
Ch09 Law and Ethics.docx

Uploaded: 6 years ago
Contributor: redsmile
Category: Computer Architecture
Type: Other
Filename:   Ch09 Law and Ethics.docx (306.37 kB)
Page Count: 18
Transcript
Chapter 09 Law and Ethics

Chapter Overview

Chapter 09 covers the topics of law and ethics. In this chapter readers will learn to identify major national and international laws that relate to the practice of information security, and will come to understand the role of culture as it applies to ethics in information security.

Chapter Objectives

When you complete this chapter, you will be able to:
- Differentiate between law and ethics
- Identify major national and international laws that relate to the practice of information security
- Understand the role of culture as it applies to ethics in information security
- Access current information on laws, regulations, and relevant professional organizations

Set-up Notes

This chapter could be completed in a single class session if there is sufficient time to cover the material. If the students have not had the opportunity to read the material in advance (in some settings, the textbooks are not made available until the first class meeting), it may be prudent to have a general discussion of the topic, with a detailed lecture to follow at the next class meeting. The subject matter can be covered in 1.25 to 2.5 hours.

Lecture Notes and Teaching Tips with Quick Quizzes

Introduction

As a future information security professional, it is vital that you understand the scope of an organization's legal and ethical responsibilities. To minimize the organization's liabilities, the information security practitioner must understand the current legal environment and keep apprised of new laws, regulations, and ethical issues as they emerge. By educating employees and management about their legal and ethical obligations and the proper use of information technology and information security, security professionals can keep an organization focused on its primary objectives.

Law and Ethics in Information Security

Laws are rules adopted and enforced by governments to codify expected behavior in modern society. The key difference between law and ethics is that law carries the sanction of a governing authority and ethics do not. Ethics are based on cultural mores: relatively fixed moral attitudes or customs of a societal group.

Quick Quiz

Q: What should an information security practitioner do to minimize the organization's legal liabilities?
ANSWER: To minimize the organization's liabilities, the information security practitioner must understand the current legal environment and keep apprised of new laws, regulations, and ethical issues as they emerge.

Q: What are the major differences between law and ethics?
ANSWER: Law carries the sanction of a governing authority and ethics do not. Ethics are also based on cultural mores: relatively fixed moral attitudes or customs of a societal group.

The Legal Environment

Information security professionals and the managers involved in information security must possess a rudimentary grasp of the legal framework within which their organizations operate. This legal environment can influence the organization to a greater or lesser extent depending on the nature of the organization and the scale on which it operates.

Types of Law

- Civil law embodies a wide variety of laws pertaining to relationships between and among individuals and organizations.
- Criminal law addresses violations harmful to society and is actively enforced and prosecuted by the state.
- Tort law is a subset of civil law that allows individuals to seek recourse against others in the event of personal, physical, or financial injury.
- Private law regulates the relationships among individuals and between individuals and organizations, and encompasses family law, commercial law, and labor law.
- Public law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments. Public law includes criminal, administrative, and constitutional law.

Relevant U.S. Laws

Table 11-1 summarizes the U.S. federal laws relevant to information security.

The Computer Fraud and Abuse Act of 1986 (CFA Act) is the cornerstone of many computer-related federal laws and enforcement efforts. It was amended in October 1996 by the National Information Infrastructure Protection Act of 1996, which modified several sections of the previous act and increased the penalties for selected crimes. The CFA Act was further modified by the USA Patriot Act of 2001, the abbreviated name for the "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001," which provides law enforcement agencies with broader latitude to combat terrorism-related activities. Some of the laws modified by the Patriot Act date from the earliest laws created to deal with electronic technology. The Communications Act of 1934 was revised by the Telecommunications Deregulation and Competition Act of 1996, which attempts to modernize the archaic terminology of the older act.

