
Legal, Ethical, and Professional Issues In.ppt

Aug 07, 2018

Basit Jasani
Transcript
8/20/2019 Legal, Ethical, and Professional Issues In.ppt

1/34

Legal, Ethical, and Professional Issues In Information Security

2/34

Objectives

• Differentiate between laws and ethics
• Identify major national laws that relate to the practice of information security
• Understand the role of culture as it applies to ethics in information security

3/34

Introduction

• You must understand the scope of an organization's legal and ethical responsibilities
• To minimize liabilities/reduce risks, the information security practitioner must:
  – Understand the current legal environment
  – Stay current with laws and regulations
  – Watch for new issues that emerge

4/34

Law and Ethics in Information Security

• Laws: rules that mandate or prohibit certain societal behavior
• Ethics: define socially acceptable behavior
• Cultural mores: fixed moral attitudes or customs of a particular group; ethics are based on these
• Laws carry sanctions of a governing authority; ethics do not

5/34

Types of Law

• Civil
• Criminal
• Tort
• Private
• Public

6/34

Relevant U.S. Laws (General)

• Computer Fraud and Abuse Act of 1986 (CFA Act)
• National Information Infrastructure Protection Act of 1996
• USA Patriot Act of 2001
• Telecommunications Deregulation and Competition Act of 1996
• Communications Decency Act of 1996 (CDA)
• Computer Security Act of 1987

7/34

Privacy

• One of the hottest topics in information security
• Is a "state of being free from unsanctioned intrusion"
• Ability to aggregate data from multiple sources allows creation of information databases previously unheard of

8/34

Privacy of Customer Information

• Privacy of Customer Information Section of common carrier regulation
• Federal Privacy Act of 19

9/34

Export and Espionage Laws

• Economic Espionage Act of 1996 (EEA)
• Security And Freedom Through Encryption Act of 1999 (SAFE)

10/34

U.S. Copyright Law

• Intellectual property recognized as a protected asset in the U.S.; copyright law extends to electronic formats
• With proper acknowledgement, permissible to include portions of others' work as reference
• U.S. Copyright Office Web site: www.copyright.gov

11/34

Freedom of Information Act of 1966 (FOIA)

• Allows access to federal agency records or information not determined to be a matter of national security
• U.S. government agencies required to disclose any requested information upon receipt of a written request
• Some information protected from disclosure

12/34

State and Local Regulations

• Restrictions on organizational computer technology use exist at international, national, state, and local levels
• Information security professional responsible for understanding state regulations and ensuring the organization is compliant with regulations

13/34

International Laws and Legal Bodies

• European Council Cyber-Crime Convention:
  – Establishes an international task force overseeing Internet security functions for standardized international technology laws
  – Attempts to improve effectiveness of international investigations into breaches of technology law
  – Well received by intellectual property rights advocates due to emphasis on copyright infringement prosecution
  – Lacks realistic provisions for enforcement

14/34

Digital Millennium Copyright Act (DMCA)

• U.S. contribution to international effort to reduce impact of copyright, trademark, and privacy infringement
• A response to European Union Directive 95/46/EC, which adds protection to individuals with regard to processing and free movement of personal data

15/34

United Nations Charter

• Makes provisions, to a degree, for information security during information warfare (IW)
• IW involves use of information technology to conduct organized and lawful military operations
• IW is a relatively new type of warfare, although the military has been conducting electronic warfare operations for decades

16/34

Policy Versus Law

• Most organizations develop and formalize a body of expectations called policy
• Policies serve as organizational laws
• To be enforceable, policy must be distributed, readily available, easily understood, and acknowledged by employees

18/34

Ethical Differences Across Cultures

• Cultural differences create difficulty in determining what is and is not ethical
• Difficulties arise when one nationality's ethical behavior conflicts with the ethics of another national group
• Example: many of the ways in which Asian cultures use computer technology is software piracy

19/34

Ethics and Education

• Overriding factor in leveling ethical perceptions within a small population is education
• Employees must be trained in expected behaviors of an ethical employee, especially in areas of information security
• Proper ethical training vital to creating an informed, well-prepared, and low-risk system user

20/34

Deterrence to Unethical and Illegal Behavior

• Deterrence: best method for preventing an illegal or unethical activity; e.g., laws, policies, technical controls
• Laws and policies only deter if three conditions are present:
  – Fear of penalty
  – Probability of being caught
  – Probability of penalty being administered

21/34

Codes of Ethics and Professional Organizations

• Several professional organizations have established codes of conduct/ethics
• Codes of ethics can have a positive effect; unfortunately, many employers do not encourage joining of these professional organizations
• Responsibility of security professionals to act ethically and according to policies of employer, professional organization, and laws of society

22/34

Association of Computing Machinery (ACM)

• ACM established in 1947 as "the world's first educational and scientific computing society"
• Code of ethics contains references to protecting information confidentiality, causing no harm, protecting others' privacy, and respecting others' intellectual property

23/34

International Information Systems Security Certification Consortium, Inc. (ISC)2

• Non-profit organization focusing on development and implementation of information security certifications and credentials
• Code primarily designed for information security professionals who have certification from (ISC)2
• Code of ethics focuses on four mandatory canons

24/34

System Administration, Networking, and Security Institute (SANS)

• Professional organization with a large membership dedicated to protection of information and systems
• SANS offers a set of certifications called Global Information Assurance Certification (GIAC)

25/34

Information Systems Audit and Control Association (ISACA)

• Professional association with focus on auditing, control, and security
• Concentrates on providing IT control practices and standards
• ISACA has a code of ethics for its professionals

26/34

Computer Security Institute (CSI)

• Provides information and training to support computer, networking, and information security professionals
• Though without a code of ethics, has argued for adoption of ethical behavior among information security professionals

27/34

Information Systems Security Association (ISSA)

• Nonprofit society of information security (IS) professionals
• Primary mission to bring together qualified IS practitioners for information exchange and educational development
• Promotes a code of ethics similar to (ISC)2, ISACA and ACM

28/34

Other Security Organizations

• Internet Society (ISOC): promotes development and implementation of education, standards, policy and education to promote the Internet
• Computer Security Division (CSD): division of the National Institute for Standards and Technology (NIST); promotes industry best practices and is an important reference for information security professionals

29/34

Other Security Organizations (continued)

• CERT Coordination Center (CERT/CC): center of Internet security expertise operated by Carnegie Mellon University
• Computer Professionals for Social Responsibility (CPSR): public organization for anyone concerned with the impact of computer technology on society

31/34

Organizational Liability and the Need for Counsel

• Liability is the legal obligation of an entity; includes the legal obligation to make restitution for wrongs committed
• Organization increases liability if it refuses to take measures known as due care
• Due diligence requires that an organization make a valid effort to protect others and continually maintain that level of effort

32/34

Summary

• Laws: rules that mandate or prohibit certain behavior in society; drawn from ethics
• Ethics: define socially acceptable behaviors; based on cultural mores (fixed moral attitudes or customs of a particular group)
• Types of law: civil, criminal, tort law, private, public

33/34

Summary

• Relevant U.S. laws:
  – Computer Fraud and Abuse Act of 1986 (CFA Act)
  – National Information Infrastructure Protection Act of 1996
  – USA Patriot Act of 2001
  – Telecommunications Deregulation and Competition Act of 1996
  – Communications Decency Act of 1996 (CDA)
  – Computer Security Act of 1987

34/34

Summary

• Many organizations have codes of conduct and/or codes of ethics
• Organization increases liability if it refuses to take measures known as due care
• Due diligence requires that an organization make a valid effort to protect others and continually maintain that effort