CHAPTER 3
• Describe the functions of and relationships among laws, regulations, and professional
organizations in information security
• Differentiate between laws and ethics
• Identify major national laws that affect the practice of information security
Key Terms
• Cultural mores. The fixed moral attitudes or customs of a particular group.
• Ethics. Codes or principles of an individual or group that regulate and define
acceptable behavior.
• Laws. Rules that mandate or prohibit certain behavior and are enforced by the state.
• The key difference between laws and ethics is that laws carry the authority of a governing body
and ethics do not.
• Ethics are based on cultural mores.
• Some ethical standards are universal.
• For example, murder, theft, assault, and arson are actions that deviate from ethical and legal
codes throughout the world.
• Due care. The legal standard that requires a prudent organization and its employees to
act legally and ethically and know the consequences of their actions. Also referred to
as the standard of due care.
• Due diligence. Considered as the subset of the standard of due care, the legal standard
that requires a prudent organization and its employees to maintain the standard of due
care and ensure that their actions are effective. Also referred to as the standard of due
diligence.
• Jurisdiction. A court’s right to hear a case if a wrong is committed in its territory or
involves its citizenry.
Key Terms
• Liability. The legal obligation of an entity that extends beyond criminal or contract law.
• Long-arm jurisdiction. The application of laws to people currently residing outside a
court’s normal jurisdiction, usually granted when a person performs an illegal action
within the court’s jurisdiction and then leaves.
• Restitution. The legal obligation to compensate an injured party for wrongs committed.
• What if an organization does not demand or even encourage strong ethical behavior from its
employees?
• What if an organization does not behave ethically?
• Even if there is no breach of criminal law, there can still be liability - legal responsibility.
• Liability includes the legal obligation to make restitution for wrongs committed.
• The bottom line is that if an employee performs an illegal or unethical act that causes some
degree of harm, the employer can be held financially liable for that action, regardless of whether
the employer authorized the act.
• An organization increases its liability if it refuses to take measures known as due care.
• Similarly, due diligence requires that an organization make a valid attempt to continually
maintain this level of effort.
• Whereas due care means the organization acts legally and ethically, due diligence means it
ensures compliance with this level of expected behavior.
• Given the Internet’s global reach, those who could be injured or wronged by an organization’s
employees might live anywhere in the world.
• Under the U.S. legal system, any court can assert its authority over an individual or organization
if it can establish jurisdiction.
• This is sometimes referred to as long-arm jurisdiction when laws are stretched to apply to
parties in distant locations.
• Trying a case in the injured party’s home area is usually favorable to the injured party.
• Policies. Managerial directives that specify acceptable and unacceptable behavior in the
workplace.
• Within an organization, information security professionals help maintain security, via the
establishment and enforcement of policies.
• Policies function as organizational laws, complete with penalties, judicial practices, and
sanctions to require compliance.
• Because these policies function as laws, they must be crafted and implemented with the same
care to ensure that they are complete, appropriate, and fairly applied to everyone in the
workplace.
• The difference between a policy and a law, however, is that ignorance of a policy is an
acceptable defense.
Only when all of the conditions are met can an organization penalize employees
who violate a policy without fear of legal retribution.
Types of Law
• Civil law comprises a wide variety of laws that govern a nation or state and deal with the
relationships and conflicts between organizations and people.
• Criminal law addresses activities and conduct harmful to society, and is actively enforced by
the state.
• Law can also be categorized as private or public.
• Private law encompasses family law, commercial law, and labor law, and regulates the
relationship between individuals and organizations.
• Public law regulates the structure and administration of government agencies and their
relationships with citizens, employees, and other governments. Public law includes criminal,
administrative, and constitutional law.
Philippine Laws
• Republic Act No. 10173 – An act protecting individual personal information in information and
communications systems in the government and the private sector, creating for this purpose a
national privacy commission, and for other purposes. (The Data Privacy Act of 2012)
• Republic Act No. 10175 – An act defining cybercrime, providing for the prevention,
investigation, suppression and the imposition of penalties therefor and for other purposes. (The
Cybercrime Prevention Act of 2012)
• It aims to address legal issues concerning online interactions and the Internet in the
Philippines.
Privacy
• Aggregate information. Collective data that relates to a group or category of people and that
has been altered to remove characteristics or components that make it possible to identify
individuals within the group. Not to be confused with information aggregation.
• Information aggregation. Pieces of nonprivate data that, when combined, may create
information that violates privacy. Not to be confused with aggregate information.
• Privacy. In the context of information security, the right of individuals or groups to protect
themselves and their information from unauthorized access, providing confidentiality.
Identity Theft
• Identity Theft. The unauthorized taking of personally identifiable information with the intent
of committing fraud and abuse of a person’s financial and personal reputation, purchasing goods
and services without authorization, and generally impersonating the victim for illegal or
unethical purposes.
• Personally identifiable information (PII). Information about a person’s history, background
and attributes that can be used to commit identity theft. This information typically includes a
person’s name, address, SSS Number, family information, employment history, and financial
information.
• Related to privacy legislation is the growing body of law on identity theft.
• Identity theft can occur when someone steals a victim’s personally identifiable information (PII)
and uses it to purchase goods and services, or to conduct other actions while posing as the victim.
• The Ten Commandments of Computer Ethics from the Computer Ethics Institute
1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people’s computer work.
3. Thou shalt not snoop around in other people’s computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people’s computer resources without authorization or proper
compensation.
8. Thou shalt not appropriate other people’s intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the
system you are designing.
10. Thou shalt always use a computer in ways that ensure consideration and respect for your
fellow humans.
• Fear of penalty. Potential offenders must fear the penalty. Threats of informal
reprimand or verbal warnings do not have the same impact as the threat of
imprisonment or forfeiture of pay.
• Probability of being apprehended. Potential offenders must believe there is a
strong possibility of being caught.
• Probability of penalty being applied. Potential offenders must believe that the
penalty will be administered.
• For the purposes of this Code, the following terms are defined as follows:
• Information Technology. The preparation, collection, creation, transport, retrieval,
storage, access, presentation and transformation of electronic information in all its forms
including, but not limited to, voice, graphics, text, video, data and image.
• Information Technology Professional. One who develops or provides information
technology products and/or services to the public.
Preamble
I will use my special knowledge and skills for the benefit of the public. I will serve employers and
clients with integrity, subject to an overriding responsibility to the public interest, and I will strive to
enhance the competence and prestige of the professional. By these, I mean:
• I will promote public knowledge, understanding and appreciation of information
technology;
• I will consider the general welfare and public good in the performance of my work;
• I will advertise the goods or professional services in a clear and truthful manner;
• I will comply and strictly abide by the intellectual property laws, patent laws and other
related laws in respect of information technology;
• I will accept full responsibility for the work undertaken and will utilize my skills with
competence and professionalism;
• I will make truthful statements on my areas of competence as well as the capabilities
and qualities of my products and services;
• I will not disclose or use any confidential information obtained in the course of
professional duties without the consent of the parties concerned, except when required
by law;
• I will try to attain the highest quality in both the products and services I offer;
• I will not knowingly participate in the development of Information Technology Systems
that will promote the commission of fraud and other unlawful acts;
• I will uphold and improve the IT professional standards through continuing professional
development in order to enhance the IT profession.