1. Law & Ethics, Policies & Guidelines, and Security Awareness
THREATS TO INFORMATION SECURITY
To make sound decisions about information security, create policies, and enforce them, management must be informed of the various kinds of threats facing the organization, its applications, data and information systems.
A threat is an object, person, or other entity that represents a constant danger to an asset.
To better understand the numerous threats facing the organization, a categorization scheme has been developed allowing us to group threats by their respective activities.
By examining each threat category in turn, management can most effectively protect its information through policy, education and training, and technology controls.
Principles of Information Security, 2nd Edition

2. Learning Objectives Upon completion of this material, you should be able to:
Use this chapter as a guide for future reference on laws, regulations, and professional organizations
Differentiate between laws and ethics
Identify major national laws that relate to the practice of information security
Understand the role of culture as it applies to ethics in information security
Describe management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines
Learning Objectives
Upon completion of this chapter the student should be able to:
Use this chapter as a guide for future reference on laws, regulations, and professional organizations.
Differentiate between laws and ethics.
Identify major national laws that relate to the practice of information security.
Understand the role of culture as it applies to ethics in information security.
Principles of Information Security, 2nd Edition

3. Introduction
You must understand scope of an organization’s legal and ethical responsibilities
To minimize liabilities/reduce risks, the information security practitioner must:
Understand current legal environment
Stay current with laws and regulations
Watch for new issues that emerge
Introduction
As a future information security professional, it is vital that you understand the scope of an organization’s legal and ethical responsibilities.
To minimize liabilities and reduce risks from electronic, physical threats and reduce the losses from legal action, the information security practitioner must understand the current legal environment, stay current as new laws and regulations emerge, and watch for issues that need attention.
Principles of Information Security, 2nd Edition

4. Law and Ethics in Information Security
Laws: rules that mandate or prohibit certain societal behavior
Ethics: define socially acceptable behavior
Cultural mores: fixed moral attitudes or customs of a particular group; ethics based on these
Laws carry sanctions of a governing authority; ethics do not
Law And Ethics In Information Security
As individuals we elect to trade some aspects of personal freedom for social order.
Laws are rules adopted for determining expected behavior in modern society and are drawn from Ethics, which define socially acceptable behaviors.
Ethics in turn are based on cultural mores: fixed moral attitudes or customs of a particular group.
Some ethics are recognized as universal among cultures.
Principles of Information Security, 2nd Edition

5. Types of Law Civil Criminal Tort Private Public
Civil law represents a wide variety of laws that are recorded in volumes of legal “code” available for review by the average citizen.
Criminal law addresses violations harmful to society and is actively enforced through prosecution by the state.
Tort law allows individuals to seek recourse against others in the event of personal, physical, or financial injury.
Private law regulates the relationship between the individual and the organization, and encompasses family law, commercial law, and labor law.
Public law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments, providing careful checks and balances. Examples of public law include criminal, administrative, and constitutional law.
Principles of Information Security, 2nd Edition

6. Relevant U.S. Laws (General)
Computer Fraud and Abuse Act of 1986 (CFA Act)
National Information Infrastructure Protection Act of 1996
USA Patriot Act of 2001
Telecommunications Deregulation and Competition Act of 1996
Communications Decency Act of 1996 (CDA)
Computer Security Act of 1987
Relevant U.S. Laws - General Computer Crime Laws:
The Computer Fraud and Abuse Act of 1986 is the cornerstone of many computer-related federal laws and enforcement efforts.
It was amended in October 1996 with the National Information Infrastructure Protection Act of 1996, which modified several sections of the CFA, and increased the penalties for selected crimes.
The USA Patriot Act of 2001 modified a wide range of existing laws to provide law enforcement agencies with broader latitude of actions to combat terrorism-related activities.
The Communication Act of 1934 was revised by the Telecommunications Deregulation and Competition Act of 1996, which attempts to modernize the archaic terminology of the older act.
These much-needed updates of terminology were included as part of the Communications Decency Act (CDA).
The CDA was immediately ensnared in a thorny legal debate over the attempt to define indecency, and ultimately rejected by the Supreme Court.
Another key law that is of critical importance for the information security professions is the Computer Security Act of 1987.
It was one of the first attempts to protect federal computer systems by establishing minimum acceptable security practices.
The National Bureau of Standards, in cooperation with the National Security Agency, became responsible for developing these security standards and guidelines.
Principles of Information Security, 2nd Edition

