Legal, Ethical, and

Professional Issues in
Principles of Information
Security
Information
Security
Chapter 3

Chapter Objectives
Upon

completion of this chapter you should be

able to:
Use this chapter as a guide for future reference
on laws, regulations, and professional
organizations.
Differentiate between laws and ethics.
Identify major national laws that relate to the
practice of information security.
Describe the role of culture as it applies to ethics
in information security.

*Law and Ethics in Information

Security

Jean-Jacques Rousseau
The Social Contract or Principles of Political
Right (1762)
"The rules the members of a society create to balance
the right of the individual to self-determination with
the needs of the society as a whole are called laws."
Laws**
Rules that mandate or prohibit certain behavior in
society.
Carry the sanctions of governing authority.
Ethics**
Define socially acceptable behaviors.
Universally recognized examples include murder, theft,
assault, and arson.
Cultural Mores
The fixed moral attitudes or customs of a particular
group.
3

Organizational Liability

Liability**
Legal obligation of an entity that extends
beyond criminal or contract law.
Includes obligation to make restitution, or
compensate for, wrongs committed by an
organization or its employees.
Organization can be held financially liable
(responsible) for actions of employees.
Obligation increases if organization fails to take
due care.

Organizational Responsibilities
for
Due
Care and Due Diligence

Due care**
Must ensure that every employee knows
what is acceptable or unacceptable behavior
consequences of illegal or unethical actions.

Due diligence**
Requires organization to
make a valid effort to protect others
continually maintain this level of effort

Internet has global reach --- injury/wrong can occur

anywhere in the world.

Jurisdiction**
A court's right to hear a case if a wrong was committed in its
territory, or involves its citizenry --- long arm jurisdiction.
In U.S., any court can impose its authority over individuals
or organizations, if it can establish jurisdiction
5

Policy vs Law

Laws
External legal requirements

Security policies**. Internal (organizational) rules that:

Describe acceptable and unacceptable employee
behaviors.
Organizational laws --- including penalties and sanctions.
Must be complete, appropriate and fairly applied in the
work place.
In order to be enforceable, policies must be
Disseminated. Distributed to all individuals and readily
available for employee reference.
Reviewed. Document distributed in a format that could be
read by employeees.
Comprehended. Employees understand the requirements --e.g., quizzes or other methods of assessment.
Compliance. Employee agrees to comply with the policy.
Uniformly enforced, regardless of employee status or
assignment.
6

Types of Law

Civil law**
Laws that govern a nation or state.

Criminal law**
Violations harmful to society
Actively enforced by prosecution by the state.

Private law**
regulates relationship between individual and organization.
encompasses family law, commercial law, labor law.

Public law**
regulates structure and administration of government agencies and their
relationships with citizens, employees, and other governments, providing
careful checks and balances.
Includes criminal, administrative and constitutional law.

U.S. General Computer

Crime Laws

Computer Fraud and Abuse Act of 1986 (CFA Act)**

Cornerstone of federal laws and enforcement acts
Addresses threats to computers

Communications Act of 1934

Addresses Telecommunications
modified by Telecommunications Deregulation and

Competition Act of 1996

modernize archaic terminology

Computer Security Act of 1987**

Protect federal computer systems (federal agencies)
Establish minimum acceptable security practices.

U.S. Privacy Laws

Privacy Issues
Collection of personal information
Clipper chip - never implemented

Privacy of Customer Information

U.S. Legal Code Privacy of Customer Information Section
Responsibilities of common carriers (phone co) to protect confidentiality

Federal Privacy Act of 1974**

Regulates government protection of privacy, with some exceptions

Electronic Communications Privacy Act of 1986**

Fourth Amendment - unlawful search and seizure

Health Insurance Portability and Accountability Act of 1996

(HIPAA)**
Kennedy-Kassebaum Act
Privacy of electronic data interchange for health care data

Financial Services Modernization Act (1999)**

Gramm-Leach-Bliley Act of 1999
Banks, securities firms, and insurance companies - disclosure of privacy
policies

