LEGAL, ETHICAL, AND PROFESSIONAL ISSUES IN INFORMATION SECURITY

OBJECTIVES
• Differentiate between laws and ethics
• Identify major national laws that relate to the practice of information security
• Understand the role of culture as it applies to ethics in information security
INTRODUCTION
• You must understand the scope of an organization’s legal and ethical responsibilities
• To minimize liabilities and reduce risks, the information security practitioner must:
  - Understand the current legal environment
  - Stay current with laws and regulations
  - Watch for new issues that emerge

LAW AND ETHICS IN INFORMATION SECURITY
• Laws: rules that mandate or prohibit certain societal behavior
• Ethics: define socially acceptable behavior
• Cultural mores: fixed moral attitudes or customs of a particular group; ethics are based on these
• Laws carry the sanctions of a governing authority; ethics do not

TYPES OF LAW
• Civil
• Criminal
• Tort
• Private
• Public
RELEVANT U.S. LAWS (GENERAL)
• Computer Fraud and Abuse Act of 1986 (CFA Act)
• National Information Infrastructure Protection Act of 1996
• USA Patriot Act of 2001
• Telecommunications Deregulation and Competition Act of 1996
• Communications Decency Act of 1996 (CDA)
• Computer Security Act of 1987

PRIVACY
• One of the hottest topics in information security
• Privacy is a “state of being free from unsanctioned intrusion”
• The ability to aggregate data from multiple sources allows the creation of information databases previously unheard of

PRIVACY OF CUSTOMER INFORMATION
• Privacy of Customer Information Section of common carrier regulation
• Federal Privacy Act of 1974
• Electronic Communications Privacy Act of 1986
• Health Insurance Portability and Accountability Act of 1996 (HIPAA), aka Kennedy-Kassebaum Act
• Financial Services Modernization Act, or Gramm-Leach-Bliley Act of 1999

EXPORT AND ESPIONAGE LAWS
• Economic Espionage Act of 1996 (EEA)
• Security And Freedom Through Encryption Act of 1999 (SAFE)
U.S. COPYRIGHT LAW
• Intellectual property is recognized as a protected asset in the U.S.; copyright law extends to electronic formats
• With proper acknowledgement, it is permissible to include portions of others’ work as reference
• U.S. Copyright Office Web site: www.copyright.gov

FREEDOM OF INFORMATION ACT OF 1966 (FOIA)
• Allows access to federal agency records or information not determined to be a matter of national security
• U.S. government agencies are required to disclose any requested information upon receipt of a written request
• Some information is protected from disclosure

STATE AND LOCAL REGULATIONS
• Restrictions on organizational computer technology use exist at the international, national, state, and local levels
• The information security professional is responsible for understanding state regulations and ensuring the organization is compliant with them
INTERNATIONAL LAWS AND LEGAL BODIES
• European Council Cyber-Crime Convention:
  - Establishes an international task force overseeing Internet security functions for standardized international technology laws
  - Attempts to improve the effectiveness of international investigations into breaches of technology law
  - Well received by intellectual property rights advocates due to its emphasis on copyright infringement prosecution
  - Lacks realistic provisions for enforcement

DIGITAL MILLENNIUM COPYRIGHT ACT (DMCA)
• U.S. contribution to an international effort to reduce the impact of copyright, trademark, and privacy infringement
• A response to European Union Directive 95/46/EC, which adds protection to individuals with regard to the processing and free movement of personal data

UNITED NATIONS CHARTER
• Makes provisions, to a degree, for information security during information warfare (IW)
• IW involves the use of information technology to conduct organized and lawful military operations
• IW is a relatively new type of warfare, although the military has been conducting electronic warfare operations for decades

POLICY VERSUS LAW
• Most organizations develop and formalize a body of expectations called policy
• Policies serve as organizational laws
• To be enforceable, a policy must be distributed, readily available, easily understood, and acknowledged by employees
ETHICS AND INFORMATION SECURITY

ETHICAL DIFFERENCES ACROSS CULTURES
• Cultural differences create difficulty in determining what is and is not ethical
• Difficulties arise when one nationality’s ethical behavior conflicts with the ethics of another national group
• Example: many of the ways in which Asian cultures use computer technology constitute software piracy

