
Legal, Ethical & Professional Issues


Presentation on theme: "Legal, Ethical & Professional Issues"— Presentation transcript:

1 Legal, Ethical & Professional Issues
CC3020N Fundamentals of Security Management
Lecture 7: Legal, Ethical & Professional Issues

2 Learning Objectives
Upon completion of this material you should be able to:
- Differentiate between law and ethics
- Identify some of the major national and international laws that relate to the practice of information security
- Understand the role of culture as it applies to ethics in information security
- Current laws, regulations, and relevant professional organizations' codes of conduct/ethics

Notes: Learning Objectives. Upon completion of this material you should be able to: define information security policy and understand its central role in a successful information security program; know the three major types of information security policy often used and what goes into each type; develop, implement, and maintain various types of information security policies.

3 Introduction
As a future IS professional, you must understand the scope of an organization's legal and ethical responsibilities. To minimize liabilities and reduce risks, the information security practitioner must:
- Understand the current legal environment
- Stay current with laws and regulations
- Watch for new issues that emerge

Notes: Introduction. This chapter focuses on information security policy: what it is, how to write it, how to implement it, and how to maintain it. Policy is the essential foundation of an effective information security program. "The success of an information resources protection program depends on the policy generated, and on the attitude of management toward securing information on automated systems. You, the policy maker, set the tone and the emphasis on how important a role information security will have within your agency. Your primary responsibility is to set the information resource security policy for the organization with the objectives of reduced risk, compliance with laws and regulations and assurance of operational continuity, information integrity, and confidentiality."

4 Law and Ethics in Information Security
- Laws: rules that mandate or prohibit certain societal behavior (formally adopted rules).
- Ethics: define socially acceptable behavior based on cultural mores (some are universal).
- Cultural mores: relatively fixed moral attitudes or customs of a particular group (ethics are based on these).
- Difference: laws carry the sanctions (enforcement) of a governing authority; ethics do not.

5 The Legal Environment
The IS professional and managers must possess a rudimentary grasp of the legal framework within which their organizations operate. This legal environment can influence the organization to a greater or lesser extent, depending on the nature of the organization and the scale on which it operates.

6 Legislative Lag
A long period of time elapses between innovations in criminal enterprise and the response of the state and law enforcement agencies.
Illusion: digital crime develops and changes very rapidly, but it may take years for legislation to be enacted, by which time the crime may well have mutated or developed to assume a different form.

7 Types of Law
- Civil law: represents a wide variety of laws that govern a nation/state.
- Criminal law: addresses violations harmful to society and is actively enforced and prosecuted by the state.
- Tort law: a subset of civil law that allows individuals to seek recourse against others in the event of personal, physical, or financial injury.

8 Types of Law
- Private law: regulates the relationships among individuals and between individuals and organizations, and encompasses family law, commercial law, and labor law.
- Public law: regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments, and includes criminal, administrative, and constitutional law.

9 Relevant US Laws (General)
- Computer Fraud and Abuse Act of 1986 (CFA Act)
- National Information Infrastructure Protection Act of 1996
- USA Patriot Act of 2001
- Telecommunications Deregulation and Competition Act of 1996
- Communications Decency Act of 1996 (CDA)
- Computer Security Act of 1987

10 Relevant US Laws

11 Relevant US Laws

12 Relevant US Laws

13 Relevant UK Laws (General)
- Data Protection Act (1998)
- Computer Misuse Act (1990)
- Copyright, Designs and Patent Act (1988)
- Regulation of Investigatory Powers Act (2000)
- Human Rights Act (1998)
- Others

14 Data Protection Act (1998) (http://www.opsi.gov
- Received Royal Assent on 16 July 1998; came into force early 1999.
- Followed EC Directive 95/46/EC, ratified on 24 Oct 1995, which requires: "Member States to protect the fundamental rights and freedoms of natural persons, in particular their right to privacy with respect to the processing of personal data."
- The UK decided to introduce domestic legislation to satisfy the requirements of the Directive.

