Information Security_Ch03

Lecturer: Pham Thi Thanh Thuy

Email: [email protected]
Mobile Phone: 0915651748
Principles of Information Security, Sixth Edition
Chapter 3: Legal, Ethical, and Professional Issues in Information Security

Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Learning Objectives

• Upon completion of this material, you should be able to:
– Describe the functions of and relationships among laws, regulations, and professional organizations in information security
– Explain the differences between laws and ethics
– Identify major national laws that affect the practice of information security
– Discuss the role of privacy as it applies to law and ethics in information security
Contents

• Introduction
• Law and Ethics in Information Security
• Relevant U.S. Laws
• International Laws and Legal Bodies
• Ethics and Information Security
• Codes of Ethics of Professional Organizations
• Key U.S. Federal Agencies
Introduction

• You must understand the scope of an organization’s legal and ethical responsibilities.
• To minimize liabilities and reduce risks, the information security practitioner must:
– Understand the current legal environment
– Stay current with laws and regulations
– Watch for new and emerging issues
Law and Ethics in Information Security

• Laws
– Rules that mandate or prohibit certain behavior and are enforced by the state.
– Law is mandatory and enforceable by legal authorities.
– Laws carry the authority of a governing authority; ethics do not.
– Laws aim to establish minimum standards and requirements for protecting information, ensuring privacy, and preventing unauthorized access to or misuse of data: data protection laws, cybersecurity regulations, and computer crime legislation.
• Ethics
– Regulate and define socially acceptable behavior.
– Adherence to ethical principles in information security is voluntary, and there is no legal enforcement of ethical standards.
– Violations of ethical principles may lead to reputational damage, loss of trust, and professional consequences.
– Ethical guidelines in information security can be more specific and tailored to particular professional roles or contexts.
Organizational Liability and the Need for Counsel

• Liability
– The legal obligation of an entity extending beyond criminal or contract law; includes the legal obligation to make restitution.
• Restitution
– The legal obligation to compensate an injured party for wrongs committed.
• Due care
– The legal standard requiring a prudent organization to act legally and ethically and to know the consequences of its actions.
• Due diligence
– The legal standard requiring a prudent organization to maintain the standard of due care and ensure its actions are effective.
• Jurisdiction
– A court’s right to hear a case if the wrong was committed in its territory or involved its citizenry.
• Long-arm jurisdiction
– Application of laws to those residing outside a court’s normal jurisdiction; usually granted when a person acts illegally within the jurisdiction and leaves.
Policy Versus Law

• Policy
– Information security policies are internal guidelines and directives established by organizations to define acceptable behaviors, practices, and procedures for protecting information.
– Policies are created by the organization itself and are enforced through internal mechanisms.
– Information security policies are specific to individual organizations and can vary in scope and applicability.
• Criteria for policy enforcement:
– Dissemination (distribution)
– Review (reading)
– Comprehension (understanding)
– Compliance (agreement)
– Uniform enforcement
Types of Law

• Constitutional Law
– Originates with the U.S. Constitution, a state constitution, or a local constitution, bylaws, or charter.
• Statutory Law
– Originates from a legislative branch specifically tasked with the creation and publication of laws and statutes.
– Civil law
  o Embodies a wide variety of laws pertaining to relationships between and among individuals and organizations.
  o Includes contract law, employment law, family law, and tort law. Tort law is the subset of civil law that allows individuals to seek redress in the event of personal, physical, or financial injury. Perceived damages within civil law are pursued in civil court and are not prosecuted by the state.
  o Private law is considered a subset of civil law.
– Criminal law
  o Addresses violations harmful to society and is actively enforced and prosecuted by the state.
  o Addresses statutes associated with traffic law, public order, property damage, and personal damage, where the state takes on the responsibility of seeking retribution on behalf of the plaintiff, or injured party.
• Regulatory or Administrative Law
– Originates from an executive branch or authorized regulatory agency.
– Includes executive orders and regulations.
• Common Law, Case Law, and Precedent
– Originates from a judicial branch or oversight board.
– Involves the interpretation of law based on the actions of a previous and/or higher court or board.
• Private law
– A subset of civil law.
– Regulates the relationships among individuals as well as relationships between individuals and organizations.
– It encompasses family law, commercial law, and labor law.
• Public law
– Regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments.
– Includes criminal law, administrative law, and constitutional law.
Relevant U.S. Laws

