xdxdxd123

Untitled

May 27th, 2017
Area | Act | Date | Description
(continued) | General prohibition on pen register and trap and trace device use; exception (18 USC 3121 et seq.) | 1993 | Prohibits the use of electronic pen registers and trap and trace devices without a court order
Criminal intent | National Information Infrastructure Protection Act of 1996 (update to 18 USC 1030) | 1996 | Categorizes crimes based on criminal intent and a defendant’s authority to access a protected computer system
Trade secrets | Economic Espionage Act of 1996 | 1996 | Prevents abuse of information gained while employed elsewhere
Personal health information protection | Health Insurance Portability and Accountability Act of 1996 (HIPAA) | 1996 | Requires medical practices to ensure the privacy of personal medical information
Intellectual property | No Electronic Theft Act amends 17 USC 506(a)—copyright infringement, and 18 USC 2319—criminal (Public Law 105-147) infringement of copyright | 1997 | Amends copyright and criminal statutes to provide greater copyright protection and penalties for electronic copyright infringement
Copy protection | Digital Millennium Copyright Act (update to 17 USC 101) | 1998 | Provides specific penalties for removing copyright protection from media
Identity theft | Identity Theft and Assumption Deterrence Act of 1998 (18 USC 1028) | 1998 | Attempts to instigate penalties for identity theft by recognizing people who lose their identity as the true victims, not just the commercial and financial credit entities that suffered losses
Children’s privacy | Children’s Online Privacy Protection Act of 1998 (COPPA) | 1998 | Protects children online by requiring Web sites with users under the age of 13 to post privacy policies that specify clear guidance and restrictions on information collection
Encryption and digital signatures | Security and Freedom Through Encryption Act of 1999 | 1999 | Affirms the rights of people in the United States to use and sell products that include encryption and to relax export controls on such products
Banking | Gramm-Leach-Bliley Act of 1999 (GLB) or the Financial Services Modernization Act | 1999 | Repeals the restrictions on banks affiliating with insurance and securities firms; has significant impact on the privacy of personal information used by these industries
Children’s online protection | Children’s Internet Protection Act | 2000 | Requires K-12 schools and libraries to use Internet filters to protect children online
Terrorism | USA PATRIOT Act of 2001 (update to 18 USC 1030) | 2001 | Defines stiffer penalties for prosecution of terrorist crimes
Accountability | Sarbanes-Oxley Act of 2002 (SOX) or Public Company Accounting Reform and Investor Protection Act | 2002 | Enforces accountability for executives at publicly traded companies; this law has created ripple effects throughout the accounting, IT, and related units of many organizations
Federal information security | Federal Information Security Management Act (FISMA) | 2002 | Specifies the requirement for federal agencies to establish information security programs to protect their information assets
Spam | Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, CAN-SPAM Act (15 USC 7701 et seq.) | 2003 | Sets the first national standards for regulating the distribution of commercial e-mail, including mobile phone spam
Fraud with access devices | Fraud and Related Activity in Connection with Access Devices (18 USC 1029) | 2004 | Defines and formalizes law to counter threats from counterfeit access devices such as ID cards, credit cards, telecom equipment, mobile or electronic serial numbers, and the equipment that creates them
Terrorism | Customs-Trade Partnership Against Terrorism (C-TPAT) | 2004 | Organizations that conduct international business may voluntarily comply with this initiative by U.S. Customs and Border Protection to facilitate security and shipments processing
Terrorism and extreme drug trafficking | USA PATRIOT Improvement and Reauthorization Act of 2005 (update to 18 USC 1030) | 2006 | Renews critical sections of the USA PATRIOT Act
Identity theft | Identity Theft Enforcement and Restitution Act | 2008 | Imposes criminal liability on people who commit identity theft, but does not regulate the technology
Terrorism | PATRIOT Sunsets Extension Act of 2011 (update to 18 USC 1030) | 2011 | Renews critical sections of the USA PATRIOT Act
Table 3-1 Key U.S. Laws of Interest to Information Security Professionals
© Cengage Learning 2015
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
To learn more about laws that are not specifically discussed in this chapter, visit CSO Magazine’s directory of security laws, regulations, and guidelines at www.csoonline.com/article/632218/the-security-laws-regulations-and-guidelines-directory.
Identity Theft
Key Terms
identity theft The unauthorized taking of personally identifiable information with the intent of committing fraud and abuse of a person’s financial and personal reputation, purchasing goods and services without authorization, and generally impersonating the victim for illegal or unethical purposes.
personally identifiable information (PII) Information about a person’s history, background, and attributes that can be used to commit identity theft. This information typically includes a person’s name, address, Social Security number, family information, employment history, and financial information.
Related to privacy legislation is the growing body of law on identity theft. Identity theft can occur when someone steals a victim’s personally identifiable information (PII) and uses it to purchase goods and services, or conduct other actions while posing as the victim. According to a report from the U.S. Department of Justice, “approximately 16.6 million persons or 7% of all U.S. residents age 16 or older, were victims of one or more incidents of identity theft in 2012.” [11] As shown in Figure 3-3, the bulk of this theft occurred with payment card accounts. Organizations can also be victims of identity theft by means of URL manipulation or DNS redirection, as described in Chapter 2.
Persons age 16 or older who experienced at least one identity theft incident in the past 12 months, by type of theft, 2012
Type of identity theft | Anytime during the past 12 months (a): Number of victims | Anytime: Percent of all persons | Most recent incident: Number of victims | Most recent: Percent of all persons | Most recent: Percent of all victims
Total | 16,580,500 | 6.7% | 16,580,500 | 6.7% | 100%
Existing account | 15,323,500 | 6.2% | 14,022,100 | 5.7% | 84.6%
  Credit card | 7,698,500 | 3.1% | 6,676,300 | 2.7% | 40.3%
  Bank | 7,470,700 | 3.0% | 6,191,500 | 2.5% | 37.3%
  Other | 1,696,400 | 0.7% | 1,154,300 | 0.5% | 7.0%
New account | 1,125,100 | 0.5% | 683,400 | 0.3% | 4.1%
Personal information | 833,600 | 0.3% | 622,900 | 0.3% | 3.8%
Multiple types | ~ | ~ | 1,252,000 | 0.5% | 7.6%
  Existing account (b) | ~ | ~ | 824,700 | 0.3% | 5.0%
  Other (c) | ~ | ~ | 427,400 | 0.2% | 2.6%
Note: Detail may not sum to total due to victims who reported multiple incidents of identity theft and rounding.
~ Not applicable.
a Identity theft classified as a single type.
b Includes victims who experienced two or more of the following: unauthorized use of a credit card, bank account, or other existing account.
c Includes victims who experienced two or more of the following: unauthorized use of an existing account, misuse of personal information to open a new account, or misuse of personal information for other fraudulent purposes.
Source: Bureau of Justice Statistics, National Crime Victimization Survey, Identity Theft Supplement, 2012.
Figure 3-3 U.S. Department of Justice report on victims of identity theft in 2012
