Chapter 3

Legal, Ethical, and Professional

Issues in Information Security
 Learning Objectives
• Upon completion of this material, you should
be able to:
– Describe the functions of and relationships among
laws, regulations, and professional organizations
in information security
– Differentiate between laws and ethics
– Identify major national laws that affect the
practice of information security
– Explain the role of culture as it applies to ethics in
information security

2
 Introduction
• You must understand scope of an
organization’s legal and ethical responsibilities
• To minimize liabilities/reduce risks, the
information security practitioner must:
– Understand current legal environment
– Stay current with laws and regulations
– Watch for new issues that emerge

3
Law and Ethics in Information Security
• Laws: rules that mandate or prohibit
certain behavior and are enforced by the
state.
• Ethics: codes or principles of an
individual or group that regulate and
define acceptable behavior.
• Cultural mores: fixed moral attitudes or
customs of a particular group.

4
• The key difference between laws and ethics is
that
• Laws carry the authority of governing body
ethics do not.
• Ethics in turn are based on cultural mores.
Some ethical standards are universal,for eg
murder,theft,assault ,and arson are actions
that deviate from ethical and legal codes
through out the world

5
Organizational Liability and the Need
for Counsel
• Liability: legal obligation of an entity
extending beyond criminal or contract law.
• Restitution: The legal obligation to
compensate an injured party for wrongs
committed.
• Due care: The legal standard that require a
prudent organization and its employees to act
legally and ethically and know the
consequences of their actions. Also referred to
as the standard of due care

6
• Due diligence: The legal standard that require a
prudent organization and its employees to
maintain the standard of due care and ensure
that their actions are effective. Also referred to
as the standard of due diligence.
• Jurisdiction: A court's right to hear a case if a
wrong was committed in its territory or involves
its citizenry.
• Long arm jurisdiction:The application of laws to
people currently residing outside a court’s
normal jurisdiction, usually granted when a
person performs an illegal action within the
court’s jurisdiction and the leaves.
Principals of Information Security,
7
Fourth Edition
 Policy versus Law
Policies managerial directives that specify
acceptable and unacceptable employee
behaviors in the workplace.

Policies function as organizational laws,

complete with penalties, judicial practices, and
sanctions to require compliance.

8
• Because these policies function as laws, they
must be crafted and implemented with same
care to ensure that they are
complete,appropriate,and fairly applied to
everyone in the workplace.
• The key difference between a policy and a
law,however,is that ignorance of a policy is an
acceptable defense.

Principals of Information Security,

9
Fourth Edition
 Policy versus Law (cont’d.)
Criteria for policy enforcement:
– Dissemination (distribution): common
dissemination techniques include hard copy and
electronic distribution.
– Review (reading): Common techniques include
recordings of the policy in English and alternate
languages.
– Comprehension (understanding):the organization
must be able to demonstrate that the employee
understands the requirements and content of the
policy. Common techniques include quizzes and
other assessments.

Principals of Information Security,

10
Fourth Edition
• Compliance (agreement): A signed document
clearly indicating the employee has
read,understood,and agreed to comply with
the policy.
• Uniform enforcement: the organization must
be able to demonstrate that the policy has
been uniformly enforced, regardless of
employee status or assignment.

Principals of Information Security,

11
Fourth Edition
 Types of Law
• Civil: comprises a wide variety of laws that
govern a nation or state and deal with the
relationships and conflicts between
organizations and people.
• Criminal: addresses activities and conduct
harmful to society and actively enforced by the
state.law can also be categorized as private or
public.

12
• Private: encompasses family law,commerical
law and labor law,and regulates the
relationships between individuals and
organizations
• Public: regulates structure and administration
of government agencies and their
relationships with citizens, employees, and
other governments. Public law includes
criminal,administrative,and constitutional law

Principals of Information Security,

13
Fourth Edition
 Relevant U.S. Laws
• United States has been a leader in the
development and implementation of information
security legislation to prevent misuse and
exploitation of information and information
technology.
• Implementation of information security
legislation contributes to a more reliable business
environment and a stable economy
• U.S. has demonstrated understanding of
problems facing the information security field;
has specified penalties for individuals and
organizations failing to follow requirements set
forth in U.S. civil statutes

