Legal, Ethical, and Professional
Issues in Information Security
Principles of Information Security
Chapter 3
Chapter Objectives

Upon completion of this chapter you should be able to:
◦ Use this chapter as a guide for future reference on laws,
regulations, and professional organizations.
◦ Differentiate between laws and ethics.
◦ Identify major national laws that relate to the practice of
information security.
◦ Describe the role of culture as it applies to ethics in
information security.
2
*Law and Ethics in Information Security




Jean-Jacques Rousseau
◦ The Social Contract or Principles of Political Right (1762)
◦ "The rules the members of a society create to balance the right of
the individual to self-determination with the needs of the society as
a whole are called laws."
Laws**
◦ Rules that mandate or prohibit certain behavior in society.
◦ Carry the sanctions of governing authority.
Ethics**
◦ Define socially acceptable behaviors.
◦ Universally recognized examples include murder, theft, assault, and
arson.
Cultural Mores
◦ The fixed moral attitudes or customs of a particular group.
3
Organizational Liability

Liability**
◦ Legal obligation of an entity that extends beyond criminal
or contract law.
◦ Includes obligation to make restitution, or compensate for,
wrongs committed by an organization or its employees.
◦ Organization can be held financially liable (responsible) for
actions of employees.
◦ Obligation increases if organization fails to take due care.
4
Organizational Responsibilities for
Due Care and Due Diligence

Due care**
◦ Must ensure that every employee knows
 what is acceptable or unacceptable behavior
 consequences of illegal or unethical actions.

Due diligence**
◦ Requires organization to
 make a valid effort to protect others
 continually maintain this level of effort
◦ Internet has global reach --- injury/wrong can occur anywhere in the
world.

Jurisdiction**
◦ A court's right to hear a case if a wrong was committed in its territory,
or involves its citizenry --- long arm jurisdiction.
◦ In U.S., any court can impose its authority over individuals or
organizations, if it can establish jurisdiction
5
Policy vs Law

Laws
◦ External legal requirements

Security policies**. Internal (organizational) rules that:
◦ Describe acceptable and unacceptable employee behaviors.
◦ Organizational laws --- including penalties and sanctions.
◦ Must be complete, appropriate and fairly applied in the work place.
◦ In order to be enforceable, policies must be
 Disseminated. Distributed to all individuals and readily available for
employee reference.
 Reviewed. Document distributed in a format that could be read by
employeees.
 Comprehended. Employees understand the requirements --- e.g., quizzes
or other methods of assessment.
 Compliance. Employee agrees to comply with the policy.
 Uniformly enforced, regardless of employee status or assignment.
6
Types of Law

Civil law**
◦ Laws that govern a nation or state.

Criminal law**
◦ Violations harmful to society
◦ Actively enforced by prosecution by the state.

Private law**
◦ regulates relationship between individual and organization.
◦ encompasses family law, commercial law, labor law.

Public law**
◦ regulates structure and administration of government agencies and their relationships with
citizens, employees, and other governments, providing careful checks and balances.
◦ Includes criminal, administrative and constitutional law.
7
U.S. General Computer Crime Laws

Computer Fraud and Abuse Act of 1986 (CFA Act)**
◦ Cornerstone of federal laws and enforcement acts
◦ Addresses threats to computers

Communications Act of 1934
◦ Addresses Telecommunications
◦ modified by Telecommunications Deregulation and Competition Act of
1996
 modernize archaic terminology

Computer Security Act of 1987**
◦ Protect federal computer systems (federal agencies)
◦ Establish minimum acceptable security practices.
8
U.S. Privacy Laws

Privacy Issues
◦ Collection of personal information
◦ Clipper chip - never implemented

Privacy of Customer Information
◦ U.S. Legal Code Privacy of Customer Information Section
 Responsibilities of common carriers (phone co) to protect confidentiality

Federal Privacy Act of 1974**
◦ Regulates government protection of privacy, with some exceptions

Electronic Communications Privacy Act of 1986**
◦ Fourth Amendment - unlawful search and seizure

Health Insurance Portability and Accountability Act of 1996 (HIPAA)**
◦ Kennedy-Kassebaum Act
◦ Privacy of electronic data interchange for health care data

