Legal, Ethical & Professional Issues


Upload: dhani-ahmad

Post on 21-Jul-2015


Page 1: Legal, ethical & professional issues

Transforming Lives. Inventing the Future. www.iit.edu

ILLINOIS INSTITUTE OF TECHNOLOGY

ITM 478/578 1

Legal, Ethical & Professional Issues

Ray Trygstad
ITM 478 / IT 478 / ITM 578 Spring 2005
Information Technology & Management Programs
Center for Professional Development

Slides based on Whitman, M. and Mattord, H., Principles of Information Security; Thomson Course Technology 2003

Page 2: Legal, ethical & professional issues

Objectives

Upon completion of this lesson students should be able to:
– Differentiate between laws and ethics
– Identify major national laws that relate to the practice of information security
– Discuss the role of culture as it applies to ethics in information security

Page 3: Legal, ethical & professional issues

Law and Ethics in Information Security

Laws - rules adopted for determining expected behavior
– Laws drawn from ethics

Ethics define socially acceptable behaviors

Ethics based on cultural mores: fixed moral attitudes or customs of a particular group

Page 4: Legal, ethical & professional issues

Types of Law

Civil law
Criminal law
Tort law
Private law
Public law

Page 5: Legal, ethical & professional issues

Relevant U.S. Laws - General

Computer Fraud and Abuse Act of 1986
National Information Infrastructure Protection Act of 1996
USA Patriot Act of 2001
Telecommunications Deregulation and Competition Act of 1996
Communications Decency Act (CDA)
Computer Security Act of 1987
Digital Millennium Copyright Act of 1998
Sarbanes-Oxley Act of 2002

Page 6: Legal, ethical & professional issues

Privacy

Privacy: one of the hottest topics in information

Ability to collect information, combine facts from separate sources, and merge with other information results in collections of information previously impossible to create

Aggregation of data from multiple sources permits unethical organizations to build databases of facts with frightening capabilities

Page 7: Legal, ethical & professional issues

Privacy in the U.S.

Not a Constitutional right but has been construed by the courts
– “Reasonable expectation” of privacy

Working definition:
– right not to be disturbed
– right to be anonymous
– right not to be monitored
– right not to have one’s identifying information exploited

Construed Constitutional guarantees of privacy apply only to the Federal Government

Page 8: Legal, ethical & professional issues

Privacy of Customer Information

Privacy of Customer Information Section of Common Carrier Regulations

Federal Privacy Act of 1974

The Electronic Communications Privacy Act of 1986

The Health Insurance Portability & Accountability Act Of 1996 (HIPAA) also known as the Kennedy-Kassebaum Act

The Financial Services Modernization Act or Gramm-Leach-Bliley Act of 1999

Page 9: Legal, ethical & professional issues

Freedom of Information Act of 1966 (FOIA)

The Freedom of Information Act provides any person with the right to request access to federal agency records or information, not determined to be in the interest of national security
– US Government agencies required to disclose requested information on receipt of a written request

Page 10: Legal, ethical & professional issues

Freedom of Information Act of 1966 (FOIA)

Exceptions for information protected from disclosure

Act does not apply to
– Congress or Federal courts
– state or local government agencies
– private businesses or individuals

Many states have their own version of the FOIA

Page 11: Legal, ethical & professional issues

Freedom of Information Act of 2000 (UK)

In 2000, the United Kingdom passed their Freedom of Information Act
– Very similar in all respects to U.S. law
– More exceptions

Page 12: Legal, ethical & professional issues

European Union Model

European Union Directive 95/46/EC effective October 1998 increases protection of individuals in processing of personal data & limits free movement of such data
– Strong consumer protection
– Only allows gathering of information necessary for transaction
– Personal data cannot be transferred to another company without permission

United Kingdom had implemented a version of this directive called the Database Right

Page 13: Legal, ethical & professional issues

EU Law Portal

Figure 3-4: European Union Law Web site, http://europa.eu.int/eur-lex/en/

Page 14: Legal, ethical & professional issues

International Laws and Legal Bodies

Council of Europe: European Council Cyber-Crime Convention
– Creates an international task force to oversee a range of security functions associated with Internet activities
– Standardizes technology laws across international borders

Page 15: Legal, ethical & professional issues

International Laws and Legal Bodies

European Council Cyber-Crime Convention
– Also attempts to improve effectiveness of international investigations into breaches of technology law

Well received by advocates of intellectual property rights with emphasis on copyright infringement prosecution

Page 16: Legal, ethical & professional issues

UN International Law

Figure 3-46: United Nations International Law Web site, http://www.un.org/law/

Page 17: Legal, ethical & professional issues


Export and Espionage Laws

Economic Espionage Act (EEA) of 1996

Security and Freedom Through Encryption Act of 1997 (SAFE)

Page 18: Legal, ethical & professional issues

What is a Copyright?

