECHNOLOGY Freedom of Information Act of 1966 (FOIA) Exceptions for information protected from disclosure Act does not apply to – Congress or Federal courts – state or local government agencies – private businesses or individuals Many states have their own version of the FOIA
  • 11. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 11 ILLINOIS INSTITUTE OF TECHNOLOGY Freedom of Information Act of 2000 (UK) In 2000, the United Kingdom passed their Freedom of Information Act – Very similar in all respects to U.S. law – More exceptions
  • 12. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 12 ILLINOIS INSTITUTE OF TECHNOLOGY European Union Model  European Union Directive 95/46/EC effective October 1998 increases protection of individuals in processing of personal data & limits free movement of such data – Strong consumer protection – Only allows gathering of information necessary for transaction – Personal data cannot be transferred to another company without permission  United Kingdom had implemented a version of this directive called the Database Right
  • 13. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 13 ILLINOIS INSTITUTE OF TECHNOLOGY EU Law Portal Figure 3-4 European Union Law Web site http://europa.eu.int/eur-lex/en/
  • 14. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 14 ILLINOIS INSTITUTE OF TECHNOLOGY International Laws and Legal Bodies Council of Europe: European Council Cyber-Crime Convention – Creates an international task force to oversee a range of security functions associated with Internet activities, – Standardizes technology laws across international borders
  • 15. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 15 ILLINOIS INSTITUTE OF TECHNOLOGY International Laws and Legal Bodies European Council Cyber-Crime Convention – Also attempts to improve effectiveness of international investigations into breaches of technology law Well received by advocates of intellectual property rights with emphasis on copyright infringement prosecution
  • 16. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 16 ILLINOIS INSTITUTE OF TECHNOLOGY UN International Law Figure 3-46 United Nations International Law Web site http://www.un.org/law/
  • 17. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 17 ILLINOIS INSTITUTE OF TECHNOLOGY Export and Espionage Laws Economic Espionage Act (EEA) of 1996 Security and Freedom Through Encryption Act of 1997 (SAFE)
  • 18. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 18 ILLINOIS INSTITUTE OF TECHNOLOGY What is a Copyright? Set of exclusive legal rights authors have over their works for a limited period of time; these rights include – copying the works (including parts of the works) – making derivative works – distributing the works – performing the works (showing a movie or playing an audio recording, as well as performing a dramatic work)
  • 19. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 19 ILLINOIS INSTITUTE OF TECHNOLOGY What is a Copyright? Copyright exists upon creation – Author’s rights begin when an original work of authorship is fixed in a tangible medium A work does not have to bear a copyright notice or be registered to be copyrighted
  • 20. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 20 ILLINOIS INSTITUTE OF TECHNOLOGY US Copyright Law Intellectual property is recognized as a protected asset in the US US copyright law extends this right to the published word, including electronic formats
  • 21. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 21 ILLINOIS INSTITUTE OF TECHNOLOGY US Copyright Law: Fair Use Fair use of copyrighted materials includes – the use to support news reporting, teaching, scholarship, and a number of other related permissions – the purpose of the use has to be for educational or library purposes, not for profit, and should not be excessive DMCA (more on this in a minute)
  • 22. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 22 ILLINOIS INSTITUTE OF TECHNOLOGY What is Fair Use? Allow for limited copying or distribution of published works without author’s permission – Examples: •Quotation of excerpts in a review or critique •copying of a small part of a work by a teacher or student to illustrate a lesson
  • 23. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 23 ILLINOIS INSTITUTE OF TECHNOLOGY What is Fair Use? Determination of fair use based on: – Purpose and nature of the use – Nature of the copyrighted work – Nature and substantiality of the material used – Effect of use on the potential market for or value of the work
  • 24. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 24 ILLINOIS INSTITUTE OF TECHNOLOGY What is Fair Use? As Kerry Konrad, co-lead litigation counsel for Lotus Development Corporation, succinctly said, “if your use is private, limited, and for the purpose of reference and illustration only, it’s likely to be fair.”
