This document discusses laws, regulations, ethics, and professional organizations related to information security. It defines key concepts like laws, ethics, liability, due care and due diligence. Major sections cover relevant US laws, privacy laws, types of laws, and international legal issues. Professional ethics organizations and their codes are also summarized.
This document discusses laws, regulations, and ethics related to information security. It begins by explaining the importance of understanding an organization's legal responsibilities and keeping up with changing laws. It then discusses the differences between laws, ethics, and cultural norms. Several US and international laws are outlined pertaining to issues like computer crime, identity theft, copyright, and data privacy. The document also discusses the role of ethics and deterring unethical behavior through training, policies, and professional codes of conduct.
This document contains slides from a chapter on principles of information security. It discusses how laws are based on ethics, and different types of relevant laws in the US and other countries. These include privacy laws, copyright laws, and export/espionage laws. It also discusses ethics in information security, cultural differences, and professional organizations that promote ethics through codes of conduct and certifications. The role of education and deterrence to promote ethical behavior is covered.
ch03-Legal- Ethica and Professional Issues in IS (7-8).pdf (ssuserceaa40)
This document discusses laws, regulations, ethics, and professional organizations related to information security. It provides an overview of relevant US laws, such as the Computer Fraud and Abuse Act, and international agreements. The document also discusses how ethics can differ across cultures and the role of professional organizations in promoting codes of ethics for information security practitioners. Organizations are advised to understand applicable laws and regulations to minimize liability and adopt policies to deter unethical behavior.
1ITC358ICT Management and Information SecurityChapter 12.docx (hyacinthshackley2629)
ITC358
ICT Management and Information Security
Chapter 12: Law and Ethics

"In law a man is guilty when he violates the rights of others. In ethics he is guilty if he only thinks of doing so." – Immanuel Kant

Objectives
Upon completion of this chapter, you should be able to:
  - Differentiate between law and ethics
  - Describe the ethical foundations and approaches that underlie modern codes of ethics
  - Identify major national and international laws that relate to the practice of information security
  - Describe the role of culture as it applies to ethics in information security
  - Identify current information on laws, regulations, and relevant professional organisations

Introduction
  - All information security professionals must understand the scope of an organisation's legal and ethical responsibilities
  - Understand the current legal environment
  - Keep apprised of new laws, regulations, and ethical issues as they emerge, to minimise the organisation's liabilities
  - Educate employees and management about their legal and ethical obligations and the proper use of information technology

Law and Ethics in Information Security
  - Laws: rules adopted and enforced by governments to codify expected behaviour in modern society
  - The key difference between law and ethics is that law carries the sanction of a governing authority and ethics do not
  - Ethics are based on cultural mores: relatively fixed moral attitudes or customs of a societal group

Information Security and the Law
  - InfoSec professionals and managers must understand the legal framework within which their organisations operate
  - That framework can influence the organisation to a greater or lesser extent, depending on the nature of the organisation and the scale on which it operates

Types of Law
  - Civil law: pertains to relationships between and among individuals and organisations
  - Criminal law: addresses violations harmful to society; actively enforced and prosecuted by the state
  - Tort law (search "tort law in Australia"): a subset of civil law that allows individuals to seek redress in the event of personal, physical, or financial injury

Types of Law (cont'd.)
  - Private law: regulates the relationships among individuals and among individuals and organisations (family law, commercial law, and labour law)
  - Public law: regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments (criminal, administrative, and constitutional law)

Table 12-1a: Key U.S. laws of interest to information security professionals
Table 12-1b: Key U.S. laws of interest to information security professionals

