Chapter 11 laws and ethic information security
7,151 views
39 slides
Dec 24, 2019
Slide 1 of 39
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
About This Presentation
Chapter 11 laws and ethic information security
Slide Content
1
112/25/2019 1 1
1
Part 2 Access Control 1
Security+ Guide to Network Security Fundamentals, Third Edition
1
11
1 1tohttps://github.com/syaifulahdan/
INFORMATION SECURITY
Law and Ethics Information Security
Introduction
Law and Ethics in Information Security
Organizational Liability and the Need for Counsel
Policy Vs Law
Type of Law
Relevant U.S Laws
General Computer Crime Laws
Privacy
Privacy of Customer Information
Identity Theft
Export and Espionage Laws
U.S Copyright Laws
Financial Reporting
Freedom of Information Act of 1966 (FOIA)
Digital Millenium Copyright Act (DMCA)
State and Local Regulations
Principles of Information Security, 3rd Edition
Internal Laws and Legal Bodies
European Union Cyber Crime Convention
Aggreement on Trade Related Aspect of
Intellectual Property Right
United Nation Charter
Ethics and Information Security
Deterrence to Unethical and Illegal Behavior
Codes of Ethics and Professional Ogranization
Association of Computing Machinery (ACM)
International Information System Security
Certification Consortium, Inc.
System Adminisration Networking, and Security
Institute (SANS)
Information System Audit and Control Association
(ISACA)
Information System Security Association (ISSA)
Key U.S Federal Agencies
112/25/2019 1 1
1
Part 2 Access Control 1
Security+ Guide to Network Security Fundamentals, Third Edition
1
11
1 1tohttps://github.com/syaifulahdan/
INFORMATION SECURITY
Law and Ethics Information Security
Introduction
Law and Ethics in Information Security
Organizational Liability and the Need for Counsel
Policy Vs Law
Type of Law
Relevant U.S Laws
General Computer Crime Laws
Privacy
Privacy of Customer Information
Identity Theft
Export and Espionage Laws
U.S Copyright Laws
Financial Reporting
Freedom of Information Act of 1966 (FOIA)
Digital Millenium Copyright Act (DMCA)
State and Local Regulations
Principles of Information Security, 3rd Edition
Internal Laws and Legal Bodies
European Union Cyber Crime Convention
Aggreement on Trade Related Aspect of
Intellectual Property Right
United Nation Charter
Ethics and Information Security
Deterrence to Unethical and Illegal Behavior
Codes of Ethics and Professional Ogranization
Association of Computing Machinery (ACM)
International Information System Security
Certification Consortium, Inc.
System Adminisration Networking, and Security
Institute (SANS)
Information System Audit and Control Association
(ISACA)
Information System Security Association (ISSA)
Key U.S Federal Agencies
212/25/2019 2 2
2
Part 2 Access Control 2
Security+ Guide to Network Security Fundamentals, Third Edition
2
22
2 2tohttps://github.com/syaifulahdan/
2
Use this chapter as a guide for future reference on
laws, regulations, and professional organizations
Differentiate between laws and ethics
Identify major national laws that relate to the
practice of information security
Understand the role of culture as it applies to ethics
in information security
Learning Objectives
Upon completion of this material, you should be able
to:
2
Part 2 Access Control 2
Security+ Guide to Network Security Fundamentals, Third Edition
2
22
2 2tohttps://github.com/syaifulahdan/
2
Use this chapter as a guide for future reference on
laws, regulations, and professional organizations
Differentiate between laws and ethics
Identify major national laws that relate to the
practice of information security
Understand the role of culture as it applies to ethics
in information security
Learning Objectives
Upon completion of this material, you should be able
to:
312/25/2019 3 3
3
Part 2 Access Control 3
Security+ Guide to Network Security Fundamentals, Third Edition
3
33
3 3tohttps://github.com/syaifulahdan/
3
Introduction
You must understand scope of an organization’s
legal and ethical responsibilities
To minimize liabilities/reduce risks, the information
security practitioner must:
Understand current legal environment
Stay current with laws and regulations
Watch for new issues that emerge
3
Part 2 Access Control 3
Security+ Guide to Network Security Fundamentals, Third Edition
3
33
3 3tohttps://github.com/syaifulahdan/
3
Introduction
You must understand scope of an organization’s
legal and ethical responsibilities
To minimize liabilities/reduce risks, the information
security practitioner must:
Understand current legal environment
Stay current with laws and regulations
Watch for new issues that emerge
412/25/2019 4 4
4
Part 2 Access Control 4
Security+ Guide to Network Security Fundamentals, Third Edition
4
44
4 4tohttps://github.com/syaifulahdan/