  • 25. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 25 ILLINOIS INSTITUTE OF TECHNOLOGY Licensing of Copyrights If fair use does not apply, using another’s intellectual property requires a license A license is not a given—the owner does not have to grant a license nor give any explanation when they don’t
  • 26. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 26 ILLINOIS INSTITUTE OF TECHNOLOGY Licensing of Copyrights  Placing materials on the Web does NOT place them in the Public Domain unless such assignment is specifically made – Some Web sites contain content such as clipart, buttons, bars, backgrounds, photos, where either the items have been placed in the public domain or a license for their use is clearly granted – Otherwise all works online—graphic arts as well as text—are protected by copyright, and your reuse requires a license
  • 27. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 27 ILLINOIS INSTITUTE OF TECHNOLOGY US Copyright Office Figure 3-3 U.S. Copyright Office Web site http://www.loc.gov/copyright/
  • 28. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 28 ILLINOIS INSTITUTE OF TECHNOLOGY Digital Millennium Copyright Act (DMCA) The Digital Millennium Copyright Act (DMCA) is the US version of an international effort to reduce the impact of copyright, trademark, and privacy infringement Many legal experts feel DMCA illegally infringes on Fair Use and has other adverse effects
  • 29. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 29 ILLINOIS INSTITUTE OF TECHNOLOGY Impact of DMCA Critics claim DCMA has had the following impacts (among others): – DMCA is being used to silence researchers, computer scientists and critics – Corporations are using it against the public – Public/College radio stations can no longer afford to webcast
  • 30. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 30 ILLINOIS INSTITUTE OF TECHNOLOGY Impact of DMCA Also has had a stifling effect on computer security research as prohibits the circumvention of copy protection and the distribution of devices that can be used to circumvent copyrights – In doing so it treats publishing of security vulnerabilities as a violation of the law
  • 31. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 31 ILLINOIS INSTITUTE OF TECHNOLOGY Sarbanes-Oxley Act Created to address accounting “irregularities” (Enron, etc.) Requires internal controls & internal controls reporting – As part of this, general computer controls must be implemented and documented Information security controls are a key component of general computer controls
  • 32. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 32 ILLINOIS INSTITUTE OF TECHNOLOGY Sarbanes-Oxley Act  Section 404 -- Management Assessment of Internal Controls  Rules Required. The [Securities and Exchange] Commission shall prescribe rules requiring each annual report…to contain an internal control report, which shall-- – state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and – contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting
  • 33. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 33 ILLINOIS INSTITUTE OF TECHNOLOGY Sarbanes-Oxley Act Access controls, authorization, auditability, data integrity and availability (disaster recovery) are key elements of controls to ensure compliance with section 404 Because there is external financial auditor involvement in assuring rules compliance, this draws audit firms into IT security auditing or at least verification of IT security audits
  • 34. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 34 ILLINOIS INSTITUTE OF TECHNOLOGY State & Local Regulations Each state or locality may have laws and regulations that impact the use of computer technology Information security professionals have a responsibility to understand state laws and regulations and insure organization’s security policies and procedures comply
  • 35. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 35 ILLINOIS INSTITUTE OF TECHNOLOGY United Nations Charter To some degree the United Nations Charter provides provisions for information security during Information Warfare Information Warfare (IW) involves use of information technology to conduct offensive operations as part of an organized and lawful military operation by a sovereign state
  • 36. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 36 ILLINOIS INSTITUTE OF TECHNOLOGY Information Warfare IW is a relatively new application of warfare, although the military has been conducting electronic warfare and counter-warfare operations for decades, jamming, intercepting, and spoofing enemy communications
  • 37. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 37 ILLINOIS INSTITUTE OF TECHNOLOGY Policy Versus Law Most organizations develop and formalize a body of expectations called policy Policies function in an organization like laws For a policy to become enforceable, it must meet certain standards Only when all conditions are met, does the organization have a reasonable expectation of effective policy
  • 38. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 38 ILLINOIS INSTITUTE OF TECHNOLOGY Standards for Enforceable Policy Enforceable policy must be: – Distributed to all individuals who are expected to comply – Readily available for employee reference – Easily understood with multi-language translations and translations for visually impaired, or literacy-impaired employees – Acknowledged by the employee, usually by means of a signed consent form
  • 39. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 39 ILLINOIS INSTITUTE OF TECHNOLOGY Content of Corporate Use Policies  Rights  Responsibilities  Privileges  Prohibitions – Activities – Uses • “business only” (strict) or “business and reasonable personal use” (loose) • Similar to telephone use policies – Harassment – Overloading resources  Tracking – What tracking will be done – Who will do it – What circumstances – How will the information will be stored – Who will have access to it  Communicating information  Virus detection  Export restrictions  Waiver of Privacy  Disclaimers
  • 40. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 40 ILLINOIS INSTITUTE OF TECHNOLOGY Ethical Concepts in Information Security 10 Commandments of Computer Ethics from The Computer Ethics Institute 1. Thou shalt not use a computer to harm other people. 2. Thou shalt not interfere with other people’s computer work. 3. Thou shalt not snoop around in other people’s computer files. 4. Thou shalt not use a computer to steal. 5. Thou shalt not use a computer to bear false witness [lie].
