Professional Documents
Culture Documents
Whitman Ch03
Whitman Ch03
Sixth Edition
Chapter 3
Legal, Ethical,
and Professional
Issues in
Information
Security
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Learning Objectives
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Introduction
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Law and Ethics in Information Security
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Organizational Liability and the Need for
Counsel (1 of 2)
• Liability: the legal obligation of an entity extending
beyond criminal or contract law; includes the legal
obligation to make restitution
• Restitution: the legal obligation to compensate an
injured party for wrongs committed
• Due care: the legal standard requiring a prudent
organization to act legally and ethically and know the
consequences of actions
• Due diligence: the legal standard requiring a prudent
organization to maintain the standard of due care and
ensure actions are effective
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Organizational Liability and the Need for
Counsel (2 of 2)
• Jurisdiction: court’s right to hear a case if the wrong was
committed in its territory or involved its citizenry
• Long-arm jurisdiction: application of laws to those
residing outside a court’s normal jurisdiction; usually
granted when a person acts illegally within the
jurisdiction and leaves
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Policy Versus Law (1 of 2)
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Policy Versus Law (2 of 2)
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Types of Law
• Constitutional
• Statutory
– Civil
Tort
– Criminal
• Regulatory or Administrative
• Common Case, and Precedent
• Private and Public
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Relevant U.S. Laws
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
General Computer Crime Laws (1 of 2)
• Computer Fraud and Abuse Act of 1986 (CFA Act):
Cornerstone of many computer-related federal laws and
enforcement efforts
• National Information Infrastructure Protection Act of
1996:
– Modified several sections of the previous act and
increased the penalties for selected crimes
– Severity of the penalties was judged on the value of the
information and the purpose
For purposes of commercial advantage
For private financial gain
In furtherance of a criminal act
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
General Computer Crime Laws (2 of 2)
• USA PATRIOT Act of 2001: Provides law enforcement
agencies with broader latitude in order to combat
terrorism-related activities
• USA PATRIOT Improvement and Reauthorization Act:
Made permanent 14 of the 16 expanded powers of the
Department of Homeland Security and the FBI in
investigating terrorist activity
• USA FREEDOM Act inherited select USA PATRIOT
functions as the PATRIOT act expired in 2015
• Computer Security Act of 1987: One of the first attempts
to protect federal computer systems by establishing
minimum acceptable security practices
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Privacy (1 of 2)
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Privacy (2 of 2)
• U.S. Regulations
– Privacy of Customer Information Section of the common
carrier regulation
– Federal Privacy Act of 1974
– Electronic Communications Privacy Act of 1986
– Health Insurance Portability and Accountability Act of
1996 (HIPAA), aka Kennedy-Kassebaum Act
– Financial Services Modernization Act or Gramm-Leach-
Bliley Act of 1999
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Figure 3-2 Information aggregation
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Identity Theft (1 of 2)
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Identity Theft (2 of 2)
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Figure 3-3 U.S. Department of
Justice report on victims of identity
theft in 2012 and 2014
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
U.S. Copyright Law
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Financial Reporting
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Freedom of Information Act of 1966 (FOIA)
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Figure 3-5 U.S. government FOIA
requests and processing
Source: www.foia.gov.
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Payment Card Industry Data Security
Standards (PCI DSS)
• PCI Security Standards Council offers a standard of
performance to which organizations processing
payment cards must comply
• Designed to enhance security of customer’s account
data
• Addresses six areas:
– Build and maintain secure networks/systems
– Protect cardholder data
– Maintain a vulnerability management program
– Implement strong access control measures
– Regularly monitor and test networks
– Maintain information security policy
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
State and Local Regulations
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
International Laws and Legal Bodies
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Council of Europe Convention on
Cybercrime
• Created international task force to oversee Internet
security functions for standardized international
technology laws
• Attempts to improve effectiveness of international
investigations into breaches of technology law
• Well received by intellectual property rights advocates
due to emphasis on copyright infringement prosecution
• Lacks realistic provisions for enforcement
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
WTO and the Agreement on Trade-Related
Aspects of Intellectual Property Rights
• Created by the World Trade Organization (WTO)
• The first significant international effort to protect intellectual
property rights; outlines requirements for governmental
oversight and legislation providing minimum levels of
protection for intellectual property.
• Agreement covers five issues:
– Application of basic principles of trading system and
international intellectual property agreements
– Giving adequate protection to intellectual property rights
– Enforcement of those rights by countries within their borders
– Settling intellectual property disputes between WTO members
– Transitional arrangements while new system is being
introduced
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Digital Millennium Copyright Act (DMCA)
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Offline (1 of 2)
The Ten Commandments of Computer Ethics from the
Computer Ethics Institute
1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people's computer
work.
3. Thou shalt not snoop around in other people's
computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for
which you have not paid.
