Legal, Ethical, and Professional

Issues in Information Security


Principles of Information Security
Chapter 3
Chapter Objectives
 Upon completion of this chapter you should be able to:
◦ Use this chapter as a guide for future reference on laws,
regulations, and professional organizations.
◦ Differentiate between laws and ethics.
◦ Identify major national laws that relate to the practice of
information security.
◦ Describe the role of culture as it applies to ethics in
information security.

Law and Ethics in Information Security
 Jean-Jacques Rousseau
◦ The Social Contract or Principles of Political Right (1762)
◦ "The rules the members of a society create to balance the right of
the individual to self-determination with the needs of the society as
a whole are called laws."
 Laws
◦ Rules that mandate or prohibit certain behavior in society.
◦ Carry the sanctions of governing authority.
 Ethics
◦ Define socially acceptable behaviors.
◦ Universally recognized examples include murder, theft, assault, and
arson.
 Cultural Mores
◦ The fixed moral attitudes or customs of a particular group.

Organizational Liability
 Liability
◦ Legal obligation of an entity that extends beyond criminal
or contract law.
◦ Includes obligation to make restitution, or compensate for,
wrongs committed by an organization or its employees.
◦ Organization can be held financially liable (responsible) for
actions of employees.
◦ Obligation increases if organization fails to take due care.

Organizational Responsibilities for
Due Care and Due Diligence
 Due care
◦ Must ensure that every employee knows
 what is acceptable or unacceptable behavior
 consequences of illegal or unethical actions.
 Due diligence
◦ Requires organization to
 make a valid effort to protect others
 continually maintain this level of effort
◦ Internet has global reach --- injury/wrong can occur anywhere in the
world.
 Jurisdiction
◦ A court's right to hear a case if a wrong was committed in its territory,
or involves its citizenry --- long arm jurisdiction.
◦ In U.S., any court can impose its authority over individuals or
organizations, if it can establish jurisdiction.
Policy vs Law
 Laws
◦ External legal requirements
 Security policies. Internal (organizational) rules that:
◦ Describe acceptable and unacceptable employee behaviors.
◦ Organizational laws --- including penalties and sanctions.
◦ Must be complete, appropriate and fairly applied in the work place.
◦ In order to be enforceable, policies must be
 Disseminated. Distributed to all individuals and readily available for
employee reference.
 Reviewed. Document distributed in a format that could be read by
employees.
 Comprehended. Employees understand the requirements --- e.g., quizzes
or other methods of assessment.
 Compliance. Employee agrees to comply with the policy.
 Uniformly enforced, regardless of employee status or assignment.

Types of Law
 Civil law
◦ Laws that govern a nation or state.
 Criminal law
◦ Violations harmful to society
◦ Actively enforced by prosecution by the state.
 Private law
◦ regulates relationship between individual and organization.
◦ encompasses family law, commercial law, labor law.
 Public law
◦ regulates structure and administration of government agencies and their relationships with
citizens, employees, and other governments, providing careful checks and balances.
◦ Includes criminal, administrative and constitutional law.

U.S. General Computer Crime Laws
 Computer Fraud and Abuse Act of 1986 (CFA Act)
◦ Cornerstone of federal laws and enforcement acts
◦ Addresses threats to computers
 Communications Act of 1934
◦ Addresses Telecommunications
◦ modified by Telecommunications Deregulation and Competition Act of
1996
 modernize archaic terminology
 Computer Security Act of 1987
◦ Protect federal computer systems (federal agencies)
◦ Establish minimum acceptable security practices.

U.S. Privacy Laws
 Privacy Issues
◦ Collection of personal information
◦ Clipper chip - never implemented
 Privacy of Customer Information
◦ U.S. Legal Code Privacy of Customer Information Section
 Responsibilities of common carriers (phone co) to protect confidentiality
 Federal Privacy Act of 1974
◦ Regulates government protection of privacy, with some exceptions
 Electronic Communications Privacy Act of 1986
◦ Fourth Amendment - unlawful search and seizure
 Health Insurance Portability and Accountability Act of 1996 (HIPAA)
◦ Kennedy-Kassebaum Act
◦ Privacy of electronic data interchange for health care data
 Financial Services Modernization Act (1999)
◦ Gramm-Leach-Bliley Act of 1999
◦ Banks, securities firms, and insurance companies - disclosure of privacy policies

