Chapter 3 - Legal, Ethical and Professional Issues in Information Security Flashcards
Learning Objectives
–Describe the functions of and relationships among laws, regulations, and professional organizations in information security
–Explain the differences between laws and ethics
–Identify major national laws that affect the practice of information security
–Discuss the role of culture as it applies to ethics in information security
What are the 3 things an IS practitioner must do to reduce risks and liabilities?
- Understand the current legal environment
- Stay current with laws and regulations
- Watch for new and emerging issues
Laws
Rules that mandate or prohibit certain actions or behaviors and are enforced by the state/government.
Ethics
Regulate and define socially acceptable behavior.
Cultural mores
fixed moral attitudes or customs of a particular group
Main difference between laws and ethics
Laws have the cudgel of force behind them: they are enforced by the state, whereas ethics are not.
Liability
The legal obligation of an entity that extends beyond criminal or contract law; it includes the legal obligation to make restitution.
Restitution
the legal obligation to compensate an injured party for the wrongs committed
Due care
The legal standard requiring a prudent organization to act both legally and ethically and to know the consequences of its actions.
Due diligence
the legal standard requiring a prudent organization to maintain the standard of due care and ensure actions are effective
Jurisdiction
&
Long-arm Jurisdiction
•Jurisdiction: court’s right to hear a case if the wrong was committed in its territory or involved its citizenry
•Long arm jurisdiction: application of laws to those residing outside court’s normal jurisdiction; usually granted when person acts illegally within jurisdiction and leaves
Policies
•Policies: managerial directives that specify acceptable and unacceptable employee behavior in the workplace
Difference between policy and law
Unlike law, where ignorance is no defense, ignorance of a policy is an acceptable defense. An organization can therefore only enforce a policy it can show was properly disseminated, read, understood, agreed to, and uniformly enforced.
5 Criteria for policy enforcement
–Dissemination (distribution)
–Review (reading)
–Comprehension (understanding)
–Compliance (agreement)
–Uniform enforcement
Civil Law
governs nation or state; manages relationships/conflicts between organizations and people
Criminal Law
•Criminal: addresses activities and conduct harmful to society; actively enforced by the state
Private Law
•Private: family/commercial/labor law; regulates relationships between individuals and organizations
Public law
•Public: regulates structure/administration of government agencies and relationships with citizens, employees, and other governments
Computer Fraud and Abuse Act of 1986 (CFA Act)
•cornerstone of many computer-related federal laws and enforcement efforts
National Information Infrastructure Protection Act of 1996
–Modified several sections of the previous act and increased the penalties for selected crimes
The National Info Infrastructure Act increased penalties judged on the value of the information and the purpose. What are the three purposes?
- Purpose of commercial advantage
- For private financial gain
- In furtherance of a criminal act
USA PATRIOT Act of 2001
•USA PATRIOT Act of 2001: provides law enforcement agencies with broader latitude in order to combat terrorism-related activities
USA PATRIOT Improvement and Reauthorization Act
•USA PATRIOT Improvement and Reauthorization Act: Made permanent fourteen of the sixteen expanded powers of the Department of Homeland Security (DHS) and the FBI in investigating terrorist activity
Computer Security Act of 1987
•One of the first attempts to protect federal computer systems by establishing minimum acceptable security practices.
Privacy
•Right of individuals or groups to protect themselves and personal information from unauthorized access
What is a major concern with big data and privacy?
•Ability to aggregate data from multiple sources allows creation of information databases previously impossible
What is the significance of the Privacy of Customer Information Section of the common carrier regulation?
Customer information cannot be used for marketing purposes; it may be used solely to provide the service. Carriers also cannot disclose the information except when necessary to provide their services, or when the customer requests disclosure of the information.
Importance of the Federal Privacy Act of 1974
Regulates how federal government agencies handle personal information. It was created to ensure that agencies protect the privacy of individuals' and businesses' information, and it holds them responsible if any of that information is released without permission.
The Electronic Communications Privacy Act of 1986
regulates the interception of wire, electronic, and oral communications. The ECPA works in conjunction with the Fourth Amendment of the US Constitution, which provides protections from unlawful search and seizure
Health Insurance Portability and Accountability Act of 1996 (HIPAA), aka Kennedy-Kassebaum Act
The act requires organizations that retain health-care information to use information security mechanisms to protect this information, as well as policies and procedures to maintain this security.
