Management of Information Security: Sections 2-1, 2-2, 2-3, 2-4, 2-5

The best method for preventing an illegal or unethical activity

Deterrence

Identity Theft and Assumption Deterrence Act (18 USC 1028) (1998)

Identity theft Attempts to instigate specific penalties for identity theft by identifying the individual who loses their identity as the true victim, not just those commercial and financial credit entities who suffered losses

Three categories of unethical behavior

Ignorance Accident Intent

Examples of deterrence

Laws Policies Technical controls

Traditional Foundations and Frameworks of Ethics

Normative Ethics Meta-ethics Descriptive ethics Applied Ethics Deontological Ethics

Federal Trade Commission Act (FTCA) (1914)

Online commerce and information protection Recently used to challenge organizations with deceptive claims regarding the privacy and security of customers' personal information

Three documents of PCI DSS

PCI DSS Requirements and Assessment Procedures PCI DSS Self-assessment PCI DSS Support documents

Meta-ethics

The study of the meaning of ethical judgments and properties What is right?

Economic Espionage Act (1996)

Trade secrets Prevents abuse of information gained while employed elsewhere

Association for Computing Machinery (ACM)

1) established in 1947 as the world's first educational and scientific computing society 2) strongly promotes education and provides discounted membership for students 3) Code of ethics for computer professionals

Each state or locality may have a number of laws and regulations that affect the use of computer technology.

TRUE

Descriptive Ethics

The study of the choices that have been made by individuals in the past What do others think is right?

Ethical Standards or Approaches

Utilitarian Approach Rights Approach Fairness or Justice Approach Common Good Approach Virtue Approach

Types of statutory law

-criminal law *misdemeanor *felony -civil law *torts

Ten Commandments of Computer Ethics

1) Thou shalt not use a computer to harm other people. 2) Thou shalt not interfere with other people's computer work. 3) Thou shalt not snoop around in other people's computer files. 4) Thou shalt not use a computer to steal. 5) Thou shalt not use a computer to bear false witness. 6) Thou shalt not copy or use proprietary software for which you have not paid. 7) Thou shalt not use other people's computer resources without authorization or proper compensation. 8) Thou shalt not appropriate other people's intellectual output. 9) Thou shalt think about the social consequences of the program you are writing or the system you are designing. 10) Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.

International Information Systems Security Certification Consortium, Inc. (ISC)2

1) a nonprofit organization that focuses on the development and implementation of InfoSec certifications and credentials. 2) manages a body of knowledge on InfoSec and administers and evaluates examinations for InfoSec certifications. 3) Code of ethics for InfoSec professionals who have earned one of their certifications.

Information Systems Security Association (ISSA)

1) a nonprofit society of InfoSec professionals 2) mission is to bring together qualified practitioners of InfoSec for information exchange and educational development 3) Has code of ethics and expects members to follow a pledge

Information Systems Audit and Control Association (ISACA)

1) a professional association with a focus on auditing, control, and security. 2) focuses on providing IT control practices and standards. 3) Certified Information Security Manager (CISM); Certified Information Systems Auditor (CISA) 4) Members must abide to their code of ethics

SANS

1) a professional research and education cooperative organization 2) dedicated to the protection of information and systems. 3) has a core IT code of ethics for all certificate holders

Conditions required for laws and policies to deter behavior

1. Fear of penalty 2. Probability of being caught 3. Probability of penalty being administered

NSA

A United States government institution that collects data for security purposes.

GDPR (General Data Protection Regulation)

A group of regulations implemented by the European Union (EU) to protect personal data of EU citizens.

Restitution

A legal requirement to make compensation or payment resulting from a loss or injury.

InfraGard (2001)

A public-private agency of the FBI that promotes the exchange of information between the private and public sectors on issues related to terrorism, intelligence, and security matters.

Virtue Approach

A very ancient ethical model postulating that ethical actions ought to be consistent with so-called ideal virtues that is, those virtues that all of humanity finds most worthy and that, when present, indicate a fully developed humanity.