Set of exclusive legal rights authors have over their works for a limited period of time; these rights include
– copying the works (including parts of the works)
– making derivative works
– distributing the works
– performing the works (showing a movie or playing an audio recording, as well as performing a dramatic work)

Page 19: Legal, ethical & professional issues

What is a Copyright?

Copyright exists upon creation
– Author’s rights begin when an original work of authorship is fixed in a tangible medium

A work does not have to bear a copyright notice or be registered to be copyrighted

Page 20: Legal, ethical & professional issues


US Copyright Law

Intellectual property is recognized as a protected asset in the US

US copyright law extends this right to the published word, including electronic formats

Page 21: Legal, ethical & professional issues

US Copyright Law: Fair Use

Fair use of copyrighted materials includes
– the use to support news reporting, teaching, scholarship, and a number of other related permissions
– the purpose of the use has to be for educational or library purposes, not for profit, and should not be excessive

DMCA (more on this in a minute)

Page 22: Legal, ethical & professional issues

What is Fair Use?

Allow for limited copying or distribution of published works without author’s permission
– Examples:
  • Quotation of excerpts in a review or critique
  • copying of a small part of a work by a teacher or student to illustrate a lesson

Page 23: Legal, ethical & professional issues

What is Fair Use?

Determination of fair use based on:
– Purpose and nature of the use
– Nature of the copyrighted work
– Nature and substantiality of the material used
– Effect of use on the potential market for or value of the work

Page 24: Legal, ethical & professional issues


What is Fair Use?

As Kerry Konrad, co-lead litigation counsel for Lotus Development Corporation, succinctly said, “if your use is private, limited, and for the purpose of reference and illustration only, it’s likely to be fair.”

Page 25: Legal, ethical & professional issues


Licensing of Copyrights

If fair use does not apply, using another’s intellectual property requires a license

A license is not a given—the owner does not have to grant a license nor give any explanation when they don’t

Page 26: Legal, ethical & professional issues

Licensing of Copyrights

Placing materials on the Web does NOT place them in the Public Domain unless such assignment is specifically made
– Some Web sites contain content such as clipart, buttons, bars, backgrounds, photos, where either the items have been placed in the public domain or a license for their use is clearly granted

– Otherwise all works online—graphic arts as well as text—are protected by copyright, and your reuse requires a license

Page 27: Legal, ethical & professional issues

US Copyright Office

Figure 3-3: U.S. Copyright Office Web site, http://www.loc.gov/copyright/

Page 28: Legal, ethical & professional issues


Digital Millennium Copyright Act (DMCA)

The Digital Millennium Copyright Act (DMCA) is the US version of an international effort to reduce the impact of copyright, trademark, and privacy infringement

Many legal experts feel DMCA illegally infringes on Fair Use and has other adverse effects

Page 29: Legal, ethical & professional issues

Impact of DMCA

Critics claim DMCA has had the following impacts (among others):
– DMCA is being used to silence researchers, computer scientists and critics
– Corporations are using it against the public
– Public/College radio stations can no longer afford to webcast

Page 30: Legal, ethical & professional issues

Impact of DMCA

Also has had a stifling effect on computer security research as it prohibits the circumvention of copy protection and the distribution of devices that can be used to circumvent copyrights
– In doing so it treats publishing of security vulnerabilities as a violation of the law

Page 31: Legal, ethical & professional issues

Sarbanes-Oxley Act

Created to address accounting “irregularities” (Enron, etc.)