Financial Services Modernization Act (1999)**
◦ Gramm-Leach-Bliley Act of 1999
◦ Banks, securities firms, and insurance companies - disclosure of privacy policies
9
U.S. Copyright Law**
Recognizes intellectual property as a protected asset in the U.S.
◦ published word, including electronic formats
 Fair use of copyrighted materials
◦ Includes





support news reporting
teaching
scholarship
related activities
◦ Use MUST be for educational or library purposes
 not for profit
 not excessive
 include proper acknowledgment to original author
10
Financial Reporting

Sarbanes-Oxley Act of 2002**
◦ Affects
 publicly traded corporations
 public accounting firms
◦ result of Enron, among others.
 improve reliability and accuracy of financial reporting.
 increase accountability of corporate governance in publicly traded
companies.

Executives will need
◦ assurance on reliability and quality of information systems from
information technology managers.
◦ Key issue: compliance with reporting requirements.
11
Freedom of Information Act of 1996 (FOIA)**

Any person may request access to federal agency records or
information not determined to be a matter of national security.
◦ Agencies must disclose requested information
 After the request has been reviewed and determined not to pose a
risk to national security.

Does NOT apply to:
◦ state/local government agencies
◦ private businesses or individuals.
12
State and Local Regulations


Locally implemented laws pertaining to information security.
Information security professionals must be aware of these laws and
comply with them.
13
International Laws and Legal Bodies





Few international laws relating to privacy and information security.
European Council Cyper-Crime Convention
◦ 2001. Creates international task force
◦ Improve effectiveness of international investigations
◦ Emphasis on copyright infringement prosecution
◦ Lacks realistic provisions for enforcement
WTO Agreement on Intellectual Property Rights
◦ Intellectual property rules for multilateral trade system.
Digital Millenium Copyright Act**
◦ U.S. response to 1995 Directive 95/46/EC by E.U.
◦ U.K. Database Right
United Nations Charter
◦ Information Warfare provisions.
14
Security Breaches Punishment

If not caught: illegal to demand a payment in order to “disappear
without a track”
◦ But banks and financial institutions have to keep it quiet…

If caught in a “lawful” country: fines and/or jail sentence

AOL employees
http://www.connectedhomemag.com/HomeOffice/Articles/Index.cfm?ArticleID=43090
http://www.aolsucks.org/ccaol2.htm

“$130 mil. stolen in computer crime. Each defendant faces the possibility of
35 years in prison, and more than $1 million in fines or twice the amount
made from the crime, whichever is greater.” http://www.crimeresearch.org/news/27.08.2009/3750/

Malicious kids go to jail http://www.cybercrime.gov/cases.htm
◦ Kevin Mitnick and Robert Morris

Federal cases database (only up to 2006) http://www.justice.gov/criminal/cybercrime/cccases.html
15
Ethics and Information Security

Ethical issues of information security professionals
◦ Expected to be leaders in ethical workplace behavior
◦ No binding professional code of ethics
◦ Some professional organizations provide ethical codes of conduct,
 Have no authority to banish violators from professional practice.
16
Cultural Differences and Ethics
Different nationalities have different perspectives on computer ethics
◦ Asian tradition - collective ownership
◦ Western tradition - intellectual property rights
 Study of computer use ethics among students in 9 nations
◦ Singapore, Hong Kong, U.S., England, Australia, Sweden, Wales,
Netherlands
◦ Studied 3 categories of use

 software license infringement
 illicit use
 misuse of corporate resources
17
Cultural Differences:
Software License Infringement

Most nations had similar attitudes toward software piracy
◦ U.S.
 significantly less tolerant (least tolerant)
◦ Other countries
 moderate
 higher piracy rates in Singapore/Hong Kong
 may result from lack of legal disincentives or punitive measures
◦ Netherlands
 most permissive
 least likely to honor copyrights of content creators
 lower piracy rate than Singapore/Hong Kong
18
Cultural Differences:
Illicit Use of Software




Viruses, hacking, other forms of abuse uniformly condemned as
unacceptable behavior.
Singapore/Hong Kong
◦ most tolerant
Sweden/Netherlands
◦ in-between
U.S., Wales, England, Australia
◦ least tolerant
19
Cultural Differences:
Misuse of Corporate Resources

Generally lenient attitudes toward
◦ personal use of company computing resources.

