MANAGEMENT of INFORMATION SECURITY Third Edition

Similar documents
Legal, Ethical, and Professional Issues in Information Security

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

Motorola Mobility Binding Corporate Rules (BCRs)

SECURITY & PRIVACY DOCUMENTATION

RMU-IT-SEC-01 Acceptable Use Policy

Employee Security Awareness Training Program

Document Title: Electronic Data Protection and Encryption Policy. Revision Date Authors Description of Changes

Information Security Policy

Checklist: Credit Union Information Security and Privacy Policies

Red Flags/Identity Theft Prevention Policy: Purpose

HPE DATA PRIVACY AND SECURITY

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

Incident Handling. Week 4: Incidents, Evidence and the Law

Glenwood Telecommunications, Inc. Acceptable Use Policy (AUP)

EXAM PREPARATION GUIDE

Regulation P & GLBA Training

Data Compromise Notice Procedure Summary and Guide

Overview Bank IT examination perspective Background information Elements of a sound plan Customer notifications

Incident Handling. Road Map. Week 4: Incidents, Evidence and the Law. Types of Evidence. Digital Evidence. Characteristics of Evidence

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

Acceptable Use Policy

ESTABLISHMENT OF AN OFFICE OF FORENSIC SCIENCES AND A FORENSIC SCIENCE BOARD WITHIN THE DEPARTMENT OF JUSTICE

Re: Special Publication Revision 4, Security Controls of Federal Information Systems and Organizations: Appendix J, Privacy Control Catalog

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

Putting It All Together:

Privacy Policy on the Responsibilities of Third Party Service Providers

Subject: University Information Technology Resource Security Policy: OUTDATED

ecare Vault, Inc. Privacy Policy

Privacy Policy... 1 EU-U.S. Privacy Shield Policy... 2

TEL2813/IS2820 Security Management

BCN Telecom, Inc. Customer Proprietary Network Information Certification Accompanying Statement

Security Policies and Procedures Principles and Practices

University Policies and Procedures ELECTRONIC MAIL POLICY

ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

CCISO Blueprint v1. EC-Council

Contributed by Djingov, Gouginski, Kyutchukov & Velichkov

Breckenridge Financial Supplies Website Use Policy

DATA PROTECTION POLICY THE HOLST GROUP

What Why Value Methods

Subject: Kier Group plc Data Protection Policy

716 West Ave Austin, TX USA

Data Processing Agreement

EXAM PREPARATION GUIDE

The Honest Advantage

Acceptable Use Policy (AUP)

G7 Bar Associations and Councils

UWC International Data Protection Policy

Catalent Inc. Privacy Policy v.1 Effective Date: May 25, 2018 Page 1

Secure Messaging Mobile App Privacy Policy. Privacy Policy Highlights

Housecall Privacy Statement Statement Date: 01/01/2007. Most recent update 09/18/2009

Professional Training Course - Cybercrime Investigation Body of Knowledge -

PRC Cyber Security Law --- How does it affect a UK business? Xun Yang Of Counsel, Commercial IP and Technology

Computer Forensics US-CERT

This Policy applies to all staff and other authorised users in St Therese School.

Gramm Leach Bliley Act 15 U.S.C GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev.

ΚΕΝΤΡΟ ΜΕΛΕΤΩΝ ΑΣΦΑΛΕΙΑΣ CENTER FOR SECURITY STUDIES

OUTDATED. Policy and Procedures 1-12 : University Institutional Data Management Policy

EDENRED COMMUTER BENEFITS SOLUTIONS, LLC PRIVACY POLICY. Updated: April 2017

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015

You may contact The Translation Network by at You may also call The Translation Network at

Effective security is a team effort involving the participation and support of everyone who handles Company information and information systems.

Securing Information Systems

Privacy Policy GENERAL

Oracle Data Cloud ( ODC ) Inbound Security Policies

CERT Symposium: Cyber Security Incident Management for Health Information Exchanges

Policy. Policy Information. Purpose. Scope. Background

INFORMATION TECHNOLOGY DATA MANAGEMENT PROCEDURES AND GOVERNANCE STRUCTURE BALL STATE UNIVERSITY OFFICE OF INFORMATION SECURITY SERVICES

Acceptable Use Policy

Legal notice and Privacy policy

ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

Privacy Policy Effective May 25 th 2018

Emsi Privacy Shield Policy

Draft Resolution for Committee Consideration and Recommendation

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

VIACOM INC. PRIVACY SHIELD PRIVACY POLICY

HIPAA Security and Privacy Policies & Procedures

Security Awareness Compliance Requirements. Updated: 11 October, 2017

Information technology security and system integrity policy.

