CHAPTER 3:

Legal, Ethical and Professional Issues in

Information Security
Lesson Objectives:
Upon completion of this material, you should be able to:
Demonstrate that organizations have a business need for information security
Explain why a successful information security program is the responsibility of both an organization’s general
management and IT management
Identify the threats posed to information security and the more common attacks associated with those threats,
and differentiate threats to the information within systems from attacks against the information within
systems
Describe the issues facing software developers, as well as the most common errors made by developers, and
explain how software development programs can create software that is more secure and reliable

INTRODUCTION
As a future information security professional, you must understand the scope of an organization’s legal
and ethical responsibilities. The information security professional plays an important role in an organization’s
approach to managing liability for privacy and security risks. In the modern litigious societies of the world,
sometimes laws are enforced in civil courts, where large damages can be awarded to plaintiffs who bring suits
against organizations. Sometimes these damages are punitive—assessed as a deterrent. To minimize liability
and reduce risks from electronic and physical threats, and to reduce all losses from legal action, information
security practitioners must thoroughly understand the current legal environment, stay current with laws and
regulations, and watch for new and emerging issues. By educating the management and employees of an
organization on their legal and ethical obligations and the proper use of information technology and information
security, security professionals can help keep an organization focused on its primary objectives.

LESSON 1: Law and Ethics in Information Security

• Laws: rules that mandate or prohibit certain societal behavior
• Ethics: define socially acceptable behavior
• Cultural mores: fixed moral attitudes or customs of a particular group; ethics based on these
• Laws carry sanctions of a governing authority; ethics do not
Organizational Liability and the Need for Counsel
• Liability is legal obligation of an entity; includes legal obligation to make restitution for wrongs
committed
• Organization increases liability if it refuses to take measures known as due care. Due care standards
are met when an organization makes sure that every employee knows what is acceptable or
unacceptable behavior, and knows the consequences of illegal or unethical actions.
• Due diligence requires that an organization make valid effort to protect others and continually maintain
that level of effort

Types of Law
• Civil law represents a wide variety of laws that are recorded in volumes of legal “code
1-1 IAS 101 – Information Assurance and Security 1
CHAPTER 3:
Legal, Ethical and Professional Issues in
Information Security
• Criminal law addresses violations harmful to society and is actively enforced through prosecution by
the state.
• Tort law allows individuals to seek recourse against others in the event of personal, physical, or
financial injury.
• Private law regulates the relationship between the individual and the organization, and encompasses
family law, commercial law, and labor law.
• Public law regulates the structure and administration of government agencies and their relationships
with citizens, employees, and other governments, providing careful checks and balances. Examples of
public law include criminal, administrative, and constitutional law.
Privacy of Customer Information
 The Privacy of Customer Information Section of the common carrier regulation states that any
proprietary information shall be used explicitly for providing services, and not for any marketing
purposes, and that carriers cannot disclose this information except when necessary to provide their
services.
 Aggregate information is created by combining pieces of nonprivate data—often collected during
software updates and via cookies—that when combined may violate privacy.
 The following agencies, regulated businesses, and individuals are exempt from some of the regulations
so that they can perform their duties:
o Bureau of the Census
o National Archives and Records Administration
o Congress
o Comptroller General
o Federal courts with regard to specific issues using appropriate court orders
o Credit reporting agencies
o Individuals or organizations that demonstrate that information is necessary to protect the health
or safety of that individual
 The Electronic Communications Privacy Act of 1986 is a collection of statutes that regulates the
interception of wire, electronic, and oral communications.
 The Health Insurance Portability and Accountability Act Of 1996 (HIPAA), also known as the Kennedy-
Kassebaum Act, protects the confidentiality and security of health care data by establishing and
enforcing standards and by standardizing electronic data interchange.
o HIPAA has five fundamental principles:
 1. Consumer control of medical information
 2. Boundaries on the use of medical information
1-2 IAS 101 – Information Assurance and Security 1
CHAPTER 3:
Legal, Ethical and Professional Issues in
Information Security
 3. Accountability for the privacy of private information
 4. Balance of public responsibility for the use of medical information for the greater good
measured against impact to the individual
 5. Security of health information
Identity Theft
 The Federal Trade Commission (FTC) describes identity theft as “occurring when someone uses your
personally identifying information, like your name, Social Security number, or credit card number,
without your permission, to commit fraud or other crimes.”

