
CSG3309 IT Security Management

Legal, Ethical and Professional issues


Objectives

• Understand why legal issues are critical to IT Security Management
• Differentiate between law, ethics and cultural mores
• Differentiate between policies, codes of conduct and laws
• Introduce the Australian Privacy Act and the APPs
• Introduce various international laws and regulations relating to various aspects of Information Security
• Understand the importance of ethics and law across cultures
• How to deter unethical behaviour
• Review codes of conduct for various standards and certification organisations
• Identify key Australian and International laws applicable to the management of information technology.
Law and Ethics
Introduction
You must understand the scope of an organisation’s legal and ethical responsibilities.
To minimise liabilities and reduce risks, the information security practitioner must:
• Understand the current legal environment
• Stay current with laws and regulations
• Watch for new issues that emerge
What can go wrong?

A lawsuit against Zurich Insurance Group has been launched by Mondelez in a bid
to seek a reported $100 million in damages after an insurance claim was not paid
out in relation to a NotPetya cyberattack.
Source: NotPetya and Act of War

Five senior executives, including the CEO, were fined for their role in
Singapore's most serious security breach, which compromised personal data of 1.5
million SingHealth patients. In addition, two employees were sacked relating to the
breach. A lead in the team and the response manager were found to be negligent.
Source: Employees sacked, CEO fined in SingHealth security breach
Law and Ethics in Information Security
Laws: rules that mandate or prohibit certain societal behaviour and are enforced by the state.
Ethics: define socially acceptable behaviour.
Cultural mores: fixed moral attitudes or customs of a particular group; ethics are based on these.
Laws carry sanctions of a governing authority; ethics do not.


Organisational Liability & Need for Counsel
• Liability: an entity’s legal obligation or responsibility
• Restitution: a legal requirement to make compensation or payment resulting from loss or injury
• Due care: ensuring that employees know what constitutes acceptable behaviour and know the consequences of illegal or unethical actions
• Due diligence: reasonable steps taken by people or organisations to meet the obligations imposed by laws or regulations
• Jurisdiction: the power to make legal decisions and judgements, typically an area within which an entity such as a court or law enforcement agency is empowered to make legal decisions
• Long arm jurisdiction: the ability of a legal entity to exercise its influence beyond its normal boundaries by asserting a connection between an out-of-jurisdiction entity and a local legal case
(Whitman, 2018)
Types of Law
The law is the system of rules and regulations enforced to regulate behaviour so society can function efficiently and harmoniously.
• Civil: governs nation or state; manages relationships/conflicts between organisational entities and people.
• Criminal: addresses violations harmful to society; actively enforced by the state.
• Private: regulates relationships between individuals and organisations.
• Public: regulates structure/administration of government agencies and relationships with citizens, employees, and other governments.
Road map…
Why are IT Security Policies and Legal & Ethical issues so intertwined? Let’s find out!
(Diagram: Introduction to IT Security Management; Legal and Ethical issues; IT Security Policies)


Policy underpins all IT Security Management
Security and organisational policies define things like:
• What people can or cannot do
• How things should be done
• Minimum standards
• Expectations and consequences
Documented policies are the most powerful tool an IT Security Manager can have.
• For example:
• Without policies changes to firewall rules are just haphazard adjustments.
• Without policies users can do whatever they want (install software, open connections to dodgy
websites).
• Without policies management can’t communicate expectations to end users.
• Without policies you have no protection against rogue operators or staff.

We’ll come back to this later in the unit. “Oh, we’re on the detour?”
What is a policy?
Definition (Macquarie dictionary):
1. a definite course of action adopted as expedient or from other considerations: a business policy.
2. a course or line of action adopted and pursued by a government, ruler, political party, or the like: the foreign policy of a country.
Policies are rules, and sometimes consequences...
• Your password must be longer than 8 characters, contain at least: one letter, one number and a special character.
• Only Tim from accounting can authorise a change of bank details for a supplier.
• You must cite your sources and use the American Psychological Association (APA) style of referencing.
• Don’t waste company time on reddit or you will be fired.
Policy… (cont)
• Policies: body of expectations that describe acceptable and unacceptable employee behaviours in the workplace.
• Policies function as laws within an organisation; they must be crafted carefully to ensure they are complete, appropriate, and fairly applied to everyone.
• Difference between policy and law: ignorance of a policy is an acceptable defence.
Policy… (cont)

Criteria for policy enforcement:

Dissemination (Distribution)
Review (Reading)
Comprehension (Understanding)
Compliance (Agreement)
Uniform (Enforcement)
Legislation and Law
International
Around the world… Europe
• A Directive on attacks against information systems (2013) to tackle large-scale cyber-attacks
• A Directive on combating the sexual exploitation of children online and child pornography (2011) addresses new developments in the online environment (grooming: offenders posing as children to lure minors for the purpose of sexual abuse)
• ePrivacy Directive (2002): providers of electronic communications services must ensure the security of their services and maintain the confidentiality of client information
• Framework Decision on combating fraud and counterfeiting (2001) of non-cash means of payment, which defines the fraudulent behaviours that EU States need to consider as punishable criminal offences
• General Data Protection Regulation (GDPR)
Read more on EU Cybercrime response
Around the world… USA
• USA PATRIOT Improvement and Reauthorisation Act: made permanent fourteen of the sixteen expanded powers of the Department of Homeland Security and the FBI in investigating terrorist activity.
• CLOUD Act (Clarifying Lawful Overseas Use of Data) enacted 2018 (we will come back to this later)
Around the world… (cont.)
USA (So, so many laws... see textbook!)
General Data Protection Regulation - GDPR
The General Data Protection Regulation (GDPR) was approved by the EU Parliament and enforced on 25 May 2018.
GDPR provides rights for individuals to know and understand what data is stored about them and the purpose of its use.
The primary areas of focus for GDPR are:
• consent
• access to personal data
• data erasure
• data portability
• breach notification
• opt-in rather than opt-out
• accountability
GDPR - Right to be forgotten!
An EU ruling. In Australia this right does not exist; introducing it would require a new APP, and it would be much more limited, e.g. “require an APP entity to provide a simple mechanism for an individual to request destruction or de-identification of personal information that was provided to the entity by the individual.”
International Laws and Legal Bodies
• When organisations do business on the Internet, they do business globally
• Professionals must be sensitive to laws and ethical values of many different cultures, societies, and countries
• Because of political complexities of relationships among nations and differences in culture, there are few international laws relating to privacy and information security
• International laws are important but are limited in their enforceability
Agreement on Trade-Related Aspects of Intellectual Property Rights …
• Created by the World Trade Organization (WTO)
• First significant international effort to protect intellectual property rights
• Outlines requirements for governmental oversight and legislation providing minimum levels of protection for intellectual property
Agreement on Trade-Related Aspects of Intellectual Property Rights… (cont)
The agreement covers five issues:
• Application of basic principles of the trading system and international intellectual property agreements
• Giving adequate protection to intellectual property rights
• Enforcement of those rights by countries in their own territories
• Settling intellectual property disputes
• Transitional arrangements while the new system is being introduced
Legislation and Law
Australia
Relevant Australian Laws – High Tech Crime
High tech crime offences are defined in Commonwealth legislation within Part 10.7 - Computer Offences of the Criminal Code Act 1995.
These include:
• computer intrusions, e.g. malicious hacking
• unauthorised modification of data, including destruction of data
• denial-of-service (DoS) attacks
• distributed denial of service (DDoS) attacks using botnets
• the creation and distribution of malicious software, e.g. viruses, worms, and trojans.
In Australia, each State and Territory has its own legislated computer-related offences (similar to the Commonwealth legislation).
Australia’s Cybercrime Legislation Amendment Act 2012…
Cybercrime Legislation Amendment Act 2012
• Establishes the legislative framework for Australia's accession to the Council of Europe Convention on Cybercrime (Convention), of which 34 countries are signatory.
• The Cybercrime Legislation Amendment Act 2012 amends the Telecommunications (Interception and Access) Act 1979 (the TIA Act), the Criminal Code Act 1995 (the Criminal Code Act), the Mutual Assistance in Criminal Matters Act 1987 (the MA Act) and the Telecommunications Act 1997 (the Telecommunications Act).
Cybercrime Legislation Amendment Act 2012… (cont)
Aims to:
• empower Australia's law enforcement and intelligence agencies to compel carriers to preserve the communication records of persons suspected of cyber-based crimes
• facilitate international cooperation through the cross-border sharing of communication records
• address data preservation, accessing stored communications, international co-operation, and cybercrime offences
Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015
The Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 amends:
• Telecommunications (Interception and Access) Act 1979
• Telecommunications Act 1997
Retention amendments (records retained for 2 years):
• Phone caller identification, date, time and call duration
• Location of the calling device
• Sender’s email address
• Date and time of emails and their recipients
• Email attachment information, such as size and file formats
• ISP account details
Cybercrime Act 2001
• The Cybercrime Act 2001 also introduced law enforcement powers relating to the search and seizure of electronically stored data.
• These powers allow officers to copy data, to access data that is not physically at the warrant premises, and to uplift and move equipment if it is reasonably believed that the equipment contains or constitutes evidential material.
IT Security professionals need to be very aware of the tools they use and distribute.
Surveillance Devices Act 2004