14
 General Computer Crime Laws
• Computer Fraud and Abuse Act of 1986 (CFA Act):
cornerstone of many computer-related federal
laws and enforcement efforts.
• The CFAA was amended by the National
infrastructure protection Act of 1996,which
modified several sections of the previous act and
increased the penalties for selected crimes.
The Severity of penalty depends on the value of
information obtained and whether the offense is judged
to have been committed for the following reasons
• For purposes of commercial advantage
• For private financial gain
• In furtherance of a criminal act
15
 General Computer Crime Laws
(cont’d.)
• USA PATRIOT Act of 2001: provides law
enforcement agencies with broader latitude in
order to combat terrorism-related activities
• USA PATRIOT Improvement and Reauthorization
Act: made permanent fourteen of the sixteen
expanded powers of the Department of
Homeland Security and the FBI in investigating
terrorist activity
• Computer Security Act of 1987: one of the first
attempts to protect federal computer systems by
establishing minimum acceptable security
practices

Principals of Information Security,

16
Fourth Edition
 General computer crime laws contd
• In 2002 ,congress passed the federal
information security management
Act(FISMA),which mandates that all federal
agencies establish information security
programs to protect the information assets.

Principals of Information Security,

17
Fourth Edition
 privacy
• Aggregate information: collective data that
relates to a group or category of people and
that has been altered to remove
characteristics or components that make it
possible to identify individuals within the
group.
• Information aggregation: Pieces of nonprivate
data that,when combined ,may create
information that violates privacy

Principals of Information Security,

18
Fourth Edition
• Privacy: In the context of information security
,the right of individuals or groups to protect
themselves and their information from
unauthorized access,providing confidentiality.
• Many organizations collect,swap and sell
personal as a commodity ,and as a result
many people are looking to governments to
protect their privacy from such organizations.

Principals of Information Security,

19
Fourth Edition
• The ability to collect information,combine
facts from separate sources,and merge it all
with other information has resulted in
databases that were previously impossible to
create.
• One technology that was proposed to monitor
private communications known as the clipper
chip,used an algorithm with a two-part key
that was managed by two separate
government agencies

Principals of Information Security,

20
Fourth Edition
• The chip was reportedly designed to protect
individual communications while allowing the
government to decrypt suspect transimissions.

Principals of Information Security,

21
Fourth Edition
• The privacy of customer information section
of the common carrier regulation states that
any proprietary information shall be used
explicitly for providing services,and not for
marketing purposes.
• The federal privacy Act of 1974 regulates
government agencies and holds them
accountable if they release private
information about individuals or businesses
without permission.

Principals of Information Security,

22
Fourth Edition
• The Health Insurance portability and
Accountability Act of 1996(HIPAA), protects
the confidentiality and security of healthcare
data by establishing and enforcing standards
and by standardizing electronic data
interchange.

Principals of Information Security,

23
Fourth Edition
 Privacy
• One of the hottest topics in information
security
• Is a “state of being free from unsanctioned
intrusion”
• Ability to aggregate data from multiple
sources allows creation of information
databases previously impossible
• The number of statutes addressing an
individual’s right to privacy has grown

24
 Privacy (cont’d.)
• US Regulations
– Privacy of Customer Information Section of the
common carrier regulation
– Federal Privacy Act of 1974
– Electronic Communications Privacy Act of 1986
– Health Insurance Portability and Accountability
Act of 1996 (HIPAA), aka Kennedy-Kassebaum Act
– Financial Services Modernization Act, or Gramm-
Leach-Bliley Act of 1999

25
 Privacy (cont’d.)
• Identity Theft
– Federal Trade Commission: “occurring when
someone uses your personally identifying
information, like your name, Social Security
number, or credit card number, without your
permission, to commit fraud or other crimes”
– Fraud And Related Activity In Connection With
Identification Documents, Authentication
Features, And Information (Title 18, U.S.C. § 1028)

26
• The U.S. Federal Trade Commission (FTC) now
oversee efforts to faster coordination among
groups ,more effective prosecution of
criminals engaged in identity theft,and
methods to increase restitution made to
victims.
• The FTC recommends that people take the
following four steps when they suspect they
are victims of identity theft.