ETHICS AND EDUCATION
• The overriding factor in leveling ethical perceptions within a small population is education
• Employees must be trained in the expected behaviors of an ethical employee, especially in areas of information security
• Proper ethical training is vital to creating an informed, well-prepared, and low-risk system user

DETERRENCE TO UNETHICAL AND ILLEGAL BEHAVIOR
• Deterrence: the best method for preventing an illegal or unethical activity; e.g., laws, policies, technical controls
• Laws and policies only deter if three conditions are present:
  - Fear of penalty
  - Probability of being caught
  - Probability of penalty being administered

CODES OF ETHICS AND PROFESSIONAL ORGANIZATIONS
• Several professional organizations have established codes of conduct/ethics
• Codes of ethics can have a positive effect; unfortunately, many employers do not encourage joining these professional organizations
• It is the responsibility of security professionals to act ethically and according to the policies of their employer, their professional organization, and the laws of society
ASSOCIATION OF COMPUTING MACHINERY (ACM)
• ACM was established in 1947 as “the world's first educational and scientific computing society”
• Its code of ethics contains references to protecting information confidentiality, causing no harm, protecting others’ privacy, and respecting others’ intellectual property

INTERNATIONAL INFORMATION SYSTEMS SECURITY CERTIFICATION CONSORTIUM, INC. (ISC)2
• Non-profit organization focusing on the development and implementation of information security certifications and credentials
• Code primarily designed for information security professionals who hold a certification from (ISC)2
• Code of ethics focuses on four mandatory canons

SYSTEM ADMINISTRATION, NETWORKING, AND SECURITY INSTITUTE (SANS)
• Professional organization with a large membership dedicated to the protection of information and systems
• SANS offers a set of certifications called Global Information Assurance Certification (GIAC)

INFORMATION SYSTEMS AUDIT AND CONTROL ASSOCIATION (ISACA)
• Professional association with a focus on auditing, control, and security
• Concentrates on providing IT control practices and standards
• ISACA has a code of ethics for its professionals

COMPUTER SECURITY INSTITUTE (CSI)
• Provides information and training to support computer, networking, and information security professionals
• Though without a code of ethics, it has argued for the adoption of ethical behavior among information security professionals

INFORMATION SYSTEMS SECURITY ASSOCIATION (ISSA)
• Nonprofit society of information security (IS) professionals
• Primary mission is to bring together qualified IS practitioners for information exchange and educational development
• Promotes a code of ethics similar to those of (ISC)2, ISACA and ACM

OTHER SECURITY ORGANIZATIONS
• Internet Society (ISOC): promotes the development and implementation of education, standards, and policy to promote the Internet
• Computer Security Division (CSD): division of the National Institute of Standards and Technology (NIST); promotes industry best practices and is an important reference for information security professionals

OTHER SECURITY ORGANIZATIONS (CONTINUED)
• CERT Coordination Center (CERT/CC): center of Internet security expertise operated by Carnegie Mellon University
• Computer Professionals for Social Responsibility (CPSR): public organization for anyone concerned with the impact of computer technology on society

KEY U.S. FEDERAL AGENCIES
• Department of Homeland Security (DHS)
• Federal Bureau of Investigation’s National Infrastructure Protection Center (NIPC)
• National Security Agency (NSA)
• U.S. Secret Service
ORGANIZATIONAL LIABILITY AND THE NEED FOR COUNSEL
• Liability is the legal obligation of an entity; it includes the legal obligation to make restitution for wrongs committed
• An organization increases its liability if it refuses to take measures known as due care
• Due diligence requires that an organization make a valid effort to protect others and continually maintain that level of effort

SUMMARY
• Laws: rules that mandate or prohibit certain behavior in society; drawn from ethics
• Ethics: define socially acceptable behaviors; based on cultural mores (fixed moral attitudes or customs of a particular group)
• Types of law: civil, criminal, tort law, private, public
• Relevant U.S. laws:
  - Computer Fraud and Abuse Act of 1986 (CFA Act)
  - National Information Infrastructure Protection Act of 1996
  - USA Patriot Act of 2001
  - Telecommunications Deregulation and Competition Act of 1996
  - Communications Decency Act of 1996 (CDA)
  - Computer Security Act of 1987
• Many organizations have codes of conduct and/or codes of ethics
• An organization increases its liability if it refuses to take measures known as due care
• Due diligence requires that an organization make a valid effort to protect others and continually maintain that effort

Weitere ähnliche Inhalte

Was ist angesagt?

