Lecture 7 - Legal, Ethical & Professional Issues


CC7178
Cyber Security Management

Lecture 7

Legal, Ethical & Professional Issues

CC7178 Cyber Security Management


Learning Objectives
– Differentiate between law and ethics
– Identify some of the major national and
international laws that relate to the practice of
information security
– Understand the role of culture as it applies to
ethics in information security
– Identify current laws, regulations, and relevant
professional organizations' codes of
conduct/ethics


Introduction
• As a future IS professional, you must
understand the scope of an organization's
legal and ethical responsibilities.
• To minimize liabilities and reduce risks, the
information security practitioner must:
– Understand the current legal environment
– Stay current with laws and regulations
– Watch for new issues that emerge


Law and Ethics in Information Security
• Laws: rules that mandate or prohibit certain
societal behavior (formally adopted rules).
• Ethics: define socially acceptable behavior
based on cultural mores (some are universal).
• Cultural mores: relatively fixed moral attitudes
or customs of a particular group (ethics are based
on these).
• Difference: laws carry the sanctions (enforcement)
of a governing authority; ethics do not.


The Legal Environment
• The IS professional and managers must
possess a rudimentary grasp of the legal
framework within which their organizations
operate.
• This legal environment can influence the
organization to a greater or lesser extent,
depending on the nature of the organization
and the scale on which it operates.



Legislative Lag
• A long period of time elapses between
innovations in criminal enterprise and the
response of the state and law enforcement
agencies.
• Illusion: digital crime develops and changes
very rapidly, but it may take years for legislation
to be enacted, by which time the crime may well
have mutated or developed into a different
form.


Types of Law
• Civil law: represents a wide variety of laws that
govern a nation/state.
• Criminal law: addresses violations harmful to
society and is actively enforced and prosecuted by
the state.
• Tort law: a subset of civil law that allows
individuals to seek recourse against others in the
event of personal, physical, or financial injury.


Types of Law
• Private law
regulates the relationships among individuals and
between individuals and organizations, and
encompasses family law, commercial law, and labor
law.

• Public law
regulates the structure and administration of
government agencies and their relationships with
citizens, employees, and other governments, and
includes criminal, administrative, and constitutional
law.



Relevant US Laws (General)
• Computer Fraud and Abuse Act of 1986 (CFA Act)
• Computer Security Act of 1987
• Telecommunications Deregulation and Competition
Act of 1996
• National Information Infrastructure Protection Act of
1996
• Communications Decency Act of 1996 (CDA)
• USA Patriot Act of 2001



Relevant US Laws (continued; the content of these three slides is not captured in the text)


Relevant UK Laws (General)
• Copyright, Designs and Patent Act (1988)
• Computer Misuse Act (1990)
• Human Rights Act (1998)
• Data Protection Act (1998)
• Regulation of Investigatory Powers Act (2000)
• ... and others


Data Protection Act (1998)
(http://www.opsi.gov.uk/Acts/Acts1998/ukpga_19980029_en_1)

• Received Royal Assent on 16 July 1998; came into
force early 1999
• Followed EC Directive 95/46/EC, ratified on 24 Oct
1995, which requires:
"Member States to protect the fundamental rights
and freedoms of natural persons, in particular their
right to privacy with respect to the processing of
personal data."
• The UK decided to introduce domestic legislation to
satisfy the requirements of the Directive


Data Protection Act (1998)
Definitions
Personal Data
means data that relate to a living individual who can be
identified from those data and includes any expression of
opinion about the individual

Processing
means obtaining, recording or holding the data including
organisation, adaptation or alteration and disclosure of
the information contained in the data



Data Protection Act (1998)
Principles of Data Protection Act
• Information shall be obtained and processed 'fairly and lawfully'
• Information shall be held only for one or more specific and lawful
purposes
• Companies should not hold information that is excessive or not
relevant to the purposes the company has registered under the
Act.
• Information held on individuals should be accurate and up-to-
date
• Information should not be held for longer than necessary
• Individuals have the right to see the data held on them and have
corrections made where necessary
• Companies must take measures to protect information from
unauthorised access.


