Management of Information Security Chapter 2
ten commandments of computer ethics
- Thou shalt not use a computer to harm other people.
- Thou shalt not interfere with other people's computer work.
- Thou shalt not snoop around in other people's computer files.
- Thou shalt not use a computer to steal.
- Thou shalt not use a computer to bear false witness.
- Thou shalt not copy or use proprietary software for which you have not paid.
- Thou shalt not use other people's computer resources without authorization or proper compensation.
- Thou shalt not appropriate other people's intellectual output.
- Thou shalt think about the social consequences of the program you are writing or the system you are designing.
- Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.
infragard
A U.S. association consisting of regional chapters of the Federal Bureau of Investigation (FBI) and affiliations of public, private, and academic organizations that cooperate to exchange information on the protection of critical national information resources.
digital malfeasance
A crime against or using digital media, computer technology, or related components; in other words, a computer is the source of a crime or the object of a crime.
federal protective service
A federal law enforcement agency that provides integrated security and law enforcement services to federally owned and leased buildings, facilities, properties, and other assets.
restitution
A legal requirement to make compensation or payment resulting from a loss or injury.
international information systems security certification consortium (ISC)
A nonprofit organization that focuses on the development and implementation of InfoSec certifications and credentials; it manages a body of knowledge on InfoSec and administers and evaluates examinations for InfoSec certifications.
information systems security association (ISSA)
A nonprofit society of InfoSec professionals. Its primary mission is to bring together qualified practitioners of InfoSec for information exchange and educational development. It provides conferences, meetings, publications, and information resources to promote InfoSec awareness and education.
information systems audit and control association (ISACA)
A professional association with a focus on auditing, control, and security. Its membership comprises both technical and managerial professionals. It focuses on providing IT control practices and standards. The organization offers the Certified Information Security Manager (CISM) and Certified Information Systems Auditor (CISA) certifications.
sans
A professional research and education cooperative organization. The organization, which enjoys a large professional membership, is dedicated to the protection of information and systems.
virtue approach
A very ancient ethical model postulating that ethical actions ought to be consistent with so-called ideal virtues; that is, those virtues that all of humanity finds most worthy and that, when present, indicate a fully developed humanity. In most virtue-driven ethical frameworks, the virtues include honesty, courage, compassion, generosity, tolerance, love, fidelity, integrity, fairness, self-control, and prudence.
fairness approach
Also known as the justice approach; suggests that the ethical action is the one that best protects and respects the moral rights of those affected by that action. It begins with a belief that humans have an innate dignity based on their ability to make choices.
health information technology for economic and clinical health act 2009
Addresses privacy and security concerns associated with the electronic transmission of PHI, in part, through several provisions that strengthen HIPAA rules for civil and criminal enforcement
criminal law
Addresses violations harmful to society and is actively enforced and prosecuted by the state.
security and freedom through encryption act 1997
Affirms the rights of persons in the United States to use and sell products that include encryption and to relax export controls on such products
freedom of information act 1966
Allows for the disclosure of previously unreleased information and documents controlled by the U.S. government
evidentiary material
Also known as "items of potential evidentiary value," any information that could potentially support the organization's legal or policy-based case against a suspect.
family educational rights and privacy act 1974
Also known as the Buckley Amendment; protects the privacy of student education records
applied ethics
An approach that applies moral codes to actions drawn from realistic situations; it seeks to define how we might use ethics in practice.
liability
An entity's legal obligation or responsibility.
identity theft and assumption deterrence act 1998
Attempts to instigate specific penalties for identity theft by identifying the individual who loses their identity as the true victim, not just those commercial and financial credit entities who suffered losses
common good approach
Based on the work of the Greek philosophers, a notion that life in community yields a positive outcome for the individual, and therefore each individual should contribute to that community. This approach argues that the complex relationships found in a society are the basis of a process founded on ethical reasoning that respects and has compassion for all others, most particularly the most vulnerable members of a society. This approach tends to focus on the common welfare.
national information infrastructure protection act 1996
Categorizes crimes based on defendant's authority to access a protected computer system and criminal intent
private law
Considered a subset of civil law, and regulates the relationships among individuals as well as relationships between individuals and organizations; it encompasses family law, commercial law, and labor law.
