Legal, Ethical, and Professional Issues in Information Security
Introduction
The information security specialist plays an important role in an
In today's world, laws are enforced in civil courts, where large
minimize liability and reduce risks from electronic and physical threats, and
to reduce all losses from legal action, information security experts must
thoroughly understand the current legal environment, stay current with laws
and regulations, and watch for new and emerging issues. By educating the
Course Module
security, security professionals can help keep an organization focused on its
primary objectives.
behavior in society. The key difference between law and ethics is that law
carries the sanction of a governing authority and ethics do not. Ethics are
societal group.
Organizational Liability
harm, the employer can be held financially liable for that action. An
care. Due care standards are met when an organization makes sure that every
with the same care to ensure that they are complete, appropriate, and fairly
the relevant policy has been made readily available for review by the
distribution.
languages.
that the employee understood the requirements and content of the policy.
4. Compliance (agreement)—the organization must be able to show that the
assignment.
Types of Law
1. Civil law embodies a wide variety of laws pertaining to relationships
3. Tort law is a subset of civil law which allows individuals to seek recourse
constitutional law.
Information Security and Assurance
information and information technology. The following are the different laws
The Computer Fraud and Abuse Act of 1986 (CFA Act) is the cornerstone of
many computer-related federal laws and enforcement efforts. The CFA Act
was further modified by the USA Patriot Act of 2001—the abbreviated name
activities
outdated terminology.
The Computer Security Act of 1987 was one of the first attempts to protect
practices.
Privacy Laws
1. The Federal Privacy Act of 1974 regulates the government’s use of private
oral communications.
4. Balance of public responsibility for the use of medical information for the
3. The Financial Services Modernization Act or Gramm-Leach-Bliley Act of
1. Economic Espionage Act (EEA) 1996. This law attempts to protect trade
secrets “from the foreign government that uses its classic espionage
protection measures.
Institute
6. Thou shalt not copy or use proprietary software for which you have not
paid.
9. Thou shalt think about the social consequences of the program you are
10. Thou shalt always use a computer in ways that ensure consideration and
not have the formal technical training to understand that their behavior is
unethical or even illegal. Proper ethical and legal training is vital to creating an
their power to deter unethical and illegal acts, using policy, education and
and systems.
Ignorance
Accident
Intent
Laws, policies, and technical controls are all examples of deterrents. However,
it is generally agreed that laws and policies and their associated penalties only
Fear of penalty:
and/or codes of ethics that members are expected to follow. Codes of ethics
1. Association of Computing Machinery (ACM). The ACM (www.acm.org) is a
certifications.
and security.
Other Security Organizations
2. The Internet Engineering Task Force (IETF) consists of individuals from the
3. The Computer Security Division (CSD) of the National Institute for Standards
and Technology (NIST) runs the Computer Security Resource Center (CSRC)—
professional.
Mellon University.
Republic Act 8792 was signed into law on June 14, 2000. It is a landmark
legislation in the history of the Philippines. Not only has this bill made the
Internet community has played a major role in pushing for its passage. The
4. Parties are given the right to choose the type and level of security
as, but not limited to, multi-modal, airport, road, rail, inland waterway,
forwarders, marine/ocean bill of lading, non-negotiable seaway bill,
National Computer Center will come up with policies and rules that shall
30)
11. Authorities and parties with the legal right can only gain access to