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Offline (2 of 2)
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Ethical Differences Across Cultures
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Table 3.2 Rates and Commercial Values of
Unlicensed PC Software Installations
Biennially from 2009 to 2015
Worldwide by Region
Commerc Commerc Commerc Commerc
Rates of
ial Value ial Value ial Value ial Value
Rates of Rates of Rates of Unlicense
of of of of
Unlicensed Unlicensed Unlicensed d
Unlicense Unlicense Unlicense Unlicense
Software Software Software Software
d d d d
Installation Installation Installation Installatio
Software Software Software Software
s in 2015 s in 2013 s in 2011 ns in
($M) ($M) ($M) ($M)
2009
in 2015 in 2013 in 2011 in 2009
Asia Pacific 61% 62% 60% 59% $19,064 $21,041 $20,998 $16,544
Central & 58% 61% 62% 64% $3,136 $5,318 $6,133 $4,673
Eastern
Europe
Latin America 55% 59% 61% 63% $5,787 $8,422 $7,459 $6,210
Middle East & 57% 59% 58% 59% $3,696 $4,309 $4,159 $2,887
Africa
North 17% 19% 19% 21% $10,016 $10,853 $10,958 $9,379
America
Western 28% 29% 32% 34% $10,543 $12,766 $13,749 $11,750
Europe
Total 39% 43% 42% 43% $52,242 $62,709 $63,456 $51,443
Worldwide
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Ethics and Education
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Deterring Unethical and Illegal Behavior
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Figure 3-6 Deterrents to illegal or
unethical behavior
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Codes of Ethics of Professional
Organizations
• Many professional organizations have established
codes of conduct/ethics.
• Codes of ethics can have a positive effect;
unfortunately, many employers do not encourage joining
these professional organizations.
• Responsibility of security professionals is to act ethically
and according to the policies of the employer, the
professional organization, and the laws of society.
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Table 3-3 Professional Organizations of
Interest to Information Security
Professionals (1 of 2)
Professional Web Resource
Description Focus
Organization Location
Association of www.acm.org Code of 24 imperatives of personal Ethics of security
Computing and ethical responsibilities for professionals
Machinery security professionals
information www.isaca.org Focus on auditing, information Tasks and knowledge
Systems Audit security, business process analysis, required of the
and Control and IS information systems
Association planning through the OSA and OSM audit professional
certifications
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Table 3-3 Professional Organizations of
Interest to Information Security
Professionals (2 of 2)
Professional Web Resource
Description Focus
Organization Location
International Information www.isc2.org International consortium Requires certificants to
Systems Security dedicated to improving the follow its published
Certification quality of security code of ethics
Consortium (ISQ2 professionals through SSCP
and CISSP certifications
SANS Institute's Global www.giac.org GIAC certifications focus on Requires certificants to
Information Assurance four security areas: security follow its published
Certification administration, security code of ethic
management IT audits, and
software security, these
areas have standard, gold,
and expert levels
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Major IT and InfoSec Professional
Organizations (1 of 5)
• Association of Computing Machinery (ACM)
– Established in 1947 as “the world’s first educational and
scientific computing society.”
– Code of ethics contains references to protecting
information confidentiality, causing no harm, protecting
others’ privacy, and respecting others’ intellectual property
and copyrights.
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Major IT and InfoSec Professional
Organizations (2 of 5)
• International Information Systems Security Certification
Consortium, Inc. (ISC)2
– Nonprofit organization focusing on the development and
implementation of information security certifications and
credentials.
– Code is primarily designed for the information security
professionals who have certification from (ISC)2.
– Code of ethics focuses on four mandatory canons.
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Major IT and InfoSec Professional
Organizations (3 of 5)
• SANS (originally System Administration, Networking,
and Security Institute)
– Professional organization with a large membership
dedicated to the protection of information and systems.
– SANS offers a set of certifications called Global
Information Assurance Certification (GIAC).
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Major IT and InfoSec Professional
Organizations (4 of 5)
• ISACA (originally Information Systems Audit and Control
Association)
– Professional association with focus on auditing, control,
and security
– Concentrates on providing IT control practices and
standards
– ISACA has a code of ethics for its professionals
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Major IT and InfoSec Professional
Organizations (5 of 5)
• Information Systems Security Association (ISSA)
– Nonprofit society of InfoSec professionals
– Primary mission to bring together qualified IS practitioners
for information exchange and educational development
– Promotes code of ethics similar to (ISC)2, ISACA, and
ACM
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Key U.S. Federal Agencies (1 of 3)
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Key U.S. Federal Agencies (2 of 3)
• Federal Bureau of Investigation
– Primary law enforcement agency; investigates traditional
crimes and cybercrimes
– Key priorities include computer/network intrusions,
identity theft, and fraud
– Federal Bureau of Investigation’s National InfraGard
Program
Maintains an intrusion alert network
Maintains a secure Web site for communication about
suspicious activity or intrusions
Sponsors local chapter activities
Operates a help desk for questions
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Key U.S. Federal Agencies (3 of 3)
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Figure 3-9 U.S. Secret Service
Operation Firewall
Source: USSS.
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Figure 3-11 FBI Cyber’s Most Wanted list
Source: fbi.gov.
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Summary (1 of 3)
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Summary (2 of 3)
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Summary (3 of 3)
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.