Transforming Lives. Inventing the Future. www.iit.edu
ILLINOIS INSTITUTE OF TECHNOLOGY
ITM 478/578 1
Legal, Ethical & Professional Issues
Ray Trygstad
ITM 478 / IT 478 / ITM 578 Spring 2005
Information Technology & Management Programs
Center for Professional Development
Slides based on Whitman, M. and Mattord, H., Principles of Information Security; Thomson Course Technology 2003
Objectives
Upon completion of this lesson students should be able to:
– Differentiate between laws and ethics
– Identify major national laws that relate to the practice of information security
– Discuss the role of culture as it applies to ethics in information security
Law and Ethics in Information Security
Laws: rules adopted for determining expected behavior
– Laws are drawn from ethics
Ethics define socially acceptable behaviors
Ethics are based on cultural mores: fixed moral attitudes or customs of a particular group
Types of Law
Civil law
Criminal law
Tort law
Private law
Public law
Relevant U.S. Laws - General
Computer Fraud and Abuse Act of 1986
National Information Infrastructure Protection Act of 1996
USA Patriot Act of 2001
Telecommunications Deregulation and Competition Act of 1996
Communications Decency Act (CDA)
Computer Security Act of 1987
Digital Millennium Copyright Act of 1998
Sarbanes-Oxley Act of 2002
Privacy
Privacy: one of the hottest topics in information security
The ability to collect information, combine facts from separate sources, and merge them with other information results in collections of information that were previously impossible to create
Aggregation of data from multiple sources permits unethical organizations to build databases of facts with frightening capabilities
Privacy in the U.S.
Not a Constitutional right, but has been construed by the courts
– “Reasonable expectation” of privacy
Working definition:
– right not to be disturbed
– right to be anonymous
– right not to be monitored
– right not to have one’s identifying information exploited
Construed Constitutional guarantees of privacy apply only to the Federal Government
Privacy of Customer Information
Privacy of Customer Information Section of Common Carrier Regulations
Federal Privacy Act of 1974
The Electronic Communications Privacy Act of 1986
The Health Insurance Portability & Accountability Act of 1996 (HIPAA), also known as the Kennedy-Kassebaum Act
The Financial Services Modernization Act or Gramm-Leach-Bliley Act of 1999
Freedom of Information Act of 1966 (FOIA)
The Freedom of Information Act provides any person with the right to request access to federal agency records or information not determined to be in the interest of national security
– US Government agencies are required to disclose requested information on receipt of a written request
Freedom of Information Act of 1966 (FOIA)
Exceptions for information protected from disclosure
Act does not apply to
– Congress or Federal courts
– state or local government agencies
– private businesses or individuals
Many states have their own version of the FOIA
Freedom of Information Act of 2000 (UK)
In 2000, the United Kingdom passed its Freedom of Information Act
– Very similar in all respects to U.S. law
– More exceptions
European Union Model
European Union Directive 95/46/EC, effective October 1998, increases protection of individuals in the processing of personal data and limits free movement of such data
– Strong consumer protection
– Only allows gathering of information necessary for the transaction
– Personal data cannot be transferred to another company without permission
The United Kingdom had implemented a version of this directive called the Database Right
EU Law Portal
Figure 3-4: European Union Law Web site, http://europa.eu.int/eur-lex/en/
International Laws and Legal Bodies
Council of Europe: European Council Cyber-Crime Convention
– Creates an international task force to oversee a range of security functions associated with Internet activities
– Standardizes technology laws across international borders
International Laws and Legal Bodies
European Council Cyber-Crime Convention
– Also attempts to improve the effectiveness of international investigations into breaches of technology law
Well received by advocates of intellectual property rights, with emphasis on copyright infringement prosecution
UN International Law
Figure 3-46: United Nations International Law Web site, http://www.un.org/law/
Export and Espionage Laws
Economic Espionage Act (EEA) of 1996
Security and Freedom Through Encryption Act of 1997 (SAFE)
What is a Copyright?
Set of exclusive legal rights authors have over their works for a limited period of time; these rights include
– copying the works (including parts of the works)
– making derivative works
– distributing the works
– performing the works (showing a movie or playing an audio recording, as well as performing a dramatic work)
What is a Copyright?
Copyright exists upon creation
– Author’s rights begin when an original work of authorship is fixed in a tangible medium
A work does not have to bear a copyright notice or be registered to be copyrighted
US Copyright Law
Intellectual property is recognized as a protected asset in the US
US copyright law extends this right to the published word, including electronic formats
US Copyright Law: Fair Use
Fair use of copyrighted materials includes
– the use to support news reporting, teaching, scholarship, and a number of other related permissions
– the purpose of the use has to be for educational or library purposes, not for profit, and should not be excessive
DMCA (more on this in a minute)
What is Fair Use?
