Lecture 3 Flashcards
?
rules that mandate or prohibit certain societal behavior
Law and Ethics in Information Security
Legal, Ethical, and Professional Issues in Information Security
Laws
?
define socially acceptable behavior
Law and Ethics in Information Security
Legal, Ethical, and Professional Issues in Information Security
Ethics
?
fixed moral attitudes or customs of a particular group; ethics based on these
Law and Ethics in Information Security
Legal, Ethical, and Professional Issues in Information Security
Cultural mores
? carry sanctions of a governing authority; ?? do not
Law and Ethics in Information Security
Legal, Ethical, and Professional Issues in Information Security
- Laws
- Ethics
?, ??, ???, ????, ?????
(5) Types of Law
Legal, Ethical, and Professional Issues in Information Security
- Civil
- Criminal
- Tort
- Private
- Public
?, ??, ???, ????, ?????, ??????
(6) Relevant U.S. Laws (General)
Legal, Ethical, and Professional Issues in Information Security
- Computer Fraud and Abuse Act of 1986 (CFA Act)
- National Information Infrastructure Protection Act of 1996
- USA Patriot Act of 2001
- Telecommunications Deregulation and Competition Act of 1996
- Communications Decency Act of 1996 (CDA)
- Computer Security Act of 1987
?
One of the hottest topics in information security
Legal, Ethical, and Professional Issues in Information Security
Privacy
?
Is a “state of being free from unsanctioned intrusion”
Legal, Ethical, and Professional Issues in Information Security
Privacy
?
Ability to aggregate data from multiple sources allows creation of information databases previously unheard of
Legal, Ethical, and Professional Issues in Information Security
Privacy
?, ??, ???, ????, ?????
(5) Privacy of Customer Information
Legal, Ethical, and Professional Issues in Information Security
- Privacy of Customer Information Section of common carrier regulation
- Federal Privacy Act of 1974
- Electronic Communications Privacy Act of 1986
- Health Insurance Portability and Accountability Act of 1996 (HIPAA), aka Kennedy-Kassebaum Act
- Financial Services Modernization Act, or Gramm-Leach-Bliley Act of 1999
?, ??
(2) Export and Espionage Laws
Legal, Ethical, and Professional Issues in Information Security
- Economic Espionage Act of 1996 (EEA)
- Security And Freedom Through Encryption Act of 1999 (SAFE)
?, ??
? recognized as protected asset in the U.S.; ?? extends that protection to electronic formats
Legal, Ethical, and Professional Issues in Information Security
- Intellectual property
- U.S. Copyright Law
?
With proper acknowledgement, permissible to include portions of others’ work as reference
Legal, Ethical, and Professional Issues in Information Security
U.S. Copyright Law
?
Allows access to federal agency records or information not determined to be matter of national security
Legal, Ethical, and Professional Issues in Information Security
Freedom of Information Act of 1966 (FOIA)
?
U.S. government agencies required to disclose any requested information upon receipt of written request. Some information protected from disclosure
Legal, Ethical, and Professional Issues in Information Security
Freedom of Information Act of 1966 (FOIA)
?
Restrictions on organizational computer technology use exist at international, national, state, local levels
Legal, Ethical, and Professional Issues in Information Security
State and Local Regulations
? responsible for understanding state regulations and ensuring organization is compliant with regulations
State and Local Regulations
Legal, Ethical, and Professional Issues in Information Security
Information security professional
Establishes international task force overseeing Internet security functions for standardized international technology laws
International Laws and Legal Bodies
Legal, Ethical, and Professional Issues in Information Security
Council of Europe Convention on Cybercrime (called the European Council Cyber-Crime Convention in the lecture)
Attempts to improve effectiveness of international investigations into breaches of technology law
International Laws and Legal Bodies
Legal, Ethical, and Professional Issues in Information Security
Council of Europe Convention on Cybercrime (called the European Council Cyber-Crime Convention in the lecture)
Well received by intellectual property rights advocates due to emphasis on copyright infringement prosecution
International Laws and Legal Bodies
Legal, Ethical, and Professional Issues in Information Security
Council of Europe Convention on Cybercrime (called the European Council Cyber-Crime Convention in the lecture)
Lacks realistic provisions for enforcement
International Laws and Legal Bodies
Legal, Ethical, and Professional Issues in Information Security
Council of Europe Convention on Cybercrime (called the European Council Cyber-Crime Convention in the lecture)
U.S. contribution to international effort to reduce impact of copyright, trademark, and privacy infringement
Legal, Ethical, and Professional Issues in Information Security
Digital Millennium Copyright Act (DMCA)
? adds protection to individuals with regard to the processing and free movement of personal data
Legal, Ethical, and Professional Issues in Information Security
European Union Directive 95/46/EC (the Data Protection Directive)
Makes provisions, to a degree, for information security during information warfare (IW)
Legal, Ethical, and Professional Issues in Information Security
United Nations Charter
?