7. U.S. Copyright Law
Intellectual property recognized as protected asset in the U.S.; copyright law extends to electronic formats
With proper acknowledgement, permissible to include portions of others’ work as reference
U.S. Copyright Office Web site:
US Copyright Law
Intellectual property is recognized as a protected asset in the US. US copyright law extends this right to the published word, including electronic formats.
Fair use of copyrighted materials includes the use to support news reporting, teaching, scholarship, and a number of other related permissions, so long as the purpose of the use is for educational or library purposes, not for profit, and is not excessive.
Principles of Information Security, 2nd Edition

8. State and Local Regulations
Restrictions on organizational computer technology use exist at international, national, state, local levels
Information security professional responsible for understanding state regulations and ensuring organization is compliant with regulations
State & Local Regulations
In addition to the national and international restrictions placed on an organization in the use of computer technology, each state or locality may have a number of laws and regulations that impact operations.
It is the responsibility of the information security professional to understand state laws and regulations and insure the organization’s security policies and procedures comply with those laws and regulations.
Principles of Information Security, 2nd Edition

9. International Laws and Legal Bodies
European Council Cyber-Crime Convention:
Establishes international task force overseeing Internet security functions for standardized international technology laws
Attempts to improve effectiveness of international investigations into breaches of technology law
Well received by intellectual property rights advocates due to emphasis on copyright infringement prosecution
Lacks realistic provisions for enforcement
International Laws And Legal Bodies
Recently the Council of Europe drafted the European Council Cyber-Crime Convention, designed to create an international task force to oversee a range of security functions associated with Internet activities, and to standardize technology laws across international borders.
It also attempts to improve the effectiveness of international investigations into breaches of technology law.
This convention is well received by advocates of intellectual property rights with its emphasis on copyright infringement prosecution.
Principles of Information Security, 2nd Edition

10. United Nations Charter
Makes provisions, to a degree, for information security during information warfare (IW)
IW involves use of information technology to conduct organized and lawful military operations
IW is relatively new type of warfare, although military has been conducting electronic warfare operations for decades
United Nations Charter
To some degree the United Nations Charter provides provisions for information security during Information Warfare.
Information Warfare (IW) involves the use of information technology to conduct offensive operations as part of an organized and lawful military operation by a sovereign state. IW is a relatively new application of warfare, although the military has been conducting electronic warfare and counter-warfare operations for decades, jamming, intercepting, and spoofing enemy communications.
Principles of Information Security, 2nd Edition

11. Policy Versus Law
Most organizations develop and formalize a body of expectations called policy
Policies serve as organizational laws
To be enforceable, policy must be distributed, readily available, easily understood, and acknowledged by employees
Policy Versus Law
Most organizations develop and formalize a body of expectations that describe acceptable and unacceptable behaviors of the employee within the workplace. This body of expectations is called policy.
Properly executed policies function in an organization like laws, complete with penalties, judicial practices, and sanctions to require compliance.
For a policy to become enforceable, it must be:
Distributed to all individuals who are expected to comply with it.
Readily available for employee reference.
Easily understood with multi-language translations and translations for visually impaired, or literacy-impaired employees.
Acknowledged by the employee, usually by means of a signed consent form.
Only when all of these conditions are met, does the organization have the reasonable expectation that should an employee violate policy, they may be appropriately penalized without fear of legal retribution.
Principles of Information Security, 2nd Edition

12. Ethics and Information Security
Ethical Concepts In Information Security
“The Ten Commandments of Computer Ethics from The Computer Ethics Institute
1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people's computer work.
3. Thou shalt not snoop around in other people's computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people's computer resources without authorization or proper compensation.
8. Thou shalt not appropriate other people's intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
10. Thou shalt always use a computer in ways that insure consideration and respect for your fellow humans.”
Principles of Information Security, 2nd Edition

13. Ethical Differences Across Cultures
Cultural differences create difficulty in determining what is and is not ethical
Difficulties arise when one nationality’s ethical behavior conflicts with ethics of another national group
Example: many of ways in which Asian cultures use computer technology is software piracy
Cultural Differences In Ethical Concepts
With regard to computer use, differences in cultures cause problems in determining what is ethical and what is not ethical.
Studies of ethical sensitivity to computer use reveal that individuals of different nationalities have different perspectives on ethics.
Difficulties arise when one nationality’s ethical behavior contradicts that of another national group.
Principles of Information Security, 2nd Edition

