• Laws: rules that mandate or prohibit certain behavior
• Ethics: define socially acceptable behavior
• Cultural mores: fixed moral attitudes or customs of a particular group
• Laws carry sanctions of a governing authority; ethics do not

• Types of Law
  – Civil: comprises a wide variety of laws that govern a nation or state and deal with the relationships and conflicts between organizational entities and people (private affairs of citizens such as marriage, divorce, probate, property ownership)
  – Criminal: addresses activities and conduct harmful to society, and is actively enforced by the state (murder, robbery, kidnapping, rape, assault)
  – Private: encompasses family law, commercial law, and labor law, and regulates the relationship between individuals and organizations
  – Public: regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments. Public law includes criminal, administrative, and constitutional law

• Policy Versus Law
  – Most organizations develop and formalize a body of expectations called policy
  – Policies serve as organizational laws
  – Ignorance of a policy is an acceptable defense
  – 5 criteria for a policy to become enforceable:
    • Dissemination
    • Review
    • Comprehension
    • Uniform enforcement

• Relevant U.S. Laws (General)
  – Computer Fraud and Abuse Act of 1986 (CFA Act): threats to computers
  – National Information Infrastructure Protection Act of 1996: criminal intent
  – USA Patriot Act of 2001: terrorism
  – Telecommunications Deregulation and Competition Act of 1996: telecommunications
  – Computer Security Act of 1987: federal agency information security

The cybercrime-related laws in the Philippines are:
  1. RA 10175 – Cybercrime Prevention Act of 2012
  2. RA 9995 – Anti-Photo and Voyeurism Act of 2009
  3. RA 9725 – Anti-Child Pornography Act of 2009
  4. RA 9208 – Anti-Trafficking in Persons Act of 2003
  5. RA 8792 – E-Commerce Act of 2000
  6. RA 8484 – Access Device Regulation Act of 1998
  7. RA 4200 – Anti-Wiretapping Law

• Privacy: “state of being free from unsanctioned intrusion”
  – Privacy of Customer Information Section of common carrier regulation
  – Federal Privacy Act of 1974
  – Electronic Communications Privacy Act of 1986
  – Health Insurance Portability and Accountability Act of 1996 (HIPAA), aka Kennedy-Kassebaum Act
  – Financial Services Modernization Act, or Gramm-Leach-Bliley Act of 1999

• Export and Espionage Laws
  – Economic Espionage Act of 1996 (EEA)
  – Security and Freedom Through Encryption Act of 1999 (SAFE)

• U.S. Copyright Law
  – Intellectual property recognized as protected asset in the U.S.; copyright law extends to electronic formats

• Freedom of Information Act of 1966 (FOIA)
  – Allows access to federal agency records or information not determined to be a matter of national security

• International Laws and Legal Bodies
  – European Council Cyber-Crime Convention:
    • Establishes international task force overseeing Internet security functions for standardized international technology laws
    • Attempts to improve effectiveness of international investigations into breaches of technology law
    • Well received by intellectual property rights advocates due to emphasis on copyright infringement prosecution
    • Lacks realistic provisions for enforcement
  – Digital Millennium Copyright Act (DMCA)

• Ethics and Information Security

• Ethical Differences Across Cultures
  – Cultural differences create difficulty in determining what is and is not ethical
  – Difficulties arise when one nationality’s ethical behavior conflicts with ethics of another national group
  – Example: many of the ways in which Asian cultures use computer technology amount to software piracy

• Ethics and Education
  – Overriding factor in leveling ethical perceptions within a small population is education
  – Employees must be trained in expected behaviors of an ethical employee, especially in areas of information security
  – Proper ethical training vital to creating informed, well-prepared, and low-risk system users

• Deterrence to Unethical and Illegal Behavior
  – Deterrence: best method for preventing an illegal or unethical activity; e.g., laws, policies, technical controls
  – Causes of unethical and illegal behavior:
    • Ignorance
    • Accident
    • Intent
  – Laws and policies only deter if three conditions are present:
    • Fear of penalty
    • Probability of being caught
    • Probability of penalty being administered

The Ten Commandments of Computer Ethics from the Computer Ethics Institute
  1. Thou shalt not use a computer to harm other people.
  2. Thou shalt not interfere with other people’s computer work.
  3. Thou shalt not snoop around in other people’s computer files.
  4. Thou shalt not use a computer to steal.
  5. Thou shalt not use a computer to bear false witness.
  6. Thou shalt not copy or use proprietary software for which you have not paid.
  7. Thou shalt not use other people’s computer resources without authorization or proper compensation.
  8. Thou shalt not appropriate other people’s intellectual output.
  9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
  10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.

• Codes of Ethics and Professional Organizations
  – Several professional organizations have established codes of conduct/ethics
  – Codes of ethics can have a positive effect; unfortunately, many employers do not encourage joining these professional organizations
  – Responsibility of security professionals to act ethically and according to policies of employer, professional organization, and laws of society

• Major IT Professional Organizations
  – Association of Computing Machinery (ACM)
    • ACM established in 1947 as “the world's first educational and scientific computing society”
    • Code of ethics contains references to protecting information confidentiality, causing no harm, protecting others’ privacy, and respecting others’ intellectual property
  – International Information Systems Security Certification Consortium, Inc. (ISC)2
    • Non-profit organization focusing on development and implementation of information security certifications and credentials
    • Code primarily designed for information security professionals who have certification from (ISC)2
    • Code of ethics focuses on four mandatory canons
  – System Administration, Networking, and Security Institute (SANS)
    • Professional organization with a large membership dedicated to protection of information and systems
    • SANS offers a set of certifications called Global Information Assurance Certification (GIAC)
  – Information Systems Audit and Control Association (ISACA)
    • Professional association with focus on auditing, control, and security
    • Concentrates on providing IT control practices and standards
    • ISACA has a code of ethics for its professionals
  – Computer Security Institute (CSI)
    • Provides information and training to support computer, networking, and information security professionals
    • Though without a code of ethics, has argued for adoption of ethical behavior among information security professionals
  – Information Systems Security Association (ISSA)
    • Nonprofit society of information security (IS) professionals
    • Primary mission to bring together qualified IS practitioners for information exchange and educational development
    • Promotes a code of ethics similar to (ISC)2, ISACA and ACM

• Other Security Organizations
  – Internet Society (ISOC): promotes development and implementation of education, standards, and policy to promote the Internet
  – Computer Security Division (CSD): division of the National Institute for Standards and Technology (NIST); promotes industry best practices and is an important reference for information security professionals
  – CERT Coordination Center (CERT/CC): center of Internet security expertise operated by Carnegie Mellon University
  – Computer Professionals for Social Responsibility (CPSR): public organization for anyone concerned with the impact of computer technology on society