Source: U.S. Federal Trade Commission.
In May 2006, President Bush signed an executive order creating the Identity Theft Task Force. On April 27, 2007, it issued a strategic plan to improve efforts by the government, private organizations, and individuals in combating identity theft. The U.S. Federal Trade Commission (FTC) now oversees efforts to foster coordination among groups, more effective prosecution of criminals engaged in identity theft, and methods to increase restitution made to victims. [12]
While numerous states have passed identity theft laws, the primary legislation at the federal level is Fraud and Related Activity in Connection with Identification Documents, Authentication Features, and Information (Title 18, U.S.C. § 1028), which criminalizes the creation, reproduction, transfer, possession, or use of unauthorized or false identification documents or document-making equipment. The penalties for such offenses range from 1 to 25 years in prison and fines as determined by the courts.
The FTC recommends that people take the following four steps when they suspect they are victims of identity theft:
1. Place an initial fraud alert: Report to one of the three national credit reporting companies and ask for an initial fraud alert on your credit report. This makes it harder for an identity thief to open more accounts in your name.
2. Order your credit reports: Filing an initial fraud alert entitles you to a free credit report from each of the three credit reporting companies. Examine the reports for fraud activity and contact the fraud department in the organization that holds the suspect account.
3. Create an identity theft report: Filing a complaint with the FTC will generate an identity theft affidavit, which can be used to file a police report and create an identity theft report. This report helps when dealing with credit reporting companies, debt collectors, and any businesses with whom the identity thief has interacted.
4. Monitor your progress: Document all calls, letters, and communications during the process. [13]
In 2008, Congress passed another update to the CFAA titled the Identity Theft Enforcement and Restitution Act of 2008, which specifically addressed the malicious use of spyware or keyloggers to steal PII. This act also created a new designation of a level of identity theft that provided much stronger penalties for violators who used 10 or more computers to commit theft. The new law also created a mechanism by which victims of identity theft may receive restitution from criminals convicted under the act. The penalties that may be levied under this act include substantial fines, from which the restitution is paid, and prison terms of up to 10 or 20 years, depending on the severity of the crime. [14] Increasingly, consumers who recognize the increased threat of identity theft elect to buy credit protection insurance products that offset the expenses associated with such theft.
For more information on privacy and identity theft, visit the FTC’s Web site at www.consumer.ftc.gov/topics/privacy-identity and the U.S. Department of Justice Web site at www.justice.gov/criminal/fraud/websites/idtheft.html.
‡ Export and Espionage Laws
To meet national security needs and to protect trade secrets and other state and private assets, several laws restrict which information, information management resources, and security resources may be exported from the United States. These laws attempt to stem the theft of information by establishing strong penalties for such crimes. Such laws have limited effectiveness in many cases because the theft is initiated from offshore and the ability to apply the law is reduced when perpetrators are from another jurisdiction.
To protect American ingenuity, intellectual property, and competitive advantage, Congress passed the Economic Espionage Act in 1996. This law attempts to prevent trade secrets from being illegally shared.
The Security and Freedom through Encryption Act of 1999 provides guidance for the use of encryption and provides protection from government intervention. The act includes provisions that:
- Reinforce a person’s right to use or sell encryption algorithms without concern for regulations requiring some form of key registration. Key registration is the storage of a cryptographic key (or its text equivalent) with another party for breaking the encryption of data. This is often called “key escrow.”
- Prohibit the federal government from requiring the use of encryption for contracts, grants, and other official documents and correspondence.
- State that the use of encryption is not probable cause to suspect criminal activity.
- Relax export restrictions by amending the Export Administration Act of 1979.
- Provide additional penalties for the use of encryption in the commission of a criminal act.
As illustrated in Figure 3-4, the distribution of many software packages is restricted to approved organizations, governments, and countries.
[Figure image: a software package label reading “For distribution in the U.S. and Canada only.”]
Figure 3-4 Export and espionage
© Cengage Learning 2015
‡ U.S. Copyright Law
Intellectual property is a protected asset in the United States. The U.S. Copyright Law extends this privilege to published works, including electronic formats. Fair use allows copyrighted materials to be used to support news reporting, teaching, scholarship, and similar activities, as long as the use is for educational or library purposes, is not for profit, and is not excessive. As long as proper acknowledgment is provided to the original author of such works, including a proper citation of the location of source materials, and the work is not represented as one’s own, it is entirely permissible to include portions of someone else’s work as reference.
For more information on the U.S. Copyright Law, visit the U.S. Copyright Office’s Web site at www.copyright.gov/. You can view the law in its entirety at www.copyright.gov/title17/.
‡ Financial Reporting
The Sarbanes-Oxley Act of 2002, also known as SOX or the Corporate and Auditing Accountability and Responsibility Act, is a critical piece of legislation that affects the executive management of publicly traded corporations and public accounting firms. The law seeks to improve the reliability and accuracy of financial reporting, as well as increase the accountability of corporate governance, in publicly traded companies. Penalties for noncompliance range from fines to jail terms. Executives in firms covered by this law seek assurance for the reliability and quality of information systems from senior information technology managers. In turn, IT managers will likely ask information security managers to verify the confidentiality and integrity of the information systems in a process known as subcertification.
The two sections of SOX that most affect information security are Section 302 and Section 404. Section 302 of SOX requires an organization’s executives to personally certify the accuracy and completeness of their financial reports as well as assess and report on the effectiveness of internal controls for their financial reporting. Section 404 complements the requirement to assess and report on internal controls, mandating that these assessment reports must be audited by an outside firm. Because SOX does not delineate IT from non-IT internal controls, and because most modern financial systems and their controls are based on IT and information security technologies, the expectation of effective controls trickles through the organization to the Information Security department.
‡ Freedom of Information Act of 1966