Introduction to Network Security
Introduction to Network SecurityIntroduction to Network Security
Introduction to Network Security
John Ely Masculino
 

Was ist angesagt? (20)

Information Security Lecture Notes
Information Security Lecture NotesInformation Security Lecture Notes
Information Security Lecture Notes
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security Fundamentals
 
Chapter2 the need to security
Chapter2 the need to securityChapter2 the need to security
Chapter2 the need to security
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
 
Ethics in IT Security
Ethics in IT SecurityEthics in IT Security
Ethics in IT Security
 
Network security
Network securityNetwork security
Network security
 
Network security & cryptography full notes
Network security & cryptography full notesNetwork security & cryptography full notes
Network security & cryptography full notes
 
Information security
Information securityInformation security
Information security
 
INFORMATION SECURITY
INFORMATION SECURITYINFORMATION SECURITY
INFORMATION SECURITY
 
The CIA Triad - Assurance on Information Security
The CIA Triad - Assurance on Information SecurityThe CIA Triad - Assurance on Information Security
The CIA Triad - Assurance on Information Security
 
Cia security model
Cia security modelCia security model
Cia security model
 
Chapter 1 Introduction of Cryptography and Network security
Chapter 1 Introduction of Cryptography and Network security Chapter 1 Introduction of Cryptography and Network security
Chapter 1 Introduction of Cryptography and Network security
 
Security technologies
Security technologiesSecurity technologies
Security technologies
 
Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005
 
Information Security Policies and Standards
Information Security Policies and StandardsInformation Security Policies and Standards
Information Security Policies and Standards
 
Operating system security
Operating system securityOperating system security
Operating system security
 
Introduction to Network Security
Introduction to Network SecurityIntroduction to Network Security
Introduction to Network Security
 
Information security
Information securityInformation security
Information security
 
Information Security Lecture #1 ppt
Information Security Lecture #1 pptInformation Security Lecture #1 ppt
Information Security Lecture #1 ppt
 
03 cia
03 cia03 cia
03 cia
 

Andere mochten auch

Computer Ethics and Legal Issues
Computer Ethics and Legal IssuesComputer Ethics and Legal Issues
Computer Ethics and Legal Issues
Kak Yong
 
Computer Ethics Presentation
Computer Ethics PresentationComputer Ethics Presentation
Computer Ethics Presentation
katespeach
 
Legal, Ethical, and Social Issues in Educational Computing
Legal, Ethical, and Social Issues in Educational ComputingLegal, Ethical, and Social Issues in Educational Computing
Legal, Ethical, and Social Issues in Educational Computing
sappingtonkr
 
Computer ethics
Computer ethicsComputer ethics
Computer ethics
Jagan Nath
 
Security and ethical issues - Arber Hoxhallari
Security and ethical issues - Arber HoxhallariSecurity and ethical issues - Arber Hoxhallari
Security and ethical issues - Arber Hoxhallari
Arber Hoxhallari
 
Infosec Law It Web (March 2006)
Infosec Law It Web (March 2006)Infosec Law It Web (March 2006)
Infosec Law It Web (March 2006)
Lance Michalson
 
The Product Manager Pathfinder - ProductCamp SoCal - H. Del Castillo, AIPMM
The Product Manager Pathfinder - ProductCamp SoCal - H. Del Castillo, AIPMMThe Product Manager Pathfinder - ProductCamp SoCal - H. Del Castillo, AIPMM
The Product Manager Pathfinder - ProductCamp SoCal - H. Del Castillo, AIPMM
Hector Del Castillo, CPM, CPMM
 
Best Practice For Public Sector Information Security And Compliance
Best  Practice For  Public  Sector    Information  Security And  ComplianceBest  Practice For  Public  Sector    Information  Security And  Compliance
Best Practice For Public Sector Information Security And Compliance
Oracle
 
Guidance in perspective presentation
Guidance in perspective presentationGuidance in perspective presentation
Guidance in perspective presentation
Katherine Barnachea
 

Andere mochten auch (20)

