Date posted: 26-Dec-2015
CC3020N Fundamentals of Security Management
Lecture 7
Legal, Ethical & Professional Issues
Learning Objectives
– Differentiate between law and ethics
– Identify some of the major national and international laws that relate to the practice of information security
– Understand the role of culture as it applies to ethics in information security
– Current laws, regulations, and relevant professional organizations' codes of conduct/ethics
Introduction
• As a future IS professional, you must understand the scope of an organization’s legal and ethical responsibilities.
• To minimize liabilities/reduce risks, the information security practitioner must:
– Understand current legal environment
– Stay current with laws and regulations
– Watch for new issues that emerge
Law and Ethics in Information Security
• Laws: rules that mandate or prohibit certain societal behavior (formally adopted rules).
• Ethics: define socially acceptable behavior based on cultural mores (some are universal).
• Cultural mores: relatively fixed moral attitudes or customs of a particular group (ethics based on these).
• Difference: laws carry the sanctions (enforcement) of a governing authority; ethics do not.
The Legal Environment
• The IS professional and managers must possess a rudimentary grasp of the legal framework within which their organizations operate.
• This legal environment can influence the organization to a greater or lesser extent, depending on the nature of the organization and the scale on which it operates.
Legislative Lag
• A long period of time elapses between innovations in criminal enterprise and the response of the state and law enforcement agencies.
• Illustration: digital crime develops and changes very rapidly, but it may take years for legislation to be enacted, by which time the crime may well have mutated or developed into a different form.
Types of Law
• Civil law: represents a wide variety of laws that govern a nation/state.
• Criminal law: addresses violations harmful to society and is actively enforced and prosecuted by the state.
• Tort law: a subset of civil law that allows individuals to seek recourse against others in the event of personal, physical, or financial injury. (http://video.google.co.uk/videosearch?hl=en&q=Tort+law&um=1&ie=UTF8&ei=DVzOSYmhAYiQjAfRmo3WCQ&sa=X&oi=video_result_group&resnum=4&ct=title#) (http://sixthsense.osfc.ac.uk/law/negligence.asp)
Types of Law
• Private law regulates the relationships among individuals and between individuals and organizations, and encompasses family law, commercial law, and labor law.
• Public law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments, and includes criminal, administrative, and constitutional law.
Relevant US Laws (General)
• Computer Fraud and Abuse Act of 1986 (CFA Act)
• National Information Infrastructure Protection Act of 1996
• USA Patriot Act of 2001
• Telecommunications Deregulation and Competition Act of 1996
• Communications Decency Act of 1996 (CDA)
• Computer Security Act of 1987
Relevant US Laws
(Three slides tabulating specific US laws; the table contents were not recovered in this extraction.)
Relevant UK Laws (General)
• Data Protection Act (1998)
• Computer Misuse Act (1990)
• Copyright, Designs and Patent Act (1988)
• Regulation of Investigatory Powers Act (2000)
• Human Rights Act (1998)
• Others
Data Protection Act (1998) (http://www.opsi.gov.uk/Acts/Acts1998/ukpga_19980029_en_1)
• Received Royal Assent on 16 July 1998; came into force early 1999
• Followed EC Directive 95/46/EC of 24 Oct 1995, which requires: “Member States to protect the fundamental rights and freedoms of natural persons, in particular their right to privacy with respect to the processing of personal data.”
• UK decided to introduce domestic legislation to satisfy the requirements of the Directive
Data Protection Act (1998)
Definitions
Personal Data means data that relate to a living individual who can be identified from those data and includes any expression of opinion about the individual
Processing means obtaining, recording or holding the data including organisation, adaptation or alteration and disclosure of the information contained in the data
Data Protection Act (1998)
Principles of Data Protection Act
• Information shall be obtained and processed ‘fairly and lawfully’
• Information shall be held only for one or more specific and lawful purposes
• Companies should not hold information that is excessive or not relevant to the purposes the company has registered under the Act.
