Pitt IS 2820 - Law and Ethics

Chapter 11
Law and Ethics

Contents
Chapter Overview
Chapter Objectives
Set-up Notes
Lecture Notes and Teaching Tips with Quick Quizzes
Key Terms

Management of Information Security 11-1

Chapter Overview
Chapter 11 covers law and ethics. In this chapter readers learn to identify the major national and international laws that relate to the practice of information security and come to understand the role of culture as it applies to ethics in information security.

Chapter Objectives
When you complete this chapter, you will be able to:
- Differentiate between law and ethics
- Identify major national and international laws that relate to the practice of information security
- Understand the role of culture as it applies to ethics in information security
- Access current information on laws, regulations, and relevant professional organizations

Set-up Notes
This chapter can be completed in a single class session if there is sufficient time to cover the material. If the students have not had the opportunity to read the material in advance (in some settings the textbooks are not available until the first class meeting), it may be prudent to hold a general discussion of the topic, with the detailed lecture to follow at the next class meeting. The subject matter can be covered in 1.25 to 2.5 hours.

Lecture Notes and Teaching Tips with Quick Quizzes

Introduction
As a future information security professional, it is vital that you understand the scope of an organization's legal and ethical responsibilities. To minimize the organization's liabilities, the information security practitioner must understand the current legal environment and keep apprised of new laws, regulations, and ethical issues as they emerge. By educating employees and management about their legal and ethical obligations and about the proper use of information technology and information security, security professionals can keep an organization focused on its primary objectives.

Law and Ethics in Information Security
Laws are rules adopted and enforced by governments to codify expected behavior in modern society. The key difference between law and ethics is that law carries the sanction of a governing authority and ethics do not. Ethics are based on cultural mores: the relatively fixed moral attitudes or customs of a societal group.

Quick Quiz
1. What should an information security practitioner do to minimize the organization's legal liabilities?
ANSWER: To minimize the organization's liabilities, the information security practitioner must understand the current legal environment and keep apprised of new laws, regulations, and ethical issues as they emerge.
2. What are the major differences between law and ethics?
ANSWER: Law carries the sanction of a governing authority and ethics do not. Ethics are based on cultural mores: the relatively fixed moral attitudes or customs of a societal group.

The Legal Environment
Information security professionals and the managers involved in information security must possess at least a rudimentary grasp of the legal framework within which their organizations operate. This legal environment influences the organization to a greater or lesser extent depending on the nature of the organization and the scale on which it operates.

Types of Law
Civil law embodies a wide variety of laws pertaining to relationships between and among individuals and organizations.
Criminal law addresses violations harmful to society and is actively enforced and prosecuted by the state.
Tort law is a subset of civil law that allows individuals to seek recourse against others in the event of personal, physical, or financial injury.
Private law regulates the relationships between individuals and between individuals and organizations, and encompasses family law, commercial law, and labor law.
Public law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments. Public law includes criminal, administrative, and constitutional law.

Relevant U.S. Laws
Table 11-1 summarizes the U.S. federal laws relevant to information security.

The Computer Fraud and Abuse Act of 1986 (CFA Act) is the cornerstone of many computer-related federal laws and enforcement efforts. It was amended in October 1996 by the National Information Infrastructure Protection Act of 1996, which modified several sections of the previous act and increased the penalties for selected crimes. The CFA Act was further modified by the USA PATRIOT Act of 2001, the abbreviated name for the "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001," which gives law enforcement agencies broader latitude to combat terrorism-related activities. Some of the laws modified by the PATRIOT Act date from the earliest laws created to deal with electronic technology.

The Communications Act of 1934 was revised by the Telecommunications Act of 1996, which attempts to modernize the archaic terminology of the older act.

The Computer Security Act of 1987 was one of the first attempts to protect federal computer systems by establishing minimum acceptable security practices. It charged the National Bureau of Standards (now the National Institute of Standards and Technology), in cooperation with the National Security Agency, with the following tasks:
- Developing standards, guidelines, and associated methods and techniques for computer systems
- Developing uniform standards and guidelines for most federal computer systems
- Developing technical, management, physical, and administrative standards and guidelines for the cost-effective security and privacy of sensitive information in federal computer systems
- Developing guidelines for use by operators of federal computer systems that contain sensitive information in training their employees in security awareness and accepted security practice
- Developing validation procedures for, and evaluating the effectiveness of, standards and guidelines through research and liaison with other government and private agencies

The Computer Security Act also established a Computer System Security and Privacy Advisory Board within the Department of Commerce. The