4
Law and Ethics in Information Security
Laws: rules that mandate or prohibit certain societal
behavior
Ethics: define socially acceptable behavior
Cultural mores: fixed moral attitudes or customs of a
particular group; ethics based on these
Laws carry sanctions of a governing authority; ethics
do not
4
Part 2 Access Control 4
Security+ Guide to Network Security Fundamentals, Third Edition
4
44
4 4tohttps://github.com/syaifulahdan/
4
Law and Ethics in Information Security
Laws: rules that mandate or prohibit certain societal
behavior
Ethics: define socially acceptable behavior
Cultural mores: fixed moral attitudes or customs of a
particular group; ethics based on these
Laws carry sanctions of a governing authority; ethics
do not
512/25/2019 5 5
5
Part 2 Access Control 5
Security+ Guide to Network Security Fundamentals, Third Edition
5
55
5 5tohttps://github.com/syaifulahdan/
5
Organizational Liability and the Need for
Counsel
Liability: legal obligation of an entity extending
beyond criminal or contract law; includes legal
obligation to make restitution
Restitution: to compensate for wrongs committed
by an organization or its employees
Due care: insuring that employees know what
constitutes acceptable behavior and know the
consequences of illegal or unethical actions
Due diligence: making a valid effort to protect
others; continually maintaining level of effort
5
Part 2 Access Control 5
Security+ Guide to Network Security Fundamentals, Third Edition
5
55
5 5tohttps://github.com/syaifulahdan/
5
Organizational Liability and the Need for
Counsel
Liability: legal obligation of an entity extending
beyond criminal or contract law; includes legal
obligation to make restitution
Restitution: to compensate for wrongs committed
by an organization or its employees
Due care: insuring that employees know what
constitutes acceptable behavior and know the
consequences of illegal or unethical actions
Due diligence: making a valid effort to protect
others; continually maintaining level of effort
612/25/2019 6 6
6
Part 2 Access Control 6
Security+ Guide to Network Security Fundamentals, Third Edition
6
66
6 6tohttps://github.com/syaifulahdan/
6
Organizational Liability and the Need for
Counsel (continued)
Jurisdiction: court's right to hear a case if the wrong
was committed in its territory or involved its
citizenry
Long arm jurisdiction: right of any court to impose
its authority over an individual or organization if it
can establish jurisdiction
6
Part 2 Access Control 6
Security+ Guide to Network Security Fundamentals, Third Edition
6
66
6 6tohttps://github.com/syaifulahdan/
6
Organizational Liability and the Need for
Counsel (continued)
Jurisdiction: court's right to hear a case if the wrong
was committed in its territory or involved its
citizenry
Long arm jurisdiction: right of any court to impose
its authority over an individual or organization if it
can establish jurisdiction
712/25/2019 7 7
7
Part 2 Access Control 7
Security+ Guide to Network Security Fundamentals, Third Edition
7
77
7 7tohttps://github.com/syaifulahdan/
7
Policy versus Law
Policies: body of expectations that describe
acceptable and unacceptable employee behaviors in
the workplace
Policies function as laws within an organization;
must be crafted carefully to ensure they are complete,
appropriate, fairly applied to everyone
Difference between policy and law: ignorance of a
policy is an acceptable defense
Criteria for policy enforcement: dissemination
(distribution), review (reading), comprehension
(understanding), compliance (agreement), uniform
enforcement
7
Part 2 Access Control 7
Security+ Guide to Network Security Fundamentals, Third Edition
7
77
7 7tohttps://github.com/syaifulahdan/
7
Policy versus Law
Policies: body of expectations that describe
acceptable and unacceptable employee behaviors in
the workplace
Policies function as laws within an organization;
must be crafted carefully to ensure they are complete,
appropriate, fairly applied to everyone
Difference between policy and law: ignorance of a
policy is an acceptable defense
Criteria for policy enforcement: dissemination
(distribution), review (reading), comprehension
(understanding), compliance (agreement), uniform
enforcement
812/25/2019 8 8
8
Part 2 Access Control 8
Security+ Guide to Network Security Fundamentals, Third Edition
8
88
8 8tohttps://github.com/syaifulahdan/
8
Types of Law
Civil: governs nation or state; manages
relationships/conflicts between organizational
entities and people
Criminal: addresses violations harmful to society;
actively enforced by the state
Private: regulates relationships between individuals
and organizations
Public: regulates structure/administration of
government agencies and relationships with citizens,