Purpose is to establish procedures for law enforcement officers to obtain warrants, emergency
authorisations and tracking device authorisations for the installation and use of surveillance devices in
relation to criminal investigations and establish procedures for law enforcement to obtain warrants for the
installation and use of surveillance devices.

• A separate new power is to be inserted in the Surveillance Devices Act 2004 to give agencies the ability to
search electronic devices and access content on those devices.
• These warrants are distinct from surveillance device warrants whereby agencies will be allowed to use
software to monitor inputs and outputs from devices.
• Investigators would be able to enter a premises, access devices, copy data (or take the device themselves)
and conceal their tracks.
• The warrants can be issued by either a judge or “AAT [Administrative Appeals Tribunal] members”.
Identity-Matching Services Bill 2019
Aims to facilitate the secure, automated exchange of identity information between the federal, state and territory governments to meet the objectives of the Intergovernmental Agreement on Identity Matching Services (IGA).
Under the IGA, the Commonwealth and all states and territories agreed to preserve or introduce legislation to support the collection, use and disclosure of facial images and related identity information among the entities via a set of identity matching services in order to support national security and reduce terrorism and crime.
Explanatory Memoranda, Identity Matching Service Bill (2018)
Status: Lapsed (Not proceeding)
Privacy Amendment (Public Health Contact Information) Act 2020
Amended the Privacy Act 1988 to incorporate into primary legislation the provisions of the Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) (Emergency Requirements—Public Health Contact Information) Determination 2020.
Provides privacy protections for users of, and data collected by, the COVIDSafe app; and introduces additional privacy protections.
Also repeals the Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) (Emergency Requirements—Public Health Contact Information) Determination 2020; and provides for the future repeal of certain definitions and Part VIIIA of the Privacy Act 1988.
Enacted on May 15, 2020.
Telecommunications and Other Legislation Amendment
(Assistance and Access) Act 2018
The Telecommunications and Other Legislation Amendment (Assistance and
Access) Act 2018 amends:
 Telecommunications Act 1997 (Telecommunications Act)
 Telecommunications (Interception and Access) Act 1979 (TIA Act)
 Surveillance Devices Act 2004 (SD Act)
 Crimes Act 1914 (Crimes Act)
 Mutual Assistance in Criminal Matters Act 1987 (MACMA),
 Australian Security Intelligence Organisation Act 1979 (ASIO Act)
 Customs Act 1901 (Customs Act)
Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018
• Introduced measures to better deal with the challenges posed by encryption.
• The Act provides for three new law enforcement tools: Technical Assistance Requests (TARs), Technical Assistance Notices (TANs) and Technical Capability Notices (TCNs).
• The application of TARs and TANs may involve removal of manufacturing protection, installing software on devices, or requesting information from the manufacturer about devices, such as technical information.
Surveillance Amendment (Identify and Disrupt) Act 2021