  • 41. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 41 ILLINOIS INSTITUTE OF TECHNOLOGY Ethical Concepts in Information Security 10 Commandments of Computer Ethics from The Computer Ethics Institute 6. Thou shalt not copy or use proprietary software for which you have not paid. 7. Thou shalt not use other people’s computer resources without authorization or proper compensation. 8. Thou shalt not appropriate other people’s intellectual output. 9. Thou shalt think about the social consequences of the program you are writing or the system you are designing. 10. Thou shalt always use a computer in ways that insure consideration and respect for your fellow humans.
  • 42. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 42 ILLINOIS INSTITUTE OF TECHNOLOGY Cultural Differences in Ethical Concepts  Differences in cultures cause problems in determining what is ethical and what is not ethical  Studies of ethical sensitivity to computer use reveal different nationalities have different perspectives  Difficulties arise when one nationality’s ethical behavior contradicts that of another national group
  • 43. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 43 ILLINOIS INSTITUTE OF TECHNOLOGY Ethics and Education  Employees must be trained in topics related to information security, including expected behaviors of an ethical employee  Especially important in areas of information security; many employees may not have the formal technical training to understand what behavior is unethical or illegal  Proper ethical and legal training is vital to creating an informed, well prepared, and low-risk system user
  • 44. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 44 ILLINOIS INSTITUTE OF TECHNOLOGY Deterrence to Unethical and Illegal Behavior Deterrence - preventing an illegal or unethical activity – Examples of deterrents: Laws, policies, technical controls Laws and policies only deter if three conditions are present: – Fear of penalty – Probability of being caught – Probability of penalty being administered
  • 45. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 45 ILLINOIS INSTITUTE OF TECHNOLOGY Codes of Ethics, Certifications, and Professional Organizations  Many organizations have codes of conduct and/or codes of ethics – Codes of ethics can have a positive effect – Unfortunately, having a code of ethics is not enough  Security professionals must act ethically and according to the policies and procedures of their employer, their professional organization, and the laws of society
  • 46. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 46 ILLINOIS INSTITUTE OF TECHNOLOGY Association of Computing Machinery The ACM (www.acm.org) is a respected professional society – originally established in 1947 as “the world’s first educational and scientific computing society” Their code of ethics requires members to perform their duties in a manner befitting an ethical computing professional
  • 47. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 47 ILLINOIS INSTITUTE OF TECHNOLOGY Association of Computing Machinery The code contains specific references to protecting the confidentiality of information, causing no harm, protecting the privacy of others, and respecting the intellectual property and copyrights of others
  • 48. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 48 ILLINOIS INSTITUTE OF TECHNOLOGY International Information Systems Security Certification Consortium The (ISC)2 (www.isc2.org) is a non-profit organization – focuses on the development and implementation of information security certifications and credentials The code of ethics put forth by (ISC)2 is primarily designed for information security professionals who have earned a certification from (ISC)2
  • 49. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 49 ILLINOIS INSTITUTE OF TECHNOLOGY (ISC)2 Code  (ISC)2 code focuses on four mandatory canons: – Protect society, the commonwealth, and the infrastructure – Act honorably, honestly, justly, responsibly, and legally – Provide diligent and competent service to principals – Advance and protect the profession
  • 50. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 50 ILLINOIS INSTITUTE OF TECHNOLOGY System Administration, Networking, and Security Institute The System Administration, Networking, and Security Institute, or SANS (www.sans.org), is a professional organization with a large membership dedicated to the protection of information and systems SANS offers a certifications called the Global Information Assurance Certification or GIAC
  • 51. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 51 ILLINOIS INSTITUTE OF TECHNOLOGY Information Systems Audit and Control Association The Information Systems Audit and Control Association or ISACA (www.isaca.org) is a professional association with a focus on auditing, control, and security Although it does not focus exclusively on information security, the Certified Information Systems Auditor or CISA certification does contain many information security components
  • 52. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 52 ILLINOIS INSTITUTE OF TECHNOLOGY Information Systems Audit and Control Association The ISACA also has a code of ethics for professionals Requires many of the same high standards for ethical performance as the other organizations and certifications
  • 53. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 53 ILLINOIS INSTITUTE OF TECHNOLOGY CSI - Computer Security Institute  The Computer Security Institute (www.gocsi.com) provides information and certification to support the computer, networking, and information security professional  While CSI does not promote a single certification certificate like the CISSP or GISO, it does provide a range of technical training classes in the areas of Internet Security, Intrusion Management, Network Security, Forensics, as well as technical networking