14. Ethics and Education
Overriding factor in leveling ethical perceptions within a small population is education
Employees must be trained in expected behaviors of an ethical employee, especially in areas of information security
Proper ethical training vital to creating informed, well prepared, and low-risk system user
Ethics And Education
Employees must be trained and kept aware in a number of topics related to information security, not the least of which is the expected behaviors of an ethical employee.
This is especially important in areas of information security, as many employees may not have the formal technical training to understand that their behavior is unethical or even illegal. Proper ethical and legal training is vital to creating an informed, well prepared, and low-risk system user.
Principles of Information Security, 2nd Edition

15. Association of Computing Machinery (ACM)
ACM established in 1947 as “the world's first educational and scientific computing society”
Code of ethics contains references to protecting information confidentiality, causing no harm, protecting others’ privacy, and respecting others’ intellectual property
Association of Computing Machinery.
The ACM ( is a respected professional society, originally established in 1947, as “the world's first educational and scientific computing society”.
The ACM’s code of ethics requires members to perform their duties in a manner befitting an ethical computing professional.
The code contains specific references to protecting the confidentiality of information, causing no harm, protecting the privacy of others, and respecting the intellectual property and copyrights of others.
Principles of Information Security, 2nd Edition

16. Computer Security Institute (CSI)
Provides information and training to support computer, networking, and information security professionals
Though without a code of ethics, has argued for adoption of ethical behavior among information security professionals
CSI - Computer Security Institute
The Computer Security Institute ( provides information and certification to support the computer, networking, and information security professional.
While CSI does not promote a single certification certificate like the CISSP or GISO, it does provide a range of technical training classes in the areas of Internet Security, Intrusion Management, Network Security, Forensics, as well as technical networking.
Principles of Information Security, 2nd Edition

17. Key U.S. Federal Agencies
Department of Homeland Security (DHS)
Federal Bureau of Investigation’s National Infrastructure Protection Center (NIPC)
National Security Agency (NSA)
U.S. Secret Service
KEY U.S. FEDERAL AGENCIES
The Federal Bureau of Investigation’s National Infrastructure Protection Center (NIPC) ( was established in 1998 and serves as the U.S. government's focal point for threat assessment, warning, investigation, and response for threats or attacks against critical U.S. infrastructures.
A key part of the NIPC’s efforts to educate, train, inform and involve the business and public sector in information security is the National InfraGard Program.
Established in January of 2001, the National InfraGard Program began as a cooperative effort between the FBI’s Cleveland Field Office and local technology professionals.
Another key federal agency is the National Security Agency (NSA). The NSA is “the Nation's cryptologic organization. It coordinates, directs, and performs highly specialized activities to protect U.S. information systems and produce foreign intelligence information”
The NSA is responsible for signal intelligence and information system security.
The U.S. Secret Service is a department within the Department of the Treasury.
The Secret Service is also charged with the detection and arrest of any person committing a U.S. Federal offense relating to computer fraud and false identification crimes.
This represents an extension of the original mission of protecting U.S. currency-related issues to areas of communications fraud and abuse.
Principles of Information Security, 2nd Edition

18. Information Security Policy, Standards and Practices
Communities of interest must consider policies as basis for all information security efforts
Policies direct how issues should be addressed and technologies used
Security policies are least expensive controls to execute but most difficult to implement
Shaping policy is difficult
Information Security Policy, Standards and Practices
Management from all communities of interest must consider policies as the basis for all information security planning, design, and deployment.
In general, policies direct how issues should be addressed and technologies used, not cover the specifics on the proper operation of equipment or software.
Quality security programs begin and end with policy.
As information security is primarily a management rather than technical problem, policy guides personnel to function in a manner that will add to the security of its information assets.
Security policies are the least expensive control to execute, but the most difficult to implement.
Shaping policy is difficult because it must:
1) Never conflict with laws.
2) Stand up in court, if challenged.
3) Be properly administered, including thorough dissemination, and documentation from personnel showing they have read the policies.
Principles of Information Security, 2nd Edition