Relevant U.S. Laws
  - The Computer Fraud and Abuse Act of 1986 (CFA Act): the cornerstone of many computer-related federal laws and enforcement efforts
  - Amended in October 1996 by the National Information Infrastructure Protection Act
  - Modified several sections of the previous act, and increased the penalties for se.
02 Legal, Ethical, and Professional Issues in Information Security (sappingtonkr)
Laws define prohibited and mandated behaviors while ethics define socially acceptable behaviors based on cultural mores. Relevant US laws include the Computer Fraud and Abuse Act, National Information Infrastructure Protection Act, USA Patriot Act, and others. Organizations can establish codes of ethics and reduce liability by exercising due care and due diligence in protecting information.
This document provides an overview of laws and ethics related to information security. It discusses the differences between laws, which are enforced by governments, and ethics, which are based on social norms. Major laws covered include the Computer Fraud and Abuse Act, which addresses computer crime, and privacy laws like HIPAA which protect sensitive data. The document also examines legal issues around topics such as intellectual property, encryption, and data sharing both domestically in the US and internationally.
Chapter 11 laws and ethic information security (Syaiful Ahdan)
This document provides an overview of key concepts regarding law and ethics in information security. It discusses the differences between laws and ethics, and how policies function similarly to laws within an organization. Several major US laws are outlined, including those covering general computer crimes, privacy, identity theft, export and espionage, copyright, and financial reporting. International agreements and professional organizations relevant to information security ethics are also mentioned. The document aims to help readers understand the legal and ethical responsibilities for information security practitioners.
Law and Ethics in Information Security.pptx (EdFeranil)
This document discusses laws and ethics related to information security. It begins by defining laws and ethics, noting that laws carry sanctions while ethics do not. It discusses how ethics are based on cultural norms and provides examples of universally accepted ethics. It then discusses organizational liability if an organization does not encourage or model strong ethical behavior. It notes that liability extends beyond criminal law and includes obligations to compensate for wrongs. It emphasizes the need for due care, due diligence, and counsel. The document also discusses policy versus law, types of law, general computer crime laws, privacy laws, identity theft laws, export/espionage laws, copyright law, codes of ethics, and why ethics are significant for information security. It poses ethical questions
The document discusses several legal and ethical issues related to technology and the internet. It covers topics like privacy, intellectual property, free speech, taxation, computer crimes, consumer protection, and other legal issues. It also discusses frameworks for analyzing ethical issues, protecting privacy and intellectual property, debates around free speech and censorship, protecting children online, controlling spam, and computer crimes.
https://digitalguardian.com/blog/social-engineering-attacks-common-techniques-how-prevent-attack
Statement of Michelle Richardson, Director, Privacy & Data
Center for Democracy & Technology
before the
United States Senate Committee on the Judiciary
GDPR & CCPA: Opt-ins, Consumer Control, and the Impact on Competition and Innovation
March 12, 2019

On behalf of the Center for Democracy & Technology (CDT), thank you for the opportunity to testify about the importance of crafting a federal consumer privacy law that provides meaningful protections for Americans and clarity for entities of all sizes and sectors. CDT is a nonpartisan, nonprofit 501(c)(3) charitable organization dedicated to advancing the rights of the individual in the digital world. CDT is committed to protecting privacy as a fundamental human and civil right and as a necessity for securing other rights such as access to justice, equal protection, and freedom of expression. CDT has offices in Washington, D.C., and Brussels, and has a diverse funding portfolio from foundation grants, corporate donations, and individual donations.[1]

The United States should be leading the way in protecting digital civil rights. This hearing is an opportunity to learn how Congress can improve upon the privacy frameworks offered in the European Union via the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) to craft a comprehensive privacy law that works for the U.S. Our digital future should be one in which technology supports human rights and human dignity. This future cannot be realized if people are forced to choose between protecting their personal information and using the technologies and services that enhance our lives. This future depends on clear and meaningful rules governing data processing; rules that do not simply provide people with notices and check boxes but actually protect them from privacy and security abuses and data-driven discrimination; protections that cannot be signed away.

Congress should resist the narratives that innovative technologies and strong privacy protections are fundamentally at odds, and that a privacy law would necessarily cement the market dominance of a few large companies. Clear and focused privacy rules can help companies of all sizes gain certainty with respect to appropriate and inappropriate uses of data. Clear rules will also empower engineers and product managers to design for privacy on the front end, rather than having to wait for a public privacy scandal to force the rollback of a product or data practice.

We understand that drafting comprehensive privacy legislation is a complex endeavor. Over the past year we have worked with partners in civil societ.