Data Protection Act (1998)
Individuals' Rights
• Right of subject access
• Entitled to be told of the logic involved
• If the data subject believes that a data controller has failed to
comply with subject access request they may apply for a Court
Order.
• Right to prevent processing likely to cause damage or distress
• Right to prevent processing for the purposes of direct marketing
• Rights in relation to automated decision-taking
• Right to take action for compensation if the individual suffers
damage by any contravention of the Act by the data controller
• Right to take action to rectify, block, erase or destroy inaccurate
data
• Right to make a request to the Commissioner for an assessment
to be made as to whether any Provision of the Act has been
contravened.



Data Protection Act (1998)
Exemptions
• Primary Exemptions
National Security, Crime, Taxation, Health, Education and
Social Work.
• Special Purpose Exemptions
Publication of journalistic, literary or artistic material if in the
public interest; could also include research, historical and
statistical studies.
• Miscellaneous Exemptions
Personal data concerning the armed forces, judicial and
ministerial appointments, even candidates' examination
scripts are all exempt from subject information provisions.



Data Protection Act (1998)
Check List for Business
Make sure that:
• Manual records are treated the same as automated records,
especially regarding providing subject access.
• Any processing of personal data is solely on the basis of one
of the specified criteria, including those for sensitive data.
• Procedures meet all requirements for informing individuals
when obtaining or disclosing data.
• Subject access procedures are modified to provide additional
material required.
• Data sent outside the European Economic Area (EEA) will
get adequate protection or that one of the exceptions applies.
• Registered entries are brought up-to-date, and rationalised
and consolidated as far as possible.
• Advice from government and the Commissioner is heeded
especially on transitional arrangements.



Computer Misuse Act (1990)
(http://www.opsi.gov.uk/acts/acts1990/UKpga_19900018_en_1.htm)

An Act to make provision for securing computer material
against unauthorised access or modification; and for
connected purposes. Offences include:
• unauthorised access to computer material
• unauthorised access with the intention of carrying out
or assisting others with the commission of further
offences
• unauthorised modification of computer material
• impairing the operation of a program or the reliability of
the data
• preventing or hindering access to any program or data


Copyright, Designs and Patent Act (1988)
(http://www.opsi.gov.uk/acts/acts1988/UKpga_19880048_en_1.htm)

• The Act is the chief defence to protect organisations and software
developers from the unauthorised copying of designs, software,
printed materials and any other works.
• It allows a company to safeguard its intellectual property rights
(IPR) against competitors and others who might wish to profit from
the company's research and investment.

Intellectual property (IP)
• A generic term used to describe designs, ideas and inventions.
• In general, IP covers the areas of patents, trademarks, designs and
copyright.


Copyright, Designs and Patent Act (1988)
Significant issues are:
• Ownership of bespoke software developed for the
company by a consultant
• Employees taking software to another company
• Software theft
Potential problems:
• ownership of work
• rights to any materials produced
• number of licenses
How to deal with these potential problems
• Companies should establish ownership of materials by
recording their details.
• All contracts should include clauses dealing with
copyright ownership.
• Regular software audits are essential.



Other Legislation
Regulation of Investigatory Powers (RIP) Act (2000)
• allows electronic communications to be monitored
by government agencies.
Human Rights Act (1998)
• provides UK citizens with a set of fundamental
rights, including a right to privacy - applies to whole
of EU.
Freedom of Information Act (2000)
• extends the Data Protection Act 1998 provisions
about subject access and data accuracy to all
personal information held by public authorities.



International Laws and Legal Bodies
• Many domestic laws and customs do not apply
to international trade, which is governed by
international treaties and trade agreements.
• Because of the political complexities of the
relationships among nations and cultural
differences, there are currently few
international laws relating to privacy and
information security.



European Convention on
Cybercrime
• http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm
• A legally binding text since 2004
• Ratified by 21 countries, with 22 more remaining as
signatories (including the UK)


European Convention on
Cybercrime (cont.)
European Council Cyber-Crime Convention:
(http://epic.org/privacy/intl/ccc.html)
• Establishes international task force overseeing Internet security
functions for standardized international technology laws.
• Attempts to improve effectiveness of international investigations into
breaches of technology law.