fraud and related activity in connection with access devices 2004
Defines and formalizes law to counter threats from counterfeit access devices like ID cards, credit cards, telecom equipment, mobile or electronic serial numbers, and the equipment that creates them
computer fraud and abuse act 1986
Defines and formalizes laws to counter threats from computer-related acts and offenses (amended 1996, 2001, and 2006)
civil law
Embodies a wide variety of laws pertaining to relationships between and among individuals and organizations. It includes contract law, employment law, family law, and tort law.
utilitarian approach
Emphasizes that an ethical action is one that results in the most good, or the least harm; this approach seeks to link consequences to choices.
sarbanes oxley act 2002
Enforces accountability for executives at publicly traded companies; is having ripple effects throughout the accounting, IT, and related units of many organizations
part 2 title 21 of the code of federal rights 1997
Establishes guidelines for the use and acceptance of electronic signatures and electronic records for all Food & Drug Administration (FDA) regulated industries
federal privacy act 1974
Governs federal agency use of personal information
office of cybersecurity and communications
Has the mission of assuring the security, resiliency, and reliability of the nation's cyber and communications infrastructure.
american recovery and reinvestment act 2009
In the privacy and security area, requires new reporting requirements and penalties for breach of Protected Health Information (PHI)
communications act 1934
Includes amendments found in the Telecommunications Deregulation and Competition Act of 1996; this law regulates interstate and foreign telecommunications (amended 1996 and 2001)
digital forensics
Investigations involving the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and root cause analysis. Like traditional forensics, digital forensics follows clear, well-defined methodologies but still tends to be as much art as science.
office of infrastructure protection
Leads the coordinated national effort to reduce risk to critical infrastructure posed by acts of terrorism. IP thus increases the nation's level of preparedness and the ability to respond and quickly recover in the event of an attack, natural disaster, or other emergency.
due care
Measures that an organization takes to ensure every employee knows what is acceptable and what is not.
common law
Originates from a judicial branch or oversight board and involves the interpretation of law based on the actions of a previous and/or higher court or board.
statutory law
Originates from a legislative branch specifically tasked with the creation and publication of laws and statutes.
regulatory law
Originates from an executive branch or authorized regulatory agency, and includes executive orders and regulations.
constitutional law
Originates with the U.S. Constitution, a state constitution, or local constitution, bylaws, or charter.
search warrant
Permission to search for evidentiary material at a specified location and/or to seize items to return to the investigator's lab for examination. An affidavit becomes a search warrant when signed by an approving authority.
economic espionage act 1996
Prevents abuse of information gained while employed elsewhere
general prohibition on pen register and trap and trace device use
Prohibits the use of electronic "pen registers" and trap-and-trace devices without a court order
copyright act 1976
Protects intellectual property, including publications and software
office of biometric identity management
Provides biometric identity services to DHS and its mission partners that advance informed decision making by producing accurate, timely, and high-fidelity biometric identity information while protecting individuals' privacy and civil liberties.
office of cyber and infrastructure analysis
Provides consolidated all-hazards consequence analysis, ensuring there is an understanding and awareness of cyber and physical critical infrastructure interdependencies and the impact of a cyber threat or incident to the nation's critical infrastructure.
unlawful access to stored communications 1986
Provides penalties for illegally accessing communications (such as e-mail and voice mail) stored by a service provider
childrens online privacy protection act 1998
Provides requirements for online service and Web site providers to ensure the privacy of children under 13 is protected
digital millennium copyright act 1998
Provides specific penalties for removing copyright protection from media
due diligence
Reasonable steps taken by people or organizations to meet the obligations imposed by laws or regulations.
federal trade commission act 1914
Recently used to challenge organizations with deceptive claims regarding the privacy and security of customers' personal information
electronic communications privacy act 1986
Regulates interception and disclosure of electronic information; also referred to as the Federal Wiretapping Act
fair credit reporting act 1970
Regulates the collection and use of consumer credit information
public law
Regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments.
