Legal, Ethical, and Professional Issues in Information Security
Presenter: Sunil Paudel (sunilpaudel@gmail.com)

Outline
- Types of Law
- Relevant Laws (Computer Crime, IP, Licensing, Privacy)
- International Laws and Legal Bodies
- Ethical Concepts in Information Security
- Codes of Ethics, Certifications, and Professional Organizations

Introduction
You must understand the scope of an organization's legal and ethical responsibilities. To minimize liabilities and reduce risks, the information security practitioner must:
- Understand the current legal environment
- Stay current with laws and regulations
- Watch for new issues that emerge

Law and Ethics in Information Security
- Laws: rules that mandate or prohibit certain societal behavior
- Ethics: define socially acceptable behavior
- Cultural mores: fixed moral attitudes or customs of a particular group; ethics are based on these
- Laws carry the sanctions of a governing authority; ethics do not

Ethical Issues
Ethical:
1. Pertaining to or dealing with morals or the principles of morality; pertaining to right and wrong in conduct.
2. In accordance with the rules or standards for right conduct or practice, especially the standards of a profession.
Examples:
- Should companies collect and/or sell customer data?
- Should IT specialists monitor and report employee computer use?

Types of Law
- Civil law represents a wide variety of laws that are recorded in volumes of legal "code".
- Criminal law addresses violations harmful to society and is actively enforced through prosecution by the state.
- Tort law allows individuals to seek recourse against others in the event of personal, physical, or financial injury.
- Private law regulates the relationship between the individual and the organization, and encompasses family law, commercial law, and labor law.
- Public law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments, providing careful checks and balances. Examples of public law include criminal, administrative, and constitutional law.

Relevant Nepalese Laws
Types of law: civil, criminal, tort, private, public
Relevant Nepalese Acts, Regulations, and Policies:
- Electronic Transaction Act 2063 B.S.
- Telecommunication Act 2053 B.S.
- National Broadcasting Act 2049 B.S.
- Copyright Act 2059 B.S.
- Patent, Design and Trademark Act 2022 B.S.
- IT Policy 2067

Electronic Transaction Act 2063
- Date of authentication and publication: 22 Mansir 2063 (December 8, 2006)
- Considered a landmark law for the development of the Nepalese IT sector
- Provision for any person to authenticate any electronic record by his/her personal digital signature
- Provision for an IT tribunal consisting of one member each from law (Chairman), information technology, and commerce

Computer Related Offences
- Pirating, destroying, or altering computer source code
- Unauthorized access to computer materials
- Damage to any computer and information system
- Publication of illegal materials in electronic form
- Divulging (disclosing) confidential information
- Committing computer fraud
- Punishment for an offence committed outside Nepal

Privacy
- One of the hottest topics in information security
- A "state of being free from unsanctioned intrusion"
- The ability to aggregate data from multiple sources allows the creation of information databases previously unheard of

International Laws and Legal Bodies
European Council Cyber-Crime Convention:
- Establishes an international task force overseeing Internet security functions for standardized international technology laws
- Attempts to improve the effectiveness of international investigations into breaches of technology law
- Well received by intellectual property rights advocates due to its emphasis on copyright infringement prosecution
- Lacks realistic provisions for enforcement
Notes: Recently the Council of Europe drafted the European Council Cyber-Crime Convention, designed to create an international task force to oversee a range of security functions associated with Internet activities, and to standardize technology laws across international borders. It also attempts to improve the effectiveness of international investigations into breaches of technology law. This convention is well received by advocates of intellectual property rights because of its emphasis on copyright infringement prosecution.