The Computer Security Act of 1987 was one of the first attempts to protect federal computer systems by establishing minimum acceptable security practices. It charged the National Bureau of Standards, in cooperation with the National Security Agency, with the following tasks:
- Developing standards, guidelines, and associated methods and techniques for computer systems
- Developing uniform standards and guidelines for most federal computer systems
- Developing technical, management, physical, and administrative standards and guidelines for the cost-effective security and privacy of sensitive information in federal computer systems
- Developing guidelines for use by operators of federal computer systems that contain sensitive information in training their employees in security awareness and accepted security practice
- Developing validation procedures for, and evaluating the effectiveness of, standards and guidelines through research and liaison with other government and private agencies

The Computer Security Act also established a Computer System Security and Privacy Advisory Board within the Department of Commerce. The Act also amended the Federal Property and Administrative Services Act of 1949, requiring the National Bureau of Standards to distribute standards and guidelines pertaining to federal computer systems and making such standards compulsory and binding to the extent the secretary determines necessary to improve the efficiency of operation or the security and privacy of federal computer systems. Another provision of the Computer Security Act requires mandatory periodic training in computer security awareness and accepted computer security practice for all employees who are involved with the management, use, or operation of each federal computer system.

Privacy Laws

Many organizations collect, trade, and sell personal information as a commodity, and many individuals are becoming aware of these practices and looking to governments to protect their privacy. In the past it was not possible to create databases that contained personal information collected from multiple sources. Today, the aggregation of data from multiple sources permits unethical organizations to build databases with alarming quantities of personal information.

The Privacy of Customer Information section of the regulations covering common carriers specifies that any proprietary information shall be used explicitly for providing services, and not for any marketing purposes.

The Federal Privacy Act of 1974 regulates the government's use of private information. The Federal Privacy Act was created to ensure that government agencies protect the privacy of individuals' and businesses' information, and holds those agencies responsible if any portion of this information is released without permission.

The Electronic Communications Privacy Act of 1986 is a collection of statutes that regulates the interception of wire, electronic, and oral communications. These statutes work in cooperation with the Fourth Amendment of the U.S. Constitution, which prohibits search and seizure without a warrant.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), also known as the Kennedy-Kassebaum Act, is an attempt to protect the confidentiality and security of health care data by establishing and enforcing standards and by standardizing electronic data interchange. HIPAA requires organizations that retain health care information to use information security mechanisms to protect this information, as well as policies and procedures to maintain them, and also requires a comprehensive assessment of the organization's information security systems, policies, and procedures. HIPAA provides guidelines for the use of electronic signatures based on security standards ensuring message integrity, user authentication, and nonrepudiation. HIPAA has five fundamental privacy principles:
- Consumer control of medical information
- Boundaries on the use of medical information
- Accountability for the privacy of private information
- Balance of public responsibility for the use of medical information for the greater good, measured against the impact to the individual
- Security of health information

The Financial Services Modernization Act, or Gramm-Leach-Bliley Act of 1999, contains a number of provisions that affect banks, securities firms, and insurance companies. This act requires all financial institutions to disclose their privacy policies, describing how they share nonpublic personal information and how customers can request that their information not be shared with third parties. The act also ensures that the privacy policies in effect in an organization are fully disclosed when a customer initiates a business relationship, and distributed at least annually for the duration of the professional association.

Export and Espionage Laws

In an attempt to protect intellectual property and competitive advantage, Congress passed the Economic Espionage Act (EEA) in 1996. This law attempts to protect trade secrets "from the foreign government that uses its classic espionage apparatus to spy on a company, to the two American companies that are attempting to uncover each other's bid proposals, or to the disgruntled former employee who walks out of his former company with a computer diskette full of engineering schematics."

The Security and Freedom through Encryption Act of 1997 provides guidance on the use of encryption and institutes measures of public protection from government intervention. Specifically, the Act reinforces an individual's right to use or sell encryption algorithms without concern for the impact of other regulations requiring some form of key registration, and prohibits the federal government from requiring the use of encryption for contracts, grants, other official documents, and correspondence.

U.S. Copyright Law

U.S. copyright law extends protection to intellectual property, which includes words published in electronic formats. The doctrine of fair use allows material to be quoted for the purpose of news reporting, teaching, scholarship, and a number of other related activities, so long as the purpose is educational and not for profit, and the usage is not excessive. Proper acknowledgement must be provided to the author and/or copyright holder of such works, including a description of the location of source materials by using a recognized form of citation.

Freedom of Information Act of 1966 (FOIA)

All federal agencies are required under the Freedom of Information Act (FOIA) to disclose records requested in writing by any person. The FOIA applies only to federal agencies and does not create a right of access to records held by Congress, the courts, or state or local government agencies.

