
USFSP ACG 6936 - Legal, Ethical and Professional Issues in Information Security


Outline
- Slide 1
- Slide 2
- Introduction
- Law and Ethics in Information Security
- Organizational Liability and the Need for Counsel
- Organizational Liability and the Need for Counsel (continued)
- Policy versus Law
- Types of Law
- Relevant U.S. Laws
- General Computer Crime Laws
- Privacy
- Privacy of Customer Information
- Identity Theft
- Export and Espionage Laws
- Figure 3-1 – Export and Espionage
- U.S. Copyright Law
- Figure 3-2 – US Copyright Office
- Financial Reporting
- Freedom of Information Act of 1966 (FOIA)
- State and Local Regulations
- International Laws and Legal Bodies
- European Council Cyber-Crime Convention
- Figure 3-4 – EU Law Portal
- Agreement on Trade-Related Aspects of Intellectual Property Rights
- Digital Millennium Copyright Act (DMCA)
- United Nations Charter
- Figure 3-5 – UN International Law
- Ethics and Information Security
- Ethical Differences Across Cultures
- Ethics and Education
- Deterrence to Unethical and Illegal Behavior
- Codes of Ethics and Professional Organizations
- Association of Computing Machinery (ACM)
- International Information Systems Security Certification Consortium, Inc. (ISC)2
- System Administration, Networking, and Security Institute (SANS)
- Information Systems Audit and Control Association (ISACA)
- Information Systems Security Association (ISSA)
- Key U.S. Federal Agencies
- Summary
- Summary (continued)
- Slide 41

Principles of Information Security, 3rd Edition

Learning Objectives
Upon completion of this material, you should be able to:
- Use this chapter as a guide for future reference on laws, regulations, and professional organizations
- Differentiate between laws and ethics
- Identify major national laws that relate to the practice of information security
- Understand the role of culture as it applies to ethics in information security

Introduction
- You must understand the scope of an organization's legal and ethical responsibilities
- To minimize liabilities and reduce risks, the information security practitioner must:
  - Understand the current legal environment
  - Stay current with laws and regulations
  - Watch for new issues that emerge

Law and Ethics in Information Security
- Laws: rules that mandate or prohibit certain societal behavior
- Ethics: define socially acceptable behavior
- Cultural mores: fixed moral attitudes or customs of a particular group; ethics are based on these
- Laws carry the sanctions of a governing authority; ethics do not

Organizational Liability and the Need for Counsel
- Liability: legal obligation of an entity extending beyond criminal or contract law; includes the legal obligation to make restitution
- Restitution: to compensate for wrongs committed by an organization or its employees
- Due care: ensuring that employees know what constitutes acceptable behavior and know the consequences of illegal or unethical actions
- Due diligence: making a valid effort to protect others; continually maintaining that level of effort

Organizational Liability and the Need for Counsel (continued)
- Jurisdiction: a court's right to hear a case if the wrong was committed in its territory or involved its citizenry
- Long arm jurisdiction: right of any court to impose its authority over an individual or organization if it can establish jurisdiction

Policy versus Law
- Policies: body of expectations that describe acceptable and unacceptable employee behaviors in the workplace
- Policies function as laws within an organization; they must be crafted carefully to ensure they are complete, appropriate, and fairly applied to everyone
- Difference between policy and law: ignorance of a policy is an acceptable defense
- Criteria for policy enforcement: dissemination (distribution), review (reading), comprehension (understanding), compliance (agreement), uniform enforcement

Types of Law
- Civil: governs a nation or state; manages relationships and conflicts between organizational entities and people
- Criminal: addresses violations harmful to society; actively enforced by the state
- Private: regulates relationships between individuals and organizations
- Public: regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments

Relevant U.S. Laws
- The United States has been a leader in the development and implementation of information security legislation
- Implementation of information security legislation contributes to a more reliable business environment and a stable economy
- The U.S. has demonstrated understanding of the problems facing the information security field; it has specified penalties for individuals and organizations failing to follow the requirements set forth in U.S. civil statutes

General Computer Crime Laws
- Computer Fraud and Abuse Act of 1986 (CFA Act)
- National Information Infrastructure Protection Act of 1996
- USA PATRIOT Act of 2001
- USA PATRIOT Improvement and Reauthorization Act
- Computer Security Act of 1987

Privacy
- One of the hottest topics in information security
- Is a "state of being free from unsanctioned intrusion"
- The ability to aggregate data from multiple sources allows the creation of information databases previously unheard of

Privacy of Customer Information
- Privacy of Customer Information Section of the common carrier regulation
- Federal Privacy Act of 1974
- Electronic Communications Privacy Act of 1986
- Health Insurance Portability and Accountability Act of 1996 (HIPAA), aka Kennedy-Kassebaum Act
- Financial Services Modernization Act, or Gramm-Leach-Bliley Act of 1999

Identity Theft
- Federal Trade Commission: "occurring when someone uses your personally identifying information, like your name, Social Security number, or credit card number, without your permission, to commit fraud or other crimes"
- Fraud And Related Activity In Connection With Identification Documents, Authentication Features, And Information (Title 18, U.S.C. § 1028)

Export and Espionage Laws
- Economic Espionage Act of 1996 (EEA)
- Security And Freedom Through Encryption Act of 1999 (SAFE)
