Law and Ethics in Information Security

Cards (32)

  • Laws - are rules that mandate or prohibit certain behavior; they are
    drawn from ethics, which define socially acceptable behaviors.
  • Laws - are formally adopted rules for acceptable behavior in modern
    society.
  • Ethics - are socially acceptable behaviors.
  • The key difference between laws and ethics is that laws carry the authority of a governing body, and ethics do not. Ethics in turn are based on cultural mores: the fixed moral attitudes or customs of a particular group. Some ethical standards are universal. For example, murder, theft, assault, and arson are actions that deviate from ethical and legal codes throughout the world.
  • Liability - is the legal obligation of an entity that extends beyond criminal or contract law; it includes the legal obligation to make restitution, or to compensate for wrongs committed.
  • Due care – The organization makes sure that every employee knows what is acceptable or unacceptable.
  • Laws are set standards, principles, and procedures that must be followed in society. Law is made mainly to implement justice in society. A policy outlines what a government is going to do and what it can achieve for society as a whole.
  • While a law is framed to bring justice to society, a policy is framed to achieve certain goals.
  • Laws are for the people, and policies are made in the name of the people. Policies can be called a set of rules that guide any government or any organization. Laws are administered through the courts and are enforceable; policies must comply with the law.
  • Dissemination (distribution) — The organization must be able to demonstrate that the relevant policy has been made readily available for review by the employee. Common dissemination techniques include hard copy and electronic distribution.
  • Review (reading) — The organization must be able to demonstrate that it disseminated the document in an intelligible form, including versions for illiterate, non-English reading, and reading-impaired employees. Common techniques include recordings of the policy in English and alternate languages.
  • Comprehension (understanding) — The organization must be able to demonstrate that the employee understood the requirements and content of the policy. Common techniques include quizzes and other assessments.
  • Compliance (agreement) — The organization must be able to demonstrate that the employee agreed to comply with the policy through act or affirmation. Common techniques include logon banners, which require a specific action (mouse click or keystroke) to acknowledge agreement, or a signed document clearly indicating the employee has read, understood, and agreed to comply with the policy.
  • Uniform enforcement — The organization must be able to demonstrate that the policy has been uniformly enforced, regardless of employee status or assignment.
  • Types of Law — Civil law comprises a wide variety of laws that govern a nation or state and deal with the relationships and conflicts between organizational entities and people.
  • Civil law - comprises a wide variety of laws that are used to govern a nation or state.
  • Criminal law addresses activities and conduct harmful to society, and is actively enforced by the state. Law can also be categorized as private or public.
  • Criminal law addresses violations that harm society and are enforced by agents of the state or nation.
  • Private law encompasses family law, commercial law, and labor law, and regulates the relationship between individuals and organizations.
  • Private law focuses on individual relationships between individuals and organizations.
  • Public law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments. Public law includes criminal, administrative, and constitutional law.
  • The Council of Europe adopted the Convention on Cybercrime in 2001.
  • Property Rights — The Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS), created by the World Trade Organization (WTO) and negotiated over the years 1986–1994, introduced intellectual property rules into the multilateral trade system. It is the first significant international effort to protect intellectual property rights. It outlines requirements for governmental oversight and legislation of WTO member countries to provide minimum levels of protection for intellectual property.
  • The WTO TRIPS agreement covers five issues:
    ❑ How basic principles of the trading system and other international intellectual property agreements should be applied
    ❑ How to give adequate protection to intellectual property rights
    ❑ How countries should enforce those rights adequately in their own territories
    ❑ How to settle disputes on intellectual property between members of the WTO
    ❑ Special transitional arrangements during the period when the new system is being introduced
  • The Digital Millennium Copyright Act (DMCA) is the American contribution to an international effort by the World Intellectual Property Organization (WIPO) to reduce the impact of copyright, trademark, and privacy infringement, especially when accomplished via the removal of technological copyright protection measures.
  • Ethics and Education — This is important in information security, as many employees may not have the formal technical training to understand that their behavior is unethical or even illegal. Proper ethical and legal training is vital to creating an informed, well-prepared, and low-risk system user.
  • Ignorance — Ignorance of the law is no excuse; however, ignorance of policy and procedures is. The first method of deterrence is education. This is accomplished by means of designing, publishing, and disseminating organization policies and relevant laws, and also obtaining agreement to comply with these policies and laws from all members of the organization. Reminders, training, and awareness programs keep the policy information in front of the individual and thus better support retention and compliance.
  • Accident — Individuals with authorization and privileges to manage information within the organization are most likely to cause harm or damage by accident. Careful planning and control help prevent accidental modification to systems and data.
  • Intent — Criminal or unethical intent goes to the state of mind of the person performing the act; it is often necessary to establish criminal intent to successfully prosecute offenders. Protecting a system against those with intent to cause harm or damage is best accomplished by means of technical controls, and vigorous litigation or prosecution if these controls fail.
  • Fear of penalty — Potential offenders must fear the penalty. Threats of informal reprimand or verbal warnings may not have the same impact as the threat of imprisonment or forfeiture of pay.
  • Probability of being caught — Potential offenders must believe there is a strong possibility of being caught. Penalties will not deter illegal or unethical behavior unless there is reasonable fear of being caught.
  • Probability of penalty being administered — Potential offenders must believe that the penalty will in fact be administered.