Chapter 3: Legal, Ethical, and Professional Issues in Information Security
Association of Computing Machinery (ACM)
"the world's first educational and scientific computing society"
True
(True or False) IW involves use of information technology to conduct organized and lawful military operations
True
(True or False) IW is a relatively new type of warfare, although the military has been conducting electronic warfare operations for decades
True
(True or False) Policies function as laws within an organization; they must be crafted carefully to ensure they are complete, appropriate, and fairly applied to everyone
True
(True or False) Responsibility of security professionals to act ethically and according to policies of employer, professional organization, and laws of society
Relevant US Laws
- Computer Fraud and Abuse Act of 1986 (CFA Act)
- National Information Infrastructure Protection Act of 1996
- USA PATRIOT Act of 2001
- USA PATRIOT Improvement and Reauthorization Act
- Computer Security Act of 1987
Export and Espionage Laws
- Economic Espionage Act of 1996 (EEA)
- Security And Freedom Through Encryption Act of 1999 (SAFE)
European Council Cyber-Crime Convention
- Establishes an international task force overseeing Internet security functions for standardized international technology laws
- Attempts to improve the effectiveness of international investigations into breaches of technology law
- Well received by intellectual property rights advocates due to its emphasis on copyright infringement prosecution
- Lacks realistic provisions for enforcement
Privacy of Customer Information
- Federal Privacy Act of 1974
- Electronic Communications Privacy Act of 1986
- Health Insurance Portability and Accountability Act of 1996 (HIPAA), aka Kennedy-Kassebaum Act
- Financial Services Modernization Act, or Gramm-Leach-Bliley Act of 1999
Identity Theft
- Federal Trade Commission: "occurring when someone uses your personally identifying information, like your name, Social Security number, or credit card number, without your permission, to commit fraud or other crimes"
- Fraud And Related Activity In Connection With Identification Documents, Authentication Features, And Information (Title 18, U.S.C. § 1028)
System Administration, Networking, and Security Institute (SANS)
- Professional organization with a large membership dedicated to the protection of information and systems
- _______ offers a set of certifications called Global Information Assurance Certification (GIAC)
Due care
ensuring that employees know what constitutes acceptable behavior and know the consequences of illegal or unethical actions
Liability
legal obligation of an entity extending beyond criminal or contract law; includes legal obligation to make restitution
Due diligence
making a valid effort to protect others; continually maintaining level of effort
Private
regulates relationships between individuals and organizations
Public
regulates structure/administration of government agencies and relationships with citizens, employees, and other governments
Long arm jurisdiction
right of any court to impose its authority over an individual or organization if it can establish jurisdiction
Laws
rules that mandate or prohibit certain societal behavior
Restitution
to compensate for wrongs committed by an organization or its employees
Digital Millennium Copyright Act (DMCA)
A response to European Union Directive 95/46/EC, which adds protection to individuals with regard to processing and free movement of personal data
Agreement on Trade-Related Aspects of Intellectual Property Rights
Agreement covers five issues:
1. Application of basic principles of the trading system and international intellectual property agreements
2. Giving adequate protection to intellectual property rights
3. Enforcement of those rights by countries in their own territories
4. Settling intellectual property disputes
5. Transitional arrangements while the new system is being introduced
dissemination (distribution), review (reading), comprehension (understanding), compliance (agreement), uniform enforcement
Criteria for policy enforcement
International Information Systems Security Certification Consortium, Inc. (ISC)2
Nonprofit organization focusing on development and implementation of information security certifications and credentials
Information Systems Security Association (ISSA)
Primary mission to bring together qualified IS practitioners for information exchange and educational development
Information Systems Audit and Control Association (ISACA)
Professional association with focus on auditing, control, and security
State and Local Regulations
Restrictions on organizational computer technology use exist at the international, national, state, and local levels. The information security professional is responsible for understanding state regulations and ensuring the organization is compliant with them.
Financial Reporting
Seeks to improve the reliability and accuracy of financial reporting and increase the accountability of corporate governance in publicly traded companies
- Sarbanes-Oxley Act of 2002
International Laws and Legal Bodies
These international laws are important but are limited in their enforceability
ignorance, accident, intent
Three general causes of unethical and illegal behavior
Freedom of Information Act of 1966 (FOIA)
U.S. government agencies required to disclose any requested information upon receipt of written request
Criminal
addresses violations harmful to society; actively enforced by the state
Deterrence
best method for preventing an illegal or unethical activity; e.g., laws, policies, technical controls
Policies
body of expectations that describe acceptable and unacceptable employee behaviors in the workplace
Jurisdiction
court's right to hear a case if the wrong was committed in its territory or involved its citizenry
Ethics
define socially acceptable behavior
Cultural mores
fixed moral attitudes or customs of a particular group; ethics based on these
Civil Law
governs nation or state; manages relationships/conflicts between organizational entities and people
U.S. Copyright Law
Intellectual property recognized as protected asset in the U.S.; ____________ extends to electronic formats
Privacy
Is a "state of being free from unsanctioned intrusion"
- Fear of penalty
- Probability of being caught
- Probability of penalty being administered
Laws and policies only deter if three conditions are present:
United Nations Charter
Makes provisions, to a degree, for information security during information warfare (IW)