U.S. Copyright Law**

Recognizes intellectual property as a protected asset in
the U.S.
published word, including electronic formats
Fair use of copyrighted materials
Includes

support news reporting

teaching
scholarship
related activities

Use MUST be for educational or library purposes

not for profit
not excessive
include proper acknowledgment to original author

10

Financial Reporting
Sarbanes-Oxley

Act of 2002**

Affects
publicly traded corporations
public accounting firms

result of Enron, among others.

improve reliability and accuracy of financial reporting.
increase accountability of corporate governance in
publicly traded companies.

Executives will need

assurance on reliability and quality of information
systems from information technology managers.
Key issue: compliance with reporting requirements.

11

Freedom of Information Act of 1996

(FOIA)**

Any person may request access to federal agency

records or information not determined to be a matter of
national security.
Agencies must disclose requested information
After the request has been reviewed and determined
not to pose a risk to national security.

Does NOT apply to:

state/local government agencies
private businesses or individuals.

12

State and Local

Regulations
Locally implemented laws pertaining to information

security.

Information security professionals must be aware of

these laws and comply with them.

13

International Laws and Legal

Bodies

Few international laws relating to privacy and

information security.
European Council Cyper-Crime Convention
2001. Creates international task force
Improve effectiveness of international investigations
Emphasis on copyright infringement prosecution
Lacks realistic provisions for enforcement
WTO Agreement on Intellectual Property Rights
Intellectual property rules for multilateral trade
system.
Digital Millenium Copyright Act**
U.S. response to 1995 Directive 95/46/EC by E.U.
U.K. Database Right
United Nations Charter
Information Warfare provisions.
14

Security Breaches
Punishment
If not caught: illegal to demand a payment in order to

disappear without a track

But banks and financial institutions have to keep it quiet

If caught in a lawful country: fines and/or jail

sentence

AOL employees
http://www.connectedhomemag.com/HomeOffice/Articles/Index.cfm?ArticleID=43090
http://www.aolsucks.org/ccaol2.htm

$130 mil. stolen in computer crime. Each defendant faces

the possibility of 35 years in prison, and more than $1 million
in fines or twice the amount made from the crime, whichever
is greater. http://www.crime-research.org/news/27.08.2009/3750/

Malicious kids go to jail

http://www.cybercrime.gov/cases.htm

Kevin Mitnick and Robert Morris

Federal cases database (only up to 2006)

http://www.justice.gov/criminal/cybercrime/cccases.html

15

Ethics and Information

Security
Ethical issues of information security
professionals
Expected to be leaders in ethical workplace behavior
No binding professional code of ethics
Some professional organizations provide ethical
codes of conduct,
Have no authority to banish violators from
professional practice.

16

Cultural Differences and

Ethics
Different nationalities have different perspectives on

computer ethics
Asian tradition - collective ownership
Western tradition - intellectual property rights
Study of computer use ethics among students in 9 nations
Singapore, Hong Kong, U.S., England, Australia, Sweden,
Wales, Netherlands
Studied 3 categories of use
software license infringement
illicit use
misuse of corporate resources

17

Cultural Differences:
Software License Infringement
Most

nations had similar attitudes toward

software piracy
U.S.
significantly less tolerant (least tolerant)
Other countries
moderate
higher piracy rates in Singapore/Hong Kong
may result from lack of legal disincentives or punitive
measures

Netherlands
most permissive
least likely to honor copyrights of content creators
lower piracy rate than Singapore/Hong Kong
18

Cultural Differences:
Illicit Use of Software

Viruses, hacking, other forms of abuse uniformly

condemned as unacceptable behavior.

Singapore/Hong Kong
most tolerant

Sweden/Netherlands
in-between

U.S., Wales, England, Australia

least tolerant

19

Cultural Differences:
Misuse of Corporate Resources
Generally

lenient attitudes toward

personal use of company computing resources.

