1. 112/25/2019 1 1
1
Part 2 Access Control 1Security+ Guide to Network Security Fundamentals, Third Edition
1
11
1 1 tohttps://github.com/syaifulahdan/
INFORMATION SECURITY
Law and Ethics Information Security
Introduction
Law and Ethics in Information Security
Organizational Liability and the Need for Counsel
Policy Vs Law
Type of Law
Relevant U.S Laws
General Computer Crime Laws
Privacy
Privacy of Customer Information
Identity Theft
Export and Espionage Laws
U.S Copyright Laws
Financial Reporting
Freedom of Information Act of 1966 (FOIA)
Digital Millenium Copyright Act (DMCA)
State and Local Regulations
Principles of Information Security, 3rd Edition
Internal Laws and Legal Bodies
European Union Cyber Crime Convention
Aggreement on Trade Related Aspect of
Intellectual Property Right
United Nation Charter
Ethics and Information Security
Deterrence to Unethical and Illegal Behavior
Codes of Ethics and Professional Ogranization
Association of Computing Machinery (ACM)
International Information System Security
Certification Consortium, Inc.
System Adminisration Networking, and Security
Institute (SANS)
Information System Audit and Control Association
(ISACA)
Information System Security Association (ISSA)
Key U.S Federal Agencies
2. 212/25/2019 2 2
2
Part 2 Access Control 2Security+ Guide to Network Security Fundamentals, Third Edition
2
22
2 2 tohttps://github.com/syaifulahdan/
2
Use this chapter as a guide for future reference on
laws, regulations, and professional organizations
Differentiate between laws and ethics
Identify major national laws that relate to the
practice of information security
Understand the role of culture as it applies to ethics
in information security
Learning Objectives
Upon completion of this material, you should be able
to:
3. 312/25/2019 3 3
3
Part 2 Access Control 3Security+ Guide to Network Security Fundamentals, Third Edition
3
33
3 3 tohttps://github.com/syaifulahdan/
3
Introduction
You must understand scope of an organization’s
legal and ethical responsibilities
To minimize liabilities/reduce risks, the information
security practitioner must:
Understand current legal environment
Stay current with laws and regulations
Watch for new issues that emerge
4. 412/25/2019 4 4
4
Part 2 Access Control 4Security+ Guide to Network Security Fundamentals, Third Edition
4
44
4 4 tohttps://github.com/syaifulahdan/
4
Law and Ethics in Information Security
Laws: rules that mandate or prohibit certain societal
behavior
Ethics: define socially acceptable behavior
Cultural mores: fixed moral attitudes or customs of a
particular group; ethics based on these
Laws carry sanctions of a governing authority; ethics
do not
5. 512/25/2019 5 5
5
Part 2 Access Control 5Security+ Guide to Network Security Fundamentals, Third Edition
5
55
5 5 tohttps://github.com/syaifulahdan/
5
Organizational Liability and the Need for
Counsel
Liability: legal obligation of an entity extending
beyond criminal or contract law; includes legal
obligation to make restitution
Restitution: to compensate for wrongs committed
by an organization or its employees
Due care: insuring that employees know what
constitutes acceptable behavior and know the
consequences of illegal or unethical actions
Due diligence: making a valid effort to protect
others; continually maintaining level of effort
6. 612/25/2019 6 6
6
Part 2 Access Control 6Security+ Guide to Network Security Fundamentals, Third Edition
6
66
6 6 tohttps://github.com/syaifulahdan/
6
Organizational Liability and the Need for
Counsel (continued)
Jurisdiction: court's right to hear a case if the wrong
was committed in its territory or involved its
citizenry
Long arm jurisdiction: right of any court to impose
its authority over an individual or organization if it
can establish jurisdiction
7. 712/25/2019 7 7
7
Part 2 Access Control 7Security+ Guide to Network Security Fundamentals, Third Edition
7
77
7 7 tohttps://github.com/syaifulahdan/
7
Policy versus Law
Policies: body of expectations that describe
acceptable and unacceptable employee behaviors in
the workplace
Policies function as laws within an organization;
must be crafted carefully to ensure they are complete,
appropriate, fairly applied to everyone
Difference between policy and law: ignorance of a
policy is an acceptable defense
Criteria for policy enforcement: dissemination
(distribution), review (reading), comprehension
(understanding), compliance (agreement), uniform
enforcement
8. 812/25/2019 8 8
8
Part 2 Access Control 8Security+ Guide to Network Security Fundamentals, Third Edition
8
88
8 8 tohttps://github.com/syaifulahdan/
8
Types of Law
Civil: governs nation or state; manages
relationships/conflicts between organizational
entities and people
Criminal: addresses violations harmful to society;