• The U.S. is a leader in the development and implementation of information security legislation.
• Information security legislation contributes to a more reliable business environment and a stable economy.
• The U.S. has demonstrated understanding of the importance of securing information and has specified penalties for individuals and organizations that breach civil and criminal law.
General Computer Crime Laws

• Computer Fraud and Abuse Act of 1986 (CFA Act)
– Cornerstone of many computer-related federal laws and enforcement efforts
• National Information Infrastructure Protection Act of 1996
– Modified several sections of the previous act and increased the penalties for selected crimes
– Severity of the penalties was judged on the value of the information and the purpose:
  o For purposes of commercial advantage
  o For private financial gain
  o In furtherance of a criminal act
• USA PATRIOT Act of 2001
– Provides law enforcement agencies with broader latitude in order to combat terrorism-related activities
• USA PATRIOT Improvement and Reauthorization Act
– Made permanent 14 of the 16 expanded powers of the Department of Homeland Security and the FBI in investigating terrorist activity
• USA FREEDOM Act
– Inherited select USA PATRIOT functions as the PATRIOT Act expired in 2015
• Computer Security Act of 1987
– One of the first attempts to protect federal computer systems by establishing minimum acceptable security practices
Privacy

• One of the hottest topics in information security
• The right of individuals or groups to protect themselves and their personal information from unauthorized access
• The ability to aggregate data from multiple sources allows the creation of information databases that were previously impossible
• The number of statutes addressing an individual’s right to privacy has grown
• U.S. Regulations
– Privacy of Customer Information Section of the common carrier regulation
– Federal Privacy Act of 1974
– Electronic Communications Privacy Act of 1986
– Health Insurance Portability and Accountability Act of 1996 (HIPAA), aka Kennedy-Kassebaum Act
– Financial Services Modernization Act or Gramm-Leach-Bliley Act of 1999
Identity Theft

• Occurs when someone steals a victim’s personally identifiable information (PII) and poses as the victim to conduct actions or make purchases.
• The Federal Trade Commission (FTC) oversees efforts to foster coordination, effective prosecution of criminals, and methods to increase victims’ restitution.
• Fraud and Related Activity in Connection with Identification Documents, Authentication Features, and Information Act (Title 18, U.S.C. § 1028).
• If someone suspects identity theft, the FTC recommends:
– Place an initial fraud alert: Report to one of the three national credit reporting companies and ask for an initial fraud alert on your credit report.
– Order your credit reports: Filing an initial fraud alert entitles you to a free credit report from each of the three credit reporting companies. Examine the reports for fraudulent activity.
– Create an identity theft report: Filing a complaint with the FTC will generate an identity theft affidavit, which can be used to file a police report and create an identity theft report.
– Monitor your progress: Document all calls, letters, and communications during the process.

Figure 3-3 U.S. Department of Justice report on victims of identity theft in 2012 and 2014 (Source: U.S. Federal Trade Commission.)
Export and Espionage Laws

• Economic Espionage Act of 1996
• Security and Freedom through Encryption Act of 1999
• The acts include provisions about encryption that:
– Reinforce the right to use or sell encryption algorithms, without concern of key registration.
– Prohibit the federal government from requiring the use of encryption.
– Make the use of encryption, by itself, not probable cause to suspect criminal activity.
– Relax export restrictions.
– Add penalties for using encryption in a crime.
U.S. Copyright Law

• Intellectual property was recognized as a protected asset in the United States; copyright law extends to electronic formats.
• With proper acknowledgment, it is permissible to include portions of others’ work as reference.
• U.S. Copyright Office Web site: www.copyright.gov/
Financial Reporting

• Sarbanes-Oxley Act of 2002
– Affects the executive management of publicly traded corporations and public accounting firms
– Seeks to improve the reliability and accuracy of financial reporting and increase the accountability of corporate governance in publicly traded companies
– Penalties for noncompliance range from fines to jail terms
Freedom of Information Act of 1966 (FOIA)

• Allows access to federal agency records or information not determined to be a matter of national security.
• U.S. government agencies are required to disclose any requested information upon receipt of a written request.
• Some information is protected from disclosure; this act does not apply to state/local government agencies or private businesses/individuals.