Principals of Information Security,

27
Fourth Edition
• Place an initial fraud alert
• Order your credit reports
• Create an identity theft report
• Monitor your progress

Principals of Information Security,

28
Fourth Edition
 Privacy (cont’d.)
• If someone suspects identity theft
– Report to the three dominant consumer reporting
companies that your identity is threatened
– Account
• Close compromised account
• Dispute accounts opened without permission
– Register your concern with the FTC
– Report the incident to either your local police or
police in the location where the identity theft
occurred
Principals of Information Security,
29
Fourth Edition
 Health Insurance Portability and
Accountability Act of 1996 (HIPAA)
• Protects the confidentiality and security of health care
data by establishing and enforcing standards and by
standardizing electronic data interchange
HIPPAA has five fundamental principles:
• Consumer control of medical information
• Boundaries on the use of medical information
• Accountability for the privacy of private information
• Balance of public responsibility for the use of medical
information for the greater good measured against
impact to the individual
• Security of health information

Principals of Information Security,

30
Fourth Edition
 Export and Espionage Laws
• Economic Espionage Act of 1996 (EEA).this law
attempts to prevent trade secrets from being
illegally shared.
• Security And Freedom Through Encryption Act
of 1999 (SAFE) provides the guidance for the
use of encryption and provides protection
from government intervention. The acts
include provisions about encryption that:
– Reinforce the right to use or sell encryption
algorithms, without concern of key registration.
Key registration is the storage of a cryptographic
key with another party for breaking the
encryption of data.This is often called key
“escrow”. 31
• Prohibit the federal government from
requiring the use of encryption for
contracts,grants,and other official documents
and correspondence.
• State that the use of encryption is not
probable cause to suspect criminal activity.
Relax export restrictions by amending the
export administration act of 1979.
• Provide additional penalties for the use of
encryption in the commission of a criminal
act.
Principals of Information Security,
32
Fourth Edition
Figure 3-1 Export and Espionage

33
 U.S. Copyright Law
• Intellectual property recognized as protected
asset in the U.S.; copyright law extends to
electronic formats
• With proper acknowledgment, permissible to
include portions of others’ work as reference
• U.S. Copyright Office Web site:
www.copyright.gov

34
 Financial Reporting
• Sarbanes-Oxley Act of 2002,also known as SOX,or the
corporate and auditing accountability and
responsibility Act,is a critical piece of legislation that
affects executive management of publicly traded
corporations and public accounting firms
• This laws Seeks to improve the reliability and accuracy
of financial reporting and increase the accountability of
corporate governance in publicly traded companies.
• Penalties for noncompliance range from fines to jail
terms
• Reliability assurance will require additional emphasis
on confidentiality and integrity

35
 Freedom of Information Act of 1966
(FOIA)
• The FOIA allows any person to request access
to federal agency records or information not
determined to be matter of national security.
• Agencies of the federal government are
required to disclose any requested
information upon receipt of written request.

36
 State and Local Regulations
• Restrictions on organizational computer
technology use exist at international, national,
state, local levels
• Information security professional responsible
for understanding state regulations and
ensuring organization is compliant with
regulations

37
 International Laws and Legal Bodies
• When organizations do business on the Internet,
they do business globally
• Professionals must be sensitive to laws and
ethical values of many different cultures,
societies, and countries
• Because of political complexities of relationships
among nations and differences in culture, there
are few international laws relating to privacy and
information security
• These international laws are important but are
limited in their enforceability
38
 European Council Cyber-Crime
Convention
• Establishes international task force overseeing
Internet security functions for standardized
international technology laws
• Attempts to improve effectiveness of
international investigations into breaches of
technology law
• Well received by intellectual property rights
advocates due to emphasis on copyright
infringement prosecution
• Lacks realistic provisions for enforcement
39
 Agreement on Trade-Related Aspects
of Intellectual Property Rights
• Created by World Trade Organization (WTO)
• First significant international effort to protect
intellectual property rights
• Outlines requirements for governmental
oversight and legislation providing minimum
levels of protection for intellectual property

40
 Agreement on Trade-Related Aspects
of Intellectual Property Rights (cont’d.)
• Agreement covers five issues:
– Application of basic principles of trading system
and international intellectual property agreements
– Giving adequate protection to intellectual
property rights
– Enforcement of those rights by countries in their
own territories
– Settling intellectual property disputes
– Transitional arrangements while new system is
being introduced
Principals of Information Security,
41
Fourth Edition
 Digital Millennium Copyright Act
(DMCA)
• U.S. contribution to international effort to reduce
impact of copyright, trademark, and privacy
infringement
• A response to European Union Directive 95/46/EC,
• Prohibits
– Circumvention of protections and countermeasures
– Manufacture and trafficking of devices used to circumvent
such protections
– Prohibits altering information attached or imbedded in
copyrighted material
• Excludes ISPs from some copyright infringement

42
 Ethics and Information Security
• Many Professional groups have explicit rules
governing ethical behavior in the workplace
• IT and IT security do not have binding codes of
ethics
• Professional associations and certification
agencies work to establish codes of ethics
– Can prescribe ethical conduct
– Do not always have the ability to ban violators
from practice in field