• The overall goal is to simplify the acquisition of information for law
enforcement agents in certain types of international crimes, as well as
the extradition process.
• Well received by intellectual property rights advocates due to
emphasis on copyright infringement prosecution.
• Lacks realistic provisions for enforcement.


Digital Millennium Copyright Act
(DMCA)
Digital Millennium Copyright Act (DMCA):
(http://en.wikipedia.org/wiki/Digital_Millennium_Copyright_Act)

• U.S. contribution to international effort to reduce impact of
copyright, trademark, and privacy infringement.
• A response to European Union Directive 95/46/EC, which
adds protection to individuals with regard to processing
and free movement of personal data.
• UK has already implemented a version of this directive.


The Digital Millennium Copyright Act (DMCA) is a United States copyright law
that implements two 1996 treaties of the World Intellectual Property Organization
(WIPO). It criminalizes production and dissemination of technology, devices, or
services intended to circumvent measures (commonly known as digital rights
management or DRM) that control access to copyrighted works. It also criminalizes
the act of circumventing an access control, whether or not there is actual
infringement of copyright itself. In addition, the DMCA heightens the penalties for
copyright infringement on the Internet. Passed on October 12, 1998 by a
unanimous vote in the United States Senate and signed into law by President Bill
Clinton on October 28, 1998, the DMCA amended Title 17 of the United States
Code to extend the reach of copyright, while limiting the liability of the providers of
on-line services for copyright infringement by their users.
On May 22, 2001, the European Union passed the Copyright Directive or EUCD,
which addresses some of the same issues as the DMCA. But the DMCA's principal
innovation in the field of copyright, the exemption from direct and indirect liability of
internet service providers and other intermediaries (Title II of the DMCA), was
separately addressed, and largely followed, in Europe by means of the separate
Electronic Commerce Directive. (Unlike U.S. federal laws and regulations, the
execution of European Union directives usually requires separate legislation by or
within each of the Union's member states.)



United Nations Charter
(http://en.wikipedia.org/wiki/United_Nations_Charter)

• Makes provisions, to a degree, for information security
during Information Warfare (IW).
• IW involves use of information technology to conduct
organized and lawful military operations.
• IW is a relatively new type of warfare, although the military
has been conducting electronic warfare operations for
decades.


International Laws and Legal Bodies (continued; slide content not captured in the text)


Policy Versus Law
• Most organizations develop and formalize a body
of expectations called policy.
• Policies serve as organizational laws. Unlike law
however, ignorance is an acceptable defense.
• To be enforceable, policy must be distributed,
readily available, easily understood, and
acknowledged by employees.



Ethics and Information Security
The Ten Commandments of Computer Ethics (from the Computer
Ethics Institute)
Thou shalt not:
• Use a computer to harm other people
• Interfere with other people's computer work
• Snoop around in other people's computer files
• Use a computer to steal
• Use a computer to bear false witness
• Copy or use proprietary software for which you have not paid
• Use other people's computer resources without authorization or
proper compensation
• Appropriate other people's intellectual output
Thou shalt:
• Think about the social consequences of the program you are writing or
the system you are designing
• Always use a computer in ways that ensure consideration and respect
for your fellow humans


Ethical Differences across Cultures
• Cultural differences create difficulty in
determining what is and is not ethical.
• Difficulties arise when one nationality's ethical
behavior conflicts with the ethics of another national
group.
• Individuals of different nationalities may have
different perspectives on the ethics of computer
use.


Ethical Differences across
Cultures (cont.)
• Differences in computer use ethics are not exclusively
cultural.
• Differences are found among individuals within the same
country, same social class, and same company.
• Overriding factor in leveling the ethical perceptions within
a small population is education.
• Employees must be trained in expected behaviors of an
ethical employee, especially in areas of information
security.



