chap 3 notes

Chapter 03 discusses the legal, ethical, and professional issues in information security, highlighting the distinction between laws, ethics, and organizational policies. It covers various types of laws relevant to information security, including civil, criminal, and privacy laws, as well as the importance of ethical standards in the field. Additionally, it outlines responsibilities for security professionals and the significance of protecting personal information and intellectual property.

Uploaded by Priah Rajput

CHAPTER: 03

Legal, Ethical, and Professional Issues in Information Security

1. Law and Ethics in Information Security

• Laws: These are rules created by the government to control behavior. Breaking the law results in punishment, such as fines or jail time.

• Ethics: These are moral rules about what is right and wrong. They are not enforced by law but by social norms.

• Cultural mores: These are customs and moral values specific to a group or society.

Example:

• If someone hacks a system to steal data, it is illegal because laws prohibit it.

• If someone secretly reads a colleague’s private email, it may not be illegal, but it is unethical.

2. Policy Versus Law

• Policies: These are rules within an organization that define what employees can and cannot do.

• Policies work like laws within the workplace but do not apply outside the organization.

Criteria for Policy Enforcement

1. Dissemination (distribution): The policy must be shared with employees.

2. Review (reading): Employees should read and understand it.

3. Comprehension (understanding): They should clearly know what the policy means.

4. Compliance (agreement): They must agree to follow the policy.

5. Uniform enforcement: The rules should apply to everyone equally.

Example:

• A company has a policy against sharing passwords. If an employee shares a password, they might be fired or warned, even though no law was broken.

3. Types of Law

1. Civil Law: Deals with disputes between individuals or organizations.

o Example: If a company sells faulty software, a customer can sue for damages.

2. Criminal Law: Deals with actions that harm society.

o Example: Hacking into a bank's system and stealing money is a criminal offense.

3. Private Law: Covers areas like family law, business law, and labor law.

o Example: A company firing an employee unfairly falls under labor law.

4. Public Law: Regulates how government agencies work and how they interact with citizens.

o Example: Laws that protect citizens’ personal data from government misuse.

4. Relevant U.S. Laws

The U.S. has several laws to protect information security. These laws ensure businesses are secure and prevent misuse of technology.

5. General Computer Crime Laws

1. Computer Fraud and Abuse Act (1986): The main law against hacking and online fraud.

2. National Information Infrastructure Protection Act (1996):

o Increased punishments for computer-related crimes.

o The penalty depends on:

▪ Value of stolen information

▪ Whether the crime was for financial gain or another criminal act.

3. USA PATRIOT Act (2001):

o Helps law enforcement track online terrorism activities.

4. Computer Security Act (1987):

o Set minimum security rules for government computers.

Example:

• If someone steals a company's customer database and sells it, they can be punished under the Computer Fraud and Abuse Act (CFAA).

6. Privacy

• Privacy means people and companies have the right to protect their personal information.

• Companies collect a lot of data, and laws prevent misuse.

Privacy of Customer Information

• The Federal Privacy Act (1974):

o Stops government agencies from sharing private data without permission.

o Exceptions: Census Bureau, courts, credit agencies, and in cases of health/safety risks.

• Electronic Communications Privacy Act (1986): Protects phone, email, and online communications from being monitored without permission.

• Health Insurance Portability and Accountability Act (HIPAA - 1996):

o Protects healthcare data from being misused.

Example:

• A hospital cannot share a patient’s medical records without consent.

7. Identity Theft

• Happens when someone steals your personal details (name, Social Security number, credit card) to commit fraud.

• Companies can also be attacked through URL manipulation or DNS redirection.

Steps to Take if Identity is Stolen

1. Place a fraud alert with consumer reporting agencies.

2. Report to the Federal Trade Commission (FTC).

3. Close stolen credit cards.

4. Report to the police.

Example:

• If a hacker gets your bank details and uses them to make online purchases, that is identity theft.

8. Export and Espionage Laws

1. Security and Freedom through Encryption Act (1999):

o People can use and sell encryption freely.

o The government cannot force someone to use encryption.

o Encryption alone is not a reason for the police to suspect a crime.

Example:

• A company using strong encryption to protect customer data cannot be forced to share encryption keys with the government.

9. U.S. Copyright Law

• Intellectual property (books, music, software) is protected by law.

• Fair use allows small parts of copyrighted material to be used for education or research.

• Financial Reporting Laws ensure companies report finances accurately.

Example:

• Using a small paragraph from a book in a research paper is allowed (fair use).

• Copying an entire book without permission is illegal.

10. Freedom of Information Act (FOIA)

• Allows people to request government records unless they are related to national security.

• Does not apply to private companies or individuals.

Example:

• A journalist can request public government documents but not private company data.

11. State and Local Regulations

• Each state can have its own cybersecurity laws.

• Example: Georgia's Computer Systems Protection Act (1991) protects against cyber attacks.

12. Ethics and Information Security

The Ten Commandments of Computer Ethics

1. Do not harm people using a computer.

2. Do not interfere with others’ work.

3. Do not snoop into other people’s files.

4. Do not steal using a computer.

5. Do not spread lies online.

6. Do not use illegal software.

7. Do not misuse computer resources.

8. Do not steal intellectual property.

9. Think about the social impact of your programs.

10. Respect others when using a computer.

Example:

• Hacking into someone’s account is both illegal and unethical.

13. Codes of Ethics and Professional Organizations

• Professional organizations have codes of ethics to guide IT professionals.

• These codes help in making ethical decisions in computer security.

Responsibilities of Security Professionals

1. Follow ethical standards.

2. Follow employer policies.

3. Follow laws.

4. Ensure ethical policies are enforced.

Example:

• A cybersecurity expert should not use their skills to hack systems for personal gain.
