
University of Eswatini

Department of Computer Science

IT Laws and Ethics


CSC 262
2021

Unit 3: Laws against Computer Crimes and Malware
“In law a man is guilty when he violates the rights of others. In ethics he is guilty if he only thinks
of doing so”.

(Immanuel Kant 1724 – 1804)


Table of Contents
Unit 3: Laws against Computer Crimes and Malware .................................................................... 1
Introduction ................................................................................................................................. 1
3.1 Information Security and Privacy Laws ............................................................. 2
3.1.1 South African Laws relevant to Information Security and Privacy.................... 3
3.1.2 United Kingdom Laws Relevant to Information Security and Privacy .............. 5
3.1.3 U.S. Laws Relevant to Information Security and Privacy.................................. 7
3.1.4 International Laws and Legal Bodies ................................................................. 9
3.2 Information Security Policies ........................................................................... 11
3.3 Information Security Standards and Procedures .............................................. 15
3.4 Policies and Procedures .................................................................................... 16
3.5 System use policies and monitoring ................................................................. 16
3.6 Establishing a Security Policy .......................................................................... 17
3.7 Accountability, Liability, and Control .............................................................. 18
3.8 Compliance ....................................................................................................... 20
3.8.1 Event Logs ........................................................................................................ 21
3.8.2 Compliance Liaison .......................................................................................... 21
3.8.3 Remediation ...................................................................................................... 21
3.9 Risks and Liabilities of Computer based Systems............................................ 22
3.10 Legal Issues in IT ............................................................................................. 22
Unit summary............................................................................................................................ 23
Assessment ................................................................................................................................ 24

Unit 3: Laws against Computer Crimes and Malware

Introduction
In most countries, various laws require organizations to use security controls to protect private and confidential data. Information is an important tool for successful organisations, and information security law forms a key part of that equation. Information security law is the body of legal rules, codes, and standards that require you to protect that information, and the information systems that process it, from unauthorized access. The legal risks are potentially significant if you don't take a pragmatic approach. Such risks can be avoided or minimised through various solutions and precautions. IT professionals and managers involved in managing information technology systems must possess a rudimentary grasp of the legal framework within which their organizations operate. The legal environment influences the behaviour of every organization, depending on the nature of the organization and the scale on which it operates. In this unit we are going to explore the legal framework that organizations and IT professionals can follow in order to ensure information security.

Upon completion of this unit, you will be able to:

• Identify and discuss laws that pertain to information technology
• Discuss the legal issues that arise from using computers and the Internet
• Distinguish between policies, standards, and procedures
• Discuss policy compliance
• Identify a set of policies that are considered "a must" for any organization

Key terms used in this unit:

Law: The system of rules which a particular country or community recognizes as regulating the actions of its members and which it may enforce by the imposition of penalties.

Bill: Proposed legislation under consideration by a legislature.

Policy: Guidelines that describe acceptable and unacceptable employee behaviours in the workplace.

Standard: A detailed statement of what must be done to comply with policy, sometimes viewed as the rules governing policy compliance.

Procedures: Step-by-step instructions designed to assist employees in following policies, standards, and guidelines.

Practices: Examples of actions that illustrate compliance with policies.

Information security policy: Written instructions provided by management that inform employees and others in the workplace about proper behaviour regarding the use of information and information assets.

Guidelines: Nonmandatory recommendations the employee may use as a reference in complying with a policy.

de facto standard: A standard that has been widely adopted or accepted by a public group rather than a formal standards organization.

de jure standard: A standard that has been formally evaluated, approved, and ratified by a formal standards organization.

3.1 Information Security and Privacy Laws


Information technology poses new and complex ethical and legal issues which result in legislative responses. These issues include cybercrime and malware. Cybercrimes and malware raise the need for IT laws that protect the rights of everyone involved in the IT infrastructure, as well as society. This protection can be achieved through enforcing information security and privacy laws. It is therefore important for IT professionals to understand the laws and regulations that are relevant to IT and what they need to do in order to comply with such laws. This section reviews some of these laws. As the Kingdom of Eswatini's cybersecurity and privacy bills are currently undergoing review (the bills are available on Moodle), we are going to review relevant laws from other countries.

3.1.1 South African Laws relevant to Information Security and Privacy
Information security law is an emerging area of the law in most countries, especially in third-world countries. In this section we are going to look briefly at information security laws in South Africa. There is no single law in South Africa that governs all of a company's information security obligations. Rather, these obligations come from a 'patchwork' of different laws, and even standards and best practices. The main part of the patchwork comes from the Electronic Communications and Transactions (ECT) Act (2002). A copy of the Act will be on Moodle, please browse through it. The purpose of the ECT Act is to:

• Develop a safe, secure and effective environment for the consumer, business and the Government to conduct and use electronic transactions;
• Provide for the facilitation and regulation of electronic communications and transactions;
• Provide for the development of a national e-strategy for South Africa;
• Promote universal access to electronic communications and transactions and the use of electronic transactions by SMMEs;
• Provide for human resource development in electronic transactions;
• Prevent abuse of information systems;
• Encourage the use of e-government services; and to provide for matters connected therewith.

The ECT Act includes protection of personal information obtained through electronic transactions. The ECT Act also offers consumer protection for electronic transactions. The consumer protection includes information to be provided by the supplier, order cancellation, unsolicited goods and services, and also regulations for supplier performance. Chapter X of the ECT Act governs the domain name authority and administration, and Chapter XI regulates and specifies the limitation of liabilities of service providers of information systems. Chapter XII and Chapter XIII of the Act cover cyber inspections and cybercrimes respectively. The following sections of the ECT Act are worth highlighting:

• Unauthorised access to, interception of or interference with data: Section 86 creates a number of offences in relation to unauthorised access.
• Legal requirements for data messages: Section 11 of the ECT Act gives data messages legal force. Section 12 recognises that a data message can be used where a written document is required, and section 13 states that when the type of signature is not specified, an electronic signature can be used.
• Transactional security: Section 43(5) of the ECT Act requires the use of a payment system which is "sufficiently secure".
• Electronic signatures: Ordinary electronic signatures and "advanced" electronic signatures play a role in securing information pursuant to section 13 of the ECT Act.
• Computer-related extortion, fraud and forgery: In terms of section 87 of the ECT Act, the victim of an information security attack conducted by means of impersonation or spoofing could lay a criminal charge of fraud against the attacker, based on the attacker's attempt to mislead or misappropriate something of value.
• Common law privacy claims: For example, a person submits personal information to an organisation for a certain purpose and the organisation reveals the information to a third party who misuses the information, causing the person to suffer damage or loss (for example, in the context of 'data swops' between organisations).
• Communication of data messages: The Act also regulates the use of data messages such as emails and SMSs.
• E-Governance: Section 27 regulates the acceptance of electronic filing and issuing of documents.
• Cryptography providers: Section 29 regulates the registration of cryptography providers, and section 30 regulates the issuing of cryptography services and cryptography products.
• The law of contract: Information technology contracts such as outsourcing, service provision, application service provider and software licensing agreements are beginning to impose security obligations on vendors and business partners. These agreements increasingly require the providers of information technology to warrant against security vulnerabilities, such as viruses and trojan horses, and organisations are more frequently being contractually obligated to protect a customer's, employee's, or business partner's personal or confidential information. Similarly, businesses are often required to agree to security commitments as a condition of participating in certain activities. For example, merchants that want to accept credit cards must agree to comply with the PCI Data Security Standard.
• The law of delict: The concepts of "reasonableness" and "duty of care" are being relied upon to determine whether or not organisations have been negligent in not taking the necessary security precautions, and whether they are liable for loss suffered where the party who suffered the loss proves that it was reasonably foreseeable and was caused by the other party's negligence.
• The law of evidence: In connection with forensics, issues arise relating to information in electronic form which may have been modified or deleted in an attempt to hide the evidence, and the necessary steps must be taken to ensure that the reliability and admissibility of the electronic evidence will be maintained in the eyes of a court of law.
• Common law fraud: for example, identity theft.
• Cybercrime: Any illegal act which involves a computer, whether the computer is the object of a crime, an instrument used to commit a crime or a repository of evidence related to a crime, and includes the statutory cybercrimes set out in sections 85 to 88 of the ECT Act.

Apart from the ECT Act, South Africa also has the Protection of Personal Information Act (POPIA), which was passed in 2013. A copy of the POPIA is available on Moodle, please browse through it. The goal of the POPI Act is to protect data subjects from security breaches, theft, and discrimination. To accomplish this, it outlines eight principles that South African data processors must follow. Each principle encourages responsibility, security, and consent. It also provides special protections for distinct categories of data as well as the data of children. The eight POPIA conditions for lawful processing are:

• Accountability
• Processing limitation
• Purpose specification
• Further processing limitation
• Information quality
• Openness
• Security safeguards
• Data subject participation

It has been recognised in South Africa that the current hybrid legal framework relating to cybercrimes has not kept up with the dynamic nature of technology and international standards. Therefore, in 2015 the first draft of the Cybercrimes and Cybersecurity Bill was published in the South African parliament, and it was passed into law in June 2021 as the Cybercrime Act. The Act consolidates and codifies numerous existing offences relating to cybercrime, and also creates a variety of new offences which did not previously exist in South African law. A copy of the Act has been uploaded on Moodle, please go through it. The Act creates many new offences such as hacking, unlawful interception of data, ransomware, cyber forgery and cyber extortion. The intention of the Act is to:

• Create offences and prescribe penalties;
• Criminalise the distribution of data messages which are harmful and to provide for interim protection orders;
• Regulate jurisdiction;
• Regulate the powers to investigate, search and gain access to or seize items;
• Regulate aspects of international co-operation in respect of the investigation of cybercrime;
• Provide for the establishment of a 24/7 point of contact;
• Provide measures to protect National Critical Information Infrastructures;
• Further regulate aspects relating to evidence;
• Impose obligations on electronic communications service providers;
• Allow the country's president to enter into agreements with foreign states to promote cyber security; and
• Align with international best practice and effectively deal with multi-jurisdictional cybercrime activity.

3.1.2 United Kingdom Laws Relevant to Information Security and Privacy


There are a number of pieces of legislation relevant to information security that must be adhered to in order to remain legally compliant when using, storing and handling information in the UK. The main pieces of UK legislation include:

• Data Protection Act 1998: The Data Protection Act regulates the use of personal data by organisations. Personal data is defined as information relating to a living, identifiable individual. The Act is underpinned by eight guiding principles:
  1. Personal data shall be processed fairly and lawfully.
  2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  4. Personal data shall be accurate and, where necessary, kept up to date.
  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
• The Freedom of Information Act: The Freedom of Information Act 2000 provides public access to information held by public authorities. It does this in two ways:
  o Public authorities are obliged to publish certain information about their activities; and
  o Members of the public are entitled to request information from public authorities.
• The Privacy and Electronic Communications Regulations (PECR): The PECR sit alongside the Data Protection Act and the GDPR. They give people specific privacy rights in relation to electronic communications. There are specific rules on:
  o Marketing calls, emails, texts and faxes;
  o Cookies (and similar technologies);
  o Keeping communications services secure; and
  o Customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.
• Regulation of Investigatory Powers Act (RIPA): RIPA regulates the powers of public bodies to carry out surveillance and investigation and also deals with the interception of communications. The Home Office offers guidance and codes of practice relating to RIPA.
• The Computer Misuse Act: The Act was introduced partly in reaction to a specific legal case and was intended to deter criminals from using a computer to assist in the commission of a criminal offence or from impairing or hindering access to data stored in a computer. The Act contains three criminal offences for computer misuse:
  o Unauthorised access to computer material;
  o Unauthorised access with intent to commit or facilitate commission of further offences;
  o Unauthorised modification of computer material.
• Human Rights Act of 1998: The Human Rights Act puts the rights set out in the 1953 European Convention on Human Rights into UK law. Article 8, relating to privacy, is of most relevance to information security: it provides a right to respect for an individual's "private and family life, his home and his correspondence", a right that is also embedded within the Data Protection Act.
• Malicious Communications Act of 1988: The Malicious Communications Act makes it illegal to "send or deliver letters or other articles for the purposes of causing stress or anxiety". This also applies to electronic communications such as emails and messages via social networking websites.
• Digital Economy Act of 2010: The Digital Economy Act regulates the use of digital media in the UK. It deals with issues such as online copyright infringement and the obligations that internet service providers (ISPs) have to tackle online copyright infringement.
• Privacy and Electronic Communications (EC Directive) (Amendment) Regulations of 2011: An amendment to the Privacy and Electronic Communications Regulations in 2011 obliged websites to inform users about their use of cookies and to seek consent before setting more privacy-intrusive cookies.
• Counter-Terrorism and Security Act 2015: Accessing websites or other material which promotes terrorism or violent extremism, or which seeks to radicalise individuals to these causes, will likely constitute an offence under the Counter-Terrorism and Security Act 2015.
• The Network and Information Systems Regulations (2018): The regulations set out measures designed to ensure that critical IT systems in critical sectors of the economy, such as banking, energy, health and transport, are secure. They apply to operators of such "essential services" and to "digital service providers". Under the new rules, both operators of essential services and digital service providers are required to keep their networks and information systems secure and to notify security incidents to "competent authorities" when they occur.

3.1.3 U.S. Laws Relevant to Information Security and Privacy


The United States has led the development and implementation of information security legislation to prevent misuse and exploitation of information and information technology. The development of information security legislation promotes the general welfare and creates a stable environment for a solid economy. In its capacity as a global leader, the United States has demonstrated a clear understanding of the problems facing the information security field and has specified penalties for individuals and organizations that fail to follow the requirements set forth in the U.S. civil statutes. Information security and privacy laws in the US include:

• Computer Fraud and Abuse (CFA) Act of 1986: Defines and formalizes laws to counter threats from computer-related acts and offenses. It is the cornerstone of many computer-related federal laws and enforcement efforts; the CFA formally criminalizes "accessing a computer without authorization or exceeding authorized access" for systems containing information of national interest as determined by the U.S. government.
• National Information Infrastructure Protection Act of 1996: Categorizes crimes based on the defendant's authority to access a protected computer system and criminal intent.
• Economic Espionage Act of 1996: Prevents abuse of information gained while employed elsewhere. This law is used to protect trade secrets.
• Security and Freedom through Encryption Act: Affirms the rights of persons in the United States to use and sell products that include encryption, and relaxes export controls on such products (encryption and digital signatures).
• Electronic Communications Privacy Act (ECPA) of 1986: A collection of statutes that regulate the interception of wire, electronic, and oral communications. These statutes are frequently referred to as the "federal wiretapping acts".
• Health Insurance Portability and Accountability Act (HIPAA) of 1996: This law attempts to protect the confidentiality and security of health care data by establishing and enforcing standards and by standardizing electronic data interchange. It requires medical practices to ensure the privacy of personal medical information (personal health information protection).
• Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009: Addresses privacy and security concerns associated with the electronic transmission of private health information, in part through several provisions that strengthen HIPAA rules for civil and criminal enforcement.
• Privacy Act of 1974: A federal law that regulates the government's collection, storage, use, and dissemination of individual personal information contained in records maintained by the federal government.
• Communications Act (47 USC 151 et seq.) of 1934: Regulates interstate and foreign telecommunication.
• Fair Credit Reporting Act (FCRA) of 1970: Regulates the collection and use of consumer credit information.
• Unlawful Access to Stored Communications: Provides penalties for illegally accessing communications (such as email and voice mail) stored by a service provider.
• Identity Theft and Assumption Deterrence Act of 1998: Attempts to institute specific penalties for identity theft by identifying the individual who loses their identity as the true victim, not just the commercial and financial credit entities who suffered losses.
• Federal Information Security Management Act (FISMA) of 2002: Requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
• Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003: Sets the first national standards for regulating the distribution of commercial e-mail, including mobile phone spam.
• Fraud and Related Activity in Connection with Access Devices (18 USC 1029) of 2004: Defines and formalizes law to counter threats from counterfeit access devices like ID cards, credit cards, telecom equipment, mobile or electronic serial numbers, and the equipment that creates them.
• National Cybersecurity Protection Act of 2014: Updates the Homeland Security Act of 2002, which established the Department of Homeland Security, to include a national cybersecurity and communications integration centre to share information, facilitate coordination between agencies, and perform analysis of cybersecurity incidents and risks.
• Cybersecurity Workforce Assessment Act of 2014: Tasks DHS with performing an evaluation of the national cybersecurity employee workforce at least every three years, and with developing a plan to improve recruiting and training of cybersecurity employees.

3.1.4 International Laws and Legal Bodies


Throughout the world, most countries have some combination of laws to protect data, privacy, and security. As computer capabilities continue to evolve, so do the crimes that new capabilities enable. Some critics argue that laws do not go far enough to prosecute computer crimes, while others believe that they should not be invoked when systems are breached but no damage is done. Even the definition of "damage" is debatable. For instance, has damage occurred if someone gains unauthorized access to a computer system but does not steal or change data?

IT professionals and information security practitioners must always realize that when their
organizations do business on the Internet, they do business globally. Many domestic laws and
customs do not apply to international trade, which is governed by international treaties and trade
agreements. It may seem obvious, but it is often overlooked, that there are a variety of laws and
ethical practices in place in other parts of the world. Because of the political complexities of the
relationships among nations and cultural differences, few international laws currently relate to
privacy and information security. Therefore, these international security bodies and regulations
are sometimes limited in scope and enforceability.

There are additional difficulties in legislating and enforcing laws that affect global networks. Because many countries may be involved when break-ins and other crimes occur, issues of jurisdiction arise. Other issues include: should e-mail messages be monitored for libellous or other illegal content, and, if so, who should have monitoring responsibility? Should e-mail be subject to the same laws as mail delivered by the postal service, or should it be more akin to telephone conversations and the laws that apply to them?

In 2001, the Council of Europe drafted the European Council Cybercrime Convention, which
empowers an international task force to oversee a range of Internet security functions and to
standardize technology laws across international borders. It also attempts to improve the
effectiveness of international investigations into breaches of technology law. This convention is
well received by advocates of intellectual property rights because it provides for copyright
infringement prosecution. As with any complex international legislation, the Cybercrime
Convention lacks any realistic provisions for enforcement. The goal of the convention is to
simplify the acquisition of information for law enforcement agents in certain types of
international crimes as well as during the extradition process. The convention has more than its
share of sceptics who see it as an attempt by the European community to exert undue influence
to control a complex problem. Critics of the convention say that it could create more problems
than it resolves. As the product of a number of governments, the convention tends to favour the
interests of national agencies over the rights of businesses, organizations, and individuals.

Until October 2015, many U.S. organizations that worked internationally with EU countries and
organizations had to comply with the EU-US Safe Harbor Framework, a set of guidelines
implemented between 1998 and 2000 and designed to facilitate data transfers between EU and
U.S. regulated organizations. Differences in the regulations between these two groups had
created difficulties in transferring customer data, especially due to the EU's stricter privacy
regulations. In October 2015, the European Court of Justice (ECJ) overturned the Safe Harbor
Framework, claiming the self-certification provisions were inadequate to protect customer
privacy data. In 2016, a replacement framework known as the EU-US Privacy Shield was
developed between the United States and the EU. A similar framework has also been developed
for U.S. and Swiss business commerce.

The General Data Protection Regulation (GDPR) 2016/679 is a regulation in EU law on data
protection and privacy in the European Union and the European Economic Area. The EU-US
Privacy Shield is an agreement between the EU and United States that allows for the transfer of
personal data from the EU to the United States. The GDPR has specific requirements regarding
the transfer of data out of the EU. One of these requirements is that transfers can occur only to
countries deemed to have adequate data protection laws. The Privacy Shield is designed to
implement a program in which participating companies are deemed as having adequate
protection, which will facilitate the transfer of information.

The Protection of Personal Information (POPI) Act is South Africa‘s equivalent of the EU
GDPR. It sets some conditions for responsible parties (called controllers in other jurisdictions) to
lawfully process the personal information of data subjects (both natural and juristic persons). If
you decide to process personal information in South Africa, it is your responsibility to comply
with the conditions. The goal of the POPI Act is to protect data subjects from security breaches,
theft, and discrimination.
The Commonwealth Secretariat (2017) proposed the Model Law on Computer and Computer-Related Crime, which aims to support Commonwealth countries in putting in place a legal framework for the criminalisation and investigation of computer and computer-related crimes. The
Model Law is closely related to the Model Law on Electronic Evidence, as well as the Model
Law on Electronic Transactions. The Model Law is also closely related to amendments to the
Harare Scheme relating to Mutual Legal Assistance in Criminal Matters within the
Commonwealth, approved by Law Ministers in 2011. Those amendments include new provisions
as to the interception of telecommunications and postal items; covert electronic surveillance; the
use of live video links in the course of investigations and judicial procedures; and asset recovery.
A copy of this document is available on Moodle. International treaties and Interpol, enabled by
global information systems, have made it possible to extradite, prosecute, arrest, and imprison
people suspected of criminal activity on a global basis.

3.2 Information Security Policies


To remain profitable in a competitive environment, organizations must use all resources wisely
through establishing, implementing, monitoring, and reviewing effective policies and
procedures. Policies and procedures include information regarding efficient acquisition, use, and
disposal of systems and devices. Policies are written in a language that is general enough to deal
with routine developments in business and technology. Standards, guidelines, and procedures
emanate from policies and they provide specific actionable directions to all employees.
Standards, guidelines, and procedures are written by experts such as system administrators and
can change as the specific circumstances within the organization change. Thus, while a policy
specifies a general direction for the organization to follow, without concerns for how to get there,
standards, guidelines, and procedures focus on how to get where the policy desires to go (see
Figure 1).

Policy                             | Standard                             | Guideline
-----------------------------------|--------------------------------------|------------------------
Mandatory                          | Mandatory                            | Voluntary adoption
Sets general direction             |                                      | Pre-standard
Approved and backed by management  | Builds on the policy with specifics  | Outlines optional items

Figure 1: Policies, standards and guidelines

Policies can be defined as general guidelines that describe acceptable and unacceptable employee
behaviours in the workplace. They function as organizational laws, complete with penalties,
judicial practices, and sanctions to require compliance. Because these policies function as laws,
they must be crafted and implemented with the same care to ensure that they are complete,
appropriate, and fairly applied to everyone in the workplace. The difference between a policy
and a law, however, is that ignorance of a policy is an acceptable defence and ignorance of the
law is not an excuse (ignorantia juris non excusat). Policies direct how issues should be
addressed and how technologies should be used in an organization. Policies do not specify the
proper operation of equipment or software; this information should be placed in the standards,
procedures, and practices of users' manuals and systems documentation. Figure 2 shows the
relationship between policies, standards, procedures and guidelines.

Policies
  Standards: detailed minimum specifications for compliance
  Guidelines: recommendations for compliance
  Procedures: step-by-step instructions for compliance

Figure 2: Relationship among policies, standards, guidelines and procedures

An organization's policies should reflect its objectives for its information security program.
Policies should:

 state reasons why the policy is needed
 describe what is covered by the policies
 define contacts and responsibilities
 discuss how violations will be handled
 be flexible
Policies should be like a building foundation; built to last and resistant to change or erosion. In
addition, policies must:

 balance protection with productivity
 be implementable and enforceable
 be driven by business objectives and convey the amount of risk senior management is
willing to accept
 be easily accessible and understood by the intended reader
 be created with the intent to be in place for several years and regularly reviewed, with
approved changes made as needed
For a policy to become enforceable, it must meet the following five criteria:

 Proper Dissemination: The organization must be able to demonstrate that the relevant
policy has been made readily available for review by the employee. Common
dissemination techniques include hard copy and electronic distribution.
 Read: The organization must be able to demonstrate that it disseminated the document in
an intelligible form, including versions for illiterate, non-English reading, and reading-
impaired employees. Common techniques include recordings of the policy in English and
alternate languages.
 Understood: The organization must be able to demonstrate that the employee understood
the requirements and content of the policy. Common techniques include quizzes and
other assessments.
 Compliance: The organization must be able to demonstrate that the employee agreed to
comply with the policy through act or affirmation. Common techniques include logon
banners, which require a specific action (mouse click or keystroke) to acknowledge
agreement, or a signed document clearly indicating the employee has read, understood,
and agreed to comply with the policy.
 Uniform enforcement: The organization must be able to demonstrate that the policy has
been uniformly enforced, regardless of employee status or assignment.

Only when all of these conditions are met can an organization penalize employees who violate
the policy without fear of legal retribution. Policies can be organization-wide, issue-specific or
system specific. In addition, policy should never contradict law; policy must be able to stand up
in court, if challenged; and policy must be properly administered through dissemination and
documented acceptance. Otherwise, an organization leaves itself exposed to significant liability.
According to the National Institute of Standards and Technology (NIST), organizations must
define three types of security policies:

 Enterprise information security policies (EISP): In short, the EISP details what a
company's philosophy is on security and helps to set the direction, scope, and tone for all
of an organization's security efforts. The EISP does the job of explaining the
organization's belief on how its security program should be structured as it pertains to
the different types of roles and responsibilities that exist in the company's security arena
that ensure that key information is safe from an intrusion. Components of the EISP
include:
o Statement of Purpose: What the policy is for
o Information Technology Security Elements: Defines information security. Key
elements of an EISP include:
 Network security
 Application security
 Risk management
 Disaster recovery
 Physical security
 Identity and access management

 Incident management
 Compliance management
 Training and awareness
o Need for Information Technology Security: justifies importance of information
security in the organization
o Information Technology Security Responsibilities and Roles: Defines
organizational structure
o References Information Technology standards and guidelines
 Issue-Specific Security Policies (ISSP): An ISSP addresses a specific technology, requires
frequent updates, and contains a statement of the organization's position on specific
issues. This policy addresses topics such as who has access to the Internet, use of
personal equipment on company networks, use of photocopy equipment, and prohibitions
against hacking. Components of an ISSP include:
o Statement of Purpose:
 Scope and Applicability
 Definition of Technology Addressed
 Responsibilities
o Authorized Access and Usage of Equipment:
 User Access
 Fair and Responsible Use
 Protection of Privacy
o Prohibited Usage of Equipment:
 Disruptive Use or Misuse
 Criminal Use
 Offensive or Harassing Materials
 Copyrighted, Licensed or other Intellectual Property
 Other Restrictions
o Systems Management:
 Management of Stored Materials
 Employer Monitoring
 Virus Protection
 Physical Security
 Encryption
o Violations of Policy:
 Procedures for Reporting Violations
 Penalties for Violations
o Policy Review and Modification:
 Scheduled Review of Policy and Procedures for Modification
o Limitations of Liability:
 Statements of Liability or Disclaimers

 Systems-Specific Security Policies (SysSP): A SysSP is a policy that functions as
instructions or procedures to be used when configuring systems. An example of a
SysSP is a document provided by management to guide the configuration of technology
intended to support information security. Therefore, the SysSP provides directions to
system administrators on implementing managerial policy. Each type of equipment has
its own type of policies. Two general methods of implementing such controls are:
o Access control lists
o Configuration rules

3.3 Information Security Standards and Procedures


Standards provide specifications for products, services and systems that enable them to
work. If used consistently, standards ensure quality, safety and efficiency. Standards may take
the form of a reference document that provides details about the criteria involved. A variety of
groups have created standards that offer guidance on how information security could or should
be applied to industry segments or geographic areas. The important difference between standards
and laws is that laws can be enforced by outside agencies, whereas standards simply rely on the
goodwill of the people who use them. Laws are a system of rules, or statutes, made by the
government. Some industries have security requirements defined at least in part by government
regulations; banking, health care, and education come to mind, as well as their regulations'
acronyms. Other industries impose binding requirements on themselves that include significant
enforcement mechanisms; for example, the credit card processing requirements from the
Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a set of industry
standards that are mandated for any organization that handles credit, debit, and specialty
payment cards. This standard was created by the Payment Card Industry Security Standards
Council in an effort to reduce credit card fraud. Therefore, standards can be described as
mandatory actions or rules that give formal policies support and direction. One of the more
difficult parts of writing standards for an information security program is getting a company-
wide consensus on what standards need to be in place. Standards can:

 be used to indicate expected user behaviour
 specify what hardware and software solutions are available and supported
 be compulsory, and must be enforced to be effective
Standards, unlike policies, are more detailed statements of what must be done to comply with the
policy. They have the same requirements for compliance as policies. Standards may be informal
or part of an organizational culture, as in de facto standards. Or, standards may be published,
scrutinized, and ratified by a group, as in formal or de jure standards. Practices, procedures, and
guidelines effectively explain how to comply with policy. An information security policy
provides rules for protection of the organization's information assets.

3.4 Policies and Procedures
Very often some of the best things that people can do to secure their information systems are not
necessarily technical in nature. Instead, they may involve changes within the organization and/or
better management of people's use of information systems. In general, policies and procedures
that guide users' decisions and establish responsibilities include the following:

 Confidential Information Policy: outlines how sensitive information will be handled,
stored, transmitted, and destroyed
 Security Policy: explains technical controls on all organizational computer systems, such
as access limitations, audit-control software, firewalls, and so on
 Use Policy: outlines the organization's policy regarding appropriate use of in-house
computer systems; may mandate no Internet surfing, use of company computer systems
only for employment-related purposes, restricted use of social networking and e-mail,
and so on
 Backup Policy: explains requirements for backing up data so that critical data can be
restored in case of data loss
 Account Management Policy: lists procedures for adding new users to systems and
removing users who have left the organization
 Incident Handling Procedures: lists procedures to follow when handling a security
breach
 Disaster Recovery Plan: lists all the steps an organization will take to restore computer
operations in case of a natural or deliberate disaster

While establishing such policies and procedures is crucial, they need to be clearly
communicated; organizations often require employees to acknowledge the acceptance of policies
in order to mitigate risks arising from employee noncompliance, and mechanisms should be in
place for enforcing these. Needless to say, such policies and procedures need to be continually
reviewed and updated to account for environmental changes. Companies can take several of the
following actions when creating an IT usage policy:

 Establishing Guidelines for Use of Company Software
 Defining the Appropriate Use of IT Resources
 Structuring Information Systems to Protect Data and Information
 Installing and Maintaining a Corporate Firewall
More fundamental to security than management techniques such as these is that you make every
effort to hire trustworthy employees and treat them well. Trustworthy employees who are treated
well are less likely to commit offenses affecting the organization's information systems.

3.5 System use policies and monitoring


The focus of your organization's IT security policy framework is to reduce your exposure to
risks, threats, and vulnerabilities. It is important to relate policy definition and standards to
practical design requirements. These requirements will properly apply the best security controls
and countermeasures. Policy statements must set limits as well as refer to standards, procedures,
and guidelines. Policies define how security controls and countermeasures must be used to
comply with laws and regulations. Examples of some basic IT security policies include the
following:

 Acceptable Use Policy (AUP): The AUP defines the actions that are and are not allowed
with respect to the use of organization-owned IT assets. This policy is specific to the User
Domain and mitigates risk between an organization and its employees.
 Security Awareness Policy: This policy defines how to ensure that all personnel are
aware of the importance of security and behavioural expectations under the
organization's security policy. This policy is specific to the User Domain and is relevant
when you need to change organizational security awareness behaviour.
 Asset Classification Policy: This policy defines an organization‘s data classification
standard. It tells what IT assets are critical to the organization's mission. It usually
defines the organization's systems, uses, and data priorities and identifies assets within
the seven domains of a typical IT infrastructure.
 Asset Protection Policy: This policy helps organizations define a priority for mission-
critical IT systems and data. This policy is aligned with an organization's Business
Impact Analysis (BIA) and is used to address risks that could threaten the organization's
ability to continue operations after a disaster.
 Asset Management Policy: This policy includes the security operations and management
of all IT assets within the seven domains of a typical IT infrastructure.
 Vulnerability Assessment and Management: This policy defines an organization-wide
vulnerability window for production operating system and application software. You
develop organization-wide vulnerability assessment and management standards,
procedures, and guidelines from this policy.
 Threat Assessment and Monitoring: This policy defines an organization-wide threat
assessment and monitoring authority. You should also include specific details regarding
the LAN-to-WAN Domain and AUP compliance in this policy.

Organizations need to tailor their IT security policy framework to their environment. After
conducting a security assessment of their IT setup, many organizations align policy definitions to
gaps and exposures. Policies typically require executive management and general legal counsel
review and approval.

3.6 Establishing a Security Policy


As highlighted earlier, security policy defines an organization's security requirements, as well as
the controls and sanctions needed to meet those requirements. A good security policy delineates
responsibilities and the behaviour expected of members of the organization. It outlines what
needs to be done but not how to do it. Remember, the details of how to accomplish the goals of
the policy are typically provided in separate documents and procedure guidelines. Apart from the
National Institute of Standards and Technology (NIST), the SANS (SysAdmin, Audit, Network,
Security) Institute's website (www.sans.org) also offers additional security-related policy
templates that can help an organization to quickly develop effective security policies. The
templates and other security policies include:

 Ethics Policy: This template defines the means to establish a culture of openness, trust,
and integrity in business practices.
 Information Sensitivity Policy: This sample policy defines the requirements for
classifying and securing the organization's information in a manner appropriate to its
level of sensitivity.
 Risk Assessment Policy: This template defines the requirements and provides the
authority for the information security team to identify, assess, and remediate risks to the
organization's information infrastructure associated with conducting business.
 Personal Communication Devices and Voice-mail Policy: This sample policy describes
security requirements for personal communication devices and voice mail.

Whenever possible, automated system rules should mirror an organization's written policies.
Automated system rules can often be put into practice using the configuration options in a
software program. For example, if a written policy states that passwords must be changed every
30 days, then all systems should be configured to enforce this policy automatically. However,
users will often attempt to circumvent security policies or simply ignore them altogether. When
applying system security restrictions, IT professionals must sometimes make trade-offs between
ease of use and increased security; however, when a decision is made to favour ease of use,
security incidents sometimes increase. As security techniques continue to advance in
sophistication, they become more transparent to end users.
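The 30-day password rule above, turned into an automated check that the system really enforces it. This is an added example, not part of the unit's text; it assumes a Linux host where the default maximum password age is PASS_MAX_DAYS in /etc/login.defs and the per-user maximum is the fifth field of /etc/shadow, and the login.defs and shadow content below is constructed sample data.

```python
"""Check that a written password-ageing policy is actually enforced on a host.

Added example: the written policy says passwords must be changed every 30 days.
On Linux the matching system rules are PASS_MAX_DAYS in /etc/login.defs (the
default for new accounts) and the per-user maximum age in /etc/shadow. The
audit compares both against the policy and also reports passwords already
older than the policy allows.
"""

POLICY_MAX_DAYS = 30  # the written policy's requirement (assumed, as in the text)

# Constructed sample of /etc/login.defs content (not copied from a real host).
SAMPLE_LOGIN_DEFS = """\
# Password aging controls
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
"""

# Constructed sample of /etc/shadow entries (hashes replaced by placeholders).
# Fields: name:hash:lastchange:min:max:warn:inactive:expire:reserved
# lastchange is the day of the last password change, in days since 1970-01-01.
SAMPLE_SHADOW = """\
root:$6$placeholder:18900:0:99999:7:::
alice:$6$placeholder:19700:0:30:7:::
bob:$6$placeholder:19650:0:30:7:::
carol:$6$placeholder:19710:0:60:7:::
svc-backup:!:19000:0:30:7:::
"""

TODAY_DAYS = 19723  # constructed "today": 2024-01-01 as days since the epoch


def parse_login_defs(text):
    """Return a dict of KEY -> value from login.defs-style text, ignoring comments."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        settings[parts[0]] = parts[1] if len(parts) > 1 else ""
    return settings


def parse_shadow(text):
    """Yield (name, locked, lastchange_days, max_days) for each shadow entry."""
    for line in text.splitlines():
        if not line.strip():
            continue
        name, pw_hash, lastchg, _min_age, max_age = line.split(":")[:5]
        locked = pw_hash.startswith(("!", "*"))  # account cannot log in by password
        last = int(lastchg) if lastchg else None
        max_days = int(max_age) if max_age else None
        yield name, locked, last, max_days


def audit_password_aging(login_defs_text, shadow_text, today_days, max_days=POLICY_MAX_DAYS):
    """Compare the host's password-ageing configuration against the written policy.

    Returns the system default, whether it meets policy, the users whose per-user
    maximum age is weaker than policy, and the users whose current password is
    already older than policy allows. Locked accounts are skipped.
    """
    defaults = parse_login_defs(login_defs_text)
    default_max = int(defaults.get("PASS_MAX_DAYS", 99999))
    report = {
        "default_max_days": default_max,
        "default_ok": default_max <= max_days,
        "weak_max_age": [],
        "overdue": [],
    }
    for name, locked, last, user_max in parse_shadow(shadow_text):
        if locked:
            continue
        # An empty per-user field means the login.defs default applies.
        effective_max = user_max if user_max is not None else default_max
        if effective_max > max_days:
            report["weak_max_age"].append(name)
        # No recorded change day means the age cannot be verified: treat as overdue.
        if last is None or today_days - last > max_days:
            report["overdue"].append(name)
    return report


if __name__ == "__main__":
    result = audit_password_aging(SAMPLE_LOGIN_DEFS, SAMPLE_SHADOW, TODAY_DAYS)
    print("login.defs PASS_MAX_DAYS meets policy:", result["default_ok"])
    print("per-user max age weaker than policy:", result["weak_max_age"])
    print("password older than policy allows:", result["overdue"])
```

On a real host the two texts would be read from /etc/login.defs and /etc/shadow (root only) and today_days computed from the current date.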

A growing area of concern for security experts is the use of wireless devices to access corporate
email; store confidential data; and run critical applications, such as inventory management and
sales force automation. Mobile devices such as smartphones can be susceptible to viruses and
worms. However, the primary security threat for mobile devices continues to be loss or theft of
the device. Wary companies have begun to include special security requirements for mobile
devices as part of their security policies. In some cases, users of laptops and mobile devices must
use a virtual private network (a method employing encryption to provide secure access to a
remote computer over the Internet) to gain access to their corporate network.

3.7 Accountability, Liability, and Control


Along with privacy and property laws, new information technologies are challenging existing
liability laws and social practices for holding individuals and institutions accountable. These
challenges raise questions like:

 If a person is injured by a machine controlled, in part, by software, who should be held
accountable and, therefore, held liable?
 Should a public bulletin board or an electronic service permit the transmission of
pornographic or offensive material (as broadcasters), or should they be held harmless
against any liability for what users transmit (as is true of common carriers, such as the
telephone system)?
 What about the Internet? If you outsource your information processing, can you hold the
external vendor liable for injuries done to your customers?
 Who is liable for any economic harm caused to individuals or businesses that could not
access their e-mail during a period when the mail server is down?
 If consumers pay for cell phone service, come to rely on it, and then are denied service
for a significant period of time, is the cell phone provider liable to damages?
These questions reveal the difficulties faced by information systems executives who ultimately
are responsible for any harm done by systems they have selected and installed. Beyond IT
managers, in as much as computer software is part of a machine, and the machine injures
someone physically or economically, the producer of the software and the operator can be held
liable for damages. In as much as the software acts like a book, storing and displaying
information, courts have been reluctant to hold authors, publishers, and booksellers liable for
contents (the exception being instances of fraud or defamation), and hence courts have been
wary of holding software authors liable for software. In general, it is very difficult (if not
impossible) to hold software producers liable for their software products that are considered to be
like books, regardless of the physical or economic harm that results. Historically, print
publishers, books, and periodicals have not been held liable because of fears that liability claims
would interfere with rights that guarantee freedom of expression.

What about Software as a Service (SaaS)? ATM machines are a service provided to bank
customers. Should this service fail, customers will be inconvenienced and perhaps harmed
economically if they cannot access their funds in a timely manner. Should liability protections be
extended to software publishers and operators of defective financial, accounting, simulation, or
marketing systems?

Software is very different from books. Software users may develop expectations of infallibility
about software; software is less easily inspected than a book, and it is more difficult to compare
with other software products for quality; software claims actually to perform a task rather than
describe a task, as a book does; and people come to depend on services essentially based on
software. Given the centrality of software to everyday life, the chances are excellent that liability
law will extend its reach to include software even when the software merely provides an
information service.

Telephone systems have not been held liable for the messages transmitted because they are
regulated as common carriers. In return for their right to provide telephone service, they must
provide access to all, at reasonable rates, and achieve acceptable reliability. But broadcasters and
cable television stations are subject to a wide variety of constraints on content and facilities. In
the United States, with few exceptions, Websites are not held liable for content posted on their
sites regardless of whether it was placed by the Website owners or users.

The debate over liability and accountability for unintentional consequences of system use raises
a related but independent moral dimension: What is an acceptable, technologically feasible level
of system quality? At what point should system managers say, "Stop testing, we've done all we
can to perfect this software. Ship it!" Individuals and organizations may be held responsible for
avoidable and foreseeable consequences, which they have a duty to perceive and correct. And the
grey area is that some system errors are foreseeable and correctable only at very great expense,
an expense so great that pursuing this level of perfection is not feasible economically—no one
could afford the product.

Zero defects in software code of any complexity cannot be achieved, and the seriousness of
remaining bugs cannot be estimated. Hence, there is a technological barrier to perfect software,
and users must be aware of the potential for catastrophic failure. The software industry has not
yet arrived at testing standards for producing software of acceptable, but not perfect,
performance. Although software bugs and facility catastrophes are likely to be widely reported in
the press, by far the most common source of business system failure is data quality. Few
companies routinely measure the quality of their data, but individual organizations report data
error rates ranging from 0.5 to 30 percent.

3.8 Compliance
The last 30 years have seen an explosion in computing power and in the number of ways
computers are used. The increased reliance on networked resources, hardware, and software has
created many new opportunities for the malicious use of resources. Information has become a
valued asset to organizations and an attractive target of attackers. As information-related crime
has grown, so has legislation and regulation to protect organizations and individuals from
criminal activity. Today's organizations are increasingly subject to various laws enacted to
protect the privacy of electronic information. Each organization must comply with laws and
regulations, although the specific laws and regulations to which an organization is subject
depend on the organization‘s location, the type of information it handles, and the industries in
which it operates.

Compliance is ensuring conformance with information security policies, standards, laws, and
regulations. An organization's security policy sets the tone for the way it approaches security
activities. Think of a security policy in terms of traffic laws. Traffic laws maintain a certain
degree of order and safety on the roads. If these laws aren't enforced, the roads become
dangerous. An information security policy is no different. The security policy isn't much good if
it isn't enforced. This is where compliance enters the picture. When policies are enforced, the
organization complies with those policies. Three primary means are used to ensure compliance:
 Event logs
 Compliance liaison
 Remediation

3.8.1 Event Logs
Event logs are records of actions that the operating system or application software creates. An
event log records which user or system accessed data or a resource and when. You can think of
event logs as being similar to the system a public library uses to keep track of who checks out
books. When a book is late or missing, the library checks its records to determine who last
checked out the book. When an information security breach occurs in your organization, an event
log helps determine what happened to the system and when. It can help track down the
culprit or help in fixing the problem. You can change the amount of information that event logs
record. Recording every event requires a tremendous amount of disk space and can actually slow
down your computers. It also means that reading through the log files is more difficult. On the
other hand, logging too few events may cause some important details to be missed. It is
important to record all the actions that may be needed in the future to investigate security
problems. It is also important to ensure that access to the event logs is controlled, so that an
attacker who compromises the system cannot erase any trace of the attack.
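One way to make an event log resist the "erase any trace" problem just described, as an added example that is not part of the unit's text: each record is hashed together with the previous record's hash, so deleting or altering an entry breaks the chain, and the newest hash is copied to a separate, access-controlled location (called the anchor here, an assumed name) so that quietly dropping the newest entries is caught too. The events are constructed sample data; the library-card lookup from the text is the last_access method.

```python
"""Tamper-evident event log (added example for the event-log discussion).

Each record stores who did what to which resource and when, plus the hash of the
previous record. verify() walks the chain and reports the first break; given the
anchor hash held on a separate system it also detects truncation, which a chain
check alone cannot see.
"""
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value used by the first record
FIELDS = ("ts", "user", "action", "resource", "prev")


class EventLog:
    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(record):
        # Canonical JSON so the same record always hashes the same way.
        canonical = json.dumps({k: record[k] for k in FIELDS}, sort_keys=True)
        return hashlib.sha256(canonical.encode()).hexdigest()

    def append(self, ts, user, action, resource):
        """Append a record linked to the previous one; return the new head hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = {"ts": ts, "user": user, "action": action, "resource": resource, "prev": prev}
        record["hash"] = self._digest(record)
        self.entries.append(record)
        return record["hash"]

    def head(self):
        """Hash of the newest record: this is what gets copied to the anchor."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, anchor=None):
        """Return the index of the first entry whose link or hash is broken, else None.

        With an anchor: an intact chain whose head differs from the anchor means
        records were removed (or added) after the anchor was taken; that case is
        reported as len(self.entries).
        """
        expected_prev = GENESIS
        for i, rec in enumerate(self.entries):
            if rec["prev"] != expected_prev or self._digest(rec) != rec["hash"]:
                return i
            expected_prev = rec["hash"]
        if anchor is not None and anchor != self.head():
            return len(self.entries)
        return None

    def last_access(self, resource, before):
        """Who last touched `resource` before ISO timestamp `before` (library-card lookup)."""
        hits = [r for r in self.entries if r["resource"] == resource and r["ts"] < before]
        return hits[-1]["user"] if hits else None


def build_sample_log():
    """Constructed sample events (not real log data)."""
    log = EventLog()
    log.append("2024-03-04T08:15:00Z", "alice", "READ", "payroll.db")
    log.append("2024-03-04T17:40:00Z", "bob", "WRITE", "payroll.db")
    log.append("2024-03-05T07:02:00Z", "carol", "READ", "hr-handbook.pdf")
    log.append("2024-03-05T10:30:00Z", "alice", "READ", "payroll.db")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    anchor = log.head()  # copied off-host right after the last append
    print("intact log, first broken index:", log.verify(anchor))
    print("last user on payroll.db before 09:00 on 5 March:",
          log.last_access("payroll.db", "2024-03-05T09:00:00Z"))

    erased = build_sample_log()
    del erased.entries[1]  # a record removed from the middle of the log
    print("middle record erased, detected at index:", erased.verify(anchor))

    truncated = build_sample_log()
    truncated.entries.pop()  # newest record removed
    print("newest record dropped, chain check alone:", truncated.verify())
    print("newest record dropped, checked against anchor:", truncated.verify(anchor))
```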

3.8.2 Compliance Liaison


As organizations and security policies become larger and more complex, it becomes difficult to
stay compliant. A compliance liaison makes sure all personnel are aware of and comply with the
organization's policies. Different departments within an organization might have different
security ideas or needs. A compliance liaison works with each department to ensure it
understands, implements, and monitors compliance. A compliance liaison can also help
departments understand how to include information security in their daily operations. Another
important role of a compliance liaison is dealing with outsourcing service providers. After going
through the trouble of creating interoperability documents, you need to ensure the rules you've
set down are being followed. The compliance liaison reviews agreement requirements
throughout any outsourcing engagement. This review helps validate whether or not a service
provider is in compliance with current agreements.

3.8.3 Remediation
Mitigating vulnerabilities reduces the risk of attacks against your computers and networks. In
some cases, the best solution is to block an intruder and deny access to a resource. In other cases,
it is possible to remove the vulnerability. Remediation involves fixing something that is broken
or defective. With computer systems, remediation refers to fixing security vulnerabilities. Of
course, some problems are more important than others. High-risk issues should be fixed before
lower-risk ones. When possible, the best option is to remove vulnerabilities. If vulnerabilities
cannot be effectively removed, the next best step is to remove the ability of an attacker to exploit
the vulnerability. Security policies should always be designed to protect an organization‘s assets
from attack. Compliance is extremely important in securing information technology systems.

3.9 Risks and Liabilities of Computer based Systems
Risk is the likelihood that something bad will happen to an asset. It is the level of exposure to
some event that has an effect on an asset. In the context of IT, an asset can be a computer, a
database, or a piece of information. Examples of risk include the following:

 Losing data
 Losing business because a disaster has destroyed your building
 Failing to comply with laws and regulations
A threat is any action that could damage an asset. Information systems face both natural and
human-induced threats. The threats of flood, earthquake, or severe storms require organizations
to create plans to ensure that business operation continues and that the organization can recover.
A Business Continuity Plan (BCP) gives priorities to the functions an organization needs to keep
going. A Disaster Recovery Plan (DRP) defines how a business gets back on its feet after a major
disaster such as a fire or hurricane. Human-caused threats to a computer system include viruses,
malicious code, and unauthorized access. These threats can harm an individual, business, or
organization. Vulnerability is a weakness that allows a threat to be realized or to have an effect
on an asset. To understand what vulnerability is, think about lighting a fire. Lighting a fire is not
necessarily bad. If you are cooking a meal on a grill, you will need to light a fire in the grill. The
grill is designed to contain the fire and should pose no danger if used properly. On the other
hand, lighting a fire in a computer data centre will likely cause damage. A grill is not vulnerable
to fire, but a computer data centre is. A threat by itself does not always cause damage; there must
be a vulnerability for a threat to be realized. Vulnerabilities can often result in legal liabilities. Any
vulnerability that allows a threat to be realized may result in legal action. Since computers must
run software to be useful, and since humans write software, software programs inevitably contain
errors. Thus, software vendors must protect themselves from the liabilities of their own
vulnerabilities with an End-User License Agreement (EULA). A EULA takes effect when the
user opens the package and installs the software. All software vendors use EULAs. That means
the burden of protecting IT systems and data lies on internal information systems security
professionals.

3.10 Legal Issues in IT


There is also a lack of clear guidance on legislation. Many organisations have found it difficult to
incorporate new data protection legislation into existing company policies and procedures. Legal
issues in computing are complex because the Internet is global and different countries have
different laws. For example, you might access Internet content in your browser that is regulated by
local law, but the content itself is hosted on a server in another country which is governed by
another set of laws. What is legal in one country might not necessarily be legal in another
country.

Laws are rules adopted and enforced by governments to codify expected behaviour in modern
society. They are largely drawn from the ethics of a culture, which define socially acceptable
behaviours that conform to the widely held principles of the members of that society. The key
difference between law and ethics is that law carries the sanction of a governing authority and
ethics do not. Ethics, in turn, are based on cultural mores, which are the relatively fixed moral
attitudes or customs of a societal group. Some ethics are thought to be universal. For example,
murder, theft, and assault are actions that deviate from ethical and legal codes in most, if not all,
the world's cultures. As a future IT professional, you will be required to understand the scope of
an organization's legal and ethical responsibilities. The IT professional should play an important
role in an organization's approach to controlling liability for privacy and security risks. In the
modern litigious societies of the world, sometimes laws are enforced in civil courts and plaintiffs
are awarded large payments for damages or to punish defendants. To minimize these liabilities,
the IT practitioner must understand the current legal environment and keep apprised of new laws,
regulations, and ethical issues as they emerge. By educating employees and management about
their legal and ethical obligations and the proper use of information technology and information
security, security professionals can keep their organizations focused on their primary mission.

Beyond that, however, the IT professional has a unique position within the organization. Each is
trusted with one of the most valuable assets the organization has: its information. Not only are
these professionals responsible for protecting the information, they are privy to the secrets and
structures of the systems that store, transmit, use, and protect that information. Thus, they are
individuals who must be beyond reproach, with the highest ethical and moral standards. The
Roman poet Juvenal, in his work Satire VI, asked "Quis custodiet ipsos custodes?" (loosely
translated, "Who will watch the watchmen?"). This expression has gained unique meaning
within the information security community, as IT professionals, above all else, understand the
challenges and need for accountability. Partly for this reason, it is not yet the industry standard
for organizations to hire new employees directly into information security positions, unless they
have established experience at other organizations where they have proven their trustworthiness.
While this standard may change in years to come, most organizations still expect new hires to
prove themselves worthy of the responsibility associated with this high-trust role. Therefore, it is
imperative for you to understand and take to heart this expectation of trust, the expectation of
being beyond ethical reproach, as you continue your professional journey into information
security.

Unit summary
In this unit you learned about information security. Information technology poses new and
complex ethical and legal issues which resulted in new legislative responses in the form of IT
law. IT law is an emerging area of the law in most countries, especially in the third world
countries. Since the Kingdom of Eswatini is still currently working on their own cybersecurity
and privacy laws, we looked at relevant IT laws from other countries: South Africa, UK and
USA. Even though some countries have laws that govern IT, many domestic laws and customs
do not apply to international trade, which is governed by international treaties and trade
agreements.

Legal issues in IT are also made complex because the Internet is a global network which spans
over different countries which have different laws. Also, because of the political complexities of
the relationships among nations and cultural differences, few international laws currently relate
to privacy and information security. Therefore, these international security bodies and
regulations are sometimes limited in scope and enforceability. The debate over liability and
accountability for unintentional consequences of system use raises an independent moral
dimension. This moral dimension raises the question: What is an acceptable, technologically
feasible level of system quality? Within an organization, information security professionals help
maintain security via the establishment and enforcement of policies and standards. Standards are
mandatory actions or rules that give formal policies support and direction. One of the more
difficult parts of writing standards for an information security program is getting a company-
wide consensus on what standards need to be in place. By creating and using these policies and
procedures, an organization can best protect itself from challenges by employees who have been
subject to unfavourable action (administrative or legal) resulting from an investigation.

Assessment
1. Define the following terms:
a. Procedure
b. Standard
c. Information security
2. State any two (2) purposes of the South African (ECT) Act.
3. Briefly describe the difference between a law and a bill.
4. State and explain any three (3) reasons why countries require information security laws.
5. Discuss any two (2) difficulties that can be encountered in legislating and enforcing laws
that affect global networks.
6. Describe the regulation offered by the General Data Protection Regulation (GDPR).
7. Why is it important to have international laws and legal bodies governing global
networks?
8. Discuss the process of managing IS security and describe various IS controls that can
help in ensuring IS security.
9. Briefly explain how compliance is ensured.
