Chapter 3 - Legal, Ethical and Professional Issues in Information Security

Question 1

Learning Objectives

Answer 1

–Describe the functions of and relationships among laws, regulations, and professional organizations in information security

–Explain the differences between laws and ethics

–Identify major national laws that affect the practice of information security

–Discuss the role of culture as it applies to ethics in information security

Question 2

What are the 3 things an IS practitioner must do to reduce risks and liabilities?

Answer 2

1. Understand the current legal environment
2. Stay current with laws and regulations
3. Watch for new and emerging issues

Question 3

Laws

Answer 3

Rules that mandate or prohibit certain actions or behaviors and are enforced by the state/government.

Question 4

Ethics

Answer 4

Regulate and define socially acceptable behavior.

Question 5

Cultural mores

Answer 5

fixed moral attitudes or customs of a particular group

Question 6

Main difference b/w laws and ethics

Answer 6

laws have the cudgel of force behind them

Question 7

Liability

Answer 7

the legal obligation of an entity beyond criminal or contract law, includes the legal obligation to make restitution

Question 8

Restitution

Answer 8

the legal obligation to compensate an injured party for the wrongs committed

Question 9

Due care

Answer 9

the legal standard requiring a prudent organization to act both legally and ethically and know the consequences of actions

Question 10

Due diligence

Answer 10

the legal standard requiring a prudent organization to maintain the standard of due care and ensure actions are effective

Question 11

Jurisdiction

&

Long-arm Jurisdiction

Answer 11

•Jurisdiction: court’s right to hear a case if the wrong was committed in its territory or involved its citizenry

•Long arm jurisdiction: application of laws to those residing outside court’s normal jurisdiction; usually granted when person acts illegally within jurisdiction and leaves

Question 12

Policies

Answer 12

•Policies: managerial directives that specify acceptable and unacceptable employee behavior in the workplace

Question 13

Difference between policy and law

Answer 13

ignorance of a policy is an acceptable defense

Question 14

5 Criteria for policy enforcement

Answer 14

•Criteria for policy enforcement:

–Dissemination (distribution)

–Review (reading)

–Comprehension (understanding)

–Compliance (agreement)

–Uniform enforcement

Question 15

Civil Law

Answer 15

governs nation or state; manages relationships/conflicts between organizations and people

Question 16

Criminal Law

Answer 16

•Criminal: addresses activities and conduct harmful to society; actively enforced by the state

Question 17

Private Law

Answer 17

•Private: family/commercial/labor law; regulates relationships between individuals and organizations

Question 18

Public law

Answer 18

•Public: regulates structure/administration of government agencies and relationships with citizens, employees, and other governments

Question 19

Computer Fraud and Abuse Act of 1986 (CFA Act)

Answer 19

•cornerstone of many computer-related federal laws and enforcement efforts‏

Question 20

National Information Infrastructure Protection Act of 1996

Answer 20

–Modified several sections of the previous act and increased the penalties for selected crimes

Question 21

The National Info Infrastructure Act increased penalties judged on the value of the information and the purpose. What are the three purposes?

Answer 21

1. Purpose of commercial advantage
2. For private financial gain
3. In furtherance of a criminal act

Question 22

USA PATRIOT Act of 2001

Answer 22

•USA PATRIOT Act of 2001: provides law enforcement agencies with broader latitude in order to combat terrorism-related activities

Question 23

USA PATRIOT Improvement and Reauthorization Act

Answer 23

•USA PATRIOT Improvement and Reauthorization Act: Made permanent fourteen of the sixteen expanded powers of the Department of Homeland Security (DHS) and the FBI in investigating terrorist activity

Question 24

Computer Security Act of 1987

Answer 24

•One of the first attempts to protect federal computer systems by establishing minimum acceptable security practices.

Question 25

Privacy

Answer 25

•Right of individuals or groups to protect themselves and personal information from unauthorized access

Question 26

What is a major concern with big data and privacy?

Answer 26

•Ability to aggregate data from multiple sources allows creation of information databases previously impossible

Question 27

What is the significance of the Privacy Customer Information Section of the Common Carrier Regulation?

Answer 27

info cannot be used for marketing purposes, solely for providing services. They also cannot disclose info except when necessary to provide their services, or when a customer requests disclosure of information.

Question 28

Importance of

Federal Privacy Act of 1974

Answer 28

Meant to keep the federal government in check if they do not protect the privacy of individuals’ and businesses’ information. They can be held responsible if any info is released w/o permission

Question 29

The Electronic Communications Privacy Act of 1986

Answer 29

regulates the interception of wire, electronic, and oral communications. The ECPA works in conjunction with the Fourth Amendment of the US Constitution, which provides protections from unlawful search and seizure

Question 30

Health Insurance Portability and Accountability Act of 1996 (HIPAA), aka Kennedy-Kassebaum Act

Answer 30

The act requires organizations that retain health-care information to use information security mechanisms to protect this information, as well as policies and procedures to maintain this security.

