Legal, Ethical and professional issues in Information Security
4,863 views
24 slides
May 30, 2023
Slide 1 of 24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
About This Presentation
Principles of Information Security, and Legal, Ethical and professional issues in Information Security, all of these topics are covered in here.
Slide Content
Principles of Information Security, 2nd Edition 2
Introduction
You must understand scope of an organization’s legal and
ethical responsibilities
To minimize liabilities/reduce risks, the information
security practitioner must:
Understand current legal environment
Stay current with laws and regulations
Watch for new issues that emerge
Introduction
You must understand scope of an organization’s legal and
ethical responsibilities
To minimize liabilities/reduce risks, the information
security practitioner must:
Understand current legal environment
Stay current with laws and regulations
Watch for new issues that emerge
Principles of Information Security, 2nd Edition 3
Law and Ethics in Information Security
Laws: rules that mandate or prohibit certain societal
behavior
Ethics: define socially acceptable behavior
Cultural mores: fixed moral attitudes or customs of a
particular group; ethics based on these
Laws carry sanctions of a governing authority; ethics do not
Law and Ethics in Information Security
Laws: rules that mandate or prohibit certain societal
behavior
Ethics: define socially acceptable behavior
Cultural mores: fixed moral attitudes or customs of a
particular group; ethics based on these
Laws carry sanctions of a governing authority; ethics do not
Organizational Liability and need of Council
Liability:
Legal obligation of an entity that extends beyond
criminal or contract law.
Includes obligation to make restitution, or compensate
for, wrongs committed by an organization or its
employees.
4
Liability:
Legal obligation of an entity that extends beyond
criminal or contract law.
Includes obligation to make restitution, or compensate
for, wrongs committed by an organization or its
employees.
4
Organizational Liability and need of Council
Due care**
Must ensure that every employee knows
what is acceptable or unacceptable behavior ,consequences of illegal or
unethical actions.
Due diligence**
Requires the organization to make a valid effort to protect others continually
maintain this level of effort.
Jurisdiction**
A court's right to hear a case if a wrong was committed in its territory, or
involves its citizenry
Long arm jurisdiction**
To draw an accused individual into its court systems from around the world
or across the country.
5
Due care**
Must ensure that every employee knows
what is acceptable or unacceptable behavior ,consequences of illegal or
unethical actions.
Due diligence**
Requires the organization to make a valid effort to protect others continually
maintain this level of effort.
Jurisdiction**
A court's right to hear a case if a wrong was committed in its territory, or
involves its citizenry
Long arm jurisdiction**
To draw an accused individual into its court systems from around the world
or across the country.
5
Principles of Information Security, 2nd Edition 6
Types of Law
Civil
Criminal
Private
Public
Types of Law
Civil
Criminal
Private
Public
Principles of Information Security, 2nd Edition 7
Relevant U.S. Laws (General)
Computer Fraud and Abuse Act of 1986 (CFA Act)
National Information Infrastructure Protection Act of 1996
USA Patriot Act of 2001
Telecommunications Deregulation and Competition Act
of 1996
Communications Decency Act of 1996 (CDA)
Computer Security Act of 1987
Relevant U.S. Laws (General)
Computer Fraud and Abuse Act of 1986 (CFA Act)
National Information Infrastructure Protection Act of 1996
USA Patriot Act of 2001
Telecommunications Deregulation and Competition Act
of 1996
Communications Decency Act of 1996 (CDA)
Computer Security Act of 1987
Principles of Information Security, 2nd Edition 8
Privacy
One of the hottest topics in information security
Is a “state of being free from unsanctioned intrusion”
Ability to aggregate data from multiple sources allows
creation of information databases previously unheard of
Privacy
One of the hottest topics in information security
Is a “state of being free from unsanctioned intrusion”
Ability to aggregate data from multiple sources allows
creation of information databases previously unheard of
Principles of Information Security, 2nd Edition 9
Export and Espionage Laws
Economic Espionage Act of 1996 (EEA)
Security And Freedom Through Encryption Act of 1999
(SAFE)
Export and Espionage Laws
Economic Espionage Act of 1996 (EEA)
Security And Freedom Through Encryption Act of 1999
(SAFE)
Principles of Information Security, 2nd Edition 10
U.S. Copyright Law
Intellectual property is recognized as a protected asset in
the U.S.; copyright law extends to electronic formats.
With proper acknowledgment, permissible to include
portions of others’ work as a reference.
As long as proper acknowledgment is provided to the
original author, it is entirely permissible.