Sarbanes-Oxley Act of 2002

The U.S. Congress enacted the Sarbanes-Oxley Act of 2002 to enforce accountability for financial record keeping and reporting at publicly traded corporations. The law requires that the CEO and chief financial officer (CFO) assume direct and personal accountability for the completeness and accuracy of a publicly traded organization's financial reporting and record-keeping systems. As these executives attempt to ensure that the systems used to record and report are sound, often relying upon the expertise of CIOs and CISOs to do so, the related areas of availability and confidentiality are also emphasized.

International Laws and Legal Bodies

Many domestic laws and customs do not apply to international trade, which is governed by international treaties and trade agreements. Because of the political complexities of the relationships among nations and cultural differences, there are currently few international laws relating to privacy and information security.

European Council Cyber-Crime Convention

Recently the Council of Europe drafted the European Council Cyber-Crime Convention, which empowers an international task force to oversee a range of Internet security functions and to standardize technology laws across international borders. It also attempts to improve the effectiveness of international investigations into breaches of technology law. The overall goal of the convention is to simplify the acquisition of information for law enforcement agents in certain types of international crimes, as well as the extradition process.

Digital Millennium Copyright Act (DMCA)

The Digital Millennium Copyright Act (DMCA) is a U.S.-based international effort to reduce the impact of copyright, trademark, and privacy infringement, especially via the removal of technological copyright protection measures. The European Union also put forward Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, which increases individual rights to process and freely move personal data. The United Kingdom has already implemented a version of this directive called the Database Right.

State and Local Regulations

It is the responsibility of information security professionals to understand state laws and regulations and to ensure that their organization's security policies and procedures comply with them. For example, the State of Georgia recently passed the Georgia Computer Systems Protection Act, which has various computer security provisions and establishes specific penalties for the use of information technology to attack or exploit information systems in organizations. The Georgia legislature also passed the Georgia Identity Theft Law in 1998, which requires that a business may not discard a record containing personal information unless it shreds, erases, modifies, or otherwise makes the information irretrievable.

Policy versus Law

As an information security professional, you must be aware of the legal environment in which your organization operates, and of how information security is maintained by means of policy. The key difference between policy and law is that ignorance of a policy is an acceptable defense, and therefore policies must be:
- Distributed to all individuals who are expected to comply with them
- Readily available for employee reference
- Easily understood, with multilingual translations and translations for visually impaired or low-literacy employees
- Acknowledged by the employee, usually by means of a signed consent form

Quick Quiz

Q: What is the Federal Privacy Act?
ANSWER: The Federal Privacy Act of 1974 regulates the government's use of private information. The Federal Privacy Act was created to ensure that government agencies protect the privacy of individuals' and businesses' information, and holds those agencies responsible if any portion of this information is released without permission.

Ethical Concepts in Information Security

The student of information security is not expected to study the topic of ethics in a vacuum, but within a larger ethical framework. However, those employed in the area of information security may be expected to be more articulate about the topic than others in the organization, and often must withstand a higher degree of scrutiny.

The Ten Commandments of Computer Ethics (from The Computer Ethics Institute):
1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people's computer work.
3. Thou shalt not snoop around in other people's computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people's computer resources without authorization or proper compensation.
8. Thou shalt not appropriate other people's intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.

Differences in Ethical Concepts

Studies reveal that individuals of different nationalities have different perspectives on the ethics of computer use. Difficulties arise when one nationality's ethical behavior does not correspond to that of another national group.

Ethics and Education

Differences in computer use ethics are not exclusively cultural. Differences are found among individuals within the same country, within the same social class, and within the same company. Key studies reveal that the overriding factor in leveling the ethical perceptions within a small population is education. Employees must be trained and kept up to date on information security topics, including the expected behaviors of an ethical employee.

Deterring Unethical and Illegal Behavior

It is the responsibility of information security personnel to do everything in their power to deter unethical and illegal acts, using policy, education and training, and technology as controls or safeguards to protect the information and systems. Many security professionals understand technological means of protection, but many underestimate the value of policy.

There are three general categories of unethical behavior that organizations and society should seek to eliminate:
- Ignorance
- Accident
- Intent

Deterrence is the best method for preventing an illegal or unethical activity. Laws, policies, and technical controls are all examples of deterrents. However, it is generally agreed that laws and policies and their associated penalties only deter if three conditions are present:
- Fear of penalty
- Probability of being caught
- Probability of the penalty being administered

Quick Quiz

Q: How can the information security professional deter unethical and illegal behavior of an employee?
ANSWER: Information security personnel should do everything in their power to deter unethical and illegal acts, using policy, education and training, and technology as controls or safeguards to protect the information and systems.