DIRECTIVE ON INFORMATION TECHNOLOGY SECURITY FOR BANK PERSONNEL. June 14, 2018

Cellular Site Simulator Usage and Privacy

Seven Requirements for Successfully Implementing Information Security Policies and Standards

ITU Model Cybercrime Law: Project Overview

Open Data Policy City of Irving

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

1 Privacy Statement INDEX

EXAM PREPARATION GUIDE

Cybersecurity in Higher Ed

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

COMPUTER FORENSICS (CFRS)

Application for Certification

region16.net Acceptable Use Policy ( AUP )

Data Processing Agreement for Oracle Cloud Services

Data Protection. Code of Conduct for Cloud Infrastructure Service Providers

Security Management Models And Practices Feb 5, 2008

Critical Information Infrastructure Protection Law

The Role of the Data Protection Officer

Information for entity management. April 2018

Transcription:

MANAGEMENT of INFORMATION SECURITY Third Edition CHAPTER AW AND THICS In law a man is guilty when he violates the rights of others. In ethics he is guilty if he only thinks of doing so. Immanuel Kant

Upon completion of this chapter, you should be able to: Differentiate between law and ethics Describe the ethical foundations and approaches that underlie modern codes of ethics Identify major national and international laws that relate to the practice of information security

Upon completion of this chapter, you should be able to: (cont d.) Describe the role of culture as it applies to ethics in information security Identify current information on laws, regulations, and relevant professional organizations

All information security professionals must understand the scope of an organization s legal and ethical responsibilities Understand the current legal environment Keep apprised of new laws, regulations, and ethical issues as they emerge To minimize the organization s liabilities Educate employees and management about their legal and ethical obligations And proper use of information technology

Laws Rules adopted and enforced by governments to codify expected behavior in modern society The key difference between law and ethics is that law carries the sanction of a governing authority and ethics do not Ethics are based on cultural mores Relatively fixed moral attitudes or customs of a societal group

InfoSec professionals and managers must understand the legal framework within which their organizations operate Can influence the organization to a greater or lesser extent, depending on the nature of the organization and the scale on which it operates

Civil law Pertains to relationships between and among individuals and organizations Criminal law Addresses violations harmful to society Actively enforced and prosecuted by the state Tort law A subset of civil law that allows individuals to seek redress in the event of personal, physical, or financial injury

Private law Regulates the relationships among individuals and among individuals and organizations Family law, commercial law, and labor law Public law Regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments Criminal, administrative, and constitutional law

Table 12-1a: Key U.S. laws of interest to information security professionals

Table 12-1b: Key U.S. laws of interest to information security professionals

The Computer Fraud and Abuse Act of 1986 (CFA Act) The cornerstone of many computer-related federal laws and enforcement efforts Amended in October 1996 by the National Information Infrastructure Protection Act Modified several sections of the previous act, and increased the penalties for select crimes

The Computer Fraud and Abuse Act of 1986 (cont d.) Further modified by the USA Patriot Act of 2001 Provides law enforcement agencies with broader latitude to combat terrorism-related activities The USA Patriot Act was updated and extended, in many cases permanently Through the USA Patriot Improvement and Reauthorization Act of 2005

The Computer Security Act of 1987 One of the first attempts to protect federal computer systems Established minimum acceptable security practices Established a Computer System Security and Privacy Advisory Board within the Department of Commerce Requires mandatory periodic training in computer security awareness and accepted computer security practice for all users of Federal computer systems

The Computer Security Act of 1987 (cont d.) Charged the National Bureau of Standards and the NSA (now NIST) with the development of: Standards, guidelines, and associated methods and techniques for computer systems Uniform standards and guidelines for most federal computer systems Technical, management, physical, and administrative standards and guidelines for the costeffective security and privacy of sensitive information in federal computer systems

The Computer Security Act of 1987 (cont d.) Charged the National Bureau of Standards and the NSA ( now NIST) with the development of: (cont d.) Guidelines for operators of federal computer systems containing sensitive information in training their employees in security awareness Validation procedures for, and evaluation of the effectiveness of, standards and guidelines Through research and liaison with other government and private agencies

