Management of Information Security: Sections 2-1, 2-2, 2-3, 2-4, 2-5
The best method for preventing an illegal or unethical activity
Deterrence
Identity Theft and Assumption Deterrence Act (18 USC 1028) (1998)
Identity theft: Attempts to instigate specific penalties for identity theft by identifying the individual who loses their identity as the true victim, not just those commercial and financial credit entities who suffered losses
Three categories of unethical behavior
Ignorance, accident, intent
Examples of deterrence
Laws, policies, technical controls
Traditional Foundations and Frameworks of Ethics
Normative ethics, meta-ethics, descriptive ethics, applied ethics, deontological ethics
Federal Trade Commission Act (FTCA) (1914)
Online commerce and information protection: Recently used to challenge organizations with deceptive claims regarding the privacy and security of customers' personal information
Three documents of PCI DSS
PCI DSS Requirements and Assessment Procedures; PCI DSS Self-Assessment; PCI DSS Support Documents
Meta-ethics
The study of the meaning of ethical judgments and properties. What is right?
Economic Espionage Act (1996)
Trade secrets: Prevents abuse of information gained while employed elsewhere
Association for Computing Machinery (ACM)
1) established in 1947 as the world's first educational and scientific computing society 2) strongly promotes education and provides discounted membership for students 3) Code of ethics for computer professionals
Each state or locality may have a number of laws and regulations that affect the use of computer technology.
TRUE
Descriptive Ethics
The study of the choices that have been made by individuals in the past. What do others think is right?
Ethical Standards or Approaches
Utilitarian approach, rights approach, fairness or justice approach, common good approach, virtue approach
Types of statutory law
Criminal law (misdemeanor, felony); civil law (torts)
Ten Commandments of Computer Ethics
1) Thou shalt not use a computer to harm other people. 2) Thou shalt not interfere with other people's computer work. 3) Thou shalt not snoop around in other people's computer files. 4) Thou shalt not use a computer to steal. 5) Thou shalt not use a computer to bear false witness. 6) Thou shalt not copy or use proprietary software for which you have not paid. 7) Thou shalt not use other people's computer resources without authorization or proper compensation. 8) Thou shalt not appropriate other people's intellectual output. 9) Thou shalt think about the social consequences of the program you are writing or the system you are designing. 10) Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.
International Information Systems Security Certification Consortium, Inc. (ISC)2
1) a nonprofit organization that focuses on the development and implementation of InfoSec certifications and credentials. 2) manages a body of knowledge on InfoSec and administers and evaluates examinations for InfoSec certifications. 3) Code of ethics for InfoSec professionals who have earned one of their certifications.
Information Systems Security Association (ISSA)
1) a nonprofit society of InfoSec professionals 2) mission is to bring together qualified practitioners of InfoSec for information exchange and educational development 3) Has code of ethics and expects members to follow a pledge
Information Systems Audit and Control Association (ISACA)
1) a professional association with a focus on auditing, control, and security. 2) focuses on providing IT control practices and standards. 3) Certified Information Security Manager (CISM); Certified Information Systems Auditor (CISA) 4) Members must abide by its code of ethics
SANS
1) a professional research and education cooperative organization 2) dedicated to the protection of information and systems. 3) has a core IT code of ethics for all certificate holders
Conditions required for laws and policies to deter behavior
1. Fear of penalty 2. Probability of being caught 3. Probability of penalty being administered
NSA
A United States government institution that collects data for security purposes.
GDPR (General Data Protection Regulation)
A group of regulations implemented by the European Union (EU) to protect personal data of EU citizens.
Restitution
A legal requirement to make compensation or payment resulting from a loss or injury.
InfraGard (2001)
A public-private agency of the FBI that promotes the exchange of information between the private and public sectors on issues related to terrorism, intelligence, and security matters.
Virtue Approach
A very ancient ethical model postulating that ethical actions ought to be consistent with so-called ideal virtues, that is, those virtues that all of humanity finds most worthy and that, when present, indicate a fully developed humanity.