Financial Services Modernization Act, or Gramm-Leach-Bliley Act of 1999
requires all financial institutions to disclose their privacy policies on the sharing of nonpublic personal information.
It also requires due notice to customers so that they can request that their information not be shared with third parties.
Identity Theft
•It can occur when someone steals victim’s personally identifiable information (PII) and poses as victim to conduct actions/make purchases.
What steps should you take if you suspect identity theft?
- Report to one of the three national credit reporting companies and request an initial fraud alert
- Order credit reports and examine them for fraudulent activity; contact the fraud department in the organization holding the suspect account
- Create an identity theft report through the FTC's identity theft affidavit
- Document all calls/letters/communications during the process
Economic Espionage Act of 1996 (EEA)
In an attempt to protect American ingenuity, intellectual property, and competitive advantage, Congress passed the Economic Espionage Act (EEA) in 1996. This law attempts to prevent trade secrets from being illegally shared.
The Security and Freedom Through Encryption Act of 1997 (SAFE)
An attempt by Congress to provide guidance on the use of encryption and to provide measures of public protection from government intervention.
Exclusions to U.S. copyright law
Fair use of copyrighted materials includes the use to support news reporting, teaching, scholarship, and a number of other related permissions, so long as the purpose of the use is for educational or library purposes, not for profit, and is not excessive.
What is the goal of US copyright laws?
To protect intellectual property
Sarbanes Oxley Act of 2002
•Seeks to improve reliability and accuracy of financial reporting and increase the accountability of corporate governance in publicly traded companies
Effects of SOX 2002
- Affects executive management of publicly traded corporations and public accounting firms
- Penalties for noncompliance range from fines to jail terms
Freedom of Information Act of 1966 (FOIA)
- Allows access to federal agency records or information not determined to be a matter of national security
- U.S. government agencies are required to disclose requested information upon receipt of a written request, subject to the Act's exemptions
backlog meaning
A backlog is a buildup of work that needs to be completed. The term “backlog” has a number of uses in accounting and finance.
Payment Card Industry Data Security Standard (PCI DSS)
•Offers a standard of performance with which organizations processing payment cards must comply.
State and local regulations vs. federal law
Federal computer laws are mainly written specifically for federal information systems and have little applicability to private organizations.
Thus, IS professionals are responsible for understanding and complying with the state and local regulations that apply to them.
Digital Millennium Copyright Act (DMCA)
The Digital Millennium Copyright Act (DMCA) is the U.S. contribution to an international effort to reduce the impact of copyright, trademark, and privacy infringement, especially when it is accomplished by removing or circumventing technological copyright protection measures.
Three general causes of unethical and illegal behavior
- Ignorance
- Accident
- Intent
Deterrence
methods and strategies used to prevent unethical activity (i.e.: laws, policies, technical controls)
Mission of
Department of Homeland Security (DHS)
to protect the citizens as well as the physical and informational assets of the US
Mission of the US Secret Service
–In addition to protective services, charged with safeguarding nation’s financial infrastructure and payments system to preserve integrity of economy
Missions of the FBI
–Primary law enforcement agency; investigates traditional crimes and cybercrimes
–Key priorities include computer/network intrusions, identity theft, and fraud
Mission of the
National Security Agency (NSA)
–Is the nation’s cryptologic organization
–Responsible for signals intelligence and information assurance (security)
–Information Assurance Directorate (IAD) is responsible for the protection of systems that store, process, and transmit information of high national value.
Story at the beginning of the Chapter and what can be learned?
Henry Macgruder leaves a CD at the coffee station and Iris Majwubu finds it, runs a virus scan, and identifies both the owner and the crime.
Henry was basically selling sensitive company information (names, addresses, SSNs, credit card numbers, etc.)
Henry - bad guy
Iris - person who found out
Jill - person paying Henry for the stolen information
ISACA
Information Systems Audit and Control Association
ISACA Certifications (internal audit careers)
Certified Information Systems Auditor (CISA, 1978)
Certified Information Security Manager (CISM, 2002)
Certified in the Governance of Enterprise IT (CGEIT, 2007)
Certified in Risk and Information Systems Control (CRISC, 2010)
Certified Data Privacy Solutions Engineer (CDPSE)
Cybersecurity Practitioner Certification (CSX-P)