19. Definitions
Policy: course of action used by organization to convey instructions from management to those who perform duties
Policies are organizational laws
Standards: more detailed statements of what must be done to comply with policy
Practices, procedures and guidelines effectively explain how to comply with policy
For a policy to be effective, must be properly disseminated, read, understood and agreed to by all members of organization
A policy is
A plan or course of action, as of a government, political party, or business, intended to influence and determine decisions, actions, and other matters
Policies are organizational laws
Policies must contain information on what is right, and what is not; what the penalties are for violating policy, and what the appeal process is
Standards, on the other hand, are more detailed statements of what must be done to comply with policy
Practices, procedures and guidelines effectively explain how to comply with policy
For a policy to be effective it must be properly disseminated, read, understood and agreed to by all members of the organization.
Principles of Information Security, 2nd Edition

20. Principles of Information Security, 2nd Edition
Types of Policy
Management defines three types of security policy:
1) General or security program policy
2) Issue-specific security policies
3) Systems-specific security policies
Principles of Information Security, 2nd Edition

21. Policy Management Policies must be managed as they constantly change
To remain viable, security policies must have:
Individual responsible for reviews
A schedule of reviews
Method for making recommendations for reviews
Specific policy issuance and revision date
Policy Management
Policies are living documents that must be managed and nurtured, and are constantly changing and growing. These documents must be properly disseminated and managed.
Special considerations should be made for organizations undergoing mergers, takeovers and partnerships.
In order to remain viable, these policies must have:
an individual responsible for reviews,
a schedule of reviews,
a method for making recommendations for reviews, and
an indication of policy and revision date.
Automated Policy Management
There is an emergence of a new category of software for managing information security policies. In recent years, this category has emerged in response to needs articulated by information security practitioners.
While there have been many software products that meet specific technical control needs, there is now a need for software to automate some of the busywork of policy management.
Principles of Information Security, 2nd Edition

22. Information Classification
Classification of information is an important aspect of policy
Policies are classified
A clean desk policy stipulates that at end of business day, classified information must be properly stored and secured
In today’s open office environments, may be beneficial to implement a clean desk policy
Information Classification
The classification of information is an important aspect of policy. The same protection scheme created to prevent production data from accidental release to the wrong party should be applied to policies in order to keep them freely available, but only within the organization.
In today’s open office environments, it may be beneficial to implement a clean desk policy. A clean desk policy stipulates that at the end of the business day, all classified information must be properly stored and secured.
Principles of Information Security, 2nd Edition

23. Security Education, Training, and Awareness Program
As soon as general security policy exist, policies to implement security education, training and awareness (SETA) program should follow
SETA is a control measure designed to reduce accidental security breaches
Security education and training builds on the general knowledge the employees must possess to do their jobs, familiarizing them with the way to do their jobs securely
The SETA program consists of three elements: security education; security training; and security awareness
Security Education, Training, And Awareness Program
As soon as the policies have been drafted outlining the general security policy, policies to implement security education, training and awareness (SETA) programs in the organization should follow.
The SETA program is a control measure designed to reduce the incidences of accidental security breaches by employees.
SETA programs are designed to supplement the general education and training programs in place to educate staff on information security.
Security education and training is designed to build on the general knowledge the employees must possess to do their jobs, familiarizing them with the way to do their jobs, securely.
Principles of Information Security, 2nd Edition

24. Security Education
Everyone in an organization needs to be trained and aware of information security; not every member needs formal degree or certificate in information security
When formal education for individuals in security is needed, an employee can identify curriculum available from local institutions of higher learning or continuing education
A number of universities have formal coursework in information security
Security Education
Everyone in an organization needs to be trained and aware of information security, but not every member of the organization needs a formal degree or certificate in information security.
When formal education for appropriate individuals in security is needed, with the support of management, an employee can identify curriculum available from local institutions of higher learning or continuing education.
A number of universities have formal coursework in information security. (See for example
Principles of Information Security, 2nd Edition

25. Security Training
Involves providing members of organization with detailed information and hands-on instruction designed to prepare them to perform their duties securely
Management of information security can develop customized in-house training or outsource the training program
Security Training
Security training involves providing members of the organization with detailed information and hands-on instruction designed to prepare them to perform their duties securely.
Management of information security can develop customized in-house training or outsource the training program.
Principles of Information Security, 2nd Edition

