ILLI NOIS I NST I TUTE

OF TECHNOLOGY
Transforming Lives. Inventing the Future. www.iit.edu

Legal, Ethical & Professional Issues

Ray Trygstad
ITM 478 / IT 478 / ITM 578 Spring 2005
Information Technology & Management Programs
Center for Professional Development

ITM 478/578 1
Slides based on Whitman, M. and Mattord, H., Principles of Information Security; Thomson Course Technology 2003
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

Objectives
Upon completion of this lesson
students should be able to:
– Differentiate between laws and ethics
– Identify major national laws that relate
to the practice of information security
– Discuss the role of culture as it applies
to ethics in information security

ITM 478/578 2
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

Law and Ethics in Information Security

 Laws - rules adopted for determining

expected behavior
– Laws drawn from ethics
 Ethics define socially acceptable
behaviors
 Ethics based on cultural mores:
fixed moral attitudes or customs of
a particular group
ITM 478/578 3
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

Types of Law
Civil law
Criminal law
Tort law
Private law
Public law

ITM 478/578 4
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

Relevant U.S. Laws - General

 Computer Fraud and Abuse Act of 1986
 National Information Infrastructure
Protection Act of 1996
 USA Patriot Act of 2001
 Telecommunications Deregulation and
Competition Act of 1996
 Communications Decency Act (CDA)
 Computer Security Act of 1987
 Digital Millennium Copyright Act of 1998
 Sarbanes-Oxley Act of 2002
ITM 478/578 5
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

Privacy
 Privacy: one of the hottest topics in
information
 Ability to collect information, combine facts
from separate sources, and merge with other
information results in collections of
information previously impossible to create
 Aggregation of data from multiple sources
permits unethical organizations to build
databases of facts with frightening
capabilities
ITM 478/578 6
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

Privacy in the U.S.

 Not a Constitutional right but has been
construed by the courts
– “Reasonable expectation” of privacy
 Working definition:
– right not to be disturbed
– right to be anonymous
– right not to be monitored
– right not to have one’s identifying information
exploited
 Construed Constitutional guarantees of
privacy apply only to the Federal
Government ITM 478/578 7
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

Privacy of Customer Information

 Privacy of Customer Information Section of
Common Carrier Regulations
 Federal Privacy Act of 1974
 The Electronic Communications Privacy Act
of 1986
 The Health Insurance Portability &
Accountability Act Of 1996 (HIPAA) also
known as the Kennedy-Kassebaum Act
 The Financial Services Modernization Act or
Gramm-Leach-Bliley Act of 1999
ITM 478/578 8
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

Freedom of Information Act of 1966 (FOIA)

 The Freedom of Information Act

provides any person with the right to
request access to federal agency
records or information, not determined
to be in the interest of national security
– US Government agencies required to
disclose requested information on receipt
of a written request

ITM 478/578 9
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

Freedom of Information Act of 1966 (FOIA)

 Exceptions for information protected

from disclosure
 Act does not apply to
– Congress or Federal courts
– state or local government agencies
– private businesses or individuals
 Many states have their own version
of the FOIA
ITM 478/578 10
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

Freedom of Information Act of 2000 (UK)

 In 2000, the United Kingdom passed

their Freedom of Information Act
– Very similar in all respects to U.S. law
– More exceptions

ITM 478/578 11
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

European Union Model

 European Union Directive 95/46/EC effective
October 1998 increases protection of
individuals in processing of personal data &
limits free movement of such data
– Strong consumer protection
– Only allows gathering of information necessary for
transaction
– Personal data cannot be transferred to another
company without permission
 United Kingdom had implemented a version
of this directive called the Database Right
ITM 478/578 12
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

EU Law Portal
Figure 3-4
European Union
Law Web site
http://europa.eu.int/eur-lex/en/

ITM 478/578 13
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

International Laws and Legal Bodies

 Council of Europe: European Council

Cyber-Crime Convention
– Creates an international task force to
oversee a range of security functions
associated with Internet activities,
– Standardizes technology laws across
international borders

ITM 478/578 14
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

International Laws and Legal Bodies

 European Council Cyber-Crime
Convention
– Also attempts to improve effectiveness of
international investigations into breaches
of technology law
 Well received by advocates of
intellectual property rights with
emphasis on copyright infringement
prosecution
ITM 478/578 15
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