Requires internal controls & internal controls reporting
– As part of this, general computer controls must be implemented and documented

Information security controls are a key component of general computer controls

Page 32: Legal, ethical & professional issues

Sarbanes-Oxley Act

Section 404 -- Management Assessment of Internal Controls

Rules Required. The [Securities and Exchange] Commission shall prescribe rules requiring each annual report…to contain an internal control report, which shall--
– state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and

– contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting

Page 33: Legal, ethical & professional issues

Sarbanes-Oxley Act

Access controls, authorization, auditability, data integrity and availability (disaster recovery) are key elements of controls to ensure compliance with section 404

Because there is external financial auditor involvement in assuring rules compliance, this draws audit firms into IT security auditing or at least verification of IT security audits

Page 34: Legal, ethical & professional issues


State & Local Regulations

Each state or locality may have laws and regulations that impact the use of computer technology

Information security professionals have a responsibility to understand state laws and regulations and ensure the organization’s security policies and procedures comply

Page 35: Legal, ethical & professional issues

United Nations Charter

To some degree the United Nations Charter provides provisions for information security during Information Warfare

Information Warfare (IW) involves use of information technology to conduct offensive operations as part of an organized and lawful military operation by a sovereign state

Page 36: Legal, ethical & professional issues


Information Warfare

IW is a relatively new application of warfare, although the military has been conducting electronic warfare and counter-warfare operations for decades, jamming, intercepting, and spoofing enemy communications

Page 37: Legal, ethical & professional issues

Policy Versus Law

Most organizations develop and formalize a body of expectations called policy

Policies function in an organization like laws

For a policy to become enforceable, it must meet certain standards

Only when all conditions are met, does the organization have a reasonable expectation of effective policy

Page 38: Legal, ethical & professional issues

Standards for Enforceable Policy

Enforceable policy must be:
– Distributed to all individuals who are expected to comply
– Readily available for employee reference
– Easily understood with multi-language translations and translations for visually impaired, or literacy-impaired employees
– Acknowledged by the employee, usually by means of a signed consent form

Page 39: Legal, ethical & professional issues

Content of Corporate Use Policies

Rights
Responsibilities
Privileges
Prohibitions
– Activities
– Uses
  • “business only” (strict) or “business and reasonable personal use” (loose)
  • Similar to telephone use policies
– Harassment
– Overloading resources
Tracking
– What tracking will be done
– Who will do it
– What circumstances
– How the information will be stored
– Who will have access to it
Communicating information
Virus detection
Export restrictions
Waiver of Privacy
Disclaimers

Page 40: Legal, ethical & professional issues

Ethical Concepts in Information Security

10 Commandments of Computer Ethics from The Computer Ethics Institute

1. Thou shalt not use a computer to harm other people.

2. Thou shalt not interfere with other people’s computer work.

3. Thou shalt not snoop around in other people’s computer files.

4. Thou shalt not use a computer to steal.

5. Thou shalt not use a computer to bear false witness [lie].

Page 41: Legal, ethical & professional issues


Ethical Concepts in Information Security

10 Commandments of Computer Ethics from The Computer Ethics Institute

6. Thou shalt not copy or use proprietary software for which you have not paid.

7. Thou shalt not use other people’s computer resources without authorization or proper compensation.

8. Thou shalt not appropriate other people’s intellectual output.

9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.

10. Thou shalt always use a computer in ways that insure consideration and respect for your fellow humans.

Page 42: Legal, ethical & professional issues


Cultural Differences in Ethical Concepts

Differences in cultures cause problems in determining what is ethical and what is not ethical

Studies of ethical sensitivity to computer use reveal different nationalities have different perspectives

Difficulties arise when one nationality’s ethical behavior contradicts that of another national group

Page 43: Legal, ethical & professional issues

Ethics and Education

Employees must be trained in topics related to information security, including expected behaviors of an ethical employee

Especially important in areas of information security; many employees may not have the formal technical training to understand what behavior is unethical or illegal

Proper ethical and legal training is vital to creating an informed, well prepared, and low-risk system user

Page 44: Legal, ethical & professional issues

Deterrence to Unethical and Illegal Behavior

Deterrence - preventing an illegal or unethical activity
– Examples of deterrents: Laws, policies, technical controls

Laws and policies only deter if three conditions are present:
– Fear of penalty
– Probability of being caught
– Probability of penalty being administered

Page 45: Legal, ethical & professional issues

Codes of Ethics, Certifications, and Professional Organizations

Many organizations have codes of conduct and/or codes of ethics
– Codes of ethics can have a positive effect
– Unfortunately, having a code of ethics is not enough