• Information held on individuals should be accurate and up-to-date
• Information should not be held for longer than necessary
• Individuals have the right to see the data held on them and have corrections made where necessary
• Companies must take measures to protect information from unauthorised access.
Data Protection Act (1998)
Individuals' Rights
• Right of subject access
• Entitled to be told of the logic involved
• If the data subject believes that a data controller has failed to comply with a subject access request they may apply for a Court order.
• Right to prevent processing likely to cause damage or distress
• Right to prevent processing for the purposes of direct marketing
• Rights in relation to automated decision-taking
• Right to take action for compensation if the individual suffers damage by any contravention of the Act by the data controller
• Right to take action to rectify, block, erase or destroy inaccurate data
• Right to make a request to the Commissioner for an assessment to be made as to whether any provision of the Act has been contravened.
Data Protection Act (1998)
Exemptions
• Primary Exemptions: National Security, Crime, Taxation, Health, Education and Social Work.
• Special Purpose Exemptions: Publication of journalistic, literary or artistic material if in the public interest; could also include research, historical and statistical studies.
• Miscellaneous Exemptions: Personal data concerning the armed forces, judicial and ministerial appointments, even candidates' examination scripts are all exempt from subject information provisions.
Data Protection Act (1998)
Check List for Business
Make sure that:
• Manual records are treated the same as automated records, especially regarding providing subject access.
• Any processing of personal data is solely on the basis of one of the specified criteria, including those for sensitive data.
• Procedures meet all requirements for informing individuals when obtaining or disclosing data.
• Subject access procedures are modified to provide additional material required.
• Data sent outside the European Economic Area (EEA) will get adequate protection or that one of the exceptions applies.
• Registered entries are brought up-to-date, and rationalised and consolidated as far as possible.
• Advice from government and the Commissioner is heeded especially on transitional arrangements.
Computer Misuse Act (1990) (http://www.opsi.gov.uk/acts/acts1990/UKpga_19900018_en_1.htm)
An Act to make provision for securing computer material against unauthorised access or modification; and for connected purposes
• unauthorised access to computer material
• unauthorised access with the intention of carrying out or assisting others with the commission of further offences
• unauthorised modification of computer material
• impairing the operation of a program or the reliability of the data
• preventing or hindering access to any program or data
Copyright, Designs and Patent Act (1988)(http://www.opsi.gov.uk/acts/acts1988/UKpga_19880048_en_1.htm)
• The Act is the chief defense to protect organisations and software developers from the unauthorised copying of designs, software, printed materials and any other works.
• It allows a company to safeguard its intellectual property rights (IPR) against competitors and others who might wish to profit from the company’s research and investment.
Intellectual property
• A generic term used to describe designs, ideas and inventions.
• In general, IP covers the areas of patents, trademarks, designs and copyright.
Copyright, Designs and Patent Act (1988)
Significant issues are:
• Ownership of bespoke software developed for the company by a consultant.
• Employees taking software to another company.
• Software theft.
Potential problems:
• ownership of work
• rights to any materials produced
• number of licenses
How to deal with these potential problems:
• Companies should establish ownership of materials by recording their details.
• All contracts should include clauses dealing with copyright ownership.
• Regular software audits are essential.
Other Legislation
Regulation of Investigatory Powers (RIP) Act (2000)
• allows electronic communications to be monitored by government agencies.
Human Rights Act (1998)
• provides UK citizens with a set of fundamental rights, including a right to privacy - applies to whole of EU.
Freedom of Information Act (2000)
• extends the Data Protection Act 1998 provisions about subject access and data accuracy to all personal information held by public authorities.
International Laws and Legal Bodies
• Many domestic laws and customs do not apply to international trade, which is governed by international treaties and trade agreements.
• Because of the political complexities of the relationships among nations and cultural differences, there are currently few international laws relating to privacy and information security.
European Convention on Cybercrime
• http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm
• A legally binding text since 2004
• Ratified by 21 countries; a further 22 remain signatories only (including the UK)
European Convention on Cybercrime (cont.)
