Download presentation
Presentation is loading. Please wait.
Published byErkki Nieminen Modified over 5 years ago
1
MANAGEMENT of INFORMATION SECURITY, Fifth Edition
2
Management of Information Security, 5th Edition, © Cengage Learning
Policy and Ethics Management of Information Security, 5th Edition, © Cengage Learning
3
Management of Information Security, 5th Edition, © Cengage Learning
Policy versus Law The key difference between policy and law is that ignorance of policy is an acceptable defense; therefore, policies must be: Distributed to all individuals who are expected to comply with them Readily available for employee reference Easily understood, with multilingual translations and translations for visually impaired or low-literacy employees Acknowledged by the employee, usually by means of a signed consent form Uniformly enforced for all employees Management of Information Security, 5th Edition, © Cengage Learning
4
Management of Information Security, 5th Edition, © Cengage Learning
Ethics in InfoSec Some define ethics as the organized study of how humans ought to act Others define it as a set of rules we should live by An InfoSec student is not expected to study the topic of ethics in a vacuum, but within a larger ethical framework However, those employed in the area of information security may be expected to be more articulate about the topic than others in the organization, and often must withstand a higher degree of scrutiny Management of Information Security, 5th Edition, © Cengage Learning
5
Ethics in InfoSec The foundations and frameworks of ethics include the following: Normative ethics—The study of what makes actions right or wrong, also known as moral theory—that is, how should people act? Meta-ethics—The study of the meaning of ethical judgments and properties—that is, what is right? Descriptive ethics—The study of the choices that have been made by individuals in the past—that is, what do others think is right? Applied ethics—An approach that applies moral codes to actions drawn from realistic situations; it seeks to define how we might use ethics in practice. Deontological ethics—The study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences; also known as duty-based or obligation-based ethics. This approach seeks to define a person’s ethical duty. Management of Information Security, 5th Edition, © Cengage Learning
6
Ethics in InfoSec From these fairly well-defined and agreed-upon ethical frameworks come a series of ethical standards as follows: Utilitarian approach—Emphasizes that an ethical action is one that results in the most good, or the least harm; this approach seeks to link consequences to choices. Rights approach—Suggests that the ethical action is the one that best protects and respects the moral rights of those affected by that action; it begins with a belief that humans have an innate dignity based on their ability to make choices. Fairness or justice approach—Founded on the work of Aristotle and other Greek philosophers who contributed the idea that all persons who are equal should be treated equally Common good approach—Based on the work of the Greek philosophers, a notion that life in community yields a positive outcome for the individual, and therefore each individual should contribute to that community. Virtue approach—A very ancient ethical model postulating that ethical actions ought to be consistent with so-called ideal virtues—that is, those virtues that all of humanity finds most worthy and that, when present, indicate a fully developed humanity. Management of Information Security, 5th Edition, © Cengage Learning
7
The Ten Commandments of Computer Ethics (Computer Ethics Institute)
Thou shalt not: Use a computer to harm other people Interfere with other people's computer work Snoop around in other people's computer files Use a computer to steal Use a computer to bear false witness Copy or use proprietary software for which you have not paid Use other people's computer resources without authorization or proper compensation Appropriate other people's intellectual output Management of Information Security, 5th Edition, © Cengage Learning
8
Management of Information Security, 5th Edition, © Cengage Learning
The Ten Commandments of Computer Ethics (Computer Ethics Institute cont.) Thou shalt think about the social consequences of the program you are writing or the system you are designing Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans Management of Information Security, 5th Edition, © Cengage Learning
9
Management of Information Security, 5th Edition, © Cengage Learning
Ethics and Education Key studies reveal that the overriding factor in leveling the ethical perceptions within a small population is education Employees must be trained and kept up to date on information security topics, including the expected behaviors of an ethical employee Proper ethical and legal training is vital to creating an informed, well-prepared, and low-risk system user Management of Information Security, 5th Edition, © Cengage Learning
10
Deterring Unethical and Illegal Behavior
It is the responsibility of InfoSec personnel to do everything in their power to deter unethical and illegal acts, using policy, education and training, and technology as controls to protect information There are three general categories of unethical behavior that organizations and society should seek to eliminate: Ignorance - Ignorance of the law is no excuse, but ignorance of policies and procedures is. The first method of deterrence is education Accident - Individuals with authorization and privileges to manage information within the organization have the greatest opportunity to cause harm or damage by accident Intent - Criminal or unethical intent refers to the state of mind of the individual committing the infraction Management of Information Security, 5th Edition, © Cengage Learning
11
Deterring Unethical and Illegal Behavior
Deterrence is the best method for preventing an illegal or unethical activity Laws, policies, and technical controls are all examples of deterrents However, it is generally agreed that laws and policies and their associated penalties only deter if three conditions are present Fear of penalty Probability of being caught Probability of penalty being administered Management of Information Security, 5th Edition, © Cengage Learning
12
Professional Organizations and Their Codes of Ethics
A number of professional organizations have established codes of conduct and/or codes of ethics that members are expected to follow Codes of ethics can have a positive effect on an individual’s judgment regarding computer use It remains the individual responsibility of security professionals to act ethically and according to the policies and procedures of their employers, their professional organizations, and the laws of society Management of Information Security, 5th Edition, © Cengage Learning
13
Association of Computing Machinery