employees, and other governments
8
Part 2 Access Control 8
Security+ Guide to Network Security Fundamentals, Third Edition
8
88
8 8tohttps://github.com/syaifulahdan/
8
Types of Law
Civil: governs nation or state; manages
relationships/conflicts between organizational
entities and people
Criminal: addresses violations harmful to society;
actively enforced by the state
Private: regulates relationships between individuals
and organizations
Public: regulates structure/administration of
government agencies and relationships with citizens,
employees, and other governments
912/25/2019 9 9
9
Part 2 Access Control 9
Security+ Guide to Network Security Fundamentals, Third Edition
9
99
9 9tohttps://github.com/syaifulahdan/
9
Relevant U.S. Laws
United States has been a leader in the development
and implementation of information security
legislation
Implementation of information security legislation
contributes to a more reliable business environment
and a stable economy
EU vs. US on privacy
US vs. China on censureship
U.S. has specified penalties for individuals and
organizations failing to follow requirements set forth
in U.S. civil statutes
9
Part 2 Access Control 9
Security+ Guide to Network Security Fundamentals, Third Edition
9
99
9 9tohttps://github.com/syaifulahdan/
9
Relevant U.S. Laws
United States has been a leader in the development
and implementation of information security
legislation
Implementation of information security legislation
contributes to a more reliable business environment
and a stable economy
EU vs. US on privacy
US vs. China on censureship
U.S. has specified penalties for individuals and
organizations failing to follow requirements set forth
in U.S. civil statutes
1012/25/2019 1010
10
Part 2 Access Control 10
Security+ Guide to Network Security Fundamentals, Third Edition
10
1010
10 10tohttps://github.com/syaifulahdan/
10
General Computer Crime Laws
Computer Fraud and Abuse Act of 1986 (CFA Act)
National Information Infrastructure Protection Act
of 1996
USA PATRIOT Act of 2001
USA PATRIOT Improvement and Reauthorization
Act
Computer Security Act of 1987
10
Part 2 Access Control 10
Security+ Guide to Network Security Fundamentals, Third Edition
10
1010
10 10tohttps://github.com/syaifulahdan/
10
General Computer Crime Laws
Computer Fraud and Abuse Act of 1986 (CFA Act)
National Information Infrastructure Protection Act
of 1996
USA PATRIOT Act of 2001
USA PATRIOT Improvement and Reauthorization
Act
Computer Security Act of 1987
1112/25/2019 1111
11
Part 2 Access Control 11
Security+ Guide to Network Security Fundamentals, Third Edition
11
1111
11 11tohttps://github.com/syaifulahdan/
11
Privacy
One of the hottest topics in information security
Is a “state of being free from unsanctioned intrusion”
Ability to aggregate data from multiple sources
allows creation of information databases previously
unheard of
11
Part 2 Access Control 11
Security+ Guide to Network Security Fundamentals, Third Edition
11
1111
11 11tohttps://github.com/syaifulahdan/
11
Privacy
One of the hottest topics in information security
Is a “state of being free from unsanctioned intrusion”
Ability to aggregate data from multiple sources
allows creation of information databases previously
unheard of
1212/25/2019 1212
12
Part 2 Access Control 12
Security+ Guide to Network Security Fundamentals, Third Edition
12
1212
12 12tohttps://github.com/syaifulahdan/
12
Privacy of Customer Information
Privacy of Customer Information Section of the
common carrier regulation
Federal Privacy Act of 1974
Electronic Communications Privacy Act of 1986
Health Insurance Portability and Accountability Act
of 1996 (HIPAA), aka Kennedy-Kassebaum Act
Financial Services Modernization Act, or Gramm-
Leach-Bliley Act of 1999
12
Part 2 Access Control 12
Security+ Guide to Network Security Fundamentals, Third Edition
12
1212
12 12tohttps://github.com/syaifulahdan/
12
Privacy of Customer Information
Privacy of Customer Information Section of the
common carrier regulation
Federal Privacy Act of 1974
Electronic Communications Privacy Act of 1986
Health Insurance Portability and Accountability Act
of 1996 (HIPAA), aka Kennedy-Kassebaum Act
Financial Services Modernization Act, or Gramm-
Leach-Bliley Act of 1999
1312/25/2019 1313
13
Part 2 Access Control 13
Security+ Guide to Network Security Fundamentals, Third Edition
13
1313
13 13tohttps://github.com/syaifulahdan/
13
Identity Theft
Federal Trade Commission: “occurring when
someone uses your personally identifying
information, like your name, Social Security number,
or credit card number, without your permission, to
commit fraud or other crimes”
Fraud And Related Activity In Connection With
Identification Documents, Authentication Features,
And Information (Title 18, U.S.C. § 1028)