European Council Cyber-Crime Convention (http://epic.org/privacy/intl/ccc.html)
• Establishes international task force overseeing Internet security functions for standardized international technology laws.
• Attempts to improve effectiveness of international investigations into breaches of technology law.
• The overall goal is to simplify the acquisition of information for law enforcement agents in certain types of international crimes, as well as the extradition process.
• Well received by intellectual property rights advocates due to emphasis on copyright infringement prosecution.
• Lacks realistic provisions for enforcement.
Digital Millennium Copyright Act (DMCA) (http://en.wikipedia.org/wiki/Digital_Millennium_Copyright_Act)
• U.S. contribution to international effort to reduce impact of copyright, trademark, and privacy infringement.
• A response to European Union Directive 95/46/EC, which adds protection to individuals with regard to processing and free movement of personal data.
• UK has already implemented a version of this directive.
The Digital Millennium Copyright Act (DMCA) is a United States copyright law that implements two 1996 treaties of the World Intellectual Property Organization (WIPO). It criminalizes production and dissemination of technology, devices, or services intended to circumvent measures (commonly known as digital rights management or DRM) that control access to copyrighted works. It also criminalizes the act of circumventing an access control, whether or not there is actual infringement of copyright itself. In addition, the DMCA heightens the penalties for copyright infringement on the Internet. Passed on October 12, 1998 by a unanimous vote in the United States Senate and signed into law by President Bill Clinton on October 28, 1998, the DMCA amended Title 17 of the United States Code to extend the reach of copyright, while limiting the liability of the providers of on-line services for copyright infringement by their users.

On May 22, 2001, the European Union passed the Copyright Directive or EUCD, which addresses some of the same issues as the DMCA. But the DMCA's principal innovation in the field of copyright, the exemption from direct and indirect liability of internet service providers and other intermediaries (Title II of the DMCA), was separately addressed, and largely followed, in Europe by means of the separate Electronic Commerce Directive. (Unlike U.S. federal laws and regulations, the execution of European Union directives usually requires separate legislation by or within each of the Union's member states.)
United Nations Charter (http://en.wikipedia.org/wiki/United_Nations_Charter)
• Makes provisions, to a degree, for information security during information warfare (IW).
• IW involves use of information technology to conduct organized and lawful military operations.
• IW is a relatively new type of warfare, although militaries have been conducting electronic warfare operations for decades.
Policy Versus Law
• Most organizations develop and formalize a body of expectations called policy.
• Policies serve as organizational laws. Unlike law, however, ignorance is an acceptable defense.
• To be enforceable, policy must be distributed, readily available, easily understood, and acknowledged by employees.
Ethics and Information Security
The Ten Commandments (Decalogue) of Computer Ethics (from the Computer Ethics Institute)
Thou shalt not:
• Use a computer to harm other people
• Interfere with other people's computer work
• Snoop around in other people's computer files
• Use a computer to steal
• Use a computer to bear false witness
• Copy or use proprietary software for which you have not paid
• Use other people's computer resources without authorization or proper compensation
• Appropriate other people's intellectual output.
Thou shalt:
• Think about the social consequences of the program you are writing or the system you are designing
• Always use a computer in ways that ensure consideration and respect for your fellow humans
Ethical Differences across Cultures
• Cultural differences create difficulty in determining what is and is not ethical.
• Difficulties arise when one nationality’s ethical behavior conflicts with ethics of another national group.
• Individuals of different nationalities may have different perspectives on the ethics of computer use.
Ethical Differences across Cultures (cont.)
• Differences in computer use ethics are not exclusively cultural.
• Differences are found among individuals within the same country, same social class, and same company.
• Overriding factor in leveling the ethical perceptions within a small population is education.
• Employees must be trained in expected behaviors of an ethical employee, especially in areas of information security.
Deterrence to Unethical and Illegal Behavior
• Deterrence is the best method for preventing an illegal or unethical activity.