Principals of Information Security,

43
Fourth Edition
44
Ethical Differences Across Cultures
• Cultural differences create difficulty in
determining what is and is not ethical
• Difficulties arise when one nationality’s ethical
behavior conflicts with ethics of another national
group
• Scenarios are grouped into:
– Software License Infringement
– Illicit Use
– Misuse of Corporate Resources
• Cultures have different views on the scenarios

45
 Ethics and Education
• Overriding factor in levelling ethical
perceptions within a small population is
education
• Employees must be trained in expected
behaviors of an ethical employee, especially in
areas of information security
• Proper ethical training is vital to creating
informed, well prepared, and low-risk system
user

46
 Deterring Unethical and Illegal
Behavior
• Three general causes of unethical and illegal
behavior: ignorance, accident, intent
• Deterrence: best method for preventing an illegal
or unethical activity; e.g., laws, policies, technical
controls
• Laws and policies only deter if three conditions
are present:
– Fear of penalty
– Probability of being caught
– Probability of penalty being administered

47
 Codes of Ethics and Professional
Organizations
• Several professional organizations have
established codes of conduct/ethics
• Codes of ethics can have positive effect;
unfortunately, many employers do not encourage
joining these professional organizations
• Responsibility of security professionals to act
ethically and according to policies of employer,
professional organization, and laws of society

48
Major IT Professional Organizations
• Association of Computing Machinery (ACM)
– Established in 1947 as “the world's first
educational and scientific computing society”
– Code of ethics contains references to protecting
information confidentiality, causing no harm,
protecting others’ privacy, and respecting others’
intellectual property

49
 Major IT Professional Organizations
(cont’d.)
• International Information Systems Security
Certification Consortium, Inc. (ISC)2
– Nonprofit organization focusing on development
and implementation of information security
certifications and credentials
– Code primarily designed for information security
professionals who have certification from (ISC)2
– Code of ethics focuses on four mandatory canons

50
 Major IT Professional Organizations
(cont’d.)
• System Administration, Networking, and
Security Institute (SANS)
– Professional organization with a large membership
dedicated to protection of information and
systems
– SANS offers set of certifications called Global
Information Assurance Certification (GIAC)

51
 Major IT Professional Organizations
(cont’d.)
• Information Systems Audit and Control
Association (ISACA)
– Professional association with focus on auditing,
control, and security
– Concentrates on providing IT control practices and
standards
– ISACA has code of ethics for its professionals

52
 Major IT Professional Organizations
(cont’d.)
• Information Systems Security Association
(ISSA)
– Nonprofit society of information security (IS)
professionals
– Primary mission to bring together qualified IS
practitioners for information exchange and
educational development
– Promotes code of ethics similar to (ISC)2, ISACA,
and ACM

53
 Key U.S. Federal Agencies
• Department of Homeland Security (DHS)
– Made up of five directorates, or divisions
– Mission is to protect the people as well as the
physical and informational assets of the US
• Federal Bureau of Investigation’s National
InfraGard Program
– Maintains an intrusion alert network
– Maintains a secure Web site for communication
about suspicious activity or intrusions
– Sponsors local chapter activities
– Operates a help desk for questions

54
Key U.S. Federal Agencies (cont’d.)
• National Security Agency (NSA)
– Is the Nation’s cryptologic organization
– Protects US information systems
– Produces foreign intelligence information
– Responsible for signal intelligence and information
system security
• U.S. Secret Service
– In addition to protective services, charged with the
detection and arrest of persons committing a federal
office relating to computer fraud or false identification

Principals of Information Security,

55
Fourth Edition
 Summary
• Laws: rules that mandate or prohibit certain
behavior in society; drawn from ethics
• Ethics: define socially acceptable behaviors;
based on cultural mores (fixed moral attitudes
or customs of a particular group)
• Types of law: civil, criminal, private, public

56
 Summary (cont’d.)
• Relevant U.S. laws:
– Computer Fraud and Abuse Act of 1986 (CFA Act)
– National Information Infrastructure Protection Act
of 1996
– USA PATRIOT Act of 2001
– USA PATRIOT Improvement and Reauthorization
Act
– Computer Security Act of 1987
– Title 18, U.S.C. § 1028
57
 Summary (cont’d.)
• Many organizations have codes of conduct
and/or codes of ethics
• Organization increases liability if it refuses to
take measures known as due care
• Due diligence requires that organization make
valid effort to protect others and continually
maintain that effort

58