
Chapter 3: Legal, Ethical, and Professional Issues in Information Security


(Excerpt from a later section of the chapter.) … into the law as a so-called sunset clause for certain wiretaps under the Foreign Intelligence Surveillance Act of 1978 (FISA), and revised many of the criminal penalties and procedures associated with criminal and terrorist activities.[3] Another key law is the Computer Security Act of 1987. It was one of the first attempts …



In civilized life, law floats in a sea of ethics.
WARREN, CHIEF JUSTICE, SUPREME COURT, 12 NOVEMBER 1962

HENRY MAGRUDER MADE A MISTAKE: he left a CD at the coffee station. Later, Iris Majwubu was at the coffee station, topping off her mug with fresh tea, hoping to wrap up her work on the current SQL code module before it was time to go home. As she turned to leave, she saw the unlabeled CD on the counter. Being the helpful sort, she picked it up, intending to return it to the person who'd left it. Expecting to find perhaps the latest device drivers, or someone's work from the development team's office, Iris slipped the disk into the drive of her computer and ran a virus scan against its contents.

She then opened the file explorer program. She had been correct in assuming the CD contained data files, lots of them. She opened a file at random: names, addresses, and Social Security numbers scrolled down her screen. These were not the test records she expected; instead they looked more like critical payroll data. Concerned, she found a file and opened it. It read:

Jill, see files on this disc. Hope they meet your expectations. Wire money to account as arranged. Rest of data sent on …

Iris realized that someone was selling sensitive company data to an outside information broker. She looked back at the directory listing and saw that the files spanned the range of every department at Sequential Label and Supply: everything from customer lists to shipping invoices.

She saw one file that she knew contained the credit card numbers for every Web customer the company supplied. She opened another file and saw that it stopped about halfway through the data. Whoever did this had split the data into two parts. That made sense: payment on delivery of the first half. Now, who did this belong to? She opened up the file properties option on the file. The file owner was listed as hmagruder. That must be Henry Magruder, the developer two cubes over in the next aisle. Iris pondered her next move.

OBJECTIVES:
Upon completion of this material, you should be able to do the following:
- Use this chapter as a guide for future reference on laws, regulations, and professional organizations
- Differentiate between laws and ethics
- Identify major national laws that relate to the practice of information security
- Understand the role of culture as it applies to ethics in information security

Introduction
The first part of this chapter focuses on the legislation and regulations that affect the management of information in an organization.

The second part of the chapter presents ethical issues related to information security as well as a summary of professional organizations with established ethical codes. Use this chapter as both a reference to the legal aspects of information security and as an aid in planning your professional career. As a future information security professional, you must understand the scope of an organization's legal and ethical responsibilities. The information security professional plays an important role in an organization's approach to controlling liability for privacy and security risks. In the modern litigious societies of the world, sometimes laws are enforced in civil courts, where large damages are awarded to plaintiffs who bring suits against organizations.

Sometimes these damages are punitive, assessed as a deterrent. To minimize liability and reduce risks from electronic and physical threats, and to reduce all losses from legal action, information security practitioners must thoroughly understand the current legal environment, stay current with laws and regulations, and watch for new issues as they emerge. By educating the management and employees of an organization on their legal and ethical obligations and the proper use of information technology and information security, security professionals can help keep an organization focused on its primary objectives.

Law and Ethics in Information Security
In general, people elect to trade some aspects of personal freedom for social order.

As Jean-Jacques Rousseau explains in The Social Contract, or Principles of Political Right (1762)[1], the rules the members of a society create to balance the right of the individual to self-determination with the needs of the society as a whole are called laws. Laws are rules that mandate or prohibit certain behavior in society; they are drawn from ethics, which define socially acceptable behaviors. The key difference between laws and ethics is that laws carry the sanctions of a governing authority and ethics do not. Ethics in turn are based on cultural mores: the fixed moral attitudes or customs of a particular group.

Some ethics are recognized as universal. For example, murder, theft, assault, and arson are commonly accepted as actions that deviate from ethical and legal codes in the civilized world.

Organizational Liability and the Need for Counsel
What if an organization does not demand or even encourage strong ethical behavior from its employees? What if an organization does not behave ethically? Even if there is no breach of criminal law, there can still be liability. Liability is the legal obligation of an entity that extends beyond criminal or contract law; it includes the legal obligation to make restitution, or to compensate for wrongs committed by an organization or its employees. The bottom line is that if an employee, acting with or without the authorization of the organization, performs an illegal or unethical act that causes some degree of harm, the organization can be held financially liable for that action.

An organization increases its liability if it refuses to take measures known as due care. Due care has been taken when an organization makes sure that every employee knows what is acceptable or unacceptable behavior, and knows the consequences of illegal or unethical actions. Due diligence requires that an organization make a valid effort to protect others and continually maintain this level of effort. Given the Internet's global reach, those who could be injured or wronged by an organization's members could be anywhere, in any state, any country around the world. Under the legal system, any court can impose its authority over an individual or organization if it can establish jurisdiction, that is, the court's right to hear a case if the wrong was committed in its territory or involving its citizenry.

This is sometimes referred to as long arm jurisdiction: the long arm of the law reaching across the country or around the world to pull an accused individual into its court systems. Trying a case in the injured party's home area is usually favorable to the injured party.

Policy versus Law
Within an organization, information security professionals help maintain security via the establishment and enforcement of policies. These policies, a body of expectations that describe acceptable and unacceptable employee behaviors in the workplace, function as organizational laws, complete with penalties, judicial practices, and sanctions to require compliance.

Because these policies function as laws, they must be crafted with the same care, to ensure that they are complete, appropriate, and fairly applied to everyone in the workplace. The difference between a policy and a law, however, is that ignorance of a policy is an acceptable defense. Thus, for a policy to become enforceable, it must meet the following five criteria:

- Dissemination (distribution): The organization must be able to demonstrate that the relevant policy has been made readily available for review by the employee. Common dissemination techniques include hard copy and electronic distribution.
- Review (reading): The organization must be able to demonstrate that it disseminated the document in an intelligible form, including versions for illiterate, non-English reading, and reading-impaired employees.