The Freedom of Information Act (FOIA) allows any person to request access to federal agency records or information not determined to be a matter of national security. Agencies of the federal government are required to disclose requested information upon receipt of a written request. This requirement is enforceable in court. However, some information is protected from disclosure, and the act does not apply to state or local government agencies or to private businesses or individuals, although many states have their own version of the FOIA. Figure 3-5 illustrates the number of FOIA requests received by the U.S. government between 2008 and 2012, and their disposition.
‡ Payment Card Industry Data Security Standards (PCI DSS)
For organizations that process payment cards, such as credit cards, debit cards, ATM cards, store-value cards, gift cards, or other related items, the Payment Card Industry (PCI) Security Standards Council offers a standard of performance to which participating organizations must comply. While not a law, per se, this standard has proven to be very effective in improving industry practices. The PCI Standards Council was founded in 2006 by a group of industry businesses that include American Express, Visa, Discover Financial Services, JCB, and MasterCard Worldwide. The Security Standards Council established a set of regulatory mandates with which organizations must comply to be certified by the PCI Council. These regulations, the Payment Card Industry Data Security Standards (PCI DSS), are designed to enhance the security of customers’ account data. The regulations include requirements for information security policies, procedures, and management, as well as technical software and networking specifications.
PCI DSS “was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).” [15]
[Figure 3-5 chart, values recovered from the figure]
FOIA DATA AT A GLANCE - FY 2008 through FY 2012
Requests Received: FY 2008 605,491; FY 2009 557,825; FY 2010 597,415; FY 2011 644,165; FY 2012 651,254
Disposition of Requests, FY 2012: Released in Full 234,049; Released in Part 200,209; Denied in Full 30,727
Backlog: FY 2008 130,419; FY 2009 75,594; FY 2010 69,526; FY 2011 83,490; FY 2012 71,790
Figure 3-5 U.S. government FOIA requests and processing
Source: www.foia.gov.
PCI DSS addresses the following six areas with 12 requirements:
Area 1: “Build and maintain a secure network and systems.
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.”
Area 2: “Protect cardholder data.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.”
Area 3: “Maintain a vulnerability management program.
5. Protect all systems against malware and regularly update antivirus software or programs.
6. Develop and maintain secure systems and applications.”
Area 4: “Implement strong access control measures.
7. Restrict access to cardholder data by a business’s need to know.
8. Identify and authenticate access to system components.
9. Restrict physical access to cardholder data.”
Area 5: “Regularly monitor and test networks.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.”
Area 6: “Maintain an information security policy.
12. Maintain a policy that addresses information security for all personnel.” [16]
The Council has also issued requirements called the Payment Application Data Security Standard (PA DSS) and PCI Pin Transaction Security (PCI PTS), which provide additional specifications for components of payment card processing.
For more information on PCI DSS, visit www.pcisecuritystandards.org/.
‡ State and Local Regulations
A critical fact to keep in mind when reading federal computer laws is that the majority of them are written specifically to protect federal information systems. The laws have little applicability to private organizations. Thus, such organizations must be cognizant of the state and local laws that protect and apply to them. Information security professionals must understand state laws and regulations and ensure that their organizations’ security policies and procedures are in compliance.
For example, in 1991, the state of Georgia passed the Georgia Computer Systems Protection Act, which protects information and established penalties for the use of information technology to attack or exploit information systems. In 1998, Georgia passed its Identity Fraud Act (updated in 2002), which established strong penalties for identity theft and the inappropriate disposal of customer confidential information.
For more information on state security laws, visit the National Conference of State Legislatures Web site at www.ncsl.org. Use the search box to find your state’s security breach notification laws, data disposal laws, and identity theft statutes.
International Laws and Legal Bodies
IT professionals and information security practitioners must realize that when their organizations do business on the Internet, they do business globally. As a result, these professionals must be sensitive to the laws and ethical values of many different cultures, societies, and countries. When it comes to certain ethical values, you may be unable to please all of the people all of the time, but the laws of other nations are one area in which it is certainly not easier to ask for forgiveness than for permission.
Several security bodies and laws are described in this section. Because of the political complexities of relationships among nations and differences in culture, few current international laws cover privacy and information security. The laws discussed in this section are important, but they are limited in their enforceability. The American Society of International Law is one example of an American institution that deals with international law (see www.asil.org).
‡ U.K. Computer Security Laws
The following laws are in force in the United Kingdom (U.K.) and are similar to those described earlier for the United States:
- Computer Misuse Act 1990: Defined three “computer misuse offenses”:
  1. Unauthorized access to computer material.
  2. Unauthorized access with intent to commit or facilitate commission of further offenses.
  3. Unauthorized acts with intent to impair, or with recklessness as to impairing, operation of computer, etc. [17]
- Privacy and Electronic Communications (EC Directive) Regulations 2003: Revoked the Data Protection and Privacy Regulations of 1999, and focuses on protection against unwanted or harassing phone, e-mail, and SMS messages.
- Police and Justice Act 2006: Updated the Computer Misuse Act, modified the penalties, and created new crimes defined as the “unauthorized acts with intent to impair operation of computer, etc.,” [18] and the manufacture or provision of materials used in computer misuse offenses.
- Personal Internet Safety 2007: A report published by the House of Lords Science and Technology Committee provided a public service, and criticized the U.K. government’s lack of action in protecting personal Internet safety.
‡ Australian Computer Security Laws
The following laws are in force in Australia and its territories, and are similar to those described earlier for the United States:
- Privacy Act 1988: Regulates the collection, storage, use, and disclosure of personal information. Applies both to private and public sectors. Contains 11 information privacy principles for handling personal information by most public sector agencies, and 10 national privacy principles for handling of personal information by nongovernment agencies. [19]
- Telecommunications Act 1997: Updated as of October 2013; contains regulation related to the collection and storage of privacy data held by telecommunications service providers.
- Corporations Act 2001: Updated by the Corporations Regulations of 2001 and 2002; focuses on business relationships, but similar to SOX, contains provisions related to financial reporting and audits.