Question 31

Financial Services Modernization Act, or Gramm-Leach-Bliley Act of 1999

Answer 31

requires all financial institutions to disclose their privacy policies on the sharing of nonpublic personal information.

It also requires due notice to customers so that they can request that their information not be shared with third parties.

Question 32

Identity Theft

Answer 32

•It can occur when someone steals victim’s personally identifiable information (PII) and poses as victim to conduct actions/make purchases.

Question 33

What steps should you take if you suspect identity theft?

Answer 33

1. –Report to one of three national credit reporting companies and request initial fraud alert
2. –Order credit reports and examine for fraud activity; contact fraud department in organization holding suspect account
3. –Create identity theft report through FTC’s identity theft affidavit
4. –Document all calls/letters/communications during the process

Question 34

Export and Espionage Act of 1996 (EEA)

Answer 34

an attempt to protect American ingenuity, intellectual property, and competitive advantage, Congress passed the Economic Espionage Act (EEA) in 1996. This law attempts to prevent trade secrets from being illegally shared.

Question 35

The Security And Freedom Through Encryption Act of 1997 (SAFE)

Answer 35

was an attempt by Congress to provide guidance on the use of encryption and provided measures of public protection from government intervention.

Question 36

Exclusions to U.S. copyright law

Answer 36

Fair use of copyrighted materials includes the use to support news reporting, teaching, scholarship, and a number of other related permissions, so long as the purpose of the use is for educational or library purposes, not for profit, and is not excessive.

Question 37

What is the goal of US copyright laws?

Answer 37

To protect intellectual property

Question 38

Sarbanes Oxley Act of 2002

Answer 38

•Seeks to improve reliability and accuracy of financial reporting and increase the accountability of corporate governance in publicly traded companies

Question 39

Effects of SOX 2002

Answer 39

• Affects executive management of publicly traded corporations and public accounting firms
• Penalties for noncompliance range from fines to jail terms

Question 40

Freedom of Information Act of 1966 (FOIA)

Answer 40

• Allows access to federal agency records or information not determined to be matter of national security
• U.S. government agencies required to disclose any requested information upon receipt of written request

Question 41

backlog meaning

Answer 41

A backlog is a buildup of work that needs to be completed. The term “backlog” has a number of uses in accounting and finance.

Question 42

Payment Card Industry Data Security Standards (PCI DSS)

Answer 42

•offers a standard of performance to which organizations processing payment cards must comply.

Question 43

State(Federal) vs. Local regulations

Answer 43

Federal computer laws mainly written specifically for federal information systems; have little applicability to private organizations

Thus, IS professionals are responsible for understanding and complying with state regulations.

Question 44

Digital Millennium Copyright Act (DMCA)‏

Answer 44

The Digital Millennium Copyright Act (DMCA) is the U.S. version of an international effort to reduce the impact of copyright, trademark, and privacy infringement especially through the removal of technological copyright protection measures.

Question 45

Three general causes of unethical and illegal behavior

Answer 45

1. Ignorance
2. Accident
3. Intent

Question 46

Deterrence

Answer 46

methods and strategies used to prevent unethical activity (i.e.: laws, policies, technical controls)

Question 47

Mission of

Department of Homeland Security (DHS)

Answer 47

to protect the citizens as well as the physical and informational assets of the US

Question 48

Mission of the US Secret Service

Answer 48

–In addition to protective services, charged with safeguarding nation’s financial infrastructure and payments system to preserve integrity of economy

Question 49

Missions of the FBI

Answer 49

–Primary law enforcement agency; investigates traditional crimes and cybercrimes

–Key priorities include computer/network intrusions, identity theft, and fraud

Question 50

Mission of the

National Security Agency (NSA)

Answer 50

–Is the nation’s cryptologic organization

–Responsible for signal intelligence and information assurance (security)

–Information Assurance Directorate (IAD) is responsible for the protection of systems that store, process, and transmit information of high national value.

Question 51

The 7 Dynamics of Every Successful Dynamic Dating Conversation.

Answer 51

1. Ground to create presence (grounded vulnerability)
2. Connect
3. Appreciate
4. Be Curious
5. Share
6. Support
7. Be Bold

Question 52

Story at the beginning of the Chapter and what can be learned?

Answer 52

Henry Macgruder leaves a CD at the coffee station and Iris Majwubu finds it, runs a virus scan, and identifies both the owner and the crime.

Henry was basically selling sensitive company information (names, addresses, SSNs, credit card numbers, etc.)

Henry - bad guy

Iris - person who found out

Jill - person paying Jill for the stolen information

Question 53

ISACA

Answer 53

Information Systems Audit and Control Association

Question 54

ISACA Certifications (internal audit careers)

Answer 54

Certified Information Systems Auditor (CISA,1978)[18]

Certified Information Security Manager (CISM, 2002)[19]

Certified in the Governance of Enterprise IT (CGEIT, 2007)[20]

Certified in Risk and Information Systems Control (CRISC, 2010)[21]

Certified Data Privacy Solutions Engineer (CDPSE)[22]

Cybersecurity Practitioner Certification (CSX-P)[23]