U.S. Copyright Law
Intellectual property is recognized as a protected asset in
the U.S.; copyright law extends to electronic formats.
With proper acknowledgment, permissible to include
portions of others’ work as a reference.
As long as proper acknowledgment is provided to the
original author, it is entirely permissible.
Principles of Information Security, 2nd Edition 11
Freedom of Information Act of 1966 (FOIA)
Allows access to federal agency records or information
not determined to be matter of national security
U.S. government agencies required to disclose any
requested information upon receipt of written request
Some information protected from disclosure
Freedom of Information Act of 1966 (FOIA)
Allows access to federal agency records or information
not determined to be matter of national security
U.S. government agencies required to disclose any
requested information upon receipt of written request
Some information protected from disclosure
Principles of Information Security, 2nd Edition 12
State and Local Regulations
Restrictions on organizational computer technology use
exist at international, national, state, local levels
Information security professional responsible for
understanding state regulations and ensuring
organization is compliant with regulations
State and Local Regulations
Restrictions on organizational computer technology use
exist at international, national, state, local levels
Information security professional responsible for
understanding state regulations and ensuring
organization is compliant with regulations
Principles of Information Security, 2nd Edition 13
International Laws and Legal Bodies
European Council Cyber-Crime Convention:
Establishes international task force overseeing Internet
security functions for standardized international
technology laws
Attempts to improve effectiveness of international
investigations into breaches of technology law
Well received by intellectual property rights advocates due
to emphasis on copyright infringement prosecution
Lacks realistic provisions for enforcement
International Laws and Legal Bodies
European Council Cyber-Crime Convention:
Establishes international task force overseeing Internet
security functions for standardized international
technology laws
Attempts to improve effectiveness of international
investigations into breaches of technology law
Well received by intellectual property rights advocates due
to emphasis on copyright infringement prosecution
Lacks realistic provisions for enforcement
14
International Laws and Legal Bodies
Few international laws relating to privacy and information
security.
European Council Cyber-Crime Convention
2001. Creates an international task force
Improve the effectiveness of international investigations
Emphasis on copyright infringement prosecution
Lacks realistic provisions for enforcement
WTO Agreement on Intellectual Property Rights
Intellectual property rules for the multilateral trade systems.
Digital Millennium Copyright Act**
U.S. contribution to international effort to reduce impact of
copyright, trademark, and privacy infringement .
International Laws and Legal Bodies
Few international laws relating to privacy and information
security.
European Council Cyber-Crime Convention
2001. Creates an international task force
Improve the effectiveness of international investigations
Emphasis on copyright infringement prosecution
Lacks realistic provisions for enforcement
WTO Agreement on Intellectual Property Rights
Intellectual property rules for the multilateral trade systems.
Digital Millennium Copyright Act**
U.S. contribution to international effort to reduce impact of
copyright, trademark, and privacy infringement .
15
Policy Versus Law
Most organizations develop and formalize a body of
expectations called policy
Policies serve as organizational laws
To be enforceable, policy:
Disseminate.
Reviewed.
Comprehend.
Compliance.
Policy Versus Law
Most organizations develop and formalize a body of
expectations called policy
Policies serve as organizational laws
To be enforceable, policy:
Disseminate.
Reviewed.
Comprehend.
Compliance.