actively enforced by the state
Private: regulates relationships between individuals
and organizations
Public: regulates structure/administration of
government agencies and relationships with citizens,
employees, and other governments
9. 912/25/2019 9 9
9
Part 2 Access Control 9Security+ Guide to Network Security Fundamentals, Third Edition
9
99
9 9 tohttps://github.com/syaifulahdan/
9
Relevant U.S. Laws
United States has been a leader in the development
and implementation of information security
legislation
Implementation of information security legislation
contributes to a more reliable business environment
and a stable economy
EU vs. US on privacy
US vs. China on censureship
U.S. has specified penalties for individuals and
organizations failing to follow requirements set forth
in U.S. civil statutes
10. 1012/25/2019 10 10
10
Part 2 Access Control 10Security+ Guide to Network Security Fundamentals, Third Edition
10
1010
10 10 tohttps://github.com/syaifulahdan/
10
General Computer Crime Laws
Computer Fraud and Abuse Act of 1986 (CFA Act)
National Information Infrastructure Protection Act
of 1996
USA PATRIOT Act of 2001
USA PATRIOT Improvement and Reauthorization
Act
Computer Security Act of 1987
11. 1112/25/2019 11 11
11
Part 2 Access Control 11Security+ Guide to Network Security Fundamentals, Third Edition
11
1111
11 11 tohttps://github.com/syaifulahdan/
11
Privacy
One of the hottest topics in information security
Is a “state of being free from unsanctioned intrusion”
Ability to aggregate data from multiple sources
allows creation of information databases previously
unheard of
12. 1212/25/2019 12 12
12
Part 2 Access Control 12Security+ Guide to Network Security Fundamentals, Third Edition
12
1212
12 12 tohttps://github.com/syaifulahdan/
12
Privacy of Customer Information
Privacy of Customer Information Section of the
common carrier regulation
Federal Privacy Act of 1974
Electronic Communications Privacy Act of 1986
Health Insurance Portability and Accountability Act
of 1996 (HIPAA), aka Kennedy-Kassebaum Act
Financial Services Modernization Act, or Gramm-
Leach-Bliley Act of 1999
13. 1312/25/2019 13 13
13
Part 2 Access Control 13Security+ Guide to Network Security Fundamentals, Third Edition
13
1313
13 13 tohttps://github.com/syaifulahdan/
13
Identity Theft
Federal Trade Commission: “occurring when
someone uses your personally identifying
information, like your name, Social Security number,
or credit card number, without your permission, to
commit fraud or other crimes”
Fraud And Related Activity In Connection With
Identification Documents, Authentication Features,
And Information (Title 18, U.S.C. § 1028)
14. 1412/25/2019 14 14
14
Part 2 Access Control 14Security+ Guide to Network Security Fundamentals, Third Edition
14
1414
14 14 tohttps://github.com/syaifulahdan/
14
Export and Espionage Laws
Economic Espionage Act of 1996 (EEA)
Security And Freedom Through Encryption Act of
1999 (SAFE)
No teeth…
15. 1512/25/2019 15 15
15
Part 2 Access Control 15Security+ Guide to Network Security Fundamentals, Third Edition
15
1515
15 15 tohttps://github.com/syaifulahdan/
15
Figure 3-1 – Export and
Espionage
16. 1612/25/2019 16 16
16
Part 2 Access Control 16Security+ Guide to Network Security Fundamentals, Third Edition
16
1616
16 16 tohttps://github.com/syaifulahdan/
16
U.S. Copyright Law
Intellectual property recognized as protected asset
in the U.S.; copyright law extends to electronic
formats
With proper acknowledgment, permissible to
include portions of others’ work as reference
U.S. Copyright Office Web site:
www.copyright.gov
17. 1712/25/2019 17 17
17
Part 2 Access Control 17Security+ Guide to Network Security Fundamentals, Third Edition
17
1717
17 17 tohttps://github.com/syaifulahdan/
17
Financial Reporting
Sarbanes-Oxley Act of 2002
Affects executive management of publicly traded
corporations and public accounting firms
Seeks to improve reliability and accuracy of financial
reporting and increase the accountability of corporate
governance in publicly traded companies
Penalties for noncompliance range from fines to jail
terms
18. 1812/25/2019 18 18
18
Part 2 Access Control 18Security+ Guide to Network Security Fundamentals, Third Edition
18
1818
18 18 tohttps://github.com/syaifulahdan/
18
Freedom of Information Act of 1966
(FOIA)
Allows access to federal agency records or
information not determined to be matter of national
security
U.S. government agencies required to disclose any
requested information upon receipt of written
request
Some information protected from disclosure
19. 1912/25/2019 19 19
19
Part 2 Access Control 19Security+ Guide to Network Security Fundamentals, Third Edition
19
1919
19 19 tohttps://github.com/syaifulahdan/
19
Digital Millennium Copyright Act (DMCA)