UN International Law
Figure 3-46
United Nations
International
Law Web site
http://www.un.org/law/

ITM 478/578 16
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

Export and Espionage Laws

 Economic Espionage Act (EEA)

of 1996
 Security and Freedom Through
Encryption Act of 1997 (SAFE)

ITM 478/578 17
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

What is a Copyright?
 Set of exclusive legal rights authors
have over their works for a limited
period of time; these rights include
– copying the works (including parts of the
works)
– making derivative works
– distributing the works
– performing the works (showing a movie or
playing an audio recording, as well as
performing a dramatic work)
ITM 478/578 18
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

What is a Copyright?
 Copyright exists upon creation
– Author’s rights begin when an original
work of authorship is fixed in a tangible
medium
A work does not have to bear a
copyright notice or be registered to
be copyrighted

ITM 478/578 19
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

US Copyright Law

 Intellectualproperty is recognized as a
protected asset in the US
 US copyright law extends this right to
the published word, including electronic
formats

ITM 478/578 20
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

US Copyright Law: Fair Use

 Fair use of copyrighted materials
includes
– the use to support news reporting,
teaching, scholarship, and a number of
other related permissions
– the purpose of the use has to be for
educational or library purposes, not for
profit, and should not be excessive
 DMCA (more on this in a minute)
ITM 478/578 21
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

What is Fair Use?

 Allow for limited copying or

distribution of published works
without author’s permission
– Examples:
• Quotation of excerpts in a review or critique
• copying of a small part of a work by a teacher
or student to illustrate a lesson

ITM 478/578 22
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

What is Fair Use?

 Determination of fair use based on:
– Purpose and nature of the use
– Nature of the copyrighted work
– Nature and substantiality of the material
used
– Effect of use on the potential market for or
value of the work

ITM 478/578 23
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

What is Fair Use?

 As Kerry Konrad, co-lead litigation

counsel for Lotus Development
Corporation, succinctly said, “if your
use is private, limited, and for the
purpose of reference and illustration
only, it’s likely to be fair.”

ITM 478/578 24
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

Licensing of Copyrights

 Iffair use does not apply, using

another’s intellectual property
requires a license
 A license is not a given—the owner
does not have to grant a license nor
give any explanation when they don’t

ITM 478/578 25
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

Licensing of Copyrights
 Placing materials on the Web does NOT
place them in the Public Domain unless
such assignment is specifically made
– Some Web sites contain content such as clipart,
buttons, bars, backgrounds, photos, where either
the items have been placed in the public domain
or a license for their use is clearly granted
– Otherwise all works online—graphic arts as well
as text—are protected by copyright, and your
reuse requires a license

ITM 478/578 26
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

US Copyright Office
Figure 3-3
U.S. Copyright
Office Web site
http://www.loc.gov/copyright/

ITM 478/578 27
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

Digital Millennium Copyright Act (DMCA)

 The Digital Millennium Copyright Act
(DMCA) is the US version of an
international effort to reduce the
impact of copyright, trademark, and
privacy infringement
 Many legal experts feel DMCA
illegally infringes on Fair Use and has
other adverse effects

ITM 478/578 28
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

Impact of DMCA
 Critics claim DCMA has had the
following impacts (among others):
– DMCA is being used to silence researchers,
computer scientists and critics
– Corporations are using it against the
public
– Public/College radio stations can no longer
afford to webcast

ITM 478/578 29
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

Impact of DMCA
 Also has had a stifling effect on
computer security research as
prohibits the circumvention of copy
protection and the distribution of
devices that can be used to circumvent
copyrights
– In doing so it treats publishing of security
vulnerabilities as a violation of the law

ITM 478/578 30
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

Sarbanes-Oxley Act
 Created to address accounting
“irregularities” (Enron, etc.)
 Requires internal controls & internal
controls reporting
– As part of this, general computer controls
must be implemented and documented
 Informationsecurity controls are a key
component of general computer controls

ITM 478/578 31
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

Sarbanes-Oxley Act
 Section 404 -- Management Assessment
of Internal Controls
 Rules Required. The [Securities and
Exchange] Commission shall prescribe rules
requiring each annual report…to contain an
internal control report, which shall--
– state the responsibility of management for
establishing and maintaining an adequate
internal control structure and procedures for
financial reporting; and
– contain an assessment, as of the end of the most
recent fiscal year of the issuer, of the
effectiveness of the internal control structure and
procedures of the issuer for financial reporting
ITM 478/578 32
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

