Ch 12 Law & Ethics

INFORMATION SECURITY
MANAGEMENT
LAW AND ETHICS
You got to be careful if you don’t know where you’re going,
because you might not get there. – Yogi Berra
Introduction
• All information security professionals must understand
the scope of an organization’s legal and ethical
responsibilities
• Educate employees and management about their legal
and ethical obligations concerning proper use of
information technology
Law and Ethics
• Laws vs. Ethics
• Types of Law
– Civil law
– Criminal law
– Tort law
– Private law
– Public law
Information Security and the Law
• InfoSec professionals and managers must understand the
legal framework within which their organizations
operate
Relevant U.S. Laws
• The Computer Fraud and Abuse Act of 1986 (CFA Act)
• The Computer Security Act of 1987
• Health Insurance Portability & Accountability Act of 1996 (HIPAA)
• Financial Services Modernization Act
• Freedom of Information Act of 1966
• Sarbanes-Oxley Act of 2002
Relevant U.S. Laws (cont’d.)
• Privacy Laws
• Privacy of Customer Information Section
• The Federal Privacy Act of 1974
– Regulates the government’s use of private information
• Electronic Communications Privacy Act of 1986
These statutes work in cooperation with the Fourth Amendment
of the U.S. Constitution
Relevant U.S. Laws (cont’d.)
• Export and Espionage Laws
– Economic Espionage Act (EEA) of 1996
– The Security and Freedom through Encryption Act of 1997
Recent Laws within past year
• National Cybersecurity Protection Act (NCPA)
• Cybersecurity Enhancement Act of 2014 (CEA)
• Federal Information System Modernization Act of 2014 (FISMA 2014)
• Cybersecurity Workforce Assessment Act (CWWA)
International Laws and Legal Bodies
• There are currently few international laws relating to
privacy and information security
• European Council Cyber-Crime Convention
• The Digital Millennium Copyright Act
• European Union Directive 95/46/EC
• Database Right
State and Local Regulations
• Information security professionals must understand
state laws and regulations
Example:
Georgia Computer Systems Protection Act
Policy Versus Law
• Difference between policy and law
• Policies must be:
– Distributed to all individuals who are expected to comply with
them
– Readily available for employee reference
– Easily understood, with multilingual, visually impaired and low-literacy translations
– Acknowledged by employee with consent form
– Uniformly enforced for all employees
Ethics and Education
• Key studies reveal that the overriding factor in leveling
the ethical perceptions within a small population is
education
• Employees must be trained on the expected behaviors of
an ethical employee
Unethical and Illegal Behavior
• InfoSec personnel should do everything in their power to
deter unethical and illegal acts
• Categories of unethical behavior
– Ignorance
– Accident
– Intent
Best Approach?
Professional Organizations and their Codes of Ethics
• Some professional organizations have established codes
of conduct and/or codes of ethics
• Other Sources of Ethics Codes:
– ACM
– SANS
– ISC2
– ISACA
– ISSA
Ethics
• Rules, not laws that are minimum standards for
professional behavior
• ISC2 Code of Ethics
– Protect society, the commonwealth and the infrastructure
– Act honorably, honestly, justly, responsibly, and legally
– Provide diligent and competent service to principals
– Advance and protect the profession
Key Law Enforcement Agencies
• Federal Bureau of Investigation
• InfraGard Program
• National Security Agency
• Information Assurance Directorate (IAD)
• U.S. Secret Service
• Department of Homeland Security
Managing Investigations in the Organization
It’s not a matter of “if” but “when”
• Investigation Steps
• Documentation is key
• Digital Forensics
Managing Investigations: Digital Forensics
The investigation of what happened and how
– Involves the preservation, identification, extraction,
documentation, and interpretation of computer media for
evidentiary and/or root cause analysis
• Evidentiary material (EM)
– Any information that could potentially support the organization’s
legal- or policy-based case against a suspect
Managing Investigations: Digital Forensics
Two key purposes:
– Investigate allegations of digital malfeasance
– Perform root cause analysis
Approaches:
– Protect and forget (patch and proceed)
– Apprehend and prosecute (pursue and prosecute)
Affidavits and Search Warrants
• Investigations begin with an allegation or an
indication of an incident
• Forensics team requests permission to examine
digital media for potential EM
• Affidavit
• Search warrant
Digital Forensics Methodology
Steps in the digital forensics methodology
1. Identify relevant items of evidentiary value
2. Acquire (seize) the evidence without alteration or damage
3. Take steps to assure that the evidence is at every step verifiably
authentic and is unchanged from the time it was seized
4. Analyze the data without risking modification or unauthorized
access
5. Report the findings to the proper authority
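Steps 2 and 3 above (acquire without alteration, then keep the evidence verifiably authentic at every hand-off) are the ones an examiner has to be able to prove later. The following is an added illustration, not code from the slides or from Course Technology/Cengage Learning: a minimal hash-chained chain-of-custody log where the evidence hash is fixed at seizure, every hand-off re-hashes the item and links to the previous entry, and a verifier detects either altered evidence or an edited log. Item ids, handler names and the evidence bytes are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "prev" value of the first (acquisition) entry

def sha256_hex(data: bytes) -> str:
    """SHA-256 of the evidence bytes, hex-encoded."""
    return hashlib.sha256(data).hexdigest()

def _entry_hash(entry: dict) -> str:
    # Canonical JSON so the digest does not depend on key order.
    return sha256_hex(json.dumps(entry, sort_keys=True).encode())

def _entry(item_id, action, handler, evidence, prev):
    return {
        "item": item_id,
        "action": action,
        "handler": handler,
        "time": datetime.now(timezone.utc).isoformat(),
        "evidence_sha256": sha256_hex(evidence),  # re-hashed at every step
        "prev": prev,  # hash of the previous log entry (chain link)
    }

def acquire(evidence: bytes, item_id: str, handler: str) -> dict:
    """Step 2: seize the item and fix its hash at acquisition time."""
    return {"item": item_id, "log": [_entry(item_id, "acquired", handler, evidence, GENESIS)]}

def record_handoff(record: dict, evidence: bytes, handler: str, action: str) -> dict:
    """Step 3: each hand-off re-hashes the evidence and chains to the prior entry."""
    prev = _entry_hash(record["log"][-1])
    record["log"].append(_entry(record["item"], action, handler, evidence, prev))
    return record

def verify(record: dict, evidence: bytes) -> tuple[bool, str]:
    """Confirm the log chain is intact and the evidence is unchanged since seizure."""
    log = record["log"]
    seized = log[0]["evidence_sha256"]
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != expected_prev:
            return False, f"custody log chain broken at entry {i}"
        if entry["evidence_sha256"] != seized:
            return False, f"evidence changed before entry {i} ({entry['action']})"
        expected_prev = _entry_hash(entry)
    if sha256_hex(evidence) != seized:
        return False, "evidence hash does not match acquisition hash"
    return True, "evidence authentic and unchanged"
```

In practice the acquisition hash would be recorded on the signed custody form and the log stored separately from the evidence image, so that a change to one is caught by the other.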
Digital Forensics Methodology
Figure 12-2: Digital forensics process
Source: Course Technology/Cengage Learning
Evidentiary Procedures
• Organizations should develop specific procedures and
guidance for their use