• Examples of deterrents include laws, policies, and technical controls.
• However, laws and policies and their associated penalties only deter if three conditions are present:
– Fear of penalty
– Probability of being caught
– Probability of penalty being administered
Ethical and Professional Issues
• Professionalism (professional standard)
• Ethics (common belief)
• Morality (personal belief)
(Diagram: the IS professional at the centre, surrounded by the profession and its code of conduct, society and public safety, the state and legislation, and personal values.)
Codes of Ethics & Professional Organizations
• Several professional organizations have established codes of conduct/ethics.
• Codes of conduct can have positive effect on an individual’s judgment regarding computer use. Unfortunately, many employers do not encourage joining of these professional organizations.
• Responsibility of IS professionals to act ethically and according to policies of employer, professional organization, and laws of society.
British Computer Society (http://www.bcs.org/)
BCS Code of Conduct (http://www.bcs.org/server.php?show=conWebDoc.1588)
Rules which are grouped into the principal duties that all members should endeavour to discharge in pursuing their professional lives.
• The Public Interest
• Duty to Employers and Clients
• Duty to the Profession
• Professional Competence and Integrity
Association of Computing Machinery (ACM)
• ACM established in 1947 as “the world's first educational and scientific computing society”.
• One of the few organizations that strongly promotes education and provides discounted membership for students.
• Code of ethics contains references to protecting information confidentiality, causing no harm, protecting others’ privacy, and respecting others’ intellectual property. (http://cacm.acm.org/magazines/1992/5/9355-acm-code-of-ethics-and-professional-conduct/comments?searchterm=code+of+conduct)
International Information Systems Security Certification Consortium, Inc. (ISC)2
(http://en.wikipedia.org/wiki/(ISC)%C2%B2)
• Non-profit organization focusing on development and implementation of information security certifications and credentials.
• Code primarily designed for information security professionals who have certification from (ISC)2.
• Code of ethics focuses on four mandatory canons
– Protect society, the commonwealth, and the infrastructure
– Act honorably, honestly, justly, responsibly, and legally
– Provide diligent and competent service to principals
– Advance and protect the profession
System Administration, Networking, and Security Institute (SANS)
(http://www.sans.org/)
• Founded in 1989, SANS is a professional organization with over 156,000 security professionals, auditors, system and network administrators.
• SANS offers set of certifications called Global Information Assurance Certification (GIAC), whose Code of Ethics requires:
– Respect for the public
– Respect for the certification
– Respect for my employer
– Respect for myself
Information Systems Audit and Control Association (ISACA)
(http://www.isaca.org/)
• Professional association with focus on auditing, control, and security.
• The membership comprises both technical and managerial professionals.
• Concentrates on providing IT control practices and standards.
• ISACA has code of ethics for its professionals.
Information Systems Audit and Control Association (ISACA) (cont.)
• Nonprofit society of information security professionals.
• Primary mission to bring together qualified IS practitioners for information exchange and educational development.
• Promotes code of ethics similar to (ISC)2, ISACA and ACM, “promoting management practices that will ensure the confidentiality, integrity, and availability of organizational information resources.”
Organizational Liability and the Need for Counsel
• What if an organization does not support or encourage strong ethical conduct on the part of its employees?
• What if an organization does not behave ethically?
• If an employee, acting with or without authorization, performs an illegal or unethical act that causes some degree of harm, the organization can be held financially liable for that action.
• An organization increases its liability (legal obligation) if it refuses to take measures known as due care, to make sure that every employee knows what is acceptable and what is not, and the consequences of illegal or unethical actions.
• Due diligence requires that an organization make a valid and ongoing effort to protect others.
Summary
• Law and Ethics in Information Security
– Laws: rules that mandate or prohibit certain behavior in society; drawn from ethics.
– Ethics: define socially acceptable behaviors; based on cultural mores (fixed moral attitudes or customs of a particular group)
• Professional Organizations’ Codes of Conduct/Ethics
• Organizational Liability and the Need for Counsel