
Information Security and Assurance

Legal, Ethical, and Professional Issues in Information Security

Learning Objectives

At the end of the module the student is expected to:

1. Understand the importance of law and ethics in information security
2. Understand the importance of organizational liability
3. Know the difference between policy and law
4. Enumerate and understand the different types of law
5. Enumerate and know the relevant U.S. laws
6. Understand ethics and education
7. List organizations that uphold security
8. Understand the Philippine e-commerce law

Introduction
The information security specialist plays an important role in an
organization's approach to managing liability for privacy and security risks.
Today many of these laws are enforced in civil courts, where large damages
can be awarded to plaintiffs who bring suits against organizations. Sometimes
these damages are punitive, assessed as a deterrent rather than as
compensation. To minimize liability and reduce risks from electronic and
physical threats, and to reduce losses from legal action, information security
professionals must thoroughly understand the current legal environment, stay
current with laws and regulations, and watch for new and emerging issues. By
educating the management and employees of an organization on their legal and
ethical obligations and on the proper use of information technology and
information security, security professionals can help keep an organization
focused on its primary objectives.

Law and Ethics in Information Security

Laws are rules adopted and enforced by governments to manage expected
behavior in society. The key difference between law and ethics is that law
carries the sanction of a governing authority and ethics do not. Ethics are
based on cultural values: relatively fixed moral attitudes or customs of a
societal group.

Organizational Liability

Liability is the legal obligation of an entity that extends beyond criminal
or contract law; it includes the legal obligation to compensate for
wrongdoings. If an employee, acting with or without the authorization of the
employer, performs an illegal or unethical act that causes some degree of
harm, the employer can be held financially liable for that action. An
organization increases its liability if it fails to take measures known as due
care. Due care standards are met when an organization makes sure that every
employee knows what is acceptable or unacceptable behavior, and knows the
consequences of illegal or unethical actions. Due diligence requires that an
organization make a valid effort to protect others and continually maintain
this level of effort.



Policy versus Law

Policies are guidelines that describe acceptable and unacceptable employee
behaviors in the workplace. They function as organizational laws, complete
with penalties, judicial practices, and sanctions to require compliance.
Because policies function as laws within an organization, they must be
crafted and implemented with the same care, to ensure that they are complete,
appropriate, and fairly applied to everyone in the workplace. The difference
between a policy and a law, however, is that ignorance of a policy is an
acceptable defense; this is why an organization must be able to prove that it
met the criteria below before it can enforce a policy.

For a policy to be enforceable, the organization must be able to demonstrate
five things:

1. Dissemination (distribution): the organization must be able to show that
the relevant policy has been made readily available for review by the
employee. Ways to disseminate include hard copy and electronic
distribution.

2. Review (reading): the organization must be able to show that it
disseminated the document in an intelligible form, including versions for
illiterate, non-English-reading, and reading-impaired employees. Ways to
meet this criterion include recordings of the policy in English and in
alternate languages.

3. Comprehension (understanding): the organization must be able to show
that the employee understood the requirements and content of the policy.
Ways to demonstrate this include quizzes and other assessments.

4. Compliance (agreement): the organization must be able to show that the
employee agreed to comply with the policy through act or affirmation. Ways
to demonstrate this include logon banners, which require a specific action
(mouse click or keystroke) to acknowledge agreement, or a signed document
clearly indicating that the employee has read, understood, and agreed to
comply with the policy.

5. Uniform enforcement: the organization must be able to show that the
policy has been uniformly enforced, regardless of employee status or
assignment.

Types of Law
1. Civil law embodies a wide variety of laws pertaining to relationships
between and among individuals and organizations.

2. Criminal law addresses violations harmful to society and is actively
enforced and prosecuted by the state.

3. Tort law is a subset of civil law which allows individuals to seek recourse
against others in the event of personal, physical, or financial injury.

4. Private law regulates the relationships among individuals and between
individuals and organizations, and encompasses family law, commercial
law, and labor law.

5. Public law regulates the structure and administration of government
agencies and their relationships with citizens, employees, and other
governments. Public law includes criminal, administrative, and
constitutional law.

Relevant U.S. Laws

The United States has been a leader in the development and implementation of
information security legislation to prevent misuse and exploitation of
information and information technology. The following laws are relevant to
information security.

