| Area | Act | Date | Description |
|---|---|---|---|
| | General prohibition on pen register and trap and trace device use; exception (18 USC 3121 et seq.) | 1993 | Prohibits the use of electronic pen registers and trap and trace devices without a court order |
| Criminal intent | National Information Infrastructure Protection Act of 1996 (update to 18 USC 1030) | 1996 | Categorizes crimes based on criminal intent and a defendant’s authority to access a protected computer system |
| Trade secrets | Economic Espionage Act of 1996 | 1996 | Prevents abuse of information gained while employed elsewhere |
| Personal health information protection | Health Insurance Portability and Accountability Act of 1996 (HIPAA) | 1996 | Requires medical practices to ensure the privacy of personal medical information |
| Intellectual property | No Electronic Theft Act amends 17 USC 506(a)—copyright infringement, and 18 USC 2319—criminal (Public Law 105-147) infringement of copyright | 1997 | Amends copyright and criminal statutes to provide greater copyright protection and penalties for electronic copyright infringement |
| Copy protection | Digital Millennium Copyright Act (update to 17 USC 101) | 1998 | Provides specific penalties for removing copyright protection from media |

Table 3-1 Key U.S. Laws of Interest to Information Security Professionals (continues)

Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
| Area | Act | Date | Description |
|---|---|---|---|
| Identity theft | Identity Theft and Assumption Deterrence Act of 1998 (18 USC 1028) | 1998 | Attempts to instigate penalties for identity theft by recognizing people who lose their identity as the true victims, not just the commercial and financial credit entities that suffered losses |
| Children’s privacy | Children’s Online Privacy Protection Act of 1998 (COPPA) | 1998 | Protects children online by requiring Web sites with users under the age of 13 to post privacy policies that specify clear guidance and restrictions on information collection |
| Encryption and digital signatures | Security and Freedom Through Encryption Act of 1999 | 1999 | Affirms the rights of people in the United States to use and sell products that include encryption and to relax export controls on such products |
| Banking | Gramm-Leach-Bliley Act of 1999 (GLB) or the Financial Services Modernization Act | 1999 | Repeals the restrictions on banks affiliating with insurance and securities firms; has significant impact on the privacy of personal information used by these industries |
| Children’s online protection | Children’s Internet Protection Act | 2000 | Requires K-12 schools and libraries to use Internet filters to protect children online |
| Terrorism | USA PATRIOT Act of 2001 (update to 18 USC 1030) | 2001 | Defines stiffer penalties for prosecution of terrorist crimes |
| Accountability | Sarbanes-Oxley Act of 2002 (SOX) or Public Company Accounting Reform and Investor Protection Act | 2002 | Enforces accountability for executives at publicly traded companies; this law has created ripple effects throughout the accounting, IT, and related units of many organizations |
| Federal information security | Federal Information Security Management Act (FISMA) | 2002 | Specifies the requirement for federal agencies to establish information security programs to protect their information assets |
| Spam | Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, CAN-SPAM Act (15 USC 7701 et seq.) | 2003 | Sets the first national standards for regulating the distribution of commercial e-mail, including mobile phone spam |
| Fraud with access devices | Fraud and Related Activity in Connection with Access Devices (18 USC 1029) | 2004 | Defines and formalizes law to counter threats from counterfeit access devices such as ID cards, credit cards, telecom equipment, mobile or electronic serial numbers, and the equipment that creates them |
| Terrorism | Customs-Trade Partnership Against Terrorism (C-TPAT) | 2004 | Organizations that conduct international business may voluntarily comply with this initiative by U.S. Customs and Border Protection to facilitate security and shipments processing |
| Terrorism and extreme drug trafficking | USA PATRIOT Improvement and Reauthorization Act of 2005 (update to 18 USC 1030) | 2006 | Renews critical sections of the USA PATRIOT Act |
| Identity theft | Identity Theft Enforcement and Restitution Act | 2008 | Imposes criminal liability on people who commit identity theft, but does not regulate the technology |
| Terrorism | PATRIOT Sunsets Extension Act of 2011 (update to 18 USC 1030) | 2011 | Renews critical sections of the USA PATRIOT Act |

Table 3-1 Key U.S. Laws of Interest to Information Security Professionals
© Cengage Learning 2015
To learn more about laws that are not specifically discussed in this chapter, visit CSO Magazine’s directory of security laws, regulations, and guidelines at www.csoonline.com/article/632218/the-security-laws-regulations-and-guidelines-directory.
Identity Theft

Key Terms

identity theft The unauthorized taking of personally identifiable information with the intent of committing fraud and abuse of a person’s financial and personal reputation, purchasing goods and services without authorization, and generally impersonating the victim for illegal or unethical purposes.

personally identifiable information (PII) Information about a person’s history, background, and attributes that can be used to commit identity theft. This information typically includes a person’s name, address, Social Security number, family information, employment history, and financial information.