15 Data Protection Act (1998): Definitions
- Personal Data: means data that relate to a living individual who can be identified from those data, and includes any expression of opinion about the individual.
- Processing: means obtaining, recording or holding the data, including organisation, adaptation or alteration and disclosure of the information contained in the data.

16 Data Protection Act (1998): Principles of the Data Protection Act
- Information shall be obtained and processed 'fairly and lawfully'.
- Information shall be held only for one or more specific and lawful purposes.
- Companies should not hold information that is excessive or not relevant to the purposes the company has registered under the Act.
- Information held on individuals should be accurate and up-to-date.
- Information should not be held for longer than necessary.
- Individuals have the right to see the data held on them and have corrections made where necessary.
- Companies must take measures to protect information from unauthorised access.

17 Data Protection Act (1998): Individuals' Rights
- Right of subject access: entitled to be told of the logic involved. If the data subject believes that a data controller has failed to comply with a subject access request, they may apply for a Court order.
- Right to prevent processing likely to cause damage or distress.
- Right to prevent processing for the purposes of direct marketing.
- Rights in relation to automated decision-taking.
- Right to take action for compensation if the individual suffers damage by any contravention of the Act by the data controller.
- Right to take action to rectify, block, erase or destroy inaccurate data.
- Right to make a request to the Commissioner for an assessment to be made as to whether any provision of the Act has been contravened.

18 Data Protection Act (1998): Exemptions
- Primary Exemptions: National Security, Crime, Taxation, Health, Education and Social Work.
- Special Purpose Exemptions: publication of journalistic, literary or artistic material if in the public interest; could also include research, historical and statistical studies.
- Miscellaneous Exemptions: personal data concerning the armed forces, judicial and ministerial appointments, even candidates' examination scripts are all exempt from subject information provisions.

19 Data Protection Act (1998): Check List for Business
Make sure that:
- Manual records are treated the same as automated records, especially regarding providing subject access.
- Any processing of personal data is solely on the basis of one of the specified criteria, including those for sensitive data.
- Procedures meet all requirements for informing individuals when obtaining or disclosing data.
- Subject access procedures are modified to provide the additional material required.
- Data sent outside the European Economic Area (EEA) will get adequate protection, or one of the exceptions applies.
- Registered entries are brought up-to-date, and rationalised and consolidated as far as possible.
- Advice from government and the Commissioner is heeded, especially on transitional arrangements.

20 Computer Misuse Act (1990) (http://www.opsi.gov
An Act to make provision for securing computer material against unauthorised access or modification; and for connected purposes. Offences:
- unauthorised access to computer material
- unauthorised access with the intention of carrying out or assisting others with the commission of further offences
- unauthorised modification of computer material:
  - impairing the operation of a program or the reliability of the data
  - preventing or hindering access to any program or data

21 Copyright, Designs and Patent Act (1988) (http://www.opsi.gov
The Act is the chief defense to protect organisations and software developers from the unauthorised copying of designs, software, printed materials and any other works. It allows a company to safeguard its intellectual property rights (IPR) against competitors and others who might wish to profit from the company's research and investment.
Intellectual property: a generic term used to describe designs, ideas and inventions. In general, IP covers the areas of patents, trademarks, designs and copyright.

22 Copyright, Designs and Patent Act (1988)
Significant issues are:
- Ownership of bespoke software developed for the company by a consultant.
- Employees taking software to another company.
- Software theft.
Potential problems:
- ownership of work
- rights to any materials produced
- number of licenses
How to deal with these potential problems:
- Companies should establish ownership of materials by recording their details.
- All contracts should include clauses dealing with copyright ownership.
- Regular software audits are essential.

23 Other Legislation
- Regulation of Investigatory Powers (RIP) Act (2000): allows electronic communications to be monitored by government agencies.
- Human Rights Act (1998): provides UK citizens with a set of fundamental rights, including a right to privacy; applies to the whole of the EU.
- Freedom of Information Act (2000): extends the Data Protection Act 1998 provisions about subject access and data accuracy to all personal information held by public authorities.