13
Part 2 Access Control 13
Security+ Guide to Network Security Fundamentals, Third Edition
13
1313
13 13tohttps://github.com/syaifulahdan/
13
Identity Theft
Federal Trade Commission: “occurring when
someone uses your personally identifying
information, like your name, Social Security number,
or credit card number, without your permission, to
commit fraud or other crimes”
Fraud And Related Activity In Connection With
Identification Documents, Authentication Features,
And Information (Title 18, U.S.C. § 1028)
1412/25/2019 1414
14
Part 2 Access Control 14
Security+ Guide to Network Security Fundamentals, Third Edition
14
1414
14 14tohttps://github.com/syaifulahdan/
14
Export and Espionage Laws
Economic Espionage Act of 1996 (EEA)
Security And Freedom Through Encryption Act of
1999 (SAFE)
No teeth…
14
Part 2 Access Control 14
Security+ Guide to Network Security Fundamentals, Third Edition
14
1414
14 14tohttps://github.com/syaifulahdan/
14
Export and Espionage Laws
Economic Espionage Act of 1996 (EEA)
Security And Freedom Through Encryption Act of
1999 (SAFE)
No teeth…
1512/25/2019 1515
15
Part 2 Access Control 15
Security+ Guide to Network Security Fundamentals, Third Edition
15
1515
15 15tohttps://github.com/syaifulahdan/
15
Figure 3-1 – Export and
Espionage
15
Part 2 Access Control 15
Security+ Guide to Network Security Fundamentals, Third Edition
15
1515
15 15tohttps://github.com/syaifulahdan/
15
Figure 3-1 – Export and
Espionage
1612/25/2019 1616
16
Part 2 Access Control 16
Security+ Guide to Network Security Fundamentals, Third Edition
16
1616
16 16tohttps://github.com/syaifulahdan/
16
U.S. Copyright Law
Intellectual property recognized as protected asset
in the U.S.; copyright law extends to electronic
formats
With proper acknowledgment, permissible to
include portions of others’ work as reference
U.S. Copyright Office Web site:
www.copyright.gov
16
Part 2 Access Control 16
Security+ Guide to Network Security Fundamentals, Third Edition
16
1616
16 16tohttps://github.com/syaifulahdan/
16
U.S. Copyright Law
Intellectual property recognized as protected asset
in the U.S.; copyright law extends to electronic
formats
With proper acknowledgment, permissible to
include portions of others’ work as reference
U.S. Copyright Office Web site:
www.copyright.gov
1712/25/2019 1717
17
Part 2 Access Control 17
Security+ Guide to Network Security Fundamentals, Third Edition
17
1717
17 17tohttps://github.com/syaifulahdan/
17
Financial Reporting
Sarbanes-Oxley Act of 2002
Affects executive management of publicly traded
corporations and public accounting firms
Seeks to improve reliability and accuracy of financial
reporting and increase the accountability of corporate
governance in publicly traded companies
Penalties for noncompliance range from fines to jail
terms
17
Part 2 Access Control 17
Security+ Guide to Network Security Fundamentals, Third Edition
17
1717
17 17tohttps://github.com/syaifulahdan/
17
Financial Reporting
Sarbanes-Oxley Act of 2002
Affects executive management of publicly traded
corporations and public accounting firms
Seeks to improve reliability and accuracy of financial
reporting and increase the accountability of corporate
governance in publicly traded companies
Penalties for noncompliance range from fines to jail
terms
1812/25/2019 1818
18
Part 2 Access Control 18
Security+ Guide to Network Security Fundamentals, Third Edition
18
1818
18 18tohttps://github.com/syaifulahdan/
18
Freedom of Information Act of 1966
(FOIA)
Allows access to federal agency records or
information not determined to be matter of national
security
U.S. government agencies required to disclose any
requested information upon receipt of written
request
Some information protected from disclosure
18
Part 2 Access Control 18
Security+ Guide to Network Security Fundamentals, Third Edition
18
1818
18 18tohttps://github.com/syaifulahdan/
18
Freedom of Information Act of 1966
(FOIA)
Allows access to federal agency records or
information not determined to be matter of national
security
U.S. government agencies required to disclose any
requested information upon receipt of written
request
Some information protected from disclosure
1912/25/2019 1919
19
Part 2 Access Control 19
Security+ Guide to Network Security Fundamentals, Third Edition
19
1919
19 19tohttps://github.com/syaifulahdan/
19
Digital Millennium Copyright Act (DMCA)
U.S. contribution to international effort to reduce
impact of copyright, trademark, and privacy
infringement
A response to European Union Directive 95/46/EC,
which adds protection to individuals with regard to
processing and free movement of personal data
19
Part 2 Access Control 19
Security+ Guide to Network Security Fundamentals, Third Edition
19
1919
