
Raval • Fichadia
John Wiley & Sons, Inc. 2007

Policy, Regulation, and Ethics
Chapter Thirteen
Prepared by: Raval, Fichadia


[Chapter overview diagram. Nodes: Security administration; Leadership of the organization; Organization and accountability; Security policy; Regulation; Ethical behavior; Social engineering. Edge labels: begins with; nurtures; and concerns; implementation of; compliance with; reinforces; helps prevent/limit; strengthens.]
Chapter Thirteen Objectives
1. Understand basic concepts of security administration.
2. Comprehend the nature, role, and characteristics of security policies.
3. Explain the general nature of legislation on computer security.
4. Comprehend fundamental concepts of business ethics.
5. Understand the nature and characteristics of social engineering attacks and how to limit or prevent such attacks.
Policy, Regulation, and Ethics
- Policy
  - Systems and procedures must meet policy requirements.
- Regulation
  - Organizations must comply with the requirements of the laws to which they are subject.
- Ethics
  - Organizations may choose to generate desired ethical behavior.
How Security, Regulation, and Ethics Are Related
- All three complement each other.
- A minimum is defined by regulatory requirements.
- Policies help ensure that these requirements are met and, in fact, that more is done where it is deemed appropriate and cost effective.
- Promotion of ethical behavior is likely to generate desired behavior, aligned with meeting regulatory requirements and honoring policies.
- An environment where ethical behavior is stressed could foster a sense of duty. People may tend to do the right thing, beyond the law and policies.
Organization and Accountability
- Organization structure should ideally represent accountability consistent with the roles of personnel.
- Accountability for information security is typically assigned to an information security director, who may report to
  - the CEO, or
  - the CIO, or
  - another top-level executive.
- This role must be managed in a multidisciplinary context because issues of information security are multidisciplinary.
Security Policies
- Policy: A high-level document independent of all functions, roles, powers, and personalities.
- Security policy: A formal statement of the rules by which people who are given access to the organization's technology and information assets must abide.
- Standards: Tend to enforce tried-and-tested practices.
- Procedures: Describe, where necessary, specific ways of securing information assets.
- Guidelines: Provide examples and interpretation of the policy and related standards to facilitate policy implementation.
Purposes of a Security Policy
- Informs users, staff, and managers of their obligations concerning protection of information technology and assets.
- Provides a baseline against which compliance with the policy can be assured.
- Provides a basis for determining what security tools to use to adequately protect information assets.
Characteristics of a Policy
- Tenure: Generally, a policy should have a long tenure, during which it may not change much.
- Requisite variety: Each policy must have requisite variety. All anticipated requirements to provide control must be addressed in the policy.
- Feasibility: Policies must pass the test of feasibility.
- Understandability: A policy must be written so that it is easy to understand.
- Balance: A policy must balance the need for security with the functionality and usability of information systems.
Content Areas of an Information Security Policy
- Purpose
- Scope
- Policy
- Definitions
- Responsibilities
- Administration and interpretations
- Amendments/termination of the policy
- References to applicable policies and standards
- Exceptions
- Violations/enforcement
Table: Content areas of an information security policy (area, followed by a description of the content within the area)

Purpose: Narrates why this policy is written and how it will benefit the organization.

Scope: Clarifies to whom the policy applies.

Policy: The core of the policy, that is, the statement(s) that describe the policy.

Definitions: If the policy includes certain terms, these are defined in this area. This allows for a very specific interpretation of the policy, irrespective of how these terms are used in the profession.

Responsibilities: Identifies who is responsible for enforcement of the policy. If more than one party is responsible, a clear identification of each party's responsibility with respect to policy enforcement should be included.

Administration and interpretations: Identifies who is responsible for answering questions regarding this policy, for maintaining records of policy issues and how they were resolved, and for documenting violations of the policy and their resolution.

Amendments/termination of the policy: States that (1) the organization reserves the right to modify, amend, or terminate the policy at any time, and (2) the policy does not constitute a contract between the organization and its employees.

References to applicable standards: Lists policies related to this policy.

Exceptions: Identifies how to request an exception to the policy, what information the request should provide, and to whom it should be addressed. Typically, all exception requests are handled in accordance with an information security exception policy.

Violations/enforcement: Specifies where to report any known violations of the policy, and what consequences could result from such violations. For example, consequences may include immediate suspension of user privileges, disciplinary action, or reporting the case to appropriate law enforcement agencies.
Classification of Policies
- Various alternative classifications are possible.
- Information security policies may be categorized:
  - Using components of an information system.
  - In terms of physical security and logical security.
  - As system specific or issue specific.
Policy Development Process
- The process must mirror risk management processes.
- Identify critical information systems, processes, and assets.
- Understand what risks each information asset faces. Identify the asset's vulnerabilities and anticipate the types of threat the asset might be subject to.
- Identify control and security measures to protect the information asset.
- Develop a policy that provides cost-effective protection measures.
- Periodically review the policy in light of changes in the organization and its environment.
Regulatory Requirements
- Regulations exist in the area of information assets protection, and must be met.
- Such regulations typically define the threshold needs for protecting information assets.
- Compliance with such requirements provides assurance that the entity is meeting the needs for protection of information assets at the levels required by law.
- At the same time, compliance helps the entity protect its information assets and prosecute those who compromise their security.
Regulatory Requirements and Security Objectives
- Information assets protection
- Authentication
- Integrity of logic
- Integrity of communication
- Confidentiality and privacy
- System availability
- Computer crimes
Table 13.3. Objectives, vulnerabilities, and regulation (security objective, followed by selected vulnerabilities and illustrative regulatory requirements)

