Legal, Ethical, and Professional Issues in Information Security Principles of Information Security Chapter 3

Embed Size (px)

Text of Legal, Ethical, and Professional Issues in Information Security Principles of Information Security...

  • Slide 1
  • Legal, Ethical, and Professional Issues in Information Security Principles of Information Security Chapter 3
  • Slide 2
  • Chapter Objectives Upon completion of this chapter you should be able to: Use this chapter as a guide for future reference on laws, regulations, and professional organizations. Differentiate between laws and ethics. Identify major national laws that relate to the practice of information security. Describe the role of culture as it applies to ethics in information security. 2
  • Slide 3
  • *Law and Ethics in Information Security Jean-Jacques Rousseau The Social Contract or Principles of Political Right (1762) "The rules the members of a society create to balance the right of the individual to self-determination with the needs of the society as a whole are called laws." Laws** Rules that mandate or prohibit certain behavior in society. Carry the sanctions of governing authority. Ethics** Define socially acceptable behaviors. Universally recognized examples include murder, theft, assault, and arson. Cultural Mores The fixed moral attitudes or customs of a particular group. 3
  • Slide 4
  • Organizational Liability Liability** Legal obligation of an entity that extends beyond criminal or contract law. Includes obligation to make restitution, or compensate for, wrongs committed by an organization or its employees. Organization can be held financially liable (responsible) for actions of employees. Obligation increases if organization fails to take due care. 4
  • Slide 5
  • Organizational Responsibilities for Due Care and Due Diligence Due care** Must ensure that every employee knows what is acceptable or unacceptable behavior consequences of illegal or unethical actions. Due diligence** Requires organization to make a valid effort to protect others continually maintain this level of effort Internet has global reach --- injury/wrong can occur anywhere in the world. Jurisdiction** A court's right to hear a case if a wrong was committed in its territory, or involves its citizenry --- long arm jurisdiction. In U.S., any court can impose its authority over individuals or organizations, if it can establish jurisdiction 5
  • Slide 6
  • Policy vs Law Laws External legal requirements Security policies**. Internal (organizational) rules that: Describe acceptable and unacceptable employee behaviors. Organizational laws --- including penalties and sanctions. Must be complete, appropriate and fairly applied in the work place. In order to be enforceable, policies must be Disseminated. Distributed to all individuals and readily available for employee reference. Reviewed. Document distributed in a format that could be read by employeees. Comprehended. Employees understand the requirements --- e.g., quizzes or other methods of assessment. Compliance. Employee agrees to comply with the policy. Uniformly enforced, regardless of employee status or assignment. 6
  • Slide 7
  • Types of Law Civil law** Laws that govern a nation or state. Criminal law** Violations harmful to society Actively enforced by prosecution by the state. Private law** regulates relationship between individual and organization. encompasses family law, commercial law, labor law. Public law** regulates structure and administration of government agencies and their relationships with citizens, employees, and other governments, providing careful checks and balances. Includes criminal, administrative and constitutional law. 7
  • Slide 8
  • U.S. General Computer Crime Laws Computer Fraud and Abuse Act of 1986 (CFA Act)** Cornerstone of federal laws and enforcement acts Addresses threats to computers Communications Act of 1934 Addresses Telecommunications modified by Telecommunications Deregulation and Competition Act of 1996 modernize archaic terminology Computer Security Act of 1987** Protect federal computer systems (federal agencies) Establish minimum acceptable security practices. 8
  • Slide 9
  • U.S. Privacy Laws Privacy Issues Collection of personal information Clipper chip - never implemented Privacy of Customer Information U.S. Legal Code Privacy of Customer Information Section Responsibilities of common carriers (phone co) to protect confidentiality Federal Privacy Act of 1974** Regulates government protection of privacy, with some exceptions Electronic Communications Privacy Act of 1986** Fourth Amendment - unlawful search and seizure Health Insurance Portability and Accountability Act of 1996 (HIPAA)** Kennedy-Kassebaum Act Privacy of electronic data interchange for health care data Financial Services Modernization Act (1999)** Gramm-Leach-Bliley Act of 1999 Banks, securities firms, and insurance companies - disclosure of privacy policies 9
