Law
The system of rules recognized and enforced by a governing authority to regulate behavior and maintain order within society.
Ethics
The branch of philosophy that examines moral principles and what constitutes right and wrong conduct.
Difference between Law and Ethics
Laws carry government enforcement and penalties, while ethics rely on personal and societal values without legal enforcement.
Mores
Fixed moral attitudes or customs of a group that form the basis for ethical behavior in a society.
Cybersecurity Professional Ethics
The expectation that professionals act with integrity, maintain confidentiality, and uphold accountability due to their privileged access to sensitive information.
“Who will watch the watchmen?”
A reminder that cybersecurity professionals must maintain the highest ethical standards because they are trusted guardians of critical systems and data.
Ethics in Cybersecurity
The study and application of moral principles guiding the behavior of individuals responsible for protecting information and systems.
Normative Ethics
Studies what makes actions right or wrong; also known as moral theory.
Meta-Ethics
Examines the meaning of ethical judgments—what concepts like “good” or “right” truly mean.
Descriptive Ethics
Analyzes past ethical decisions and behaviors to understand what others have considered right.
Applied Ethics
Applies ethical theory to real-world scenarios and practical moral choices.
Deontological Ethics
Focuses on moral duty and intent rather than consequences—doing the right thing because it is right.
Utilitarian Approach
An action is ethical if it produces the greatest good or least harm for the greatest number of people.
Rights Approach
An action is ethical if it respects and protects the moral rights of all affected individuals.
Fairness/Justice Approach
Ethical actions treat everyone equally, or unequally only on the basis of fair, defensible standards.
Common-Good Approach
Focuses on actions that contribute to the welfare of the community and protect the vulnerable.
Virtue Approach
Ethical behavior reflects personal virtues such as honesty, integrity, courage, and compassion.
Ethics in Information Processing Professionals
IT professionals face added ethical duties due to access to sensitive data and control over automated systems that affect organizational conduct.
Slippery Slope Concept
The gradual justification of unethical actions based on small prior allowances; leads to moral compromise over time.
IBM and the Holocaust Example
A cautionary case showing how technology, when used unethically, can contribute to large-scale harm or injustice.
Ten Commandments of Computer Ethics
A list of ethical guidelines for computing professionals emphasizing respect, honesty, and responsibility in computer use.
Ethics and Education
Education is key in shaping ethical awareness and leveling ethical perceptions within organizations.
SETA Program (Security Education, Training, and Awareness)
Programs designed to prevent ignorance-based ethical or legal violations through consistent education and policy awareness.
Deterring Unethical Behavior
The use of policy, education, and technology controls to discourage unethical or illegal acts within organizations.
Three Causes of Unethical Behavior
Ignorance, accident, and intent, each requiring a different prevention method: education for ignorance, careful planning and controls for accidents, and deterrence (policy enforcement and technical controls) for intent.
Three Conditions for Deterrence
Expectation of being caught, fear of penalty, and expectation that penalties will be applied.
Professional Organizations and Ethics
Groups that define codes of conduct for members to ensure professional and ethical behavior in cybersecurity fields.
ACM (Association for Computing Machinery)
Promotes ethical computing practices, confidentiality, privacy, and respect for intellectual property.
(ISC)² (International Information System Security Certification Consortium)
Publishes a four-canon code of ethics: protect society, act honorably, provide diligent service, and advance the profession.
SANS/GIAC
Code of ethics promoting respect for the public, employer, certification, and self; emphasizes responsibility and honesty.
ISACA
Focuses on auditing, control, and cybersecurity; requires professionalism, objectivity, privacy protection, and ongoing education.
ISSA (Information Systems Security Association)
Encourages ethical conduct in promoting security best practices and protecting the confidentiality, integrity, and availability of information.
Cybersecurity and Law
Cybersecurity professionals must understand and comply with legal frameworks when managing sensitive information such as PII and PHI.
Types of Law
Categories include constitutional law (the constitution itself), statutory law (enacted by a legislature), regulatory or administrative law (issued by executive agencies), and common law (built from judicial precedent).
Civil Law
Regulates relationships between individuals or organizations; includes torts, contracts, and family law.
Criminal Law
Addresses offenses against society; prosecuted by the state.
Private Law
Regulates relationships between individuals and organizations, including commercial and labor law.
Public Law
Governs the actions of government agencies and their interactions with citizens.
Computer Fraud and Abuse Act (CFAA)
U.S. federal statute (18 U.S.C. § 1030) that criminalizes accessing a protected computer without authorization, or exceeding authorized access, and related offenses such as trafficking in passwords and damaging systems.