Digital Millennium Copyright Act (DMCA)
- U.S. contribution to the international effort to reduce the impact of copyright, trademark, and privacy infringement
- A response to European Union Directive 95/46/EC, which adds protection to individuals with regard to the processing and free movement of personal data
- The United Kingdom has already implemented a version of this directive called the Database Right

United Nations Charter
- Makes provisions, to a degree, for information security during information warfare (IW)
- IW involves the use of information technology to conduct organized and lawful military operations
- IW is a relatively new type of warfare, although the military has been conducting electronic warfare operations for decades

Policy Versus Law
- Most organizations develop and formalize a body of expectations called policy
- Policies serve as organizational laws
- To be enforceable, policy must be distributed, readily available, easily understood, and acknowledged by employees
Notes: Most organizations develop and formalize a body of expectations that describe acceptable and unacceptable behaviors of the employee within the workplace. This body of expectations is called policy. Properly executed policies function in an organization like laws, complete with penalties, judicial practices, and sanctions to require compliance. For a policy to become enforceable, it must be:
- Distributed to all individuals who are expected to comply with it.
- Readily available for employee reference.
- Easily understood, with multi-language translations and translations for visually impaired or literacy-impaired employees.
- Acknowledged by the employee, usually by means of a signed consent form.
Only when all of these conditions are met does the organization have a reasonable expectation that, should an employee violate policy, they may be appropriately penalized without fear of legal retribution.

Ethics and Information Security
"The Ten Commandments of Computer Ethics" from The Computer Ethics Institute:
1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people's computer work.
3. Thou shalt not snoop around in other people's computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people's computer resources without authorization or proper compensation.
8. Thou shalt not appropriate other people's intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
10. Thou shalt always use a computer in ways that insure consideration and respect for your fellow humans.

Commentary on each commandment:

1) Thou shalt not use a computer to harm other people: If it is unethical to harm people by making a bomb, for example, it is equally bad to write a program that handles the timing of the bomb. Or, to put it more simply, if it is bad to steal and destroy other people's books and notebooks, it is equally bad to access and destroy their files.

2) Thou shalt not interfere with other people's computer work: Computer viruses are small programs that disrupt other people's computer work by destroying their files, taking huge amounts of computer time or memory, or by simply displaying annoying messages. Generating and consciously spreading computer viruses is unethical.

3) Thou shalt not snoop around in other people's files: Reading other people's e-mail messages is as bad as opening and reading their letters: this is invading their privacy. Obtaining other people's non-public files should be judged the same way as breaking into their rooms and stealing their documents. Text documents on the Internet may be protected by encryption.

4) Thou shalt not use a computer to steal: Using a computer to break into the accounts of a company or a bank and transferring money should be judged the same way as robbery. It is illegal and there are strict laws against it.

5) Thou shalt not use a computer to bear false witness: The Internet can spread untruth as fast as it can spread truth. Putting out false "information" to the world is bad. For instance, spreading false rumors about a person or false propaganda about historical events is wrong.

6) Thou shalt not use or copy software for which you have not paid: Software is an intellectual product. In that way, it is like a book: obtaining illegal copies of copyrighted software is as bad as photocopying a copyrighted book. There are laws against both. Information about the copyright owner can be embedded into pictures in digital format by a process called watermarking.

7) Thou shalt not use other people's computer resources without authorization: Multiuser systems use user IDs and passwords to enforce their memory and time allocations, and to safeguard information. You should not try to bypass this authorization system. Hacking a system to break and bypass the authorization is unethical.

8) Thou shalt not appropriate other people's intellectual output: For example, the programs you write for the projects assigned in this course are your own intellectual output. Copying somebody else's program without proper authorization is software piracy and is unethical. Intellectual property is a form of ownership, and may be protected by copyright laws.

9) Thou shalt think about the social consequences of the program you write: You have to think about computer issues in a more general social framework: can the program you write be used in a way that is harmful to society? For example, if you are working for an animation house, and are producing animated films for children, you are responsible for their contents.

10) Thou shalt use a computer in ways that show consideration and respect: Just like public buses or banks, people using computer communications systems may find themselves in situations where there is some form of queuing, and you have to wait for your turn and generally be nice to other people in the environment. The fact that you cannot see the people you are interacting with does not mean that you can be rude to them.