The Computer Fraud and Abuse Act of 1986 (CFA Act) is the cornerstone of
many computer-related federal laws and enforcement efforts. The CFA Act
was further modified by the USA PATRIOT Act of 2001, the abbreviated name
for the "Uniting and Strengthening America by Providing Appropriate Tools
Required to Intercept and Obstruct Terrorism Act of 2001," which provides
law enforcement agencies with broader latitude to combat terrorism-related
activities.

The Communications Act of 1934 was revised by the Telecommunications
Deregulation and Competition Act of 1996, which attempts to modernize the
outdated terminology of the earlier act.

The Computer Security Act of 1987 was one of the first attempts to protect
federal computer systems by establishing minimum acceptable security
practices.

Privacy Laws

1. The Federal Privacy Act of 1974 regulates the government's use of private
information.

2. The Electronic Communications Privacy Act of 1986 is a collection of
statutes that regulates the interception of wire, electronic, and oral
communications.

3. The Health Insurance Portability and Accountability Act of 1996 (HIPAA),
also known as the Kennedy-Kassebaum Act, is an attempt to protect the
confidentiality and security of health care data by establishing and
enforcing standards and by standardizing electronic data interchange.

HIPAA has five fundamental privacy principles:

a. Consumer control of medical information
b. Boundaries on the use of medical information
c. Accountability for the privacy of private information
d. Balance of public responsibility for the use of medical information for the
greater good, measured against the impact to the individual
e. Security of health information

4. The Financial Services Modernization Act, or Gramm-Leach-Bliley Act of
1999, contains a number of provisions that affect banks, securities firms,
and insurance companies.

Export and Espionage Laws

1. The Economic Espionage Act (EEA) of 1996 attempts to protect trade
secrets "from the foreign government that uses its classic espionage
apparatus to spy on a company."

2. The Security and Freedom through Encryption (SAFE) Act of 1997 provides
guidance on the use of encryption and institutes measures of public
protection from government intervention. (Note that SAFE was a bill
introduced in the U.S. House of Representatives; it was never enacted into
law.)

U.S. Copyright Law

U.S. copyright law extends protection to intellectual property, which includes
words published in electronic formats.

Other Relevant U.S. Laws

1. Freedom of Information Act of 1966 (FOIA). All federal agencies are
required under the Freedom of Information Act (FOIA) to disclose records
requested in writing by any person.

2. The Sarbanes-Oxley Act of 2002 enforces accountability for financial
record keeping and reporting at publicly traded corporations.



International laws and legal bodies

1. Council of Europe Convention on Cybercrime (often referred to as the
European Council Cyber-Crime Convention), which empowers an international
task force to oversee a range of Internet security functions and to
standardize technology laws across international borders.

2. Digital Millennium Copyright Act (DMCA), a U.S.-based international
effort to reduce the impact of copyright, trademark, and privacy
infringement, especially by prohibiting the circumvention of technological
copyright protection measures.

Ethical Concepts in Information Security

The Ten Commandments of Computer Ethics from the Computer Ethics
Institute:

1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people's computer work.
3. Thou shalt not snoop around in other people's computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not
paid.
7. Thou shalt not use other people's computer resources without
authorization or proper compensation.
8. Thou shalt not appropriate other people's intellectual output.
9. Thou shalt think about the social consequences of the program you are
writing or the system you are designing.
10. Thou shalt always use a computer in ways that ensure consideration and
respect for your fellow humans.

Ethics and Education

Education is especially important in information security, as many employees
may not have the formal technical training to understand that their behavior
is unethical or even illegal. Proper ethical and legal training is vital to
creating an informed, well-prepared, and low-risk system user.

Deterring Unethical and Illegal Behavior

It is the responsibility of information security personnel to do everything in
their power to deter unethical and illegal acts, using policy, education and
training, and technology as controls or safeguards to protect the information
and systems.

Many security professionals understand technological means of protection,
but many underestimate the value of policy.

There are three general causes of unethical and illegal behavior that
organizations and society should seek to eliminate:

• Ignorance
• Accident
• Intent

Deterrence is the best method for preventing an illegal or unethical activity.
Laws, policies, and technical controls are all examples of deterrents. However,
it is generally agreed that laws and policies and their associated penalties
only deter if three conditions are present:

• Fear of penalty
• Probability of being caught
• Probability of the penalty being administered

Certifications and Professional Organizations

A number of professional organizations have established codes of conduct
and/or codes of ethics that members are expected to follow. Codes of ethics
can have a positive effect on an individual's judgment regarding computer use.