usa patriot improvement and reauthorization act 2006
Renews critical sections of the USA PATRIOT Act
gramm leach bliley act 1999
Repeals the restrictions on banks affiliating with insurance and securities firms; has significant impact on the privacy of personal information used by these industries
computer security act 1987
Requires all federal computer systems that contain classified information to have security plans in place, and requires periodic security training for all individuals who operate, design, or manage such systems
federal information security management act 2002
Requires each federal agency to develop, document, and implement an agency-wide program to provide InfoSec for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source
health insurance portability and accountability act 1996
Requires medical practices to ensure the privacy of personal medical information
international traffic in arms regulations act 2012
Restricts the exportation of technology and information related to defense and military-related services and materiel including research and development information
controlling the assault of non solicited pornography and marketing 2003
Sets the first national standards for regulating the distribution of commercial e-mail, including mobile phone spam
rights approach
Suggests that the ethical action is the one that best protects and respects the moral rights of those affected by that action; it begins with a belief that humans have an innate dignity based on their ability to make choices.
affidavit
Sworn testimony that certain facts are in the possession of the investigating officer and that they warrant the examination of specific items located at a specific place. The facts, the items, and the place must be specified in the affidavit.
cybersecurity workforce assessment act 2014
Tasks DHS to perform an evaluation of the national cybersecurity employee workforce at least every three years, and to develop a plan to improve recruiting and training of cybersecurity employees
long arm jurisdiction
The ability of a legal entity to exercise its influence beyond its normal boundaries by asserting a connection between an out-of-jurisdiction entity and a local legal case.
deterrence
The act of attempting to prevent an unwanted action by threatening punishment or retaliation on the instigator if the act takes place.
ethics
The branch of philosophy that considers nature, criteria, sources, logic, and the validity of moral judgment.
forensics
The coherent application of methodical investigatory techniques to collect, preserve, and present evidence of crimes in a court or court-like setting. Forensics allows investigators to determine what happened by examining the results of an event—criminal, natural, intentional, or accidental.
e discovery
The identification and preservation of evidentiary material related to a specific legal action.
probability of penalty being administered
The organization must be willing and able to impose the penalty.
em policy
The policy document that guides the development and implementation of EM procedures regarding the collection, handling, and storage of items of potential evidentiary value, as well as the organization and conduct of EM collection teams.
jurisdiction
The power to make legal decisions and judgments, typically an area within which an entity such as a court or law enforcement agency is empowered to make legal decisions.
descriptive ethics
The study of the choices that have been made by individuals in the past; that is, what do others think is right?
meta ethics
The study of the meaning of ethical judgments and properties; that is, what is right?
deontological ethics
The study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences; also known as duty-based or obligation-based ethics. This approach seeks to define a person's ethical duty.
normative ethics
The study of what makes actions right or wrong, also known as moral theory; that is, how should people act?
association for computing machinery (ACM)
The world's first educational and scientific computing society. It is one of the few organizations that strongly promotes education and provides discounted membership for students.
probability of being caught
There must be a strong possibility that perpetrators of illegal or unethical acts will be caught.
no electronic theft act 1997
These parts of the U.S. Code amend copyright and criminal statutes to provide greater copyright protection and penalties for electronic copyright infringement
fear of penalty
Threats of informal reprimand or verbal warnings may not have the same impact as the threat of termination, imprisonment, or forfeiture of pay.
federal information security modernization act 2014
Updates many outdated federal information security practices, updating FISMA, providing a framework for ensuring effectiveness in information security controls over federal information systems, and centralizing cybersecurity management within DHS
usa freedom act 2015
Updates the Foreign Intelligence Surveillance Act (FISA); transfers the requirement to collect and report communications to/from known terrorist phone numbers to communications carriers, to be provided to select federal agencies upon request, among other updates to surveillance activities
national cybersecurity protection act 2014
Updates the Homeland Security Act of 2002, which established the Department of Homeland Security, to include a national cybersecurity and communications integration center to share information and facilitate coordination between agencies, and perform analysis of cybersecurity incidents and risks
ignorance, accident, and intent
What are the three categories of unethical behavior?
tort law
The subset of civil law that allows individuals to seek redress in the event of personal, physical, or financial injury.