- Spam Act 2003: Legislation designed to regulate the amount of unwanted commercial marketing materials, especially via e-mail. Requires businesses to obtain consent of recipients, ensure that businesses accurately identify the recipients, and provide a mechanism by which the recipients may unsubscribe from commercial messages.
- Cybercrime Legislation Amendment Bill 2011: Designed to align Australian laws with the European Convention on Cybercrime (see next section); the bill specifies information that communications carriers and Internet service providers must retain and surrender when requested by law enforcement.
Council of Europe Convention on Cybercrime
The Council of Europe adopted the Convention on Cybercrime in 2001. It created an international task force to oversee a range of security functions associated with Internet activities and standardized technology laws across international borders. It also attempts to improve the effectiveness of international investigations into breaches of technology law. This convention has been well received by advocates of intellectual property rights because it emphasizes prosecution for copyright infringement. However, many supporters of individual rights oppose the convention because they think it unduly infringes on freedom of speech and threatens the civil liberties of U.S. residents.
Thirty-four countries attended the convention signing in November 2001, and 41 nations, including the United States and the United Kingdom, have ratified the convention as of January 2014. [20] The United States is technically not a member state of the Council of Europe, but it does participate in the convention.
As with much complex international legislation, the Convention on Cybercrime lacks any realistic provisions for enforcement. The overall goal of the convention is to simplify the acquisition of information for law enforcement agencies in certain types of international crimes. It also simplifies the extradition process. The convention has more than its share of skeptics, who see it as an overly simplistic attempt to control a complex problem.
For more information on the Council of Europe Convention on Cybercrime, visit its Web site at www.coe.int/cybercrime.
World Trade Organization and the Agreement on Trade-Related Aspects of Intellectual Property Rights
The Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS), created by the World Trade Organization (WTO) and negotiated from 1986 to 1994, introduced intellectual property rules into the multilateral trade system. It is the first significant international effort to protect intellectual property rights. It outlines requirements for governmental oversight and legislation of WTO member countries to provide minimum levels of protection for intellectual property. The WTO TRIPS agreement covers five issues:
- How basic principles of the trading system and other international intellectual property agreements should be applied
- How to give adequate protection to intellectual property rights
- How countries should enforce those rights adequately within their own borders
- How to settle disputes on intellectual property between members of the WTO
- Special transitional arrangements during the period when the new system is being introduced [21]
Digital Millennium Copyright Act
The Digital Millennium Copyright Act (DMCA) is the American contribution to an international effort by the World Intellectual Property Organization (WIPO) to reduce the impact of copyright, trademark, and privacy infringement, especially when accomplished via the removal of technological copyright protection measures. This law was created in response to the 1995 adoption of Directive 95/46/EC by the European Union, which added protection for individual citizens with regard to the processing of personal data and its use and movement. The United Kingdom has implemented a version of this law called the Database Right to comply with Directive 95/46/EC.
The DMCA includes the following provisions:
- Prohibits the circumvention of protections and countermeasures implemented by copyright owners to control access to protected content
- Prohibits the manufacture of devices to circumvent protections and countermeasures that control access to protected content
- Bans trafficking in devices manufactured to circumvent protections and countermeasures that control access to protected content
- Prohibits the altering of information attached or embedded into copyrighted material
- Excludes Internet service providers from certain forms of contributory copyright infringement
Ethics and Information Security
Many professionally regulated disciplines have explicit rules that govern the ethical behavior of their members. For example, doctors and lawyers who commit egregious violations of their professions’ canons of conduct can have their legal ability to practice revoked. Unlike the medical and legal fields, however, the information technology and information security fields do not have binding codes of ethics. Instead, professional associations such as the ACM and ISSA, and certification agencies such as (ISC)² and ISACA, work to maintain ethical codes of conduct for their respective memberships. While these professional organizations can prescribe ethical conduct, they do not have the authority to banish violators from practicing their trade. To begin exploring some of the ethical issues of information security, take a look at the Ten Commandments of Computer Ethics in the nearby Offline feature.
Ethical Differences Across Cultures
Cultural differences can make it difficult to determine what is ethical and what is not, especially when it comes to the use of computers. Studies on ethics and computer use reveal that people of different nationalities have different perspectives; difficulties arise when one nationality’s ethical behavior violates the ethics of another national group. For example, to Western cultures, many of the ways in which Asian cultures use computer technology amount to software piracy. This ethical conflict arises out of Asian traditions of collective ownership, which clash with the protection of intellectual property.
Approximately 90 percent of all software is created in the United States. The Business Software Alliance’s 2011 piracy study found that the global software piracy rate was 42 percent. Figure 3-6 shows an international comparison between the average cost of a PC in a country and the amount typically spent there on legal software.
Table 3-2 shows the estimated rate of losses from piracy as a percentage of legal sales rates and losses due to piracy internationally.
Some countries are more relaxed than others when dealing with intellectual property copy restrictions. A study published in 1999 examined the computer-use ethics in several nations, including Singapore, Hong Kong, the United States, England, Australia, Sweden, Wales, and the Netherlands. [23] This study selected various computer-use vignettes (see the Offline feature titled “The Use of Scenarios in Computer Ethics Studies”) and presented them to university students in the various nations. The study did not categorize or classify the responses as ethical or unethical. Instead, the responses only indicated a degree of ethical sensitivity or knowledge about the performance of the characters in the short case studies. The scenarios were grouped into three categories of ethical computer use: software license infringement, illicit use, and misuse of corporate resources.
Figure 3-6 Legal international hardware and software sales [figure not reproduced: a bar chart titled "2011 Hardware & Software Expenditures" comparing PC Price with Legal Software Sales for Brazil, USA, Russia, India, and China on a $0 to $800 scale]
Source: Business Software Alliance (BSA), 2012. [24]