Aims to amend the Surveillance Devices Act 2004, the Crimes Act 1914 and associated legislation.
Introduces:
• a data disruption warrant which enables the AFP and the ACIC to access data on one or more computers
and perform disruption activities for the purpose of frustrating the commission of criminal activity;
• a network activity warrant to enable the AFP and the ACIC to collect intelligence on criminal networks
operating online;
• an account takeover warrant to allow the AFP and the ACIC to take over a person's online account for the purposes of gathering evidence of criminal activity; and
• minor amendments to the controlled operations regime, to ensure controlled operations can be conducted
effectively in the online environment.
Other legislation
• Extradition (Cybercrime) Regulation 2013: implements Australia's extradition obligations under the Council of Europe Convention on Cybercrime
• Mutual Assistance in Criminal Matters (Cybercrime) Regulation 2013: implements Australia's mutual assistance obligations under the Council of Europe Convention on Cybercrime
• Spam Act 2003: effective on 10 April 2004; makes it illegal to send, or cause to be sent, ‘unsolicited commercial electronic messages’ that have an Australian link
Australian Privacy Act and the APPs
Privacy
Privacy Act 1988
The Privacy Act is the Australian law that regulates the handling of personal information about individuals.
The Privacy Act includes thirteen Australian Privacy Principles (APPs). The APPs set out standards, rights and obligations for the handling, holding, use, accessing and correction of personal information (including sensitive information).
There are exemptions to the Privacy Act:
• Most small businesses do not need to comply if their annual turnover is less than $3 million
• Local councils
• State or territory governments
• Various government agencies
Privacy – Australian Privacy Principles
The 13 APPs are contained in schedule 1 of the Privacy Act 1988
APP 1 — Open and transparent management of personal information
• Ensures that APP entities manage personal information in an open and transparent way. This includes having a clearly
expressed and up to date APP privacy policy.
APP 2 — Anonymity and pseudonymity
• Requires APP entities to give individuals the option of not identifying themselves, or of using a pseudonym. Limited
exceptions apply.
APP 3 — Collection of solicited personal information
• Outlines when an APP entity can collect personal information that is solicited. It applies higher standards to the
collection of ‘sensitive’ information.
APP 4 — Dealing with unsolicited personal information
• Outlines how APP entities must deal with unsolicited personal information.
APP 5 — Notification of the collection of personal information
• Outlines when and in what circumstances an APP entity that collects personal information must notify an individual of
certain matters
APP 6 — Use or disclosure of personal information
• Outlines the circumstances in which an APP entity may use or disclose personal information that it holds.
APP 7 — Direct marketing
• An organisation may only use or disclose personal information for direct marketing purposes if certain conditions are
met.
APP 8 — Cross-border disclosure of personal information
• Outlines the steps an APP entity must take to protect personal information before it is disclosed overseas.
APP 9 — Adoption, use or disclosure of government related identifiers
• Outlines the limited circumstances when an organisation may adopt a government related identifier of an individual
as its own identifier, or use or disclose a government related identifier of an individual.
APP 10 — Quality of personal information
• An APP entity must take reasonable steps to ensure the personal information it collects is accurate, up to date
and complete. An entity must also take reasonable steps to ensure the personal information it uses or discloses
is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure.
APP 11 — Security of personal information
• An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and
loss, and from unauthorised access, modification or disclosure. An entity has obligations to destroy or de-
identify personal information in certain circumstances.
APP 12 — Access to personal information
• Outlines an APP entity’s obligations when an individual requests to be given access to personal information held
about them by the entity. This includes a requirement to provide access unless a specific exception applies.
APP 13 — Correction of personal information
• Outlines an APP entity’s obligations in relation to correcting the personal information it holds about individuals.
Notifiable Data Breach Scheme (NDB)
Agencies and organisations regulated under the Australian Privacy Act (1988) need to comply with a recent amendment, the Notifiable Data Breach Scheme (NDB), enforced on February 22, 2018.
The NDB scheme sets out obligations for notifying affected individuals and the Australian Information Commissioner (OAIC) about a data breach that could result in serious harm to an individual.
Serious harm can be psychological, emotional, physical, reputational, or other forms of harm. Understanding whether serious harm could occur requires an evaluation of the context of the data breach, for instance unauthorised access to sensitive medical data or financial information.
OAIC https://www.oaic.gov.au
Optus Breach
The Office of the Australian Information Commissioner (OAIC) is the independent national regulator for privacy and freedom of information in Australia. The OAIC’s role is to uphold rights to access government-held information and to ensure personal information is protected.
2022 Optus data breach Class Action
Maurice Blackburn has made a representative complaint to the Office of the Australian Information Commissioner (OAIC) against Optus for a breach of the Privacy Act 1988 (Cth) over the Optus data breach that involved millions of current and former Optus account holders.
Compromised customer data includes names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses and ID document numbers such as driver’s licence or passport numbers.
The complaint alleges that Optus breached privacy laws by failing to adequately protect the personal information of its current and former customers.
International Law and Australia ….
Telecommunications Legislation Amendment (International Production Orders) Bill 2020
The Parliamentary Joint Committee on Intelligence and Security (PJCIS) has commenced a review into the effectiveness of the Bill.
The bill aims to amend the Telecommunications (Interception and Access) Act 1979 to:
• provide a framework for Australian agencies to obtain independently-authorised international production orders for interception, stored communications and telecommunications data directly to designated communications providers in foreign countries with which Australia has a designated international agreement
• amend the regulatory framework to allow Australian communications providers to intercept and disclose electronic information in response to an incoming order or request from a foreign country with which Australia has an agreement
• make amendments contingent on the commencement of the proposed Federal Circuit and Family Court of Australia Act 2020; and
• remove the ability for nominated Administrative Appeals Tribunal members to issue certain warrants.
Status: Enacted as an Act on 23 July 2021
International Law and Australia … (cont)
Telecommunications Legislation Amendment (International Production Orders) Act 2021 and the CLOUD Act:
• CLOUD Act (Clarifying Lawful Overseas Use of Data) enacted 2018
• provides that the obligation to comply with search warrant requirements applies regardless of whether a communication, record or other information is located within or outside of the United States
• allows federal law enforcement to compel U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the U.S. or not
The PJCIS is now considering this in the review with regards to data stored in Australia using services such as Amazon. What does this mean for your COVID App data?
SCCs and Data Responsibilities
SCCs
The Standard Contractual Clauses (SCCs) are standard sets of contractual terms and conditions which the sender and the receiver of personal data both sign up to, aimed at protecting personal data leaving the European Economic Area (EEA) through contractual obligations in compliance with GDPR requirements.
Data Responsibilities
• Data owner: responsible for the security and use of a particular set of information
• Data custodian: responsible for storage, maintenance, and protection of information
• Data users: end users who work with information to perform their daily jobs supporting the mission of the organisation
Australian Freedom of Information Legislation
Freedom of Information Amendment (Reform) Act 2010
• Individuals have the right to request access to documents from Australian Government ministers and most agencies under the Freedom of Information Act 1982 (FOI Act).
State and Local Regulations
• Restrictions on organisational computer technology use exist at international, national, state and local levels.
• The information security professional is responsible for understanding state regulations and ensuring the organisation is compliant with those regulations.
State Privacy Legislation
State Legislation
• ACT: Information Privacy Act 2014 (ACT)
• NSW: Privacy and Personal Information Protection Act 1998 (NSW); Health Records and Information Privacy Act 2002 (NSW)
• QLD: Information Privacy Act 2009 (Qld)
• NT: Information Act 2002 (NT)
• WA: Currently does not have privacy legislation – BUT: Protection of Information (Entry Registration Information Relating to COVID-19 and Other Infectious Diseases) Act 2021
• SA: Currently does not have privacy legislation
• TAS: Personal Information and Protection Act 2004 (Tas)
• VIC: Privacy and Data Protection Act 2014 (VIC); Health Records Act 2001 (VIC)
Updates to State and Territory privacy legislation can be found on the OAIC website.
Australian Copyright Law
• Intellectual property is recognised as a protected asset in law, and this protection extends to electronic formats.
• With proper acknowledgment, it is permissible to include portions of others’ work as reference.
• Australian Copyright Office Web site: http://www.copyright.org.au/
• Copyright (International Protection) Regulations 1969
ACORN – Australian Cybercrime Online Reporting
Network
“The Australian Cybercrime Online Reporting Network (ACORN) is a national
policing initiative of the Commonwealth, State and Territory governments.
A national online system that allows the public to securely report instances of
cybercrime.
The ACORN has been designed and is delivered in collaboration with:
• All Australian police agencies
• The Australian Criminal Intelligence Commission
• The Australian Attorney-General’s Department
• The Australian Competition and Consumer Commission
• The Australian Communications and Media Authority
• The Office of the Children's eSafety Commissioner”
Privacy, surveillance – and security
Privacy and security can sometimes be in conflict.
• Libertarians often argue against surveillance for security:
• but… “Liberty and security exist on a sliding scale: the more liberty one
possesses, the more one exposes oneself to risk of attack.” - Matthew
Beard, a research associate with the Centre for Faith, Ethics & Society at the
University of Notre Dame. (Beard, 2014)
• For example, security & intelligence organisations often want backdoors and to break encryption:
• but… "There's no option to make a device secure against bad guys, but
insecure against good guys." - Edward Snowden (CuriosityStream, 2016).
Relevant laws, some key points
• Many, many laws affect you.
• It’s almost certain that at least one law covers an activity or action you will take.
• Australian business may need to be aware of European and American laws, especially if doing business overseas.
Professional Organizations and Their Codes of Ethics
A number of professional organizations have established codes of conduct and/or codes of ethics that members are expected to follow.
Codes of ethics can have a positive effect on an individual’s judgment regarding computer use.
It remains the individual responsibility of security professionals to act ethically and according to the policies and procedures of their employers, their professional organizations, and the laws of society.
Source: Management of Information Security, 5th Edition - © Cengage Learning
Ethical Differences Across Cultures
Cultural differences create difficulty in determining what is and is not ethical.
Difficulties arise when one nationality’s ethical behaviour conflicts with the ethics of another national group.
Scenarios are grouped into:
• Software Licence Infringement
• Illicit Use
• Misuse of Corporate Resources
Cultures have different views on the scenarios.
ACM – Association for Computing Machinery
The ACM is a respected professional society, originally established in 1947, as “the world's first educational and scientific computing society”.
The ACM’s code of ethics requires members to perform their duties in a manner befitting an ethical computing professional.

