Legal and Professional Issues In Information Security.

Presentation transcript:

Legal and Professional Issues In Information Security

Introduction
 You must understand the scope of an organization’s legal and ethical responsibilities
 To minimize liabilities and reduce risks, the information security practitioner must:
   Understand the current legal environment
   Stay current with laws and regulations
   Watch for new issues that emerge

Life for Computer Professionals
 Binary: problem solutions either work or they do not; little room for gray areas
 Physical and mathematical laws are the ultimate authority when disputes arise
 Guiding philosophy: “Tell me what you need and I will create a system with appropriate trade-offs at least cost to solve your problem.”

When Worlds Collide...
 The legal community is always behind the technology curve
 As a result, analogies are often made between new technological paradigms and old-world systems, some more easily defended than others
 Different interpretations result in different laws

Patents
 Competing products must use a different method for achieving the same task to avoid payments
 Definite lifespan, beyond which the patent information is freely available for use by the public

Copyright
 Covers a specific work
 Automatically held when the work is created, but easier to defend if it is registered
 Definite lifetime, beyond which the work is freely available to the public

Trademark
 A specific name or phrase
 Generic terms cannot be trademarked
 Trademarks can be lost if they are not defended
 Lost trademarks: aspirin, kleenex
 Held trademarks: Coke, Pepsi

ISP Liability
 What is an Internet Service Provider like?
   Phone company: routes information flows between individuals
   Newspaper: packages content for distribution in a public forum
 The answer determines the ISP’s legal liability
 The rules have been in a constant state of flux in recent years

Modern Era: Communications Decency Act
 The ISP may monitor user activity (according to policy)
 If a statement is in place to the effect that the ISP does not take responsibility for user traffic, then there is no ISP liability, BUT
   An area for complaints must be available
   Complaint response must happen in a timely fashion

DMCA
 Digital Millennium Copyright Act
 If copyright infringement is claimed, a web site must be taken down (however tenuous the claim may be)
 The web site can only be reinstated after an appeals process

Near Future?...
 ISPs may be required to monitor user traffic with a 40-day data log
 ISPs not explicitly exempt from liability
 Hacker/security tools illegal
 Citizens must provide passwords for data seized by police

Privacy in the Workplace
 Test for employers/employees: “Do you have a reasonable expectation of privacy?”
 A case can be made that private material on business machines is still private, but this is not the law
 Work-related material on business machines is definitely not private

Privacy in Email
 Legally, email is like a postal letter:
   Expectation of privacy in transit
   Mail loses its special protected status once it leaves the letter carrier's grasp
 For email:
   Expectation of privacy while the signal travels over the Internet
   Email loses its protected status at the mail server, whether you have read it or not

Business Email
 The Electronic Communications Privacy Act (1986) says all business communication belongs to that business
 Deleting email can be ruled spoliation (intentionally destroying company records)
 An archive is worthless if it cannot be indexed effectively (in effect, saving everything can be equivalent to saving nothing)

What about Privacy at Home?
 A lot of public information is considered private
 An increasing amount of public information is available on the Internet:
   Reverse phone lookups
   Campaign contributions
   Housing prices
   Driver’s license information and photographs

Data Collection
 Data collection has few boundaries

Jurisdiction
 “The Internet has no boundaries”
 Is that really true?
 If you break a law in Finland, but you were on the Internet in the United States, what happens to you?
 What if you are in California and you break a law in Japan?

E-Commerce Big Questions
 Did you sell an illegal item to a resident of community X?
 Did you try to stop the flow of illegal sales into X?

Law and Ethics in Information Security
 Laws: rules that mandate or prohibit certain societal behavior
 Ethics: define socially acceptable behavior
 Cultural mores: fixed moral attitudes or customs of a particular group; ethics are based on these
 Laws carry the sanctions of a governing authority; ethics do not

Types of Law
 Civil
 Criminal
 Tort (wrongful)
 Private
 Public

Policy Versus Law
 Most organizations develop and formalize a body of expectations called policy
 Policies serve as organizational laws
 To be enforceable, policy must be distributed, readily available, easily understood, and acknowledged by employees

Association for Computing Machinery (ACM)
 ACM was established in 1947 as “the world's first educational and scientific computing society”
 Its code of ethics contains references to protecting information confidentiality, causing no harm, protecting others’ privacy, and respecting others’ intellectual property

International Information Systems Security Certification Consortium, Inc. (ISC)²
 Non-profit organization focusing on the development and implementation of information security certifications and credentials
 Code primarily designed for information security professionals who hold a certification from (ISC)²
 Code of ethics focuses on four mandatory canons

System Administration, Networking, and Security Institute (SANS)
 Professional organization with a large membership dedicated to the protection of information and systems
 SANS offers a set of certifications called Global Information Assurance Certification (GIAC)

Information Systems Audit and Control Association (ISACA)
 Professional association with a focus on auditing, control, and security
 Concentrates on providing IT control practices and standards
 ISACA has a code of ethics for its professionals

Computer Security Institute (CSI)
 Provides information and training to support computer, networking, and information security professionals
 Though it has no code of ethics of its own, CSI has argued for the adoption of ethical behavior among information security professionals

Information Systems Security Association (ISSA)
 Nonprofit society of information security (IS) professionals
 Primary mission is to bring together qualified IS practitioners for information exchange and educational development
 Promotes a code of ethics similar to those of (ISC)², ISACA and ACM

Other Security Organizations
 Internet Society (ISOC): promotes the development and implementation of education, standards and policy to advance the Internet
 Computer Security Division (CSD): division of the National Institute of Standards and Technology (NIST); promotes industry best practices and is an important reference for information security professionals

Other Security Organizations (continued)
 CERT Coordination Center (CERT/CC): center of Internet security expertise operated by Carnegie Mellon University
 Computer Professionals for Social Responsibility (CPSR): public organization for anyone concerned with the impact of computer technology on society

Organizational Liability and the Need for Counsel
 Liability is the legal obligation of an entity; it includes the legal obligation to make restitution for wrongs committed
 An organization increases its liability if it refuses to take the measures known as due care
 Due diligence requires that an organization make a valid effort to protect others and continually maintain that level of effort

Summary
 Laws: rules that mandate or prohibit certain behavior in society; drawn from ethics
 Ethics: define socially acceptable behaviors; based on cultural mores (fixed moral attitudes or customs of a particular group)
 Types of law: civil, criminal, tort law, private, public

Summary (continued)
 Many organizations have codes of conduct and/or codes of ethics
 An organization increases its liability if it refuses to take the measures known as due care
 Due diligence requires that an organization make a valid effort to protect others and continually maintain that effort