Unlawful Access to Stored Communications (18 USC 2701) (1986)

Access to stored communications Provides penalties for illegally accessing communications (such as e-mail and voice mail) stored by a service provider

(SOX) Sarbanes-Oxley Act (2002) (Public Company Accounting Reform and Investor Protection Act)

Accountability Enforces accountability for executives at publicly traded companies; is having ripple effects throughout the accounting, IT, and related units of many organizations

EU-U.S. Safe Harbor Agreement

An agreement between the European and United States, invalidated by the Court of Justice of the European Union in 2015, that allowed for the legal transfer of personal data between the EU and U.S. in the absence of a comprehensive adequacy decision for the United States.

Applied Ethics

An approach that applies moral codes to actions drawn from realistic situations How might we use ethics in practice?

Liability

An entity's legal obligation or responsibility

(GLB) Gramm-Leach-Bliley Act (1999) (also known as the Financial Services Modernization Act)

Banking Repeals the restrictions on banks affiliating with insurance and securities firms; has significant impact on the privacy of personal information used by these industries

Common Good Approach

Based on the work of the Greek philosophers, a notion that life in community yields a positive outcome for the individual, and therefore each individual should contribute to that community. This approach argues that the complex relationships found in a society are the basis of a process founded on ethical reasoning that respects and has compassion for all others, most particularly the most vulnerable members of a society. This approach tends to focus on the common welfare.

(COPPA) Children's Online Privacy Protection Act (1998)

Child privacy protection Provides requirements for online service and Web site providers to ensure the privacy of children under 13 is protected

Types of Law

Constitutional law Statutory law Regulatory or administrative law Common law, Case law, and Precedent

(DMCA) Digital Millennium Copyright Act (update to 17 USC 101) (1998)

Copy protection Provides specific penalties for removing copyright protection from media

Copyright Act (update to U.S. Copyright Law (17 USC)) (1976)

Copyright Protects intellectual property, including publications and software

EU-U.S. Privacy Shield (2016)

Created to replace the invalidated U.S.-EU Safe Harbor agreement, the Privacy Shield is a data transfer mechanism negotiated by U.S. and EU authorities that received an adequacy determination from the European Commission. Only those companies that fell under the jurisdiction of the U.S. Federal Trade Commission could certify to the Shield principles and participate, which notably excludes health care, financial services, and non-profit institutions. On July 16, 2020, the Court of Justice of the European Union invalidated the European Commission's adequacy determination for Privacy Shield.

National Information Infrastructure Protection Act (update to 18 USC 1030) (1996)

Criminal intent Categorizes crimes based on defendant's authority to access a protected computer system and criminal intent

Electronic Communications Privacy Act (update to 18 USC) (1986)

Cryptography Regulates interception and disclosure of electronic information; also referred to as the Federal Wiretapping Act

(ITAR) International Traffic in Arms Regulations Act (2012)

Defense information protection Restricts the exportation of technology and information related to defense and military-related services and materiel including research and development information

Part 11, Title 21 of the Code of Federal Regulations (1997)

Electronic records Establishes guidelines for the use and acceptance of electronic signatures and electronic records for all Food & Drug Administration (FDA) regulated industries

Utilitarian Approach

Emphasizes that an ethical action is one that results in the most good, or the least harm; this approach seeks to link consequences to choices.

Security and Freedom Through Encryption Act (1997)

Encryption and digital signatures Affirms the rights of persons in the United States to use and sell products that include encryption and to relax export controls on such products

Federal agencies charged with the protection of federal and nationwide information assets

FBI's National Infrastructure Protection Center (NIPC) FBI InfraGard organization Department of Homeland Security (DHS) National Protection and Programs Directorate NSA U.S. Secret Service.

National Protection and Programs Directorate

Federal Protective Service (FPS) Office of Biometric Identity Management (OBIM) Office of Cyber and Infrastructure Analysis (OCIA) Office of Cybersecurity and Communications (CS&C) Office of Infrastructure Protection (IP)

Computer Security Act (CSA) (1987)

Federal agency information security Requires all federal computer systems that contain classified information to have security plans in place, and requires periodic security training for all individuals who operate, design, or manage such systems

Federal Information Security Modernization Act (2014)

Federal information security updates Updates many outdated federal information security practices, updating FISMA, providing a framework for ensuring effectiveness in information security controls over federal information systems, and centralizing cybersecurity management within DHS

Fairness or Justice Approach

Founded on the work of Aristotle and other Greek philosophers who contributed the idea that all persons who are equal should be treated equally; today, this approach defines ethical actions as those that have outcomes that regard all human beings equally, or that incorporate a degree of fairness based on some defensible standard. This is often described as a "level playing field."