U.S. Copyright Law
 Recognizes intellectual property as a protected asset in the U.S.
◦ published word, including electronic formats
 Fair use of copyrighted materials
◦ Includes
 support news reporting
 teaching
 scholarship
 related activities
◦ Use MUST be for educational or library purposes
 not for profit
 not excessive
 include proper acknowledgment to original author

Financial Reporting
 Sarbanes-Oxley Act of 2002
◦ Affects
 publicly traded corporations
 public accounting firms
◦ result of Enron, among others.
 improve reliability and accuracy of financial reporting.
 increase accountability of corporate governance in publicly traded
companies.
 Executives will need
◦ assurance on reliability and quality of information systems from
information technology managers.
◦ Key issue: compliance with reporting requirements.

Freedom of Information Act of 1996 (FOIA)
 Any person may request access to federal agency records or
information not determined to be a matter of national security.
◦ Agencies must disclose requested information
 After the request has been reviewed and determined not to pose a
risk to national security.
 Does NOT apply to:
◦ state/local government agencies
◦ private businesses or individuals.

State and Local Regulations
 Locally implemented laws pertaining to information security.
 Information security professionals must be aware of these laws and
comply with them.

International Laws and Legal Bodies
 Few international laws relating to privacy and information security.
 European Council Cyber-Crime Convention
◦ 2001. Creates international task force
◦ Improve effectiveness of international investigations
◦ Emphasis on copyright infringement prosecution
◦ Lacks realistic provisions for enforcement
 WTO Agreement on Intellectual Property Rights
◦ Intellectual property rules for multilateral trade system.
 Digital Millennium Copyright Act
◦ U.S. response to 1995 Directive 95/46/EC by E.U.
◦ U.K. Database Right
 United Nations Charter
◦ Information Warfare provisions.

Security Breaches Punishment
 If not caught: illegal to demand a payment in order to “disappear
without a track”
◦ But banks and financial institutions have to keep it quiet…
 If caught in a “lawful” country: fines and/or jail sentence
 AOL employees
http://www.connectedhomemag.com/HomeOffice/Articles/Index.cfm?ArticleID=43090
http://www.aolsucks.org/ccaol2.htm

 “$130 mil. stolen in computer crime. Each defendant faces the possibility of
35 years in prison, and more than $1 million in fines or twice the amount
made from the crime, whichever is greater.”
http://www.crime-research.org/news/27.08.2009/3750/

 Malicious kids go to jail http://www.cybercrime.gov/cases.htm
◦ Kevin Mitnick and Robert Morris
 Federal cases database (only up to 2006) http://www.justice.gov/criminal/cybercrime/cccases.html

Ethics and Information Security
 Ethical issues of information security professionals
◦ Expected to be leaders in ethical workplace behavior
◦ No binding professional code of ethics
◦ Some professional organizations provide ethical codes of conduct,
 but have no authority to banish violators from professional practice.

Cultural Differences and Ethics
 Different nationalities have different perspectives on computer ethics
◦ Asian tradition - collective ownership
◦ Western tradition - intellectual property rights
 Study of computer use ethics among students in 9 nations
◦ Singapore, Hong Kong, U.S., England, Australia, Sweden, Wales,
Netherlands
◦ Studied 3 categories of use
 software license infringement
 illicit use
 misuse of corporate resources

Cultural Differences:
Software License Infringement
 Most nations had similar attitudes toward software piracy
◦ U.S.
 significantly less tolerant (least tolerant)
◦ Other countries
 moderate
 higher piracy rates in Singapore/Hong Kong
 may result from lack of legal disincentives or punitive measures
◦ Netherlands
 most permissive
 least likely to honor copyrights of content creators
 lower piracy rate than Singapore/Hong Kong

Cultural Differences:
Illicit Use of Software
 Viruses, hacking, other forms of abuse uniformly condemned as
unacceptable behavior.
 Singapore/Hong Kong
◦ most tolerant
 Sweden/Netherlands
◦ in-between
 U.S., Wales, England, Australia
◦ least tolerant

Cultural Differences:
Misuse of Corporate Resources
 Generally lenient attitudes toward
◦ personal use of company computing resources.
 Singapore/Hong Kong
◦ viewed personal use as unethical (least tolerant)
 Other countries
◦ Personal use acceptable if not specifically prohibited
 Netherlands
◦ most lenient

Ethics and Education
 Education
◦ overriding factor in leveling the ethical perceptions within a small
population
◦ Employees must be trained and kept aware of topics related to
information security, including expected ethical behaviors.
◦ Many employees may not have formal technical training to
understand that their behavior is unethical or illegal.
 Ethical and legal training is an essential key to developing informed,
well-prepared, and low-risk system users.

