MANAGEMENT of INFORMATION SECURITY, Fifth Edition

Management of Information Security, 5th Edition, © Cengage Learning

Policy and Ethics

Policy versus Law
The key difference between policy and law is that ignorance of policy is an acceptable defense, whereas ignorance of the law is not. An organization can therefore only hold employees to a policy that has been:
- Distributed to all individuals who are expected to comply with it
- Readily available for employee reference
- Easily understood, with translations into other languages and alternative formats for visually impaired or low-literacy employees
- Acknowledged by the employee, usually by means of a signed consent form
- Uniformly enforced for all employees

Ethics in InfoSec
- Some define ethics as the organized study of how humans ought to act
- Others define it as a set of rules we should live by
- An InfoSec student is not expected to study the topic of ethics in a vacuum, but within a larger ethical framework
- However, those employed in information security may be expected to be more articulate about the topic than others in the organization, and often must withstand a higher degree of scrutiny

Ethics in InfoSec
The foundations and frameworks of ethics include the following:
- Normative ethics: the study of what makes actions right or wrong, also known as moral theory; that is, how should people act?
- Meta-ethics: the study of the meaning of ethical judgments and properties; that is, what is right?
- Descriptive ethics: the study of the choices that have been made by individuals in the past; that is, what do others think is right?
- Applied ethics: an approach that applies moral codes to actions drawn from realistic situations; it seeks to define how we might use ethics in practice
- Deontological ethics: the study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences; also known as duty-based or obligation-based ethics. This approach seeks to define a person's ethical duty

Ethics in InfoSec
From these fairly well-defined and agreed-upon ethical frameworks come a series of ethical standards:
- Utilitarian approach: emphasizes that an ethical action is one that results in the most good, or the least harm; this approach seeks to link consequences to choices
- Rights approach: suggests that the ethical action is the one that best protects and respects the moral rights of those affected by that action; it begins with a belief that humans have an innate dignity based on their ability to make choices
- Fairness or justice approach: founded on the work of Aristotle and other Greek philosophers, who contributed the idea that all persons who are equal should be treated equally
- Common good approach: based on the work of the Greek philosophers, a notion that life in community yields a positive outcome for the individual, and therefore each individual should contribute to that community
- Virtue approach: a very ancient ethical model postulating that ethical actions ought to be consistent with so-called ideal virtues; that is, those virtues that all of humanity finds most worthy and that, when present, indicate a fully developed humanity

The Ten Commandments of Computer Ethics (Computer Ethics Institute)
Thou shalt not:
- Use a computer to harm other people
- Interfere with other people's computer work
- Snoop around in other people's computer files
- Use a computer to steal
- Use a computer to bear false witness
- Copy or use proprietary software for which you have not paid
- Use other people's computer resources without authorization or proper compensation
- Appropriate other people's intellectual output
Thou shalt:
- Think about the social consequences of the program you are writing or the system you are designing
- Always use a computer in ways that ensure consideration and respect for your fellow humans

Ethics and Education
- Key studies reveal that the overriding factor in leveling the ethical perceptions within a small population is education
- Employees must be trained and kept up to date on information security topics, including the expected behaviors of an ethical employee
- Proper ethical and legal training is vital to creating an informed, well-prepared, and low-risk system user

Deterring Unethical and Illegal Behavior
It is the responsibility of InfoSec personnel to do everything in their power to deter unethical and illegal acts, using policy, education and training, and technology as controls to protect information.
There are three general categories of unethical behavior that organizations and society should seek to eliminate:
- Ignorance: ignorance of the law is no excuse, but ignorance of policies and procedures is. The first method of deterrence is therefore education
- Accident: individuals with authorization and privileges to manage information within the organization have the greatest opportunity to cause harm or damage by accident
- Intent: criminal or unethical intent refers to the state of mind of the individual committing the infraction

Deterring Unethical and Illegal Behavior
- Deterrence is the best method for preventing an illegal or unethical activity
- Laws, policies, and technical controls are all examples of deterrents
- However, it is generally agreed that laws and policies and their associated penalties only deter if three conditions are present:
  - Fear of penalty
  - Probability of being caught
  - Probability of penalty being administered

Professional Organizations and Their Codes of Ethics
- A number of professional organizations have established codes of conduct and/or codes of ethics that members are expected to follow
- Codes of ethics can have a positive effect on an individual's judgment regarding computer use
- It remains the individual responsibility of security professionals to act ethically and according to the policies and procedures of their employers, their professional organizations, and the laws of society

