Lecture 3 Flashcards by J D

rules that mandate or prohibit certain societal behavior

Law and Ethics in Information Security

Legal, Ethical, and Professional Issues in Information Security

Laws

How well did you know this?

Not at all

Perfectly

define socially acceptable behavior

Law and Ethics in Information Security

Legal, Ethical, and Professional Issues in Information Security

Ethics

How well did you know this?

Not at all

Perfectly

fixed moral attitudes or customs of a particular group; ethics based on these

Law and Ethics in Information Security

Legal, Ethical, and Professional Issues in Information Security

Cultural mores

How well did you know this?

Not at all

Perfectly

fixed moral attitudes or customs of a particular group; ethics based on these

Law and Ethics in Information Security

Legal, Ethical, and Professional Issues in Information Security

Cultural mores

How well did you know this?

Not at all

Perfectly

? carry sanctions of a governing authority; ?? do not

Law and Ethics in Information Security

Legal, Ethical, and Professional Issues in Information Security

Laws
Ethics

How well did you know this?

Not at all

Perfectly

?, ??, ???, ????, ?????

(5) Types of Law

Legal, Ethical, and Professional Issues in Information Security

Civil
Criminal
Tort
Private
Public

How well did you know this?

Not at all

Perfectly

?, ??, ???, ????, ?????, ??????

(6) Relevant U.S. Laws (General)

Legal, Ethical, and Professional Issues in Information Security

Computer Fraud and Abuse Act of 1986 (CFA Act)
National Information Infrastructure Protection Act of 1996
USA Patriot Act of 2001
Telecommunications Deregulation and Competition Act of 1996
Communications Decency Act of 1996 (CDA)
Computer Security Act of 1987

How well did you know this?

Not at all

Perfectly

One of the hottest topics in information security

Legal, Ethical, and Professional Issues in Information Security

Privacy

How well did you know this?

Not at all

Perfectly

Is a “state of being free from unsanctioned intrusion”

Legal, Ethical, and Professional Issues in Information Security

Privacy

How well did you know this?

Not at all

Perfectly

Ability to aggregate data from multiple sources allows creation of information databases previously unheard of

Legal, Ethical, and Professional Issues in Information Security

Privacy

How well did you know this?

Not at all

Perfectly

Ability to aggregate data from multiple sources allows creation of information databases previously unheard of

Legal, Ethical, and Professional Issues in Information Security

Privacy

How well did you know this?

Not at all

Perfectly

?, ??, ???, ????, ?????

(5) Privacy of Customer Information

Legal, Ethical, and Professional Issues in Information Security

Privacy of Customer Information Section of common carrier regulation
Federal Privacy Act of 1974
Electronic Communications Privacy Act of 1986
Health Insurance Portability and Accountability Act of 1996 (HIPAA), aka Kennedy-Kassebaum Act
Financial Services Modernization Act, or Gramm-Leach-Bliley Act of 1999

How well did you know this?

Not at all

Perfectly

?, ??

(2) Export and Espionage Laws

Legal, Ethical, and Professional Issues in Information Security

Economic Espionage Act of 1996 (EEA)
Security And Freedom Through Encryption Act of 1999 (SAFE)

How well did you know this?

Not at all

Perfectly

?, ??

Intellectual property recognized as protected asset in the U.S.; ?? extends to electronic formats

Legal, Ethical, and Professional Issues in Information Security

U.S. Copyright Law
copyright law

How well did you know this?

Not at all

Perfectly

With proper acknowledgement, permissible to include portions of others’ work as reference

Legal, Ethical, and Professional Issues in Information Security

U.S. Copyright Law

How well did you know this?

Not at all

Perfectly

Allows access to federal agency records or information not determined to be matter of national security

Legal, Ethical, and Professional Issues in Information Security

Freedom of Information Act of 1966 (FOIA)

How well did you know this?

Not at all

Perfectly

U.S. government agencies required to disclose any requested information upon receipt of written request. Some information protected from disclosure

Legal, Ethical, and Professional Issues in Information Security

Freedom of Information Act of 1966 (FOIA)

How well did you know this?

Not at all

Perfectly

Restrictions on organizational computer technology use exist at international, national, state, local levels

Legal, Ethical, and Professional Issues in Information Security

State and Local Regulations

How well did you know this?

Not at all

Perfectly

? responsible for understanding state regulations and ensuring organization is compliant with regulations

State and Local Regulations

Legal, Ethical, and Professional Issues in Information Security

Information security professional

How well did you know this?

Not at all

Perfectly

Establishes international task force overseeing Internet security functions for standardized international technology laws

International Laws and Legal Bodies

Legal, Ethical, and Professional Issues in Information Security

European Council Cyber-Crime Convention

How well did you know this?