Singapore/Hong

Kong

viewed personal use as unethical (least

tolerant)
Other

countries

Personal use acceptable if not specifically

prohibited
Netherlands

most lenient

20

Ethics and Education

Education
overriding factor in leveling the ethical perceptions
within a small population
Employees must be trained and kept aware of
topics related to information security, including
expected ethical behaviors..
Many employees may not have formal technical
training to understand that their behavior is
unethical or illegal.

Ethical and legal training is an essential key to

developing informed, well-prepared, and low-risk
system users.

21

Deterrence to Unethical and

Illegal Behavior

Use policy, education, training, and

technology to protect information systems.

3 categories of unethical and illegal behavior

Ignorance
No excuse for violating law, but allowable for policies.
Use education, policies, training, awareness
programs to keep individuals aware of policies.
Accident
Use careful planning and control to prevent
accidental modifications to system and data.
Intent
Frequent cornerstone for prosecution.
Best controls are litigation, prosecution, and
technical controls.
22

Deterrence

Best method to prevent illegal or unethical

activity.
Laws, policies, and technical controls
3 conditions required for effective deterrence
Fear of penalty
reprimand or warnings may not have the same
effectiveness as imprisonment or loss of pay.

Probability of being caught

must believe there is a strong possibility of being
caught.

Probability of penalty being administered

must believe the penalty will be administered
Note: threats dont work --- penalties must be
realistic and enforceable.
23

Codes of Ethics

Established by various professional organizations

Produce a positive effect on judgment regarding
computer use
Establishes responsibility of security professionals to
act ethically
according to the policies and procedures of their
employers, professional organizations, and laws of
society.

Organizations assume responsibility to develop,

disseminate, and enforce policies.

24

Major IT Professional
Organizations and Ethics

Association for Computing Machinery (ACM)

promotes education and provides discounts for students
educational and scientific computing society
International Information Systems Security Certification Consortium
(ISC2)
develops and implements information security certifications and
credentials
System Administration, Networking, and Security Institute (SANS)
Global Information Assurance Certifications (GIAC)
Information Systems Audit and Control Association (ISACA)
focus on auditing, control and security
Computer Security Institute (CSI)
sponsors education and training for information security
Information Systems Security Association (ISSA)
information exchange and educational development for
information security practitioners
25

Other Security
Organizations

Internet Society (ISOC)

develop education, standards, policy, and education and training
to promote the Internet
Internet Engineering Task Force (IETF)
develops Internet's technical foundations
Computer Security Division (CSD) of National Institute for Standards
and Technology (NIST)
Computer Security Resource Center (CSRC)
Computer Emergency Response Team (CERT)**
CERT Coordination Center (CERT/CC)
Carnegie Mellon University Software Engineering Institute
Computer Professionals for Social Responsibility (CPSR)
promotes ethical and responsible development and use of
computing
watchdog for development of ethical computing

26

U.S. Federal Agencies Related to

Information Security

Department of Homeland Security (DHS)

Directorate of Information and Infrastructure
discover and respond to attacks on national information
systems and critical infrastructure
research and development of software and technology

Science and Technology Directorate

Research and development activities
examination of vulnerabilities
sponsors emerging best practices

FBI National Infrastructure Protection Center

(NIPC)
U.S. government center for threat assessment, warning,
investigation, and response to threats or attacks against U.S.
infrastructures
National InfraGard Program
cooperative effort between public and private organizations and
academic community
provides free exchange of information with private sector regarding
threats and attacks.
27

U.S. Federal Agencies (2)

National

Security Agency (NSA)**

U.S. cryptologic organization

Centers of Excellence in Information
Assurance Education
recognition for universities/schools
acknowledgment on NSA web site
Program to certify curricula in information security
Information Assurance Courseware Evaluation
Provides 3 year accreditation
U.S.

Secret Service

Part of Department of Treasury

One mission is to detect and arrest any person committing U.S.
federal offenses related to computer fraud and false
identification crimes.
28