Singapore/Hong Kong
◦ viewed personal use as unethical (least tolerant)

Other countries
◦ Personal use acceptable if not specifically prohibited

Netherlands
◦ most lenient
20
Ethics and Education


Education
◦ overriding factor in leveling the ethical perceptions within a small
population
◦ Employees must be trained and kept aware of topics related to
information security, including expected ethical behaviors..
◦ Many employees may not have formal technical training to
understand that their behavior is unethical or illegal.
Ethical and legal training is an essential key to developing informed,
well-prepared, and low-risk system users.
21
Deterrence to Unethical and Illegal
Behavior

Use policy, education, training, and technology to
protect information systems.

3 categories of unethical and illegal behavior
◦ Ignorance
 No excuse for violating law, but allowable for policies.
 Use education, policies, training, awareness programs to keep
individuals aware of policies.
◦ Accident
 Use careful planning and control to prevent accidental
modifications to system and data.
◦ Intent
 Frequent cornerstone for prosecution.
 Best controls are litigation, prosecution, and technical controls.
22
Deterrence


Best method to prevent illegal or unethical activity.
◦ Laws, policies, and technical controls
3 conditions required for effective deterrence
◦ Fear of penalty
 reprimand or warnings may not have the same effectiveness as
imprisonment or loss of pay.
◦ Probability of being caught
 must believe there is a strong possibility of being caught.
◦ Probability of penalty being administered
 must believe the penalty will be administered
 Note: threats don’t work --- penalties must be realistic and
enforceable.
23
Codes of Ethics

Established by various professional organizations
◦ Produce a positive effect on judgment regarding computer use
◦ Establishes responsibility of security professionals to act ethically
 according to the policies and procedures of their employers,
professional organizations, and laws of society.
◦ Organizations assume responsibility to develop, disseminate, and
enforce policies.
24
Major IT Professional Organizations and
Ethics






Association for Computing Machinery (ACM)
◦ promotes education and provides discounts for students
◦ educational and scientific computing society
International Information Systems Security Certification Consortium (ISC2)
◦ develops and implements information security certifications and credentials
System Administration, Networking, and Security Institute (SANS)
◦ Global Information Assurance Certifications (GIAC)
Information Systems Audit and Control Association (ISACA)
◦ focus on auditing, control and security
Computer Security Institute (CSI)
◦ sponsors education and training for information security
Information Systems Security Association (ISSA)
◦ information exchange and educational development for information security
practitioners
25
Other Security Organizations





Internet Society (ISOC)
◦ develop education, standards, policy, and education and training to promote the
Internet
Internet Engineering Task Force (IETF)
◦ develops Internet's technical foundations
Computer Security Division (CSD) of National Institute for Standards and
Technology (NIST)
◦ Computer Security Resource Center (CSRC)
Computer Emergency Response Team (CERT)**
◦ CERT Coordination Center (CERT/CC)
◦ Carnegie Mellon University Software Engineering Institute
Computer Professionals for Social Responsibility (CPSR)
◦ promotes ethical and responsible development and use of computing
◦ watchdog for development of ethical computing
26
U.S. Federal Agencies Related to
Information Security

Department of Homeland Security (DHS)
◦ Directorate of Information and Infrastructure
 discover and respond to attacks on national information systems and
critical infrastructure
 research and development of software and technology
◦ Science and Technology Directorate
 Research and development activities
 examination of vulnerabilities
 sponsors emerging best practices

FBI National Infrastructure Protection Center (NIPC)
◦ U.S. government center for threat assessment, warning, investigation, and
response to threats or attacks against U.S. infrastructures
◦ National InfraGard Program
 cooperative effort between public and private organizations and academic
community
 provides free exchange of information with private sector regarding threats and
attacks.
27
U.S. Federal Agencies (2)

National Security Agency (NSA)**
◦ U.S. cryptologic organization
◦ Centers of Excellence in Information Assurance
Education
 recognition for universities/schools
 acknowledgment on NSA web site
◦ Program to certify curricula in information security
 Information Assurance Courseware Evaluation
 Provides 3 year accreditation

U.S. Secret Service
◦ Part of Department of Treasury
◦ One mission is to detect and arrest any person committing U.S. federal
offenses related to computer fraud and false identification crimes.
28