Deterrence to Unethical and Illegal
Behavior
 Use policy, education, training, and technology to
protect information systems.
 3 categories of unethical and illegal behavior
◦ Ignorance
 No excuse for violating law, but allowable for policies.
 Use education, policies, training, awareness programs to keep
individuals aware of policies.
◦ Accident
 Use careful planning and control to prevent accidental
modifications to system and data.
◦ Intent
 Frequent cornerstone for prosecution.
 Best controls are litigation, prosecution, and technical controls.

Deterrence
 Best method to prevent illegal or unethical activity.
◦ Laws, policies, and technical controls
 3 conditions required for effective deterrence
◦ Fear of penalty
 reprimand or warnings may not have the same effectiveness as
imprisonment or loss of pay.
◦ Probability of being caught
 must believe there is a strong possibility of being caught.
◦ Probability of penalty being administered
 must believe the penalty will be administered
 Note: threats don’t work --- penalties must be realistic and
enforceable.

Codes of Ethics
 Established by various professional organizations
◦ Produce a positive effect on judgment regarding computer use
◦ Establishes responsibility of security professionals to act ethically
 according to the policies and procedures of their employers,
professional organizations, and laws of society.
◦ Organizations assume responsibility to develop, disseminate, and
enforce policies.

Major IT Professional Organizations and
Ethics
 Association for Computing Machinery (ACM)
◦ promotes education and provides discounts for students
◦ educational and scientific computing society
 International Information Systems Security Certification Consortium (ISC2)
◦ develops and implements information security certifications and credentials
 System Administration, Networking, and Security Institute (SANS)
◦ Global Information Assurance Certifications (GIAC)
 Information Systems Audit and Control Association (ISACA)
◦ focus on auditing, control and security
 Computer Security Institute (CSI)
◦ sponsors education and training for information security
 Information Systems Security Association (ISSA)
◦ information exchange and educational development for information security
practitioners

Other Security Organizations
 Internet Society (ISOC)
◦ develop education, standards, policy, and education and training to promote the
Internet
 Internet Engineering Task Force (IETF)
◦ develops Internet's technical foundations
 Computer Security Division (CSD) of National Institute for Standards and
Technology (NIST)
◦ Computer Security Resource Center (CSRC)
 Computer Emergency Response Team (CERT)
◦ CERT Coordination Center (CERT/CC)
◦ Carnegie Mellon University Software Engineering Institute
 Computer Professionals for Social Responsibility (CPSR)
◦ promotes ethical and responsible development and use of computing
◦ watchdog for development of ethical computing

U.S. Federal Agencies Related to
Information Security
 Department of Homeland Security (DHS)
◦ Directorate of Information and Infrastructure
 discover and respond to attacks on national information systems and
critical infrastructure
 research and development of software and technology
◦ Science and Technology Directorate
 Research and development activities
 examination of vulnerabilities
 sponsors emerging best practices
 FBI National Infrastructure Protection Center (NIPC)
◦ U.S. government center for threat assessment, warning, investigation, and
response to threats or attacks against U.S. infrastructures
response to threats or attacks against U.S. infrastructures
◦ National InfraGard Program
 cooperative effort between public and private organizations and academic
community
 provides free exchange of information with private sector regarding threats and
attacks.

U.S. Federal Agencies (2)
 National Security Agency (NSA)
◦ U.S. cryptologic organization
◦ Centers of Excellence in Information Assurance
Education
 recognition for universities/schools
 acknowledgment on NSA web site
◦ Program to certify curricula in information security
 Information Assurance Courseware Evaluation
 Provides 3 year accreditation
 U.S. Secret Service
◦ Part of Department of Treasury
◦ One mission is to detect and arrest any person committing U.S. federal
offenses related to computer fraud and false identification crimes.