involves use of information technology to conduct organized and lawful military operations
United Nations Charter
Legal, Ethical, and Professional Issues in Information Security
IW (Information Warfare)
?
is relatively new type of warfare, although military has been conducting electronic warfare operations for decades
United Nations Charter
Legal, Ethical, and Professional Issues in Information Security
IW (Information Warfare)
Most organizations develop and formalize a body of expectations called ?
Policy Versus Law
Legal, Ethical, and Professional Issues in Information Security
policy
?
serve as organizational laws
Policy Versus Law
Legal, Ethical, and Professional Issues in Information Security
Policies
To be enforceable, ? must be distributed, readily available, easily understood, and acknowledged by employees
Policy Versus Law
Legal, Ethical, and Professional Issues in Information Security
policy
The Ten Commandments of Computer Ethics
Ethics and Information Security
Legal, Ethical, and Professional Issues in Information Security
- Thou shalt not use a computer to harm other people
- Thou shalt not interfere with other people’s computer work
- Thou shalt not snoop around in other people’s computer files
- Thou shalt not use a computer to steal
- Thou shalt not use a computer to bear false witness
- Thou shalt not copy or use proprietary software for which you have not paid
- Thou shalt not use other people’s computer resources without authorization or proper compensation
- Thou shalt not appropriate other people’s intellectual output
- Thou shalt think about the social consequences of the program you are writing or the system you are designing
- Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans
?
create difficulty in determining what is and is not ethical
Ethical Differences Across Cultures
Legal, Ethical, and Professional Issues in Information Security
Cultural differences
?
arise when one nationality’s ethical behavior conflicts with ethics of another national group
Ethical Differences Across Cultures
Legal, Ethical, and Professional Issues in Information Security
Difficulties
Overriding factor in leveling ethical perceptions within a small population is ?
Ethics and Education
Legal, Ethical, and Professional Issues in Information Security
education
Employees must be trained in expected behaviors of an ethical employee, especially in areas of ?
Ethics and Education
Legal, Ethical, and Professional Issues in Information Security
information security
? vital to creating informed, well prepared, and low risk system user
Ethics and Education
Legal, Ethical, and Professional Issues in Information Security
Proper ethical training
?
best method for preventing an illegal or unethical activity; e.g., laws, policies, technical controls
Deterrence to Unethical and Illegal Behavior
Legal, Ethical, and Professional Issues in Information Security
Deterrence
?, ??, ???
Laws and policies only deter if three conditions are present
Deterrence to Unethical and Illegal Behavior
Legal, Ethical, and Professional Issues in Information Security
- Fear of penalty
- Probability of being caught
- Probability of penalty being administered
Several professional organizations have established ?
Codes of Ethics and Professional Organizations
Legal, Ethical, and Professional Issues in Information Security
codes of conduct/ethics
?
can have positive effect; unfortunately, many employers do not encourage joining of these professional organizations
Codes of Ethics and Professional Organizations
Legal, Ethical, and Professional Issues in Information Security
Codes of ethics
?
to act ethically and according to policies of employer, professional organization, and laws of society
Codes of Ethics and Professional Organizations
Legal, Ethical, and Professional Issues in Information Security
Responsibility of security professionals
?
established in 1947 as “the world’s first educational and scientific computing society”
Legal, Ethical, and Professional Issues in Information Security
ACM (Association for Computing Machinery)
?
contains references to protecting information confidentiality, causing no harm, protecting others’ privacy, and respecting others’ intellectual property
Association for Computing Machinery (ACM)
Legal, Ethical, and Professional Issues in Information Security
Code of ethics
?