Information assets protection
  Selected vulnerabilities: Theft; Software piracy
  Illustrative regulatory requirements: Computer Software Copyright Act of 1980; Digital Millennium Copyright Act (1998)

Authentication
  Selected vulnerabilities: Impersonation; Spoofing; Session hijacking; Man-in-the-middle attack
  Illustrative regulatory requirements: Electronic signature legislation; Digital signature laws

Integrity of logic (programs)
  Selected vulnerabilities: Malicious code; Buffer overflow
  Illustrative regulatory requirements: Uniform Commercial Code

Integrity of communication
  Selected vulnerabilities: Website defacement; Active wiretap; Falsification of message
  Illustrative regulatory requirements: The Electronic Communications Privacy Act of 1986

Confidentiality and privacy
  Selected vulnerabilities: Eavesdropping; Passive wiretap
  Illustrative regulatory requirements: Right to Financial Privacy Act of 1978; The Gramm-Leach-Bliley Act (1999); Children's Online Privacy Prevention Act [COPPA] (1998); Health Insurance Portability and Accountability Act [HIPAA] (1996)

System availability
  Selected vulnerabilities: Connection flooding; Denial of Service (DoS) attack; Distributed Denial of Service
  Illustrative regulatory requirements: Computer Fraud and Abuse Act (1984, 1986, 1996)
Ethical Behavior in Organizations
- Ethics: The principles of conduct individuals and groups use in making and implementing choices.
- Principles of moral conduct are the foundation for ethical behavior.
- Ethical behavior may have implications for information security.
Frameworks for Ethical Behavior
- A framework is used to determine and evaluate the ethical dimension of a choice.
- Several frameworks have been proposed.
  - Ethical relativism suggests that ethics is something a person decides. What is right or wrong is relative to one's society.
  - Utilitarianism argues that what makes an action right or wrong is outside the action itself; it is determined by the consequences of the action.
  - Deontological theories emphasize the internal character of the act itself. If an action is done from a sense of duty, then the action is right.
- Individuals play many roles in their lives:
  - The commitments of private life.
  - The commitments as an employee.
  - The commitments as a (business) leader.
  - Responsibilities beyond the employer's boundaries.
- Differentiating between roles allows one to define duty more responsibly and in alignment with what one can do.
- There may exist conflicts within each role and between roles.
Business Ethics
- An organization is a group of individuals with shared values and goals.
- A business as an organization should deserve its place within society.
- Organizational legitimacy is a result of the degree of congruence between the social values associated with or implied by the firm's activities and the norms of acceptable behavior in the larger social system to which they belong.
- Individuals as employees should ask questions concerning the consequences of an action, serving others' rights, consistency of decisions with basic values, and feasibility of their actions in the world as it is.
Ethics and Information Technology
- Old wine in a new bottle?
  - Argument supporting this notion: No new issues have surfaced due to the presence of computers.
  - Argument opposing this notion: Information technology has created an environment that is quite different and hence, the dilemmas are different.
- An examination of the roles of computers makes it easier to understand ethics in the context of information technology.
- Four possible roles of computers in a man-machine system.
Four Roles of Information Technology
- Nonuse
- Discretionary role: Since the computer is used at the discretion of the user, the user controls the ethical dimension of use (or nonuse), if any.
- Facilitation role: In this role, the computer makes the compromise of ethics much easier, but the fundamental ethical dilemma is the same.
- Intrinsic role: The computer is at the core of the situation. No comparable situation would exist without the presence of the computer.
  - New dilemmas that need to be addressed using existing frameworks.
Social Engineering
- Definition: The art and science of getting people to cooperate in the process of achieving your own goals. People hacking.
- Threats:
  - To build and maintain sound security systems, the social dimension (the human side) must also be considered. Attacks on people are easier, require very little technology, and can be planned and implemented quickly.
- Countermeasures
Signs of a Social Engineering Attack
- The attacker refuses to give contact information.
- The attacker shows signs of urgency and rushes through the process of communication after establishing an initial rapport.
- To suggest familiarity and influence, the attacker resorts to name-dropping.
- There is a likelihood that, if necessary, the attacker would resort to intimidating the prospective informant.
- Minor errors in the attacker's communication are common, for example, inserting an odd question into the communication.
- Typically, the attack includes a request for forbidden information.
Social Engineering: Countermeasures
1. Develop a comprehensive security policy, and revise it when necessary. The security policy should be effectively communicated to employees, and enforced throughout the organization.
2. Create awareness of exposures to and methods of social engineering attacks.
3. Train and educate employees to be on the defense. Ongoing training programs serve as a constant reminder of social engineering threats, and how to identify and respond to them.
4. Because the attacker has some data about the organization (people, systems, procedures) on hand, it becomes feasible to launch the attack. Every measure that would help prevent data from landing in unauthorized hands should be considered. For example, shredding reports and dated systems documentation, encrypting data, and degaussing portable storage media.
Assurance Considerations
- Policy development, implementation, and enforcement
  - Is the policy current? Is it enforced? Are violations of and exceptions to the policy tracked and reported? Who acts on such violations? Are such actions proper? Overall, is the policy effective?
- Compliance with regulations
  - Is an integrated approach used, where legal, technological, and operational aspects are considered together? Or is the compliance a patchwork?
  - Who is responsible for compliance? Are the compliance solutions documented? Are changes in the regulatory requirements monitored? Is the whistle-blower system effective?
- Ethical behavior
  - Does the organization have a code of conduct?
  - What structure is in place to nurture ethical behavior in the organization?
  - Who is accountable for promoting organization-wide ethical conduct?
  - What programs are in place to achieve the objective? Are they effective?