19 19tohttps://github.com/syaifulahdan/
19
Digital Millennium Copyright Act (DMCA)
U.S. contribution to international effort to reduce
impact of copyright, trademark, and privacy
infringement
A response to European Union Directive 95/46/EC,
which adds protection to individuals with regard to
processing and free movement of personal data
2012/25/2019 2020
20
Part 2 Access Control 20
Security+ Guide to Network Security Fundamentals, Third Edition
20
2020
20 20tohttps://github.com/syaifulahdan/
20
State and Local Regulations
Restrictions on organizational computer technology
use exist at international, national, state, local levels
Information security professional responsible for
understanding state regulations and ensuring
organization is compliant with regulations
20
Part 2 Access Control 20
Security+ Guide to Network Security Fundamentals, Third Edition
20
2020
20 20tohttps://github.com/syaifulahdan/
20
State and Local Regulations
Restrictions on organizational computer technology
use exist at international, national, state, local levels
Information security professional responsible for
understanding state regulations and ensuring
organization is compliant with regulations
2112/25/2019 2121
21
Part 2 Access Control 21
Security+ Guide to Network Security Fundamentals, Third Edition
21
2121
21 21tohttps://github.com/syaifulahdan/
21
International Laws and Legal Bodies
IT professionals and IS practitioners should realize
that when organizations do business on the Internet,
they do business globally
Professionals must be sensitive to laws and ethical
values of many different cultures, societies, and
countries
Because of political complexities of relationships
among nations and differences in culture, there are
few international laws relating to privacy and
information security
These international laws are important but are limited
in their enforceability
21
Part 2 Access Control 21
Security+ Guide to Network Security Fundamentals, Third Edition
21
2121
21 21tohttps://github.com/syaifulahdan/
21
International Laws and Legal Bodies
IT professionals and IS practitioners should realize
that when organizations do business on the Internet,
they do business globally
Professionals must be sensitive to laws and ethical
values of many different cultures, societies, and
countries
Because of political complexities of relationships
among nations and differences in culture, there are
few international laws relating to privacy and
information security
These international laws are important but are limited
in their enforceability
2212/25/2019 2222
22
Part 2 Access Control 22
Security+ Guide to Network Security Fundamentals, Third Edition
22
2222
22 22tohttps://github.com/syaifulahdan/
22
European Union Cyber-Crime Convention
Establishes international task force overseeing
Internet security functions for standardized
international technology laws
Attempts to improve effectiveness of international
investigations into breaches of technology law
Well received by intellectual property rights
advocates due to emphasis on copyright
infringement prosecution
Lacks realistic provisions for enforcement
22
Part 2 Access Control 22
Security+ Guide to Network Security Fundamentals, Third Edition
22
2222
22 22tohttps://github.com/syaifulahdan/
22
European Union Cyber-Crime Convention
Establishes international task force overseeing
Internet security functions for standardized
international technology laws
Attempts to improve effectiveness of international
investigations into breaches of technology law
Well received by intellectual property rights
advocates due to emphasis on copyright
infringement prosecution
Lacks realistic provisions for enforcement
2312/25/2019 2323
23
Part 2 Access Control 23
Security+ Guide to Network Security Fundamentals, Third Edition
23
2323
23 23tohttps://github.com/syaifulahdan/
23
Figure 3-4 – EU Law Portal
23
Part 2 Access Control 23
Security+ Guide to Network Security Fundamentals, Third Edition
23
2323
23 23tohttps://github.com/syaifulahdan/
23
Figure 3-4 – EU Law Portal
2412/25/2019 2424
24
Part 2 Access Control 24
Security+ Guide to Network Security Fundamentals, Third Edition
24
2424
24 24tohttps://github.com/syaifulahdan/
24
Agreement on Trade-Related Aspects of
Intellectual Property Rights
Created by World Trade Organization (WTO)
First significant international effort to protect
intellectual property rights
Agreement covers five issues:
Application of basic principles of trading system and
international intellectual property agreements
Giving adequate protection to intellectual property
rights
Enforcement of those rights by countries in their own
territories
Settling intellectual property disputes
Transitional arrangements while new system is being
introduced
24