Legal, Ethical and Social Issues in Technology
Legal, Ethical and Social Issues in TechnologyLegal, Ethical and Social Issues in Technology
Legal, Ethical and Social Issues in Technology
 
Computer Ethics and Legal Issues
Computer Ethics and Legal IssuesComputer Ethics and Legal Issues
Computer Ethics and Legal Issues
 
Computer Ethics Presentation
Computer Ethics PresentationComputer Ethics Presentation
Computer Ethics Presentation
 
Legal, Ethical, and Social Issues in Educational Computing
Legal, Ethical, and Social Issues in Educational ComputingLegal, Ethical, and Social Issues in Educational Computing
Legal, Ethical, and Social Issues in Educational Computing
 
Computer ethics
Computer ethicsComputer ethics
Computer ethics
 
Security and ethical issues - Arber Hoxhallari
Security and ethical issues - Arber HoxhallariSecurity and ethical issues - Arber Hoxhallari
Security and ethical issues - Arber Hoxhallari
 
Infosec Law It Web (March 2006)
Infosec Law It Web (March 2006)Infosec Law It Web (March 2006)
Infosec Law It Web (March 2006)
 
The importance of information security nowadays
The importance of information security nowadaysThe importance of information security nowadays
The importance of information security nowadays
 
OpenText SlideShare – Mitigate Compliance Risks through secure information ex...
OpenText SlideShare – Mitigate Compliance Risks through secure information ex...OpenText SlideShare – Mitigate Compliance Risks through secure information ex...
OpenText SlideShare – Mitigate Compliance Risks through secure information ex...
 
Information Security in a Compliance World
Information Security in a Compliance WorldInformation Security in a Compliance World
Information Security in a Compliance World
 
The Product Manager Pathfinder - ProductCamp SoCal - H. Del Castillo, AIPMM
The Product Manager Pathfinder - ProductCamp SoCal - H. Del Castillo, AIPMMThe Product Manager Pathfinder - ProductCamp SoCal - H. Del Castillo, AIPMM
The Product Manager Pathfinder - ProductCamp SoCal - H. Del Castillo, AIPMM
 
Best Practice For Public Sector Information Security And Compliance
Best  Practice For  Public  Sector    Information  Security And  ComplianceBest  Practice For  Public  Sector    Information  Security And  Compliance
Best Practice For Public Sector Information Security And Compliance
 
The 340B Program and Implications of the Mega Guidance
The 340B Program and Implications of the Mega GuidanceThe 340B Program and Implications of the Mega Guidance
The 340B Program and Implications of the Mega Guidance
 
Chp1 electronic commerce2009
Chp1 electronic commerce2009Chp1 electronic commerce2009
Chp1 electronic commerce2009
 
Chp10 public policy
Chp10 public policyChp10 public policy
Chp10 public policy
 
Professional and Ethical, Issues and Responsibilities
Professional and Ethical, Issues and ResponsibilitiesProfessional and Ethical, Issues and Responsibilities
Professional and Ethical, Issues and Responsibilities
 
Chapter 2
Chapter 2Chapter 2
Chapter 2
 
Guidance in perspective presentation
Guidance in perspective presentationGuidance in perspective presentation
Guidance in perspective presentation
 
Professional and Ethical Impact of Using Social Networking in a Professional ...
Professional and Ethical Impact of Using Social Networking in a Professional ...Professional and Ethical Impact of Using Social Networking in a Professional ...
Professional and Ethical Impact of Using Social Networking in a Professional ...
 
Roles of Information Security Officers in State Government
Roles of Information Security Officers in State GovernmentRoles of Information Security Officers in State Government
Roles of Information Security Officers in State Government
 

Ähnlich wie 02 Legal, Ethical, and Professional Issues in Information Security

ch03-Legal- Ethica and Professional Issues in IS (7-8).pdf
ch03-Legal- Ethica and Professional Issues in IS (7-8).pdfch03-Legal- Ethica and Professional Issues in IS (7-8).pdf
ch03-Legal- Ethica and Professional Issues in IS (7-8).pdf
ssuserceaa40
 
1ITC358ICT Management and Information SecurityChapter 12.docx
1ITC358ICT Management and Information SecurityChapter 12.docx1ITC358ICT Management and Information SecurityChapter 12.docx
1ITC358ICT Management and Information SecurityChapter 12.docx
hyacinthshackley2629
 
