Slide 1Slide 2IntroductionLaw and Ethics in Information SecurityOrganizational Liability and the Need for CounselOrganizational Liability and the Need for Counsel (continued)‏Policy versus LawTypes of LawRelevant U.S. LawsGeneral Computer Crime LawsPrivacyPrivacy of Customer InformationIdentity TheftExport and Espionage LawsFigure 3-1 – Export and EspionageU.S. Copyright LawFigure 3-2 – US Copyright OfficeFinancial ReportingFreedom of Information Act of 1966 (FOIA)State and Local RegulationsInternational Laws and Legal BodiesEuropean Council Cyber-Crime ConventionFigure 3-4 – EU Law PortalAgreement on Trade-Related Aspects of Intellectual Property RightsDigital Millennium Copyright Act (DMCA)‏United Nations CharterFigure 3-5 – UN International LawEthics and Information SecurityEthical Differences Across CulturesEthics and EducationDeterrence to Unethical and Illegal BehaviorCodes of Ethics and Professional OrganizationsAssociation of Computing Machinery (ACM)‏International Information Systems Security Certification Consortium, Inc. (ISC)2System Administration, Networking, and Security Institute (SANS)‏Information Systems Audit and Control Association (ISACA)‏Information Systems Security Association (ISSA)‏Key U.S. Federal AgenciesSummarySummary (continued)Slide 41Principles of Information Security, 3rd Edition 2Use this chapter as a guide for future reference on laws, regulations, and professional organizationsDifferentiate between laws and ethicsIdentify major national laws that relate to the practice of information securityUnderstand the role of culture as it applies to ethics in information securityLearning ObjectivesUpon completion of this material, you should be able to:Principles of Information Security, 3rd Edition 3IntroductionYou must understand scope of an organization’s legal and ethical responsibilitiesTo minimize liabilities/reduce risks, the information security practitioner must:Understand current legal environmentStay current with laws and regulations Watch for new issues that emergePrinciples of Information Security, 3rd Edition 4Law and Ethics in Information SecurityLaws: rules that mandate or prohibit certain societal behaviorEthics: define socially acceptable behaviorCultural mores: fixed moral attitudes or customs of a particular group; ethics based on theseLaws carry sanctions of a governing authority; ethics do notPrinciples of Information Security, 3rd Edition 5Organizational Liability and the Need for CounselLiability: legal obligation of an entity extending beyond criminal or contract law; includes legal obligation to make restitutionRestitution: to compensate for wrongs committed by an organization or its employeesDue care: insuring that employees know what constitutes acceptable behavior and know the consequences of illegal or unethical actionsDue diligence: making a valid effort to protect others; continually maintaining level of effortPrinciples of Information Security, 3rd Edition 6Organizational Liability and the Need for Counsel (continued)Jurisdiction: court's right to hear a case if the wrong was committed in its territory or involved its citizenryLong arm jurisdiction: right of any court to impose its authority over an individual or organization if it can establish jurisdictionPrinciples of Information Security, 3rd Edition 7Policy versus LawPolicies: body of expectations that describe acceptable and unacceptable employee behaviors in the workplacePolicies function as laws within an organization; must be crafted carefully to ensure they are complete, appropriate, fairly applied to everyoneDifference between policy and law: ignorance of a policy is an acceptable defenseCriteria for policy enforcement: dissemination (distribution), review (reading), comprehension (understanding), compliance (agreement), uniform enforcementPrinciples of Information Security, 3rd Edition 8Types of LawCivil: governs nation or state; manages relationships/conflicts between organizational entities and peopleCriminal: addresses violations harmful to society; actively enforced by the statePrivate: regulates relationships between individuals and organizationsPublic: regulates structure/administration of government agencies and relationships with citizens, employees, and other governmentsPrinciples of Information Security, 3rd Edition 9Relevant U.S. LawsUnited States has been a leader in the development and implementation of information security legislationImplementation of information security legislation contributes to a more reliable business environment and a stable economyU.S. has demonstrated understanding of problems facing the information security field; has specified penalties for individuals and organizations failing to follow requirements set forth in U.S. civil statutesPrinciples of Information Security, 3rd Edition 10General Computer Crime LawsComputer Fraud and Abuse Act of 1986 (CFA Act)National Information Infrastructure Protection Act of 1996USA PATRIOT Act of 2001USA PATRIOT Improvement and Reauthorization ActComputer Security Act of 1987Principles of Information Security, 3rd Edition 11PrivacyOne of the hottest topics in information securityIs a “state of being free from unsanctioned intrusion”Ability to aggregate data from multiple sources allows creation of information databases previously unheard ofPrinciples of Information Security, 3rd Edition 12Privacy of Customer InformationPrivacy of Customer Information Section of the common carrier regulationFederal Privacy Act of 1974 Electronic Communications Privacy Act of 1986Health Insurance Portability and Accountability Act of 1996 (HIPAA), aka Kennedy-Kassebaum ActFinancial Services Modernization Act, or Gramm-Leach-Bliley Act of 1999Principles of Information Security, 3rd Edition 13Identity TheftFederal Trade Commission: “occurring when someone uses your personally identifying information, like your name, Social Security number, or credit card number, without your permission, to commit fraud or other crimes”Fraud And Related Activity In Connection With Identification Documents, Authentication Features, And Information (Title 18, U.S.C. § 1028)Principles of Information Security, 3rd Edition 14Export and Espionage LawsEconomic Espionage Act of 1996 (EEA)Security And Freedom Through Encryption Act of 1999 (SAFE)Principles of