[1] All donations over $1,000 are disclosed in our annual report and are available online at: https://cdt.org/financials/.
Unit 6 Privacy and Data Protection 8 hr (Tushar Rajput)
The document discusses privacy and data protection. It defines privacy as an individual's ability to control how and when personal information is shared with others. It outlines several international agreements that establish privacy as a universal human right. The document also discusses the three dimensions of privacy - personal, territorial, and informational - and basic privacy principles like transparency and purpose limitation.
This document discusses ethics in IT security. It covers laws and ethics, codes of ethics from professional organizations like ACM and ISSA, relevant US laws on topics like privacy and copyright, and the importance of education and training in developing an ethical approach to information security. Overall it emphasizes the responsibility of security practitioners to understand legal/regulatory issues and act ethically.
This document discusses laws and ethics related to information security. It describes how laws mandate behavior while ethics regulate socially acceptable conduct. Laws carry enforcement from authorities, unlike ethics. The document outlines organizational liability and need for legal counsel. It distinguishes between policies and laws, and different types of laws. Relevant US laws are also summarized, including computer crime laws, privacy acts, and more.
This document discusses laws, regulations, ethics, and professional standards related to information security. It covers the differences between laws and ethics, types of laws, relevant US laws including the Computer Fraud and Abuse Act and laws around privacy like HIPAA. Organizational liability and the need for legal counsel are also addressed. The document provides an overview of key concepts for information security practitioners to understand their legal and ethical responsibilities.
This document discusses laws, regulations, ethics, and professional organizations related to information security. It covers the differences between laws and ethics, types of laws, relevant US laws including the Computer Fraud and Abuse Act and laws around privacy like HIPAA. Organizational liability, policies versus laws, and the need for legal counsel are also addressed. The goal is to help information security practitioners understand the legal environment and minimize risks.
This document discusses laws, regulations, ethics, and professional organizations related to information security. It covers the differences between laws and ethics, types of laws, relevant US laws including the Computer Fraud and Abuse Act and privacy laws like HIPAA. Organizational liability, policies versus laws, and the need for legal counsel are also addressed. The goal is to help information security practitioners understand the legal environment and minimize risks.
This document discusses legal and ethical issues in information security. It differentiates between laws, which are rules mandated by governing bodies, and ethics, which define socially acceptable behavior. The document outlines several key U.S. laws regarding privacy, copyright, and freedom of information. It also discusses the importance of understanding international, state and local regulations. Professional organizations for information security professionals are described that promote codes of ethics to guide appropriate behavior.
What is cyber law?
What is cyber crime?
Cybercrimes areas
What law relating to
Data protection and privacy
Software Licensing Issues
IT acts
Policy Versus Law
Codes of Ethics and Professional Organizations
This document discusses key concepts related to data security law and management including due care, due diligence, compliance, computer crimes, intellectual property, privacy laws, and trans-border data flows. It provides definitions and explanations of these topics over 22 pages with over 100 bullet points. Security professionals must understand these legal concepts to ensure organizations take prudent steps to protect data and comply with relevant regulations and laws.
The document discusses privacy laws in the United States, focusing on workplace privacy. It outlines several key privacy laws and acts, including the Fourth Amendment which protects against unreasonable searches and seizures, the Electronic Communications Privacy Act of 1986 which protects electronic communications from unauthorized surveillance, and the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule which regulates use of medical records. It also notes tensions between employers monitoring employees for quality control and employees' desires for privacy in the workplace.
Links Associated with Privacy Death of privacy ‘Your ce.docx (smile790243)
Links Associated with Privacy
  - Death of privacy: ‘Your cell phone Big Brother’s best friend’ (video with Steve Rambam, CEO of Pallorium Inc., an international online investigative service).
  - TEDx - Cory Doctorow: How do we make kids care about online privacy? (video that illustrates how social networking and our use of the Internet influences how children under-value their privacy).
  - Privacy no more? TrapWire’s all-seeing eye tracks your every move. (video of how the federal government uses surveillance cameras nationwide).
  - Privacy Issues in the Age of Technology: Jim Dempsey (provides an overview of privacy issues and how data is used by organizations).
  - Defcon 21 - The ACLU Presents: NSA Surveillance and More (illustrates key issues associated with NSA surveillance and how the government acquires data about individuals).
  - Smartphones damage our privacy much more than we realize: interview with Carissa Véliz (privacy issues regarding our use of cell phones, personal computers, social media sites, etc.).
http://www.youtube.com/watch?v=QGHU8btqrrU
http://www.youtube.com/watch?v=RAGjNe1YhMA
http://www.youtube.com/watch?v=yyNA_6yv5Y0
https://www.youtube.com/watch?v=HekUeBJJbSw
https://www.youtube.com/watch?v=tknNtx9Sl2E
https://www.youtube.com/watch?v=RFqCyMtv1Cc
TECHNOLOGY AS A THREAT TO PRIVACY: Ethical Challenges to the Information Profession
J. J. BRITZ
Department of Information Science
University of Pretoria
0002 Pretoria, South Africa
E-mail: [email protected]

The aim of this paper is to assess the impact of technology on the private lives of people. It is approached from a socio-ethical perspective with specific emphasis on the implication for the information profession. The issues discussed are the concept of privacy, the influence of technology on the processing of personal and private information, the relevance of this influence for the information profession, and proposed solutions to these ethical issues for the information profession.