Not at all

Perfectly

Attempts to improve effectiveness of international investigations into breaches of technology law

International Laws and Legal Bodies

Legal, Ethical, and Professional Issues in Information Security

European Council Cyber-Crime Convention

How well did you know this?

Not at all

Perfectly

Well received by intellectual property rights advocates due to emphasis on copyright infringement prosecution

International Laws and Legal Bodies

Legal, Ethical, and Professional Issues in Information Security

European Council Cyber-Crime Convention

How well did you know this?

Not at all

Perfectly

Lacks realistic provisions for enforcement

International Laws and Legal Bodies

Legal, Ethical, and Professional Issues in Information Security

European Council Cyber-Crime Convention

How well did you know this?

Not at all

Perfectly

U.S. contribution to international effort to reduce impact of copyright, trademark, and privacy infringement

Legal, Ethical, and Professional Issues in Information Security

Digital Millennium Copyright Act (DMCA)

How well did you know this?

Not at all

Perfectly

A response to European Union Directive 95/46/EC, which **adds protection to individuals with regard to processing and free movement of personal data** ## Footnote **Legal, Ethical, and Professional Issues in Information Security**

Digital Millennium Copyright Act (DMCA)

Makes provisions, to a degree, for information security during information warfare (IW) ## Footnote **Legal, Ethical, and Professional Issues in Information Security**

United Nations Charter

# ? involves use of **information technology** to conduct organized and **lawful military operations** | United Nations Charter ## Footnote **Legal, Ethical, and Professional Issues in Information Security**

IW (Information Warefare)

# ? is relatively **new type of warfare**, although military has been conducting electronic warfare operations for decades | United Nations Charter ## Footnote **Legal, Ethical, and Professional Issues in Information Security**

IW (Information Warefare)

Most organizations develop and formalize a body of expectations called **?** | Policy Versus Law ## Footnote **Legal, Ethical, and Professional Issues in Information Security**

policy

# ? serve as organizational laws | Policy Versus Law ## Footnote **Legal, Ethical, and Professional Issues in Information Security**

Policies

To be enforceable, **?** must be distributed, readily available, easily understood, and acknowledged by employees | Policy Versus Law ## Footnote **Legal, Ethical, and Professional Issues in Information Security**

policy

The ten commandments of Computer Ethics | Ethics and Information Security ## Footnote **Legal, Ethical, and Professional Issues in Information Security**

1. Thou shalt **not** use a computer to **harm other people** 2. Thou shalt **not interfere with other people's computer work** 3. Thou shalt **not snoop around** in other people's computer files 4. Thou shalt **not** use a computer to **steal** 5. Thou shalt **not** use a computer to **bear false witness** 6. Thou shalt **not copy or use proprietary software** for which you have not paid 7. Thou shalt **not use other people's computer resource**s without authorization or proper compensation 8. Thou shalt **not appropriate other people's intellectual output** 9. Thou shalt **think about the social consequences of the program you are writing** or the system you are designing 10. Thou **shalt** always use a computer in ways that **ensure consideration and respect for your fellow humans**

# ? create difficulty in determining what is and is not ethical | Ethical Differences Across Cultures ## Footnote **Legal, Ethical, and Professional Issues in Information Security**

Cultural differences

# ? arise when one **nationality’s ethical behavior conflicts with ethics of another national group** | Ethical Differences Across Cultures ## Footnote **Legal, Ethical, and Professional Issues in Information Security**

Difficulties

Overriding factor in leveling ethical perceptions within a small population is **?** | Ethics and Education ## Footnote **Legal, Ethical, and Professional Issues in Information Security**

education

Employees must be trained in expected behaviors of an ethical employee, especially in areas of **?** | Ethics and Education ## Footnote **Legal, Ethical, and Professional Issues in Information Security**

information security

**?** vital to creating informed, well prepared, and low risk system user | Ethics and Education ## Footnote **Legal, Ethical, and Professional Issues in Information Security**

Proper ethical training

# ? best method for preventing an illegal or unethical activity; e.g., laws, policies, technical controls | Deterrence to Unethical and Illegal Behavior ## Footnote **Legal, Ethical, and Professional Issues in Information Security**

Deterrence

# ?, ??, ??? Laws and policies only deter if three conditions are present | Deterrence to Unethical and Illegal Behavior ## Footnote **Legal, Ethical, and Professional Issues in Information Security**

* Fear of penalty * Probability of being caught * Probability of penalty being administered

Several professional organizations have established **?** | Codes of Ethics and Professional Organizations ## Footnote **Legal, Ethical, and Professional Issues in Information Security**

codes of conduct/ethics

# ? can have positive effect; unfortunately, many employers do not encourage joining of these professional organizations | Codes of Ethics and Professional Organizations ## Footnote **Legal, Ethical, and Professional Issues in Information Security**

Codes of ethics

# ? to act ethically and according to policies of employer, professional organization, and laws of society | Codes of Ethics and Professional Organizations ## Footnote **Legal, Ethical, and Professional Issues in Information Security**