Part 2 Access Control 24
Security+ Guide to Network Security Fundamentals, Third Edition
24
2424
24 24tohttps://github.com/syaifulahdan/
24
Agreement on Trade-Related Aspects of
Intellectual Property Rights
Created by World Trade Organization (WTO)
First significant international effort to protect
intellectual property rights
Agreement covers five issues:
Application of basic principles of trading system and
international intellectual property agreements
Giving adequate protection to intellectual property
rights
Enforcement of those rights by countries in their own
territories
Settling intellectual property disputes
Transitional arrangements while new system is being
introduced
2512/25/2019 2525
25
Part 2 Access Control 25
Security+ Guide to Network Security Fundamentals, Third Edition
25
2525
25 25tohttps://github.com/syaifulahdan/
25
United Nations Charter
Makes provisions, to a degree, for information
security during information warfare (IW)
IW involves use of information technology to
conduct organized and lawful military operations
IW is relatively new type of warfare, although
military has been conducting electronic warfare
operations for decades
25
Part 2 Access Control 25
Security+ Guide to Network Security Fundamentals, Third Edition
25
2525
25 25tohttps://github.com/syaifulahdan/
25
United Nations Charter
Makes provisions, to a degree, for information
security during information warfare (IW)
IW involves use of information technology to
conduct organized and lawful military operations
IW is relatively new type of warfare, although
military has been conducting electronic warfare
operations for decades
2612/25/2019 2626
26
Part 2 Access Control 26
Security+ Guide to Network Security Fundamentals, Third Edition
26
2626
26 26tohttps://github.com/syaifulahdan/
26
Ethics and Information Security
26
Part 2 Access Control 26
Security+ Guide to Network Security Fundamentals, Third Edition
26
2626
26 26tohttps://github.com/syaifulahdan/
26
Ethics and Information Security
2712/25/2019 2727
27
Part 2 Access Control 27
Security+ Guide to Network Security Fundamentals, Third Edition
27
2727
27 27tohttps://github.com/syaifulahdan/
27
Ethical Differences Across Cultures
Cultural differences create difficulty in determining
what is and is not ethical
Difficulties arise when one nationality’s ethical
behavior conflicts with ethics of another national
group
Example: many of the ways in which Asian cultures
use computer technology is considered software
piracy by other nations
27
Part 2 Access Control 27
Security+ Guide to Network Security Fundamentals, Third Edition
27
2727
27 27tohttps://github.com/syaifulahdan/
27
Ethical Differences Across Cultures
Cultural differences create difficulty in determining
what is and is not ethical
Difficulties arise when one nationality’s ethical
behavior conflicts with ethics of another national
group
Example: many of the ways in which Asian cultures
use computer technology is considered software
piracy by other nations
2812/25/2019 2828
28
Part 2 Access Control 28
Security+ Guide to Network Security Fundamentals, Third Edition
28
2828
28 28tohttps://github.com/syaifulahdan/
28
Ethics and Education
Overriding factor in leveling ethical perceptions
within a small population is education
Employees must be trained in expected behaviors of
an ethical employee, especially in areas of
information security
Proper ethical training vital to creating informed,
well prepared, and low-risk system user
28
Part 2 Access Control 28
Security+ Guide to Network Security Fundamentals, Third Edition
28
2828
28 28tohttps://github.com/syaifulahdan/
28
Ethics and Education
Overriding factor in leveling ethical perceptions
within a small population is education
Employees must be trained in expected behaviors of
an ethical employee, especially in areas of
information security
Proper ethical training vital to creating informed,
well prepared, and low-risk system user
2912/25/2019 2929
29
Part 2 Access Control 29
Security+ Guide to Network Security Fundamentals, Third Edition
29
2929
29 29tohttps://github.com/syaifulahdan/
29
Deterrence to Unethical and Illegal
Behavior
Three general causes of unethical and illegal
behavior: ignorance, accident, intent
Deterrence: best method for preventing an illegal or
unethical activity; e.g., laws, policies, technical
controls
Laws and policies only deter if three conditions are
present:
Fear of penalty
Probability of being caught
Probability of penalty being administered
29
Part 2 Access Control 29
Security+ Guide to Network Security Fundamentals, Third Edition
29
2929
29 29tohttps://github.com/syaifulahdan/
29
Deterrence to Unethical and Illegal
Behavior
Three general causes of unethical and illegal
behavior: ignorance, accident, intent
