Legal Ethical and Professional Issues in Information Security

  • Slides: 33
Legal, Ethical, and Professional Issues in Information Security
Sunil Paudel, sunilpaudel@gmail.com

Outline
• Types of Law
• Relevant Laws (Computer Crime, IP, Licensing, Privacy)
• International Laws and Legal Bodies
• Ethical Concepts in Information Security
• Codes of Ethics, Certifications, and Professional Organizations

Introduction
• You must understand the scope of an organization’s legal and ethical responsibilities
• To minimize liabilities and reduce risks, the information security practitioner must:
  – Understand the current legal environment
  – Stay current with laws and regulations
  – Watch for new issues that emerge

Law and Ethics in Information Security
• Laws: rules that mandate or prohibit certain societal behavior
• Ethics: define socially acceptable behavior
• Cultural mores: fixed moral attitudes or customs of a particular group; ethics are based on these
• Laws carry the sanctions of a governing authority; ethics do not

Ethical Issues
• Ethical:
  1. pertaining to or dealing with morals or the principles of morality; pertaining to right and wrong in conduct.
  2. in accordance with the rules or standards for right conduct or practice, esp., the standards of a profession.
• Examples:
  – Should companies collect and/or sell customer data?
  – Should IT specialists monitor and report employee computer use?

Types of Law
• Civil law represents a wide variety of laws that are recorded in volumes of legal “code”.
• Criminal law addresses violations harmful to society and is actively enforced through prosecution by the state.
• Tort law allows individuals to seek recourse against others in the event of personal, physical, or financial injury.
• Private law regulates the relationship between the individual and the organization, and encompasses family law, commercial law, and labor law.
• Public law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments, providing careful checks and balances. Examples of public law include criminal, administrative, and constitutional law.

Relevant Nepalese Laws
• Types of law: civil, criminal, tort, private, public
• Relevant Nepalese Acts/Regulations/Policies:
  – Electronic Transaction Act 2063 B.S.
  – Telecommunication Act 2053 B.S.
  – National Broadcasting Act 2049 B.S.
  – Copyright Act 2059 B.S.
  – Patent, Design and Trademark Act 2022 B.S.
  – IT Policy 2067

Electronic Transaction Act 2063
• Date of Authentication and Publication: 22 Mansir 2063 (December 8, 2006)
• Considered a landmark law for the development of the Nepalese IT sector.
• Provision for any person to authenticate any electronic record by his/her personal digital signature.
• Provision for an IT tribunal, consisting of one member each from law (Chairman), information technology, and commerce.

Computer Related Offences
• Piracy, destruction or alteration of computer source code
• Unauthorized access to computer materials
• Damage to any computer or information system
• Publication of illegal materials in electronic form
• Divulging (disclosing) confidential information
• Committing computer fraud
• Punishment for an offence committed outside Nepal

Privacy
• One of the hottest topics in information security
• A “state of being free from unsanctioned intrusion”
• The ability to aggregate data from multiple sources allows the creation of information databases previously unheard of

International Laws and Legal Bodies
• European Council Cyber-Crime Convention:
  – Establishes an international task force overseeing Internet security functions for standardized international technology laws
  – Attempts to improve the effectiveness of international investigations into breaches of technology law
  – Well received by intellectual property rights advocates due to its emphasis on copyright infringement prosecution
  – Lacks realistic provisions for enforcement

Digital Millennium Copyright Act (DMCA)
• U.S. contribution to the international effort to reduce the impact of copyright, trademark, and privacy infringement
• A response to European Union Directive 95/46/EC, which adds protection for individuals with regard to the processing and free movement of personal data
• The United Kingdom has already implemented a version of this directive called the Database Right.

United Nations Charter
• Makes provisions, to a degree, for information security during information warfare (IW)
• IW involves the use of information technology to conduct organized and lawful military operations
• IW is a relatively new type of warfare, although the military has been conducting electronic warfare operations for decades

Policy Versus Law
• Most organizations develop and formalize a body of expectations called policy
• Policies serve as organizational laws
• To be enforceable, a policy must be distributed, readily available, easily understood, and acknowledged by employees

Ethics and Information Security
“The Ten Commandments of Computer Ethics” from The Computer Ethics Institute
• 1) Thou shalt not use a computer to harm other people: If it is unethical to harm people by making a bomb, for example, it is equally bad to write a program that handles the timing of the bomb. Or, to put it more simply, if it is bad to steal and destroy other people’s books and notebooks, it is equally bad to access and destroy their files.
• 2) Thou shalt not interfere with other people's computer work: Computer viruses are small programs that disrupt other people’s computer work by destroying their files, taking huge amounts of computer time or memory, or by simply displaying annoying messages. Generating and consciously spreading computer viruses is unethical.

• 3) Thou shalt not snoop around in other people's files: Reading other people’s e-mail messages is as bad as opening and reading their letters: this is invading their privacy. Obtaining other people’s non-public files should be judged the same way as breaking into their rooms and stealing their documents. Text documents on the Internet may be protected by encryption.
• 4) Thou shalt not use a computer to steal: Using a computer to break into the accounts of a company or a bank and transferring money should be judged the same way as robbery. It is illegal and there are strict laws against it.