  • 54. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 54 ILLINOIS INSTITUTE OF TECHNOLOGY Other Security Organizations  Information Systems Security Association (ISSA)® (www.issa.org)  Internet Society or ISOC (www.isoc.org)  Computer Security Division (CSD) of the National Institute for Standards and Technology (NIST) – contains a resource center known as the Computer Security Resource Center (csrc.nist.gov) housing one of the most comprehensive sets of publicly available information on the entire suite of information security topics
  • 55. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 55 ILLINOIS INSTITUTE OF TECHNOLOGY Other Security Organizations CERT® Coordination Center or CERT/CC (www.cert.org) is a center of Internet security expertise operated by Carnegie Mellon University Computer Professionals for Social Responsibility (CPSR) promotes the development of ethical computing
  • 56. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 56 ILLINOIS INSTITUTE OF TECHNOLOGY Key U.S. Federal Agencies The Department of Homeland Security’s National Infrastructure Protection Center (NIPC) (www.nipc.gov) – National InfraGard Program National Security Agency (NSA) – The NSA is “the Nation’s cryptologic organization” – NSA Information Assurance Directorate
  • 57. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 57 ILLINOIS INSTITUTE OF TECHNOLOGY Other Key Federal Agencies Figure 3-14 U.S. Secret Service Web site http://www.secretservice.gov/
  • 58. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 58 ILLINOIS INSTITUTE OF TECHNOLOGY Organizational Liability and the Need for Counsel  Liability is the legal obligation of an entity – Liability extends beyond legal obligation or contract to include liability for a wrongful act and the legal obligation to make restitution – An organization increases its liability if it refuses to take strong measures known as due care  Due diligence requires that an organization make a valid effort to protect others and continually maintain this level of effort
  • 59. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 59 ILLINOIS INSTITUTE OF TECHNOLOGY Our Private Directory for this Course Answers to chapter review questions InfoSec Library as self-extracting .zip file (distributed on CD to live students) Can only be accessed from Blackboard
  • 60. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 478/578 60 ILLINOIS INSTITUTE OF TECHNOLOGY The End… Questions?

Editor's Notes

  1. Learning Objectives Upon completion of this chapter the student should be able to: Use this chapter as a guide for future reference on laws, regulations, and professional organizations. Differentiate between laws and ethics. Identify major national laws that relate to the practice of information security. Understand the role of culture as it applies to ethics in information security.
  2. Introduction As a future information security professional, it is vital that you understand the scope of an organization’s legal and ethical responsibilities. To minimize liabilities and reduce risks from electronic, physical threats and reduce the losses from legal action, the information security practitioner must understand the current legal environment, stay current as new laws and regulations emerge, and watch for issues that need attention. Law And Ethics In Information Security As individuals we elect to trade some aspects of personal freedom for social order. Laws are rules adopted for determining expected behavior in modern society and are drawn from Ethics, which define socially acceptable behaviors. Ethics in turn are based on cultural mores: fixed moral attitudes or customs of a particular group. Some ethics are recognized as universal among cultures.
  3. Types Of Law Civil law represents a wide variety of laws that are recorded in volumes of legal “code” available for review by the average citizen. Criminal law addresses violations harmful to society and is actively enforced through prosecution by the state. Tort law allows individuals to seek recourse against others in the event of personal, physical, or financial injury. Private law regulates the relationship between the individual and the organization, and encompasses family law, commercial law, and labor law. Public law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments, providing careful checks and balances. Examples of public law include criminal, administrative, and constitutional law.
  4. Relevant U.S. Laws - General Computer Crime Laws: The Computer Fraud and Abuse Act of 1986 is the cornerstone of many computer-related federal laws and enforcement efforts. It was amended in October 1996 with the National Information Infrastructure Protection Act of 1996, which modified several sections of the CFA, and increased the penalties for selected crimes. The USA Patriot Act of 2001 modified a wide range of existing laws to provide law enforcement agencies with broader latitude of actions to combat terrorism-related activities. The Communication Act of 1934 was revised by the Telecommunications Deregulation and Competition Act of 1996, which attempts to modernize the archaic terminology of the older act. These much-needed updates of terminology were included as part of the Communications Decency Act (CDA). The CDA was immediately ensnared in a thorny legal debate over the attempt to define indecency, and ultimately rejected by the Supreme Court. Another key law that is of critical importance for the information security professions is the Computer Security Act of 1987. It was one of the first attempts to protect federal computer systems by establishing minimum acceptable security practices. The National Bureau of Standards, in cooperation with the National Security Agency, became responsible for developing these security standards and guidelines.