Principles of Information Security, 2nd Edition 16
Ethics and Information Security
“thou Shalt” is known for “you shall”
Ethics and Information Security
“thou Shalt” is known for “you shall”
Principles of Information Security, 2nd Edition 17
Ethical Differences Across Cultures
Cultural differences create difficulty in determining what is
and is not ethical
Difficulties arise when one nationality’s ethical behavior
conflicts with ethics of another national group
Example: many of ways in which Asian cultures use
computer technology is software piracy
Ethical Differences Across Cultures
Cultural differences create difficulty in determining what is
and is not ethical
Difficulties arise when one nationality’s ethical behavior
conflicts with ethics of another national group
Example: many of ways in which Asian cultures use
computer technology is software piracy
Principles of Information Security, 2nd Edition 18
Ethics and Education
Overriding factor in leveling ethical perceptions within a
small population is education
Employees must be trained in expected behaviors of an
ethical employee, especially in areas of information
security
Proper ethical training vital to creating informed, well
prepared, and low-risk system user
Ethics and Education
Overriding factor in leveling ethical perceptions within a
small population is education
Employees must be trained in expected behaviors of an
ethical employee, especially in areas of information
security
Proper ethical training vital to creating informed, well
prepared, and low-risk system user
Principles of Information Security, 2nd Edition 19
Deterrence (ماھت کور) to Unethical and Illegal
Behavior
Deterrence: best method for preventing an illegal or
unethical activity; e.g., laws, policies, technical controls
Laws and policies only deter if three conditions are
present:
Fear of penalty
Probability of being caught
Probability of penalty being administered
Deterrence (ماھت کور) to Unethical and Illegal
Behavior
Deterrence: best method for preventing an illegal or
unethical activity; e.g., laws, policies, technical controls
Laws and policies only deter if three conditions are
present:
Fear of penalty
Probability of being caught
Probability of penalty being administered
Principles of Information Security, 2nd Edition 20
Codes of Ethics and Professional Organizations
Several professional organizations have established
codes of conduct/ethics
Codes of ethics can have positive effect; unfortunately,
many employers do not encourage joining of these
professional organizations
Responsibility of security professionals to act ethically
and according to policies of employer, professional
organization, and laws of society
Codes of Ethics and Professional Organizations
Several professional organizations have established
codes of conduct/ethics
Codes of ethics can have positive effect; unfortunately,
many employers do not encourage joining of these
professional organizations
Responsibility of security professionals to act ethically
and according to policies of employer, professional
organization, and laws of society
Major IT Professional Organizations and Ethics
Association for Computing Machinery (ACM)
promotes education and provides discounts for students
educational and scientific computing society
International Information Systems Security Certification Consortium (ISC
2
)
develops and implements information security certifications and
credentials
System Administration, Networking, and Security Institute (SANS)
Global Information Assurance Certifications (GIAC)
Information Systems Audit and Control Association (ISACA)
focus on auditing, control and security
Computer Security Institute (CSI)
sponsors education and training for information security
Information Systems Security Association (ISSA)
information exchange and educational development for information
security practitioners
21
Association for Computing Machinery (ACM)
promotes education and provides discounts for students
educational and scientific computing society
International Information Systems Security Certification Consortium (ISC
2
)
develops and implements information security certifications and
credentials
System Administration, Networking, and Security Institute (SANS)
Global Information Assurance Certifications (GIAC)
Information Systems Audit and Control Association (ISACA)
focus on auditing, control and security
Computer Security Institute (CSI)
sponsors education and training for information security
Information Systems Security Association (ISSA)
information exchange and educational development for information
security practitioners
21
Principles of Information Security, 2nd Edition 22
Key U.S. Federal Agencies
Department of Homeland Security (DHS)
Federal Bureau of Investigation’s National Infrastructure
Protection Center (NIPC)
National Security Agency (NSA)
U.S. Secret Service
Key U.S. Federal Agencies
Department of Homeland Security (DHS)
Federal Bureau of Investigation’s National Infrastructure
Protection Center (NIPC)
National Security Agency (NSA)
U.S. Secret Service
Principles of Information Security, 2nd Edition 23
Organizational Liability(یراد ہمذ) and the
Need for Counsel
Liability is legal obligation of an entity; includes legal
obligation to make restitution for wrongs committed
Organization increases liability if it refuses to take
measures known as due care
Due diligence requires that an organization make valid
effort to protect others and continually maintain that level
of effort
Organizational Liability(یراد ہمذ) and the
Need for Counsel
Liability is legal obligation of an entity; includes legal
obligation to make restitution for wrongs committed
Organization increases liability if it refuses to take
measures known as due care
Due diligence requires that an organization make valid
effort to protect others and continually maintain that level
of effort
Principles of Information Security, 2nd Edition 24
Summary
Many organizations have codes of conduct and/or codes
of ethics
Organization increases liability if it refuses to take
measures known as due care
Due diligence requires that organization make valid effort
to protect others and continually maintain that effort
Summary
Many organizations have codes of conduct and/or codes
of ethics
Organization increases liability if it refuses to take
measures known as due care
Due diligence requires that organization make valid effort
to protect others and continually maintain that effort
Categories
GeneralDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 4,863
- Slides 24
- Age 916 days
Related Slideshows
22
Pray For The Peace Of Jerusalem and You Will Prosper
RodolfoMoralesMarcuc
30 views
26
Don_t_Waste_Your_Life_God.....powerpoint
chalobrido8
32 views
31
VILLASUR_FACTORS_TO_CONSIDER_IN_PLATING_SALAD_10-13.pdf
JaiJai148317
30 views
14
Fertility awareness methods for women in the society
Isaiah47
29 views
35
Chapter 5 Arithmetic Functions Computer Organisation and Architecture
RitikSharma297999
26 views
5
syakira bhasa inggris (1) (1).pptx.......
ourcommunity56
28 views