Ethical Differences Across Cultures
- Cultural differences create difficulty in determining what is and is not ethical
- Difficulties arise when one nationality's ethical behavior conflicts with the ethics of another national group

Ethics and Education
- The overriding factor in leveling ethical perceptions within a small population is education
- Employees must be trained in the expected behaviors of an ethical employee, especially in areas of information security
- Proper ethical training is vital to creating an informed, well prepared, and low-risk system user
Notes: Employees must be trained and kept aware in a number of topics related to information security, not the least of which is the expected behaviors of an ethical employee. This is especially important in areas of information security, as many employees may not have the formal technical training to understand that their behavior is unethical or even illegal. Proper ethical and legal training is vital to creating an informed, well prepared, and low-risk system user.

Deterrence to Unethical and Illegal Behavior
- Deterrence: the best method for preventing an illegal or unethical activity; e.g., laws, policies, technical controls
- Laws and policies only deter if three conditions are present:
  - Fear of penalty
  - Probability of being caught
  - Probability of the penalty being administered

Codes of Ethics and Professional Organizations
- Several professional organizations have established codes of conduct/ethics
- Codes of ethics can have a positive effect; unfortunately, many employers do not encourage joining these professional organizations
- It is the responsibility of security professionals to act ethically and according to the policies of their employer, their professional organization, and the laws of society

Association of Computing Machinery (ACM)
- ACM was established in 1947 as "the world's first educational and scientific computing society"
- Its code of ethics contains references to protecting information confidentiality, causing no harm, protecting others' privacy, and respecting others' intellectual property

International Information Systems Security Certification Consortium, Inc. (ISC)2
- Non-profit organization focusing on the development and implementation of information security certifications and credentials
- Its code is primarily designed for information security professionals who hold a certification from (ISC)2
- The code of ethics focuses on four mandatory canons
Notes: The (ISC)2 (www.isc2.org) is a non-profit organization that focuses on the development and implementation of information security certifications and credentials. The code of ethics put forth by (ISC)2 is primarily designed for information security professionals who have earned a certification from (ISC)2. This code focuses on four mandatory canons:
- Protect society, the commonwealth, and the infrastructure;
- Act honorably, honestly, justly, responsibly, and legally;
- Provide diligent and competent service to principals; and
- Advance and protect the profession.

System Administration, Networking, and Security Institute (SANS)
- Professional organization with a large membership dedicated to the protection of information and systems
- SANS offers a set of certifications called Global Information Assurance Certification (GIAC)

Information Systems Audit and Control Association (ISACA)
- Professional association with a focus on auditing, control, and security
- Concentrates on providing IT control practices and standards
- ISACA has a code of ethics for its professionals

Computer Security Institute (CSI)
- Provides information and training to support computer, networking, and information security professionals
- Though without a code of ethics, it has argued for the adoption of ethical behavior among information security professionals

Information Systems Security Association (ISSA)
- Nonprofit society of information security (IS) professionals
- Primary mission is to bring together qualified IS practitioners for information exchange and educational development
- Promotes a code of ethics similar to those of (ISC)2, ISACA and ACM

Other Security Organizations
- Internet Society (ISOC): promotes the development and implementation of education, standards, and policy to promote the Internet
- Computer Security Division (CSD): division of the National Institute for Standards and Technology (NIST); promotes industry best practices and is an important reference for information security professionals

Other Security Organizations (continued)
- CERT Coordination Center (CERT/CC): center of Internet security expertise operated by Carnegie Mellon University
- Computer Professionals for Social Responsibility (CPSR): public organization for anyone concerned with the impact of computer technology on society

Organizational Liability and the Need for Counsel
- Liability is the legal obligation of an entity; it includes the legal obligation to make restitution for wrongs committed
- An organization increases its liability if it refuses to take measures known as due care
- Due diligence requires that an organization make a valid effort to protect others and continually maintain that level of effort

Summary
- Laws: rules that mandate or prohibit certain behavior in society; drawn from ethics
- Ethics: define socially acceptable behaviors; based on cultural mores (fixed moral attitudes or customs of a particular group)
- Many organizations have codes of conduct and/or codes of ethics
- An organization increases its liability if it refuses to take measures known as due care
- Due diligence requires that an organization make a valid effort to protect others and continually maintain that effort