  5. Privacy The issue of privacy has become one of the hottest topics in information. The ability to collect information on an individual, combine facts from separate sources, and merge it with other information has resulted in databases of information that were previously impossible to set up. The aggregation of data from multiple sources permits unethical organizations to build databases of facts with frightening capabilities.
  6. Privacy in the U.S. It is NOT a Constitutional right but has been construed by the courts Courts have determined that people have a “reasonable expectation” of privacy There are no clearly established definitions but here’s one that works the right not to be disturbed the right to be anonymous the right not to be monitored the right not to have one’s identifying information exploited These construed Constitutional guarantees of privacy apply only to the Federal Government
  7. Privacy of Customer Information The Privacy of Customer Information Section of Common Carrier regulation specifies that any proprietary information shall be used explicitly for providing services, and not for any marketing purposes. It also stipulates that carriers cannot disclose this information except when necessary to provide its services. The only other exception is when a customer requests the disclosure of information, and then the disclosure is restricted to that customer’s information only. The Federal Privacy Act of 1974 regulates the government in the protection of individual privacy and was created to insure that government agencies protect the privacy of individuals’ and businesses’ information and to hold those agencies responsible if any portion of this information is released without permission. The Electronic Communications Privacy Act of 1986 regulates the interception of wire, electronic and oral communications. The ECPA works in conjunction with the Fourth Amendment of the US Constitution, which provides protections from unlawful search and seizure. The Health Insurance Portability & Accountability Act Of 1996 (HIPAA) also known as the Kennedy-Kassebaum Act, impacts all healthcare organizations including small doctor practices, health clinics, life insurers and universities, as well as some organizations which have self-insured employee health programs. The act requires organizations that retain healthcare information to use information security mechanisms to protect this information, as well as policies and procedures to maintain this security. It also requires a comprehensive assessment of the organization's information security systems, policies, and procedures. There is no specification of particular security technologies for each of the security requirements; only that security must be implemented to ensure the privacy of the healthcare information. The Privacy standards of HIPAA severely restrict the dissemination and distribution of private health information without documented consent. The standards provide patients the right to know who has access to their information and who has accessed it and also restrict the use of health information to the minimum required for the healthcare services required. The Financial Services Modernization Act or Gramm-Leach-Bliley Act of 1999 requires all financial institutions to disclose their privacy policies on the sharing of non-public personal information. It also requires due notice to customers, so that they can request that their information not be shared with third parties. The act ensures that the privacy policies in effect in an organization are fully disclosed when a customer initiates a business relationship, as well as distributed at least annually for the duration of the professional association.
  8. Freedom of Information Act of 1966 (FOIA) The Freedom of Information Act provides any person with the right to request access to federal agency records or information, not determined to be of national security. US Government agencies are required to disclose any requested information on receipt of a written request. There are exceptions for information that is protected from disclosure (normally due to classification). The Act applies only to federal agencies and does not create a right of access to records held by Congress or Federal courts. The Act does not apply to state or local government agencies or to private businesses or individuals, although many states have their own version of the FOIA.
  9. Freedom of Information Act of 1966 (FOIA) There are exceptions for information that is protected from disclosure. Nine exemptions and three exclusions (most often due to classification for national security reasons). Includes medical info, agency internal personnel policies, trade secrets, information about wells. The Act applies only to federal agencies and does not create a right of access to records held by Congress or Federal courts. The Act does not apply to state or local government agencies or to private businesses or individuals, although many states have their own version of the FOIA.
  10. Freedom of Information Act of 2000 (UK) In 2000, the United Kingdom passed their Freedom of Information Act Very similar in all respects to U.S. law More exceptions
  11. The European Union also put forward Directive 95/46/EC that increases protection of individuals with regard to the processing of personal data and on the free movement of such data. The United Kingdom has already implemented a version of this directive called the Database Right (The Copyright and Rights in Databases Regulations 1997).
  12. International Laws And Legal Bodies Recently the Council of Europe drafted the European Council Cyber-Crime Convention, designed to create an international task force to oversee a range of security functions associated with Internet activities, and to standardize technology laws across international borders.
  13. International Laws And Legal Bodies European Council Cyber-Crime Convention It also attempts to improve the effectiveness of international investigations into breaches of technology law. This convention is well received by advocates of intellectual property rights with its emphasis on copyright infringement prosecution.
  14. Export And Espionage Laws In an attempt to protect American ingenuity, intellectual property, and competitive advantage, Congress passed the Economic Espionage Act (EEA) in 1996. This law attempts to prevent trade secrets from being illegally shared. The Security And Freedom Through Encryption Act of 1997 (SAFE) was an attempt by Congress to provide guidance on the use of encryption, and provided measures of public protection from government intervention.
