Uploaded by Sanket Deshmukh

SPG | Unit-2
1) What is the best method for preventing illegal or unethical
behavior?
Deterrence is the best method for preventing illegal or unethical activity.
Laws, policies, and technical controls are all examples of deterrents. However,
laws and policies and their associated penalties only deter if three conditions
are present:
1. Fear of penalty - Threats of informal reprimand or verbal warnings may not
have the same impact as the threat of termination, imprisonment, or forfeiture
of pay.
2. Probability of being caught - There must be a strong possibility that
perpetrators of illegal or unethical acts will be caught.
3. Probability of the penalty being administered - The organization must be
willing and able to impose the penalty.
2) Of the professional organizations discussed in this chapter,
which has been in existence the longest time? When was it
founded?
The ACM (www.acm.org), a well-respected professional society, was
established in 1947 as the world's first educational and scientific computing
society. It is one of the few organizations that strongly promotes education
and provides discounted membership for students. The ACM's code of ethics
requires members to perform their duties in a manner befitting an ethical
computing professional. The code contains specific references to protecting
the confidentiality of information, causing no harm (with specific references to
viruses), protecting the privacy of others, and respecting the intellectual
property and copyrights of others. The ACM also publishes a wide variety of
professional computing publications, including the highly regarded
Communications of the ACM.
3) Of the professional organizations discussed in this chapter,
which is focused on auditing and control?
The professional organization focused on auditing and control is ISACA
(www.isaca.org), originally the Information Systems Audit and Control
Association. The organization described below, (ISC)², is instead focused on
certification.
(ISC)² (www.isc2.org) is a nonprofit organization that focuses on the
development and implementation of InfoSec certifications and credentials.
(ISC)² manages a body of knowledge on InfoSec and administers and evaluates
examinations for InfoSec certifications. The code of ethics put forth by (ISC)²
is primarily designed for InfoSec professionals who have earned one of their
certifications.
This code includes four mandatory canons:
• Protect society, the common good, necessary public trust and confidence,
and the infrastructure.
• Act honorably, honestly, justly, responsibly, and legally.
• Provide diligent and competent service to principals.
• Advance and protect the profession.
Through this code, (ISC)² seeks to provide sound guidance that will enable
reliance on the ethicality and trustworthiness of the InfoSec professional as
the guardian of information and systems.
4) What is the stated purpose of the SANS organization? In what
ways is it involved in professional certification for InfoSec
professionals?
Founded in 1989, SANS (www.sans.org) is a professional research and
education cooperative organization. The organization, which enjoys a large
professional membership, is dedicated to the protection of information and
systems. SANS has a core IT code of ethics for all certificate holders that
includes the following tenets:
• I will strive to know myself and be honest about my capability.
• I will conduct my business in a manner that assures the IT profession is
considered one of integrity and professionalism.
• I respect privacy and confidentiality.
Individuals who seek one of SANS's Global Information Assurance
Certification (GIAC) credentials must agree to comply with a supplemental
code of ethics, which opens with the following:
Respect for the Public
5) What is the difference between criminal law and civil law?
Criminal law compared with civil law:
1. Scope - Criminal law deals with offences committed against society. Civil
law is general law; it settles disputes between two organisations or
individuals.
2. Outcome - In criminal law the punishment is set according to the
seriousness of the offence committed, and a fine may also be imposed. In
civil law no such punishment is given; instead, compensation is awarded to
the aggrieved party.
3. Who brings the case - In criminal law it is the Government of India that
files the petition. A civil case exists only because an aggrieved individual
or organisation brings it.
4. Objective - Criminal law punishes convicts, protects citizens, and ensures
law and order in the land. Civil law protects the rights of an individual or
organisation and ensures that the wrong done to the sufferer is rectified.
5. Procedure - A criminal petition cannot be filed directly in court; a
complaint must first be registered with the police, an investigation carried
out, and only then can a case be filed in court. In civil law the aggrieved
party can file a case directly in a tribunal or a court.
6. Parties - In criminal law the accused is prosecuted in a court of law. In
civil law the victim or aggrieved party sues those who wronged it.
7. Powers of the court - In criminal cases the court is empowered to charge a
fine, imprison the guilty, or discharge the defendant. In civil cases the
court can only pass judgement to compensate for the damage done to the
aggrieved party.
8. Verdict - In criminal law the defendant is found either guilty or not
guilty. In civil law the defendant is found either liable or not liable.
9. Subject matter - Criminal law deals with specific serious crimes such as
murder, rape, and robbery. Civil law deals with property, money, housing,
divorce, custody of a child in the event of divorce, and so on.
6) What is tort law and what does it permit an individual to do?
Civil law embodies a wide variety of laws pertaining to relationships between
and among individuals and organizations. Civil law includes contract law,
employment law, family law, and tort law. Tort law is the subset of civil law
that allows individuals to seek redress in the event of personal, physical, or
financial injury. Perceived damages within civil law are pursued in civil court
and are not prosecuted by the state.
Different types of tort claims:
• Intentional torts
• Unintentional torts
• Strict liability torts
8) What are the three primary types of public law?
Public law includes criminal law, administrative law, and constitutional law.
Criminal law is defined as a body of rules and statutes that defines conduct
prohibited by the government because it threatens and harms public safety
and welfare, and that establishes the punishment to be imposed for the
commission of such acts. The term generally refers to substantive criminal
laws, which are laws that define crimes and can establish punishments. Based
on their nature, crimes are categorized as felonies or misdemeanors. Laws
passed by Congress or a state must define crimes with certainty. This means
that both the courts and citizens have a clear understanding of a criminal
law's requirements and prohibitions. The elements of a criminal law must be
stated explicitly, and the statute must embody some reasonably discoverable
standard of guilt.
Administrative law is the branch of law governing the creation and operation
of administrative agencies. This branch of law includes the powers granted to
administrative agencies, the substantive rules that such agencies make, and
the legal relationship between such agencies, other government bodies, and
the public at large. Administrative law includes the laws and legal principles
that govern the administration and regulation of government agencies, both
federal and state. Governmental agencies must act within constitutional
parameters.
Constitutional law is the written text of the state and federal constitutions,
together with the body of judicial precedent that has gradually developed as
courts interpret, apply, and explain the meaning of particular constitutional
provisions and principles during legal proceedings. Constitutional law
includes executive, legislative, and judicial actions that conform with the
norms prescribed by a constitutional provision. A state or federal law is said
to be constitutional when it is consistent with the text of a constitutional
provision and any relevant judicial interpretations. A law that is
inconsistent with either the written text or the judicial interpretation of a
constitutional provision is unconstitutional.
9) Which law amended the Computer Fraud and Abuse Act of 1986,
and what did it change?
The Computer Fraud and Abuse (CFA) Act of 1986, presented in the following
Offline box, is the cornerstone of many computer-related federal laws and
enforcement efforts. It was amended in October 1996 by the National
Information Infrastructure Protection Act of 1996, which modified several
sections of the previous act and increased the penalties for selected crimes.
Punishment for offenses prosecuted under this statute varies from fines to
imprisonment for up to 20 years, or can include both. The penalty depends on
the value of the information obtained and whether the offense is judged to
have been committed for one of the following reasons:
• For purposes of commercial advantage
• For private financial gain
• In furtherance of a criminal act
10) What is the USA PATRIOT Act? When was it initially
established and when was it significantly modified?
The USA PATRIOT Act was enacted in response to the attacks of September
11, 2001, and became law less than two months after those attacks.
The purpose of the USA PATRIOT Act is to deter and punish terrorist acts in
the United States and around the world, to enhance law enforcement
investigatory tools, and for other purposes, some of which include:
• To strengthen U.S. measures to prevent, detect and prosecute
international money laundering and financing of terrorism;
• To subject to special scrutiny foreign jurisdictions, foreign financial
institutions, and classes of international transactions or types of accounts
that are susceptible to criminal abuse;
• To require all appropriate elements of the financial services industry to
report potential money laundering;
• To strengthen measures to prevent use of the U.S. financial system for
personal gain by corrupt foreign officials and to facilitate repatriation of
stolen assets to the citizens of the countries to whom such assets belong.
Some of the laws modified by the USA PATRIOT Act are among the earliest
laws created to deal with electronic technology. Certain portions of the USA
PATRIOT Act were extended in 2006, 2010, and 2011.
11) What is privacy in the context of information security?
Privacy, in the context of information security, is the right of individuals or
groups to protect themselves and their information from unauthorized access,
thereby providing confidentiality.
A related concern is social engineering, which in the context of information
security is used by attackers to gain system access or information that may
lead to system access. There are several social engineering techniques, which
usually involve a perpetrator posing as a person who is higher in the
organizational hierarchy than the victim.
12) What is another name for the Kennedy- Kassebaum Act
(1996), and why is it important to organizations that are not in the
health care industry?
The Health Insurance Portability and Accountability Act (HIPAA) of 1996,
also known as the Kennedy-Kassebaum Act, attempts to protect the
confidentiality and security of health care data by establishing and enforcing
standards and by standardizing electronic data interchange. HIPAA affects all
health care organizations, including small medical practices, health clinics,
life insurers, and universities, as well as some organizations that have
self-insured employee health programs. It provides stiff penalties for
organizations that fail to comply with the law, with up to $250,000 in fines
and/or 10 years' imprisonment for knowingly misusing client information.
Organizations were required to comply with the act as of April 14, 2003.
13) If you work for a financial service organization (such as a bank
or credit union), which law from 1999 affects your use of customer
data? What other effects does it have?
14) Which 1997 law provides guidance on the use of encryption?
The Security and Freedom Through Encryption (SAFE) Act of 1997 provides
guidance on the use of encryption and institutes measures of public protection
from government intervention. Specifically, the act:
• Reinforces an individual's right to use or sell encryption algorithms without
concern for the impact of other regulations requiring some form of key
registration. Key registration is when a cryptographic key (or its text
equivalent) is stored with another party to be used to break the encryption of
the data under some circumstances. This is often called key escrow.
• Prohibits the federal government from requiring the use of encryption for
contracts, grants, other official documents, and correspondence.
• States that the use of encryption is not probable cause to suspect criminal
activity.
• Relaxes export restrictions by amending the Export Administration Act of
1979.
• Provides additional penalties for the use of encryption in the commission of
a criminal act.
15) What is intellectual property? Is it offered the same protection
in every country? What laws currently protect intellectual property
in the United States and Europe?
Intellectual property rights are the rights given to persons over the creations
of their minds. They usually give the creator an exclusive right over the use
of his or her creation for a certain period of time. Many organizations create
or support the development of intellectual property (IP) as part of their
business operations. Intellectual property can be trade secrets, copyrights,
trademarks, and patents. IP is protected by copyright and other laws, carries
the expectation of proper attribution or credit to its source, and potentially
requires the acquisition of permission for its use, as specified in those laws.
For example, the use of a song in a movie or a photo in a publication may
require a specific payment or royalty.
16) What is a policy? How does it differ from a law?
Policies are rules, principles, guidelines or frameworks that are adopted or
designed by an organization to achieve long-term goals. They are usually set
out in a written format that is easily accessible. Policies are formulated to
direct and exert influence on all the major decisions to be made within the
organization and to keep all activities within a set of established boundaries.
Policies are only documents and not law, but policies can lead to new laws.
Laws are set standards, principles, and procedures that must be followed in
society. Policies can be called a set of rules that guide a government or an
organization; laws are administered through the courts.
17) What is due care? Why would an organization want to make
sure it exercises due care in its usual course of operations?
Due care consists of the measures that an organization takes to ensure every
employee knows what is acceptable and what is not.
• The duty of care is a fiduciary responsibility held by company directors
which requires them to live up to a certain standard of care.
• The duty of care requires them to make decisions in good faith and in a
reasonably prudent manner.
• The duty of care also applies to other roles, including accountants,
auditors, and manufacturers.
• Failure to uphold the duty of care may result in legal action by
shareholders or clients.
• Along with the duty of care, the other main fiduciary duty is the duty of
loyalty; the duty of loyalty seeks to prevent directors from acting against
the best interests of the corporation.
18) What should an organization do to deter someone from
violating policy or committing a crime?
Unethical behaviors can plague a workplace, whether an executive steals
money from the company or an associate falsifies documents. Unethical
behaviors can damage a company's credibility, causing the business to lose
customers and ultimately shut down. However, business owners and their
management teams can work with employees to prevent unethical behaviors,
using the same deterrents described in question 1: a credible penalty, a high
probability of being caught, and the willingness to apply the penalty.
19) What is digital forensics, and when is it used in a business
setting?
Digital forensics consists of investigations involving the preservation,
identification, extraction, documentation, and interpretation of computer
media for evidentiary and root cause analysis. Digital forensics is based on
the field of traditional forensics. Forensics allows investigators to
determine what happened by examining the results of an event, whether
criminal, natural, intentional, or accidental. It also allows them to
determine how the event happened by examining activities, individual actions,
physical evidence, and testimony related to the event. What it may never do is
figure out the why.
Digital forensics involves applying traditional forensics methodologies to the
digital arena, focusing on information stored in an electronic format on any
one of a number of electronic devices that range from computers to mobile
phones to portable media. Like traditional forensics, it follows clear,
well-defined methodologies but still tends to be as much art as science. This
means the natural curiosity and personal skill of the investigator play a key
role in discovering potential evidentiary material (EM), also known as items
of potential evidentiary value. An item does not become evidence until it is
formally admitted into evidence by a judge or other ruling official.
20) What is evidentiary material?
Evidentiary material (EM), also known as "items of potential evidentiary
value," is any information that could potentially support the organization's
legal or policy-based case against a suspect. An evidentiary material policy
(EM policy) is the policy document that guides the development and
implementation of EM procedures regarding the collection, handling, and
storage of items of potential evidentiary value, as well as the organization
and conduct of EM collection teams. EM is material that can be presented as
evidence before a judge. Evidentiary rules govern what may constitute
evidence and how it is presented and weighed. An example of an evidentiary
problem would be a video tape that was destroyed before it could be presented
to the judge.
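The preservation and documentation steps in questions 19 and 20 come down to two practical controls: record a cryptographic hash of the media at acquisition so that any later change is detectable, and keep a chain-of-custody log whose entries cannot be silently altered. The following Python script is an added example, not part of this page or of any textbook it summarises. It assumes a constructed sample "image" in place of seized media; the function names and the log format are hypothetical and exist only to illustrate the idea.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional, Tuple

# Constructed sample standing in for an acquired disk image (not real evidence).
SAMPLE_IMAGE = b"MBR\x00\x00FAKE-PARTITION-TABLE\x00" + bytes(range(256)) * 4


def hash_bytes(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of the media; this is the value written on the evidence tag."""
    h = hashlib.new(algo)
    h.update(data)
    return h.hexdigest()


def _entry_digest(entry: dict) -> str:
    """Digest over every field of a log entry except its own stored digest."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hash_bytes(canonical.encode("utf-8"))


def _append(log: list, action: str, actor: str, note: str,
            media_sha256: str, when: Optional[str]) -> dict:
    """Append a custody entry linked to the previous one by its digest."""
    entry = {
        "seq": len(log),
        "action": action,
        "by": actor,
        "at": when or datetime.now(timezone.utc).isoformat(),
        "note": note,
        "sha256": media_sha256,          # hash of the media, repeated on every entry
        "prev": log[-1]["entry_hash"] if log else "",
    }
    entry["entry_hash"] = _entry_digest(entry)
    log.append(entry)
    return entry


def acquire(evidence_id: str, data: bytes, collector: str,
            description: str, when: Optional[str] = None) -> list:
    """Start a chain-of-custody log with the acquisition hash of the media."""
    log: list = []
    _append(log, "acquired", collector, f"{evidence_id}: {description}",
            hash_bytes(data), when)
    return log


def transfer(log: list, from_person: str, to_person: str,
             when: Optional[str] = None) -> dict:
    """Record a hand-off; the media hash is carried forward from acquisition."""
    return _append(log, "transferred", from_person, f"released to {to_person}",
                   log[0]["sha256"], when)


def verify(log: list, data: bytes) -> Tuple[bool, str]:
    """Check the media against the acquisition hash and the log for tampering."""
    if not log:
        return False, "empty log"
    if hash_bytes(data) != log[0]["sha256"]:
        return False, "media hash does not match acquisition hash"
    prev = ""
    for i, entry in enumerate(log):
        if entry["seq"] != i:
            return False, f"entry {i}: sequence gap"
        if entry["prev"] != prev:
            return False, f"entry {i}: broken chain link"
        if _entry_digest(entry) != entry["entry_hash"]:
            return False, f"entry {i}: entry altered"
        prev = entry["entry_hash"]
    return True, "ok"


if __name__ == "__main__":
    log = acquire("EV-001", SAMPLE_IMAGE, "analyst A", "constructed sample image")
    transfer(log, "analyst A", "analyst B")
    print(verify(log, SAMPLE_IMAGE))                    # (True, 'ok')
    print(verify(log, SAMPLE_IMAGE + b"\x00"))          # media changed
    log[1]["note"] = "released to someone else"
    print(verify(log, SAMPLE_IMAGE))                    # log entry altered
```

The acquisition hash answers "is this the same media that was seized?"; the linked entry digests answer "has anyone edited or dropped a custody entry?". In practice the log would be signed or stored write-once as well, since anyone who can rewrite every entry can recompute every digest.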