Country | Pirated value ($M) | Legal sales ($M) | Piracy rate
U.S. | 9,773 | 41,664 | 19%
Japan | 1,875 | 7,054 | 21%
U.K. | 1,943 | 5,530 | 26%
South Korea | 815 | 1,223 | 40%
Brazil | 2,848 | 2,526 | 53%
Malaysia | 657 | 538 | 55%
Mexico | 1,249 | 942 | 57%
Russia | 3,227 | 1,895 | 63%
India | 2,930 | 1,721 | 63%
Thailand | 852 | 331 | 72%
China | 8,902 | 2,659 | 77%
Indonesia | 1,467 | 239 | 86%
Table 3-2 International Piracy Rates
Source: BSA, 2012. [25]

OFFLINE
The Ten Commandments of Computer Ethics [22]
from the Computer Ethics Institute
1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people’s computer work.
3. Thou shalt not snoop around in other people’s computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people’s computer resources without authorization or proper compensation.
8. Thou shalt not appropriate other people’s intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.

Software License Infringement
The topic of software license infringement, or piracy, is routinely covered by the popular press. Among study participants, attitudes toward piracy were generally similar; however, participants from the United States and the Netherlands showed statistically significant differences in attitudes from those of the overall group. Participants from the United States were significantly less tolerant of piracy, while those from the Netherlands were significantly more permissive. Although other studies have reported that the Pacific Rim countries of Singapore and Hong Kong are hotbeds of software piracy, this study found tolerance for copyright infringement in those countries to be moderate, as were attitudes in England, Wales, Australia, and Sweden. This could mean that the people surveyed understood what software license infringement was, but felt either that certain use was not piracy or that their society permitted this piracy in some way. Peer pressure, the lack of legal disincentives, the lack of punitive measures, and other reasons could explain why users in these alleged piracy centers disregarded intellectual property laws despite their professed attitudes toward them. Even though participants from the Netherlands displayed a more permissive attitude toward piracy, that country only ranked third in piracy rates of the nations surveyed in the study.
Illicit Use
The study respondents unilaterally condemned viruses, hacking, and other forms of system abuse. There were, however, different degrees of tolerance for such activities among the groups. Students from Singapore and Hong Kong proved to be significantly more tolerant than those from the United States, Wales, England, and Australia. Students from Sweden and the Netherlands were also significantly more tolerant than those from Wales and Australia, but significantly less tolerant than those from Hong Kong. The low overall degree of tolerance for illicit system use may be a function of the easy correspondence between the common crimes of breaking and entering, trespassing, theft, destruction of property, and their computer-related counterparts.
Misuse of Corporate Resources
The scenarios examined levels of tolerance for misuse of corporate resources, and each presented a different situation in which corporate assets were used for nonbusiness purposes without specifying the company’s policy on personal use of its resources. In general, participants displayed a rather lenient view of personal use of company equipment. Only students from Singapore and Hong Kong viewed this personal use as unethical. There were several substantial differences in this category, with students from the Netherlands revealing the most lenient views. With the exceptions of students from Singapore and Hong Kong, many people from many cultural backgrounds indicated that unless an organization explicitly forbids personal use of its computing resources, such use is acceptable. [26]
Larger organizations, especially those that operate in international markets, are faced with cultural differences in ethical perceptions and decision making. For example, the Boeing Company has a clear and well-developed Ethics and Business Conduct program. It seeks to communicate company standards of ethical business conduct to all employees, inform all stakeholders of the policy and procedure that governs ethical conduct, identify company processes that help stakeholders comply with corporate standards of conduct, and promote an ongoing awareness of ethical conduct within the company. Like other large organizations, Boeing takes its business values and corporate conduct program very seriously. The approach is best summarized as “Communicate, Educate, and Execute,” in which Boeing seeks to inform all corporate stakeholders about ethically motivated actions and then implement programs to achieve its stated values in practice.
To learn more about the Boeing ethics program, visit the Boeing Web site at www.boeing.com/boeing/companyoffices/aboutus/ethics/hotline.page.
In a nutshell, Boeing promotes the goal that all stakeholders will conduct business dealings fairly, impartially, and in an ethical and proper manner consistent with its code of conduct.

OFFLINE
The Use of Scenarios in Computer Ethics Studies [27]
The following vignettes can be used in an open and frank discussion of computer ethics. Review each scenario carefully and respond to each question using a form of the following statement, choosing the description you consider most appropriate: I feel the actions of this person were (very ethical/ethical/neither ethical nor unethical/unethical/very unethical). Then, justify your response.
1. A scientist developed a theory that required proof through the construction of a computer model. He hired a computer programmer to build the model, and the theory was shown to be correct. The scientist won several awards for the development of the theory, but he never acknowledged the contribution of the computer programmer.
