
CMSC 120 INFORMATION ASSURANCE AND SECURITY BSCS 4

CHAPTER 3

LEGAL, ETHICAL, AND PROFESSIONAL ISSUES IN INFORMATION SECURITY

At the end of the chapter, the learners should be able to:

• Describe the functions of and relationships among laws, regulations, and professional
organizations in information security
• Differentiate between laws and ethics
• Identify major national laws that affect the practice of information security

Total Learning Time: Week 5 (3 hours)

Laws and Ethics in Information Security

• Key Terms
• Cultural mores. The fixed moral attitudes or customs of a particular group.
• Ethics. Codes or principles of an individual or group that regulate and define
acceptable behavior.
• Laws. Rules that mandate or prohibit certain behavior and are enforced by the state.

• The key difference between laws and ethics is that laws carry the authority of a governing body
and ethics do not.
• Ethics are based on cultural mores.
• Some ethical standards are universal.
• For example, murder, theft, assault, and arson are actions that deviate from ethical and legal
codes throughout the world.

• Due care. The legal standard that requires a prudent organization and its employees to
act legally and ethically and know the consequences of their actions. Also referred to
as the standard of due care.
• Due diligence. Considered as the subset of the standard of due care, the legal standard
that requires a prudent organization and its employees to maintain the standard of due
care and ensure that their actions are effective. Also referred to as the standard of due
diligence.
• Jurisdiction. A court’s right to hear a case if a wrong is committed in its territory or
involves its citizenry.

Organizational Liability and the Need for Counsel

• Key Terms
• Liability. The legal obligation of an entity that extends beyond criminal or contract law.
• Long-arm jurisdiction. The application of laws to people currently residing outside a
court’s normal jurisdiction, usually granted when a person performs an illegal action
within the court’s jurisdiction and then leaves.
• Restitution. The legal obligation to compensate an injured party for wrongs committed.

• What if an organization does not demand or even encourage strong ethical behavior from its
employees?
• What if an organization does not behave ethically?
• Even if there is no breach of criminal law, there can still be liability - legal responsibility.
• Liability includes the legal obligation to make restitution for wrongs committed.

Ms. Olga Llanera Course Facilitator Page | 1


• The bottom line is that if an employee performs an illegal or unethical act that causes some
degree of harm, the employer can be held financially liable for that action, regardless of whether
the employer authorized the act.
• An organization increases its liability if it refuses to take measures known as due care.
• Similarly, due diligence requires that an organization make a valid attempt to continually
maintain this level of effort.
• Whereas due care means the organization acts legally and ethically, due diligence means it
ensures compliance with this level of expected behavior.
• Given the Internet’s global reach, those who could be injured or wronged by an organization’s
employees might live anywhere in the world.
• Under the U.S. legal system, any court can assert its authority over an individual or organization
if it can establish jurisdiction.
• This is sometimes referred to as long-arm jurisdiction when laws are stretched to apply to
parties in distant locations.
• Trying a case in the injured party’s home area is usually favorable to the injured party.

Policy Versus Law

• Policies. Managerial directives that specify acceptable and unacceptable behavior in the
workplace.
• Within an organization, information security professionals help maintain security, via the
establishment and enforcement of policies.
• Policies function as organizational laws, complete with penalties, judicial practices, and
sanctions to require compliance.
• Because these policies function as laws, they must be crafted and implemented with the same
care to ensure that they are complete, appropriate, and fairly applied to everyone in the
workplace.

• The difference between a policy and a law, however, is that ignorance of a policy is an
acceptable defense.

• Criteria to enforce a policy:


• Dissemination (distribution): The organization must be able to demonstrate
that the relevant policy has been made readily available for review by the
employee. Common dissemination techniques include hard copy and electronic
distribution.
• Review (reading): The organization must be able to demonstrate that it
disseminated the document in an intelligible form, including versions for
employees who are illiterate, reading-impaired, or unable to read English.
Common techniques include recordings of the policy in English and alternate
languages.
• Comprehension (understanding): The organization must be able to
demonstrate that the employee understands the requirements and content of the
policy. Common techniques include quizzes and other assessments.
• Compliance (agreement): The organization must be able to demonstrate that
the employee agreed to comply with the policy through act or affirmation.
Common techniques include logon banners, which require a specific action
(mouse click or keystroke) to acknowledge agreement, or a signed
document clearly indicating the employee has read, understood, and agreed to
comply with the policy.
• Uniform enforcement: The organization must be able to demonstrate that the
policy has been uniformly enforced, regardless of employee status or
assignment.

Only when all of the conditions are met can an organization penalize employees
who violate a policy without fear of legal retribution.


Types of Law

• Civil law comprises a wide variety of laws that govern a nation or state and deal with the
relationships and conflicts between organizations and people.
• Criminal law addresses activities and conduct harmful to society, and is actively enforced by
the state. Law can also be categorized as private or public.
• Private law encompasses family law, commercial law, and labor law, and regulates the
relationship between individuals and organizations.
• Public law regulates the structure and administration of government agencies and their
relationships with citizens, employees, and other governments. Public law includes criminal,
administrative, and constitutional law.

Philippine Laws

• Republic Act No. 10173 – An act protecting individual personal information in information and
communications systems in the government and the private sector, creating for this purpose a
National Privacy Commission, and for other purposes. (The Data Privacy Act of 2012)
• Republic Act No. 10175 – An act defining cybercrime, providing for the prevention,
investigation, suppression and the imposition of penalties therefor and for other purposes. (The
Cybercrime Prevention Act of 2012)
• It aims to address legal issues concerning online interactions and the Internet in the
Philippines.