Deterrence: best method for preventing an illegal or
unethical activity; e.g., laws, policies, technical
controls
Laws and policies only deter if three conditions are
present:
Fear of penalty
Probability of being caught
Probability of penalty being administered
3012/25/2019 3030
30
Part 2 Access Control 30
Security+ Guide to Network Security Fundamentals, Third Edition
30
3030
30 30tohttps://github.com/syaifulahdan/
30
Codes of Ethics and Professional
Organizations
Several professional organizations have established
codes of conduct/ethics
Codes of ethics can have positive effect;
unfortunately, many employers do not encourage
joining these professional organizations
Responsibility of security professionals to act
ethically and according to policies of employer,
professional organization, and laws of society
30
Part 2 Access Control 30
Security+ Guide to Network Security Fundamentals, Third Edition
30
3030
30 30tohttps://github.com/syaifulahdan/
30
Codes of Ethics and Professional
Organizations
Several professional organizations have established
codes of conduct/ethics
Codes of ethics can have positive effect;
unfortunately, many employers do not encourage
joining these professional organizations
Responsibility of security professionals to act
ethically and according to policies of employer,
professional organization, and laws of society
3112/25/2019 3131
31
Part 2 Access Control 31
Security+ Guide to Network Security Fundamentals, Third Edition
31
3131
31 31tohttps://github.com/syaifulahdan/
31
Association of Computing Machinery
(ACM)
ACM established in 1947 as “the world's first
educational and scientific computing society”
Code of ethics contains references to protecting
information confidentiality, causing no harm,
protecting others’ privacy, and respecting others’
intellectual property
31
Part 2 Access Control 31
Security+ Guide to Network Security Fundamentals, Third Edition
31
3131
31 31tohttps://github.com/syaifulahdan/
31
Association of Computing Machinery
(ACM)
ACM established in 1947 as “the world's first
educational and scientific computing society”
Code of ethics contains references to protecting
information confidentiality, causing no harm,
protecting others’ privacy, and respecting others’
intellectual property
3212/25/2019 3232
32
Part 2 Access Control 32
Security+ Guide to Network Security Fundamentals, Third Edition
32
3232
32 32tohttps://github.com/syaifulahdan/
32
International Information Systems
Security Certification Consortium, Inc.
(ISC)
2
Nonprofit organization focusing on development
and implementation of information security
certifications and credentials
Code primarily designed for information security
professionals who have certification from (ISC)
2
Code of ethics focuses on four mandatory canons
32
Part 2 Access Control 32
Security+ Guide to Network Security Fundamentals, Third Edition
32
3232
32 32tohttps://github.com/syaifulahdan/
32
International Information Systems
Security Certification Consortium, Inc.
(ISC)
2
Nonprofit organization focusing on development
and implementation of information security
certifications and credentials
Code primarily designed for information security
professionals who have certification from (ISC)
2
Code of ethics focuses on four mandatory canons
3312/25/2019 3333
33
Part 2 Access Control 33
Security+ Guide to Network Security Fundamentals, Third Edition
33
3333
33 33tohttps://github.com/syaifulahdan/
33
System Administration, Networking, and
Security Institute (SANS)
Professional organization with a large membership
dedicated to protection of information and systems
SANS offers set of certifications called Global
Information Assurance Certification (GIAC)
33
Part 2 Access Control 33
Security+ Guide to Network Security Fundamentals, Third Edition
33
3333
33 33tohttps://github.com/syaifulahdan/
33
System Administration, Networking, and
Security Institute (SANS)
Professional organization with a large membership
dedicated to protection of information and systems
SANS offers set of certifications called Global
Information Assurance Certification (GIAC)
3412/25/2019 3434
34
Part 2 Access Control 34
Security+ Guide to Network Security Fundamentals, Third Edition
34
3434
34 34tohttps://github.com/syaifulahdan/
34
Information Systems Audit and Control
Association (ISACA)
Professional association with focus on auditing,
control, and security
Concentrates on providing IT control practices and
standards
ISACA has code of ethics for its professionals
34
Part 2 Access Control 34
Security+ Guide to Network Security Fundamentals, Third Edition
34
3434
34 34tohttps://github.com/syaifulahdan/
34
Information Systems Audit and Control
Association (ISACA)
Professional association with focus on auditing,
control, and security
