Principles of Information Security, 3rd Edition
Chapter 3: Legal, Ethical, and Professional Issues in Information Security (slide outline)

Contents
- Introduction
- Law and Ethics in Information Security
- Organizational Liability and the Need for Counsel
- Policy versus Law
- Types of Law
- Relevant U.S. Laws
- General Computer Crime Laws
- Privacy
- Privacy of Customer Information
- Identity Theft
- Export and Espionage Laws (Figure 3-1 – Export and Espionage)
- U.S. Copyright Law (Figure 3-2 – US Copyright Office)
- Financial Reporting
- Freedom of Information Act of 1966 (FOIA)
- State and Local Regulations
- International Laws and Legal Bodies
- European Council Cyber-Crime Convention (Figure 3-4 – EU Law Portal)
- Agreement on Trade-Related Aspects of Intellectual Property Rights
- Digital Millennium Copyright Act (DMCA)
- United Nations Charter (Figure 3-5 – UN International Law)
- Ethics and Information Security
- Ethical Differences Across Cultures
- Ethics and Education
- Deterrence to Unethical and Illegal Behavior
- Codes of Ethics and Professional Organizations
- Association for Computing Machinery (ACM)
- International Information Systems Security Certification Consortium, Inc. ((ISC)²)
- System Administration, Networking, and Security Institute (SANS)
- Information Systems Audit and Control Association (ISACA)
- Information Systems Security Association (ISSA)
- Key U.S. Federal Agencies
- Summary

Learning Objectives
Upon completion of this material, you should be able to:
- Use this chapter as a guide for future reference on laws, regulations, and professional organizations
- Differentiate between laws and ethics
- Identify major national laws that relate to the practice of information security
- Understand the role of culture as it applies to ethics in information security

Introduction
- You must understand the scope of an organization's legal and ethical responsibilities.
- To minimize liabilities and reduce risks, the information security practitioner must:
  - Understand the current legal environment
  - Stay current with laws and regulations
  - Watch for new issues that emerge

Law and Ethics in Information Security
- Laws: rules that mandate or prohibit certain societal behavior
- Ethics: define socially acceptable behavior
- Cultural mores: fixed moral attitudes or customs of a particular group; ethics are based on these
- Laws carry the sanctions of a governing authority; ethics do not

Organizational Liability and the Need for Counsel
- Liability: a legal obligation of an entity that extends beyond criminal or contract law; it includes the legal obligation to make restitution
- Restitution: compensation for wrongs committed by an organization or its employees
- Due care: ensuring that employees know what constitutes acceptable behavior and know the consequences of illegal or unethical actions
- Due diligence: making a valid effort to protect others, and continually maintaining that level of effort
- Jurisdiction: a court's right to hear a case if the wrong was committed in its territory or involved its citizenry
- Long-arm jurisdiction: the right of any court to impose its authority over an individual or organization if it can establish jurisdiction

Policy versus Law
- Policies: the body of expectations that describe acceptable and unacceptable employee behaviors in the workplace
- Policies function as laws within an organization; they must be crafted carefully to ensure they are complete, appropriate, and fairly applied to everyone
- Difference between policy and law: ignorance of a policy is an acceptable defense (whereas ignorance of the law is not), which is why the enforcement criteria below must all be met before a policy can be enforced
- Criteria for policy enforcement: dissemination (distribution), review (reading), comprehension (understanding), compliance (agreement), and uniform enforcement

Types of Law
- Civil: governs a nation or state; manages relationships and conflicts between organizational entities and people
- Criminal: addresses violations harmful to society; actively enforced by the state
- Private: regulates relationships between individuals and organizations
- Public: regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments

Relevant U.S. Laws
- The United States has been a leader in the development and implementation of information security legislation
- Implementation of information security legislation contributes to a more reliable business environment and a stable economy
- The U.S. has demonstrated an understanding of the problems facing the information security field and has specified penalties for individuals and organizations that fail to follow the requirements set forth in U.S. civil statutes

General Computer Crime Laws
- Computer Fraud and Abuse Act of 1986 (CFA Act)
- National Information Infrastructure Protection Act of 1996 (an amendment to the CFA Act)
- USA PATRIOT Act of 2001 (which also amended the CFA Act)
- USA PATRIOT Improvement and Reauthorization Act of 2005
- Computer Security Act of 1987

Privacy
- One of the hottest topics in information security
- Privacy is a "state of being free from unsanctioned intrusion"
- The ability to aggregate data from multiple sources allows the creation of information databases previously unheard of

Privacy of Customer Information
- Privacy of Customer Information Section of the common carrier regulation
- Federal Privacy Act of 1974
- Electronic Communications Privacy Act of 1986
- Health Insurance Portability and Accountability Act of 1996 (HIPAA), aka the Kennedy-Kassebaum Act
- Financial Services Modernization Act, or Gramm-Leach-Bliley Act of 1999

Identity Theft
- Federal Trade Commission definition: "occurring when someone uses your personally identifying information, like your name, Social Security number, or credit card number, without your permission, to commit fraud or other crimes"
- Fraud and Related Activity in Connection with Identification Documents, Authentication Features, and Information (Title 18, U.S.C. § 1028)

Export and Espionage Laws
- Economic Espionage Act of 1996 (EEA)
- Security and Freedom Through Encryption Act of 1999 (SAFE)