Chapter 12 “Law and Ethics”
Benjamin Barry, Lori Blair, Chuck Fell, David Kidd, Sri Vuyyuru
Management of Information Security, 3rd ed. | Spring 2012 / CIS 8080 / Dr. Phillips
Agenda
• David (slides 1-11): Introduction; Objectives; Types of Law; Key U.S. Laws
• Lori (slides 12-30): Relevant U.S. Laws
• Chuck (slides 31-43): International Laws and Legal Bodies; State and Local Regulations; Policy vs. Law; Ethics in Information Security; Ethics & Education; Deterring Unethical and Illegal Behavior
• Benjamin (slides 44-58): Professional Organizations
• Sri (slides 59-71): Key Law Enforcement Agencies; Managing Investigations in an Organization
• David (slides 72-79): Affidavits & Search Warrants; Digital Forensics Methodology; Evidentiary Procedures; Summary
Objectives
• Upon completion of this chapter, you should be able to:
  – Differentiate between law and ethics
  – Describe the ethical foundations and approaches that underlie modern codes of ethics
  – Identify major national and international laws that relate to the practice of information security
  – Describe the role of culture as it applies to ethics in information security
  – Identify current information on laws, regulations, and relevant professional organizations
Introduction
• All information security professionals must understand the scope of an organization’s legal and ethical responsibilities
• Understand the current legal environment
  – Keep apprised of new laws, regulations, and ethical issues as they emerge
  – To minimize the organization’s liabilities
• Educate employees and management about their legal and ethical obligations
  – And proper use of information technology
Law and Ethics in Information Security
• Laws
  – Rules adopted and enforced by governments to codify expected behavior in modern society
• The key difference between law and ethics is that law carries the sanction of a governing authority and ethics do not
• Ethics are based on cultural mores
  – Relatively fixed moral attitudes or customs of a societal group
Information Security and the Law
• InfoSec professionals and managers must understand the legal framework within which their organizations operate
  – Can influence the organization to a greater or lesser extent, depending on the nature of the organization and the scale on which it operates
Types of Law
• Civil law
  – Pertains to relationships between and among individuals and organizations
• Criminal law
  – Addresses violations harmful to society
  – Actively enforced and prosecuted by the state
• Tort law
  – A subset of civil law that allows individuals to seek redress in the event of personal, physical, or financial injury
Types of Law (cont.)
• Private law
  – Regulates the relationships among individuals and among individuals and organizations
    • Family law, commercial law, and labor law
• Public law
  – Regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments
    • Criminal, administrative, and constitutional law
Table 12-1a: Key U.S. laws of interest to information security professionals
Table 12-1b: Key U.S. laws of interest to information security professionals
Relevant U.S. Laws
• The Computer Fraud and Abuse Act of 1986 (CFA Act)
  – Cornerstone of computer-related federal laws and enforcement efforts
  – Amended in October 1996 by the National Information Infrastructure Protection Act
    • Modified several sections of the previous act, and increased the penalties for select crimes
Relevant U.S. Laws (cont.)
• CFA Act (cont.)
  – Further modified by the USA Patriot Act of 2001
    • Gave law enforcement agencies broader latitude to combat activities related to terrorism
    • The USA Patriot Improvement and Reauthorization Act of 2005 updated and extended the USA Patriot Act
Relevant U.S. Laws (cont.)
• Computer Security Act of 1987
  – One of the first attempts to protect federal computer systems by establishing minimum acceptable security practices
  – Established the Computer System Security and Privacy Advisory Board within the Department of Commerce
  – Mandated periodic training in accepted computer security awareness and practices for all users of Federal computer systems
Relevant U.S. Laws (cont.)
• Computer Security Act of 1987 (cont.)
  – Charged what is now called the NIST with the development of:
    • Standards, guidelines, and associated methods and techniques for computer systems
    • Uniform standards and guidelines for most Federal computer systems
    • Technical, management, physical, and administrative standards and guidelines for the cost-effective security and privacy of sensitive information in Federal computer systems
Relevant U.S. Laws (cont.)
• Computer Security Act of 1987 (cont.)
  – Charged the NIST with the development of:
    • Security awareness training guidelines for employees of operators of federal computer systems containing sensitive information
    • Validation procedures for standards and guidelines, and evaluation of their effectiveness, through research and liaison with other government and private agencies
Relevant U.S. Laws (cont.)
• Privacy Laws
  – Many organizations collect, trade, and sell personal information as a commodity
  – Aggregation of data from multiple sources permits organizations to build databases with alarming quantities of personal information
  – Individuals are looking to governments to protect their privacy
Relevant U.S. Laws (cont.)
• Privacy Laws (cont.)
  – The Privacy of Customer Information Section of USC Title 47 covering common carriers
    • Specifies that proprietary information shall be used only for providing services, and not for marketing
  – The Federal Privacy Act of 1974 regulates the government’s use of private information
    • Ensures that government agencies protect the privacy of individuals’ and businesses’ information
Relevant U.S. Laws (cont.)
• Privacy Laws (cont.)
  – Electronic Communications Privacy Act of 1986
    • A collection of statutes that regulates the interception of wire, electronic, and oral communications
  – These statutes work in tandem with the 4th Amendment of the Constitution, which prohibits search and seizure without a warrant
Relevant U.S. Laws (cont.)
• Health Insurance Portability & Accountability Act of 1996 (HIPAA)
  – Attempts to protect the confidentiality and security of healthcare data
    • Establishes and enforces standards
    • Standardizes electronic data interchange (EDI)
  – Requires organizations that retain healthcare information to use information security mechanisms
  – Also requires the assessment of the organization's InfoSec systems, policies, and procedures
Relevant U.S. Laws (cont.)
• HIPAA (cont.)
  – Provides guidelines for the use of electronic signatures
    • Based on security standards that ensure message integrity, user authentication, and nonrepudiation
  – Fundamental privacy principles:
    • Consumer control of medical information
    • Boundaries on the use of medical information
    • Accountability for the privacy of information
Relevant U.S. Laws (cont.)
• HIPAA (cont.)
  – Fundamental privacy principles (cont.):
    • Balance between the public responsibility to use medical information for the greater good measured against impact on the individual
    • Overall security of health information
Relevant U.S. Laws (cont.)
• The Financial Services Modernization Act
  – Also called Gramm-Leach-Bliley Act of 1999
  – Applies to banks, securities firms, and insurance companies
  – Requires all financial institutions to disclose their privacy policies, which must describe:
    • How they share nonpublic personal information
    • How customers can request that their information not be shared with third parties
Relevant U.S. Laws (cont.)
• The Financial Services Modernization Act (cont.)
  – Ensures that the privacy policies in effect are fully disclosed when a customer initiates a business relationship with an organization
  – They must be distributed at least annually for the duration of the professional association
Relevant U.S. Laws (cont.)
• Export and Espionage Laws
  – Economic Espionage Act (EEA) of 1996
    • Attempts to protect U.S. intellectual property and competitive advantage
    • Attempts to protect a company’s trade secrets from espionage initiated by:
      – A foreign government
      – Another company
      – Or a disgruntled former employee
Relevant U.S. Laws (cont.)
• Export and Espionage Laws (cont.)
  – The Security and Freedom through Encryption Act of 1997
    • Provides guidance on the use of encryption
    • Institutes measures to protect the public from government intervention
    • Reinforces an individual’s right to use or sell encryption algorithms
    • Prohibits the federal government from requiring the use of encryption for contracts, grants, and other official documents, or correspondence
Relevant U.S. Laws (cont.)
• U.S. Copyright Law
  – Extends protection of intellectual property, including words published in electronic formats
  – ‘Fair use’ allows material to be quoted so long as the purpose is educational and not for profit, and that usage is not excessive
  – Proper acknowledgement must be provided to the author and/or copyright holder of such works by including a description of the location of source materials, using a recognized form of citation
Relevant U.S. Laws (cont.)
• Freedom of Information Act of 1966
  – All Federal agencies are required to disclose records, requested in writing, by any person
  – Applies only to Federal agencies and not to records held by Congress, the courts, or by state or local government agencies
• Sarbanes-Oxley Act of 2002 (SOX)
  – Enforces accountability for the financial record keeping and reporting of publicly traded corporations
Relevant U.S. Laws (cont.)
• Sarbanes-Oxley Act of 2002 (cont.)
  – Requires that the CEO and CFO assume direct and personal accountability for the completeness and accuracy of a publicly traded company’s financial reporting and record-keeping systems and their internal controls
  – Availability and confidentiality are also emphasized as executives attempt to ensure that the systems used to record and report are sound
Agenda
• Chuck (slides 31-43): International Laws and Legal Bodies; State and Local Regulations; Policy vs. Law; Ethics in Information Security; Ethics & Education; Deterring Unethical and Illegal Behavior
International Laws and Legal Bodies
• International trade is governed by international treaties and trade agreements
  – Many domestic laws and customs do not apply
• There are currently few international laws relating to privacy and information security
  – Because of cultural differences and political complexities of the relationships among nations
International Laws and Legal Bodies (cont.)
• European Council Cyber-Crime Convention
  – Empowers an international task force to oversee a range of Internet security functions
    • Standardizes technology laws internationally
  – Attempts to improve the effectiveness of international investigations into breaches of technology law
  – Goal is to simplify the acquisition of information for law enforcement agents in certain types of international crimes, as well as the extradition process
International Laws and Legal Bodies (cont.)
• The Digital Millennium Copyright Act
  – A U.S.-based international effort to reduce the impact of copyright, trademark, and privacy infringement, especially via the removal of technological copyright protection measures
• European Union Directive 95/46/EC
  – Increases individual rights to process and freely move personal data
• Database Right
  – U.K. version of this directive
State and Local Regulations
• Information security professionals must understand state laws and regulations
  – Ensure that their organization’s security policies and procedures comply
• Georgia Computer Systems Protection Act
  – Has various computer security provisions
  – Establishes specific penalties for use of information technology to attack or exploit information systems in organizations
State and Local Regulations (cont.)
• The Georgia Identity Theft Law
  – Requires that a business may not discard a record containing personal information unless it shreds, erases, modifies, or otherwise makes the information irretrievable
Policy Versus Law
• Difference between policy and law
  – Ignorance of policy is an acceptable defense
• Policies must be:
  – Distributed to all individuals who are expected to comply with them
  – Readily available for employee reference
  – Easily understood, with multilingual, visually impaired, and low-literacy translations
  – Acknowledged by employee with consent form
  – Uniformly enforced for all employees
Ethics in Information Security
• The student of information security is not expected to study the topic of ethics in a vacuum, but within a larger ethical framework
  – Information security professionals may be expected to be more articulate about the topic than others in the organization
    • Often must withstand a higher degree of scrutiny
Ethics in Information Security (cont.)
• The Ten Commandments of Computer Ethics
  – From the Computer Ethics Institute
  – Thou shalt not:
    • Use a computer to harm other people
    • Interfere with other people's computer work
    • Snoop around in other people's computer files
    • Use a computer to steal
    • Use a computer to bear false witness
    • Copy or use proprietary software for which you have not paid
Ethics in Information Security (cont.)
• The Ten Commandments of Computer Ethics (cont.)
  – Thou shalt not (cont.):
    • Use other people's computer resources without authorization or proper compensation
    • Appropriate other people's intellectual output
  – Think about the social consequences of the program you are writing or the system you are designing
  – Always use a computer in ways that ensure consideration and respect for fellow humans
Ethics and Education
• Differences in computer use ethics
  – Not exclusively cultural
  – Found among individuals within the same country, within the same social class, and within the same company
• Key studies reveal that the overriding factor in leveling the ethical perceptions within a small population is education
• Employees must be trained on the expected behaviors of an ethical employee
Deterring Unethical and Illegal Behavior
• InfoSec personnel should do everything in their power to deter unethical and illegal acts
  – Using policy, education and training, and technology as controls to protect information
• Categories of unethical behavior
  – Ignorance
  – Accident
  – Intent
Deterring Unethical and Illegal Behavior (cont.)
• Deterrence
  – Best method for preventing an illegal or unethical activity
  – Examples: laws, policies, and technical controls
  – Laws and policies and their associated penalties only deter if three conditions are present:
    • Fear of penalty
    • Probability of being caught
    • Probability of penalty being administered
What is the purpose?
• Establish codes of ethics
• Has more effect
• Responsibility of the organization
ACM
• www.acm.org
• World’s first educational and scientific computing society
• Strongly promotes education
• Publishes Communications of the ACM
• Code of ethics
  – Respect confidentiality of information
  – Cause no harm to systems (e.g., viruses)
  – Protect others' privacy
  – Respect others' copyrights
ISC
• www.isc2.org
• Nonprofit organization that focuses on the development of information security certifications and credentials
• Evaluates examinations for information security certifications
• Their code focuses on "trustworthiness":
  – Protect the infrastructure
  – Act responsibly and legally
  – Provide competent service to principals
  – Advance and protect the profession
SANS
• www.sans.org
• Dedicated to the protection of information and systems
• Has a large professional membership
• Code of ethics:
  – Respect for the Public
  – Respect for the Certification
  – Respect for My Employer
  – Respect for Myself
ISACA
• Focuses on auditing, control, and security
• Membership is comprised of both technical and managerial professionals
• Offers the CISA certification, which does not focus exclusively on information security but does contain many information security components
• Code of ethics:
  – Comply with controls for information systems
  – Perform duties with objectivity
  – Serve the interest of stakeholders in a lawful and honest manner
  – Maintain privacy and confidentiality
  – Only perform tasks in which you are competent
  – Inform relevant parties of the results of work performed
  – Enhance the understanding of stakeholders in regards to information systems and control
ISSA
• www.issa.org
• A nonprofit society of information security professionals
• Primary mission
• Similar code of ethics to those of ISC, ISACA, and the ACM:
  – Perform professional activities and duties in accordance with highest ethical principles
  – Promote best practices and standards
  – Maintain confidentiality
  – Carry out responsibilities with honesty
  – Abstain from "conflicts of interest"
  – Do not intentionally injure the reputation of colleagues, clients, or employers
Organizational Liability
• Extremely important for people and companies to follow ethical guidelines
• Liability: an organization can still be held responsible even if no law has been broken, provided that some degree of harm has been caused
• Long arm jurisdiction
Agenda
• Sri (slides 59-71): Key Law Enforcement Agencies; Managing Investigations in an Organization
Key Law Enforcement Agencies
• Federal Bureau of Investigation’s InfraGard Program (48,355 members)
  – Bridge between the FBI and the private sector
  – InfraGard collaborates with public and private organizations and the academic community to share information about attacks, vulnerabilities, and threats
  – Every FBI field office has established an InfraGard chapter with an FBI special agent coordinator, who works closely with FBI headquarters
Key Law Enforcement Agencies (cont.)
• Goals & Objectives of InfraGard
  – Timely communication between the members and the FBI
  – To increase information sharing and interaction among InfraGard members and the FBI about cybercrime and counter terrorism
  – To provide InfraGard members value-added alerts, threat advisories, and warnings
  – To provide a forum for training to all members about counter terrorism and potential cyber crimes
• InfraGard secure website for all members
Key Law Enforcement Agencies (cont.)
• National Security Agency (NSA)
  – The nation's cryptologic organization
  – Coordinates, directs, and performs highly specialized activities to protect U.S. information systems and produce foreign intelligence information
  – Mission: Signals Intelligence (SIGINT) and Information Assurance (IA)
  – Vision: Global Cryptologic Dominance through Responsive Presence and Network Advantage
  – Values: Lawfulness, honesty, integrity, fairness, accountability, loyalty, collaboration, innovation, and learning
Key Law Enforcement Agencies (cont.)
• Department of Homeland Security
  – Formed when the U.S. Secret Service was transferred to it from the Department of the Treasury
• Who is responsible for securing the nation’s critical infrastructure? DHS or NSA?
• DHS, Not NSA, Should Lead Cyber security - Pentagon Official
Key Law Enforcement Agencies (cont.)
• U.S. Secret Service is a department within the Department of the Treasury
  – In addition to its well-known mission to protect key members of the U.S. government
    • Also charged with the detection and arrest of any person committing a U.S. federal offense relating to computer fraud, as well as false identification crimes
• Secret Service’s role in the case of JotForm.com
Managing Investigations in the Organization
• When (not if) an organization finds itself dealing with a suspected policy or law violation
  – Must appoint an individual to investigate it
  – How the internal investigation proceeds
    • Dictates whether or not the organization has the ability to take action against the perpetrator if in fact evidence is found that substantiates the charge
Managing Investigations in the Organization (cont.)
• In order to protect the organization, and to possibly assist law enforcement in the conduct of an investigation
  – The investigator (CISO, InfoSec Manager, or other appointed individual) must document what happened and how
Managing Investigations in the Organization (cont.)
• Forensics
  – The coherent application of methodical investigatory techniques to present evidence of crimes in a court or court-like setting
  – Duties include:
    1. Seizing and collecting digital evidence at a crime scene
    2. Conducting an impartial examination of submitted computer evidence
    3. Testifying as required
• Digital forensics
  – Involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis
Managing Investigations in the Organization (cont.)
• Digital forensics (cont.)
  – The investigation of what happened and how
  – Examiners capable of locating deleted, encrypted, and damaged information that may serve as evidence in any sort of criminal or terrorism investigation
  – Use of skills on a variety of software programs, different operating systems, varying hard drive sizes, and specific technologies
• Controversies surrounding Forensic Analysis
Managing Investigations in the Organization (cont.)
• Evidentiary material (EM)
  – Also called item of potential evidentiary value
  – Any information that could potentially support the organization's legal- or policy-based case against a suspect
  – An item does not become evidence until it is formally admitted to evidence by a judge or other ruling official
  – Example of EM
Managing Investigations in the Organization (cont.)
• Digital forensics can be used for two key purposes:
  – Investigate allegations of digital malfeasance
    • A crime against or using digital media, computer technology, or related components
  – Perform root cause analysis
    • If an incident occurs and the organization suspects an attack was successful, digital forensics can be used to examine the path and methodology used to gain unauthorized access, as well as to determine how pervasive and successful the attack was
Managing Investigations in the Organization (cont.)
• Digital forensics approaches
  – Protect and forget (a.k.a. patch and proceed)
    • Focuses on the defense of the data and the systems that house, use, and transmit it
  – Apprehend and prosecute (a.k.a. pursue and prosecute)
    • Focuses on the identification and apprehension of responsible individuals, with additional attention on the collection and preservation of potential EM that might support administrative or criminal prosecution
Agenda
• David (slides 72-79): Affidavits & Search Warrants; Digital Forensics Methodology; Evidentiary Procedures; Summary
Affidavits and Search Warrants
• Investigations begin with an allegation or an indication of an incident
• Forensics team requests permission to examine digital media for potential EM
• An affidavit is sworn testimony
  – That the investigating officer has certain facts they feel warrant the examination of specific items located at a specific place
Affidavits and Search Warrants (cont.)
• Search warrant
  – Permission to search for EM at the specified location and/or to seize items to return to the investigator’s lab for examination
  – Created when an approving authority signs the affidavit or creates a synopsis form based on it
Digital Forensics Methodology
• Steps in the digital forensics methodology
  1. Identify relevant items of evidentiary value
  2. Acquire (seize) the evidence without alteration or damage
  3. Take steps to assure that the evidence is at every step verifiably authentic and is unchanged from the time it was seized
  4. Analyze the data without risking modification or unauthorized access
  5. Report the findings to the proper authority
Digital Forensics Methodology
Figure 12-2: Digital forensics process
Source: Course Technology/Cengage Learning
Evidentiary Procedures
• Organizations should develop specific procedures and guidance for their use
  – Who may conduct an investigation
  – Who may authorize an investigation
  – What affidavit-related documents are required
  – What search warrant-related documents are required
  – What digital media may be seized or taken offline
Evidentiary Procedures (cont.)
• Organizations should develop specific procedures and guidance for their use (cont.)
  – What methodology should be followed
  – What methods are required for chain of custody or chain of evidence
  – What format the final report should take, and to whom it should be given
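The methodology's steps 2 and 3 (acquire without alteration; keep the evidence verifiably unchanged from seizure onward) and the chain-of-custody record that these evidentiary procedures call for, as an added Python example. This is not code from the textbook or the slides; file names, the case and item identifiers, and the custodian names are constructed sample values, and the "seized media" is a small temporary file standing in for a drive.

```python
"""Evidence integrity and chain-of-custody record for a seized media image.

Added example, not from the textbook or slides. All identifiers and the
sample media content are constructed for illustration.
"""
import hashlib
import json
import tempfile
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # hash and copy 1 MiB at a time; real images do not fit in memory


def hash_file(path, algorithms=("md5", "sha256")):
    """Hash a file with several algorithms in a single pass over its bytes."""
    hashes = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def acquire(source, image):
    """Step 2: copy the source media to an image file, then prove the copy is
    exact by hashing source and image independently (never by copying the hash)."""
    source_hashes = hash_file(source)
    with open(source, "rb") as src, open(image, "wb") as dst:
        while chunk := src.read(CHUNK):
            dst.write(chunk)
    image_hashes = hash_file(image)
    if image_hashes != source_hashes:
        raise RuntimeError("image does not match source media; acquisition failed")
    return image_hashes


@dataclass
class CustodyRecord:
    """Chain-of-custody record: who handled the item, when, and the hashes that
    every later verification must reproduce."""
    case_id: str
    item_id: str
    description: str
    acquisition_hashes: dict
    events: list = field(default_factory=list)

    def log(self, action, custodian, note=""):
        self.events.append({
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "action": action,
            "custodian": custodian,
            "note": note,
        })

    def verify(self, image):
        """Step 3: the image is authentic only if it still hashes to the values
        recorded at acquisition."""
        return hash_file(image) == self.acquisition_hashes

    def to_json(self):
        return json.dumps(asdict(self), indent=2)


def run_demo(media_bytes=b"hello"):
    """Acquire, log custody, verify, then detect a tampered image.
    media_bytes is constructed sample content standing in for a drive."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "seized_usb.bin"   # stand-in for the seized media
        image = tmp / "item-001.dd"       # forensic image of it
        source.write_bytes(media_bytes)

        hashes = acquire(source, image)
        record = CustodyRecord(
            case_id="CASE-EXAMPLE-0001",  # constructed identifiers
            item_id="ITEM-001",
            description="USB drive seized from a workstation (constructed example)",
            acquisition_hashes=hashes,
        )
        record.log("seized", "investigator A", "sealed in evidence bag")
        record.log("imaged", "examiner B", "hardware write-blocker in use")
        intact = record.verify(image)
        record.log("verified", "examiner B", "hashes match acquisition values")

        # Overwrite one byte of the image, as would happen if it were opened
        # without write protection. Verification must now fail.
        with open(image, "r+b") as f:
            f.seek(0)
            f.write(b"\x00")
        tampered_detected = not record.verify(image)
        record.log("verified", "examiner C", "hash mismatch; image rejected")

        return {
            "acquisition_hashes": hashes,
            "intact": intact,
            "tampered_detected": tampered_detected,
            "event_count": len(record.events),
            "record_json": record.to_json(),
        }


if __name__ == "__main__":
    result = run_demo()
    print(result["record_json"])
    print("intact:", result["intact"], "| tamper detected:", result["tampered_detected"])
```

Two design points carry the weight here: the image is hashed from its own bytes rather than inheriting the source hash, so a bad copy is caught at acquisition, and the custody record stores the hashes once and re-derives them at every later handoff, which is what lets the final report state that the evidence is unchanged from the time it was seized.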
Summary
• Introduction
• Law and ethics in information security
• The legal environment
• Ethical concepts in information security
• Professional organizations’ codes of ethics
• Organizational liability and the need for counsel
• Key U.S. Federal agencies
• Managing investigations in the organization