Allows for limited copying or distribution of published works without the author’s permission
– Examples:
• Quotation of excerpts in a review or critique
• Copying of a small part of a work by a teacher or student to illustrate a lesson
What is Fair Use?
Determination of fair use is based on:
– Purpose and nature of the use
– Nature of the copyrighted work
– Nature and substantiality of the material used
– Effect of the use on the potential market for or value of the work
What is Fair Use?
As Kerry Konrad, co-lead litigation counsel for Lotus Development Corporation, succinctly said, “if your use is private, limited, and for the purpose of reference and illustration only, it’s likely to be fair.”
Licensing of Copyrights
If fair use does not apply, using another’s intellectual property requires a license
A license is not a given—the owner does not have to grant a license nor give any explanation when they don’t
Licensing of Copyrights
Placing materials on the Web does NOT place them in the Public Domain unless such assignment is specifically made
– Some Web sites contain content such as clipart, buttons, bars, backgrounds, and photos, where either the items have been placed in the public domain or a license for their use is clearly granted
– Otherwise all works online—graphic arts as well as text—are protected by copyright, and your reuse requires a license
US Copyright Office
Figure 3-3: U.S. Copyright Office Web site, http://www.loc.gov/copyright/
Digital Millennium Copyright Act (DMCA)
The Digital Millennium Copyright Act (DMCA) is the US version of an international effort to reduce the impact of copyright, trademark, and privacy infringement
Many legal experts feel DMCA illegally infringes on Fair Use and has other adverse effects
Impact of DMCA
Critics claim DMCA has had the following impacts (among others):
– DMCA is being used to silence researchers, computer scientists and critics
– Corporations are using it against the public
– Public/College radio stations can no longer afford to webcast
Impact of DMCA
It also has had a stifling effect on computer security research, as it prohibits the circumvention of copy protection and the distribution of devices that can be used to circumvent copyrights
– In doing so it treats publishing of security vulnerabilities as a violation of the law
Sarbanes-Oxley Act
Created to address accounting “irregularities” (Enron, etc.)
Requires internal controls & internal controls reporting
– As part of this, general computer controls must be implemented and documented
Information security controls are a key component of general computer controls
Sarbanes-Oxley Act
Section 404 -- Management Assessment of Internal Controls
Rules Required. The [Securities and Exchange] Commission shall prescribe rules requiring each annual report…to contain an internal control report, which shall--
– state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
– contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting
Sarbanes-Oxley Act
Access controls, authorization, auditability, data integrity and availability (disaster recovery) are key elements of controls to ensure compliance with section 404
Because there is external financial auditor involvement in assuring rules compliance, this draws audit firms into IT security auditing, or at least verification of IT security audits
State & Local Regulations
Each state or locality may have laws and regulations that impact the use of computer technology
Information security professionals have a responsibility to understand state laws and regulations and ensure the organization’s security policies and procedures comply
United Nations Charter
To some degree the United Nations Charter provides provisions for information security during Information Warfare
Information Warfare (IW) involves use of information technology to conduct offensive operations as part of an organized and lawful military operation by a sovereign state
Information Warfare
IW is a relatively new application of warfare, although the military has been conducting electronic warfare and counter-warfare operations for decades, jamming, intercepting, and spoofing enemy communications
Policy Versus Law
Most organizations develop and formalize a body of expectations called policy
Policies function in an organization like laws
For a policy to become enforceable, it must meet certain standards
Only when all conditions are met does the organization have a reasonable expectation of effective policy
Standards for Enforceable Policy
Enforceable policy must be:
– Distributed to all individuals who are expected to comply
– Readily available for employee reference
– Easily understood, with multi-language translations and translations for visually impaired or literacy-impaired employees
– Acknowledged by the employee, usually by means of a signed consent form
Content of Corporate Use Policies
Rights
Responsibilities
Privileges
Prohibitions
– Activities
– Uses
• “business only” (strict) or “business and reasonable personal use” (loose)
• Similar to telephone use policies
– Harassment
– Overloading resources
Tracking
– What tracking will be done
– Who will do it
– Under what circumstances
– How the information will be stored
– Who will have access to it
Communicating information
Virus detection
Export restrictions
Waiver of Privacy
Disclaimers
Ethical Concepts in Information Security
10 Commandments of Computer Ethics from The Computer Ethics Institute
1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people’s computer work.
3. Thou shalt not snoop around in other people’s computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness [lie].
Ethical Concepts in Information Security
10 Commandments of Computer Ethics from The Computer Ethics Institute
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people’s computer resources without authorization or proper compensation.