  15. A.What is a copyright? 1.the set of exclusive legal rights authors have over their works for a limited period of time. These rights include i.copying the works (including parts of the works) ii.making derivative works iii.distributing the works iv.performing the works (showing a movie or playing an audio recording, as well as performing a dramatic work)
  16. A.What is a copyright? 2.A copyright exists upon creation 3.The author's rights begin when an original work of authorship is fixed in a tangible medium 4.A work does not have to bear a copyright notice or be registered to be copyrighted
  17. US Copyright Law Intellectual property is recognized as a protected asset in the US. US copyright law extends this right to the published word, including electronic formats.
  18. US Copyright Law Fair use of copyrighted materials includes the use to support news reporting, teaching, scholarship, and a number of other related permissions, so long as the purpose of the use is for educational or library purposes, not for profit, and is not excessive.
  19. What is Fair Use? Fair use provisions of the copyright law allow for limited copying or distribution of published works without the author's permission Examples of fair use of copyrighted materials include quotation of excerpts in a review or critique, or copying of a small part of a work by a teacher or student to illustrate a lesson
  20. What is Fair Use? Determination of fair use is based on: The purpose and nature of the use The nature of the copyrighted work The nature and substantiality of the material used The effect of use on the potential market for or value of the work
  21. What is Fair Use? As Kerry Konrad, co-lead litigation counsel for Lotus Development Corporation, succinctly said, "if your use is private, limited, and for the purpose of reference and illustration only, it's likely to be fair."
  22. Licensing A.If fair use does not apply, to make use of another’s intellectual property requires a license B.A license is not a given—the owner does not have to grant a license nor give any explaination when they don’t
  23. Licensing C.Placing materials on the Web does NOT place them inthe Public Domain unless such assignment is specifically made 1.Some Web sites contain content such as clipart, buttons, bars, backgrounds, photos, where either the items have been placed in the public domain or a license for their use is clearly granted 2.Otherwise all works online—graphic arts as well as text—are protected by copyright 3.Your reuse requires a license
  24. Digital Millennium Copyright Act (DMCA) The Digital Millennium Copyright Act (DMCA) is the US version of an international effort to reduce the impact of copyright, trademark, and privacy infringement especially through the removal of technological copyright protection measures. Many legal experts feel DMCA illegally infringes on Fair Use and has other adverse effects
  25. Impact of DMCA Critics claim DCMA has had the following impacts (among others): DMCA is being used to silence researchers, computer scientists and critics Corporations are using it against the public Public/College radio stations can no longer afford to webcast
  26. Impact of DMCA Also has had a stifling effect on computer security research as prohibits the circumvention of copy protection and the distribution of devices that can be used to circumvent copyrights In doing so it treats publishing of security vulnerabilities as a violation of the law
  27. Sarbanes-Oxley Act The Sarbanes-Oxley Act of 2002 was created to address accounting “irregularities” such as Enron and similar cases It requires the application of internal controls & internal controls reporting As part of this, general computer controls must be implemented and documented Information security controls are a key component of general computer controls
  28. Sarbanes-Oxley Act Section 404 -- Management Assessment of Internal Controls Rules Required. The [Securities and Exchange] Commission shall prescribe rules requiring each annual report…to contain an internal control report, which shall-- state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting
  29. Sarbanes-Oxley Act Access controls, authorization, auditability, data integrity and availability (disaster recovery) are key elements of controls to ensure compliance with section 404 Because there is external financial auditor involvement in assuring rules compliance, this draws audit firms into IT security auditing or at least verification of IT security audits
  30. State & Local Regulations In addition to the national and international restrictions placed on an organization in the use of computer technology, each state or locality may have a number of laws and regulations that impact operations. It is the responsibility of the information security professional to understand state and local laws and regulations and insure the organization’s security policies and procedures comply with those laws and regulations.
  31. United Nations Charter To some degree the United Nations Charter provides provisions for information security during Information Warfare. Information Warfare (IW) involves the use of information technology to conduct offensive operations as part of an organized and lawful military operation by a sovereign state.
  32. United Nations Charter IW is a relatively new application of warfare, although the military has been conducting electronic warfare and counter-warfare operations for decades, jamming, intercepting, and spoofing enemy communications.
  33. Policy Versus Law Most organizations develop and formalize a body of expectations that describe acceptable and unacceptable behaviors of the employee within the workplace. This body of expectations is called policy. Properly executed policies function in an organization like laws, complete with penalties, judicial practices, and sanctions to require compliance. For a policy to become enforceable, it must meet certain standards. Only when all of these conditions are met, does the organization have the reasonable expectation that should an employee violate policy, they may be appropriately penalized without fear of legal retribution.