Certifications and Professional Organizations

A number of professional organizations have established codes of conduct and/or codes of ethics that members are expected to follow. Codes of ethics can have a positive effect on an individual's judgment regarding computer use. Unfortunately, many employers do not encourage their employees to join these professional organizations. It remains the individual responsibility of security professionals to act ethically and according to the policies and procedures of their employers, their professional organizations, and the laws of society.

Association for Computing Machinery (ACM)

The ACM (www.acm.org) is a respected professional society, originally established in 1947 as "the world's first educational and scientific computing society." It is one of the few organizations that strongly promotes education, and it provides discounted membership for students. The ACM's code of ethics requires members to perform their duties in a manner befitting an ethical computing professional.

International Information Systems Security Certification Consortium, Inc. (ISC)2

The (ISC)2 manages a body of knowledge on information security and administers and evaluates examinations for information security certifications. Currently the (ISC)2 offers two professional certifications in the information security arena: the Certified Information Systems Security Professional (CISSP) and the Systems Security Certified Practitioner (SSCP). The code of ethics put forth by (ISC)2 is primarily designed for information security professionals who have earned one of their certifications. This code includes four mandatory canons:
- Protect society, the commonwealth, and the infrastructure
- Act honorably, honestly, justly, responsibly, and legally
- Provide diligent and competent service to principals
- Advance and protect the profession

System Administration, Networking, and Security Institute (SANS)

Founded in 1989, SANS is a professional research and education cooperative organization with currently over 156,000 security professionals, auditors, system administrators, and network administrators. SANS certifications can be pursued independently or combined to earn the comprehensive certification called the GIAC Security Engineer (GSE). The newest GIAC certification, the Information Security Officer (GISO), is an overview certification that combines basic technical knowledge with an understanding of threats, risks, and best practices.

Information Systems Audit and Control Association (ISACA)

The Information Systems Audit and Control Association, or ISACA (www.isaca.org), is a professional association with a focus on auditing, control, and security. The membership comprises both technical and managerial professionals. ISACA also has a code of ethics for its professionals. It requires many of the same high standards for ethical performance as the other organizations and certifications.

Computer Security Institute (CSI)

The Computer Security Institute (www.gocsi.com) provides information and certification to support the computer, networking, and information security professional. CSI also publishes a newsletter and threat advisory, and is well known for its annual computer crime survey of threats, developed in cooperation with the FBI.

Information Systems Security Association (ISSA)

The Information Systems Security Association (ISSA) (www.issa.org) is a nonprofit society of information security professionals. As a professional association, its primary mission is to bring together qualified practitioners of information security for information exchange and educational development. ISSA provides conferences, meetings, publications, and information resources to promote information security awareness and education. ISSA also promotes a code of ethics, similar to those of (ISC)2, ISACA, and the ACM, "promoting management practices that will ensure the confidentiality, integrity, and availability of organizational information resources."

Other Security Organizations

The Internet Society, or ISOC (www.isoc.org), is a nonprofit, nongovernmental, international professional organization. It promotes the development and implementation of standards, policy, and education and training to promote the Internet.

The Internet Engineering Task Force (IETF) consists of individuals from the computing, networking, and telecommunications industries, and is responsible for developing the Internet's technical foundations. Standards developed by the IETF are then reviewed by the Internet Engineering Steering Group (IESG), with appeal to the Internet Architecture Board, and promulgated by the Internet Society as international standards.

The Computer Security Division (CSD) of the National Institute of Standards and Technology (NIST) runs the Computer Security Resource Center (CSRC), an essential resource for any current or aspiring information security professional. This Web site (csrc.nist.gov) houses one of the most comprehensive sets of publicly available information on the entire suite of information security topics. The CSD is involved in five major research areas related to information security:
- Cryptographic standards and applications
- Security testing
- Security research and emerging technologies
- Security management and guidance
- Outreach, awareness, and education

The CERT Coordination Center, or CERT/CC (www.cert.org), is a center of Internet security expertise that is part of the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University. The CERT/CC studies security issues and provides publications and alerts to help educate the public about the threats facing information security. The center also provides training and expertise in the handling of computer incidents. CERT/CC acts both as a research center and as an outside consultant in the areas of incident response, security practices, and program development.