1. INTRODUCTION
We are currently living in the so-called information age, which can be described as an era where economic activities are mainly information based (an age of informationalization). This is due to the development and use of technology. The main characteristics of this era can be summarized as a rise in the number of knowledge workers and a world that has become more open, in the sense of communication (global village/Gutenberg galaxy) and internationalization (trans-border flow of data).
This paradigm shift brings new ethical and juridical problems which are mainly related to issues such as the right of access to information, the right of privacy, which is threatened by the emphasis on the free flow of information, and the protection of the economic interest of the owners of intellectual property.
In this paper the ethical questions related to the right to privacy of the individual which is threatened by the use of ...
This document provides an overview of cryptography and network security. It begins with definitions of cryptography and discusses security trends like confidentiality, integrity, and availability. It then covers topics like classical encryption techniques, modern cryptography foundations, cryptosystems, cryptanalysis, and security policies. The document emphasizes the need for security at multiple levels and discusses legal, ethical and professional aspects of security.
The document discusses human rights issues related to cyberspace and the internet. It covers the right to freedom of speech and expression online, the right to internet access, the right to privacy, and data protection laws in India. It also discusses some issues with law enforcement, including that existing laws may not keep up with the speed of the internet and resolving disputes can be difficult due to jurisdictional complexities.
This chapter discusses privacy and the laws that protect personal information. It covers topics like identity theft, consumer profiling, data breaches, and workplace monitoring. Laws discussed include the Fair Credit Reporting Act, Health Insurance Portability and Accountability Act, Children's Online Privacy Protection Act, and others. The chapter also examines ethical issues around electronic discovery, responsible treatment of consumer data, and advanced surveillance technologies.
The document discusses competing models of information control - the American utilitarian model and European deontological model. The utilitarian model focuses on economic incentives and is market-driven, while the deontological model emphasizes individual moral rights. These two approaches dominate intellectual property rights and data privacy rights respectively on the international stage. The document provides an in-depth analysis of how each model approaches intellectual property and data privacy/protection.
The document describes text mining and web mining. It discusses the need for text mining due to the large amount of unstructured data organizations hold. It differentiates between text mining, web mining, and data mining. The document outlines the text mining process of establishing a corpus from unstructured data sources, introducing structure to create a term-document matrix, and extracting knowledge from the matrix. It also discusses applications of text mining in domains like security, medicine, marketing, and academics.
This document summarizes several routing protocols for ad hoc wireless networks. It describes the challenges in this domain including dynamic topologies and limited resources. It then categorizes and explains several types of routing protocols, including proactive protocols like DSDV, reactive protocols like AODV and DSR, hybrid protocols like ZRP, and geographic routing. It provides details on the route discovery and maintenance mechanisms of some of these prominent protocols. It also discusses theoretical limits on network capacity and the impact of mobility and hierarchy.
Chapter 11 laws and ethic information securitySyaiful Ahdan
This document provides an overview of key concepts regarding law and ethics in information security. It discusses the differences between laws and ethics, and how policies function similarly to laws within an organization. Several major US laws are outlined, including those covering general computer crimes, privacy, identity theft, export and espionage, copyright, and financial reporting. International agreements and professional organizations relevant to information security ethics are also mentioned. The document aims to help readers understand the legal and ethical responsibilities for information security practitioners.
Law and Ethics in Information Security.pptxEdFeranil
This document discusses laws and ethics related to information security. It begins by defining laws and ethics, noting that laws carry sanctions while ethics do not. It discusses how ethics are based on cultural norms and provides examples of universally accepted ethics. It then discusses organizational liability if an organization does not encourage or model strong ethical behavior. It notes that liability extends beyond criminal law and includes obligations to compensate for wrongs. It emphasizes the need for due care, due diligence, and counsel. The document also discusses policy versus law, types of law, general computer crime laws, privacy laws, identity theft laws, export/espionage laws, copyright law, codes of ethics, and why ethics are significant for information security. It poses ethical questions
The document discusses several legal and ethical issues related to technology and the internet. It covers topics like privacy, intellectual property, free speech, taxation, computer crimes, consumer protection, and other legal issues. It also discusses frameworks for analyzing ethical issues, protecting privacy and intellectual property, debates around free speech and censorship, protecting children online, controlling spam, and computer crimes.
https://digitalguardian.com/blog/social-engineering-attacks-common-techniques-how-prevent-attack
Statement of Michelle Richardson, Director, Privacy & Data
Center for Democracy & Technology
before the
United States Senate Committee on the Judiciary
GDPR & CCPA: Opt-ins, Consumer Control, and the Impact on Competition and Innovation
March 12, 2019
On behalf of the Center for Democracy & Technology (CDT), thank you for the
opportunity to testify about the importance of crafting a federal consumer privacy law that
provides meaningful protections for Americans and clarity for entities of all sizes and sectors.
CDT is a nonpartisan, nonprofit 501(c)(3) charitable organization dedicated to advancing the rights of the individual in the digital world. CDT is committed to protecting privacy as a fundamental human and civil right and as a necessity for securing other rights such as access to justice, equal protection, and freedom of expression. CDT has offices in Washington, D.C., and Brussels, and has a diverse funding portfolio from foundation grants, corporate donations, and individual donations.[1]