LESSON 2: International Laws and Legal Bodies

• European Council Cyber-Crime Convention:
– Establishes international task force overseeing Internet security functions for standardized
international technology laws
– Attempts to improve effectiveness of international investigations into breaches of technology law
– Well received by intellectual property rights advocates due to emphasis on copyright
infringement prosecution
– Lacks realistic provisions for enforcement
Digital Millennium Copyright Act (DMCA)
• U.S. contribution to international effort to reduce impact of copyright, trademark, and privacy
infringement
• A response to European Union Directive 95/46/EC, which adds protection to individuals with regard to
processing and free movement of personal data
• The United Kingdom has already implemented a version of this directive called the Database Right.
United Nations Charter
• Makes provisions, to a degree, for information security during information warfare (IW)
• IW involves use of information technology to conduct organized and lawful military operations
• IW is relatively new type of warfare, although military has been conducting electronic warfare
operations for decades
Policy Versus Law
• Most organizations develop and formalize a body of expectations called policy
• Policies serve as organizational laws
• To be enforceable, policy must be distributed, readily available, easily understood, and acknowledged
by employees

1-3 IAS 101 – Information Assurance and Security 1

CHAPTER 3:
Legal, Ethical and Professional Issues in
Information Security
• Thus, for a policy to become enforceable, it must meet the following five criteria:
• Dissemination (distribution)—The organization must be able to demonstrate that the relevant
policy has been made readily available for review by the employee. Common dissemination
techniques include hard copy and electronic distribution.
• Review (reading)—The organization must be able to demonstrate that it disseminated the
document in an intelligible form, including versions for illiterate, non-English reading, and
reading-impaired employees. Common techniques include recordings of the policy in English
and alternate languages.
• Comprehension (understanding)—The organization must be able to demonstrate that the
employee understood the requirements and content of the policy. Common techniques include
quizzes and other assessments.
• Compliance (agreement)—The organization must be able to demonstrate that the employee
agreed to comply with the policy through act or affirmation. Common techniques include logon
banners, which require a specific action (mouse click or keystroke) to acknowledge agreement,
or a signed document clearly indicating the employee has read, understood, and agreed to
comply with the policy.
• Uniform enforcement—The organization must be able to demonstrate that the policy has been
uniformly enforced, regardless of employee status or assignment.

