Principles of Information Security: Legal, Ethical, and Professional Issues

Learning Objectives

  • On completion, you will be able to:
    • Describe the functions and relationships among laws, regulations, and professional organizations in information security.
    • Explain the differences between laws and ethics.

Introduction

  • Understanding the scope of an organization’s legal and ethical responsibilities is critical.
  • To minimize liabilities and reduce risks, information security practitioners must:
    • Understand the current legal environment
    • Stay updated on laws and regulations
    • Watch for new and emerging issues.

Law and Ethics in Information Security

  • Laws:
    • Defined as rules enforced by the state that mandate or prohibit certain behaviors.
  • Ethics:
    • Concern socially acceptable behaviors; they are not enforced by any government authority.
  • Cultural Mores:
    • Fixed moral attitudes or customs particular to a group.
  • Key Distinction: Laws have authoritative power, while ethics do not.

Organizational Liability and the Need for Counsel

  • Liability:
    • A legal obligation that extends beyond criminal or contract law, including the need for restitution.
  • Restitution:
    • Obligation to compensate for wrongs committed against others.
  • Due Care:
    • Legal standard requiring organizations to act both legally and ethically while understanding consequences.
  • Due Diligence:
    • Standard requiring organizations to make a reasonable effort to meet due care and to maintain that effort continually.
  • Jurisdiction:
    • Right of a court to hear a case based on territorial jurisdiction or citizenship.
  • Long-arm Jurisdiction:
    • Laws applied to persons residing outside a court’s normal jurisdiction when they act illegally.

Policy Versus Law

  • Policies:
    • Managerial directives detailing acceptable and unacceptable behavior in the workplace, functioning similarly to laws.
    • Must be crafted carefully to ensure completeness, appropriateness, and fair application.
  • Key Difference: Unlike ignorance of the law, ignorance of a policy can sometimes be an acceptable defense.

Criteria for Policy Enforcement

  • Dissemination: Distribution of the policy.
  • Review: Requirement for individuals to read the policy.
  • Comprehension: Ensuring understanding of the policy.
  • Compliance: Individuals must agree to follow the policy.
  • Uniform Enforcement: Policies must be enforced consistently across the organization.

Types of Law

  • Civil Law: Governs personal and organizational relationships.
  • Criminal Law: Addresses harmful conduct to society, enforced by the state.
  • Private Law: Covers family, commercial, and labor laws regulating interpersonal relationships.
  • Public Law: Regulates the structure and administration of government agencies.

Relevant U.S. Laws

  • The U.S. leads in the development of information security legislation.
  • Benefits: Contributes to a reliable business environment and stable economy; specifies penalties for breaches of law.

General Computer Crime Laws

  • Computer Fraud and Abuse Act of 1986 (CFA Act):
    • A cornerstone of federal computer-related laws.
  • National Information Infrastructure Protection Act of 1996:
    • Modified the CFA Act, increasing penalties based on information value and purpose (e.g., for financial gain).
  • USA PATRIOT Act of 2001:
    • Expands law enforcement powers for anti-terrorism activities.
  • Computer Security Act of 1987:
    • One of the first laws to protect federal computer systems by requiring minimum security practices.

Privacy

  • A crucial topic in information security regarding individuals' rights to protect personal data from unauthorized access.
  • Regulations:
    • Increased statutes addressing personal privacy rights.
    • Significant regulations include:
      • Privacy of Customer Information section of common carrier regulation.
      • Federal Privacy Act of 1974.
      • Electronic Communications Privacy Act of 1986.
      • Health Insurance Portability and Accountability Act (HIPAA) of 1996.
      • Financial Services Modernization Act (Gramm-Leach-Bliley Act) of 1999.