Privacy Laws Many organizations collect, trade, and sell personal information as a commodity Individuals are becoming aware of these practices and looking to governments to protect their privacy Aggregation of data from multiple sources permits unethical organizations to build databases with alarming quantities of personal information

Privacy Laws (cont d.) The Privacy of Customer Information Section of the section of regulations covering common carriers Specifies that any proprietary information shall be used explicitly for providing services, and not for any marketing purposes The Federal Privacy Act of 1974 regulates the government s use of private information Ensure that government agencies protect the privacy of individuals and businesses information

Privacy Laws (cont d.) The Electronic Communications Privacy Act of 1986 A collection of statutes that regulates the interception of wire, electronic, and oral communications These statutes work in cooperation with the Fourth Amendment of the U.S. Constitution Prohibits search and seizure without a warrant

Health Insurance Portability & Accountability Act Of 1996 (HIPAA) An attempt to protect the confidentiality and security of health care data Establishes and enforces standards Standardizes electronic data interchange Requires organizations that retain health care information to use information security mechanisms to protect this information Also requires an assessment of the organization's InfoSec systems, policies, and procedures

HIPAA (cont d.) Provides guidelines for the use of electronic signatures Based on security standards ensuring message integrity, user authentication, and nonrepudiation Fundamental privacy principles: Consumer control of medical information Boundaries on the use of medical information Accountability for the privacy of private information

HIPAA (cont d.) Fundamental privacy principles: (cont d.) Balance of public responsibility for the use of medical information for the greater good measured against impact to the individual Security of health information

The Financial Services Modernization Act Also called Gramm-Leach-Bliley Act of 1999 Applies to banks, securities firms, and insurance companies Requires all financial institutions to disclose their privacy policies Describing how they share nonpublic personal information Describing how customers can request that their information not be shared with third parties

The Financial Services Modernization Act (cont d.) Ensures that the privacy policies in effect in an organization are fully disclosed when a customer initiates a business relationship Distributed at least annually for the duration of the professional association

Export and Espionage Laws Economic Espionage Act (EEA) of 1996 An attempt to protect intellectual property and competitive advantage Attempts to protect trade secrets from the foreign government that uses its classic espionage apparatus to spy on a company Also between two companies Or a disgruntled former employee

Export and Espionage Laws The Security and Freedom through Encryption Act of 1997 Provides guidance on the use of encryption Institutes measures of public protection from government intervention Reinforces an individual s right to use or sell encryption algorithms Prohibits the federal government from requiring the use of encryption for contracts, grants, and other official documents, and correspondence

Figure 12-1: Export restrictions Source: Course Technology/Cengage Learning

U.S. Copyright Law Extends protection to intellectual property, including words published in electronic formats Fair use allows material to be quoted so long as the purpose is educational and not for profit, and the usage is not excessive Proper acknowledgement must be provided to the author and/or copyright holder of such works Including a description of the location of source materials, using a recognized form of citation

Freedom of Information Act of 1966 All Federal agencies are required to disclose records requested in writing by any person Applies only to Federal agencies and does not create a right of access to records held by Congress, the courts, or by state or local government agencies Sarbanes-Oxley Act of 2002 Enforces accountability for the financial record keeping and reporting at publicly traded corporations

Sarbanes-Oxley Act of 2002 (cont d.) Requires that the CEO and chief financial officer (CFO) assume direct and personal accountability for the completeness and accuracy of a publicly traded organization s financial reporting and record-keeping systems As these executives attempt to ensure that the systems used to record and report are sound, the related areas of availability and confidentiality are also emphasized

International trade is governed by international treaties and trade agreements Many domestic laws and customs do not apply There are currently few international laws relating to privacy and information security Because of cultural differences and political complexities of the relationships among nations

European Council Cyber-Crime Convention Empowers an international task force to oversee a range of Internet security functions Standardizes technology laws internationally Attempts to improve the effectiveness of international investigations into breaches of technology law Goal is to simplify the acquisition of information for law enforcement agents in certain types of international crimes, as well as the extradition process

The Digital Millennium Copyright Act A U.S.-based international effort to reduce the impact of copyright, trademark, and privacy infringement, especially via the removal of technological copyright protection measures European Union Directive 95/46/EC Increases individual rights to process and freely move personal data Database Right U.K. version of this directive