U.S. contribution to international effort to reduce
impact of copyright, trademark, and privacy
infringement
A response to European Union Directive 95/46/EC,
which adds protection to individuals with regard to
processing and free movement of personal data
20. 2012/25/2019 20 20
20
Part 2 Access Control 20Security+ Guide to Network Security Fundamentals, Third Edition
20
2020
20 20 tohttps://github.com/syaifulahdan/
20
State and Local Regulations
Restrictions on organizational computer technology
use exist at international, national, state, local levels
Information security professional responsible for
understanding state regulations and ensuring
organization is compliant with regulations
21. 2112/25/2019 21 21
21
Part 2 Access Control 21Security+ Guide to Network Security Fundamentals, Third Edition
21
2121
21 21 tohttps://github.com/syaifulahdan/
21
International Laws and Legal Bodies
IT professionals and IS practitioners should realize
that when organizations do business on the Internet,
they do business globally
Professionals must be sensitive to laws and ethical
values of many different cultures, societies, and
countries
Because of political complexities of relationships
among nations and differences in culture, there are
few international laws relating to privacy and
information security
These international laws are important but are limited
in their enforceability
22. 2212/25/2019 22 22
22
Part 2 Access Control 22Security+ Guide to Network Security Fundamentals, Third Edition
22
2222
22 22 tohttps://github.com/syaifulahdan/
22
European Union Cyber-Crime Convention
Establishes international task force overseeing
Internet security functions for standardized
international technology laws
Attempts to improve effectiveness of international
investigations into breaches of technology law
Well received by intellectual property rights
advocates due to emphasis on copyright
infringement prosecution
Lacks realistic provisions for enforcement
23. 2312/25/2019 23 23
23
Part 2 Access Control 23Security+ Guide to Network Security Fundamentals, Third Edition
23
2323
23 23 tohttps://github.com/syaifulahdan/
23
Figure 3-4 – EU Law Portal
24. 2412/25/2019 24 24
24
Part 2 Access Control 24Security+ Guide to Network Security Fundamentals, Third Edition
24
2424
24 24 tohttps://github.com/syaifulahdan/
24
Agreement on Trade-Related Aspects of
Intellectual Property Rights
Created by World Trade Organization (WTO)
First significant international effort to protect
intellectual property rights
Agreement covers five issues:
Application of basic principles of trading system and
international intellectual property agreements
Giving adequate protection to intellectual property
rights
Enforcement of those rights by countries in their own
territories
Settling intellectual property disputes
Transitional arrangements while new system is being
introduced
25. 2512/25/2019 25 25
25
Part 2 Access Control 25Security+ Guide to Network Security Fundamentals, Third Edition
25
2525
25 25 tohttps://github.com/syaifulahdan/
25
United Nations Charter
Makes provisions, to a degree, for information
security during information warfare (IW)
IW involves use of information technology to
conduct organized and lawful military operations
IW is relatively new type of warfare, although
military has been conducting electronic warfare
operations for decades
26. 2612/25/2019 26 26
26
Part 2 Access Control 26Security+ Guide to Network Security Fundamentals, Third Edition
26
2626
26 26 tohttps://github.com/syaifulahdan/
26
Ethics and Information Security
27. 2712/25/2019 27 27
27
Part 2 Access Control 27Security+ Guide to Network Security Fundamentals, Third Edition
27
2727
27 27 tohttps://github.com/syaifulahdan/
27
Ethical Differences Across Cultures
Cultural differences create difficulty in determining
what is and is not ethical
Difficulties arise when one nationality’s ethical
behavior conflicts with ethics of another national
group
Example: many of the ways in which Asian cultures
use computer technology is considered software
piracy by other nations
28. 2812/25/2019 28 28
28
Part 2 Access Control 28Security+ Guide to Network Security Fundamentals, Third Edition
28
2828
28 28 tohttps://github.com/syaifulahdan/
28
Ethics and Education
Overriding factor in leveling ethical perceptions
within a small population is education
Employees must be trained in expected behaviors of
an ethical employee, especially in areas of
information security
Proper ethical training vital to creating informed,
well prepared, and low-risk system user
29. 2912/25/2019 29 29
29
Part 2 Access Control 29Security+ Guide to Network Security Fundamentals, Third Edition
29
2929
29 29 tohttps://github.com/syaifulahdan/
29
Deterrence to Unethical and Illegal
Behavior