Figure 3-5 U.S. government FOIA requests and processing (Source: www.foia.gov.)
Payment Card Industry Data Security Standards (PCI DSS)

• The PCI Security Standards Council offers a standard of performance with which organizations processing payment cards must comply
• Designed to enhance the security of customers’ account data
• Addresses six areas:
– Build and maintain secure networks/systems
– Protect cardholder data
– Maintain a vulnerability management program
– Implement strong access control measures
– Regularly monitor and test networks
– Maintain an information security policy
State and Local Regulations

• Federal computer laws are mainly written specifically for federal information systems; they have little applicability to private organizations.
• Information security professionals are responsible for understanding state regulations and ensuring that the organization is in compliance with them.
International Laws and Legal Bodies

• When organizations do business on the Internet, they do business globally.
• Professionals must be sensitive to the laws and ethical values of many different cultures, societies, and countries.
• Because of the political complexities of relationships among nations and differences in culture, few international laws cover privacy and information security.
• These international laws are important but are limited in their enforceability.
U.K. Computer Security Laws

• Computer Misuse Act 1990: Defined three “computer misuse offenses”:
– Unauthorized access to computer material.
– Unauthorized access with intent to commit or facilitate commission of further offenses.
– Unauthorized acts with intent to impair, or with recklessness as to impairing, operation of computer, etc.
• Privacy and Electronic Communications (EC Directive) Regulations 2003
– Focuses on protection against unwanted or harassing phone, e-mail, and SMS messages
• Police and Justice Act 2006
– Updated the Computer Misuse Act, modified the penalties, and created new crimes defined as the “unauthorized acts with intent to impair operation of computer, etc.”
Council of Europe Convention on Cybercrime

• Created an international task force to oversee Internet security functions for standardized international technology laws
• Attempts to improve the effectiveness of international investigations into breaches of technology law
• Well received by intellectual property rights advocates due to its emphasis on copyright infringement prosecution
• Lacks realistic provisions for enforcement
WTO and the Agreement on Trade-Related Aspects of Intellectual Property Rights

• Created by the World Trade Organization (WTO)
• The first significant international effort to protect intellectual property rights
• Outlines requirements for governmental oversight and legislation providing minimum levels of protection for intellectual property
• The agreement covers five issues:
– Application of basic principles of the trading system and international intellectual property agreements
– Giving adequate protection to intellectual property rights
– Enforcement of those rights by countries within their borders
– Settling intellectual property disputes between WTO members
– Transitional arrangements while the new system is being introduced
Digital Millennium Copyright Act (DMCA)

• U.S. contribution to an international effort to reduce the impact of copyright, trademark, and privacy infringement
• A response to European Union Directive 95/46/EC
• Prohibits
– Circumvention of protections and countermeasures
– Manufacture and trafficking of devices used to circumvent such protections
– Altering information attached to or embedded in copyrighted material
• Excludes Internet Service Providers (ISPs) from some copyright infringement liability
Ethics and Information Security

• Many professional disciplines have explicit rules governing the ethical behavior of members.
• IT and InfoSec do not have binding codes of ethics.
• Professional associations and certification agencies work to maintain ethical codes of conduct.
– Can prescribe ethical conduct
– Do not always have the ability to ban violators from practice in the field
Offline

The Ten Commandments of Computer Ethics from the Computer Ethics Institute
1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people's computer work.
3. Thou shalt not snoop around in other people's computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people's computer resources without authorization or proper compensation.
8. Thou shalt not appropriate other people's intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.
Ethical Differences Across Cultures
• Cultural differences make it difficult to
determine what is and is not ethical.
• Difficulties arise when the ethical norms of one
nationality conflict with those of another
national group.
Ethical Differences Across Cultures (continued)
• Scenarios are grouped into:
– Software license infringement
– Illicit use
– Misuse of corporate resources
• Different cultures judge the same scenarios
differently.
Table 3-2 Rates and Commercial Values of Unlicensed PC Software Installations, Biennially from 2009 to 2015, Worldwide by Region

The first four columns give the rate of unlicensed software installations in 2015, 2013, 2011, and 2009; the last four give the commercial value of unlicensed software ($M) in the same years.