The scientist’s failure to acknowledge the computer programmer was:
2. The owner of a small business needed a computer-based accounting system. He identified the various inputs and outputs he felt were required to satisfy his needs. Then he showed his design to a computer programmer and asked if she could implement such a system. The programmer knew she could because she had developed much more sophisticated systems in the past. In fact, she thought the design was rather crude and would soon need several major revisions. But she didn’t voice her thoughts because the business owner didn’t ask, and she wanted to be hired to implement the needed revisions.
The programmer’s decision not to point out the design flaws was:
3. A student found a loophole in his university’s computer system that allowed him access to other students’ records. He told the system administrator about the loophole, but continued to access student records until the problem was corrected two weeks later.
The student’s action in searching for the loophole was:
The student’s action in continuing to access others’ records for two weeks was:
The system administrator’s failure to correct the problem sooner was:
4. A computer user ordered an accounting system from a popular software vendor’s Web site. When he received his order, he found that the store had accidentally sent him a very expensive word-processing program as well as the accounting package he had ordered. The invoice listed only the accounting package. The user decided to keep the word-processing program.
The customer’s decision to keep the word-processing program was:
5. A programmer at a bank realized that she had accidentally overdrawn her checking account. She made a small adjustment in the bank’s accounting system so that her account would not incur a service charge. As soon as she deposited funds that made her balance positive again, she corrected the bank’s accounting system.
The programmer’s modification of the accounting system was:
6. A computer programmer built and sold small computer applications to supplement his income. He worked for a moderately sized computer vendor, and would frequently go to his office on Saturdays when no one was working and use his employer’s computer to develop the applications. He did not hide the fact that he was entering the building; he had to sign a register at a security desk each time he entered.
The programmer’s weekend use of the company computer was:
7. A student in a computer class was also employed at a local business part-time. Frequently her class homework required using popular word-processing and spreadsheet packages. Occasionally she did her homework on the office computer at her part-time job during coffee or meal breaks.
The student’s use of the company computer was:
If the student had done her homework during “company time” (not during a break), her use of the company computer would have been:
8. A university student learned to use an expensive accounting program in her accounting class. The student would go to the university computer lab and use the software to complete her assignment. Signs were posted in the lab indicating that copying software was forbidden. One day, she decided to copy the software anyway to complete her work assignments at home.
If the student destroyed her copy of the software at the end of the term, her action in copying the software was:
If the student forgot to destroy her copy of the software at the end of the term, her action in copying the software was:
If the student never intended to destroy her copy of the software at the end of the term, her action in copying the software was:
9. A university student found out that a fellow student’s personal Web site contained a “pirate” section of illegally copied software programs. He accessed the Web site and proceeded to download several games and professional programs, which he then distributed to several of his friends.
The student’s actions in downloading the games were:
The student’s actions in downloading the programs were:
The student’s actions in sharing the programs and games with his friends were:
10. An engineer needed a program to perform a series of complicated calculations. He found a computer programmer who was capable of writing the program, but would only hire the programmer if he agreed to share any liability that may result from an error in the engineer’s calculations. The programmer was willing to assume any liability due to a program malfunction, but was unwilling to share liability due to an error in the engineer’s calculations.
The programmer’s position in this situation is:
The engineer’s position in this situation is:
11. A manager of a company that sells Web hosting services bought similar services from a competitor. She used her access to the competitor’s computer to try to break the security system, identify other customers, and cause the system to crash. She used the service for a year and always paid her bills promptly.
The manager’s actions were:
12. A student programmer decided to write a virus program. Such programs usually spread automatically by making copies of themselves onto other users’ media (like flash drives). The student wrote a program that caused the computer to ignore every fifth command entered by a user. The student took his program to the university computing lab and installed it on one of the computers. Before long, the virus had spread to hundreds of users.
The student’s action of infecting hundreds of users’ flash drives was:
If the virus program output the message “Have a nice day,” then the student’s action of infecting hundreds of users’ flash drives would have been:
If the virus erased files, then the student’s action of infecting hundreds of users’ flash drives would have been:

Ethics and Education
Attitudes toward the ethics of computer use are affected by many factors other than nationality. Differences are found among people within the same country, within the same social class, and within the same company. Key studies reveal that education is the overriding factor in leveling ethical perceptions within a small population. Employees must be trained and kept aware of many topics related to information security, not the least of which is the expected behavior of an ethical employee. This education is especially important in information security, as many employees may not have the formal technical training to understand that their behavior is unethical or even illegal. Proper ethical and legal training is vital to creating an informed and well-prepared system user.
Deterring Unethical and Illegal Behavior
There are three general causes of unethical and illegal behavior:
- Ignorance: Ignorance of the law is no excuse; however, ignorance of policy and procedures is. The first method of deterrence is education, which is accomplished by designing, publishing, and disseminating an organization’s policies and relevant laws, and obtaining agreement to comply with these policies and laws from all members of the organization. Reminders, training, and awareness programs keep policy information in front of employees to support retention and compliance.
- Accident: People who have authorization and privileges to manage information within the organization are most likely to cause harm or damage by accident. Careful planning and control help prevent accidental modification to systems and data.
- Intent: Criminal or unethical intent goes to the state of mind of the person performing the act; it is often necessary to establish criminal intent to successfully prosecute offenders. Protecting a system against those with intent to cause harm or damage is best accomplished by means of technical controls, and vigorous litigation or prosecution if these controls fail.
Whatever the cause of illegal, immoral, or unethical behavior, one thing is certain: information security personnel must do everything in their power to deter these acts and to use policy, education and training, and technology to protect information and systems. Many security professionals understand the technology aspect of protection but underestimate the value of policy. However, laws, policies, and their associated penalties only provide deterrence if three conditions are present, as illustrated in Figure 3-7:
- Fear of penalty: Potential offenders must fear the penalty. Threats of informal reprimand or verbal warnings do not have the same impact as the threat of imprisonment or forfeiture of pay.
- Probability of being apprehended: Potential offenders must believe there is a strong possibility of being caught.
- Probability of penalty being applied: Potential offenders must believe that the penalty will be administered.
Figure 3-7 Deterrents to illegal or unethical behavior [figure not reproduced: three panels labeled Penalty, Apprehension, and Application, illustrated with a parking sign reading “Reserved Parking For Dr. Whitman, Violators Will Be Shot”]
© Cengage Learning 2015
Codes of Ethics at Professional Organizations
Many professional organizations have established codes of conduct or codes of ethics that members are expected to follow. Codes of ethics can have a positive effect on people’s judgment regarding computer use. [28] Unfortunately, many employers do not encourage their employees to join these professional organizations. But, employees who have earned some level of certification or professional accreditation can be deterred from ethical lapses if they fear losing that accreditation or certification by violating a code of conduct. Loss of certification or accreditation can dramatically reduce their marketability and earning power.
Security professionals have a responsibility to act ethically and according to the policies and procedures of their employers, their professional organizations, and the laws of society. Likewise, it is the organization’s responsibility to develop, disseminate, and enforce its policies. The following discussion explains where professional organizations fit into the ethical landscape. Table 3-3 provides an overview of these organizations. Many of them offer certification programs that require applicants to subscribe formally to the ethical codes. Professional certification is discussed in Chapter 11.
Professional organization / Web resource location / Description / Focus

Association of Computing Machinery
  Web resource location: www.acm.org
  Description: Code of 24 imperatives of personal and ethical responsibilities for security professionals
  Focus: Ethics of security professionals

Information Systems Audit and Control Association
  Web resource location: www.isaca.org
  Description: Focus on auditing, information security, business process analysis, and IS planning through the CISA and CISM certifications
  Focus: Tasks and knowledge required of the information systems audit professional

Information Systems Security Association
  Web resource location: www.issa.org
  Description: Professional association of information systems security professionals; provides education forums, publications, and peer networking for members
  Focus: Professional security information sharing

International Information Systems Security Certification Consortium (ISC)²
  Web resource location: www.isc2.org
  Description: International consortium dedicated to improving the quality of security professionals through SSCP and CISSP certifications
  Focus: Requires certificants to follow its published code of ethics

SANS Institute’s Global Information Assurance Certification
  Web resource location: www.giac.org
  Description: GIAC certifications focus on four security areas: security administration, security management, IT audits, and software security; these areas have standard, gold, and expert levels
  Focus: Requires certificants to follow its published code of ethics

Table 3-3 Professional Organizations of Interest to Information Security Professionals
© Cengage Learning 2015
‡ Major Information Security Professional Organizations

Many of the major IT professional organizations maintain their own codes of ethics.