The United States should be leading the way in protecting digital civil rights. This hearing is an opportunity to learn how Congress can improve upon the privacy frameworks offered in the European Union via the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) to craft a comprehensive privacy law that works for the U.S. Our digital future should be one in which technology supports human rights and human dignity. This future cannot be realized if people are forced to choose between protecting their personal information and using the technologies and services that enhance our lives. This future depends on clear and meaningful rules governing data processing; rules that do not simply provide people with notices and check boxes but actually protect them from privacy and security abuses and data-driven discrimination; protections that cannot be signed away.

Congress should resist the narratives that innovative technologies and strong privacy protections are fundamentally at odds, and that a privacy law would necessarily cement the market dominance of a few large companies. Clear and focused privacy rules can help companies of all sizes gain certainty with respect to appropriate and inappropriate uses of data. Clear rules will also empower engineers and product managers to design for privacy on the front end, rather than having to wait for a public privacy scandal to force the rollback of a product or data practice.

We understand that drafting comprehensive privacy legislation is a complex endeavor. Over the past year we have worked with partners in civil societ.

[1] All donations over $1,000 are disclosed in our annual report and are available online at: https://cdt.org/financials/.
Unit 6 Privacy and Data Protection 8 hr (Tushar Rajput)
The document discusses privacy and data protection. It defines privacy as an individual's ability to control how and when personal information is shared with others. It outlines several international agreements that establish privacy as a universal human right. The document also discusses the three dimensions of privacy - personal, territorial, and informational - and basic privacy principles like transparency and purpose limitation.
This document discusses ethics in IT security. It covers laws and ethics, codes of ethics from professional organizations like ACM and ISSA, relevant US laws on topics like privacy and copyright, and the importance of education and training in developing an ethical approach to information security. Overall it emphasizes the responsibility of security practitioners to understand legal/regulatory issues and act ethically.
This document discusses laws and ethics related to information security. It describes how laws mandate behavior while ethics regulate socially acceptable conduct. Laws carry enforcement from authorities, unlike ethics. The document outlines organizational liability and need for legal counsel. It distinguishes between policies and laws, and different types of laws. Relevant US laws are also summarized, including computer crime laws, privacy acts, and more.
This document discusses laws, regulations, ethics, and professional standards related to information security. It covers the differences between laws and ethics, types of laws, relevant US laws including the Computer Fraud and Abuse Act and laws around privacy like HIPAA. Organizational liability and the need for legal counsel are also addressed. The document provides an overview of key concepts for information security practitioners to understand their legal and ethical responsibilities.
This document discusses laws, regulations, ethics, and professional organizations related to information security. It covers the differences between laws and ethics, types of laws, relevant US laws including the Computer Fraud and Abuse Act and laws around privacy like HIPAA. Organizational liability, policies versus laws, and the need for legal counsel are also addressed. The goal is to help information security practitioners understand the legal environment and minimize risks.
This document discusses laws, regulations, ethics, and professional organizations related to information security. It covers the differences between laws and ethics, types of laws, relevant US laws including the Computer Fraud and Abuse Act and privacy laws like HIPAA. Organizational liability, policies versus laws, and the need for legal counsel are also addressed. The goal is to help information security practitioners understand the legal environment and minimize risks.
This document discusses legal and ethical issues in information security. It differentiates between laws, which are rules mandated by governing bodies, and ethics, which define socially acceptable behavior. The document outlines several key U.S. laws regarding privacy, copyright, and freedom of information. It also discusses the importance of understanding international, state and local regulations. Professional organizations for information security professionals are described that promote codes of ethics to guide appropriate behavior.
What is cyber law?
What is cyber crime?
Cybercrimes areas
what law relating to
Data protection and privacy
Software Licensing Issues
IT acts
Policy Versus Law
Codes of Ethics and Professional Organizations
This document discusses key concepts related to data security law and management including due care, due diligence, compliance, computer crimes, intellectual property, privacy laws, and trans-border data flows. It provides definitions and explanations of these topics over 22 pages with over 100 bullet points. Security professionals must understand these legal concepts to ensure organizations take prudent steps to protect data and comply with relevant regulations and laws.