Data Risks In A Digital Age
Data Risks In A Digital Age Data Risks In A Digital Age
Data Risks In A Digital Age
padler01
 
Law firm information security overview focus on encryption by dave cunningh...
Law firm information security overview   focus on encryption by dave cunningh...Law firm information security overview   focus on encryption by dave cunningh...
Law firm information security overview focus on encryption by dave cunningh...
David Cunningham
 
It industry regulations
It industry regulationsIt industry regulations
It industry regulations
Nicholas Davis
 
It Industry Regulations
It Industry RegulationsIt Industry Regulations
It Industry Regulations
Nicholas Davis
 

Ähnlich wie 02 Legal, Ethical, and Professional Issues in Information Security (20)

Legal, Ethical and professional issues in Information Security
Legal, Ethical and professional issues in Information SecurityLegal, Ethical and professional issues in Information Security
Legal, Ethical and professional issues in Information Security
 
ch03-Legal- Ethica and Professional Issues in IS (7-8).pdf
ch03-Legal- Ethica and Professional Issues in IS (7-8).pdfch03-Legal- Ethica and Professional Issues in IS (7-8).pdf
ch03-Legal- Ethica and Professional Issues in IS (7-8).pdf
 
Lecture 8.pdf
Lecture 8.pdfLecture 8.pdf
Lecture 8.pdf
 
1ITC358ICT Management and Information SecurityChapter 12.docx
1ITC358ICT Management and Information SecurityChapter 12.docx1ITC358ICT Management and Information SecurityChapter 12.docx
1ITC358ICT Management and Information SecurityChapter 12.docx
 
whitman_ch04.ppt
whitman_ch04.pptwhitman_ch04.ppt
whitman_ch04.ppt
 
STUCOR_CS8792-LL.pdf
STUCOR_CS8792-LL.pdfSTUCOR_CS8792-LL.pdf
STUCOR_CS8792-LL.pdf
 
lesson333.ppt
lesson333.pptlesson333.ppt
lesson333.ppt
 
Law and Ethics in Information Security.pptx
Law and Ethics in Information Security.pptxLaw and Ethics in Information Security.pptx
Law and Ethics in Information Security.pptx
 
Chapter3.ppt
Chapter3.pptChapter3.ppt
Chapter3.ppt
 
Data Risks In A Digital Age
Data Risks In A Digital Age Data Risks In A Digital Age
Data Risks In A Digital Age
 
Unit 6 Privacy and Data Protection 8 hr
Unit 6  Privacy and Data Protection 8 hrUnit 6  Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hr
 
Chapter1 Cyber security Law & policy.pptx
Chapter1 Cyber security Law & policy.pptxChapter1 Cyber security Law & policy.pptx
Chapter1 Cyber security Law & policy.pptx
 
3999779.ppt
3999779.ppt3999779.ppt
3999779.ppt
 
Law firm information security overview focus on encryption by dave cunningh...
Law firm information security overview   focus on encryption by dave cunningh...Law firm information security overview   focus on encryption by dave cunningh...
Law firm information security overview focus on encryption by dave cunningh...
 
Data Security Law and Management.pdf
Data Security Law and Management.pdfData Security Law and Management.pdf
Data Security Law and Management.pdf
 
It industry regulations
It industry regulationsIt industry regulations
It industry regulations
 
It Industry Regulations
It Industry RegulationsIt Industry Regulations
It Industry Regulations
 
Policies and Law in IT
Policies and Law in ITPolicies and Law in IT
Policies and Law in IT
 
Cybersecurity Law and Risk Management
Cybersecurity Law and Risk ManagementCybersecurity Law and Risk Management
Cybersecurity Law and Risk Management
 
Cisco cybersecurity essentials chapter 8
Cisco cybersecurity essentials chapter 8Cisco cybersecurity essentials chapter 8
Cisco cybersecurity essentials chapter 8
 

Kürzlich hochgeladen

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 

Kürzlich hochgeladen (20)