The ACM is a respected professional society, originally established in 1947, as “the world's first educational and scientific computing society” One of the few organizations that strongly promotes education and provides discounted membership for students The ACM’s code of ethics requires members to perform their duties in a manner befitting an ethical computing professional Management of Information Security, 5th Edition, © Cengage Learning
14
Management of Information Security, 5th Edition, © Cengage Learning
International Information Systems Security Certification Consortium, Inc. The code of ethics put forth by (ISC)2 is primarily designed for information security professionals who have earned one of their certifications This code includes four mandatory canons: Protect society, the commonwealth, and the infrastructure Act honorably, honestly, justly, responsibly, and legally Provide diligent and competent service to principals Advance and protect the profession Management of Information Security, 5th Edition, © Cengage Learning
15
Management of Information Security, 5th Edition, © Cengage Learning
SANS Founded in 1989, SANS is a professional research and education cooperative organization with over 156,000 security professionals, auditors, system and network administrators The SANS GIAC Code of Ethics requires: Respect for the public Respect for the certification Respect for my employer Respect for myself Management of Information Security, 5th Edition, © Cengage Learning
16
Management of Information Security, 5th Edition, © Cengage Learning
ISACA ISACA is a professional association with a focus on auditing, control, and security The membership comprises both technical and managerial professionals ISACA also has a code of ethics for its professionals It requires many of the same high standards for ethical performance as the other organizations and certifications Management of Information Security, 5th Edition, © Cengage Learning
17
Management of Information Security, 5th Edition, © Cengage Learning
ISACA Members and ISACA certification holders shall: 1. Support the implementation of, and encourage compliance with, appropriate standards, procedures, and controls for information systems 2. Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards and best practices 3. Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession Management of Information Security, 5th Edition, © Cengage Learning
18
Management of Information Security, 5th Edition, © Cengage Learning
ISACA Members and ISACA certification holders shall (continued): 4. Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority Such information shall not be used for personal benefit or released to inappropriate parties 5. Maintain competency in their respective fields, and agree to undertake only those activities that they can reasonably expect to complete with professional competence Management of Information Security, 5th Edition, © Cengage Learning
19
Management of Information Security, 5th Edition, © Cengage Learning
ISACA Members and ISACA certification holders shall (continued): 6. Inform appropriate parties of the results of work performed, revealing all significant facts known to them 7. Support the professional education of stakeholders in enhancing their understanding of information systems security and control Management of Information Security, 5th Edition, © Cengage Learning
20
Information Systems Security Association (ISSA)
The Information Systems Security Association (ISSA) ( is a nonprofit society of information security professionals As a professional association, its primary mission is to bring together qualified practitioners of information security for information exchange and educational development ISSA provides conferences, meetings, publications, and information resources to promote information security awareness and education ISSA also promotes a code of ethics, similar to those of (ISC)2, ISACA, and the ACM, “promoting management practices that will ensure the confidentiality, integrity, and availability of organizational information resources.” Management of Information Security, 5th Edition, © Cengage Learning
21
Organizational Liability and the Need for Counsel
What if an organization does not support or even encourage strong ethical conduct on the part of its employees? What if an organization does not behave ethically? If an employee, acting with or without the authorization, performs an illegal or unethical act, causing some degree of harm, the organization can be held financially liable for that action An organization increases its liability if it refuses to take measures—due care—to make sure that every employee knows what is acceptable and what is not, and the consequences of illegal or unethical actions Due diligence requires that an organization make a valid and ongoing effort to protect others Management of Information Security, 5th Edition, © Cengage Learning
22
Key Law Enforcement Agencies
The Federal Bureau of Investigation’s InfraGard Program promotes efforts to educate, train, inform, and involve the business and public sector in information security Every FBI field office has established an InfraGard chapter and collaborates with public and private organizations and the academic community to share information about attacks, vulnerabilities, and threats InfraGard’s dominant contribution is the free exchange of information to and from the private sector in the subject areas of threats and attacks on information resources Management of Information Security, 5th Edition, © Cengage Learning
23
Key Law Enforcement Agencies
The National Security Agency (NSA) is the nation's cryptologic organization It coordinates, directs, and performs highly-specialized activities to protect U.S. information systems and produce foreign intelligence information The NSA is responsible for signal intelligence and information system security The NSA’s Information Assurance Directorate (IAD) provides information security “solutions including the technologies, specifications and criteria, products, product configurations, tools, standards, operational doctrine, and support activities needed to implement the protect, detect and report, and respond elements of cyber defense” Management of Information Security, 5th Edition, © Cengage Learning
24
Key Law Enforcement Agencies
The U.S. Secret Service is a department within the Department of the Treasury In addition to its well-known mission to protect key members of the U.S. government, the Secret Service is also charged with the detection and arrest of any person committing a U.S. federal offense relating to computer fraud, as well as false identification crimes The Department of Homeland Security was established with the passage of Public Law , which in part, transferred the United States Secret Service from the Department of the Treasury, to the Department of Homeland Security Management of Information Security, 5th Edition, © Cengage Learning
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.