8. Thou shalt not appropriate other people’s intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.
Cultural Differences in Ethical Concepts
Differences in cultures cause problems in determining what is ethical and what is not ethical
Studies of ethical sensitivity to computer use reveal different nationalities have different perspectives
Difficulties arise when one nationality’s ethical behavior contradicts that of another national group
Ethics and Education
Employees must be trained in topics related to information security, including expected behaviors of an ethical employee
Especially important in areas of information security; many employees may not have the formal technical training to understand what behavior is unethical or illegal
Proper ethical and legal training is vital to creating an informed, well prepared, and low-risk system user
Deterrence to Unethical and Illegal Behavior
Deterrence: preventing an illegal or unethical activity
– Examples of deterrents: laws, policies, technical controls
Laws and policies only deter if three conditions are present:
– Fear of penalty
– Probability of being caught
– Probability of penalty being administered
Codes of Ethics, Certifications, and Professional Organizations
Many organizations have codes of conduct and/or codes of ethics
– Codes of ethics can have a positive effect
– Unfortunately, having a code of ethics is not enough
Security professionals must act ethically and according to the policies and procedures of their employer, their professional organization, and the laws of society
Association of Computing Machinery
The ACM (www.acm.org) is a respected professional society
– originally established in 1947 as “the world’s first educational and scientific computing society”
Their code of ethics requires members to perform their duties in a manner befitting an ethical computing professional
Association of Computing Machinery
The code contains specific references to protecting the confidentiality of information, causing no harm, protecting the privacy of others, and respecting the intellectual property and copyrights of others
International Information Systems Security Certification Consortium
The (ISC)2 (www.isc2.org) is a non-profit organization
– focuses on the development and implementation of information security certifications and credentials
The code of ethics put forth by (ISC)2 is primarily designed for information security professionals who have earned a certification from (ISC)2
(ISC)2 Code
(ISC)2 code focuses on four mandatory canons:
– Protect society, the commonwealth, and the infrastructure
– Act honorably, honestly, justly, responsibly, and legally
– Provide diligent and competent service to principals
– Advance and protect the profession
System Administration, Networking, and Security Institute
The System Administration, Networking, and Security Institute, or SANS (www.sans.org), is a professional organization with a large membership dedicated to the protection of information and systems
SANS offers a certification called the Global Information Assurance Certification or GIAC
Information Systems Audit and Control Association
The Information Systems Audit and Control Association or ISACA (www.isaca.org) is a professional association with a focus on auditing, control, and security
Although it does not focus exclusively on information security, the Certified Information Systems Auditor or CISA certification does contain many information security components
Information Systems Audit and Control Association
The ISACA also has a code of ethics for professionals
Requires many of the same high standards for ethical performance as the other organizations and certifications
CSI - Computer Security Institute
The Computer Security Institute (www.gocsi.com) provides information and certification to support the computer, networking, and information security professional
While CSI does not promote a single certification like the CISSP or GISO, it does provide a range of technical training classes in the areas of Internet Security, Intrusion Management, Network Security, and Forensics, as well as technical networking
Other Security Organizations
Information Systems Security Association (ISSA)® (www.issa.org)
Internet Society or ISOC (www.isoc.org)
Computer Security Division (CSD) of the National Institute for Standards and Technology (NIST)
– contains a resource center known as the Computer Security Resource Center (csrc.nist.gov), housing one of the most comprehensive sets of publicly available information on the entire suite of information security topics
Other Security Organizations
CERT® Coordination Center or CERT/CC (www.cert.org) is a center of Internet security expertise operated by Carnegie Mellon University
Computer Professionals for Social Responsibility (CPSR) promotes the development of ethical computing
Key U.S. Federal Agencies
The Department of Homeland Security’s National Infrastructure Protection Center (NIPC) (www.nipc.gov)
– National InfraGard Program
National Security Agency (NSA)
– The NSA is “the Nation’s cryptologic organization”
– NSA Information Assurance Directorate
Other Key Federal Agencies
Figure 3-14: U.S. Secret Service Web site, http://www.secretservice.gov/
Organizational Liability and the Need for Counsel
Liability is the legal obligation of an entity
– Liability extends beyond legal obligation or contract to include liability for a wrongful act and the legal obligation to make restitution
– An organization increases its liability if it refuses to take strong measures known as due care
Due diligence requires that an organization make a valid effort to protect others and continually maintain this level of effort
Our Private Directory for this Course
Answers to chapter review questions
InfoSec Library as self-extracting .zip file (distributed on CD to live students)
Can only be accessed from Blackboard
The End…
Questions?