The document discusses privacy laws in the United States, focusing on workplace privacy. It outlines several key privacy laws and acts, including the Fourth Amendment which protects against unreasonable searches and seizures, the Electronic Communications Privacy Act of 1986 which protects electronic communications from unauthorized surveillance, and the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule which regulates use of medical records. It also notes tensions between employers monitoring employees for quality control and employees' desires for privacy in the workplace.
Links Associated with Privacy Death of privacy ‘Your ce.docx (smile790243)
Links Associated with Privacy
Death of privacy: ‘Your cell phone Big Brother’s best friend’ (video with Steve Rambam, CEO of Pallorium Inc., an international online investigative service).
TEDx - Cory Doctorow: How do we make kids care about online privacy? (video that illustrates how social networking and our use of the Internet influence how children under-value their privacy).
Privacy no more? TrapWire’s all-seeing eye tracks your every move (video on how the federal government uses surveillance cameras nationwide).
Privacy Issues in the Age of Technology: Jim Dempsey (provides an overview of privacy issues and how data is used by organizations).
Defcon 21 - The ACLU Presents: NSA Surveillance and More (illustrates key issues associated with NSA surveillance and how the government acquires data about individuals).
Smartphones damage our privacy much more than we realize: interview with Carissa Véliz (privacy issues regarding our use of cell phones, personal computers, social media sites, etc.).
http://www.youtube.com/watch?v=QGHU8btqrrU
http://www.youtube.com/watch?v=RAGjNe1YhMA
http://www.youtube.com/watch?v=yyNA_6yv5Y0
https://www.youtube.com/watch?v=HekUeBJJbSw
https://www.youtube.com/watch?v=tknNtx9Sl2E
https://www.youtube.com/watch?v=RFqCyMtv1Cc
TECHNOLOGY AS A THREAT TO PRIVACY: Ethical Challenges to the Information Profession
J. J. BRITZ
Department of Information Science
University of Pretoria
0002 Pretoria, South Africa
E-mail: [email protected]
The aim of this paper is to assess the impact of technology on the private lives of people. It is approached from a socio-ethical perspective with specific emphasis on the implications for the information profession. The issues discussed are the concept of privacy, the influence of technology on the processing of personal and private information, the relevance of this influence for the information profession, and proposed solutions to these ethical issues for the information profession.
1. INTRODUCTION
We are currently living in the so-called information age, which can be described as an era where economic activities are mainly information based (an age of informationalization). This is due to the development and use of technology. The main characteristics of this era can be summarized as a rise in the number of knowledge workers and a world that has become more open, in the sense of communication (global village/Gutenberg galaxy) and internationalization (trans-border flow of data).
This paradigm shift brings new ethical and juridical problems which are mainly related to issues such as the right of access to information, the right of privacy, which is threatened by the emphasis on the free flow of information, and the protection of the economic interests of the owners of intellectual property.
In this paper the ethical questions related to the right to privacy of the individual which is threatened by the use of ...
This document provides an overview of cryptography and network security. It begins with definitions of cryptography and discusses security trends like confidentiality, integrity, and availability. It then covers topics like classical encryption techniques, modern cryptography foundations, cryptosystems, cryptanalysis, and security policies. The document emphasizes the need for security at multiple levels and discusses legal, ethical and professional aspects of security.
The document discusses human rights issues related to cyberspace and the internet. It covers the right to freedom of speech and expression online, the right to internet access, the right to privacy, and data protection laws in India. It also discusses some issues with law enforcement, including that existing laws may not keep up with the speed of the internet and resolving disputes can be difficult due to jurisdictional complexities.
This chapter discusses privacy and the laws that protect personal information. It covers topics like identity theft, consumer profiling, data breaches, and workplace monitoring. Laws discussed include the Fair Credit Reporting Act, Health Insurance Portability and Accountability Act, Children's Online Privacy Protection Act, and others. The chapter also examines ethical issues around electronic discovery, responsible treatment of consumer data, and advanced surveillance technologies.
The document discusses competing models of information control - the American utilitarian model and European deontological model. The utilitarian model focuses on economic incentives and is market-driven, while the deontological model emphasizes individual moral rights. These two approaches dominate intellectual property rights and data privacy rights respectively on the international stage. The document provides an in-depth analysis of how each model approaches intellectual property and data privacy/protection.
2. Principles of Information Security, 3rd Edition 2
Learning Objectives
Upon completion of this material, you should be able to:
