MgmtOfInfoSec 6e-Ch02 PR


Management of Information Security, 6th ed.
- Whitman & Mattord

© 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.

Learning Objectives

• Upon completion of this material, you should be able to:
  • Differentiate between law and ethics
  • Describe the ethical foundations and approaches that underlie modern codes of ethics
  • Discuss relevant professional security organizations and their role and relationship to organizational InfoSec
  • Describe why ethical codes of conduct are important to InfoSec professionals and their organizations
  • Identify significant national and international laws that relate to the practice of InfoSec
  • Explain the challenges and methods associated with the management of digital forensics in an organization

Introduction

• As a future information security professional, you will be required to understand the scope of an organization’s legal and ethical responsibilities
• To minimize the organization’s liabilities, the information security practitioner must understand the current legal environment and keep apprised of new laws, regulations, and ethical issues as they emerge
• By educating employees and management about their legal and ethical obligations and the proper use of information technology and information security, security professionals can keep an organization focused on its primary mission

Introduction (Continued)

• The InfoSec professional has a unique position within the organization, entrusted with the organization’s information
• Not only are they responsible for protecting the information, they are also privy to the secrets and structures of the systems that store, transmit, use, and protect that information
• Thus, they must be beyond reproach, with the highest ethical and moral standards

Ethics in InfoSec
Chapter 02: Compliance: Law and Ethics

Ethics in InfoSec

• Some define ethics as the organized study of how humans ought to act
• Others define it as a set of rules we should live by
• An InfoSec student is not expected to study the topic of ethics in a vacuum, but within a larger ethical framework
• However, those employed in the area of information security may be expected to be more articulate about the topic than others in the organization, and often must withstand a higher degree of scrutiny

Ethics in InfoSec (Continued)

• The foundations and frameworks of ethics include the following:
  • Normative ethics
  • Meta-ethics
  • Descriptive ethics
  • Applied ethics
  • Deontological ethics

Ethics in InfoSec (Continued)

• From these fairly well-defined and agreed-upon ethical frameworks come a series of ethical standards, as follows:
  • Utilitarian approach
  • Rights approach
  • Fairness or justice approach
  • Common good approach
  • Virtue approach

The Ten Commandments of Computer Ethics (Computer Ethics Institute)

1. Thou shalt not use a computer to harm other people
2. Thou shalt not interfere with other people's computer work
3. Thou shalt not snoop around in other people's computer files
4. Thou shalt not use a computer to steal
5. Thou shalt not use a computer to bear false witness
6. Thou shalt not copy or use proprietary software for which you have not paid
7. Thou shalt not use other people's computer resources without authorization or proper compensation
8. Thou shalt not appropriate other people's intellectual output
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing
10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans

(Source: Computer Professionals for Social Responsibility)

Ethics and Education

• Key studies reveal that the overriding factor in leveling the ethical perceptions within a small population is education
• Employees must be trained and kept up-to-date on InfoSec topics, including the expected behaviors of an ethical employee
• Proper ethical and legal education, training, and awareness are vital to creating an informed, well-prepared, and low-risk system user

Deterring Unethical and Illegal Behavior

• It is the responsibility of InfoSec personnel to deter unethical and illegal acts, using policy, education and training, and technology as controls or safeguards, in order to protect the organization’s information and systems
• There are three general categories of unethical behavior that organizations and society should seek to eliminate:
  • Ignorance
  • Accident
  • Intent

Deterring Unethical and Illegal Behavior (Continued)

• Deterrence is the best method for preventing an illegal or unethical activity
• Laws, policies, and technical controls are all examples of deterrents
• However, laws and policies and their associated penalties only deter if three conditions are present:
  • Fear of penalty
  • Probability of being caught
  • Probability of penalty being administered

Professional Organizations and Their Codes of Conduct
Chapter 02: Compliance: Law and Ethics

Professional Organizations and Their Codes of Ethics

• A number of professional organizations have established codes of conduct and/or codes of ethics that members are expected to follow
• Codes of ethics can have a positive effect on an individual’s judgment regarding computer use
• It remains the individual responsibility of security professionals to act ethically and according to the policies and procedures of their employers, their professional organizations, and the laws of society

Association of Computing Machinery

• The ACM is a respected professional society, originally established in 1947, as the world's first educational and scientific computing society
• ACM is one of the few organizations that strongly promotes education and provides discounted membership for students
• The ACM’s code of ethics requires members to perform their duties in a manner befitting an ethical computing professional

International Information Systems Security Certification Consortium, Inc. (ISC)2

• The code of ethics put forth by (ISC)2 is primarily designed for information security professionals who have earned one of their certifications
• This code includes four mandatory canons:
  • Protect society, the commonwealth, and the infrastructure
  • Act honorably, honestly, justly, responsibly, and legally
  • Provide diligent and competent service to principals
  • Advance and protect the profession

SANS

• Founded in 1989, SANS is a professional research and education cooperative organization with a large membership, dedicated to the protection of information and systems
• The SANS GIAC Code of Ethics requires:
  • Respect for the public
  • Respect for the certification
  • Respect for my employer
  • Respect for myself

ISACA

• ISACA is a professional association with a focus on auditing, control, and security
• The membership comprises both technical and managerial professionals
• ISACA also has a code of ethics for its professionals and requires many of the same high standards for ethical performance as the other organizations and certifications

Information Systems Security Association (ISSA)

• ISSA is a nonprofit society of information security professionals
• Its primary mission is to bring together qualified practitioners of information security for information exchange and educational development
• ISSA provides conferences, meetings, publications, and information resources to promote information security awareness and education
• ISSA also promotes a code of ethics, similar to those of (ISC)2, ISACA, and the ACM, “promoting management practices that will ensure the confidentiality, integrity, and availability of organizational information resources”

Information Security and Law
Chapter 02: Compliance: Law and Ethics

Types of Law

• Types of laws can be categorized based on their origins:
  • Constitutional law
  • Statutory law
  • Regulatory or administrative law
  • Common law, case law, and precedent
• Within statutory law, laws can be further divided by their association with individuals, groups, and the state:
  • Civil law—including contract law, employment law, family law, and tort law
  • Criminal law

Types of Law (Continued)

• Yet another distinction addresses how legislation affects individuals in society and is categorized as:
  • Private law—a subset of civil law that encompasses family law, commercial law, and labor law
  • Public law—includes criminal law, administrative law, and constitutional law

General Computer Crime Laws

• The Computer Fraud and Abuse (CFA) Act of 1986 is the cornerstone of many computer-related federal laws
• It was amended by the National Information Infrastructure Protection Act of 1996
• Punishments for offenses include fines and/or imprisonment for up to 20 years, and depend on the value of the information obtained and whether the offense is judged to have been committed:
  • for purposes of commercial advantage;
  • for private financial gain; or
  • in furtherance of a criminal act

General Computer Crime Laws (Continued)

• The CFA Act was further modified by the USA PATRIOT Act of 2001—“Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act”—providing law enforcement agencies with broader latitude to combat terrorism-related activities after the 9/11 attacks on the New York World Trade Center
• The USA PATRIOT Act of 2001 was updated and extended, in many cases permanently, through the USA PATRIOT Improvement and Reauthorization Act of 2005

General Computer Crime Laws (Continued)

• In May 2015, the U.S. Senate failed to extend the USA PATRIOT Act, resulting in the expiration of many of its components on June 1, 2015
• The controversy over a section that allowed the National Security Agency (NSA) to collect metadata resulted in the modification and incorporation of those components in the USA FREEDOM Act (Uniting and Strengthening America by Fulfilling Rights and Ending Eavesdropping, Dragnet-collection and Online Monitoring Act), which was signed into law in June 2015

General Computer Crime Laws (Continued)

• The Computer Security Act (CSA) of 1987 was one of the first attempts to protect federal computer systems by establishing minimum acceptable security practices
• The Computer Security Act established a Computer System Security and Privacy Advisory Board within the Department of Commerce
• Another provision requires mandatory periodic training in computer security awareness and accepted computer security practice for all users of federal computer systems

General Computer Crime Laws (Continued)

• The CSA charged the National Bureau of Standards (now NIST) and the National Security Agency with the development of:
  • Standards, guidelines, and associated methods and techniques for computer systems
  • Uniform standards and guidelines for most federal computer systems
  • Technical, management, physical, and administrative standards and guidelines for the cost-effective security and privacy of sensitive information in federal computer systems
  • Guidelines for use by operators of federal computer systems that contain sensitive information in training their employees in security awareness and accepted security practice
  • Validation procedures for, and evaluation of the effectiveness of, standards and guidelines through research and liaison with other government and private agencies

Privacy Laws

• Many organizations collect, trade, and sell personal information as a commodity, and many individuals are becoming aware of these practices and looking to their governments to protect their privacy
• Today, information aggregation from multiple sources permits unethical organizations to build databases with alarming quantities of personal information
• Privacy in this context is not absolute freedom from observation; rather, it is defined as the “state of being free from unsanctioned intrusion”

Privacy Laws (Continued)

• The Federal Privacy Act of 1974 regulates the government’s use of private information; it was created to ensure that government agencies protect the privacy of individuals’ and businesses’ information, and makes them responsible if any portion of this information is released without permission
• The Electronic Communications Privacy Act (ECPA) of 1986 is a collection of statutes that regulates the interception of wire, electronic, and oral communications and is commonly referred to as the “wiretapping act”
• The ECPA works in cooperation with the Fourth Amendment of the U.S. Constitution, which prohibits search and seizure without a warrant

Privacy Laws (Continued)

• The Health Insurance Portability and Accountability Act (HIPAA) of 1996, also known as the Kennedy-Kassebaum Act, attempts to protect the confidentiality and security of health care data by establishing and enforcing standards and by standardizing electronic data interchange
• HIPAA requires organizations that retain health care information to use information security mechanisms to protect this information, as well as policies and procedures to maintain them
• It also requires a comprehensive assessment of the organization's information security systems, policies, and procedures

Privacy Laws (Continued)

• HIPAA provides guidelines for the use of electronic signatures based on security standards ensuring message integrity, user authentication, and nonrepudiation
• HIPAA has five fundamental privacy principles:
  • Consumer control of medical information
  • Boundaries on the use of medical information
  • Accountability for the privacy of private information
  • Balance of public responsibility for the use of medical information for the greater good, measured against impact to the individual
  • Security of health information

ARRA and HITECH

• Enacted in 2009, the American Recovery and Reinvestment Act (ARRA) was designed to provide a response to the economic crisis in the United States
• The act was specifically focused on providing tax cuts and funding for programs, federal contracts, grants, and loans
• The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of ARRA and in cooperation with HIPAA, also requires that covered entities notify information owners of breaches

Gramm-Leach-Bliley (GLB) Act of 1999

• The Financial Services Modernization Act, or Gramm-Leach-Bliley (GLB) Act of 1999, contains a number of provisions that affect banks, securities firms, and insurance companies
• The act requires all financial institutions to disclose their privacy policies, describing how they share nonpublic personal information and how customers can request that their information not be shared with third parties
• The act also ensures that the privacy policies in effect in an organization are fully disclosed when a customer initiates a business relationship and distributed at least annually for the duration of the professional association

Export and Espionage Laws

• In an attempt to protect intellectual property and competitive advantage, Congress passed the Economic Espionage Act (EEA) in 1996
• This law attempts to protect trade secrets:
  • “from the foreign government that uses its classic espionage apparatus to spy on a company, to the two American companies that are attempting to uncover each other's bid proposals, or to the disgruntled former employee who walks out of his former company with a computer diskette full of engineering schematics”

Export and Espionage Laws (Continued)

• The Security and Freedom through Encryption Act of 1997 provides guidance on the use of encryption and institutes measures of public protection from government intervention
• Specifically, the act reinforces an individual’s right to use or sell encryption algorithms, without concern for the impact of other regulations requiring some form of key registration
• The act prohibits the federal government from requiring the use of encryption for contracts, grants, and other official documents, and correspondence

U.S. Copyright Law

• Extends protection to intellectual property, which includes words published in electronic formats
• The doctrine of fair use allows material to be quoted for the purpose of news reporting, teaching, scholarship, and a number of other related activities, so long as the purpose is educational and not for profit and the usage is not excessive
• Proper acknowledgement must be provided to the author and/or copyright holder of such works, including a description of the location of source materials by using a recognized form of citation

Freedom of Information Act (FOIA) of 1966

• All federal agencies are required under the Freedom of Information Act (FOIA) to disclose records requested in writing by any person
• The FOIA applies only to federal agencies and does not create a right of access to records held by Congress, the courts, or by state or local government agencies
• Each state has its own public access laws that should be consulted for access to state and local records

Sarbanes-Oxley (SOX) Act of 2002

• Designed to enforce accountability for financial record keeping and reporting at publicly traded corporations
• The law requires that the CEO and CFO assume direct and personal accountability for the completeness and accuracy of a publicly traded organization’s financial reporting and record-keeping systems
• As these executives attempt to ensure that the integrity of recording and reporting systems is sound—often relying upon the expertise of CIOs and CISOs to do so—they must also maintain the availability and confidentiality of information

Breach Laws

• A breach law specifies a requirement for organizations to notify affected parties when they have experienced a specified type of loss of information
• Most of these laws also require some form of after-breach support from the organization, such as free or discounted credit monitoring, progress reports, and a description of actions taken to rectify the incident and prevent reoccurrence
• Although the United States currently does not have a national breach law, several bills and proposals are being reviewed by the U.S. Congress

International Laws and Legal Bodies

• Many domestic laws and customs do not apply to international trade, which is governed by international treaties and trade agreements
• Because of the political complexities of the relationships among nations and cultural differences, there are currently few international laws relating to privacy and information security

European Council Cybercrime Convention

• Empowers an international task force to oversee a range of Internet security functions and to standardize technology laws internationally
• It also attempts to improve the effectiveness of international investigations into breaches of technology law
• The overall goal of the convention is to simplify the acquisition of information for law enforcement agents in certain types of international crimes, as well as the extradition process

Digital Millennium Copyright Act (DMCA)

• The Digital Millennium Copyright Act (DMCA) is a U.S.-based international effort to reduce the impact of copyright, trademark, and privacy infringement, especially infringement carried out by removing (circumventing) technological copyright protection measures
• The European Union created Directive 95/46/EC, which increases individual rights to process and freely move personal data
• The United Kingdom has already implemented a version of this directive called the Database Right


Australian High Tech Crime

• High tech crimes are defined and prosecuted in Australia under its Commonwealth legislation Part 10.7—Computer Offences of the Criminal Code Act 1995
• That law specifically includes:
  • data system intrusions (such as hacking);
  • unauthorized destruction or modification of data;
  • actions intended to deny service of computer systems to intended users, such as denial-of-service (DoS) attacks and distributed denial-of-service (DDoS) attacks using botnets; and
  • the creation and distribution of malicious software


State and Local Regulations

• It is the responsibility of information security professionals to understand state laws and regulations and ensure that their organization’s security policies and procedures comply with the laws and regulations
• The Georgia Computer Systems Protection Act has various computer security provisions and establishes specific penalties for use of information technology to attack or exploit information systems in organizations
• The Georgia Identity Theft Law requires that a business may not discard a record containing personal information unless it shreds, erases, modifies, or otherwise makes the information irretrievable


Standards Versus Law

• A variety of groups have created standards that offer guidance on how information security could or should be applied to industry segments or geographic areas
• Some industries have security requirements defined at least in part by government regulations; banking, health care, and education come to mind
• Other industries impose binding requirements on themselves that include significant enforcement mechanisms—for example, the credit card processing requirements from the Payment Card Industry Security Standards Council

PCI DSS

• The Payment Card Industry Data Security Standard (PCI DSS) is a set of industry standards that are mandated for any organization that handles credit, debit, and specialty payment cards in an effort to reduce credit card fraud
• The current standard (3.2) is presented by the PCI Security Standards Council as focusing on 12 requirements in six areas


PCI DSS (Continued)

• Secure Network and Systems Development and Maintenance
  1. Firewall installation and operation (protection of cardholder data)
  2. Modification of default system passwords and configurations
• Cardholder Data Protection
  3. General protection of cardholder data storage
  4. Use of encryption when transmitting cardholder data across open, public networks
• Vulnerability Management Program Maintenance
  5. Use of maintained and updated malware and anti-virus protection
  6. Secure systems and application development and maintenance


PCI DSS (Continued)

• Strong Access Control Measure Implementation
  7. Use of need-to-know access controls for cardholder data
  8. Formal access controls for system components emphasizing effective identification and authentication procedures
  9. Management of physical security for cardholder data access
• Network Monitoring and Testing
  10. Network resources and cardholder data monitored, tracked, and audited
  11. Security systems and processes periodically tested
• Information Security Policy Maintenance
  12. Effective and comprehensive information security policy developed and implemented for all personnel


PCI DSS (Continued)

• The benefits of PCI DSS compliance, as promoted by the PCI Security Standards Council, include:
  • An assertion that systems processing payment cards are secure, promoting trust in customers
  • Improved reputation with payment card issuers and payment processing organizations
  • Prevention of security breaches
  • Assistance in complying with other security standards, such as HIPAA, SOX, and GLB
  • Support for organizational security strategies
  • Increased efficiency of the information infrastructure


Policy Versus Law

• Because policies function like laws, they must be crafted with the same care as laws to ensure that the policies are complete, appropriate, and fairly applied to everyone in the workplace
• The key difference between policy and law is that while ignorance of the law is not an excuse (ignorantia juris non excusat), ignorance of policy is a viable defense, thus policies must be:
  • Distributed to all individuals who are expected to comply with them
  • Read by all employees
  • Understood by all employees, with multilingual translations and translations for visually impaired or low-literacy employees
  • Acknowledged by the employee, usually by means of a signed consent form
  • Uniformly enforced, with no special treatment for any group (e.g., executives)

Organizational Liability and the
Management of Digital Forensics
Chapter 02: Compliance: Law and Ethics


Organizational Liability and the Need for Counsel

• If an employee, acting with or without authorization, performs an illegal or unethical act, causing some degree of harm, the organization can be held financially liable for that action
• An organization increases its liability if it refuses to take measures—due care—to make sure that every employee knows what is acceptable, what is not acceptable, and the consequences of illegal or unethical actions
• Due diligence requires that an organization make a valid and ongoing effort to protect others


Key Law Enforcement Agencies

• The Federal Bureau of Investigation’s InfraGard Program promotes efforts to educate, train, inform, and involve the business and public sector in information security
• Every FBI field office has established an InfraGard chapter and collaborates with public and private organizations and the academic community to share information about attacks, vulnerabilities, and threats
• InfraGard’s dominant contribution is the free exchange of information to and from the private sector in the subject areas of threats and attacks on information resources

Key Law Enforcement Agencies (Continued)

• The National Security Agency (NSA) coordinates, directs, and performs highly specialized activities to protect U.S. information systems and produce foreign intelligence information, and it is also responsible for the security of communications and information systems at many federal government agencies associated with national security
• The NSA’s Information Assurance Directorate (IAD) provides information security “solutions including the technologies, specifications and criteria, products, product configurations, tools, standards, operational doctrine, and support activities needed to implement the protect, detect and report, and respond elements of cyber defense”


Key Law Enforcement Agencies (Continued)

• In addition to its well-known mission to protect key members of the U.S. government, the U.S. Secret Service is also charged with the detection and arrest of any person committing a U.S. federal offense relating to computer fraud as well as false identification crimes
• The Secret Service was transferred from the Department of the Treasury to the Department of Homeland Security in March 2003
• Since that time, the DHS has added to its critical infrastructure defense strategies the protection of the nation’s cyber infrastructures

Managing Digital Forensics

• When—not if—an organization finds itself having to deal with a suspected policy or law violation, it must appoint an individual to investigate it
• How the internal investigation proceeds will dictate whether or not the organization has the ability to take action against the perpetrator if in fact evidence is found that substantiates the accusation
• In order to protect the organization, and to possibly assist law enforcement in the conduct of an investigation, the investigator (CISO or other individual) must act to document what happened and how

Digital Forensics

• Forensics is the coherent application of methodical investigatory techniques to present evidence of crimes in a court or court-like setting
• Digital forensics involves the preservation, identification, extraction, documentation, and interpretation of digital media for evidentiary and/or root cause analysis
• Like traditional forensics, it follows clear, well-defined methodologies, but still tends to be as much art as science


Digital Forensics (Continued)

• Evidentiary material (EM), also known as an item of potential evidentiary value, is any information that could potentially support the organization’s legal- or policy-based case against a suspect
• An item does not become evidence until it is formally admitted to evidence by a judge or other ruling official


Digital Forensics (Continued)

• Digital forensics can be used for two key purposes:
  • To investigate allegations of digital malfeasance—a crime against or using digital media, computer technology, or related components
  • To perform root cause analysis—if an incident occurs and the organization suspects an attack was successful, digital forensics can be used to examine the path and methodology used to gain unauthorized access as well as to determine how pervasive and successful the attack was


Digital Forensics Team

• Most organizations cannot sustain a permanent digital forensics team
• Even so, there should be people in the InfoSec group trained to understand and manage the forensics process
• This expertise can be obtained by sending employees to a regional or national InfoSec conference with a digital forensics track or to dedicated digital forensics training


Affidavits and Search Warrants

• Many investigations begin with an allegation or an indication of an incident
• In law enforcement, the investigating agent would create an affidavit, which when signed by an approving authority becomes a search warrant and grants permission to search the specified location and to seize items to return to the investigator’s lab for examination
• In corporate environments, the names of these documents may change and in many cases may be verbal in nature, but the process should be the same


Digital Forensics Methodology

• In digital forensics, all investigations follow the same basic methodology:
  1. Identify relevant items of evidentiary value (EM)
  2. Acquire (seize) the evidence without alteration or damage
  3. Take steps to assure that the evidence is at every step verifiably authentic and is unchanged from the time it was seized
  4. Analyze the data without risking modification or unauthorized access
  5. Report the findings to the proper authority


Evidentiary Policy and Procedures

• Organizations should develop specific digital forensics procedures, along with policy providing guidance on the use of these procedures
• EM policy should specify:
  • Who may conduct an investigation
  • Who may authorize an investigation
  • What affidavit-related documents are required
  • What search warrant-related documents are required
  • What digital media may be seized or taken offline
  • What methodology should be followed
  • What methods are required for chain of custody or chain of evidence
  • What format the final report should take and to whom it should be given
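As an added illustration of methodology steps 2 and 3 (acquire without alteration, keep the evidence verifiably unchanged) and of the chain-of-custody methods an EM policy must name, the following example code was written for this page; it is not from the textbook or from any forensics product. It hashes each item at acquisition, re-hashes it before every hand-off, and keeps a hash-chained custody ledger so that edits to the log itself are also detectable; the item ID, custodian names and the sample file are constructed.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large disk images never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

class CustodyLedger:
    """Append-only chain-of-custody log; every entry commits to the previous one."""

    def __init__(self):
        self.entries = []

    def record(self, action, item_id, custodian, evidence_hash, note=""):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {"seq": len(self.entries), "time": datetime.now(timezone.utc).isoformat(),
                 "action": action, "item_id": item_id, "custodian": custodian,
                 "evidence_hash": evidence_hash, "note": note, "prev_entry_hash": prev}
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self):
        """True only if no entry was edited, reordered or removed after being written."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_entry_hash"] != prev or e["entry_hash"] != self._digest(e):
                return False
            prev = e["entry_hash"]
        return True

def acquire(source, evidence_dir, item_id, custodian, ledger):
    """Step 2: copy the item, hashing source and copy so the acquisition itself is verifiable."""
    before = sha256_file(source)
    dest = Path(evidence_dir) / f"{item_id}.bin"
    shutil.copyfile(source, dest)
    after = sha256_file(dest)
    if before != after:
        raise RuntimeError("acquired copy does not match source; re-acquire")
    dest.chmod(0o444)  # read-only master copy; analysis works on further copies
    ledger.record("acquire", item_id, custodian, after, f"copied from {source}")
    return dest, after

def verify_evidence(path, expected_hash, item_id, custodian, ledger):
    """Step 3: re-hash before every hand-off or analysis pass and log the outcome."""
    current = sha256_file(path)
    ok = current == expected_hash
    ledger.record("verify", item_id, custodian, current, "match" if ok else "MISMATCH")
    return ok

def run_demo():
    """Constructed scenario: acquire a file, verify it, then detect file and log tampering."""
    work = Path(tempfile.mkdtemp())
    src = work / "suspect_export.csv"
    src.write_text("id,action\n1,download\n2,delete\n")  # constructed sample, not real data
    ledger = CustodyLedger()
    ledger.record("identify", "EM-001", "ciso", "", "flagged during policy review")
    copy, h = acquire(src, work, "EM-001", "ciso", ledger)
    intact = verify_evidence(copy, h, "EM-001", "analyst", ledger)
    copy.chmod(0o644)
    copy.write_text(copy.read_text() + "3,tampered\n")  # simulate alteration after seizure
    tampered = verify_evidence(copy, h, "EM-001", "analyst", ledger)
    ledger_ok = ledger.verify()
    ledger.entries[1]["custodian"] = "someone_else"  # simulate editing the custody log
    ledger_edited = ledger.verify()
    shutil.rmtree(work)
    return intact, tampered, ledger_ok, ledger_edited
```

`run_demo()` returns `(True, False, True, False)`: the fresh copy verifies, the altered copy does not, and the ledger validates until one of its entries is edited.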


Law Enforcement Involvement

• When an incident or disaster violates civil or criminal law, it is the organization’s responsibility to notify the proper authorities. Selecting the appropriate law enforcement agency depends on the type of crime committed. As described earlier, the Federal Bureau of Investigation (FBI), for example, handles computer crimes that cross state lines and investigates terrorism and cyberterrorism, which can include attacks against businesses and other organizations. The U.S. Secret Service examines crimes involving U.S. currency, counterfeiting, credit cards, and identity theft. The U.S. Treasury Department has a bank fraud investigation unit, and the Securities and Exchange Commission has investigation and fraud control units as well. Each state, county, and city in the United States has its own law enforcement agencies


Law Enforcement Involvement (Continued)

• Involving law enforcement agencies has both advantages and disadvantages:
  • Such agencies are usually much better equipped to process evidence than a business and are also prepared to handle the warrants and subpoenas necessary when documenting a case
  • The disadvantages of law enforcement involvement include possible loss of control over the chain of events following an incident—for example, the collection of information and evidence and the prosecution of suspects
  • A very real issue is the confiscation of vital equipment as evidence


Summary

• Deterrence can prevent an illegal or unethical activity from occurring. Successful deterrence requires the institution of severe penalties, the probability of apprehension, and an expectation that penalties will be enforced
• As part of an effort to sponsor positive ethics, a number of professional organizations have established codes of conduct and/or codes of ethics that their members are expected to follow
• Laws are formally adopted rules for acceptable behavior in modern society. Ethics are socially acceptable behaviors. The key difference between laws and ethics is that laws bear the sanction of a governing authority and ethics do not


Summary (Continued)

• Organizations formalize desired behaviors in documents called policies. Unlike laws, policies must be distributed, read, understood, explicitly agreed to by employees and uniformly enforced before they are enforceable
• Civil law encompasses a wide variety of laws that regulate relationships between and among individuals and organizations. Criminal law addresses violations that harm society and that are prosecuted by the state. Tort law is a subset of civil law that deals with lawsuits by individuals rather than criminal prosecution by the state
• U.S. copyright law extends intellectual property rights to the published word, including electronic publication
• A number of key U.S. federal agencies are charged with the protection of American information resources and the investigation of threats or attacks against these resources

Summary (Continued)

• Digital forensics involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and root cause analysis. E-discovery is the identification and preservation of evidentiary materials related to a specific legal action
• Most organizations cannot sustain a permanent digital forensics team. Even so, people in the InfoSec group should be trained to understand and manage the forensics process
• In digital forensics, all investigations follow the same basic methodology: identify relevant items of evidentiary value, acquire (seize) the evidence without alteration or damage, take steps to assure that the evidence is verifiably authentic at every stage and is unchanged from the time it was seized, analyze the data without risking modification or unauthorized access, and report the findings to the proper authority