Fraud and Related Activity in Connection with Access Devices (18 USC 1029) (2004)

Fraud with access devices Defines and formalizes law to counter threats from counterfeit access devices like ID cards, credit cards, telecom equipment, mobile or electronic serial numbers, and the equipment that creates them

(FOIA) Freedom of Information Act (1966)

Freedom of information Allows for the disclosure of previously unreleased information and documents controlled by the U.S. government

(FISMA) Federal Information Security Management Act (2002)

General InfoSec Security Management Act, or FISMA (44 USC 3541 et seq.)2002Requires each federal agency to develop, document, and implement an agency-wide program to provide InfoSec for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source

No Electronic Theft Act (1997)

IP Amends 17 USC 506(a)—copyright infringement, and 18 USC 2319—criminal infringement of copyright (Public Law 105-147) These parts of the U.S. Code amend copyright and criminal statutes to provide greater copyright protection and penalties for electronic copyright infringement

Key difference between policies and laws

Ignorance of policy is a viable defense

Policy vs Law

Laws - passed by state or federal bodies with legal penalties Policies - set by organizations with internal penalties

Standards vs Laws

Laws - passed by state or federal bodies with legal penalties Standards - established by industries w/o legal penalties

Due Care

Measures that an organization takes to ensure every employee knows what is acceptable and what is not.

National Cybersecurity Protection Act (2014)

National cyber infrastructure protection Updates the Homeland Security Act of 2002, which established the Department of Homeland Security, to include a national cybersecurity and communications integration center to share information and facilitate coordination between agencies, and perform analysis of cybersecurity incidents and risks

Cybersecurity Workforce Assessment Act (2014)

National information security employee assessment Tasks DHS to perform an evaluation of the national cybersecurity employee workforce at least every three years, and to develop a plan to improve recruiting and training of cybersecurity employees

(HIPAA) Health Insurance Portability and Accountability Act (1996)

Personal health information protection Requires medical practices to ensure the privacy of personal medical information

Federal Privacy Act (1974)

Privacy Governs federal agency use of personal information

(HITECH) Health Information Technology for Economic and Clinical Health Act (part of ARRA-2009) (2009)

Privacy of PHI Addresses privacy and security concerns associated with the electronic transmission of PHI, in part, through several provisions that strengthen HIPAA rules for civil and criminal enforcement

American Recovery and Reinvestment Act (2009)

Privacy of PHI In the privacy and security area, requires new reporting requirements and penalties for breach of Protected Health Information (PHI)

(FERPA) Family Educational Rights and Privacy Act (20 USC 1232g; 34 CFR Part 99) (1974)

Privacy of student information Also known as the Buckley Amendment; protects the privacy of student education records

Types of law based on how legislation affects individual

Private Law Public Law

(FCRA) Fair Credit Reporting Act (1970)

Protection of credit information Regulates the collection and use of consumer credit information

Due Diligence

Reasonable steps taken by people or organizations to meet the obligations imposed by laws or regulations.

(CAN-SPAM) Controlling the Assault of Non-Solicited Pornography and Marketing Act (15 USC 7701 et seq.) (2003)

Spam Sets the first national standards for regulating the distribution of commercial e-mail, including mobile phone spam

Rights Approach

Suggests that the ethical action is the one that best protects and respects the moral rights of those affected by that action; it begins with a belief that humans have an innate dignity based on their ability to make choices.

Codes of ethics can have a positive effect on an individual's judgment regarding computer use.

TRUE

The long-term value of an InfoSec certification adds leverage to the certification-granting authority to exert influence over its members, including influence in matters of ethical responsibility.

TRUE

The value of certifications vary depending on the certificate.