Use this chapter as a guide for future reference on laws, regulations, and professional organizations
Differentiate between laws and ethics
Identify major national laws that relate to the practice of information security
Understand the role of culture as it applies to ethics in information security
3. Introduction
You must understand the scope of an organization’s legal and ethical responsibilities
To minimize liabilities and reduce risks, the information security practitioner must:
Understand the current legal environment
Stay current with laws and regulations
Watch for new issues that emerge
4. Law and Ethics in Information Security
Laws: rules that mandate or prohibit certain societal behavior
Ethics: define socially acceptable behavior
Cultural mores: fixed moral attitudes or customs of a particular group; ethics are based on these
Laws carry the sanctions of a governing authority; ethics do not
5. Organizational Liability and the Need for Counsel
Liability: legal obligation of an entity that extends beyond criminal or contract law; includes the legal obligation to make restitution
Restitution: compensation for wrongs committed by an organization or its employees
Due care: ensuring that employees know what constitutes acceptable behavior and know the consequences of illegal or unethical actions
Due diligence: making a valid effort to protect others; continually maintaining that level of effort
6. Organizational Liability and the Need for Counsel (continued)
Jurisdiction: a court’s right to hear a case if the wrong was committed in its territory or involved its citizenry
Long-arm jurisdiction: right of any court to impose its authority over an individual or organization if it can establish jurisdiction
7. Policy versus Law
Policies: body of expectations that describe acceptable and unacceptable employee behaviors in the workplace
Policies function as laws within an organization; they must be crafted carefully to ensure they are complete, appropriate, and fairly applied to everyone
Difference between policy and law: ignorance of a policy is an acceptable defense, whereas ignorance of the law is not
Criteria for policy enforcement: dissemination (distribution), review (reading), comprehension (understanding), compliance (agreement), uniform enforcement
8. Types of Law
Civil: governs a nation or state; manages relationships and conflicts between organizational entities and people
Criminal: addresses violations harmful to society; actively enforced by the state
Private: regulates relationships between individuals and organizations
Public: regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments
9. Relevant U.S. Laws
The United States has been a leader in the development and implementation of information security legislation
Implementation of information security legislation contributes to a more reliable business environment and a stable economy
EU vs. US on privacy
US vs. China on censorship
The U.S. has specified penalties for individuals and organizations failing to follow requirements set forth in U.S. civil statutes
10. General Computer Crime Laws
Computer Fraud and Abuse Act of 1986 (CFA Act)
National Information Infrastructure Protection Act of 1996
USA PATRIOT Act of 2001
USA PATRIOT Improvement and Reauthorization Act
Computer Security Act of 1987
11. Privacy
One of the hottest topics in information security
Privacy is a “state of being free from unsanctioned intrusion”
The ability to aggregate data from multiple sources allows the creation of information databases previously unheard of
12. Privacy of Customer Information
Privacy of Customer Information Section of the common carrier regulation
Federal Privacy Act of 1974
Electronic Communications Privacy Act of 1986
Health Insurance Portability and Accountability Act of 1996 (HIPAA), aka Kennedy-Kassebaum Act
Financial Services Modernization Act, or Gramm-Leach-Bliley Act of 1999
13. Identity Theft
Federal Trade Commission definition: “occurring when someone uses your personally identifying information, like your name, Social Security number, or credit card number, without your permission, to commit fraud or other crimes”
Fraud and Related Activity in Connection with Identification Documents, Authentication Features, and Information (Title 18, U.S.C. § 1028)
14. Export and Espionage Laws
Economic Espionage Act of 1996 (EEA)
Security and Freedom Through Encryption Act of 1999 (SAFE)
No teeth…
15. U.S. Copyright Law
Intellectual property is recognized as a protected asset in the U.S.; copyright law extends to electronic formats
With proper acknowledgment, it is permissible to include portions of others’ work as reference
U.S. Copyright Office Web site: www.copyright.gov
16. Financial Reporting
Sarbanes-Oxley Act of 2002
Affects executive management of publicly traded corporations and public accounting firms
Seeks to improve the reliability and accuracy of financial reporting and increase the accountability of corporate governance in publicly traded companies
Penalties for noncompliance range from fines to jail terms
17. Freedom of Information Act of 1966 (FOIA)
Allows access to federal agency records or information not determined to be a matter of national security
U.S. government agencies are required to disclose any requested information upon receipt of a written request
Some information is protected from disclosure
18. Digital Millennium Copyright Act (DMCA)
U.S. contribution to an international effort to reduce the impact of copyright, trademark, and privacy infringement
A response to European Union Directive 95/46/EC, which adds protection to individuals with regard to the processing and free movement of personal data
19. State and Local Regulations