Concentrates on providing IT control practices and
standards
ISACA has code of ethics for its professionals
3512/25/2019 3535
35
Part 2 Access Control 35
Security+ Guide to Network Security Fundamentals, Third Edition
35
3535
35 35tohttps://github.com/syaifulahdan/
35
Information Systems Security
Association (ISSA)
Nonprofit society of information security (IS)
professionals
Primary mission to bring together qualified IS
practitioners for information exchange and
educational development
Promotes code of ethics similar to (ISC)
2, ISACA,
and ACM
35
Part 2 Access Control 35
Security+ Guide to Network Security Fundamentals, Third Edition
35
3535
35 35tohttps://github.com/syaifulahdan/
35
Information Systems Security
Association (ISSA)
Nonprofit society of information security (IS)
professionals
Primary mission to bring together qualified IS
practitioners for information exchange and
educational development
Promotes code of ethics similar to (ISC)
2, ISACA,
and ACM
3612/25/2019 3636
36
Part 2 Access Control 36
Security+ Guide to Network Security Fundamentals, Third Edition
36
3636
36 36tohttps://github.com/syaifulahdan/
36
Key U.S. Federal Agencies
Department of Homeland Security (DHS)
Federal Bureau of Investigation’s National
InfraGard Program
National Security Agency (NSA)
U.S. Secret Service
36
Part 2 Access Control 36
Security+ Guide to Network Security Fundamentals, Third Edition
36
3636
36 36tohttps://github.com/syaifulahdan/
36
Key U.S. Federal Agencies
Department of Homeland Security (DHS)
Federal Bureau of Investigation’s National
InfraGard Program
National Security Agency (NSA)
U.S. Secret Service
3712/25/2019 3737
37
Part 2 Access Control 37
Security+ Guide to Network Security Fundamentals, Third Edition
37
3737
37 37tohttps://github.com/syaifulahdan/
37
Summary
Laws: rules that mandate or prohibit certain
behavior in society; drawn from ethics
Ethics: define socially acceptable behaviors; based
on cultural mores (fixed moral attitudes or customs
of a particular group)
Types of law: civil, criminal, private, public
37
Part 2 Access Control 37
Security+ Guide to Network Security Fundamentals, Third Edition
37
3737
37 37tohttps://github.com/syaifulahdan/
37
Summary
Laws: rules that mandate or prohibit certain
behavior in society; drawn from ethics
Ethics: define socially acceptable behaviors; based
on cultural mores (fixed moral attitudes or customs
of a particular group)
Types of law: civil, criminal, private, public
3812/25/2019 3838
38
Part 2 Access Control 38
Security+ Guide to Network Security Fundamentals, Third Edition
38
3838
38 38tohttps://github.com/syaifulahdan/
38
Summary (continued)
Relevant U.S. laws:
Computer Fraud and Abuse Act of 1986 (CFA Act)
National Information Infrastructure Protection Act of
1996
USA PATRIOT Act of 2001
USA PATRIOT Improvement and Reauthorization
Act
Computer Security Act of 1987
38
Part 2 Access Control 38
Security+ Guide to Network Security Fundamentals, Third Edition
38
3838
38 38tohttps://github.com/syaifulahdan/
38
Summary (continued)
Relevant U.S. laws:
Computer Fraud and Abuse Act of 1986 (CFA Act)
National Information Infrastructure Protection Act of
1996
USA PATRIOT Act of 2001
USA PATRIOT Improvement and Reauthorization
Act
Computer Security Act of 1987
3912/25/2019 3939
39
Part 2 Access Control 39
Security+ Guide to Network Security Fundamentals, Third Edition
39
3939
39 39tohttps://github.com/syaifulahdan/
39
Summary (continued)
Many organizations have codes of conduct and/or
codes of ethics
Organization increases liability if it refuses to take
measures known as due care
Due diligence requires that organization make valid
effort to protect others and continually maintain that
effort
39
Part 2 Access Control 39
Security+ Guide to Network Security Fundamentals, Third Edition
39
3939
39 39tohttps://github.com/syaifulahdan/
39
Summary (continued)
Many organizations have codes of conduct and/or
codes of ethics
Organization increases liability if it refuses to take
measures known as due care
Due diligence requires that organization make valid
effort to protect others and continually maintain that
effort
Tags
Categories
GeneralDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 7,151
- Slides 39
- Favorites 1
- Age 2170 days
Related Slideshows
22
Pray For The Peace Of Jerusalem and You Will Prosper
RodolfoMoralesMarcuc
32 views
26
Don_t_Waste_Your_Life_God.....powerpoint
chalobrido8
33 views
31
VILLASUR_FACTORS_TO_CONSIDER_IN_PLATING_SALAD_10-13.pdf
JaiJai148317
31 views
14
Fertility awareness methods for women in the society
Isaiah47
30 views
35
Chapter 5 Arithmetic Functions Computer Organisation and Architecture
RitikSharma297999
27 views
5
syakira bhasa inggris (1) (1).pptx.......
ourcommunity56
29 views