Responsibility of security professionals

# ? established in 1947 as “the world's first educational and scientific computing society” ## Footnote **Legal, Ethical, and Professional Issues in Information Security**

ACM (Association of Computing Machinery)

# ? contains references to protecting information confidentiality, causing no harm, protecting others’ privacy, and respecting others’ intellectual property | Association of Computing Machinery (ACM) ## Footnote **Legal, Ethical, and Professional Issues in Information Security**

Code of ethics

# ? Non-profit organization focusing on development and implementation of information security certifications and credentials ## Footnote **Legal, Ethical, and Professional Issues in Information Security**

International Information Systems Security Certification Consortium, Inc. (ISC)^2

Code primarily designed for information security professionals who have certification from **?** | International Information Systems Security Certification Consortium, Inc ## Footnote **Legal, Ethical, and Professional Issues in Information Security**

(ISC)^2 (International Information Systems Security Certification Consortium, Inc.

Code of ethics focuses on four **?** | International Information Systems Security Certification Consortium, Inc ## Footnote **Legal, Ethical, and Professional Issues in Information Security**

mandatory canons

# ? Professional organization with a large membership dedicated to **protection of information and systems** ## Footnote **Legal, Ethical, and Professional Issues in Information Security**

System Administration, Networking, and Security Institute (SANS)

SANS offers set of certifications called **?** | System Administration, Networking, and Security Institute (SANS) ## Footnote **Legal, Ethical, and Professional Issues in Information Security**

Global Information Assurance Certification (GIAC)

Professional association with focus on **auditing, control, and security** ## Footnote **Legal, Ethical, and Professional Issues in Information Security**

Information Systems Audit and Control Association (ISACA)

Concentrates on **providing IT control practices and standards** ## Footnote **Legal, Ethical, and Professional Issues in Information Security**

Information Systems Audit and Control Association (ISACA)

has code of ethics for its professionals ## Footnote **Legal, Ethical, and Professional Issues in Information Security**

Information Systems Audit and Control Association (ISACA)

**Provides information and training** to support computer, networking, and **information security professionals** ## Footnote **Legal, Ethical, and Professional Issues in Information Security**

Computer Security Institute (CSI)

Though without a code of ethics, has argued for adoption of ethical behavior among **information security professionals** ## Footnote **Legal, Ethical, and Professional Issues in Information Security**

Computer Security Institute (CSI)

Nonprofit society of **information security (IS) professionals** ## Footnote **Legal, Ethical, and Professional Issues in Information Security**

Information Systems Security Association (ISSA)

**Primary mission to bring together qualified IS practitioners** for information exchange and educational development ## Footnote **Legal, Ethical, and Professional Issues in Information Security**

Information Systems Security Association (ISSA)

Promotes code of ethics similar to (ISC)^2, ISACA and ACM ## Footnote **Legal, Ethical, and Professional Issues in Information Security**

Information Systems Security Association (ISSA)

promotes development and implementation of education, standards, policy and **education to promote the Internet** | Other Security Organizations ## Footnote **Legal, Ethical, and Professional Issues in Information Security**

Internet Society (ISOC)

**division of National Institute for Standards and Technology (NIST)**; promotes industry best practices and is important reference for **information security professionals** | Other Security Organizations ## Footnote **Legal, Ethical, and Professional Issues in Information Security**

Computer Security Division (CSD)

**center of Internet security expertise** operated by Carnegie Mellon University | Other Security Organizations(continued) ## Footnote **Legal, Ethical, and Professional Issues in Information Security**

CERT Coordination Center (CERT/CC)

public organization for anyone concerned with **impact of computer technology on society** | Other Security Organizations(continued) ## Footnote **Legal, Ethical, and Professional Issues in Information Security**

Computer Professionals for Social Responsibility (CPSR)

# ?, ??, ???, ???? (4) Key U.S. Federal Agencies | Other Security Organizations(continued) ## Footnote **Legal, Ethical, and Professional Issues in Information Security**

* Department of Homeland Security (DHS) * Federal Bureau of Investigation’s National Infrastructure Protection Center (NIPC) * National Security Agency (NSA) * U.S. Secret Service

# ? is **legal obligation of an entity**; includes legal obligation to make restitution for wrongs committed | Organizational Liability and the Need for Counsel ## Footnote **Legal, Ethical, and Professional Issues in Information Security**

Liability

**Organization increases liability** if it refuses to take measures known as **?** | Organizational Liability and the Need for Counsel ## Footnote **Legal, Ethical, and Professional Issues in Information Security**

due care

# ? requires that an organization **make valid effort to protect others** and continually maintain that level of effort | Organizational Liability and the Need for Counsel ## Footnote **Legal, Ethical, and Professional Issues in Information Security**

Due diligence