Computer Professionals for Social Responsibility (CPSR) is a public organization for technologists and anyone with a general concern about the impact of computer technology on society. CPSR promotes ethical and responsible development and use of computing, and seeks to inform public and private policy and lawmakers on this subject. It acts as an ethical watchdog for the development of ethical computing.

Quick Quiz

Q: What is the most important responsibility of an information security professional?
ANSWER: It remains the individual responsibility of security professionals to act ethically and according to the policies and procedures of their employers, their professional organizations, and the laws of society.

Key U.S. Federal Agencies

There are a number of key U.S. federal agencies charged with the protection of U.S. information resources and the investigation of threats to, or attacks on, these resources.

The Federal Bureau of Investigation's National Infrastructure Protection Center (NIPC) (www.nipc.gov) was established in 1998 and serves as the U.S. government's focal point for threat assessment and the warning, investigation, and response to threats or attacks against critical U.S. infrastructures. A key part of the NIPC's efforts to educate, train, inform, and involve the business and public sector in information security is the National InfraGard Program. Every FBI field office has established an InfraGard chapter and collaborates with public and private organizations and the academic community to share information about attacks, vulnerabilities, and threats. InfraGard's dominant contribution is the free exchange of information to and from the private sector in the subject areas of threats and attacks on information resources.

Another key federal agency is the National Security Agency (NSA). The NSA is the Nation's cryptologic organization. It coordinates, directs, and performs highly specialized activities to protect U.S. information systems and produce foreign intelligence information…. It is also one of the most important centers of foreign language analysis and research within the Government. The NSA is responsible for signals intelligence and information system security. The NSA's Information Assurance Directorate (IAD) provides information security "solutions including the technologies, specifications and criteria, products, product configurations, tools, standards, operational doctrine and support activities needed to implement the protect, detect and report, and respond elements of cyber defense."

The U.S. Secret Service is a department within the Department of the Treasury. In addition to its well-known mission to protect key members of the U.S. government, the Secret Service is also charged with the detection and arrest of any person committing a U.S. federal offense relating to computer fraud, as well as false identification crimes. The Patriot Act (Public Law 107-56) increased the Secret Service's role in investigating fraud and related activity in connection with computers. The Department of Homeland Security was established with the passage of Public Law 107-296, which, in part, transferred the United States Secret Service from the Department of the Treasury to the new department, effective March 1, 2003.

Quick Quiz

Q: What important information does the NSA's Information Assurance Directorate provide?
ANSWER: It provides the information security professional with "solutions including the technologies, specifications and criteria, products, product configurations, tools, standards, operational doctrine and support activities needed to implement the protect, detect and report, and respond elements of cyber defense."

Organizational Liability and the Need for Counsel

What if an organization does not support or even encourage strong ethical conduct on the part of its employees? What if an organization does not behave ethically? If an employee, acting with or without authorization, performs an illegal or unethical act that causes some degree of harm, the organization can be held financially liable for that action. An organization increases its liability if it refuses to take measures (due care) to make sure that every employee knows what is acceptable and what is not, and the consequences of illegal or unethical actions. Due diligence requires that an organization make a valid and ongoing effort to protect others.

Quick Quiz

Q: What is the organization's responsibility regarding information security?
ANSWER: An organization must take measures (due care) to make sure that every employee knows what is acceptable ethical and legal behavior, what is not, and the consequences of illegal or unethical actions. Should an organization refuse to take such measures, it increases its liability and can be held financially liable for any unethical or illegal behavior of an employee.

Key Terms

- CERT Coordination Center (CERT/CC)
- Civil law
- Computer Professionals for Social Responsibility (CPSR)
- Computer Security Division (CSD)
- Criminal law
- Cultural mores
- Deterrence
- Due care
- Due diligence
- Ethics
- Information Systems Security Association (ISSA)
- Information warfare (IW)
- Internet Engineering Task Force (IETF)
- Internet Society (ISOC)
- Jurisdiction
- Laws
- Liability
- Long-arm jurisdiction
- National InfraGard Program
- National Infrastructure Protection Center (NIPC)
- National Security Agency (NSA)
- Privacy
- Private law
- Public law
- Restitution
- Tort law
- U.S. Secret Service