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 

02 Legal, Ethical, and Professional Issues in Information Security

  • 1. LEGAL, ETHICAL, AND PROFESSIONAL ISSUES IN INFORMATION SECURITY
  • 2.  Differentiate between laws and ethics  Identify major national laws that relate to the practice of information security  Understand the role of culture as it applies to ethics in information security Objectives
  • 3. INTRODUCTION  You must understand scope of an organization’s legal and ethical responsibilities  To minimize liabilities/reduce risks, the information security practitioner must:  Understand current legal environment  Stay current with laws and regulations  Watch for new issues that emerge
  • 4. LAW AND ETHICS IN INFORMATION SECURITY  Laws: rules that mandate or prohibit certain societal behavior  Ethics: define socially acceptable behavior  Cultural mores: fixed moral attitudes or customs of a particular group; ethics based on these  Laws carry sanctions of a governing authority; ethics do not
  • 5. TYPES OF LAW  Civil  Criminal  Tort  Private  Public
  • 6. RELEVANT U.S. LAWS (GENERAL)  Computer Fraud and Abuse Act of 1986 (CFA Act)  National Information Infrastructure Protection Act of 1996  USA Patriot Act of 2001  Telecommunications Deregulation and Competition Act of 1996  Communications Decency Act of 1996 (CDA)  Computer Security Act of 1987
  • 7. PRIVACY  One of the hottest topics in information security  Is a “state of being free from unsanctioned intrusion”  Ability to aggregate data from multiple sources allows creation of information databases previously unheard of
  • 8. PRIVACY OF CUSTOMER INFORMATION  Privacy of Customer Information Section of common carrier regulation  Federal Privacy Act of 1974  Electronic Communications Privacy Act of 1986  Health Insurance Portability and Accountability Act of 1996 (HIPAA), aka Kennedy-Kassebaum Act  Financial Services Modernization Act, or Gramm-Leach-Bliley Act of 1999
  • 9. EXPORT AND ESPIONAGE LAWS  Economic Espionage Act of 1996 (EEA)  Security And Freedom Through Encryption Act of 1999 (SAFE)
  • 10. U.S. COPYRIGHT LAW  Intellectual property recognized as protected asset in the U.S.; copyright law extends to electronic formats  With proper acknowledgement, permissible to include portions of others’ work as reference  U.S. Copyright Office Web site: www.copyright.gov
  • 11. FREEDOM OF INFORMATION ACT OF 1966 (FOIA)  Allows access to federal agency records or information not determined to be matter of national security  U.S. government agencies required to disclose any requested information upon receipt of written request  Some information protected from disclosure
  • 12. STATE AND LOCAL REGULATIONS  Restrictions on organizational computer technology use exist at international, national, state, local levels  Information security professional responsible for understanding state regulations and ensuring organization is compliant with regulations
  • 13. INTERNATIONAL LAWS AND LEGAL BODIES  European Council Cyber-Crime Convention:  Establishes international task force overseeing Internet security functions for standardized international technology laws  Attempts to improve effectiveness of international investigations into breaches of technology law  Well received by intellectual property rights advocates due to emphasis on copyright infringement prosecution  Lacks realistic provisions for enforcement
  • 14. DIGITAL MILLENNIUM COPYRIGHT ACT (DMCA)  U.S. contribution to international effort to reduce impact of copyright, trademark, and privacy infringement  A response to European Union Directive 95/46/EC, which adds protection to individuals with regard to processing and free movement of personal data
  • 15. UNITED NATIONS CHARTER  Makes provisions, to a degree, for information security during information warfare (IW)  IW involves use of information technology to conduct organized and lawful military operations  IW is relatively new type of warfare, although military has been conducting electronic warfare operations for decades
  • 16. POLICY VERSUS LAW  Most organizations develop and formalize a body of expectations called policy  Policies serve as organizational laws  To be enforceable, policy must be distributed, readily available, easily understood, and acknowledged by employees
  • 18. ETHICAL DIFFERENCES ACROSS CULTURES  Cultural differences create difficulty in determining what is and is not ethical  Difficulties arise when one nationality’s ethical behavior conflicts with ethics of another national group  Example: many of ways in which Asian cultures use computer technology is software piracy