Information security professionals must understand state laws and regulations Ensure that their organization s security policies and procedures comply Georgia Computer Systems Protection Act Has various computer security provisions Establishes specific penalties for use of information technology to attack or exploit information systems in organizations

The Georgia Identity Theft Law Requires that a business may not discard a record containing personal information unless it shreds, erases, modifies, or otherwise makes the information irretrievable

Difference between policy and law Ignorance of policy is an acceptable defense Policies must be: Distributed to all individuals who are expected to comply with them Readily available for employee reference Easily understood, with multilingual, visually impaired and low-literacy translations Acknowledged by employee with consent form Uniformly enforced for all employees

The student of information security is not expected to study the topic of ethics in a vacuum, but within a larger ethical framework Information security professionals may be expected to be more articulate about the topic than others in the organization Often must withstand a higher degree of scrutiny

The Ten Commandments of Computer Ethics From the Computer Ethics Institute Thou shalt not: Use a computer to harm other people Interfere with other people's computer work Snoop around in other people's computer files Use a computer to steal Use a computer to bear false witness Copy or use proprietary software for which you have not paid

The Ten Commandments of Computer Ethics (cont d.) Thou shalt not: (cont d.) Use other people's computer resources without authorization or proper compensation Appropriate other people's intellectual output Think about the social consequences of the program you are writing or the system you are designing Always use a computer in ways that ensure consideration and respect for fellow humans

Differences in computer use ethics Not exclusively cultural Found among individuals within the same country, within the same social class, and within the same company Key studies reveal that the overriding factor in leveling the ethical perceptions within a small population is education Employees must be trained on the expected behaviors of an ethical employee

InfoSec personnel should do everything in their power to deter unethical and illegal acts Using policy, education and training, and technology as controls to protect information Categories of unethical behavior Ignorance Accident Intent

Deterrence Best method for preventing an illegal or unethical activity Examples: laws, policies, and technical controls Laws and policies and their associated penalties only deter if three conditions are present: Fear of penalty Probability of being caught Probability of penalty being administered

Some professional organizations have established codes of conduct and/or codes of ethics Members are expected to follow Codes of ethics can have a positive effect on an individual s judgment regarding computer use

Security professionals must act ethically According to the policies and procedures of their employers, their professional organizations, and the laws of society

A respected professional society Originally established in 1947 as the world's first educational and scientific computing society One of the few organizations that strongly promotes education and provides discounted membership for students Code of ethics requires members to perform their duties in a manner befitting an ethical computing professional

Code of ethics applies to information security professionals who have earned one of their certifications Includes four mandatory canons: Protect society, the commonwealth, and the infrastructure Act honorably, honestly, justly, responsibly, and legally Provide diligent and competent service to principals Advance and protect the profession

Professional research and education cooperative organization Over 156,000 security professionals, auditors, system and network administrators SANS GIAC code of ethics requires: Respect for the public Respect for the certification Respect for my employer Respect for myself

A professional association with a focus on auditing, control, and security Membership comprises both technical and managerial professionals Has a code of ethics for its professionals Requires many of the same high standards for ethical performance as the other organizations and certifications

Code of ethics tenets Support the implementation of, and encourage compliance with, appropriate standards, procedures, and information systems controls Perform duties with objectivity, due diligence and professional care, using professional standards and best practices Serve in the interest of stakeholders in a lawful and honest manner, maintain high standards of conduct and character, and not engage in acts discreditable to the profession

Code of ethics tenets (cont d.) Maintain the privacy and confidentiality of information obtained in the course of their duties Unless disclosure is required by legal authority Such information shall not be used for personal benefit or released to inappropriate parties Maintain competency in their respective fields, and agree to undertake only those activities that they can reasonably expect to complete with professional competence

Code of ethics tenets (cont d.) Inform appropriate parties of the results of work performed, revealing all significant facts known to them Support the professional education of stakeholders in enhancing their understanding of information systems security and control

Nonprofit society of information security professionals Mission is to bring together qualified practitioners of information security for information exchange and educational development Provides conferences, meetings, publications, and information resources to promote information security awareness and education

Promotes a code of ethics Similar to that of other organizations Promoting management practices that will ensure the confidentiality, integrity, and availability of organizational information resources.