Unlawful Access to Stored Communications (18 USC 2701) (1986)
Access to stored communications: Provides penalties for illegally accessing communications (such as e-mail and voice mail) stored by a service provider
(SOX) Sarbanes-Oxley Act (2002) (Public Company Accounting Reform and Investor Protection Act)
Accountability: Enforces accountability for executives at publicly traded companies; is having ripple effects throughout the accounting, IT, and related units of many organizations
EU-U.S. Safe Harbor Agreement
An agreement between the European Union and the United States, invalidated by the Court of Justice of the European Union in 2015, that allowed for the legal transfer of personal data between the EU and U.S. in the absence of a comprehensive adequacy decision for the United States.
Applied Ethics
An approach that applies moral codes to actions drawn from realistic situations. How might we use ethics in practice?
Liability
An entity's legal obligation or responsibility
(GLB) Gramm-Leach-Bliley Act (1999) (also known as the Financial Services Modernization Act)
Banking: Repeals the restrictions on banks affiliating with insurance and securities firms; has significant impact on the privacy of personal information used by these industries
Common Good Approach
Based on the work of the Greek philosophers, a notion that life in community yields a positive outcome for the individual, and therefore each individual should contribute to that community. This approach argues that the complex relationships found in a society are the basis of a process founded on ethical reasoning that respects and has compassion for all others, most particularly the most vulnerable members of a society. This approach tends to focus on the common welfare.
(COPPA) Children's Online Privacy Protection Act (1998)
Child privacy protection: Provides requirements for online service and Web site providers to ensure the privacy of children under 13 is protected
Types of Law
Constitutional law; statutory law; regulatory or administrative law; common law, case law, and precedent
(DMCA) Digital Millennium Copyright Act (update to 17 USC 101) (1998)
Copy protection: Provides specific penalties for removing copyright protection from media
Copyright Act (update to U.S. Copyright Law (17 USC)) (1976)
Copyright: Protects intellectual property, including publications and software
EU-U.S. Privacy Shield (2016)
Created to replace the invalidated U.S.-EU Safe Harbor agreement, the Privacy Shield is a data transfer mechanism negotiated by U.S. and EU authorities that received an adequacy determination from the European Commission. Only those companies that fell under the jurisdiction of the U.S. Federal Trade Commission could certify to the Shield principles and participate, which notably excludes health care, financial services, and non-profit institutions. On July 16, 2020, the Court of Justice of the European Union invalidated the European Commission's adequacy determination for Privacy Shield.
National Information Infrastructure Protection Act (update to 18 USC 1030) (1996)
Criminal intent: Categorizes crimes based on defendant's authority to access a protected computer system and criminal intent
Electronic Communications Privacy Act (update to 18 USC) (1986)
Cryptography: Regulates interception and disclosure of electronic information; also referred to as the Federal Wiretapping Act
(ITAR) International Traffic in Arms Regulations Act (2012)
Defense information protection: Restricts the exportation of technology and information related to defense and military-related services and materiel, including research and development information
Part 11, Title 21 of the Code of Federal Regulations (1997)
Electronic records: Establishes guidelines for the use and acceptance of electronic signatures and electronic records for all Food & Drug Administration (FDA) regulated industries
Utilitarian Approach
Emphasizes that an ethical action is one that results in the most good, or the least harm; this approach seeks to link consequences to choices.
Security and Freedom Through Encryption Act (1997)
Encryption and digital signatures: Affirms the rights of persons in the United States to use and sell products that include encryption and relaxes export controls on such products
Federal agencies charged with the protection of federal and nationwide information assets
FBI's National Infrastructure Protection Center (NIPC); FBI InfraGard organization; Department of Homeland Security (DHS) National Protection and Programs Directorate; NSA; U.S. Secret Service
National Protection and Programs Directorate
Federal Protective Service (FPS); Office of Biometric Identity Management (OBIM); Office of Cyber and Infrastructure Analysis (OCIA); Office of Cybersecurity and Communications (CS&C); Office of Infrastructure Protection (IP)
Computer Security Act (CSA) (1987)
Federal agency information security: Requires all federal computer systems that contain classified information to have security plans in place, and requires periodic security training for all individuals who operate, design, or manage such systems
Federal Information Security Modernization Act (2014)
Federal information security updates: Updates many outdated federal information security practices, updating FISMA, providing a framework for ensuring effectiveness in information security controls over federal information systems, and centralizing cybersecurity management within DHS
Fairness or Justice Approach
Founded on the work of Aristotle and other Greek philosophers who contributed the idea that all persons who are equal should be treated equally; today, this approach defines ethical actions as those that have outcomes that regard all human beings equally, or that incorporate a degree of fairness based on some defensible standard. This is often described as a "level playing field."