  34. Policy Versus Law For a policy to become enforceable, it must be: Distributed to all individuals who are expected to comply with it. Readily available for employee reference. Easily understood with multi-language translations and translations for visually impaired, or literacy-impaired employees. Acknowledged by the employee, usually by means of a signed consent form.
  35. Ethical Concepts In Information Security “The Ten Commandments of Computer Ethics from The Computer Ethics Institute 1.Thou shalt not use a computer to harm other people. 2.Thou shalt not interfere with other people's computer work. 3.Thou shalt not snoop around in other people's computer files. 4.Thou shalt not use a computer to steal. 5.Thou shalt not use a computer to bear false witness.
  36. Ethical Concepts In Information Security “The Ten Commandments of Computer Ethics” from The Computer Ethics Institute 6.Thou shalt not copy or use proprietary software for which you have not paid. 7.Thou shalt not use other people's computer resources without authorization or proper compensation. 8.Thou shalt not appropriate other people's intellectual output. 9.Thou shalt think about the social consequences of the program you are writing or the system you are designing. 10.Thou shalt always use a computer in ways that insure consideration and respect for your fellow humans.”
  37. Cultural Differences In Ethical Concepts With regard to computer use, differences in cultures cause problems in determining what is ethical and what is not ethical. Studies of ethical sensitivity to computer use reveal that individuals of different nationalities have different perspectives on ethics. Difficulties arise when one nationality’s ethical behavior contradicts that of another national group.
  38. Ethics And Education Employees must be trained and kept aware in a number of topics related to information security, not the least of which is the expected behaviors of an ethical employee. This is especially important in areas of information security, as many employees may not have the formal technical training to understand that their behavior is unethical or even illegal. Proper ethical and legal training is vital to creating an informed, well prepared, and low-risk system user.
  39. Deterrence To Unethical And Illegal Behavior Deterrence is the best method for preventing an illegal or unethical activity. Laws, policies, and technical controls are all examples of deterrents. However, it is generally agreed that laws and policies and their associated penalties only deter if three conditions are present. Fear of penalty. Probability of being caught. Probability of penalty being administered.
  40. Codes Of Ethics, Certifications And Professional Organizations A number of professional organizations have established codes of conduct and/or codes of ethics that members are expected to follow. Codes of ethics can have a positive effect on an individual’s judgment regarding computer use. Unfortunately, having a code of ethics is not enough, because many employers do not encourage their employees to join these professional organizations. It is the responsibility of security professionals to act ethically and according to the policies and procedures of their employer, their professional organization, and the laws of society.
  41. Association of Computing Machinery. The ACM (www.acm.org) is a respected professional society, originally established in 1947, as “the world's first educational and scientific computing society”. The ACM’s code of ethics requires members to perform their duties in a manner befitting an ethical computing professional. The code contains specific references to protecting the confidentiality of information, causing no harm, protecting the privacy of others, and respecting the intellectual property and copyrights of others.
  42. Association of Computing Machinery. The code contains specific references to protecting the confidentiality of information, causing no harm, protecting the privacy of others, and respecting the intellectual property and copyrights of others.
  43. International Information Systems Security Certification Consortium The (ISC)2 (www.isc2.org) is a non-profit organization that focuses on the development and implementation of information security certifications and credentials. The code of ethics put forth by (ISC)2 is primarily designed for information security professionals who have earned a certification from (ISC)2.
  44. This code focuses on four mandatory canons: Protect society, the commonwealth, and the infrastructure; Act honorably, honestly, justly, responsibly, and legally; Provide diligent and competent service to principals; and Advance and protect the profession.
  45. System Administration, Networking, and Security Institute The System Administration, Networking, and Security Institute, or SANS (www.sans.org), is a professional organization with a large membership dedicated to the protection of information and systems. SANS offers a set of certifications called the Global Information Assurance Certification or GIAC.
  46. Information Systems Audit and Control Association The Information Systems Audit and Control Association or ISACA (www.isaca.org) is a professional association with a focus on auditing, control, and security. Although it does not focus exclusively on information security, the Certified Information Systems Auditor or CISA certification does contain many information security components.
  47. Information Systems Audit and Control Association The ISACA also has a code of ethics for its professionals. It requires many of the same high standards for ethical performance as the other organizations and certifications.
