Published by Marion Whitehead. Modified over 7 years ago.
Slide 1: Law and Ethics
INFORMATION SECURITY MANAGEMENT
“You got to be careful if you don’t know where you’re going, because you might not get there.” – Yogi Berra
Slide 2: Introduction
- All information security professionals must understand the scope of an organization’s legal and ethical responsibilities
- Educate employees and management about their legal and ethical obligations concerning proper use of information technology
Slide 3: Law and Ethics
- Laws vs. Ethics
- Types of Law
  - Civil law
  - Criminal law
  - Tort law
  - Private law
  - Public law
Slide 4: Information Security and the Law
- InfoSec professionals and managers must understand the legal framework within which their organizations operate
- What are some of the challenges?
Slide 5: Relevant U.S. Laws
- The Computer Fraud and Abuse Act of 1986 (CFA Act)
- The Computer Security Act of 1987
- Freedom of Information Act of 1966
- Sarbanes-Oxley Act of 2002
- Industry specific:
  - Healthcare: Health Insurance Portability & Accountability Act of 1996 (HIPAA)
  - Financial: Financial Services Modernization Act (Gramm-Leach-Bliley Act)
  - Telecommunications: Communications Act
Slide 6: Relevant U.S. Laws (cont’d.)
- Privacy Laws
  - Privacy of Customer Information Section
  - The Federal Privacy Act of 1974 regulates the government’s use of private information
  - Electronic Communications Privacy Act of 1986
  - These statutes work in cooperation with the Fourth Amendment of the U.S. Constitution
Slide 7: Relevant U.S. Laws (cont’d.)
- Export and Espionage Laws
  - Economic Espionage Act (EEA) of 1996
  - The Security and Freedom through Encryption Act of 1997
Slide 8: Recent Laws within the past few years
- National Cybersecurity Protection Act (NCPA)
- Cybersecurity Enhancement Act of 2014 (CEA)
- Federal Information System Modernization Act of 2014 (FISMA 2014)
- Cybersecurity Workforce Assessment Act (CWWA)
- Cybersecurity Act of 2015
Slide 9: International Laws and Legal Bodies
- There are currently few international laws relating to privacy and information security
- European Council Cyber-Crime Convention
- The Digital Millennium Copyright Act
- EU Network and Information Security Directive
- Database Right
- Chinese Cybersecurity Law
Slide 10: State and Local Regulations
- Information security professionals must understand state laws and regulations
- Example: Georgia Computer Systems Protection Act
Slide 11: Policy Versus Law
- Difference between policy and law
- Policies must be:
  - Distributed to all individuals who are expected to comply with them
  - Readily available for employee reference
  - Easily understood, with multilingual, visually impaired, and low-literacy translations
  - Acknowledged by employee with consent form
  - Uniformly enforced for all employees
Slide 12: How do you define ethics?
Slide 13: Ethics and Education
- Key studies reveal that the overriding factor in leveling the ethical perceptions within a small population is education
- Employees must be trained on the expected behaviors of an ethical employee
Slide 14: Unethical and Illegal Behavior
- InfoSec personnel should do everything in their power to deter unethical and illegal acts
- Categories of unethical behavior:
  - Ignorance
  - Accident
  - Intent
- Best approach?
Slide 15: Professional Organizations and their Codes of Ethics
- Some professional organizations have established codes of conduct and/or codes of ethics
- Other sources of ethics codes: ACM, SANS, ISC2, ISACA, ISSA
Slide 16: Ethics
- Rules, not laws, that are minimum standards for professional behavior
- ISC2 Code of Ethics:
  - Protect society, the commonwealth, and the infrastructure
  - Act honorably, honestly, justly, responsibly, and legally
  - Provide diligent and competent service to principals
  - Advance and protect the profession
Slide 17: Key Law Enforcement Agencies
- Federal Bureau of Investigation: InfraGard Program
- National Security Agency: Information Assurance Directorate (IAD)
- U.S. Secret Service
- Department of Homeland Security
Slide 18: Managing Investigations in the Organization
- It’s not a matter of “if” but “when”
- Investigation steps
- Documentation is key
- Digital forensics
Slide 19: Managing Investigations: Digital Forensics
- The investigation of what happened and how
- Involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis
- Evidentiary material (EM): any information that could potentially support the organization’s legal- or policy-based case against a suspect
Slide 20: Managing Investigations: Digital Forensics
- Two key purposes:
  - Investigate allegations of digital malfeasance
  - Perform root cause analysis
- Approaches:
  - Protect and forget (patch and proceed)
  - Apprehend and prosecute (pursue and prosecute)
Slide 21: Affidavits and Search Warrants
- Investigations begin with an allegation or an indication of an incident
- Forensics team requests permission to examine digital media for potential EM
- Affidavit
- Search warrant
Slide 22: Digital Forensics Methodology
Steps in the digital forensics methodology:
1. Identify relevant items of evidentiary value
2. Acquire (seize) the evidence without alteration or damage
3. Take steps to assure that the evidence is at every step verifiably authentic and is unchanged from the time it was seized
4. Analyze the data without risking modification or unauthorized access
5. Report the findings to the proper authority
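The following is an added example, not code from the slide deck or its publisher, showing how steps 2 through 4 of the methodology are typically made verifiable in practice: the seized media is copied bit for bit, hashed at acquisition, every handling event is written to a chain-of-custody log, and the copy is re-hashed before analysis so any later change is detected. The item identifier, handler names, log layout and the sample "disk image" bytes are all constructed for the example.

```python
import hashlib
import io
import json
from datetime import datetime, timezone

# Constructed sample "disk image" standing in for seized media (not real data).
SAMPLE_IMAGE = b"constructed sample evidence: expense ledger exported 2017-03-02\n" * 512


def sha256_of(stream, chunk_size=1 << 16):
    """Hash a file-like object from its start, in chunks, so large images never sit in memory."""
    stream.seek(0)
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def sha256_bytes(data):
    """Convenience wrapper so callers can hash an in-memory byte string."""
    return sha256_of(io.BytesIO(data))


def acquire(source, destination, chunk_size=1 << 16):
    """Bit-for-bit copy of `source` into `destination`.

    The source is hashed as it is read and the copy is hashed after it is written,
    so a corrupted acquisition is caught immediately rather than months later.
    Returns the hash recorded at seizure (step 2 of the methodology).
    """
    source.seek(0)
    source_digest = hashlib.sha256()
    for chunk in iter(lambda: source.read(chunk_size), b""):
        source_digest.update(chunk)
        destination.write(chunk)
    destination.flush()
    copy_digest = sha256_of(destination)
    if copy_digest != source_digest.hexdigest():
        raise RuntimeError("acquired copy does not match source media")
    return copy_digest


class CustodyLog:
    """Append-only chain-of-custody record: who handled the item, when, and its hash (step 3)."""

    def __init__(self, item_id):
        self.item_id = item_id
        self.entries = []

    def record(self, action, handler, digest):
        self.entries.append({
            "item": self.item_id,
            "action": action,
            "handler": handler,
            "sha256": digest,
            "utc": datetime.now(timezone.utc).isoformat(),
        })

    def seizure_hash(self):
        return self.entries[0]["sha256"] if self.entries else None

    def verify(self, stream, handler):
        """Re-hash the item and compare with the seizure hash; the check is logged either way."""
        digest = sha256_of(stream)
        intact = digest == self.seizure_hash()
        self.record("verified" if intact else "INTEGRITY FAILURE", handler, digest)
        return intact

    def to_json(self):
        return json.dumps(self.entries, indent=2)


def demo():
    """Walk one evidence item through acquisition, verification, and a detected modification."""
    seized = io.BytesIO(SAMPLE_IMAGE)
    forensic_copy = io.BytesIO()
    log = CustodyLog("EM-0001")  # placeholder item identifier

    digest = acquire(seized, forensic_copy)
    log.record("acquired", "analyst-1", digest)

    # Step 4: analysis is done on a second copy so the forensic copy is never opened for writing.
    analysis_copy = io.BytesIO(forensic_copy.getvalue())
    intact_before = log.verify(forensic_copy, handler="analyst-2")

    # Simulated mishandling: a tool writes to the forensic copy instead of the working copy.
    forensic_copy.seek(0, io.SEEK_END)
    forensic_copy.write(b"\x00")
    intact_after = log.verify(forensic_copy, handler="analyst-2")

    return {
        "acquired_hash": digest,
        "intact_before": intact_before,
        "intact_after": intact_after,
        "analysis_copy_size": len(analysis_copy.getvalue()),
        "log_entries": len(log.entries),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the block prints a summary in which the first verification passes and the second fails, with three custody entries logged (acquisition, a successful check, and the failed check). Hashing both sides during acquisition and re-hashing against the seizure hash before every analysis session is what lets the examiner later state, with evidence, that the material is unchanged from the time it was seized.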
Slide 23: Digital Forensics Methodology
Figure 12-2: Digital forensics process (Source: Course Technology/Cengage Learning)
Slide 24: Evidentiary Procedures
- Organizations should develop specific procedures and guidance for their use