Fraud and Related Activity in Connection with Access Devices (18 USC 1029) (2004)
Fraud with access devices: Defines and formalizes law to counter threats from counterfeit access devices like ID cards, credit cards, telecom equipment, mobile or electronic serial numbers, and the equipment that creates them
(FOIA) Freedom of Information Act (1966)
Freedom of information: Allows for the disclosure of previously unreleased information and documents controlled by the U.S. government
(FISMA) Federal Information Security Management Act (2002)
General InfoSec: Federal Information Security Management Act, or FISMA (44 USC 3541 et seq.), 2002. Requires each federal agency to develop, document, and implement an agency-wide program to provide InfoSec for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source
No Electronic Theft Act (1997)
IP: Amends 17 USC 506(a) (copyright infringement) and 18 USC 2319 (criminal infringement of copyright) (Public Law 105-147). These parts of the U.S. Code amend copyright and criminal statutes to provide greater copyright protection and penalties for electronic copyright infringement
Key difference between policies and laws
Ignorance of policy is a viable defense
Policy vs Law
Laws - passed by state or federal bodies with legal penalties; Policies - set by organizations with internal penalties
Standards vs Laws
Laws - passed by state or federal bodies with legal penalties; Standards - established by industries without legal penalties
Due Care
Measures that an organization takes to ensure every employee knows what is acceptable and what is not.
National Cybersecurity Protection Act (2014)
National cyber infrastructure protection: Updates the Homeland Security Act of 2002, which established the Department of Homeland Security, to include a national cybersecurity and communications integration center to share information and facilitate coordination between agencies, and perform analysis of cybersecurity incidents and risks
Cybersecurity Workforce Assessment Act (2014)
National information security employee assessment: Tasks DHS to perform an evaluation of the national cybersecurity employee workforce at least every three years, and to develop a plan to improve recruiting and training of cybersecurity employees
(HIPAA) Health Insurance Portability and Accountability Act (1996)
Personal health information protection: Requires medical practices to ensure the privacy of personal medical information
Federal Privacy Act (1974)
Privacy: Governs federal agency use of personal information
(HITECH) Health Information Technology for Economic and Clinical Health Act (part of ARRA-2009) (2009)
Privacy of PHI: Addresses privacy and security concerns associated with the electronic transmission of PHI, in part through several provisions that strengthen HIPAA rules for civil and criminal enforcement
American Recovery and Reinvestment Act (2009)
Privacy of PHI: In the privacy and security area, establishes new reporting requirements and penalties for breach of Protected Health Information (PHI)
(FERPA) Family Educational Rights and Privacy Act (20 USC 1232g; 34 CFR Part 99) (1974)
Privacy of student information: Also known as the Buckley Amendment; protects the privacy of student education records
Types of law based on how legislation affects individual
Private law, public law
(FCRA) Fair Credit Reporting Act (1970)
Protection of credit information: Regulates the collection and use of consumer credit information
Due Diligence
Reasonable steps taken by people or organizations to meet the obligations imposed by laws or regulations.
(CAN-SPAM) Controlling the Assault of Non-Solicited Pornography and Marketing Act (15 USC 7701 et seq.) (2003)
Spam: Sets the first national standards for regulating the distribution of commercial e-mail, including mobile phone spam
Rights Approach
Suggests that the ethical action is the one that best protects and respects the moral rights of those affected by that action; it begins with a belief that humans have an innate dignity based on their ability to make choices.
Codes of ethics can have a positive effect on an individual's judgment regarding computer use.
TRUE
The long-term value of an InfoSec certification adds leverage to the certification-granting authority to exert influence over its members, including influence in matters of ethical responsibility.
TRUE
The value of certifications varies depending on the certificate.