  48. CSI - Computer Security Institute The Computer Security Institute (www.gocsi.com) provides information and certification to support the computer, networking, and information security professional. While CSI does not promote a single certification certificate like the CISSP or GISO, it does provide a range of technical training classes in the areas of Internet Security, Intrusion Management, Network Security, Forensics, as well as technical networking.
  49. OTHER SECURITY ORGANIZATIONS The Information Systems Security Association (ISSA)® (www.issa.org) is a non-profit society of information security professionals. As a professional association, its primary mission is to bring together qualified practitioners of information security for information exchange and educational development. The Internet Society or ISOC (www.isoc.org) is a non-profit, non-governmental, international organization for professionals. It promotes the development and implementation of education, standards, policy, and education and training to promote the Internet. The Computer Security Division (CSD) of the National Institute for Standards and Technology (NIST), contains a resource center known as the Computer Security Resource Center (CSRC) which is a must know for any current or aspiring information security professional. This Web site (csrc.nist.gov) houses one of the most comprehensive sets of publicly available information on the entire suite of information security topics. The CERT® Coordination Center or CERT/CC (www.cert.org) is a center of Internet security expertise operated by Carnegie Mellon University. The CERT/CC studies security issues and provides publications and alerts to help educate the public to the threats facing information security. The center also provides training and expertise in the handling of computer incidents. The Computer Professionals for Social Responsibility (CPSR) is a public organization for technologists and anyone with a general concern for the impact of computer technology on society. CPSR promotes ethical and responsible development and use of computing, and seeks to inform public and private policy and lawmakers on this subject. It acts as an ethical watchdog for the development of ethical computing.
  50. OTHER SECURITY ORGANIZATIONS The CERT® Coordination Center or CERT/CC (www.cert.org) is a center of Internet security expertise operated by Carnegie Mellon University. The CERT/CC studies security issues and provides publications and alerts to help educate the public to the threats facing information security. The center also provides training and expertise in the handling of computer incidents. The Computer Professionals for Social Responsibility (CPSR) is a public organization for technologists and anyone with a general concern for the impact of computer technology on society. CPSR promotes ethical and responsible development and use of computing, and seeks to inform public and private policy and lawmakers on this subject. It acts as an ethical watchdog for the development of ethical computing.
  51. KEY U.S. FEDERAL AGENCIES The Department of Homeland Security’s National Infrastructure Protection Center (NIPC) (www.nipc.gov) was established in 1998 and serves as the U.S. government's focal point for threat assessment, warning, investigation, and response for threats or attacks against critical U.S. infrastructures. A key part of the NIPC’s efforts to educate, train, inform and involve the business and public sector in information security is the National InfraGard Program. Established in January of 2001, the National InfraGard Program began as a cooperative effort between the FBI’s Cleveland Field Office and local technology professionals. Another key federal agency is the National Security Agency (NSA). The NSA is “the Nation's cryptologic organization. It coordinates, directs, and performs highly specialized activities to protect U.S. information systems and produce foreign intelligence information” The NSA is responsible for signal intelligence and information system security.
  52. The U.S. Secret Service is a department within the Department of Homeland Security. The Secret Service is also charged with the detection and arrest of any person committing a U.S. Federal offense relating to computer fraud and false identification crimes. This represents an extension of the original mission of protecting U.S. currency-related issues to areas of communications fraud and abuse.
  53. ORGANIZATIONAL LIABILITY AND THE NEED FOR COUNSEL What if an organization does not support or even encourage strong ethical conduct on the part of its employees? What if an organization does not behave ethically? Even if there is no breach of criminal law, prosecuted under criminal code, there is the issue of liability. Liability is the legal obligation of an entity. Liability extends beyond a legal obligation or contract to include liability for a wrongful act and the legal obligation to make payment or restitution – compensation for the wrong. ORGANIZATIONAL LIABILITY AND THE NEED FOR COUNSEL The bottom line is that if an employee, acting with or without the authorization of the organization, performs an illegal or unethical act, causing some degree of harm, the organization can be held financially liable for that action. An organization increases its liability if it refuses to take strong measures known as due care, to make sure that every employee knows what is acceptable or not acceptable behavior in the organization, and the consequences of illegal or unethical actions. Due diligence requires that an organization make a valid effort to protect others and continually maintain this level of effort. With the global impact of the Internet, those who could be potentially injured or wronged by an organization’s members could be anywhere, in any state, any country around the world. Under the U.S. legal system, any court can impose its authority over an individual or organization if it can establish jurisdiction – the court’s right to hear a case in its court if the wrong was committed in its territory or involving its citizenry. This is sometimes referred to as Long Arm Jurisdiction, as the long arm of the law reaches across the country or around the world to pull an accused individual into its court systems.