Deterrence to Unethical and
Illegal Behavior
• Deterrence is the best method for preventing an
illegal or unethical activity.
• Examples of deterrents include laws, policies, and
technical controls.
• However, laws and policies and their associated
penalties only deter if three conditions are present:
– Fear of penalty
– Probability of being caught
– Probability of penalty being administered


Ethical and Professional Issues
• Professionalism (professional standard)
• Ethics (common belief)
• Morality (personal belief)

(Figure: the IS professional at the centre, surrounded by four influences: Profession (code of conduct), Society and Public (safety), State (legislation) and Personal (values).)


Codes of Ethics & Professional
Organizations
• Several professional organizations have established
codes of conduct/ethics.
• Codes of conduct can have a positive effect on an
individual's judgment regarding computer use.
Unfortunately, many employers do not encourage
joining these professional organizations.
• It is the responsibility of IS professionals to act ethically and
according to the policies of their employer, professional
organization, and the laws of society.


British Computer Society
(http://www.bcs.org/)

BCS Code of Conduct
(http://www.bcs.org/server.php?show=conWebDoc.1588)

Rules which are grouped into the principal duties that all
members should endeavour to discharge in pursuing their
professional lives:
• The Public Interest
• Duty to Employers and Clients
• Duty to the Profession
• Professional Competence and Integrity


Association of Computing
Machinery (ACM)
• ACM established in 1947 as “the world's first educational
and scientific computing society”.
• One of the few organizations that strongly promotes
education and provides discounted membership for
students.
• Code of ethics contains references to protecting
information confidentiality, causing no harm, protecting
others' privacy, and respecting others' intellectual
property. (http://cacm.acm.org/magazines/1992/5/9355-acm-code-of-ethics-and-professional-conduct/comments?searchterm=code+of+conduct)


International Information Systems Security
Certification Consortium, Inc. (ISC)2
(http://en.wikipedia.org/wiki/(ISC)%C2%B2)

• Non-profit organization focusing on development and
implementation of information security certifications and
credentials.
• Code primarily designed for information security
professionals who have certification from (ISC)2.
• Code of ethics focuses on four mandatory canons:
– Protect society, the commonwealth, and the infrastructure
– Act honorably, honestly, justly, responsibly, and legally
– Provide diligent and competent service to principals
– Advance and protect the profession


System Administration, Networking,
and Security Institute (SANS)
(http://www.sans.org/)
• Founded in 1989, SANS is a professional organization
with over 156,000 security professionals, auditors, system
and network administrators.
• SANS offers set of certifications called Global Information
Assurance Certification (GIAC), whose Code of Ethics
requires:
– Respect for the public
– Respect for the certification
– Respect for my employer
– Respect for myself



Information Systems Audit and Control
Association (ISACA)
(http://www.isaca.org/)

• Professional association with focus on auditing,
control, and security.
• The membership comprises both technical and
managerial professionals.
• Concentrates on providing IT control practices and
standards.
• ISACA has a code of ethics for its professionals.


Information Systems Audit and Control
Association (ISACA) (cont.)
• Nonprofit society of information security professionals.
• Primary mission to bring together qualified IS
practitioners for information exchange and educational
development.
• Promotes code of ethics similar to (ISC)2, ISACA and
ACM, “promoting management practices that will ensure
the confidentiality, integrity, and availability of
organizational information resources.”



Organizational Liability
and the Need for Counsel
• What if an organization does not support or encourage strong
ethical conduct on the part of its employees?
• What if an organization does not behave ethically?
• If an employee, acting with or without the authorization, performs an
illegal or unethical act, causing some degree of harm, the
organization can be held financially liable for that action.
• An organization increases its liability (legal obligation) if it refuses
to take measures known as due care, to make sure that every
employee knows what is acceptable and what is not, and the
consequences of illegal or unethical actions.
• Due diligence requires that an organization make a valid and
ongoing effort to protect others.

Summary
• Law and Ethics in Information Security
– Laws: rules that mandate or prohibit certain
behavior in society; drawn from ethics.
– Ethics: define socially acceptable behaviors;
based on cultural mores (fixed moral attitudes
or customs of a particular group)
• Professional Organizations' Codes of
Conduct/Ethics
• Organizational Liability and the Need for Counsel