Association for Computing Machinery
- The ACM is a respected professional society, originally established in 1947, as "the world's first educational and scientific computing society"
- It is one of the few organizations that strongly promotes education and provides discounted membership for students
- The ACM's code of ethics requires members to perform their duties in a manner befitting an ethical computing professional

International Information Systems Security Certification Consortium, Inc.
- The code of ethics put forth by (ISC)2 is primarily designed for information security professionals who have earned one of its certifications
- This code includes four mandatory canons:
  - Protect society, the commonwealth, and the infrastructure
  - Act honorably, honestly, justly, responsibly, and legally
  - Provide diligent and competent service to principals
  - Advance and protect the profession

SANS
- Founded in 1989, SANS is a professional research and education cooperative organization whose community includes over 156,000 security professionals, auditors, and system and network administrators
- The SANS GIAC Code of Ethics requires:
  - Respect for the public
  - Respect for the certification
  - Respect for my employer
  - Respect for myself

ISACA
- ISACA is a professional association with a focus on auditing, control, and security
- Its membership comprises both technical and managerial professionals
- ISACA also has a code of ethics for its professionals
- It requires many of the same high standards for ethical performance as the other organizations and certifications

ISACA
Members and ISACA certification holders shall:
1. Support the implementation of, and encourage compliance with, appropriate standards, procedures, and controls for information systems
2. Perform their duties with objectivity, due diligence, and professional care, in accordance with professional standards and best practices
3. Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession
4. Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority; such information shall not be used for personal benefit or released to inappropriate parties
5. Maintain competency in their respective fields, and agree to undertake only those activities that they can reasonably expect to complete with professional competence
6. Inform appropriate parties of the results of work performed, revealing all significant facts known to them
7. Support the professional education of stakeholders in enhancing their understanding of information systems security and control

Information Systems Security Association (ISSA)
- The Information Systems Security Association (ISSA) (www.issa.org) is a nonprofit society of information security professionals
- As a professional association, its primary mission is to bring together qualified practitioners of information security for information exchange and educational development
- ISSA provides conferences, meetings, publications, and information resources to promote information security awareness and education
- ISSA also promotes a code of ethics, similar to those of (ISC)2, ISACA, and the ACM, "promoting management practices that will ensure the confidentiality, integrity, and availability of organizational information resources."

Organizational Liability and the Need for Counsel
- What if an organization does not support or even encourage strong ethical conduct on the part of its employees? What if an organization does not behave ethically?
- If an employee, acting with or without authorization, performs an illegal or unethical act that causes some degree of harm, the organization can be held financially liable for that action
- An organization increases its liability if it refuses to take measures (due care) to make sure that every employee knows what is acceptable and what is not, and the consequences of illegal or unethical actions
- Due diligence requires that an organization make a valid and ongoing effort to protect others

Key Law Enforcement Agencies
- The Federal Bureau of Investigation's InfraGard Program promotes efforts to educate, train, inform, and involve the business and public sector in information security
- Every FBI field office has established an InfraGard chapter and collaborates with public and private organizations and the academic community to share information about attacks, vulnerabilities, and threats
- InfraGard's dominant contribution is the free exchange of information to and from the private sector in the subject areas of threats and attacks on information resources

Key Law Enforcement Agencies
- The National Security Agency (NSA) is the nation's cryptologic organization
- It coordinates, directs, and performs highly specialized activities to protect U.S. information systems and produce foreign intelligence information
- The NSA is responsible for signals intelligence and information systems security
- The NSA's Information Assurance Directorate (IAD) provides information security "solutions including the technologies, specifications and criteria, products, product configurations, tools, standards, operational doctrine, and support activities needed to implement the protect, detect and report, and respond elements of cyber defense"

Key Law Enforcement Agencies
- The U.S. Secret Service was originally a bureau within the Department of the Treasury
- In addition to its well-known mission to protect key members of the U.S. government, the Secret Service is also charged with the detection and arrest of any person committing a U.S. federal offense relating to computer fraud, as well as false identification crimes
- The Department of Homeland Security was established with the passage of Public Law 107-296 (the Homeland Security Act of 2002), which, in part, transferred the United States Secret Service from the Department of the Treasury to the Department of Homeland Security