TRUE

Communications Act (47 USC 151 et seq.) (1934)

Telecommunications Includes amendments found in the Telecommunications Deregulation and Competition Act of 1996; this law regulates interstate and foreign telecommunications (amended 1996 and 2001)

USA PATRIOT Improvement and Reauthorization Act (update to 18 USC 1030) (2006)

Terrorism and extreme drug trafficking Renews critical sections of the USA PATRIOT Act

USA Freedom Act (2015)

Terrorist tracking Updates the Foreign Intelligence Surveillance Act (FISA); transfers the requirement to collect and report communications to/from known terrorist phone numbers to communications carriers, to be provided to select federal agencies upon request, among other updates to surveillance activities

Long-Arm Jurisdiction

The ability of a legal entity to exercise its influence beyond its normal boundaries by asserting a connection between an out-of-jurisdiction entity and a local legal case.

Forensics

The coherent application of methodical investigatory techniques to collect, preserve, and present evidence of crimes in a court or court-like setting.

Slippery Slope

The ease with which a person can justify an action based on a previously justified action

Jurisdiction

The power to make legal decisions and judgments, typically an area within which an entity such as a court or law enforcement agency is empowered to make legal decisions.

Deontological Ethics

The study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences; also known as duty-based or obligation-based ethics. This approach seeks to define a person's ethical duty.

Normative Ethics

The study of what makes actions right or wrong How should people act?

(CFA) Computer Fraud and Abuse Act (also known as Fraud and Related Activity in Connection with Computers) (18 USC 1030) (1986)

Threats to computers Defines and formalizes laws to counter threats from computer-related acts and offenses (amended 1996, 2001, and 2006)

General prohibition on pen register and trap-and-trace device use; exception (18 USC 3121 et seq.) (1993)

Trap and trace restrictions Prohibits the use of electronic "pen registers" and trap-and-trace devices without a court order

Some ethics are thought to be universal

True

the InfoSec practitioner must understand the current legal environment and keep apprised of new laws, regulations, and ethical issues as they emerge.

True

PCI DSS (Payment Card Industry Data Security Standard)

a set of industry standards that are mandated for any organization that handles credit, debit, and specialty payment cards created by the Payment Card Industry Security Standards Council in an effort to reduce credit card fraud.

Morality

defines acceptable and unacceptable behavior within a group context

European Council Cybercrime Convention

empowers an international task force to oversee a range of Internet security functions and to standardize technology laws across international borders

FBI's National Infrastructure Protection Center (NIPC)

established in 1998 and served as the U.S. government's focal point for threat assessment and the warning, investigation, and response to threats or attacks against critical U.S. infrastructures. The NIPC was folded into the DHS after the 2001 terrorist attacks to increase communications and focus the department's efforts in cyber defense. It is now a part of DHS's National Protection and Programs Directorate.

What is Public Law?

government is directly involved; regulates relationships between individuals and government Includes Criminal Law, Administrative Law, Constitutional Law

Office of Cybersecurity and Communications (CS&C)

has the mission of assuring the security, resiliency, and reliability of the nation's cyber and communications infrastructure.

National Centers of Academic Excellence in Cyber Operations

intended to be a deeply technical, inter-disciplinary, higher education program firmly grounded in the computer science (CS), computer engineering (CE), and/or electrical engineering (EE) disciplines, with extensive opportunities for hands-on applications via labs/exercises.

Federal Protective Service (FPS)

is a federal law enforcement agency that provides integrated security and law enforcement services to federally owned and leased buildings, facilities, properties, and other assets.

The key difference between law and ethics

law carries the sanction of a governing authority and ethics do not

Office of Infrastructure Protection (IP)

leads the coordinated national effort to reduce risk to critical infrastructure posed by acts of terrorism. IP thus increases the nation's level of preparedness and the ability to respond and quickly recover in the event of an attack, natural disaster, or other emergency.

Office of Biometric Identity Management (OBIM)

provides biometric identity services to DHS and its mission partners that advance informed decision making by producing accurate, timely, and high-fidelity biometric identity information while protecting individuals privacy and civil liberties.

Office of Cyber and Infrastructure Analysis (OCIA)

provides consolidated all-hazards consequence analysis, ensuring there is an understanding and awareness of cyber and physical critical infrastructure interdependencies and the impact of a cyber threat or incident to the nation's critical infrastructure.

What is Private Law?

regulates disputes between private individuals or groups. Civil Law

Laws

rules adopted and enforced by governments to codify expected behavior in modern society

Ethics

the organized study of how humans ought to act, or a set of rules we should live by

Cultural Mores

the relatively fixed moral attitudes or customs of a societal `group