1. Association for Computing Machinery (ACM). The ACM (www.acm.org) is a
respected professional society, originally established in 1947 as "the world's
first educational and scientific computing society." It is one of the few
organizations that strongly promotes education, and it provides discounted
membership for students. The ACM's code of ethics requires members to
perform their duties in a manner befitting an ethical computing professional.

2. International Information Systems Security Certification Consortium, Inc.
((ISC)²). (ISC)² manages a body of knowledge on information security and
administers and evaluates examinations for information security
certifications. Its code of ethics has four mandatory canons:

a. Protect society, the commonwealth, and the infrastructure
b. Act honorably, honestly, justly, responsibly, and legally
c. Provide diligent and competent service to principals
d. Advance and protect the profession



3. System Administration, Networking, and Security Institute (SANS). Founded
in 1989, SANS is a professional research and education cooperative
organization with currently over 156,000 security professionals, auditors,
system administrators, and network administrators.

4. Information Systems Audit and Control Association (ISACA). ISACA
(www.isaca.org) is a professional association with a focus on auditing,
control, and security.

5. Computer Security Institute (CSI). The Computer Security Institute
(www.gocsi.com) provides information and certification to support the
computer, networking, and information security professional.

6. Information Systems Security Association (ISSA). ISSA (www.issa.org) is a
nonprofit society of information security professionals. As a professional
association, its primary mission is to bring together qualified practitioners
of information security for information exchange and educational
development. ISSA provides conferences, meetings, publications, and
information resources to promote information security awareness and
education.

Other Security Organizations

1. The Internet Society, or ISOC (www.isoc.org), is a nonprofit,
nongovernmental, international professional organization. It promotes the
development and implementation of standards, policy, education, and training
in support of the Internet.

2. The Internet Engineering Task Force (IETF) consists of individuals from the
computing, networking, and telecommunications industries and is
responsible for developing the Internet's technical foundations.

3. The Computer Security Division (CSD) of the National Institute of Standards
and Technology (NIST) runs the Computer Security Resource Center (CSRC),
an essential resource for any current or aspiring information security
professional.

4. The CERT Coordination Center, or CERT/CC (www.cert.org), is a center of
Internet security expertise that is part of the Software Engineering Institute,
a federally funded research and development center operated by Carnegie
Mellon University.

Philippine E-commerce law


In 1999, the Philippine Y2K Law became the first law crafted and deliberated
online by the private sector.

Republic Act 8792 was signed into law on June 14, 2000, and took effect on
June 19, 2000. It is a landmark piece of legislation in the history of the
Philippines: it made the country a legitimate player in the global electronic
marketplace, and the Philippine Internet community played a major role in
pushing for its passage.

Here are the salient features of Republic Act 8792:

1. It gives legal recognition to electronic data messages, electronic
documents, and electronic signatures. (Sections 6 to 13)

2. It allows the formation of contracts in electronic form. (Section 16)

3. It makes banking transactions done through ATM switching networks
absolute once consummated. (Section 16)

4. Parties are given the right to choose the type and level of security
methods that suit their needs. (Section 24)

5. It provides the mandate for the electronic implementation of transport
documents to facilitate carriage of goods. This includes documents such
as, but not limited to, multi-modal, airport, road, rail, inland waterway,
courier, and post receipts; transport documents issued by freight
forwarders; marine/ocean bills of lading; non-negotiable seaway bills; and
charter party bills of lading. (Sections 25 and 26)

6. It mandates the government to have the capability to do e-commerce
within 2 years, or before June 19, 2002. (Section 27)

7. It mandates RPWeb to be implemented. RPWeb is a strategy that intends
to connect all government offices to the Internet and provide universal
access to the general public. The Department of Transportation and
Communications, the National Telecommunications Commission, and the
National Computer Center will come up with policies and rules that shall
lead to a substantial reduction of the costs of telecommunication and
Internet facilities to ensure the implementation of RPWeb. (Section 28)

8. It brings cable, broadcast, and wireless physical infrastructure within the
activity of telecommunications. (Section 28)

9. It empowers the Department of Trade and Industry to supervise the
development of e-commerce in the country. It can also come up with
policies and regulations, when needed, to facilitate the growth of
e-commerce. (Section 29)

10. It provides guidelines as to when a service provider can be held liable.
(Section 30)

11. Only authorities and parties with a legal right may gain access to
electronic documents, electronic data messages, and electronic
signatures, and for confidentiality purposes they shall not share or convey
them to any other person. (Sections 31 and 32)