Sarbanes-Oxley Act
 Access controls, authorization,
auditability, data integrity and
availability (disaster recovery) are
key elements of controls to ensure
compliance with section 404
 Because there is external financial
auditor involvement in assuring
rules compliance, this draws audit
firms into IT security auditing or at
least verification of IT security audits
ITM 478/578 33
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

State & Local Regulations

 Each state or locality may have laws
and regulations that impact the use of
computer technology
 Information security professionals have
a responsibility to understand state
laws and regulations and insure
organization’s security policies and
procedures comply
ITM 478/578 34
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

United Nations Charter

 To some degree the United Nations
Charter provides provisions for
information security during
Information Warfare
 Information Warfare (IW) involves use
of information technology to conduct
offensive operations as part of an
organized and lawful military operation
by a sovereign state
ITM 478/578 35
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

Information Warfare

 IW is a relatively new application of

warfare, although the military has been
conducting electronic warfare and
counter-warfare operations for decades,
jamming, intercepting, and spoofing
enemy communications

ITM 478/578 36
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

Policy Versus Law

 Most organizations develop and formalize
a body of expectations called policy
 Policies function in an organization like
laws
 For a policy to become enforceable, it
must meet certain standards
 Only when all conditions are met, does
the organization have a reasonable
expectation of effective policy
ITM 478/578 37
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

Standards for Enforceable Policy

Enforceable policy must be:
– Distributed to all individuals who are
expected to comply
– Readily available for employee reference
– Easily understood with multi-language
translations and translations for visually
impaired, or literacy-impaired employees
– Acknowledged by the employee, usually by
means of a signed consent form
ITM 478/578 38
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

Content of Corporate Use Policies

 Rights  Tracking
 Responsibilities – What tracking will be
done
 Privileges – Who will do it
 Prohibitions – What circumstances
– Activities – How will the information
– Uses will be stored
• “business only” (strict) – Who will have access to it
or “business and
reasonable personal use”  Communicating
(loose) information
• Similar to telephone use  Virus detection
policies
– Harassment  Export restrictions
– Overloading resources  Waiver of Privacy
 Disclaimers
ITM 478/578 39
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

Ethical Concepts in Information Security

10 Commandments of Computer Ethics
from The Computer Ethics Institute
1. Thou shalt not use a computer to harm other
people.
2. Thou shalt not interfere with other people’s
computer work.
3. Thou shalt not snoop around in other
people’s computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false
witness [lie].
ITM 478/578 40
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

Ethical Concepts in Information Security

10 Commandments of Computer Ethics
from The Computer Ethics Institute
6. Thou shalt not copy or use proprietary software for
which you have not paid.
7. Thou shalt not use other people’s computer resources
without authorization or proper compensation.
8. Thou shalt not appropriate other people’s
intellectual output.
9. Thou shalt think about the social consequences of
the program you are writing or the system you are
designing.
10. Thou shalt always use a computer in ways that
insure consideration and respect for your fellow
humans.
ITM 478/578 41
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

Cultural Differences in Ethical Concepts

 Differences in cultures cause problems in
determining what is ethical and what is not
ethical
 Studies of ethical sensitivity to computer use
reveal different nationalities have different
perspectives
 Difficulties arise when one nationality’s
ethical behavior contradicts that of another
national group

ITM 478/578 42
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

Ethics and Education

 Employees must be trained in topics related
to information security, including expected
behaviors of an ethical employee
 Especially important in areas of information
security; many employees may not have the
formal technical training to understand what
behavior is unethical or illegal
 Proper ethical and legal training is vital to
creating an informed, well prepared, and
low-risk system user
ITM 478/578 43
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

Deterrence to Unethical and Illegal Behavior

 Deterrence - preventing an illegal or

unethical activity
– Examples of deterrents: Laws, policies,
technical controls
 Laws and policies only deter if three
conditions are present:
– Fear of penalty
– Probability of being caught
– Probability of penalty being administered
ITM 478/578 44
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

Codes of Ethics, Certifications, and Professional Organizations

 Many organizations have codes of conduct

and/or codes of ethics
– Codes of ethics can have a positive effect
– Unfortunately, having a code of ethics is not
enough
 Security professionals must act ethically
and according to the policies and
procedures of their employer, their
professional organization, and the laws of
society
ITM 478/578 45
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

