Chapter 3 Review

1. What is the difference between law and ethics?

The difference between law and ethics is that law is a set of rules and regulations that are
universal and should be accepted and followed by society and organizations. Ethics on the
other hand was derived from the latin word mores and Greek word Ethos means the beliefs and
customs that help shape the character of individuals and how people interact with one another
2. What is civil law, and what does it accomplish?
A wide variety of laws that govern a nation or state and deal with the relationships and conflicts
between organisational and entities and people.
3. What are the primary examples of public law?
Criminal, administrative and constitutional law.
4. Which law amended the Computer Fraud and Abuse Act of 1986, and what did it
change?
The National Information Infrastructure Protection of 1996 amended the Computer Fraud and
Abuse Act of 1986. It modified several sections of the CFA Act, and increased the penalties for
selected crime.
5. Which law was specifically created to deal with encryption policy in the United States?
The Security and Freedom through Encryption Act of 1999.
6. What is privacy in an information security context?
Privacy is not absolute freedom from observation, but rather it is a more precise State of being
free from unsanctioned intrusion.
7. What is another name for the Kennedy-Kassebaum Act(1996), and why is it important
to organisations that are not in the health care industry?
The Health Insurance Portability and Accountability Act of 1996(HIPAA) protects the
confidentiality and security of health-care data by establishing and enforcing standards and by
standardising electronic data interchange. It impacts all health-care organisations including

doctors practices, health clinics, life insurers, and universities, as well as some organisations
which have self-insured employee health programs or manage data related to health-care.
The act requires organisations that retain health-care information to use information security
information security mechanisms to protect information, as well as policies and procedures to
maintain this security. HIPPAA provides guidelines for the use of electronic signatures based on
security standards that ensure message integrity, user authentication and nonrepudiation.
8. If you work for a financial service organisation such as bank or credit union, which
1999 law affects your use of customer data? What other affects does it have?
The law from 1999 that affects the use of customer data by financial institutions is the Financial
Services Modernisation Act or Gramm-Leah-Bliley Act of 1999. Specifically, this act requires all
financial institutions to disclose their privacy policies on the sharing of non-public personal
information. It also requires due notice to customers, so that they can request that their
information not be shared with third parties. In addition, the act ensures that the privacy policies
effect in an organisation are both fully disclosed when a customer initiates a business
relationship, and distributed at least annually for the duration of the professional association.
9. What is the primary purpose of the USA PATRIOT ACT?
The purpose of the USA Patriot Act is to deter and punish terrorist acts in the united States and
around the world, and to enhance law enforcement investigatory tools.
10. Which 1997 law provides guidance on the use of encryption?
The Security and Freedom through Encryption Act of 1997
11. What is intellectual property? Is it afforded the same protection in every country of
the world? What laws currently protect it in the United States and Europe?
Intellectual property is recognised as a protected asset in the United States. The U.S Copyright
laws extend this privilege to the published word, including electronic formats. Fair use of
copyrighted materials includes their use to support news reporting, teaching, scholarship, and a
number of other related activities, so long as the use if for educational or library purposes, not
for profit, and is not excessive. As long as proper acknowledgement is provided to the original
author of such works, including a proper description of the location of source materials(citation)
and the work is not represented as ones own, it is entirely permissible to include portions of
someone elses work as reference.

The laws that currently protect it in the United States and Europe are the; Agreement on TradeRelated Aspects of Intellectual Property Rights (TRIPS) and Digital Millennium Copyright Act
(DMCA).
12. How does the Sarbanes-Oxley Act of 2002 affect information security managers?
Executives working in firms covered by this law will seek assurance on the reliability and quality
of information systems from senior information technology managers. In turn, IT managers will
likely ask information security managers to verify the confidentiality and integrity of those same
information systems in a process in the industry as sub-certification.
13. What is due care? Why should an organisation make sure to exercise due care in its
usual course of operations?
An organisation increases its liability if it refuses to take measures known as due care. Due care
has been taken when an organisation makes sure that every employee knows what is
acceptable or unacceptable behaviour, and knows the consequences of illegal or unethical
actions. The more active a role an organisation takes in observation the due care concept; the
less likely it will be liable for its employees illegal and/or unethical actions.
14. How does due diligence different from due care? Why are both important?
Due diligence requires that an organisation make a valid effort to protect others and continually
maintain this level of effort. Due care has been taken when an organisation makes sure that
every employee knows what is acceptable r unacceptable behaviour and knows the
consequences of illegal or unethical actions. They are both important because an organisation
not practicing both due diligence and due care increase their chance of being found liable
should an incident occur.
15. What is a policy? How is it different from a law?
A policy is a formalised body of expectations that describe acceptable and unacceptable
employee behaviours in the workplace. The difference between a policy and a law is that
ignorance of a policy is an acceptable defence.
16. What are the three general categories of unethical and illegal behaviour?
Ignorance , Accident and Intent. OR software license infringement, illicit Use and Misuse of
Corporate Resources.
17. What is the best method for preventing an illegal or unethical activity?

Deterrence is the best method for preventing an illegal or unethical activity. In order for
deterrence to be effective, those affected by the deterrence must a) fear the penalty, b)have an
expectation of detection/apprehension and c)expect that if apprehended, the penalty will be
applied.
18. Of the information security organisations listed that have codes of ethics, which has
been established for the longest time? When was it founded?
The Association of Computing Machinery (ACM) was established in 1947 as the worlds first
educational and scientific computing society.
19. Of the organisations listed that have code of ethics, which is focused on auditing and
control?
The information Systems Audit and Control Association (ISACA).
20. What can be done to deter someone from committing a crime?
Three elements are usually considered necessary to control behaviour:
* Fear of penalty- Potential offenders must fear the penalty. Threats of informal reprimand or
verbal warnings may not have the same impact as the threat of imprisonment or forfeiture of
pay.
* Probability of being caught- potential offenders must believe there is a strong possibility of
being caught. Penalties will not deter illegal or unethical behaviour unless there is reasonable
fear of being caught.
* Probability of penalty being administrated- Potential offenders must believe that the penalty
will in fact be administrated.