LESSON 3: Ethics and Information Security

“The Ten Commandments of Computer Ethics” from The Computer Ethics Institute
• 1) Thou shalt not use a computer to harm other people: If it is unethical to harm people by making a
bomb, for example, it is equally bad to write a program that handles the timing of the bomb. Or, to put it
more simply, if it is bad to steal and destroy other people’s books and notebooks, it is equally bad to
access and destroy their files.
• 2) Thou shalt not interfere with other people's computer work: Computer viruses are small
programs that disrupt other people’s computer work by destroying their files, taking huge amounts of
computer time or memory, or by simply displaying annoying messages. Generating and consciously
spreading computer viruses is unethical.
• 3) Thou shalt not snoop around in other people's files: Reading other people’s e-mail messages is
as bad as opening and reading their letters: This is invading their privacy. Obtaining other people’s non-
public files should be judged the same way as breaking into their rooms and stealing their documents.
Text documents on the Internet may be protected by encryption.
• 4) Thou shalt not use a computer to steal: Using a computer to break into the accounts of a
company or a bank and transferring money should be judged the same way as robbery. It is illegal and
there are strict laws against it.
• 5) Thou shalt not use a computer to bear false witness: The Internet can spread untruth as fast as it
can spread truth. Putting out false "information" to the world is bad. For instance, spreading false
rumors about a person or false propaganda about historical events is wrong.
• 6) Thou shalt not use or copy software for which you have not paid: Software is an intellectual
product. In that way, it is like a book: Obtaining illegal copies of copyrighted software is as bad as
photocopying a copyrighted book. There are laws against both. Information about the copyright owner
can be embedded by a process called  watermarking into pictures in the digital format.
1-4 IAS 101 – Information Assurance and Security 1
CHAPTER 3:
Legal, Ethical and Professional Issues in
Information Security
• 7) Thou shalt not use other people's computer resources without authorization: Multiuser
systems use user id’s and passwords to enforce their memory and time allocations, and to safeguard
information.  You should not try to bypass this authorization system. Hacking a system to break and
bypass the authorization is unethical.
• 8) Thou shalt not appropriate other people's intellectual output: For example, the programs you
write for the projects assigned in this course are your own intellectual output. Copying somebody else’s
program without proper authorization is software piracy and is unethical. Intellectual property is a
form of ownership, and may be protected by copyright laws.
• 9) Thou shalt think about the social consequences of the program you write: You have to think
about computer issues in a more general social framework: Can the program you write be used in a
way that is harmful to society? For example, if you are working for an animation house, and are
producing animated films for children, you are responsible for their contents.
• 10) Thou shalt use a computer in ways that show consideration and respect: Just like public
buses or banks, people using computer communications systems may find themselves in situations
where there is some form of queuing and you have to wait for your turn and generally be nice to other
people in the environment. The fact that you cannot see the people you are interacting with does not
mean that you can be rude to them.
Ethical Differences Across Cultures
• Cultural differences create difficulty in determining what is and is not ethical
• Difficulties arise when one nationality’s ethical behavior conflicts with ethics of another national group
Ethics and Education
• Overriding factor in leveling ethical perceptions within a small population is education
• Employees must be trained in expected behaviors of an ethical employee, especially in areas of
information security
• Proper ethical training vital to creating informed, well prepared, and low-risk system user
Deterrence to Unethical and Illegal Behavior
• Deterrence: best method for preventing an illegal or unethical activity; e.g., laws, policies, technical
controls’
• There are three general causes of unethical and illegal behavior:
1. Ignorance—Ignorance of the law is no excuse; however, ignorance of policy and procedures is.
The first method of deterrence is education. This is accomplished by means of designing,
publishing, and disseminating organization policies and relevant laws, and also obtaining
agreement to comply with these policies and laws from all members of the organization.
Reminders, training, and awareness programs keep the policy information in front of the
individual and thus better support retention and compliance.
2. Accident—Individuals with authorization and privileges to manage information within the
organization are most likely to cause harm or damage by accident. Careful planning and control
helps prevent accidental modification to systems and data.
3. Intent—Criminal or unethical intent goes to the state of mind of the person performing the act; it
is often necessary to establish criminal intent to successfully prosecute offenders. Protecting a
1-5 IAS 101 – Information Assurance and Security 1
CHAPTER 3:
Legal, Ethical and Professional Issues in
Information Security
system against those with intent to cause harm or damage is best accomplished by means of
technical controls, and vigorous litigation or prosecution if these controls fail.
• Laws and policies only deter if three conditions are present:
1. Fear of penalty - Potential offenders must fear the penalty. Threats of informal reprimand or
verbal warnings may not have the same impact as the threat of imprisonment or forfeiture of
pay.
2. Probability of being caught - Potential offenders must believe there is a strong possibility of
being caught. Penalties will not deter illegal or unethical behavior unless there is reasonable
fear of being caught.
3. Probability of penalty being administered - Potential offenders must believe that the penalty will
in fact be administered.

LESSON 4: Codes of Ethics and Professional Organizations

• Several professional organizations have established codes of conduct/ethics
• Codes of ethics can have positive effect; unfortunately, many employers do not encourage joining of
these professional organizations
• Responsibility of security professionals to act ethically and according to policies of employer,
professional organization, and laws of society
Association of Computing Machinery (ACM)
• ACM established in 1947 as “the world's first educational and scientific computing society”
• Code of ethics contains references to protecting information confidentiality, causing no harm, protecting
others’ privacy, and respecting others’ intellectual property
International Information Systems Security Certification Consortium, Inc. (ISC) 2
 The (ISC)2 (www.isc2.org) is a non-profit organization that focuses on the development and
implementation of information security certifications and credentials.
 The code of ethics put forth by (ISC)2 is primarily designed for information security professionals who
have earned a certification from (ISC)2.
 This code focuses on four mandatory canons:
o Protect society, the commonwealth, and the infrastructure;
o Act honorably, honestly, justly, responsibly, and legally;
o Provide diligent and competent service to principals; and
o Advance and protect the profession.
System Administration, Networking, and Security Institute (SANS)
• Professional organization with a large membership dedicated to protection of information and systems
• SANS offers set of certifications called Global Information Assurance Certification (GIAC)
Information Systems Audit and Control Association (ISACA)
• Professional association with focus on auditing, control, and security
• Concentrates on providing IT control practices and standards
1-6 IAS 101 – Information Assurance and Security 1
CHAPTER 3:
Legal, Ethical and Professional Issues in
Information Security
• ISACA has code of ethics for its professionals
Computer Security Institute (CSI)
• Provides information and training to support computer, networking, and information security
professionals
• Though without a code of ethics, has argued for adoption of ethical behavior among information
security professionals
Information Systems Security Association (ISSA)
• Nonprofit society of information security (IS) professionals
• Primary mission to bring together qualified IS practitioners for information exchange and educational
development
• Promotes code of ethics similar to (ISC)2, ISACA and ACM
Other Security Organizations
• Internet Society (ISOC): promotes development and implementation of education, standards, policy and
education to promote the Internet
• Computer Security Division (CSD): division of National Institute for Standards and Technology (NIST);
promotes industry best practices and is important reference for information security professionals
• CERT Coordination Center (CERT/CC): center of Internet security expertise operated by Carnegie
Mellon University
• Computer Professionals for Social Responsibility (CPSR): public organization for anyone concerned
with impact of computer technology on society