  • 19. ETHICS AND EDUCATION  Overriding factor in leveling ethical perceptions within a small population is education  Employees must be trained in expected behaviors of an ethical employee, especially in areas of information security  Proper ethical training vital to creating informed, well prepared, and low-risk system user
  • 20. DETERRENCE TO UNETHICAL AND ILLEGAL BEHAVIOR  Deterrence: best method for preventing an illegal or unethical activity; e.g., laws, policies, technical controls  Laws and policies only deter if three conditions are present:  Fear of penalty  Probability of being caught  Probability of penalty being administered
• 21. CODES OF ETHICS AND PROFESSIONAL ORGANIZATIONS
 Several professional organizations have established codes of conduct/ethics
 Codes of ethics can have positive effect; unfortunately, many employers do not encourage joining of these professional organizations
 Responsibility of security professionals to act ethically and according to policies of employer, professional organization, and laws of society
• 22. ASSOCIATION OF COMPUTING MACHINERY (ACM)
 ACM established in 1947 as “the world's first educational and scientific computing society”
 Code of ethics contains references to protecting information confidentiality, causing no harm, protecting others’ privacy, and respecting others’ intellectual property
• 23. INTERNATIONAL INFORMATION SYSTEMS SECURITY CERTIFICATION CONSORTIUM, INC. (ISC)2
 Non-profit organization focusing on development and implementation of information security certifications and credentials
 Code primarily designed for information security professionals who have certification from (ISC)2
 Code of ethics focuses on four mandatory canons
• 24. SYSTEM ADMINISTRATION, NETWORKING, AND SECURITY INSTITUTE (SANS)
 Professional organization with a large membership dedicated to protection of information and systems
 SANS offers set of certifications called Global Information Assurance Certification (GIAC)
• 25. INFORMATION SYSTEMS AUDIT AND CONTROL ASSOCIATION (ISACA)
 Professional association with focus on auditing, control, and security
 Concentrates on providing IT control practices and standards
 ISACA has code of ethics for its professionals
• 26. COMPUTER SECURITY INSTITUTE (CSI)
 Provides information and training to support computer, networking, and information security professionals
 Though without a code of ethics, has argued for adoption of ethical behavior among information security professionals
• 27. INFORMATION SYSTEMS SECURITY ASSOCIATION (ISSA)
 Nonprofit society of information security (IS) professionals
 Primary mission to bring together qualified IS practitioners for information exchange and educational development
 Promotes code of ethics similar to (ISC)2, ISACA and ACM
• 28. OTHER SECURITY ORGANIZATIONS
 Internet Society (ISOC): promotes development and implementation of education, standards, and policy to promote the Internet
 Computer Security Division (CSD): division of National Institute for Standards and Technology (NIST); promotes industry best practices and is important reference for information security professionals
• 29. OTHER SECURITY ORGANIZATIONS (CONTINUED)
 CERT Coordination Center (CERT/CC): center of Internet security expertise operated by Carnegie Mellon University
 Computer Professionals for Social Responsibility (CPSR): public organization for anyone concerned with impact of computer technology on society
• 30. KEY U.S. FEDERAL AGENCIES
 Department of Homeland Security (DHS)
 Federal Bureau of Investigation’s National Infrastructure Protection Center (NIPC)
 National Security Agency (NSA)
 U.S. Secret Service
• 31. ORGANIZATIONAL LIABILITY AND THE NEED FOR COUNSEL
 Liability is legal obligation of an entity; includes legal obligation to make restitution for wrongs committed
 Organization increases liability if it refuses to take measures known as due care
 Due diligence requires that an organization make valid effort to protect others and continually maintain that level of effort
• 32. SUMMARY
 Laws: rules that mandate or prohibit certain behavior in society; drawn from ethics
 Ethics: define socially acceptable behaviors; based on cultural mores (fixed moral attitudes or customs of a particular group)
 Types of law: civil, criminal, tort law, private, public
• 33. SUMMARY
 Relevant U.S. laws:
  Computer Fraud and Abuse Act of 1986 (CFA Act)
  National Information Infrastructure Protection Act of 1996
  USA Patriot Act of 2001
  Telecommunications Deregulation and Competition Act of 1996
  Communications Decency Act of 1996 (CDA)
  Computer Security Act of 1987
• 34. SUMMARY
 Many organizations have codes of conduct and/or codes of ethics
 Organization increases liability if it refuses to take measures known as due care
 Due diligence requires that organization make valid effort to protect others and continually maintain that effort