Restrictions on organizational computer technology use exist at the international, national, state, and local levels
The information security professional is responsible for understanding state regulations and ensuring the organization is compliant with them
20. International Laws and Legal Bodies
IT professionals and IS practitioners should realize that when organizations do business on the Internet, they do business globally
Professionals must be sensitive to the laws and ethical values of many different cultures, societies, and countries
Because of the political complexities of relationships among nations and differences in culture, there are few international laws relating to privacy and information security
These international laws are important but are limited in their enforceability
21. Agreement on Trade-Related Aspects of Intellectual Property Rights
Created by the World Trade Organization (WTO)
First significant international effort to protect intellectual property rights
The agreement covers five issues:
Application of basic principles of the trading system and international intellectual property agreements
Giving adequate protection to intellectual property rights
Enforcement of those rights by countries in their own territories
Settling intellectual property disputes
Transitional arrangements while the new system is being introduced
22. United Nations Charter
Makes provisions, to a degree, for information security during information warfare (IW)
IW involves the use of information technology to conduct organized and lawful military operations
IW is a relatively new type of warfare, although the military has been conducting electronic warfare operations for decades
Ethical Differences Across Cultures
Cultural differences create difficulty in determining what is and is not ethical
Difficulties arise when one nationality’s ethical behavior conflicts with the ethics of another national group
Example: many of the ways in which Asian cultures use computer technology are considered software piracy by other nations
Ethics and Education
The overriding factor in leveling ethical perceptions within a small population is education
Employees must be trained in the expected behaviors of an ethical employee, especially in areas of information security
Proper ethical training is vital to creating an informed, well-prepared, and low-risk system user
Deterrence to Unethical and Illegal Behavior
Three general causes of unethical and illegal behavior: ignorance, accident, and intent
Deterrence: the best method for preventing an illegal or unethical activity; e.g., laws, policies, and technical controls
Laws and policies only deter if three conditions are present:
Fear of penalty
Probability of being caught
Probability of the penalty being administered
Codes of Ethics and Professional Organizations
Several professional organizations have established codes of conduct/ethics
Codes of ethics can have a positive effect; unfortunately, many employers do not encourage joining these professional organizations
It is the responsibility of security professionals to act ethically and according to the policies of their employer, their professional organization, and the laws of society
Association for Computing Machinery (ACM)
ACM was established in 1947 as “the world's first educational and scientific computing society”
Its code of ethics contains references to protecting information confidentiality, causing no harm, protecting others’ privacy, and respecting others’ intellectual property
International Information Systems Security Certification Consortium, Inc. (ISC)2
Nonprofit organization focusing on the development and implementation of information security certifications and credentials
Its code is primarily designed for information security professionals who hold a certification from (ISC)2
The code of ethics focuses on four mandatory canons
System Administration, Networking, and Security Institute (SANS)
Professional organization with a large membership dedicated to the protection of information and systems
SANS offers a set of certifications called the Global Information Assurance Certification (GIAC)
Information Systems Audit and Control Association (ISACA)
Professional association with a focus on auditing, control, and security
Concentrates on providing IT control practices and standards
ISACA has a code of ethics for its professionals
Information Systems Security Association (ISSA)
Nonprofit society of information security (IS) professionals
Its primary mission is to bring together qualified IS practitioners for information exchange and educational development
Promotes a code of ethics similar to those of (ISC)2, ISACA, and ACM
Key U.S. Federal Agencies
Department of Homeland Security (DHS)
Federal Bureau of Investigation’s National InfraGard Program
National Security Agency (NSA)
U.S. Secret Service
Summary
Laws: rules that mandate or prohibit certain behavior in society; drawn from ethics
Ethics: define socially acceptable behaviors; based on cultural mores (fixed moral attitudes or customs of a particular group)
Types of law: civil, criminal, private, public
Summary (continued)
Relevant U.S. laws:
Computer Fraud and Abuse Act of 1986 (CFA Act)
National Information Infrastructure Protection Act of 1996
USA PATRIOT Act of 2001
USA PATRIOT Improvement and Reauthorization Act
Computer Security Act of 1987
Summary (continued)
Many organizations have codes of conduct and/or codes of ethics
An organization increases its liability if it refuses to take the measures known as due care
Due diligence requires that an organization make a valid effort to protect others and continually maintain that effort