SUMMARY
 Laws are formally adopted rules for acceptable behavior in modern society. Ethics are socially
acceptable behaviors. The key difference between laws and ethics is that laws carry the authority of a
governing body and ethics do not.
 Organizations formalize desired behaviors in documents called policies. Policies must be read and
agreed to before they are binding.
 Civil law comprises a wide variety of laws that are used to govern a nation or state. Criminal law
addresses violations that harm society and are enforced by agents of the state or nation.
 Private law focuses on individual relationships, and public law governs regulatory agencies.
 Key U.S. laws protecting privacy include the Federal Privacy Act of 1974, the Electronic
Communications Privacy Act of 1986, and the Health Insurance Portability and Accountability Act of
1996.
 The desire to protect national security, trade secrets, and a variety of other state and private assets has
led to several laws restricting what information and information management and security resources
may be exported from the United States.
 Intellectual property is recognized as a protected asset in this country. U.S. copyright law extends this
privilege to the published word, including electronic media.

1-7 IAS 101 – Information Assurance and Security 1

CHAPTER 3:
Legal, Ethical and Professional Issues in
Information Security
 Studies have determined that individuals of differing nationalities have differing perspectives on ethical
practices regarding the use of computer technology.
 Deterrence can prevent an illegal or unethical activity from occurring. Deterrence requires significant
penalties, a high probability of apprehension, and an expectation of enforcement of penalties.
 As part of an effort to encourage ethical behavior, a number of professional organizations have
established codes of conduct or codes of ethics that their members are expected to follow.
 There are a number of U.S. federal agencies responsible for protecting American information resources
and investigating threats to, or attacks on, these resources

Activity 1. Review Questions

1. What is the difference between law and ethics?
2. What is civil law, and what does it accomplish?
3. What are the primary examples of public law?
Activity 2. Case Exercises
Iris called the company security hotline. The hotline was an anonymous way to report any suspicious activity or
abuse of company policy, although Iris chose to identify herself. The next morning, she was called to a meeting
with an investigator from corporate security, which led to more meetings with others in corporate security, and
then finally a meeting with the director of human resources and Gladys Williams, the CIO of SLS.
Questions:
1. Why was Iris justified in determining who the owner of the CD was?
2. Should Iris have approached Henry directly, or was the hotline the most effective way to take
action? Why do you think so?
3. Should Iris have placed the CD back at the coffee station and forgotten the whole thing? Explain
why that action would have been ethical or unethical.

NAME: ______________________________________ COURSE & YEAR: ___________________

ACTIVITY ANSWER SHEET

Activity 1. Review Questions

1-8 IAS 101 – Information Assurance and Security 1
CHAPTER 3:
Legal, Ethical and Professional Issues in
Information Security
1. What is the difference between law and ethics?

2. What is civil law, and what does it accomplish?

3. What are the primary examples of public law?

Activity 2. Case Exercises

1. Why was Iris justified in determining who the owner of the CD was?

1-9 IAS 101 – Information Assurance and Security 1

CHAPTER 3:
Legal, Ethical and Professional Issues in
Information Security

2. Should Iris have approached Henry directly, or was the hotline the most effective way to take
action? Why do you think so?

3. Should Iris have placed the CD back at the coffee station and forgotten the whole thing? Explain
why that action would have been ethical or unethical.

1-10 IAS 101 – Information Assurance and Security 1