  • Slide 10
  • U.S. Copyright Law** Recognizes intellectual property as a protected asset in the U.S. published word, including electronic formats Fair use of copyrighted materials Includes support news reporting teaching scholarship related activities Use MUST be for educational or library purposes not for profit not excessive include proper acknowledgment to original author 10
  • Slide 11
  • Financial Reporting Sarbanes-Oxley Act of 2002** Affects publicly traded corporations public accounting firms result of Enron, among others. improve reliability and accuracy of financial reporting. increase accountability of corporate governance in publicly traded companies. Executives will need assurance on reliability and quality of information systems from information technology managers. Key issue: compliance with reporting requirements. 11
  • Slide 12
  • Freedom of Information Act of 1996 (FOIA)** Any person may request access to federal agency records or information not determined to be a matter of national security. Agencies must disclose requested information After the request has been reviewed and determined not to pose a risk to national security. Does NOT apply to: state/local government agencies private businesses or individuals. 12
  • Slide 13
  • State and Local Regulations Locally implemented laws pertaining to information security. Information security professionals must be aware of these laws and comply with them. 13
  • Slide 14
  • International Laws and Legal Bodies Few international laws relating to privacy and information security. European Council Cyper-Crime Convention 2001. Creates international task force Improve effectiveness of international investigations Emphasis on copyright infringement prosecution Lacks realistic provisions for enforcement WTO Agreement on Intellectual Property Rights Intellectual property rules for multilateral trade system. Digital Millenium Copyright Act** U.S. response to 1995 Directive 95/46/EC by E.U. U.K. Database Right United Nations Charter Information Warfare provisions. 14
  • Slide 15
  • Security Breaches Punishment If not caught: illegal to demand a payment in order to disappear without a track But banks and financial institutions have to keep it quiet If caught in a lawful country: fines and/or jail sentence AOL employees http://www.connectedhomemag.com/HomeOffice/Articles/Index.cfm?ArticleID=43090 http://www.aolsucks.org/ccaol2.htm $130 mil. stolen in computer crime. Each defendant faces the possibility of 35 years in prison, and more than $1 million in fines or twice the amount made from the crime, whichever is greater. http://www.crime- research.org/news/27.08.2009/3750/ http://www.crime- research.org/news/27.08.2009/3750/ Malicious kids go to jail http://www.cybercrime.gov/cases.htm http://www.cybercrime.gov/cases.htm Kevin Mitnick and Robert Morris Federal cases database (only up to 2006) http://www.justice.gov/criminal/cybercrime/cccases.html http://www.justice.gov/criminal/cybercrime/cccases.html 15
  • Slide 16
  • Ethics and Information Security Ethical issues of information security professionals Expected to be leaders in ethical workplace behavior No binding professional code of ethics Some professional organizations provide ethical codes of conduct, Have no authority to banish violators from professional practice. 16
  • Slide 17
  • Cultural Differences and Ethics Different nationalities have different perspectives on computer ethics Asian tradition - collective ownership Western tradition - intellectual property rights Study of computer use ethics among students in 9 nations Singapore, Hong Kong, U.S., England, Australia, Sweden, Wales, Netherlands Studied 3 categories of use software license infringement illicit use misuse of corporate resources 17
  • Slide 18
  • Cultural Differences: Software License Infringement Most nations had similar attitudes toward software piracy U.S. significantly less tolerant (least tolerant) Other countries moderate higher piracy rates in Singapore/Hong Kong may result from lack of legal disincentives or punitive measures Netherlands most permissive least likely to honor copyrights of content creators lower piracy rate than Singapore/Hong Kong 18
  • Slide 19
  • Cultural Differences: Illicit Use of Software Viruses, hacking, other forms of abuse uniformly condemned as unacceptable behavior. Singapore/Hong Kong most tolerant Sweden/Netherlands in-between U.S., Wales, England, Australia least tolerant 19
  • Slide 20
  • Cultural Differences: Misuse of Corporate Resources Generally lenient attitudes toward personal use of company