Chapter 3: Legal, Ethical, and Professional Issues in Information Security


Association of Computing Machinery (ACM)

"the world's first educational and scientific computing society"

(True or False) Information warfare (IW) involves the use of information technology to conduct organized and lawful military operations

True

(True or False) IW is a relatively new type of warfare, although the military has been conducting electronic warfare operations for decades

True

(True or False) Policies function as laws within an organization and must be crafted carefully to ensure they are complete, appropriate, and fairly applied to everyone

True

(True or False) It is the responsibility of security professionals to act ethically and according to the policies of their employer, their professional organization, and the laws of society

True

Relevant US Laws

- Computer Fraud and Abuse Act of 1986 (CFA Act, commonly abbreviated CFAA)
- National Information Infrastructure Protection Act of 1996
- USA PATRIOT Act of 2001
- USA PATRIOT Improvement and Reauthorization Act of 2005
- Computer Security Act of 1987

Export and Espionage Laws

- Economic Espionage Act of 1996 (EEA)
- Security and Freedom Through Encryption Act of 1999 (SAFE); a bill introduced in Congress to relax U.S. encryption export controls, it was never enacted

Council of Europe Convention on Cybercrime (the Budapest Convention, 2001; also listed as the European Council Cyber-Crime Convention)

- Establishes an international task force overseeing Internet security functions for standardized international technology laws
- Attempts to improve the effectiveness of international investigations into breaches of technology law
- Well received by intellectual property rights advocates because of its emphasis on prosecuting copyright infringement
- Lacks realistic provisions for enforcement

Privacy of Customer Information

- Federal Privacy Act of 1974
- Electronic Communications Privacy Act of 1986
- Health Insurance Portability and Accountability Act of 1996 (HIPAA), aka Kennedy-Kassebaum Act
- Financial Services Modernization Act, or Gramm-Leach-Bliley Act of 1999

Identity Theft

- Federal Trade Commission definition: "occurring when someone uses your personally identifying information, like your name, Social Security number, or credit card number, without your permission, to commit fraud or other crimes"
- Fraud and Related Activity in Connection with Identification Documents, Authentication Features, and Information (Title 18, U.S.C. § 1028)

System Administration, Networking, and Security Institute (SANS)‏

- Professional organization with a large membership dedicated to the protection of information and systems
- SANS offers a set of certifications called Global Information Assurance Certification (GIAC)

Due care

ensuring that employees know what constitutes acceptable behavior and know the consequences of illegal or unethical actions

Liability

legal obligation of an entity extending beyond criminal or contract law; includes legal obligation to make restitution

Due diligence

making a valid effort to protect others; continually maintaining level of effort

Private (law)

regulates relationships between individuals and organizations

Public (law)

regulates structure/administration of government agencies and relationships with citizens, employees, and other governments

Long arm jurisdiction

right of any court to impose its authority over an individual or organization if it can establish jurisdiction

Laws

rules that mandate or prohibit certain societal behavior

Restitution

to compensate for wrongs committed by an organization or its employees

Digital Millennium Copyright Act (DMCA)

U.S. copyright statute of 1998 that implements the WIPO Copyright Treaty; it prohibits circumventing technological copyright-protection measures and trafficking in circumvention tools. It is distinct from European Union Directive 95/46/EC, the EU data-protection directive (replaced by the GDPR in 2018), which protects individuals with regard to the processing and free movement of personal data.

Agreement on Trade-Related Aspects of Intellectual Property Rights

Agreement covers five issues:
1. Application of basic principles of the trading system and international intellectual property agreements
2. Giving adequate protection to intellectual property rights
3. Enforcement of those rights by countries in their own territories
4. Settling intellectual property disputes
5. Transitional arrangements while the new system is being introduced

Criteria for policy enforcement

dissemination (distribution), review (reading), comprehension (understanding), compliance (agreement), uniform enforcement

International Information Systems Security Certification Consortium, Inc. (ISC)2

Nonprofit organization focusing on development and implementation of information security certifications and credentials

Information Systems Security Association (ISSA)‏

Primary mission to bring together qualified IS practitioners for information exchange and educational development

Information Systems Audit and Control Association (ISACA)‏

Professional association with focus on auditing, control, and security

State and Local Regulations

Restrictions on organizational computer technology use exist at the international, national, state, and local levels. The information security professional is responsible for understanding state regulations and ensuring the organization is compliant with them.

Financial Reporting

Sarbanes-Oxley Act of 2002: seeks to improve the reliability and accuracy of financial reporting and to increase the accountability of corporate governance in publicly traded companies

International Laws and Legal Bodies

These international laws are important but are limited in their enforceability

Three general causes of unethical and illegal behavior

ignorance, accident, intent

Freedom of Information Act of 1966 (FOIA)

U.S. federal government agencies are required to disclose records upon receipt of a written request, subject to the Act's statutory exemptions (for example, classified national security information)

Criminal

addresses violations harmful to society; actively enforced by the state

Deterrence

best method for preventing an illegal or unethical activity; e.g., laws, policies, and technical controls

Policies

body of expectations that describe acceptable and unacceptable employee behaviors in the workplace

Jurisdiction

court's right to hear a case if the wrong was committed in its territory or involved its citizenry

Ethics

define socially acceptable behavior

Cultural mores

fixed moral attitudes or customs of a particular group; ethics based on these

Civil Law

the wide variety of laws that govern a nation or state and manage relationships and conflicts between organizational entities and people

U.S. Copyright Law

Intellectual property is recognized as a protected asset in the U.S.; copyright protection extends to electronic formats

Privacy

Is a "state of being free from unsanctioned intrusion"

Laws and policies only deter if three conditions are present:

- Fear of penalty
- Probability of being caught
- Probability of the penalty being administered

United Nations Charter

Makes provisions, to a degree, for information security during information warfare (IW)‏