26. Figure 5-15 – Spheres of Security
Figure 6-16, showing the sphere of security, is the foundation of the security framework.
Generally speaking, the sphere of security represents the fact that information is
under attack from a variety of sources. The sphere of use, at the left of the figure, illustrates
the ways in which people can directly access information: for example, people read
hard copies of documents; they also access information through systems, such as the
electronic storage of information. Information, as the most important asset to security,
is illustrated at the core of the sphere. Information is always at risk from attacks through
the people and computer systems that have direct access to the information. Networks
and the Internet represent indirect threats, as exemplified by the fact that a person
attempting to access information from the Internet must first go through the local
networks and then access systems that contain the information. The sphere of protection,
at the right of the figure, illustrates that between each layer of the sphere of use
there must exist a layer of protection to prevent access to the inner layer from the
outer layer. Each shaded band is a layer of protection and control. For example, the
layer labeled “policy education and training” is located between people and the information.
Controls are also implemented between systems and the information,
between networks and the computer systems, and between the Internet and internal
networks. This reinforces the concept of defense in depth.
As illustrated in the sphere of protection portion of Figure 6-16, a variety of controls can be used to protect the
information. The list in the figure is not intended to be comprehensive but illustrates
individual safeguards that protect the various systems that are located closer to the
center of the sphere. However, as people can directly access each ring as well as the
information at the core of the model, people require unique approaches to security.
In fact, the resource of people must become a layer of security, a human firewall that
protects the information from unauthorized access and use. The members of the
organization must become a safeguard, which is effectively trained, implemented,
and maintained, or else they, too, become a threat to the information.
Principles of Information Security, 2nd Edition

27. Design of Security Architecture
Defense in depth
Implementation of security in layers
Requires that organization establish sufficient security controls and safeguards so that an intruder faces multiple layers of controls
Security perimeter
Point at which an organization’s security protection ends and outside world begins
Does not apply to internal attacks from employee threats or on-site physical threats
The Design Of Security Architecture
Defense in Depth – One of the foundations of security architectures is the requirement to implement security in layers. Defense in depth requires that the organization establish sufficient security controls and safeguards, so that an intruder faces multiple layers of controls.
Security Perimeter – The point at which an organization’s security protection ends, and the outside world begins, is referred to as the security perimeter. Unfortunately the perimeter does not apply to internal attacks from employee threats, or on-site physical threats.
Principles of Information Security, 2nd Edition

28. Key Technology Components
Firewall: device that selectively discriminates against information flowing into or out of organization
Demilitarized zone (DMZ): no-man’s land between inside and outside networks where some organizations place Web servers
Intrusion Detection Systems (IDSs): in effort to detect unauthorized activity within inner network, or on individual machines, organization may wish to implement an IDS
Key Technology Components
A few other key technology components that are important to understand during the design phase of a security architecture are the firewall, proxy server, intrusion detection systems, and the DMZ.
A firewall is a device that selectively discriminates against information flowing into or out of the organization.
A firewall is usually a computing device, or specially configured computer that allows or prevents information from entering or exiting the defined area based on a set of predefined rules.
The DMZ (demilitarized zone) is a no-man’s land, between the inside and outside networks, where some organizations place Web servers. These servers provide access to organizational Web pages, without allowing Web requests to enter the interior networks.
An alternative approach to this strategy is to use a proxy server or firewall. A proxy server performs actions on behalf of another system. When an outside client requests a particular Web page, the proxy server receives the request then asks for the same information from the true Web server.
In an effort to detect unauthorized activity within the inner network, or on individual machines, an organization may wish to implement Intrusion Detection Systems or IDS.
Host-based IDS are usually installed on the machine the organization wishes to protect and to safeguard that particular system from unauthorized use by monitoring the status of various files stored on that system.
Network-based IDS look at patterns of network traffic and attempt to detect unusual activity based on previous baselines.
Principles of Information Security, 2nd Edition

29. Figure 5-18 – Key Components
Principles of Information Security, 2nd Edition

30. Summary
Laws: rules that mandate or prohibit certain behavior in society; drawn from ethics
Ethics: define socially acceptable behaviors; based on cultural mores (fixed moral attitudes or customs of a particular group)
Types of law: civil, criminal, tort law, private, public
Management has essential role in development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines
Principles of Information Security, 2nd Edition