INFORMATION SECURITY MANAGEMENT
LECTURE 11: LAW AND ETHICS
You got to be careful if you don’t know where you’re going, because you might not get there. – Yogi Berra
Introduction
• All information security professionals must understand the scope of an organization’s legal and ethical responsibilities
• Educate employees and management about their legal and ethical obligations concerning proper use of information technology
Law and Ethics
• Laws vs. Ethics
• Types of Law
– Civil law
– Criminal law
– Tort law
– Private law
– Public law
Information Security and the Law
• InfoSec professionals and managers must understand the legal framework within which their organizations operate
Relevant U.S. Laws
• The Computer Fraud and Abuse Act of 1986 (CFA Act)
• The Computer Security Act of 1987
• Health Insurance Portability & Accountability Act of 1996 (HIPAA)
• Financial Services Modernization Act
• Freedom of Information Act of 1966
• Sarbanes-Oxley Act of 2002
Relevant U.S. Laws (cont’d.)
• Privacy Laws
– Privacy of Customer Information Section
– The Federal Privacy Act of 1974: regulates the government’s use of private information
– Electronic Communications Privacy Act of 1986
• These statutes work in cooperation with the Fourth Amendment of the U.S. Constitution
Relevant U.S. Laws (cont’d.)
• Export and Espionage Laws
– Economic Espionage Act (EEA) of 1996
– The Security and Freedom through Encryption Act of 1997
International Laws and Legal Bodies
• There are currently few international laws relating to privacy and information security
• European Council Cyber-Crime Convention
• The Digital Millennium Copyright Act
• European Union Directive 95/46/EC
• Database Right
State and Local Regulations
• Information security professionals must understand state laws and regulations
Example:
Georgia Computer Systems Protection Act
Policy Versus Law
• Difference between policy and law
• Policies must be:
– Distributed to all individuals who are expected to comply with them
– Readily available for employee reference
– Easily understood, with multilingual, visually impaired and low-literacy translations
– Acknowledged by employee with consent form
– Uniformly enforced for all employees
Ethics and Education
• Key studies reveal that the overriding factor in leveling the ethical perceptions within a small population is education
• Employees must be trained on the expected behaviors of an ethical employee
Deterring Unethical and Illegal Behavior
• InfoSec personnel should do everything in their power to deter unethical and illegal acts
• Categories of unethical behavior
– Ignorance
– Accident
– Intent
• Best Approach: Deterrence
Professional Organizations and their Codes of Ethics
• Some professional organizations have established codes of conduct and/or codes of ethics
• Other Sources of Ethics Codes:
– ACM
– SANS
– ISC2
– ISACA
– ISSA
Ethics
• Rules, not laws, that set minimum standards for professional behavior
• ISC2 Code of Ethics
– Protect society, the commonwealth and the infrastructure
– Act honorably, honestly, justly, responsibly, and legally
– Provide diligent and competent service to principals
– Advance and protect the profession
Key Law Enforcement Agencies
• Federal Bureau of Investigation
– InfraGard Program
• National Security Agency
– Information Assurance Directorate (IAD)
• U.S. Secret Service
• Department of Homeland Security
Managing Investigations in the Organization
It’s not a matter of “if” but “when”
• Investigation Steps
• Documentation is key
• Digital Forensics
Managing Investigations: Digital Forensics
• The investigation of what happened and how
– Involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis
• Evidentiary material (EM)
– Any information that could potentially support the organization’s legal- or policy-based case against a suspect
Managing Investigations: Digital Forensics
• Two key purposes:
– Investigate allegations of digital malfeasance
– Perform root cause analysis
• Approaches:
– Protect and forget (patch and proceed)
– Apprehend and prosecute (pursue and prosecute)
Affidavits and Search Warrants
• Investigations begin with an allegation or an indication of an incident
• Forensics team requests permission to examine digital media for potential EM
– Affidavit
– Search warrant
Digital Forensics Methodology
Steps in the digital forensics methodology
1. Identify relevant items of evidentiary value
2. Acquire (seize) the evidence without alteration or damage
3. Take steps to assure that the evidence is at every step verifiably authentic and is unchanged from the time it was seized
4. Analyze the data without risking modification or unauthorized access
5. Report the findings to the proper authority
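The integrity requirement in steps 2 and 3 is usually met by hashing the media at seizure and re-hashing it at every hand-off, so that the chain of custody can show the evidence unchanged. The following is an added example, not part of the lecture or its textbook; the evidence bytes, examiner names and helper functions are constructed for illustration:

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample evidence: stands in for a seized disk image or log file.
EVIDENCE_IMAGE = b"2024-01-01T00:00:00Z user=alice action=login\n" * 4


def sha256_hex(data: bytes) -> str:
    """Fingerprint of the media exactly as acquired; any byte change alters it."""
    return hashlib.sha256(data).hexdigest()


def _entry(handler: str, action: str, data: bytes) -> dict:
    """One chain-of-custody line: who, what, when, and the hash observed at that moment."""
    return {
        "handler": handler,
        "action": action,
        "when": datetime.now(timezone.utc).isoformat(),
        "hash": sha256_hex(data),
    }


def seize(data: bytes, examiner: str) -> dict:
    """Step 2: acquire the evidence and record its reference hash at seizure time."""
    return {
        "reference_hash": sha256_hex(data),
        "custody": [_entry(examiner, "acquired", data)],
    }


def hand_off(record: dict, data: bytes, handler: str, action: str) -> bool:
    """Step 3: every transfer or analysis step re-hashes the media and logs the result.
    Returns False when the media no longer matches the seizure hash; the entry stays
    in the log so the discrepancy itself is documented."""
    entry = _entry(handler, action, data)
    record["custody"].append(entry)
    return entry["hash"] == record["reference_hash"]


def verify_chain(record: dict) -> bool:
    """Audit before reporting (step 5): valid only if every logged hash equals the reference."""
    return all(e["hash"] == record["reference_hash"] for e in record["custody"])


def demo() -> tuple:
    """Intact hand-off passes; a single altered byte is caught and invalidates the chain."""
    record = seize(EVIDENCE_IMAGE, "examiner-1")
    ok = hand_off(record, EVIDENCE_IMAGE, "examiner-2", "transferred to lab")
    tampered = EVIDENCE_IMAGE.replace(b"alice", b"mallory", 1)
    bad = hand_off(record, tampered, "examiner-3", "analysis on working copy")
    return ok, bad, verify_chain(record)
```

In practice the same check is run on the forensic image rather than the original media, so that analysis (step 4) never touches the seized item.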
Digital Forensics Methodology
Figure 12-2: Digital forensics process
Source: Course Technology/Cengage Learning
Evidentiary Procedures
• Organizations should develop specific procedures and guidance for their use