Association of Computing Machinery

 The ACM (www.acm.org) is a respected
professional society
– originally established in 1947 as “the
world’s first educational and scientific
computing society”
 Their code of ethics requires members
to perform their duties in a manner
befitting an ethical computing
professional
ITM 478/578 46
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

Association of Computing Machinery

 The code contains specific references to

protecting the confidentiality of
information, causing no harm,
protecting the privacy of others, and
respecting the intellectual property and
copyrights of others

ITM 478/578 47
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

International Information Systems Security Certification Consortium

 The (ISC)2 (www.isc2.org) is a non-profit

organization
– focuses on the development and
implementation of information security
certifications and credentials
 The code of ethics put forth by (ISC) 2 is
primarily designed for information
security professionals who have earned
a certification from (ISC)2
ITM 478/578 48
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

(ISC)2 Code
code focuses on four mandatory
 (ISC)2
canons:
– Protect society, the commonwealth, and
the infrastructure
– Act honorably, honestly, justly,
responsibly, and legally
– Provide diligent and competent service to
principals
– Advance and protect the profession

ITM 478/578 49
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

System Administration, Networking, and Security Institute

 The System Administration,

Networking, and Security Institute, or
SANS (www.sans.org), is a professional
organization with a large membership
dedicated to the protection of
information and systems
 SANS offers a certifications called the
Global Information Assurance
Certification or GIAC
ITM 478/578 50
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

Information Systems Audit and Control Association

 The Information Systems Audit and

Control Association or ISACA
(www.isaca.org) is a professional
association with a focus on auditing,
control, and security
 Although it does not focus exclusively
on information security, the Certified
Information Systems Auditor or CISA
certification does contain many
information security components
ITM 478/578 51
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

Information Systems Audit and Control Association

 The ISACA also has a code of ethics

for professionals
 Requires many of the same high
standards for ethical performance as
the other organizations and
certifications

ITM 478/578 52
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

CSI - Computer Security Institute

 The Computer Security Institute
(www.gocsi.com) provides information and
certification to support the computer,
networking, and information security
professional
 While CSI does not promote a single
certification certificate like the CISSP or
GISO, it does provide a range of technical
training classes in the areas of Internet
Security, Intrusion Management, Network
Security, Forensics, as well as technical
networking
ITM 478/578 53
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

Other Security Organizations

 Information Systems Security Association
(ISSA)® (www.issa.org)
 Internet Society or ISOC (www.isoc.org)
 Computer Security Division (CSD) of the
National Institute for Standards and
Technology (NIST)
– contains a resource center known as the Computer
Security Resource Center (csrc.nist.gov) housing
one of the most comprehensive sets of publicly
available information on the entire suite of
information security topics
ITM 478/578 54
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

Other Security Organizations

 CERT® Coordination Center or

CERT/CC (www.cert.org) is a center of
Internet security expertise operated by
Carnegie Mellon University
 Computer Professionals for Social
Responsibility (CPSR) promotes the
development of ethical computing

ITM 478/578 55
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

Key U.S. Federal Agencies

 The Department of Homeland
Security’s National Infrastructure
Protection Center (NIPC)
(www.nipc.gov)
– National InfraGard Program
 National Security Agency (NSA)
– The NSA is “the Nation’s cryptologic
organization”
– NSA Information Assurance Directorate
ITM 478/578 56
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

Other Key Federal Agencies

Figure 3-14
U.S. Secret
Service Web site
http://www.secretservice.gov/

ITM 478/578 57
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

Organizational Liability and the Need for Counsel

 Liability is the legal obligation of an entity

– Liability extends beyond legal obligation or
contract to include liability for a wrongful act and
the legal obligation to make restitution
– An organization increases its liability if it refuses
to take strong measures known as due care
 Due diligence requires that an organization
make a valid effort to protect others and
continually maintain this level of effort

ITM 478/578 58
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

Our Private Directory for this Course

 Answers to chapter review questions

 InfoSec Library as self-extracting .zip
file (distributed on CD to live students)
 Can only be accessed from Blackboard

ITM 478/578 59
ILLINOIS INSTITUTE OF TECHNOLOGY
Tra ns fo rm ing Live s . Inve nting the Future .
www.iit.edu

The End…

Questions?

ITM 478/578 60