• 5) Thou shalt not use a computer to bear false witness: The Internet can spread untruth as fast as it can spread truth. Putting out false "information" to the world is bad. For instance, spreading false rumors about a person or false propaganda about historical events is wrong.
• 6) Thou shalt not use or copy software for which you have not paid: Software is an intellectual product. In that way, it is like a book: obtaining illegal copies of copyrighted software is as bad as photocopying a copyrighted book. There are laws against both. Information about the copyright owner can be embedded by a process called watermarking into pictures in digital format.

• 7) Thou shalt not use other people's computer resources without authorization: Multiuser systems use user IDs and passwords to enforce their memory and time allocations, and to safeguard information. You should not try to bypass this authorization system. Hacking a system to break and bypass the authorization is unethical.
• 8) Thou shalt not appropriate other people's intellectual output: For example, the programs you write for the projects assigned in this course are your own intellectual output. Copying somebody else’s program without proper authorization is software piracy and is unethical. Intellectual property is a form of ownership, and may be protected by copyright laws.

• 9) Thou shalt think about the social consequences of the program you write: You have to think about computer issues in a more general social framework: can the program you write be used in a way that is harmful to society? For example, if you are working for an animation house, and are producing animated films for children, you are responsible for their contents.
• 10) Thou shalt use a computer in ways that show consideration and respect: Just like in public buses or banks, people using computer communications systems may find themselves in situations where there is some form of queuing, and you have to wait for your turn and generally be nice to other people in the environment. The fact that you cannot see the people you are interacting with does not mean that you can be rude to them.

Ethical Differences Across Cultures
• Cultural differences create difficulty in determining what is and is not ethical
• Difficulties arise when one nationality’s ethical behavior conflicts with the ethics of another national group

Ethics and Education
• The overriding factor in leveling ethical perceptions within a small population is education
• Employees must be trained in the expected behaviors of an ethical employee, especially in areas of information security
• Proper ethical training is vital to creating an informed, well-prepared, and low-risk system user

Deterrence to Unethical and Illegal Behavior
• Deterrence: the best method for preventing an illegal or unethical activity; e.g., laws, policies, technical controls
• Laws and policies only deter if three conditions are present:
  – Fear of penalty
  – Probability of being caught
  – Probability of the penalty being administered

Codes of Ethics and Professional Organizations
• Several professional organizations have established codes of conduct/ethics
• Codes of ethics can have a positive effect; unfortunately, many employers do not encourage joining these professional organizations
• It is the responsibility of security professionals to act ethically and according to the policies of their employer, their professional organization, and the laws of society

Association for Computing Machinery (ACM)
• ACM was established in 1947 as “the world's first educational and scientific computing society”
• Its code of ethics contains references to protecting information confidentiality, causing no harm, protecting others’ privacy, and respecting others’ intellectual property

International Information Systems Security Certification Consortium, Inc. (ISC)2
• Non-profit organization focusing on the development and implementation of information security certifications and credentials
• Code primarily designed for information security professionals who hold a certification from (ISC)2
• Code of ethics focuses on four mandatory canons

System Administration, Networking, and Security Institute (SANS)
• Professional organization with a large membership dedicated to the protection of information and systems
• SANS offers a set of certifications called Global Information Assurance Certification (GIAC)

Information Systems Audit and Control Association (ISACA)
• Professional association with a focus on auditing, control, and security
• Concentrates on providing IT control practices and standards
• ISACA has a code of ethics for its professionals

Computer Security Institute (CSI)
• Provides information and training to support computer, networking, and information security professionals
• Though without a code of ethics, it has argued for the adoption of ethical behavior among information security professionals

Information Systems Security Association (ISSA)
• Nonprofit society of information security (IS) professionals
• Primary mission is to bring together qualified IS practitioners for information exchange and educational development
• Promotes a code of ethics similar to those of (ISC)2, ISACA and ACM

Other Security Organizations
• Internet Society (ISOC): promotes the development and implementation of education, standards, and policy to promote the Internet
• Computer Security Division (CSD): division of the National Institute of Standards and Technology (NIST); promotes industry best practices and is an important reference for information security professionals

Other Security Organizations (continued)
• CERT Coordination Center (CERT/CC): center of Internet security expertise operated by Carnegie Mellon University
• Computer Professionals for Social Responsibility (CPSR): public organization for anyone concerned with the impact of computer technology on society

Organizational Liability and the Need for Counsel
• Liability is the legal obligation of an entity; it includes the legal obligation to make restitution for wrongs committed
• An organization increases its liability if it refuses to take measures known as due care
• Due diligence requires that an organization make a valid effort to protect others and continually maintain that level of effort

Summary
• Laws: rules that mandate or prohibit certain behavior in society; drawn from ethics
• Ethics: define socially acceptable behaviors; based on cultural mores (fixed moral attitudes or customs of a particular group)
• Many organizations have codes of conduct and/or codes of ethics
• An organization increases its liability if it refuses to take measures known as due care
• Due diligence requires that an organization make a valid effort to protect others and continually maintain that effort