Computer Security Act (CSA) of 1987
Requires federal agencies to implement cybersecurity standards, training, and awareness.
HIPAA (Health Insurance Portability and Accountability Act)
Protects patient medical data and sets national standards for privacy and security of health information.
HITECH Act
Expands HIPAA by strengthening breach notification requirements and enforcement for electronic health information.
Gramm-Leach-Bliley Act (GLBA)
Requires financial institutions to disclose and protect customers’ personal financial information.
Sarbanes-Oxley Act (SOX)
Enforces corporate accountability by requiring accurate financial reporting and effective internal controls over financial reporting, which in practice extends to the security and integrity of the information systems that produce those reports.
Freedom of Information Act (FOIA)
Allows public access to federal government records with limited exemptions.
Economic Espionage Act
Protects trade secrets and punishes theft of proprietary business information.
Security and Freedom Through Encryption Act (SAFE)
A bill introduced in Congress (never enacted into law) that would have affirmed the right to use encryption and prohibited government key-escrow or key registration requirements.
Digital Millennium Copyright Act (DMCA)
Prohibits circumventing technological measures that control access to copyrighted works and removing copyright management information, and sets penalties for digital piracy.
Privacy Act of 1974
Regulates how federal agencies collect and disclose personal information.
Children’s Online Privacy Protection Act (COPPA)
Requires parental consent before collecting data from children under 13 online.
Federal Information Security Management Act (FISMA)
Requires federal agencies to implement comprehensive cybersecurity programs.
PCI DSS (Payment Card Industry Data Security Standard)
Industry standard for protecting credit and debit card data; defines 12 security requirements across six key areas.
Policy vs. Law
Policies govern internal organizational behavior; laws govern society. Ignorance of law is no excuse, but ignorance of policy is a valid defense if not properly communicated.
Requirements for Effective Policy
Policies must be distributed, read, understood, acknowledged, and uniformly enforced to be legally defensible.
Organizational Liability
An organization may be legally responsible for employee misconduct; liability increases when due care and due diligence are neglected.
Due Care
Ensuring employees are aware of acceptable behavior and organizational policies.
Due Diligence
Taking ongoing, reasonable steps to comply with laws and protect others.
Jurisdiction
The legal authority of a court to hear a case and apply law to it; may reach beyond the court's normal territory through long-arm jurisdiction.
InfraGard
A public-private partnership between the FBI and private sector to share cybersecurity threat intelligence and protect critical infrastructure.
DHS (Department of Homeland Security)
Nation’s leading agency for coordinating protection of physical and digital infrastructure through its directorates.
NSA (National Security Agency)
Handles national cryptology, cybersecurity research, and information assurance for U.S. intelligence and defense.
NSA Centers of Academic Excellence (CAE)
Programs recognizing universities excelling in cybersecurity education, research, and operations.
U.S. Secret Service
Investigates computer fraud, identity theft, and electronic financial crimes; originally created to protect U.S. currency.
READY.gov
DHS public preparedness initiative (Ready.gov) promoting citizen awareness and response planning for emergencies, including cyber incidents.
Council of Europe Convention on Cybercrime (Budapest Convention, 2001)
International treaty (drafted by the Council of Europe, not the European Council) that harmonizes national cybercrime laws and procedures for international cooperation and evidence sharing.
GDPR (General Data Protection Regulation)
EU regulation governing the processing and cross-border transfer of personal data; applies to organizations inside or outside the EU that process the personal data of people in the EU, not only EU citizens.
Australian High-Tech Crime Laws
Define offenses such as hacking, data destruction, denial-of-service, and malware creation under the Criminal Code Act 1995.
State-Level Cybersecurity Laws
Individual states regulate data privacy, disposal, and breach notification; e.g., Georgia Computer Systems Protection Act and Georgia Identity Theft Law.
Standards vs. Laws
Standards define best practices, while laws mandate compliance and impose legal penalties. PCI DSS is an industry standard enforced by contract with the card brands and acquiring banks rather than a statute, though state laws may reference it.
Deterrence
The prevention of unethical or illegal actions by creating an expectation of being caught, fear of penalty, and assurance penalties will be enforced.
Long-Arm Jurisdiction
Allows courts to assert authority beyond normal boundaries when an out-of-state or foreign entity causes local harm.
Due Care vs. Due Diligence
Due care is awareness and policy enforcement; due diligence is proactive risk management and compliance efforts.
Ethical Decision Making
Applying moral frameworks to resolve dilemmas, balancing duty, fairness, consequences, and integrity.
Cybersecurity Professional Responsibility
Professionals must protect systems, respect privacy, and act with accountability and honesty in all operations.