(ISC)2 - International Information Systems Security Certification Consortium
The code of ethics put forth by (ISC)2 is primarily designed for information security professionals who have earned one of their certifications.
This code includes four mandatory canons:
• Protect society, the commonwealth, and the infrastructure
• Act honorably, honestly, justly, responsibly, and legally
• Provide diligent and competent service to principals
• Advance and protect the profession
SANS
Founded in 1989, SANS is a professional research and education cooperative organization with over 156,000 security professionals, auditors, system and network administrators.
The SANS GIAC Code of Ethics requires:
• Respect for the public
• Respect for the certification
• Respect for my employer
• Respect for myself
ISACA
ISACA is a professional association with a focus on auditing, control, and security.
Members and ISACA certification holders shall:
• Support the implementation of, and encourage compliance with, appropriate standards, procedures, and controls for information systems
• Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards and best practices
• Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession
• Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority; such information shall not be used for personal benefit or released to inappropriate parties
• Maintain competency in their respective fields, and agree to undertake only those activities that they can reasonably expect to complete with professional competence
• Inform appropriate parties of the results of work performed, revealing all significant facts known to them
• Support the professional education of stakeholders in enhancing their understanding of information systems security and control
ISSA – Information Systems Security Association
The Information Systems Security Association (ISSA) (www.issa.org) is a nonprofit society of information security professionals.
As a professional association, its primary mission is to bring together qualified practitioners of information security for information exchange and educational development.
ISSA provides conferences, meetings, publications, and information resources to promote information security awareness and education.
ISSA also promotes a code of ethics, similar to those of (ISC)2, ISACA, and the ACM, “promoting management practices that will ensure the confidentiality, integrity, and availability of organizational information resources.”
Major IT Professional organisations
• Association for Computing Machinery (ACM)
• International Information Systems Security Certification Consortium, Inc. (ISC)2
• System Administration, Networking, and Security Institute (SANS)
• Information Systems Audit and Control Association (ISACA)
The Ten Commandments of Computer Ethics (Computer Ethics Institute)
Thou shalt not:
1. Use a computer to harm other people
2. Interfere with other people's computer work
3. Snoop around in other people's computer files
4. Use a computer to steal
5. Use a computer to bear false witness
6. Copy or use proprietary software for which you have not paid
7. Use other people's computer resources without authorization or proper compensation
8. Appropriate other people's intellectual output
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing
10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans
Deterring Unethical & Illegal Behavior
Three general causes of unethical and illegal behaviour: ignorance, accident, intent.
Deterrence: the best method for preventing an illegal or unethical activity; e.g., laws, policies, technical controls.
Laws and policies only deter if three conditions are present:
• Fear of penalty
• Probability of being caught
• Probability of penalty being administered
Other Resources
The International Association of Privacy Professionals (IAPP) is a resource for professionals who want to develop and advance their careers by helping organisations successfully manage risk and protect data: https://iapp.org
Privacy watchdog in Australia: Australian Privacy Foundation (APF): https://privacy.org.au
Summary
• Laws are formally adopted rules for acceptable behavior in modern society. Ethics are socially acceptable behaviors
• The key difference between laws and ethics is that laws bear the sanction of a governing authority and ethics do
not
• Organizations formalize desired behaviors in documents called policies
• Unlike laws, policies must be read and explicitly agreed to by employees before they are binding
• Policies function as laws within an organization; must be crafted carefully to ensure they are complete, appropriate,
fairly applied to everyone.
• The Australian Cybercrime Online Reporting Network (ACORN) is a national online system that allows the public to
securely report instances of cybercrime
• As IT/Security professionals, you must understand the scope of an organization’s legal and ethical responsibilities.
• Good IT security policy should ensure an organisation’s processes and activities align with legal obligations.
• It’s almost certain that at least one law covers an activity or action you will take.
• Australian business may need to be aware of European and American laws, especially if doing business overseas.
• A number of professional organizations have established codes of conduct and/or codes of ethics that members are
expected to follow.