Three general causes of unethical and illegal
behavior: ignorance, accident, intent
Deterrence: best method for preventing an illegal or
unethical activity; e.g., laws, policies, technical
controls
Laws and policies only deter if three conditions are
present:
Fear of penalty
Probability of being caught
Probability of penalty being administered
30. 3012/25/2019 30 30
30
Part 2 Access Control 30Security+ Guide to Network Security Fundamentals, Third Edition
30
3030
30 30 tohttps://github.com/syaifulahdan/
30
Codes of Ethics and Professional
Organizations
Several professional organizations have established
codes of conduct/ethics
Codes of ethics can have positive effect;
unfortunately, many employers do not encourage
joining these professional organizations
Responsibility of security professionals to act
ethically and according to policies of employer,
professional organization, and laws of society
31. 3112/25/2019 31 31
31
Part 2 Access Control 31Security+ Guide to Network Security Fundamentals, Third Edition
31
3131
31 31 tohttps://github.com/syaifulahdan/
31
Association of Computing Machinery
(ACM)
ACM established in 1947 as “the world's first
educational and scientific computing society”
Code of ethics contains references to protecting
information confidentiality, causing no harm,
protecting others’ privacy, and respecting others’
intellectual property
32. 3212/25/2019 32 32
32
Part 2 Access Control 32Security+ Guide to Network Security Fundamentals, Third Edition
32
3232
32 32 tohttps://github.com/syaifulahdan/
32
International Information Systems
Security Certification Consortium, Inc.
(ISC)2
Nonprofit organization focusing on development
and implementation of information security
certifications and credentials
Code primarily designed for information security
professionals who have certification from (ISC)2
Code of ethics focuses on four mandatory canons
33. 3312/25/2019 33 33
33
Part 2 Access Control 33Security+ Guide to Network Security Fundamentals, Third Edition
33
3333
33 33 tohttps://github.com/syaifulahdan/
33
System Administration, Networking, and
Security Institute (SANS)
Professional organization with a large membership
dedicated to protection of information and systems
SANS offers set of certifications called Global
Information Assurance Certification (GIAC)
34. 3412/25/2019 34 34
34
Part 2 Access Control 34Security+ Guide to Network Security Fundamentals, Third Edition
34
3434
34 34 tohttps://github.com/syaifulahdan/
34
Information Systems Audit and Control
Association (ISACA)
Professional association with focus on auditing,
control, and security
Concentrates on providing IT control practices and
standards
ISACA has code of ethics for its professionals
35. 3512/25/2019 35 35
35
Part 2 Access Control 35Security+ Guide to Network Security Fundamentals, Third Edition
35
3535
35 35 tohttps://github.com/syaifulahdan/
35
Information Systems Security
Association (ISSA)
Nonprofit society of information security (IS)
professionals
Primary mission to bring together qualified IS
practitioners for information exchange and
educational development
Promotes code of ethics similar to (ISC)2, ISACA,
and ACM
36. 3612/25/2019 36 36
36
Part 2 Access Control 36Security+ Guide to Network Security Fundamentals, Third Edition
36
3636
36 36 tohttps://github.com/syaifulahdan/
36
Key U.S. Federal Agencies
Department of Homeland Security (DHS)
Federal Bureau of Investigation’s National
InfraGard Program
National Security Agency (NSA)
U.S. Secret Service
37. 3712/25/2019 37 37
37
Part 2 Access Control 37Security+ Guide to Network Security Fundamentals, Third Edition
37
3737
37 37 tohttps://github.com/syaifulahdan/
37
Summary
Laws: rules that mandate or prohibit certain
behavior in society; drawn from ethics
Ethics: define socially acceptable behaviors; based
on cultural mores (fixed moral attitudes or customs
of a particular group)
Types of law: civil, criminal, private, public
38. 3812/25/2019 38 38
38
Part 2 Access Control 38Security+ Guide to Network Security Fundamentals, Third Edition
38
3838
38 38 tohttps://github.com/syaifulahdan/
38
Summary (continued)
Relevant U.S. laws:
Computer Fraud and Abuse Act of 1986 (CFA Act)
National Information Infrastructure Protection Act of
1996
USA PATRIOT Act of 2001
USA PATRIOT Improvement and Reauthorization
Act
Computer Security Act of 1987
39. 3912/25/2019 39 39
39
Part 2 Access Control 39Security+ Guide to Network Security Fundamentals, Third Edition
39
3939
39 39 tohttps://github.com/syaifulahdan/
39
Summary (continued)
Many organizations have codes of conduct and/or
codes of ethics
Organization increases liability if it refuses to take
measures known as due care
Due diligence requires that organization make valid
effort to protect others and continually maintain that
effort