What if an organization does not support or encourage strong ethical conduct by its employees? What if an organization does not behave ethically? If an employee, acting with or without the authorization, performs an illegal or unethical act, causing some degree of harm, the organization can be held financially liable for that action

An organization increases its liability if it refuses to take measures (due care) to make sure that every employee knows what is acceptable and what is not, and the consequences of illegal or unethical actions Due diligence requires that an organization make a valid and ongoing effort to protect others

Federal Bureau of Investigation s InfraGard Program Promotes efforts to educate, train, inform, and involve the business and public sector in information security Every FBI field office has established an InfraGard chapter and collaborates with public and private organizations and the academic community to share information about attacks, vulnerabilities, and threats

Federal Bureau of Investigation s InfraGard Program (cont d.) InfraGard s dominant contribution is the free exchange of information to and from the private sector in the subject areas of threats and attacks on information resources

National Security Agency (NSA) The nation's cryptologic organization Coordinates, directs, and performs highlyspecialized activities to protect U.S. information systems and produce foreign intelligence information Responsible for signal intelligence and information system security

National Security Agency (cont d.) Information Assurance Directorate (IAD) provides information security solutions including the technologies, specifications and criteria, products, product configurations, tools, standards, operational doctrine, and support activities needed to implement the protect, detect and report, and respond elements of cyber defense.

U.S. Secret Service is a department within the Department of the Treasury In addition to its well-known mission to protect key members of the U.S. government Also charged with the detection and arrest of any person committing a U.S. federal offense relating to computer fraud, as well as false identification crimes Department of Homeland Security Formed when U.S. Secret Service was transferred to it from the Department of the Treasury

When (not if) an organization finds itself dealing with a suspected policy or law violation Must appoint an individual to investigate it How the internal investigation proceeds Dictates whether or not the organization has the ability to take action against the perpetrator if in fact evidence is found that substantiates the charge

In order to protect the organization, and to possibly assist law enforcement in the conduct of an investigation The investigator (CISO, InfoSec Manager or other appointed individual) must document what happened and how

Forensics The coherent application of methodical investigatory techniques to present evidence of crimes in a court or court-like setting Digital forensics The investigation of what happened and how Involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis

Digital forensics (cont d.) Like traditional forensics, it follows clear, welldefined methodologies, but still tends to be as much art as science

Evidentiary material (EM) Also called item of potential evidentiary value Any information that could potentially support the organizations legal- or policy-based case against a suspect An item does not become evidence until it is formally admitted to evidence by a judge or other ruling official

Digital forensics can be used for two key purposes: Investigate allegations of digital malfeasance A crime against or using digital media, computer technology or related components Perform root cause analysis If an incident occurs and the organization suspects an attack was successful, digital forensics can be used to examine the path and methodology used to gain unauthorized access, as well as to determine how pervasive and successful the attack was

Digital forensics approaches Protect and forget (a.k.a. patch and proceed) Focuses on the defense of the data and the systems that house, use, and transmit it Apprehend and prosecute (a.k.a. pursue and prosecute) Focuses on the identification and apprehension of responsible individuals, with additional attention on the collection and preservation of potential EM that might support administrative or criminal prosecution

Investigations begin with an allegation or an indication of an incident Forensics team requests permission to examine digital media for potential EM An affidavit is sworn testimony That the investigating officer has certain facts they feel warrant the examination of specific items located at a specific place

Search warrant Permission to search for EM at the specified location and/or to seize items to return to the investigator s lab for examination Created when an approving authority signs the affidavit or creates a synopsis form based on it

Steps in the digital forensics methodology 1. Identify relevant items of evidentiary value 2. Acquire (seize) the evidence without alteration or damage 3. Take steps to assure that the evidence is at every step verifiably authentic and is unchanged from the time it was seized 4. Analyze the data without risking modification or unauthorized access 5. Report the findings to the proper authority

Figure 12-2: Digital forensics process Source: Course Technology/Cengage Learning

Organizations should develop specific procedures and guidance for their use Who may conduct an investigation Who may authorize an investigation What affidavit-related documents are required What search warrant-related documents are required What digital media may be seized or taken offline

Organizations should develop specific procedures and guidance for their use (cont d.) What methodology should be followed What methods are required for chain of custody or chain of evidence What format the final report should take, and to whom it should it be given

Introduction Law and ethics in information security The legal environment Ethical concepts in information security Professional organizations codes of ethics Organizational liability and the need for counsel Key U.S. Federal agencies Managing investigations in the organization

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback