8/20/2019 Legal, Ethical, and Professional Issues In.ppt

Legal, Ethical, and Professional Issues In Information Security

Objectives
• Differentiate between laws and ethics
• Identify major national laws that relate to the practice of information security
• Understand the role of culture as it applies to ethics in information security

Introduction
• You must understand scope of an organization's legal and ethical responsibilities
• To minimize liabilities/reduce risks, the information security practitioner must:
  – Understand current legal environment
  – Stay current with laws and regulations
  – Watch for new issues that emerge

Law and Ethics in Information Security
• Laws: rules that mandate or prohibit certain societal behavior
• Ethics: define socially acceptable behavior
• Cultural mores: fixed moral attitudes or customs of a particular group; ethics based on these
• Laws carry sanctions of a governing authority; ethics do not

Types of Law
• Civil
• Criminal
• Tort
• Private
• Public

Relevant U.S. Laws (General)
• Computer Fraud and Abuse Act of 1986 (CFA Act)
• National Information Infrastructure Protection Act of 1996
• USA Patriot Act of 2001
• Telecommunications Deregulation and Competition Act of 1996
• Communications Decency Act of 1996 (CDA)
• Computer Security Act of 1987

Privacy
• One of the hottest topics in information security
• Is a "state of being free from unsanctioned intrusion"
• Ability to aggregate data from multiple sources allows creation of information databases previously unheard of

Privacy of Customer Information
• Privacy of Customer Information Section of common carrier regulation
• Federal Privacy Act of 19

Export and Espionage Laws
• Economic Espionage Act of 1996 (EEA)
• Security And Freedom Through Encryption Act of 1999 (SAFE)

U.S. Copyright Law
• Intellectual property recognized as protected asset in the U.S.; copyright law extends to electronic formats
• With proper acknowledgement, permissible to include portions of others' work as reference
• U.S. Copyright Office Web site: www.copyright.gov

Freedom of Information Act of 1966 (FOIA)
• Allows access to federal agency records or information not determined to be matter of national security
• U.S. government agencies required to disclose any requested information upon receipt of written request
• Some information protected from disclosure

State and Local Regulations
• Restrictions on organizational computer technology use exist at international, national, state, local levels
• Information security professional responsible for understanding state regulations and ensuring organization is compliant with regulations

International Laws and Legal Bodies
• European Council Cyber-Crime Convention:
  – Establishes international task force overseeing Internet security functions for standardized international technology laws
  – Attempts to improve effectiveness of international investigations into breaches of technology law
  – Well received by intellectual property rights advocates due to emphasis on copyright infringement prosecution
  – Lacks realistic provisions for enforcement

Digital Millennium Copyright Act (DMCA)
• U.S. contribution to international effort to reduce impact of copyright, trademark, and privacy infringement
• A response to European Union Directive 95/46/EC, which adds protection to individuals with regard to processing and free movement of personal data

United Nations Charter
• Makes provisions, to a degree, for information security during information warfare (IW)
• IW involves use of information technology to conduct organized and lawful military operations
• IW is relatively new type of warfare, although military has been conducting electronic warfare operations for decades

Policy Versus Law
• Most organizations develop and formalize a body of expectations called policy
• Policies serve as organizational laws
• To be enforceable, policy must be distributed, readily available, easily understood, and acknowledged by employees

Ethical Differences Across Cultures
• Cultural differences create difficulty in determining what is and is not ethical
• Difficulties arise when one nationality's ethical behavior conflicts with ethics of another national group
• Example: many of the ways in which Asian cultures use computer technology amount to software piracy

Ethics and Education
• Overriding factor in leveling ethical perceptions within a small population is education
• Employees must be trained in expected behaviors of an ethical employee, especially in areas of information security
• Proper ethical training vital to creating informed, well prepared, and low-risk system user

Deterrence to Unethical and Illegal Behavior
• Deterrence: best method for preventing an illegal or unethical activity; e.g., laws, policies, technical controls
• Laws and policies only deter if three conditions are present:
  – Fear of penalty
  – Probability of being caught
  – Probability of penalty being administered

Codes of Ethics and Professional Organizations
• Several professional organizations have established codes of conduct/ethics
• Codes of ethics can have positive effect; unfortunately, many employers do not encourage joining of these professional organizations
• Responsibility of security professionals to act ethically and according to policies of employer, professional organization, and laws of society

Association of Computing Machinery (ACM)
• ACM established in 1947 as "the world's first educational and scientific computing society"
• Code of ethics contains references to protecting information confidentiality, causing no harm, protecting others' privacy, and respecting others' intellectual property

International Information Systems Security Certification Consortium, Inc. (ISC)²
• Non-profit organization focusing on development and implementation of information security certifications and credentials
• Code primarily designed for information security professionals who have certification from (ISC)²
• Code of ethics focuses on four mandatory canons

System Administration, Networking, and Security Institute (SANS)
• Professional organization with a large membership dedicated to protection of information and systems
• SANS offers set of certifications called Global Information Assurance Certification (GIAC)

Information Systems Audit and Control Association (ISACA)
• Professional association with focus on auditing, control, and security
• Concentrates on providing IT control practices and standards
• ISACA has code of ethics for its professionals

Computer Security Institute (CSI)
• Provides information and training to support computer, networking, and information security professionals
• Though without a code of ethics, has argued for adoption of ethical behavior among information security professionals

Information Systems Security Association (ISSA)
• Nonprofit society of information security (IS) professionals
• Primary mission to bring together qualified IS practitioners for information exchange and educational development
• Promotes code of ethics similar to (ISC)², ISACA and ACM

Other Security Organizations
• Internet Society (ISOC): promotes development and implementation of education, standards, and policy to promote the Internet
• Computer Security Division (CSD): division of National Institute for Standards and Technology (NIST); promotes industry best practices and is important reference for information security professionals

Other Security Organizations (continued)
• CERT Coordination Center (CERT/CC): center of Internet security expertise operated by Carnegie Mellon University
• Computer Professionals for Social Responsibility (CPSR): public organization for anyone concerned with impact of computer technology on society

Organizational Liability and the Need for Counsel
• Liability is legal obligation of an entity; includes legal obligation to make restitution for wrongs committed
• Organization increases liability if it refuses to take measures known as due care
• Due diligence requires that an organization make valid effort to protect others and continually maintain that level of effort

Summary
• Laws: rules that mandate or prohibit certain behavior in society; drawn from ethics
• Ethics: define socially acceptable behaviors; based on cultural mores (fixed moral attitudes or customs of a particular group)
• Types of law: civil, criminal, tort law, private, public

Summary
• Relevant U.S. laws:
  – Computer Fraud and Abuse Act of 1986 (CFA Act)
  – National Information Infrastructure Protection Act of 1996
  – USA Patriot Act of 2001
  – Telecommunications Deregulation and Competition Act of 1996
  – Communications Decency Act of 1996 (CDA)
  – Computer Security Act of 1987

Summary
• Many organizations have codes of conduct and/or codes of ethics
• Organization increases liability if it refuses to take measures known as due care
• Due diligence requires that organization make valid effort to protect others and continually maintain that effort