24 International Laws and Legal Bodies
Many domestic laws and customs do not apply to international trade, which is governed by international treaties and trade agreements. Because of the political complexities of the relationships among nations and cultural differences, there are currently few international laws relating to privacy and information security.

25 European Convention on Cybercrime
- A legally binding text since 2004.
- Ratified by 21 countries; 22 remain as signatories (including the UK).

26 European Convention on Cybercrime (cont.)
European Council Cyber-Crime Convention:
- Establishes an international task force overseeing Internet security functions for standardized international technology laws.
- Attempts to improve the effectiveness of international investigations into breaches of technology law.
- The overall goal is to simplify the acquisition of information for law enforcement agents in certain types of international crimes, as well as the extradition process.
- Well received by intellectual property rights advocates due to its emphasis on copyright infringement prosecution.
- Lacks realistic provisions for enforcement.

27 Digital Millennium Copyright Act (DMCA)
- U.S. contribution to the international effort to reduce the impact of copyright, trademark, and privacy infringement.
- A response to European Union Directive 95/46/EC, which adds protection to individuals with regard to the processing and free movement of personal data.
- The UK has already implemented a version of this directive.

28 The Digital Millennium Copyright Act (DMCA) is a United States copyright law that implements two 1996 treaties of the World Intellectual Property Organization (WIPO). It criminalizes production and dissemination of technology, devices, or services intended to circumvent measures (commonly known as digital rights management or DRM) that control access to copyrighted works. It also criminalizes the act of circumventing an access control, whether or not there is actual infringement of copyright itself. In addition, the DMCA heightens the penalties for copyright infringement on the Internet. Passed on October 12, 1998 by a unanimous vote in the United States Senate and signed into law by President Bill Clinton on October 28, 1998, the DMCA amended Title 17 of the United States Code to extend the reach of copyright, while limiting the liability of the providers of on-line services for copyright infringement by their users. On May 22, 2001, the European Union passed the Copyright Directive or EUCD, which addresses some of the same issues as the DMCA. But the DMCA's principal innovation in the field of copyright, the exemption from direct and indirect liability of internet service providers and other intermediaries (Title II of the DMCA), was separately addressed, and largely followed, in Europe by means of the separate Electronic Commerce Directive. (Unlike U.S. federal laws and regulations, the execution of European Union directives usually requires separate legislation by or within each of the Union's member states.)

29 United Nations Charter
- Makes provisions, to a degree, for information security during information warfare (IW).
- IW involves the use of information technology to conduct organized and lawful military operations.
- IW is a relatively new type of warfare, although the military has been conducting electronic warfare operations for decades.

30 International Laws and Legal Bodies

31 Policy Versus Law
Most organizations develop and formalize a body of expectations called policy. Policies serve as organizational laws.
Unlike law, however, ignorance is an acceptable defense against a policy violation.
To be enforceable, policy must be distributed, readily available, easily understood, and acknowledged by employees.

32 Ethics and Information Security
The Ten Commandments (Decalogue) of Computer Ethics (from the Computer Ethics Institute)
Thou shalt not:
Use a computer to harm other people
Interfere with other people's computer work
Snoop around in other people's computer files
Use a computer to steal
Use a computer to bear false witness
Copy or use proprietary software for which you have not paid
Use other people's computer resources without authorization or proper compensation
Appropriate other people's intellectual output
Thou shalt:
Think about the social consequences of the program you are writing or the system you are designing
Always use a computer in ways that ensure consideration and respect for your fellow humans

33 Ethical Differences across Cultures
Cultural differences create difficulty in determining what is and is not ethical.
Difficulties arise when one nationality's ethical behavior conflicts with the ethics of another national group.
Individuals of different nationalities may have different perspectives on the ethics of computer use.

34 Ethical Differences across Cultures (cont.)
Differences in computer use ethics are not exclusively cultural. Differences are found among individuals within the same country, same social class, and same company.
The overriding factor in leveling ethical perceptions within a small population is education.
Employees must be trained in the expected behaviors of an ethical employee, especially in areas of information security.

