
Legal and Professional Issues In Information Security.


Slide 1: Legal and Professional Issues In Information Security

Slide 2: Introduction
- You must understand the scope of an organization's legal and ethical responsibilities.
- To minimize liabilities and reduce risk, the information security practitioner must:
  - understand the current legal environment
  - stay current with laws and regulations
  - watch for new issues that emerge

Slide 3: Life for Computer Professionals
- Binary: problem solutions either work or they do not; little room for gray areas.
- Physical and mathematical laws are the ultimate authority when disputes arise.
- Guiding philosophy: "Tell me what you need and I will create a system with appropriate trade-offs at least cost to solve your problem."

Slide 4: When Worlds Collide...
- The legal community is always behind the technology curve.
- As a result, analogies are often drawn between new technological paradigms and old-world systems, some more easily defended than others.
- Different interpretations result in different laws.

Slide 5: Patents
- Competing products must use a different method for achieving the same task to avoid payments.
- Definite lifespan, beyond which the patent information is freely available for use by the public.

Slide 6: Copyright
- Covers a specific work.
- Automatically held when the work is created, but easier to defend if it is registered.
- Definite lifetime, beyond which the work is freely available to the public.

Slide 7: Trademark
- Covers a specific name or phrase.
- Generic terms cannot be trademarked.
- Trademarks can be lost if they are not defended.
- Lost trademarks: aspirin, kleenex
- Held trademarks: Coke, Pepsi

Slide 8: ISP Liability
- What is an Internet Service Provider like?
  - A phone company: routes information flows between individuals
  - A newspaper: packages content for distribution in a public forum
- The answer determines the ISP's legal liability.
- The rules have been in a constant state of flux in recent years.

Slide 9: Modern Era: Communications Decency Act
- An ISP may monitor user activity (according to its policy).
- If a statement to the effect that the ISP does not take responsibility for user traffic is in place, then there is no ISP liability, BUT:
  - an area for complaints must be available
  - complaint response must happen in a timely fashion

Slide 10: DMCA
- Digital Millennium Copyright Act
- If copyright infringement is claimed, a web site must be taken down (however tenuous the claim may be).
- The web site can only be reinstated after an appeals process.

Slide 11: Near Future?...
- ISPs may be required to monitor user traffic with a 40-day data log.
- ISPs not explicitly exempt from liability.
- Hacker/security tools illegal.
- Citizens must provide passwords for data seized by police.

Slide 12: Privacy in the Workplace
- Test for employers and employees: "Do you have a reasonable expectation of privacy?"
- A case can be made that private e-mail on business machines is still private, but this is not the law.
- Work-related material on business machines is definitely not private.

Slide 13: Privacy in E-mail
- Legally, e-mail is like a postal letter:
  - expectation of privacy in transit
  - mail loses its special protected status once it leaves the letter carrier's grasp
- For e-mail:
  - expectation of privacy while the signal travels over the Internet
  - e-mail loses its protected status at the mail server, whether you have read it or not

Slide 14: Business E-mail
- The Electronic Communications Privacy Act (1986) says all business communication belongs to that business.
- Deleting e-mail can be ruled spoliation (intentionally destroying company records).
- An archive is worthless if it cannot be indexed effectively (in effect, saving everything can be equivalent to saving nothing).

Slide 15: What about Privacy at Home?
- A lot of public information is considered private.
- An increasing amount of public information is available on the Internet:
  - reverse phone lookups
  - campaign contributions
  - housing prices
  - driver's license information and photographs

Slide 16: Data Collection
- Data collection has few boundaries.

Slide 17: Jurisdiction
- "The Internet has no boundaries." Is that really true?
- If you break a law in Finland, but you were on the Internet in the United States, what happens to you?
- What if you are in California and you break a law in Japan?

Slide 18: E-Commerce Big Questions
- Did you sell an illegal item to a resident of community X?
- Did you try to stop the flow of illegal sales into X?

Slide 19: Law and Ethics in Information Security
- Laws: rules that mandate or prohibit certain societal behavior.
- Ethics: define socially acceptable behavior.
- Cultural mores: fixed moral attitudes or customs of a particular group; ethics are based on these.
- Laws carry the sanctions of a governing authority; ethics do not.

Slide 20: Types of Law
- Civil
- Criminal
- Tort (wrongful)
- Private
- Public

Slide 21: Policy Versus Law
- Most organizations develop and formalize a body of expectations called policy.
- Policies serve as organizational laws.
- To be enforceable, policy must be distributed, readily available, easily understood, and acknowledged by employees.

Slide 22: Association of Computing Machinery (ACM)
- ACM was established in 1947 as "the world's first educational and scientific computing society".
- Its code of ethics contains references to protecting information confidentiality, causing no harm, protecting others' privacy, and respecting others' intellectual property.

Slide 23: International Information Systems Security Certification Consortium, Inc. (ISC)²
- Non-profit organization focusing on the development and implementation of information security certifications and credentials.
- Code primarily designed for information security professionals who hold a certification from (ISC)².
- Code of ethics focuses on four mandatory canons.

Slide 24: System Administration, Networking, and Security Institute (SANS)
- Professional organization with a large membership dedicated to the protection of information and systems.
- SANS offers a set of certifications called Global Information Assurance Certification (GIAC).

Slide 25: Information Systems Audit and Control Association (ISACA)
- Professional association with a focus on auditing, control, and security.
- Concentrates on providing IT control practices and standards.
- ISACA has a code of ethics for its professionals.

Slide 26: Computer Security Institute (CSI)
- Provides information and training to support computer, networking, and information security professionals.
- Though it has no code of ethics, it has argued for the adoption of ethical behavior among information security professionals.

Slide 27: Information Systems Security Association (ISSA)
- Nonprofit society of information security (IS) professionals.
- Primary mission is to bring together qualified IS practitioners for information exchange and educational development.
- Promotes a code of ethics similar to those of (ISC)², ISACA and ACM.

Slide 28: Other Security Organizations
- Internet Society (ISOC): promotes the development and implementation of education, standards, and policy to promote the Internet.
- Computer Security Division (CSD): division of the National Institute for Standards and Technology (NIST); promotes industry best practices and is an important reference for information security professionals.

Slide 29: Other Security Organizations (continued)
- CERT Coordination Center (CERT/CC): center of Internet security expertise operated by Carnegie Mellon University.
- Computer Professionals for Social Responsibility (CPSR): public organization for anyone concerned with the impact of computer technology on society.

Slide 30: Organizational Liability and the Need for Counsel
- Liability is the legal obligation of an entity; it includes the legal obligation to make restitution for wrongs committed.
- An organization increases its liability if it refuses to take measures known as due care.
- Due diligence requires that an organization make a valid effort to protect others and continually maintain that level of effort.

Slide 31: Summary
- Laws: rules that mandate or prohibit certain behavior in society; drawn from ethics.
- Ethics: define socially acceptable behaviors; based on cultural mores (fixed moral attitudes or customs of a particular group).
- Types of law: civil, criminal, tort law, private, public.

Slide 32: Summary
- Many organizations have codes of conduct and/or codes of ethics.
- An organization increases its liability if it refuses to take measures known as due care.
- Due diligence requires that an organization make a valid effort to protect others and continually maintain that effort.