Association of Computing Machinery (ACM)
The ACM is a respected professional society that was established in 1947 as “the world’s first educational and scientific computing society.” It is one of the few organizations that strongly promotes education and provides discounts for student members. The ACM’s code of ethics requires its more than 100,000 members to perform their duties in a manner befitting an ethical computing professional. The code contains specific references to protecting the confidentiality of information, causing no harm (with specific references to viruses), protecting the privacy of others, and respecting the intellectual property and copyrights of others. The ACM (www.acm.org) also hosts more than 170 conferences annually and publishes a wide variety of professional computing publications, including the highly regarded Communications of the ACM.

International Information Systems Security Certification Consortium, Inc. (ISC)²
(ISC)² is a nonprofit organization that focuses on the development and implementation of information security certifications and credentials. The organization manages a body of knowledge on information security and administers and evaluates examinations for information security certifications. The code of ethics put forth by (ISC)² is primarily designed for the more than 90,000 information security professionals who have earned an (ISC)² certification, and has four mandatory canons: “Protect society, the commonwealth, and the infrastructure; act honorably, honestly, justly, responsibly, and legally; provide diligent and competent service to principals; and advance and protect the profession.”²⁹ This code enables (ISC)² to promote reliance on the ethicality and trustworthiness of information security professionals as the guardians of information and systems. For more information, visit www.isc2.org.

SANS
Formerly known as the System Administration, Networking, and Security Institute, SANS was founded in 1989 as a professional research and education cooperative organization and has awarded certifications to more than 55,000 information security professionals. SANS offers a set of certifications called the Global Information Assurance Certification (GIAC). All GIAC-certified professionals are required to acknowledge that certification and its privileges carry a corresponding obligation to uphold the GIAC code of ethics. Certificate holders who do not conform to this code face censure and may lose GIAC certification. For more information, visit www.sans.org and www.giac.org.

ISACA
Originally known as the Information Systems Audit and Control Association, ISACA is a professional association that focuses on auditing, control, and security. The membership comprises both technical and managerial professionals. ISACA (www.isaca.org) provides IT control practices and standards, and includes many information security components within its areas of concentration, although it does not focus exclusively on information security. ISACA also has a code of ethics for its 110,000 constituents, and it requires many of the same high standards for ethical performance as the other organizations and certifications.

Information Systems Security Association (ISSA)
ISSA is a nonprofit society of more than 10,000 information security professionals in over 100 countries. As a professional association, its primary mission is to bring together qualified information security practitioners for information exchange and educational development. ISSA (www.issa.org)
provides scheduled conferences, meetings, publications, and information resources to promote information security awareness and education. ISSA also promotes a code of ethics, similar in content to those of (ISC)², ISACA, and the ACM, whose focus is “promoting management practices that will ensure the confidentiality, integrity, and availability of organizational information resources.”³⁰
Key U.S. Federal Agencies

Several key U.S. federal agencies are charged with the protection of American information resources and the investigation of threats or attacks against these resources. These organizations include the Department of Homeland Security (DHS) and its subordinate agencies—the U.S. Secret Service (USSS) and US-CERT, the National Security Agency, the Federal Bureau of Investigation (FBI), and the FBI’s InfraGard program.

‡ Department of Homeland Security

The Department of Homeland Security (DHS, at www.dhs.gov) was created in 2003 by the Homeland Security Act of 2002, which was passed in response to the events of September 11, 2001. DHS is made up of five directorates, or divisions, through which it carries out its mission of protecting American citizens as well as the physical and information assets of the United States. The Directorate of Information and Infrastructure creates and enhances resources used to discover and respond to attacks on national information systems and critical infrastructure. The Science and Technology Directorate is responsible for research and development activities in support of domestic defense. This effort is guided by an ongoing examination of vulnerabilities throughout the national infrastructure; the directorate sponsors the emerging best practices developed to counter threats and weaknesses in the system. Table 3-4 describes the DHS departments and their functions.

DHS works with academic campuses nationally, focusing on resilience, recruitment, internationalization, growing academic maturity, and academic research. Resilience calls for academic institutions to improve their own preparedness for unexpected events. Recruitment refers to the roles of academic organizations in preparing students and recent graduates to fill the increasing demand for workers and managers in the preparedness industry. Internationalization recognizes that students around the world can help meet the increased demand. Recently, information security and preparedness has become more recognized as a discrete
DHS department / Function

Federal Emergency Management Agency (FEMA)
  Function: Supports U.S. citizens and first responders to ensure that people work together to build, sustain, and improve their capability to prepare for, protect against, respond to, recover from, and mitigate all hazards

Federal Law Enforcement Training Center (FLETC)
  Function: Provides career-long training to law enforcement professionals to help them fulfill their responsibilities safely and proficiently

Transportation Security Administration (TSA)
  Function: Protects the nation’s transportation systems to ensure freedom of movement for people and commerce

United States Citizenship and Immigration Services (USCIS)
  Function: Secures America’s promise as a nation of immigrants by providing accurate and useful information to customers, granting immigration and citizenship benefits, promoting an awareness and understanding of citizenship, and ensuring the integrity of the immigration system

United States Customs and Border Protection (CBP)

Table 3-4 DHS Departments and Functions (continues)