ITC358 ICT Management and Information Security
Chapter 12
Law and Ethics
In law a man is guilty when he violates the rights of others.
In ethics he is guilty if he only thinks of doing so. – Immanuel Kant
1
Objectives
Upon completion of this chapter, you should be able to:
Differentiate between law and ethics
Describe the ethical foundations and approaches that underlie modern codes of ethics
Identify major national and international laws that relate to the practice of information security
Describe the role of culture as it applies to ethics in information security
Identify current information on laws, regulations, and relevant professional organisations
2
Introduction
All information security professionals must understand the scope of an organisation’s legal and ethical responsibilities
Understand the current legal environment
Keep apprised of new laws, regulations, and ethical issues as they emerge
To minimise the organisation’s liabilities
Educate employees and management about their legal and ethical obligations
And proper use of information technology
3
Law and Ethics in Information Security
Laws
Rules adopted and enforced by governments to codify expected behaviour in modern society
The key difference between law and ethics is that law carries the sanction of a governing authority and ethics do not
Ethics are based on cultural mores
Relatively fixed moral attitudes or customs of a societal group
4
Information Security and the Law
InfoSec professionals and managers must understand the legal framework within which their organisations operate
Can influence the organisation to a greater or lesser extent, depending on the nature of the organisation and the scale on which it operates
5
Types of Law
Civil law
Pertains to relationships between and among individuals and organisations
Criminal law
Addresses violations harmful to society
Actively enforced and prosecuted by the state
Tort law (search Tort law in Australia)
A subset of civil law that allows individuals to seek redress in the event of personal, physical, or financial injury
6
Types of Law (cont’d.)
Private law
Regulates the relationships among individuals and among individuals and organisations
Family law, commercial law, and labour law
Public law
Regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments
Criminal, administrative, and constitutional law
7
Table 12-1a: Key U.S. laws of interest to information security professionals
8
Table 12-1b: Key U.S. laws of interest to information security professionals
9
Relevant U.S. Laws
The Computer Fraud and Abuse Act of 1986 (CFA Act)
The cornerstone of many computer-related federal laws and enforcement efforts
Amended in October 1996 by the National Information Infrastructure Protection Act
Modified several sections of the previous act, and increased the penalties for select crimes
Further modified by the USA Patriot Act of 2001
Provides law enforcement agencies with broader latitude to combat terrorism-related activities
The USA Patriot Act was updated and extended, in many cases permanently
Through the USA Patriot Improvement and Reauthorisation Act of 2005
10
Relevant U.S. Laws (cont’d.)
The Computer Security Act of 1987
One of the first attempts to protect federal computer systems
Established minimum acceptable security practices
Established a Computer System Security and Privacy Advisory Board within the Department of Commerce
Requires mandatory periodic training in computer security awareness and accepted computer security practice for all users of Federal computer systems
11
Relevant U.S. Laws (cont’d.)
The Computer Security Act of 1987 (cont’d.)
Charged the National Bureau of Standards (now NIST) and the NSA with the development of:
Standards, guidelines, and associated methods and techniques for computer systems
Uniform standards and guidelines for most federal computer systems
Technical, management, physical, and administrative standards and guidelines for the cost-effective security and privacy of sensitive information in federal computer systems
Guidelines for operators of federal computer systems containing sensitive information in training their employees in security awareness
Validation procedures for, and evaluation of the effectiveness of, standards and guidelines
Through research and liaison with other government and private agencies
12
Relevant U.S. Laws (cont’d.)
Privacy Laws
Many organisations collect, trade, and sell personal information as a commodity
Individuals are becoming aware of these practices and looking to governments to protect their privacy
Aggregation of data from multiple sources permits unethical organisations to build databases with alarming quantities of personal information
13
Relevant U.S. Laws (cont’d.)
Privacy Laws (cont’d.)
The Privacy of Customer Information Section of the regulations covering common carriers
Specifies that any proprietary customer information shall be used explicitly for providing services, and not for any marketing purposes
The Federal Privacy Act of 1974 regulates the government’s use of private information
Ensure that government agencies protect the privacy of individuals’ and businesses’ information
14
Relevant U.S. Laws (cont’d.)
Privacy Laws (cont’d.)
The Electronic Communications Privacy Act of 1986
A collection of statutes that regulates the interception of wire, electronic, and oral communications
These statutes work in cooperation with the Fourth Amendment of the U.S. Constitution
Prohibits search and seizure without a warrant
15
Relevant U.S. Laws (cont’d.)
Health Insurance Portability & Accountability Act Of 1996 (HIPAA)
An attempt to protect the confidentiality and security of health care data
Establishes and enforces standards
Standardises electronic data interchange
Requires organisations that retain health care information to use information security mechanisms to protect this information
Also requires an assessment of the organisation's InfoSec systems, policies, and procedures
16
Relevant U.S. Laws (cont’d.)
HIPAA (cont’d.)
Provides guidelines for the use of electronic signatures
Based on security standards ensuring message integrity, user authentication, and nonrepudiation
Fundamental privacy principles:
Consumer control of medical information
Boundaries on the use of medical information
Accountability for the privacy of private information
Fundamental privacy principles: (cont’d.)
Balance of public responsibility for the use of medical information for the greater good measured against impact to the individual
Security of health information
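The message integrity, user authentication and nonrepudiation properties that the HIPAA electronic-signature guidance refers to are exactly what a digital signature provides. The following Go program is an added example, not code from the textbook or the course; it uses the standard library's Ed25519 implementation on a constructed sample record, and the record layout, the user names and the trusted-key directory are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedRecord is a health-care record together with the identity the signer
// claims and the signature over the record bytes. (Assumed layout for this
// example; HIPAA does not prescribe a wire format.)
type SignedRecord struct {
	Record    []byte
	Signer    string // e.g. a clinician's user ID
	Signature []byte
}

// NewSigner creates a fresh Ed25519 key pair for one user.
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign binds the record to the signer's private key. Only that key can produce
// a signature that verifies under the matching public key, so the signer cannot
// later plausibly deny having signed the record (nonrepudiation).
func Sign(signer string, priv ed25519.PrivateKey, record []byte) SignedRecord {
	return SignedRecord{
		Record:    append([]byte(nil), record...),
		Signer:    signer,
		Signature: ed25519.Sign(priv, record),
	}
}

// Verify looks the claimed signer up in a trusted key directory and checks the
// signature. An unknown signer fails authentication; a signature that does not
// verify means the record was altered (integrity) or the wrong key signed it.
func Verify(r SignedRecord, trusted map[string]ed25519.PublicKey) bool {
	pub, ok := trusted[r.Signer]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, r.Record, r.Signature)
}

// Demo exercises the three properties and returns whether each record verified:
// the genuine record, a tampered copy, and a record forged by an outsider.
func Demo() (genuine, tampered, impostor bool, err error) {
	drPub, drPriv, err := NewSigner()
	if err != nil {
		return
	}
	_, outsiderPriv, err := NewSigner()
	if err != nil {
		return
	}
	// Constructed sample record; not real patient data.
	record := []byte(`{"patient":"P-0001","order":"metformin 500mg","by":"dr.lee"}`)
	trusted := map[string]ed25519.PublicKey{"dr.lee": drPub}

	signed := Sign("dr.lee", drPriv, record)
	genuine = Verify(signed, trusted)

	// Integrity: the dose is changed after signing, so the signature no longer matches.
	alt := signed
	alt.Record = []byte(`{"patient":"P-0001","order":"metformin 850mg","by":"dr.lee"}`)
	tampered = Verify(alt, trusted)

	// Authentication: someone without dr.lee's key signs under dr.lee's name.
	forged := Sign("dr.lee", outsiderPriv, record)
	impostor = Verify(forged, trusted)
	return
}

func main() {
	g, t, i, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v impostor=%v\n", g, t, i)
}
```

The important design point is that Verify consults a directory of trusted public keys rather than a key carried inside the record: if the record carried its own key, an impostor could simply substitute theirs, and the signature would say nothing about who the signer actually was.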
17
Relevant U.S. Laws (cont’d.)
The Financial Services Modernisation Act
Also called Gramm-Leach-Bliley Act of 1999
Applies to banks, securities firms, and insurance companies
Requires all financial institutions to disclose their privacy policies
Describing how they share nonpublic personal information
Describing how customers can request that their information not be shared with third parties
Ensures that the privacy policies in effect in an organisation are fully disclosed when a customer initiates a business relationship
Privacy policies must be distributed at least annually for the duration of the professional association
18
Relevant U.S. Laws (cont’d.)
Export and Espionage Laws
Economic Espionage Act (EEA) of 1996
An attempt to protect intellectual property and competitive advantage
Attempts to protect trade secrets whether the threat is a foreign government using its classic espionage apparatus to spy on a company, a competing company, or a disgruntled former employee
19
Relevant U.S. Laws (cont’d.)
Export and Espionage Laws
The Security and Freedom through Encryption Act of 1997
Provides guidance on the use of encryption
Institutes measures of public protection from government intervention
Reinforces an individual’s right to use or sell encryption algorithms
Prohibits the federal government from requiring the use of encryption for contracts, grants, and other official documents, and correspondence
20
Relevant U.S. Laws (cont’d.)
Figure 12-1: Export restrictions
Source: Course Technology/Cengage Learning
21
Relevant U.S. Laws (cont’d.)
U.S. Copyright Law
Extends protection to intellectual property, including words published in electronic formats
‘Fair use’ allows material to be quoted so long as the purpose is educational and not for profit, and the usage is not excessive
Proper acknowledgement must be provided to the author and/or copyright holder of such works
Including a description of the location of source materials, using a recognised form of citation
22
Relevant U.S. Laws (cont’d.)
Freedom of Information Act of 1966
All Federal agencies are required to disclose records requested in writing by any person
Applies only to Federal agencies and does not create a right of access to records held by Congress, the courts, or by state or local government agencies
Sarbanes-Oxley Act of 2002
Enforces accountability for the financial record keeping and reporting at publicly traded corporations
23
Relevant U.S. Laws (cont’d.)
Sarbanes-Oxley Act of 2002 (cont’d.)
Requires that the chief executive officer (CEO) and chief financial officer (CFO) assume direct and personal accountability for the completeness and accuracy of a publicly traded organisation’s financial reporting and record-keeping systems
As these executives attempt to ensure that the systems used to record and report are sound, the related areas of availability and confidentiality are also emphasised
24
International Laws and Legal Bodies
International trade is governed by international treaties and trade agreements
Many domestic laws and customs do not apply
There are currently few international laws relating to privacy and information security
Because of cultural differences and political complexities of the relationships among nations
25
International Laws and Legal Bodies (cont’d.)
European Council Cyber-Crime Convention
Empowers an international task force to oversee a range of Internet security functions
Standardises technology laws internationally
Attempts to improve the effectiveness of international investigations into breaches of technology law
Goal is to simplify the acquisition of information for law enforcement agents in certain types of international crimes, as well as the extradition process
26
International Laws and Legal Bodies (cont’d.)
The Digital Millennium Copyright Act
A U.S.-based international effort to reduce the impact of copyright, trademark, and privacy infringement, especially via the removal of technological copyright protection measures
European Union Directive 95/46/EC
Increases individual rights to process and freely move personal data
Database Right
U.K. version of this directive
27
State and Local Regulations
Information security professionals must understand state laws and regulations
Ensure that their organisation’s security policies and procedures comply
Georgia Computer Systems Protection Act
Has various computer security provisions
Establishes specific penalties for use of information technology to attack or exploit information systems in organisations
Requires that a business may not discard a record containing personal information unless it shreds, erases, modifies, or otherwise makes the information irretrievable
28
Policy Versus Law
Difference between policy and law
Ignorance of policy is an acceptable defense, whereas ignorance of the law is not
Policies must be:
Distributed to all individuals who are expected to comply with them
Readily available for employee reference
Easily understood, with multilingual translations and versions for visually impaired and low-literacy employees
Acknowledged by employee with consent form
Uniformly enforced for all employees
29
Ethics in Information Security
The student of information security is not expected to study the topic of ethics in a vacuum, but within a larger ethical framework
Information security professionals may be expected to be more articulate about the topic than others in the organisation
Often must withstand a higher degree of scrutiny
30
Ethics in Information Security (cont’d.)
The Ten Commandments of Computer Ethics
From the Computer Ethics Institute
Thou shalt not:
Use a computer to harm other people
Interfere with other people's computer work
Snoop around in other people's computer files
Use a computer to steal
Use a computer to bear false witness
Copy or use proprietary software for which you have not paid
31
Ethics in Information Security (cont’d.)
The Ten Commandments of Computer Ethics (cont’d.)
Thou shalt not: (cont’d.)
Use other people's computer resources without authorisation or proper compensation
Appropriate other people's intellectual output
Think about the social consequences of the program you are writing or the system you are designing
Always use a computer in ways that ensure consideration and respect for fellow humans
32
Ethics and Education
Differences in computer use ethics
Not exclusively cultural
Found among individuals within the same country, within the same social class, and within the same company
Key studies reveal that the overriding factor in levelling the ethical perceptions within a small population is education
Employees must be trained on the expected behaviours of an ethical employee
33
Deterring Unethical and Illegal Behaviour
InfoSec personnel should do everything in their power to deter unethical and illegal acts
Using policy, education and training, and technology as controls to protect information
Categories of unethical behaviour
Ignorance
Accident
Intent
34
Deterring Unethical and Illegal Behaviour (cont’d.)
Deterrence
Best method for preventing an illegal or unethical activity
Examples: laws, policies, and technical controls
Laws and policies and their associated penalties only deter if three conditions are present:
Fear of penalty
Probability of being caught
Probability of penalty being administered
35
Professional Organisations and their Codes of Ethics
Some professional organisations have established codes of conduct and/or codes of ethics
Members are expected to follow
Codes of ethics can have a positive effect on an individual’s judgment regarding computer use
Security professionals must act ethically
According to the policies and procedures of their employers, their professional organisations, and the laws of society
36
Association of Computing Machinery
A respected professional society
Originally established in 1947 as “the world's first educational and scientific computing society”
One of the few organisations that strongly promotes education and provides discounted membership for students
Code of ethics requires members to perform their duties in a manner befitting an ethical computing professional
37
International Information Systems Security Certification Consortium, Inc. (ISC)²
Code of ethics applies to information security professionals who have earned one of their certifications
Includes four mandatory canons:
Protect society, the commonwealth, and the infrastructure
Act honorably, honestly, justly, responsibly, and legally
Provide diligent and competent service to principals
Advance and protect the profession
38
System Administration, Networking, and Security Institute (SANS)
Professional research and education cooperative organisation
Over 156,000 security professionals, auditors, system and network administrators
SANS GIAC code of ethics requires:
Respect for the public
Respect for the certification
Respect for my employer
Respect for myself
39
Information Systems Audit and Control Association (ISACA)
A professional association with a focus on auditing, control, and security
Membership comprises both technical and managerial professionals
Has a code of ethics for its professionals
Requires many of the same high standards for ethical performance as the other organisations and certifications
40
Information Systems Audit and Control Association (cont’d.)
Code of ethics tenets
Support the implementation of, and encourage compliance with, appropriate standards, procedures, and information systems controls
Perform duties with objectivity, due diligence and professional care, using professional standards and best practices
Serve in the interest of stakeholders in a lawful and honest manner, maintain high standards of conduct and character, and not engage in acts discreditable to the profession
41
Information Systems Audit and Control Association (cont’d.)
Code of ethics tenets (cont’d.)
Maintain the privacy and confidentiality of information obtained in the course of their duties
Unless disclosure is required by legal authority
Such information shall not be used for personal benefit or released to inappropriate parties
Maintain competency in their respective fields, and agree to undertake only those activities that they can reasonably expect to complete with professional competence
42
Information Systems Audit and Control Association (cont’d.)
Code of ethics tenets (cont’d.)
Inform appropriate parties of the results of work performed, revealing all significant facts known to them
Support the professional education of stakeholders in enhancing their understanding of information systems security and control
43
Information Systems Security Association
Nonprofit society of information security professionals
Mission is to bring together qualified practitioners of information security for information exchange and educational development
Provides conferences, meetings, publications, and information resources to promote information security awareness and education
Promotes a code of ethics
Similar to that of other organisations
“Promoting management practices that will ensure the confidentiality, integrity, and availability of organisational information resources.”
44
Organisational Liability and the Need for Counsel
What if an organisation does not support or encourage strong ethical conduct by its employees?
What if an organisation does not behave ethically?
If an employee, acting with or without authorisation, performs an illegal or unethical act that causes some degree of harm, the organisation can be held financially liable for that action
45
Organisational Liability and the Need for Counsel (cont’d.)
An organisation increases its liability if it refuses to take measures (due care) to make sure that every employee knows what is acceptable and what is not, and the consequences of illegal or unethical actions
Due diligence requires that an organisation make a valid and ongoing effort to protect others
46
Key Law Enforcement Agencies
Federal Bureau of Investigation’s InfraGard Program
Promotes efforts to educate, train, inform, and involve the business and public sector in information security
Every FBI field office has established an InfraGard chapter and collaborates with public and private organisations and the academic community to share information about attacks, vulnerabilities, and threats
InfraGard’s dominant contribution is the free exchange of information to and from the private sector in the subject areas of threats and attacks on information resources
47
Key Law Enforcement Agencies (cont’d.)
National Security Agency (NSA)
The nation's cryptologic organisation
Coordinates, directs, and performs highly-specialised activities to protect U.S. information systems and produce foreign intelligence information
Responsible for signal intelligence and information system security
48
Key Law Enforcement Agencies (cont’d.)
National Security Agency (cont’d.)
Information Assurance Directorate (IAD) provides information security “solutions including the technologies, specifications and criteria, products, product configurations, tools, standards, operational doctrine, and support activities needed to implement the protect, detect and report, and respond elements of cyber defense.”
49
Key Law Enforcement Agencies (cont’d.)
U.S. Secret Service, originally a department within the Department of the Treasury
In addition to its well-known mission to protect key members of the U.S. government
Also charged with the detection and arrest of any person committing a U.S. federal offense relating to computer fraud, as well as false identification crimes
Department of Homeland Security
The U.S. Secret Service was transferred to it from the Department of the Treasury when it was formed
50
Managing Investigations in the Organisation
When (not if) an organisation finds itself dealing with a suspected policy or law violation
Must appoint an individual to investigate it
How the internal investigation proceeds
Dictates whether or not the organisation has the ability to take action against the perpetrator if in fact evidence is found that substantiates the charge
In order to protect the organisation, and to possibly assist law enforcement in the conduct of an investigation
The investigator (CISO, InfoSec Manager or other appointed individual) must document what happened and how
51
Managing Investigations in the Organisation (cont’d.)
Forensics
The coherent application of methodical investigatory techniques to present evidence of crimes in a court or court-like setting
Digital forensics
The investigation of what happened and how
Involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis
52
Managing Investigations in the Organisation (cont’d.)
Digital forensics (cont’d.)
Like traditional forensics, it follows clear, well-defined methodologies, but still tends to be as much art as science
Evidentiary material (EM)
Also called item of potential evidentiary value
Any information that could potentially support the organisation’s legal- or policy-based case against a suspect
An item does not become evidence until it is formally admitted to evidence by a judge or other ruling official
53
Managing Investigations in the Organisation (cont’d.)
Digital forensics can be used for two key purposes:
Investigate allegations of digital malfeasance
A crime against or using digital media, computer technology or related components
Perform root cause analysis
If an incident occurs and the organisation suspects an attack was successful, digital forensics can be used to examine the path and methodology used to gain unauthorised access, as well as to determine how pervasive and successful the attack was
54
Managing Investigations in the Organisation (cont’d.)
Digital forensics approaches
Protect and forget (a.k.a. patch and proceed)
Focuses on the defense of the data and the systems that house, use, and transmit it
Apprehend and prosecute (a.k.a. pursue and prosecute)
Focuses on the identification and apprehension of responsible individuals, with additional attention on the collection and preservation of potential EM that might support administrative or criminal prosecution
55
Affidavits and Search Warrants
Investigations begin with an allegation or an indication of an incident
Forensics team requests permission to examine digital media for potential EM
An affidavit is sworn testimony
That the investigating officer has certain facts they feel warrant the examination of specific items located at a specific place
Search warrant
Permission to search for EM at the specified location and/or to seize items to return to the investigator’s lab for examination
Created when an approving authority signs the affidavit or creates a synopsis form based on it
56
Digital Forensics Methodology
Steps in the digital forensics methodology
Identify relevant items of evidentiary value
Acquire (seize) the evidence without alteration or damage
Take steps to assure that the evidence is at every step verifiably authentic and is unchanged from the time it was seized
Analyse the data without risking modification or unauthorised access
Report the findings to the proper authority
57
Digital Forensics Methodology
Figure 12-2: Digital forensics process
Source: Course Technology/Cengage Learning
58
Evidentiary Procedures
Organisations should develop specific procedures and guidance for their use
Who may conduct an investigation
Who may authorise an investigation
What affidavit-related documents are required
What search warrant-related documents are required
What digital media may be seized or taken offline
What methodology should be followed
What methods are required for chain of custody or chain of evidence
What format the final report should take, and to whom it should be given
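The methodology steps above (acquire the evidence without alteration, and keep it verifiably authentic and unchanged at every step) and the evidentiary-procedure question of how chain of custody is recorded both come down to the same bookkeeping: hash the evidence at acquisition and keep a tamper-evident log of every handling step. The following Go program is an added example, not code from the textbook or from any forensics tool; the CustodyEntry layout, the custodian names, the timestamps and the constructed "disk image" are all assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// CustodyEntry records one handling step of an item of potential evidentiary
// value. Link hashes this entry's fields together with the previous entry's
// Link, so editing or removing an earlier entry breaks every later link.
// (Assumed layout for this example.)
type CustodyEntry struct {
	Seq          int
	Time         string // RFC 3339, supplied by the caller
	Custodian    string
	Action       string // "acquired", "transferred", "analysed", "returned"
	EvidenceHash string // SHA-256 of the image at this step
	Link         string // SHA-256 over the fields above plus the previous Link
}

func hashBytes(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// link computes the chain hash for e given the previous entry's link.
func link(prev string, e CustodyEntry) string {
	fields := []string{fmt.Sprint(e.Seq), e.Time, e.Custodian, e.Action, e.EvidenceHash, prev}
	return hashBytes([]byte(strings.Join(fields, "\x1f")))
}

// Acquire takes a bit-for-bit copy of the source and opens the custody log with
// the acquisition hash, which every later step must reproduce.
func Acquire(source []byte, custodian, at string) ([]byte, []CustodyEntry) {
	image := append([]byte(nil), source...)
	e := CustodyEntry{Seq: 1, Time: at, Custodian: custodian, Action: "acquired", EvidenceHash: hashBytes(image)}
	e.Link = link("", e)
	return image, []CustodyEntry{e}
}

// Record appends a handling step, re-hashing the image as it is at that moment.
func Record(log []CustodyEntry, image []byte, custodian, action, at string) []CustodyEntry {
	prev := log[len(log)-1]
	e := CustodyEntry{Seq: prev.Seq + 1, Time: at, Custodian: custodian, Action: action, EvidenceHash: hashBytes(image)}
	e.Link = link(prev.Link, e)
	return append(log, e)
}

// VerifyChain checks that every link recomputes, every recorded hash equals the
// acquisition hash, and the image held now still matches it. It returns the
// first problem found, or "" if the chain holds.
func VerifyChain(log []CustodyEntry, image []byte) string {
	if len(log) == 0 {
		return "empty custody log"
	}
	acquired := log[0].EvidenceHash
	prev := ""
	for i, e := range log {
		if e.Seq != i+1 {
			return fmt.Sprintf("entry %d: sequence gap", e.Seq)
		}
		if link(prev, e) != e.Link {
			return fmt.Sprintf("entry %d: link mismatch (entry altered)", e.Seq)
		}
		if e.EvidenceHash != acquired {
			return fmt.Sprintf("entry %d: evidence hash differs from acquisition hash", e.Seq)
		}
		prev = e.Link
	}
	if hashBytes(image) != acquired {
		return "image on hand does not match acquisition hash"
	}
	return ""
}

// Demo walks a constructed case: a clean chain, then an image that was modified
// during handling, then a log entry edited after the fact. It returns the three
// verification messages.
func Demo() (clean, modified, edited string) {
	// Constructed stand-in for a disk image; not real evidence.
	source := []byte("constructed sample image: user=alice cmd=scp payroll.xlsx external-host\n")
	image, log := Acquire(source, "j.smith (CISO)", "2024-03-01T09:00:00Z")
	log = Record(log, image, "evidence locker", "transferred", "2024-03-01T09:30:00Z")
	log = Record(log, image, "a.jones (analyst)", "analysed", "2024-03-02T10:00:00Z")
	clean = VerifyChain(log, image)

	// The working copy is altered during analysis; the next step records the new hash.
	altered := append([]byte(nil), image...)
	altered[0] = 'X'
	modLog := Record(log, altered, "a.jones (analyst)", "returned", "2024-03-02T12:00:00Z")
	modified = VerifyChain(modLog, altered)

	// Someone changes the custodian on the second entry after the fact.
	editedLog := append([]CustodyEntry(nil), log...)
	editedLog[1].Custodian = "unknown"
	edited = VerifyChain(editedLog, image)
	return
}

func main() {
	c, m, e := Demo()
	fmt.Printf("clean=%q\nmodified=%q\nedited=%q\n", c, m, e)
}
```

In practice the log would be kept on write-protected storage separate from the image, and the acquisition hash would also be compared against a hash of the original medium so that the copy itself can be shown to be faithful; the structure of the check, re-hash the evidence and re-walk the chain at every transfer, stays the same.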
59
Summary
Introduction
Law and ethics in information security
The legal environment
Ethical concepts in information security
Professional organisations’ codes of ethics
Organisational liability and the need for counsel
Key U.S. Federal agencies
Managing investigations in the organisation
Management of Information Security, 3rd ed.
60