Region                    Rate 2015  Rate 2013  Rate 2011  Rate 2009  Value 2015 ($M)  Value 2013 ($M)  Value 2011 ($M)  Value 2009 ($M)
Asia Pacific              61%        62%        60%        59%        $19,064          $21,041          $20,998          $16,544
Central & Eastern Europe  58%        61%        62%        64%        $3,136           $5,318           $6,133           $4,673
Latin America             55%        59%        61%        63%        $5,787           $8,422           $7,459           $6,210
Middle East & Africa      57%        59%        58%        59%        $3,696           $4,309           $4,159           $2,887
North America             17%        19%        19%        21%        $10,016          $10,853          $10,958          $9,379
Western Europe            28%        29%        32%        34%        $10,543          $12,766          $13,749          $11,750
Total Worldwide           39%        43%        42%        43%        $52,242          $62,709          $63,456          $51,443
Ethics and Education
• Education is the overriding factor in
leveling ethical perceptions within a small
population.
• Employees must be trained in, and kept
aware of, the behavior expected of an
ethical employee, as well as many other
information security topics.
• Proper ethical training is vital to creating
informed and well-prepared system users.
Deterring Unethical and Illegal Behavior
• Three general causes of unethical and
illegal behavior: ignorance, accident, and intent.
• Deterrence is the best method of preventing
illegal or unethical activity; examples include
laws, policies, and technical controls.
Deterring Unethical and Illegal Behavior (continued)
• Laws and policies only deter if three
conditions are present:
– Fear of penalty
– Probability of being apprehended
– Probability of the penalty being applied
Figure 3-6 Deterrents to illegal or unethical behavior
Contents

• Introduction
• Law and Ethics in Information Security
• Relevant U.S. Laws
• International Laws and Legal Bodies
• Ethics and Information Security
• Codes of Ethics of Professional
Organizations
• Key U.S. Federal Agencies

Codes of Ethics of Professional
Organizations
• Many professional organizations have
established codes of conduct or codes of ethics.
• Codes of ethics can have a positive effect;
unfortunately, many employers do not
encourage employees to join these professional
organizations.
• The responsibility of security professionals is to
act ethically and according to the policies of
the employer, the professional organization,
and the laws of society.
Table 3-3 Professional Organizations of
Interest to Information Security
Professionals
• Association for Computing Machinery (ACM), www.acm.org
– Description: Code of 24 imperatives of personal and ethical responsibilities for security professionals
– Focus: Ethics of security professionals
• Information Systems Audit and Control Association (ISACA), www.isaca.org
– Description: Focus on auditing, information security, business process analysis, and IS planning through the CISA and CISM certifications
– Focus: Tasks and knowledge required of the information systems audit professional
• Information Systems Security Association (ISSA), www.issa.org
– Description: Professional association of information systems security professionals; provides an education forum, publications, and peer networking for members
– Focus: Professional security information sharing
• International Information Systems Security Certification Consortium ((ISC)²), www.isc2.org
– Description: International consortium dedicated to improving the quality of security professionals through the SSCP and CISSP certifications
– Focus: Requires certificants to follow its published code of ethics
• SANS Institute's Global Information Assurance Certification (GIAC), www.giac.org
– Description: GIAC certifications focus on four security areas: security administration, security management, IT audit, and software security; each area has standard, gold, and expert levels
– Focus: Requires certificants to follow its published code of ethics
Major IT and InfoSec Professional
Organizations (1 of 5)
• Association for Computing Machinery (ACM)
– Established in 1947 as "the world's first
educational and scientific computing society."
– Its code of ethics contains references to protecting
information confidentiality, causing no harm,
protecting others' privacy, and respecting others'
intellectual property and copyrights.
Major IT and InfoSec Professional
Organizations (2 of 5)
• International Information Systems Security
Certification Consortium, Inc. ((ISC)²)
– Nonprofit organization focusing on the
development and implementation of information
security certifications and credentials.
– Its code is primarily designed for information
security professionals who hold a certification
from (ISC)².
– The code of ethics consists of four mandatory
canons.
Major IT and InfoSec Professional
Organizations (3 of 5)
• SANS (originally System Administration,
Networking, and Security Institute)
– Professional organization with a large
membership dedicated to the protection of
information and systems.
– SANS offers a set of certifications called
Global Information Assurance
Certification (GIAC).

