Chapter 2: Compliance (Law and Ethics)

Compliance: Law & Ethics

  • Quote by Immanuel Kant: "In law a man is guilty when he violates the rights of others. In ethics he is guilty if he only thinks of doing so."

Objectives of Chapter 2

  • Differentiate between law and ethics.

  • Describe the ethical foundations and approaches underlying modern codes of ethics.

  • Discuss relevant professional security organizations' roles and relationships to organizational InfoSec.

  • Explain the importance of ethical codes of conduct for InfoSec professionals and their organizations.

  • Identify significant national and international laws related to InfoSec practices.

  • Explain challenges and methods associated with managing digital forensics in organizations.

Key Terms

  • Ethics: The branch of philosophy governing moral judgment.

    • Examines nature, source, and validity of moral judgments.

  • Deterrence: Preventing unwanted actions by threatening punishment.

  • Computer Fraud and Abuse Act (CFA Act): Core federal law for computer-related offenses.

  • Computer Security Act (CSA): Legislation to improve federal information systems' security.

  • Electronic Communications Privacy Act (ECPA) of 1986: Regulates interception of communications.

Additional Key Terms

  • Health Insurance Portability and Accountability Act (HIPAA): Protects healthcare data privacy and security.

  • Privacy Act of 1974: Regulates government's use of personal information.

  • Due Care: Ensures employees understand acceptable conduct.

  • Due Diligence: Steps taken to comply with laws/regulations.

  • Jurisdiction: Legal authority to make decisions.

  • Liability: Legal obligations of an entity.

  • Digital Forensics: Investigations of computer media for evidence.

Ethics in InfoSec

  • InfoSec professionals manage critical information and must uphold high ethical standards.

  • Juvenal's question "Quis custodiet ipsos custodes?" ("Who will guard the guards themselves?") is raised regarding the oversight of ethical behavior.

  • It is not standard practice to hire directly into InfoSec positions without prior experience.

Foundations and Frameworks of Ethics

  • Normative Ethics: What makes actions right or wrong?

  • Meta-Ethics: Meaning of ethical judgments.

  • Descriptive Ethics: Study of past ethical choices.

  • Applied Ethics: Applying ethical codes practically.

  • Deontological Ethics: Focuses on intentions and duties over consequences.

Ethical Standards in InfoSec

  • Utilitarian Approach: Actions resulting in the greatest good.

  • Rights Approach: Protects moral rights of individuals.

  • Justice Approach: Equitable treatment for all.

  • Common Good Approach: Emphasizes community benefits.

  • Virtue Approach: Actions should reflect ideal virtues such as integrity and fairness.

Ten Commandments of Computer Ethics (Computer Ethics Institute)

  • Do not harm others with computers.

  • Do not interfere with others' computer work.

  • Do not snoop in others' files.

  • Do not steal or misrepresent proprietary software.

  • Consider the social implications of your programming and systems design.

Education and Ethics

  • Key findings show education is vital in aligning ethical perceptions in a workforce.

  • Training is necessary to establish the ethical behaviors expected of employees.

Deterring Unethical Behavior

  • InfoSec personnel should implement policies and training to deter unethical acts.

  • Categories of Unethical Behavior:

    • Ignorance

    • Accident

    • Intent

  • Deterrence: Effective only when there is fear of the penalty, a high probability of being caught, and an expectation that the penalty will actually be administered.

Professional Organizations' Codes of Ethics

  • Association for Computing Machinery (ACM): Promotes education and ethical responsibilities in computing.

  • ISC²: Focus on societal protection, competency, and legal compliance.

  • SANS: Ethics emphasize respect for the public and self.

  • ISACA: Focuses on ethical performance standards and confidentiality.

  • ISSA: Promotes practices that ensure information resource security.

Organizational Liability and Counsel

  • Organizations can be financially liable for employees' unethical actions.

  • Compliance with due care and due diligence is critical.

Key Law Enforcement Agencies in InfoSec

  • FBI: InfraGard program promotes education and resilience in InfoSec.

  • NSA: Protects U.S. information systems; oversees signals intelligence.

  • U.S. Secret Service: Handles computer fraud and identity crime offenses.

  • Department of Homeland Security: Manages cybersecurity and information sharing.

Managing Investigations

  • Organizations must appoint investigators for policy violations.

  • Forensic methods must be documented and systematic.

  • Digital Forensics includes preservation, documentation, and interpretation of evidence.

Evidence Procedures

  • Establish procedures for investigations, including authorization, evidence collection, and reporting frameworks.
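The preservation, documentation and reporting steps listed under "Managing Investigations" and "Evidence Procedures" can be made concrete in code. The following is an added example written for these notes; it is not from the textbook or from any forensics tool. The record layout, the function names (acquire, transfer, verify_content, verify_log, report) and the sample evidence bytes are all constructed for the illustration. Preservation is shown by hashing the item at collection time and re-checking it later; documentation is shown by a custody log in which each entry carries the hash of the previous entry, so that editing or deleting an earlier entry is detectable.

```python
"""Evidence preservation and chain-of-custody record (constructed example)."""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the very first custody entry


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of raw bytes (the evidence itself or a serialized log entry)."""
    return hashlib.sha256(data).hexdigest()


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


@dataclass
class EvidenceRecord:
    case_id: str
    item_id: str
    description: str
    acquisition_hash: str               # SHA-256 taken when the item was collected
    custody_log: list = field(default_factory=list)

    def append_entry(self, **fields) -> dict:
        """Append a custody entry linked to its predecessor by hash."""
        prev = self.custody_log[-1]["entry_hash"] if self.custody_log else GENESIS
        entry = dict(fields, prev_hash=prev)
        # The entry hash covers every field including prev_hash, so the log forms a chain.
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.custody_log.append(entry)
        return entry


def acquire(case_id, item_id, description, data: bytes,
            examiner: str, authorized_by: str, when: str = None) -> EvidenceRecord:
    """Collect an item: record its hash and who took it, under whose authorization."""
    record = EvidenceRecord(case_id, item_id, description, sha256_hex(data))
    record.append_entry(action="acquired", examiner=examiner,
                        authorized_by=authorized_by, time=when or _now())
    return record


def transfer(record: EvidenceRecord, from_person: str, to_person: str,
             reason: str, when: str = None) -> dict:
    """Document a hand-off of the item between custodians."""
    return record.append_entry(action="transferred", from_person=from_person,
                               to_person=to_person, reason=reason, time=when or _now())


def verify_content(record: EvidenceRecord, data: bytes) -> bool:
    """Preservation check: does the item still hash to its acquisition value?"""
    return sha256_hex(data) == record.acquisition_hash


def verify_log(record: EvidenceRecord) -> bool:
    """Documentation check: every entry hashes correctly and links to its predecessor."""
    prev = GENESIS
    for entry in record.custody_log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body.get("prev_hash") != prev:
            return False                # an entry was removed or reordered
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return False                # an entry was edited after the fact
        prev = entry["entry_hash"]
    return True


def report(record: EvidenceRecord, data: bytes) -> dict:
    """Summary suitable for an investigation report."""
    return {
        "case_id": record.case_id,
        "item_id": record.item_id,
        "acquisition_hash": record.acquisition_hash,
        "custody_entries": len(record.custody_log),
        "content_intact": verify_content(record, data),
        "log_intact": verify_log(record),
    }


if __name__ == "__main__":
    # Constructed sample evidence; a real item would be a disk image or file.
    sample = b"constructed sample evidence bytes"
    rec = acquire("CASE-0001", "ITEM-01", "USB stick from workstation 12",
                  sample, examiner="Examiner A", authorized_by="CISO")
    transfer(rec, "Examiner A", "Examiner B", reason="malware analysis")
    print(json.dumps(report(rec, sample), indent=2))
```

The hash chain only detects tampering; it does not prevent it, so the log still needs to be stored where custodians cannot rewrite it, and the acquisition hash should be recorded on the signed collection form as well as in the file.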

Summary of Key Topics

  • Introduction

  • Law and ethics in InfoSec

  • Legal environment specifics

  • Ethical concepts in relation to InfoSec

  • Professional organizations’ ethical codes

  • Organizational liability considerations

  • Overview of key federal agencies in InfoSec

  • Managing investigations within organizations.