Non-profit organization focusing on development and implementation of information security certifications and credentials
Legal, Ethical, and Professional Issues in Information Security
International Information Systems Security Certification Consortium, Inc. (ISC)^2
Code primarily designed for information security professionals who have certification from ?
International Information Systems Security Certification Consortium, Inc
Legal, Ethical, and Professional Issues in Information Security
(ISC)^2 (International Information Systems Security Certification Consortium, Inc.)
Code of ethics focuses on four ?
International Information Systems Security Certification Consortium, Inc
Legal, Ethical, and Professional Issues in Information Security
mandatory canons
?
Professional organization with a large membership dedicated to protection of information and systems
Legal, Ethical, and Professional Issues in Information Security
System Administration, Networking, and Security Institute (SANS)
SANS offers set of certifications called ?
System Administration, Networking, and Security Institute (SANS)
Legal, Ethical, and Professional Issues in Information Security
Global Information Assurance Certification (GIAC)
Professional association with focus on auditing, control, and security
Legal, Ethical, and Professional Issues in Information Security
Information Systems Audit and Control Association (ISACA)
Concentrates on providing IT control practices and standards
Legal, Ethical, and Professional Issues in Information Security
Information Systems Audit and Control Association (ISACA)
has code of ethics for its professionals
Legal, Ethical, and Professional Issues in Information Security
Information Systems Audit and Control Association (ISACA)
Provides information and training to support computer, networking, and information security professionals
Legal, Ethical, and Professional Issues in Information Security
Computer Security Institute (CSI)
Though without a code of ethics, has argued for adoption of ethical behavior among information security professionals
Legal, Ethical, and Professional Issues in Information Security
Computer Security Institute (CSI)
Nonprofit society of information security (IS) professionals
Legal, Ethical, and Professional Issues in Information Security
Information Systems Security Association (ISSA)
Primary mission to bring together qualified IS practitioners for information exchange and educational development
Legal, Ethical, and Professional Issues in Information Security
Information Systems Security Association (ISSA)
Promotes code of ethics similar to (ISC)^2, ISACA and ACM
Legal, Ethical, and Professional Issues in Information Security
Information Systems Security Association (ISSA)
promotes development and implementation of education, standards, and policy to advance the Internet
Other Security Organizations
Legal, Ethical, and Professional Issues in Information Security
Internet Society (ISOC)
division of the National Institute of Standards and Technology (NIST); promotes industry best practices and is an important reference for information security professionals
Other Security Organizations
Legal, Ethical, and Professional Issues in Information Security
Computer Security Division (CSD)
center of Internet security expertise operated by Carnegie Mellon University
Other Security Organizations (continued)
Legal, Ethical, and Professional Issues in Information Security
CERT Coordination Center (CERT/CC)
public organization for anyone concerned with impact of computer technology on society
Other Security Organizations (continued)
Legal, Ethical, and Professional Issues in Information Security
Computer Professionals for Social Responsibility (CPSR)
?, ??, ???, ????
(4) Key U.S. Federal Agencies
Other Security Organizations (continued)
Legal, Ethical, and Professional Issues in Information Security
- Department of Homeland Security (DHS)
- Federal Bureau of Investigation’s National Infrastructure Protection Center (NIPC)
- National Security Agency (NSA)
- U.S. Secret Service
?
is legal obligation of an entity; includes legal obligation to make restitution for wrongs committed
Organizational Liability and the Need for Counsel
Legal, Ethical, and Professional Issues in Information Security
Liability
Organization increases liability if it refuses to take measures known as ?
Organizational Liability and the Need for Counsel
Legal, Ethical, and Professional Issues in Information Security
due care
?
requires that an organization make valid effort to protect others and continually maintain that level of effort
Organizational Liability and the Need for Counsel
Legal, Ethical, and Professional Issues in Information Security
Due diligence