Privacy

• Aggregate information. Collective data that relates to a group or category of people and that
has been altered to remove characteristics or components that make it possible to identify
individuals within the group. Not to be confused with information aggregation.
• Information aggregation. Pieces of nonprivate data that, when combined, may create
information that violates privacy. Not to be confused with aggregate information.
• Privacy. In the context of information security, the right of individuals or groups to protect
themselves and their information from unauthorized access, providing confidentiality.

Identity Theft

• Identity Theft. The unauthorized taking of personally identifiable information with the intent
of committing fraud and abuse of a person’s financial and personal reputation, purchasing goods
and services without authorization, and generally impersonating the victim for illegal or
unethical purposes.
• Personally identifiable information (PII). Information about a person’s history, background
and attributes that can be used to commit identity theft. This information typically includes a
person’s name, address, SSS Number, family information, employment history, and financial
information.
• Related to privacy legislation is the growing body of law on identity theft.
• Identity theft can occur when someone steals a victim’s personally identifiable information (PII)
and uses it to purchase goods and services or conduct other actions while posing as the victim.

Ethics and Information Security

• The Ten Commandments of Computer Ethics from the Computer Ethics Institute
1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people’s computer work.
3. Thou shalt not snoop around in other people’s computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.

7. Thou shalt not use other people’s computer resources without authorization or proper
compensation.
8. Thou shalt not appropriate other people’s intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the
system you are designing.
10. Thou shalt always use a computer in ways that ensure consideration and respect for your
fellow humans.

Ethics and Information Security

• Ethical Differences Across Cultures


• Cultural differences can make it difficult to determine what is ethical and what is not –
especially when it comes to the use of computers.
• Studies on ethics and computer use reveal that people of different nationalities have
different perspectives; difficulties arise when one nationality’s ethical behavior violates
the ethics of another national group.
• Ethics and Education
• Attitudes toward the ethics of computer use are affected by many factors other than
nationality.
• Differences are found among people within the same country, within the same social
class, and within the same company.
• Key studies reveal that education is the overriding factor in leveling ethical perceptions
within a small population.
• Employees must be trained and kept aware of many topics related to information
security, not the least of which is the expected behavior of an ethical employee.
• This education is especially important in information security, as many employees may
not have the formal technical training to understand that their behavior is unethical or
even illegal.
• Proper ethical and legal training is vital to creating an informed and well-prepared
system user.

• Deterring Unethical and Illegal Behavior


• There are three general causes of unethical and illegal behavior:
• Ignorance. Ignorance of the law is no excuse; however, ignorance of policy and
procedures is. The first method of deterrence is education, which is
accomplished by designing, publishing, and disseminating an organization’s
policies and relevant laws, and obtaining agreement to comply with these
policies and laws from all members of the organization. Reminders, training,
and awareness programs keep policy information in front of employees to
support retention and compliance.
• Accident. People who have authorization and privileges to manage information
within the organization are most likely to cause harm or damage by accident.
Careful planning and control prevent accidental modification to systems and
data.
• Intent. Criminal or unethical intent goes to the state of the mind of the person
performing the act; it is often necessary to establish criminal intent to
successfully prosecute offenders. Protecting a system against those with intent
to cause harm or damage is best accomplished by means of technical controls,
and vigorous litigation or prosecution if these controls fail.
• Whatever the cause of illegal, immoral, or unethical behavior, one thing is certain:
information security personnel must do everything in their power to deter these acts and
to use policy, education and training, and technology to protect information and
systems.
• Many security professionals understand the technology aspect of protection but
underestimate the value of policy.
• However, laws, policies, and their associated penalties only provide deterrence if three
conditions are present:


• Fear of penalty. Potential offenders must fear the penalty. Threats of informal
reprimand or verbal warnings do not have the same impact as the threat of
imprisonment or forfeiture of pay.
• Probability of being apprehended. Potential offenders must believe there is a
strong possibility of being caught.
• Probability of penalty being applied. Potential offenders must believe that the
penalty will be administered.

Code of Ethics of the Filipino Computing and Information Technology Professional

• For the purposes of this Code, the following terms are defined as follows:
• Information Technology. The preparation, collection, creation, transport, retrieval,
storage, access, presentation and transformation of electronic information in all its forms
including, but not limited to, voice, graphics, text, video, data and image.
• Information Technology Professional. One who develops or provides information
technology products and/or services to the public.

Preamble

I will use my special knowledge and skills for the benefit of the public. I will serve employers and
clients with integrity, subject to an overriding responsibility to the public interest, and I will strive to
enhance the competence and prestige of the profession. By these, I mean:
• I will promote public knowledge, understanding and appreciation of information
technology;
• I will consider the general welfare and public good in the performance of my work;
• I will advertise the goods or professional services in a clear and truthful manner;
• I will comply and strictly abide by the intellectual property laws, patent laws and other
related laws in respect of information technology;
• I will accept full responsibility for the work undertaken and will utilize my skills with
competence and professionalism;
• I will make truthful statements on my areas of competence as well as the capabilities
and qualities of my products and services;
• I will not disclose or use any confidential information obtained in the course of
professional duties without the consent of the parties concerned, except when required
by law;
• I will try to attain the highest quality in both the products and services I offer;
• I will not knowingly participate in the development of Information Technology Systems
that will promote the commission of fraud and other unlawful acts;
• I will uphold and improve the IT professional standards through continuing professional
development in order to enhance the IT profession.