35 Deterrence to Unethical and Illegal Behavior
Deterrence is the best method for preventing an illegal or unethical activity. Examples of deterrents include laws, policies, and technical controls.
However, laws and policies and their associated penalties only deter if three conditions are present:
Fear of penalty
Probability of being caught
Probability of the penalty being administered

36 Ethical and Professional Issues
[Diagram: Professionalism (professional standard), Ethics (common belief) and Morality (personal belief); the IS professional at the centre, surrounded by Profession and code of conduct, Society and public safety, State and legislation, and Personal values.]

37 Codes of Ethics & Professional Organizations
Several professional organizations have established codes of conduct/ethics.
Codes of conduct can have a positive effect on an individual's judgment regarding computer use.
Unfortunately, many employers do not encourage joining these professional organizations.
It is the responsibility of IS professionals to act ethically and according to the policies of their employer, their professional organization, and the laws of society.

38 British Computer Society (http://www.bcs.org/)
BCS Code of Conduct (
Rules are grouped into the principal duties that all members should endeavour to discharge in pursuing their professional lives:
The Public Interest
Duty to Employers and Clients
Duty to the Profession
Professional Competence and Integrity

39 Association of Computing Machinery (ACM)
ACM was established in 1947 as "the world's first educational and scientific computing society". It is one of the few organizations that strongly promotes education and provides discounted membership for students.
Its code of ethics contains references to protecting information confidentiality, causing no harm, protecting others' privacy, and respecting others' intellectual property.
( of-ethics-and-professional- conduct/comments?searchterm=code+of+conduct)

40 International Information Systems Security Certification Consortium, Inc. (ISC)2 (
Non-profit organization focusing on the development and implementation of information security certifications and credentials.
Its code is primarily designed for information security professionals who hold a certification from (ISC)2.
The code of ethics focuses on four mandatory canons:
Protect society, the commonwealth, and the infrastructure
Act honorably, honestly, justly, responsibly, and legally
Provide diligent and competent service to principals
Advance and protect the profession

41 System Administration, Networking, and Security Institute (SANS) (http://www.sans.org/)
Founded in 1989, SANS is a professional organization with over 156,000 security professionals, auditors, and system and network administrators.
SANS offers a set of certifications called Global Information Assurance Certification (GIAC), whose Code of Ethics requires:
Respect for the public
Respect for the certification
Respect for my employer
Respect for myself

42 Information Systems Audit and Control Association (ISACA) (http://www
Professional association with a focus on auditing, control, and security. The membership comprises both technical and managerial professionals.
Concentrates on providing IT control practices and standards.
ISACA has a code of ethics for its professionals.

43 Information Systems Audit and Control Association (ISACA) (cont.)
Nonprofit society of information security professionals. Its primary mission is to bring together qualified IS practitioners for information exchange and educational development.
Promotes a code of ethics similar to those of (ISC)2, ISACA and ACM, "promoting management practices that will ensure the confidentiality, integrity, and availability of organizational information resources."

44 Organizational Liability and the Need for Counsel
What if an organization does not support or encourage strong ethical conduct on the part of its employees? What if an organization does not behave ethically?
If an employee, acting with or without authorization, performs an illegal or unethical act that causes some degree of harm, the organization can be held financially liable for that action.
An organization increases its liability (legal obligation) if it refuses to take the measures known as due care: making sure that every employee knows what is acceptable and what is not, and the consequences of illegal or unethical actions.
Due diligence requires that an organization make a valid and ongoing effort to protect others.

45 Summary Law and Ethics in Information Security
Laws: rules that mandate or prohibit certain behavior in society; drawn from ethics.
Ethics: define socially acceptable behaviors; based on cultural mores (fixed moral attitudes or customs of a particular group).
Professional Organizations' Codes of Conduct/Ethics
Organizational Liability and the Need for Counsel
