IS Chap 3
Uploaded by cadet90925

Legal, Ethical, and Professional Issues in Information Security

Law and Ethics in Information Security
Laws: a collection of rules and regulations that mandate or prohibit certain behavior and are enforced by the state
Ethics: define socially acceptable behavior
Cultural mores: the fixed moral attitudes or customs of a particular group
Policy Versus Law
Policies: guidelines that describe acceptable and unacceptable employee behaviors in the workplace
Policies function as laws within the organization: they must be crafted and implemented with the same care to ensure that they are complete, appropriate, and fairly applied to everyone in the workplace
Criteria for policy enforcement:
Dissemination (distribution)
Review (reading)
Comprehension (understanding)
Compliance (agreement)
Uniform enforcement
Types of Law

Civil law: deals with the relationships and conflicts between organizational entities and people
Criminal law: addresses activities and conduct harmful to society
Private law: encompasses family law, commercial law, and labor law, and regulates the relationships between individuals and organizations
Public law: regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments. Public law includes criminal, administrative
Relevant U.S. Laws

The United States has been a leader in the development and implementation of information security legislation to prevent misuse and exploitation of information and information technology. The implementation of information security legislation contributes to a more reliable business environment, which in turn enables a stable economy.
General Computer Crime Laws

The Computer Fraud and Abuse Act of 1986 (CFA Act) is the cornerstone of many computer-related federal laws and enforcement efforts
National Information Infrastructure Protection Act of 1996:
◦ Modified several sections of the previous act and increased the penalties for selected crimes
◦ The severity of the penalty depends on the value of the information obtained and on whether the offense was committed:
◦ For purposes of commercial advantage
◦ For private financial gain
◦ In furtherance of a criminal act
General Computer Crime Laws

USA PATRIOT Act of 2001: provides law enforcement agencies with broader latitude to combat terrorism-related activities
Computer Security Act of 1987: one of the first attempts to protect federal computer systems by establishing minimum acceptable security practices
Privacy

Privacy is the right of individuals and groups to protect themselves and their personal information from unauthorized access
Aggregating data from multiple sources allows the creation of information databases that were previously impossible
The number of statutes addressing an individual's right to privacy has grown
The Privacy of Customer Information section of the common carrier regulation states that any proprietary information shall be used explicitly for providing services and not for any marketing purposes, and that carriers cannot disclose this information except when necessary to provide their services
Privacy of Customer Information

The Federal Privacy Act of 1974 regulates government agencies and holds them accountable if they release private information about individuals or businesses without permission. The following agencies, regulated businesses, and individuals are exempt from some of the regulations so that they can perform their duties:
◦ Bureau of the Census
◦ National Archives and Records Administration
◦ Federal courts with regard to specific issues using appropriate court orders
◦ Credit reporting agencies
◦ Individuals or organizations that demonstrate that information is necessary to protect the health or safety of that individual
The Electronic Communications Privacy Act of 1986 is a collection of statutes that regulates the interception of wire, electronic, and oral communications.
Health Insurance Portability and Accountability Act of 1996 (HIPAA): protects the confidentiality and security of health care data by establishing and enforcing standards
Identity Theft

Identity theft occurs when someone uses your personally identifying information, such as your name, Social Security number, or credit card number, without your permission to commit fraud or other crimes
Organizations can also be victims of identity theft by means of URL manipulation or DNS redirection
If someone suspects identity theft, the Federal Trade Commission (FTC) recommends:
◦ Place an initial fraud alert: report to the three dominant consumer reporting companies that your identity is threatened so that they may place a fraud alert on your record
◦ Register your concern with the FTC: there is a form to register a complaint at the FTC's identity theft site
◦ If your cards have been stolen, close them
◦ Report the incident to either your local police or the police in the location where the identity theft occurred
Export and Espionage Laws

The Security and Freedom through Encryption Act of 1999 provides guidance on the use of encryption and provides protection from government intervention. The act includes provisions that:
◦ Reinforce the right to use or sell encryption algorithms, without concern for key registration
◦ Prohibit the federal government from requiring the use of encryption
◦ State that the use of encryption is not probable cause to suspect criminal activity
◦ Provide additional penalties for the use of encryption in the commission of a criminal act
U.S. Copyright Law
Intellectual property is a protected asset in the United States
With proper acknowledgement, it is permissible to include portions of someone else's work as reference
Fair use of copyrighted material includes use in support of teaching, scholarship, education, and library purposes
Financial Reporting: improves the reliability and accuracy of financial reporting, as well as increasing the accountability of corporate governance, in publicly traded companies. Penalties for non-compliance range from fines to jail terms.
Freedom of Information Act: allows any person to request access to federal agency records or information not determined to be a matter of national security. Agencies of the federal government are required to disclose any requested information on receipt of a written request. The act does not apply to state or local government agencies or to private businesses or individuals.
Ethics and Information Security
Offline: The Ten Commandments of Computer Ethics

◦ Thou shalt not use a computer to harm other people.
◦ Thou shalt not interfere with other people's computer work.
◦ Thou shalt not snoop around in other people's computer files.
◦ Thou shalt not use a computer to steal.
◦ Thou shalt not use a computer to bear false witness.
◦ Thou shalt not copy or use proprietary software for which you have not paid.
◦ Thou shalt not use other people's computer resources without authorization or proper compensation.
◦ Thou shalt not appropriate other people's intellectual output.
◦ Thou shalt think about the social consequences of the program you are writing or the system you are designing.
◦ Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.
Codes of Ethics and Professional Organizations

Professional organizations have established codes of ethics
Codes of ethics can have a positive effect on people's judgment regarding computer use
It is the responsibility of security professionals to act ethically and according to the policies and procedures of their employers, their professional organizations, and the laws of society

Major IT Professional Organizations