TRUE
Communications Act (47 USC 151 et seq.) (1934)
Telecommunications: Includes amendments found in the Telecommunications Deregulation and Competition Act of 1996; this law regulates interstate and foreign telecommunications (amended 1996 and 2001)
USA PATRIOT Improvement and Reauthorization Act (update to 18 USC 1030) (2006)
Terrorism and extreme drug trafficking: Renews critical sections of the USA PATRIOT Act
USA Freedom Act (2015)
Terrorist tracking: Updates the Foreign Intelligence Surveillance Act (FISA); transfers the requirement to collect and report communications to/from known terrorist phone numbers to communications carriers, to be provided to select federal agencies upon request, among other updates to surveillance activities
Long-Arm Jurisdiction
The ability of a legal entity to exercise its influence beyond its normal boundaries by asserting a connection between an out-of-jurisdiction entity and a local legal case.
Forensics
The coherent application of methodical investigatory techniques to collect, preserve, and present evidence of crimes in a court or court-like setting.
Slippery Slope
The ease with which a person can justify an action based on a previously justified action
Jurisdiction
The power to make legal decisions and judgments, typically an area within which an entity such as a court or law enforcement agency is empowered to make legal decisions.
Deontological Ethics
The study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences; also known as duty-based or obligation-based ethics. This approach seeks to define a person's ethical duty.
Normative Ethics
The study of what makes actions right or wrong. How should people act?
(CFA) Computer Fraud and Abuse Act (also known as Fraud and Related Activity in Connection with Computers) (18 USC 1030) (1986)
Threats to computers: Defines and formalizes laws to counter threats from computer-related acts and offenses (amended 1996, 2001, and 2006)
General prohibition on pen register and trap-and-trace device use; exception (18 USC 3121 et seq.) (1993)
Trap and trace restrictions: Prohibits the use of electronic "pen registers" and trap-and-trace devices without a court order
Some ethics are thought to be universal
True
The InfoSec practitioner must understand the current legal environment and keep apprised of new laws, regulations, and ethical issues as they emerge.
True
PCI DSS (Payment Card Industry Data Security Standard)
A set of industry standards created by the Payment Card Industry Security Standards Council, mandated for any organization that handles credit, debit, and specialty payment cards, in an effort to reduce credit card fraud.
Morality
Defines acceptable and unacceptable behavior within a group context
European Council Cybercrime Convention
Empowers an international task force to oversee a range of Internet security functions and to standardize technology laws across international borders
FBI's National Infrastructure Protection Center (NIPC)
Established in 1998; served as the U.S. government's focal point for threat assessment and the warning, investigation, and response to threats or attacks against critical U.S. infrastructures. The NIPC was folded into the DHS after the 2001 terrorist attacks to increase communications and focus the department's efforts in cyber defense. It is now a part of DHS's National Protection and Programs Directorate.
What is Public Law?
Government is directly involved; regulates relationships between individuals and government. Includes criminal law, administrative law, constitutional law
Office of Cybersecurity and Communications (CS&C)
Has the mission of assuring the security, resiliency, and reliability of the nation's cyber and communications infrastructure.
National Centers of Academic Excellence in Cyber Operations
Intended to be a deeply technical, inter-disciplinary, higher education program firmly grounded in the computer science (CS), computer engineering (CE), and/or electrical engineering (EE) disciplines, with extensive opportunities for hands-on applications via labs/exercises.
Federal Protective Service (FPS)
A federal law enforcement agency that provides integrated security and law enforcement services to federally owned and leased buildings, facilities, properties, and other assets.
The key difference between law and ethics
Law carries the sanction of a governing authority and ethics do not
Office of Infrastructure Protection (IP)
Leads the coordinated national effort to reduce risk to critical infrastructure posed by acts of terrorism. IP thus increases the nation's level of preparedness and the ability to respond and quickly recover in the event of an attack, natural disaster, or other emergency.
Office of Biometric Identity Management (OBIM)
Provides biometric identity services to DHS and its mission partners that advance informed decision making by producing accurate, timely, and high-fidelity biometric identity information while protecting individuals' privacy and civil liberties.
Office of Cyber and Infrastructure Analysis (OCIA)
Provides consolidated all-hazards consequence analysis, ensuring there is an understanding and awareness of cyber and physical critical infrastructure interdependencies and the impact of a cyber threat or incident to the nation's critical infrastructure.
What is Private Law?
Regulates disputes between private individuals or groups. Includes civil law
Laws
Rules adopted and enforced by governments to codify expected behavior in modern society
Ethics
The organized study of how humans ought to act, or a set of rules we should live by
Cultural Mores
The relatively fixed moral attitudes or customs of a societal group