Security professionals must act ethically and according to the policies and procedures of their employer, their professional organization, and the laws of society

Page 46: Legal, ethical & professional issues

Association of Computing Machinery

The ACM (www.acm.org) is a respected professional society
– originally established in 1947 as “the world’s first educational and scientific computing society”

Their code of ethics requires members to perform their duties in a manner befitting an ethical computing professional

Page 47: Legal, ethical & professional issues


Association of Computing Machinery

The code contains specific references to protecting the confidentiality of information, causing no harm, protecting the privacy of others, and respecting the intellectual property and copyrights of others

Page 48: Legal, ethical & professional issues

International Information Systems Security Certification Consortium

The (ISC)2 (www.isc2.org) is a non-profit organization
– focuses on the development and implementation of information security certifications and credentials

The code of ethics put forth by (ISC)2 is primarily designed for information security professionals who have earned a certification from (ISC)2

Page 49: Legal, ethical & professional issues

(ISC)2 Code

(ISC)2 code focuses on four mandatory canons:
– Protect society, the commonwealth, and the infrastructure
– Act honorably, honestly, justly, responsibly, and legally
– Provide diligent and competent service to principals
– Advance and protect the profession

Page 50: Legal, ethical & professional issues


System Administration, Networking, and Security Institute

The System Administration, Networking, and Security Institute, or SANS (www.sans.org), is a professional organization with a large membership dedicated to the protection of information and systems

SANS offers a certification called the Global Information Assurance Certification or GIAC

Page 51: Legal, ethical & professional issues


Information Systems Audit and Control Association

The Information Systems Audit and Control Association or ISACA (www.isaca.org) is a professional association with a focus on auditing, control, and security

Although it does not focus exclusively on information security, the Certified Information Systems Auditor or CISA certification does contain many information security components

Page 52: Legal, ethical & professional issues


Information Systems Audit and Control Association

The ISACA also has a code of ethics for professionals

Requires many of the same high standards for ethical performance as the other organizations and certifications

Page 53: Legal, ethical & professional issues

CSI - Computer Security Institute

The Computer Security Institute (www.gocsi.com) provides information and certification to support the computer, networking, and information security professional

While CSI does not promote a single certification certificate like the CISSP or GISO, it does provide a range of technical training classes in the areas of Internet Security, Intrusion Management, Network Security, Forensics, as well as technical networking

Page 54: Legal, ethical & professional issues

Other Security Organizations

Information Systems Security Association (ISSA)® (www.issa.org)

Internet Society or ISOC (www.isoc.org)

Computer Security Division (CSD) of the National Institute for Standards and Technology (NIST)
– contains a resource center known as the Computer Security Resource Center (csrc.nist.gov) housing one of the most comprehensive sets of publicly available information on the entire suite of information security topics

Page 55: Legal, ethical & professional issues


Other Security Organizations

CERT® Coordination Center or CERT/CC (www.cert.org) is a center of Internet security expertise operated by Carnegie Mellon University

Computer Professionals for Social Responsibility (CPSR) promotes the development of ethical computing

Page 56: Legal, ethical & professional issues

Key U.S. Federal Agencies

The Department of Homeland Security’s National Infrastructure Protection Center (NIPC) (www.nipc.gov)
– National InfraGard Program

National Security Agency (NSA)
– The NSA is “the Nation’s cryptologic organization”
– NSA Information Assurance Directorate

Page 57: Legal, ethical & professional issues

Other Key Federal Agencies

Figure 3-14: U.S. Secret Service Web site, http://www.secretservice.gov/

Page 58: Legal, ethical & professional issues

Organizational Liability and the Need for Counsel

Liability is the legal obligation of an entity
– Liability extends beyond legal obligation or contract to include liability for a wrongful act and the legal obligation to make restitution

– An organization increases its liability if it refuses to take strong measures known as due care

Due diligence requires that an organization make a valid effort to protect others and continually maintain this level of effort

Page 59: Legal, ethical & professional issues

Our Private Directory for this Course

Answers to chapter review questions

InfoSec Library as self-extracting .zip file (distributed on CD to live students)

Can only be accessed from Blackboard

Page 60: Legal, ethical & professional issues


The End…

Questions?