Major IT and InfoSec Professional
Organizations (4 of 5)
• ISACA (originally Information Systems Audit
and Control Association)
– Professional association with focus on auditing,
control, and security
– Concentrates on providing IT control
practices and standards
– ISACA has a code of ethics for its
professionals

Major IT and InfoSec Professional
Organizations (5 of 5)
• Information Systems Security Association
(ISSA)
– Nonprofit society of InfoSec professionals
– Primary mission to bring together qualified IS
practitioners for information exchange and
educational development
– Promotes a code of ethics similar to those of (ISC)²,
ISACA, and ACM
Contents

• Introduction
• Law and Ethics in Information Security
• Relevant U.S. Laws
• International Laws and Legal Bodies
• Ethics and Information Security
• Codes of Ethics of Professional
Organizations
• Key U.S. Federal Agencies

Key U.S. Federal Agencies (1 of 3)
• Department of Homeland Security (DHS)
– Mission is to protect the citizens as well as the
physical and informational assets of the United
States.
– The United States Computer Emergency Readiness
Team (US-CERT) provides mechanisms to
report phishing and malware.
• U.S. Secret Service
– In addition to protective services, it is
charged with safeguarding the nation's
financial infrastructure and payments system
to preserve the integrity of the economy.
Key U.S. Federal Agencies (2 of 3)
• Federal Bureau of Investigation (FBI)
– Primary law enforcement agency; investigates
traditional crimes and cybercrimes
– Key priorities include computer/network
intrusions, identity theft, and fraud
– FBI's National InfraGard Program:
 Maintains an intrusion alert network
 Maintains a secure Web site for communication
about suspicious activity or intrusions
 Sponsors local chapter activities
 Operates a help desk for questions
Key U.S. Federal Agencies (3 of 3)
• National Security Agency (NSA)
– The nation's cryptologic organization
– Responsible for signals intelligence and
information assurance (security)
– Its Information Assurance Directorate (IAD) is
responsible for the protection of systems that
store, process, and transmit information of high
national value
Figure 3-9 U.S. Secret Service Operation Firewall
Source: USSS.
Figure 3-11 FBI Cyber's Most Wanted list
Source: fbi.gov.
Summary (1 of 3)
• Laws: rules that mandate or prohibit certain
behavior in society; drawn from ethics
• Ethics: define socially acceptable
behaviors, based on cultural mores (fixed
moral attitudes or customs of a particular
group)
• Types of law: civil, criminal, private, and
public
Summary (2 of 3)
• Relevant U.S. laws:
– Computer Fraud and Abuse Act of 1986 (CFA Act)
– National Information Infrastructure Protection Act of 1996
– USA PATRIOT Act of 2001
– USA PATRIOT Improvement and Reauthorization Act of 2005
– USA FREEDOM Act of 2015
– Computer Security Act of 1987
– Fraud and Related Activity in Connection with
Identification Documents, Authentication Features, and
Information Act (Title 18, U.S.C. § 1028)
Summary (3 of 3)
• Many organizations have codes of
conduct and/or codes of ethics.
• An organization increases its liability if it
refuses to take the measures known as due
care.
• Due diligence requires that organizations
make a valid effort to protect others and
continually maintain that effort.
Questions
1. Explain the differences between laws and
ethics in information security.
2. Explain the differences between policy and
law in information security.
3. What should you do to protect your
personal information?