Related to privacy legislation is the growing body of law on identity theft. Identity theft can occur when someone steals a victim’s personally identifiable information (PII) and uses it to purchase goods and services, or conduct other actions while posing as the victim. According to a report from the U.S. Department of Justice, “approximately 16.6 million persons or 7% of all U.S. residents age 16 or older, were victims of one or more incidents of identity theft in 2012.” 11 As shown in Figure 3-3, the bulk of this theft occurred with payment card accounts. Organizations can also be victims of identity theft by means of URL manipulation or DNS redirection, as described in Chapter 2.
Persons age 16 or older who experienced at least one identity theft incident in the past 12 months, by type of theft, 2012

| Type of identity theft | Anytime during the past 12 months a: number of victims | Anytime during the past 12 months a: percent of all persons | Most recent incident b: number of victims | Most recent incident b: percent of all persons | Most recent incident b: percent of all victims |
|---|---|---|---|---|---|
| Total | 16,580,500 | 6.7% | 16,580,500 | 6.7% | 100% |
| Existing account | 15,323,500 | 6.2% | 14,022,100 | 5.7% | 84.6% |
| Existing account (credit card) | 7,698,500 | 3.1% | 6,676,300 | 2.7% | 40.3% |
| Existing account (bank) | 7,470,700 | 3.0% | 6,191,500 | 2.5% | 37.3% |
| Existing account (other) | 1,696,400 | 0.7% | 1,154,300 | 0.5% | 7.0% |
| New account | 1,125,100 | 0.5% | 683,400 | 0.3% | 4.1% |
| Personal information | 833,600 | 0.3% | 622,900 | 0.3% | 3.8% |
| Multiple types | ~ | ~ | 1,252,000 | 0.5% | 7.6% |
| Multiple types (existing account) b | ~ | ~ | 824,700 | 0.3% | 5.0% |
| Multiple types (other) c | ~ | ~ | 427,400 | 0.2% | 2.6% |

Note: Detail may not sum to total due to victims who reported multiple incidents of identity theft and rounding.
~ Not applicable.
a Identity theft classified as a single type.
b Includes victims who experienced two or more of the following: unauthorized use of a credit card, bank account, or other existing account.
c Includes victims who experienced two or more of the following: unauthorized use of an existing account, misuse of personal information to open a new account, or misuse of personal information for other fraudulent purposes.
Source: Bureau of Justice Statistics, National Crime Victimization Survey, Identity Theft Supplement, 2012.

Figure 3-3 U.S. Department of Justice report on victims of identity theft in 2012
Source: U.S. Federal Trade Commission.
In May 2006, President Bush signed an executive order creating the Identity Theft Task Force. On April 27, 2007, it issued a strategic plan to improve efforts by the government, private organizations, and individuals in combating identity theft. The U.S. Federal Trade Commission (FTC) now oversees efforts to foster coordination among groups, more effective prosecution of criminals engaged in identity theft, and methods to increase restitution made to victims. 12
While numerous states have passed identity theft laws, the primary legislation at the federal level is Fraud and Related Activity in Connection with Identification Documents, Authentication Features, and Information (Title 18, U.S.C. § 1028), which criminalizes the creation, reproduction, transfer, possession, or use of unauthorized or false identification documents or document-making equipment. The penalties for such offenses range from 1 to 25 years in prison and fines as determined by the courts.
The FTC recommends that people take the following four steps when they suspect they are victims of identity theft:

1. Place an initial fraud alert: Report to one of the three national credit reporting companies and ask for an initial fraud alert on your credit report. This makes it harder for an identity thief to open more accounts in your name.
2. Order your credit reports: Filing an initial fraud alert entitles you to a free credit report from each of the three credit reporting companies. Examine the reports for fraud activity and contact the fraud department in the organization that holds the suspect account.
3. Create an identity theft report: Filing a complaint with the FTC will generate an identity theft affidavit, which can be used to file a police report and create an identity theft report. This report helps when dealing with credit reporting companies, debt collectors, and any businesses with whom the identity thief has interacted.
4. Monitor your progress: Document all calls, letters, and communications during the process. 13
In 2008, Congress passed another update to the CFAA titled the Identity Theft Enforcement and Restitution Act of 2008, which specifically addressed the malicious use of spyware or keyloggers to steal PII. This act also created a new designation of a level of identity theft that provided much stronger penalties for violators who used 10 or more computers to commit theft. The new law also created a mechanism by which victims of identity theft may receive restitution from criminals convicted under the act. The penalties that may be levied under this act include substantial fines, from which the restitution is paid, and prison terms of up to 10 or 20 years, depending on the severity of the crime. 14 Increasingly, consumers who recognize the increased threat of identity theft elect to buy credit protection insurance products that offset the expenses associated with such theft.

For more information on privacy and identity theft, visit the FTC’s Web site at www.consumer.ftc.gov/topics/privacy-identity and the U.S. Department of Justice Web site at www.justice.gov/criminal/fraud/websites/idtheft.html.
Export and Espionage Laws

To meet national security needs and to protect trade secrets and other state and private assets, several laws restrict which information, information management resources, and security resources may be exported from the United States. These laws attempt to stem the theft of information by establishing strong penalties for such crimes. Such laws have limited effectiveness in many cases because the theft is initiated from offshore and the ability to apply the law is reduced when perpetrators are from another jurisdiction.

To protect American ingenuity, intellectual property, and competitive advantage, Congress passed the Economic Espionage Act in 1996. This law attempts to prevent trade secrets from being illegally shared.
The Security and Freedom through Encryption Act of 1999 provides guidance for the use of encryption and provides protection from government intervention. The act includes provisions that:

● Reinforce a person’s right to use or sell encryption algorithms without concern for regulations requiring some form of key registration. Key registration is the storage of a cryptographic key (or its text equivalent) with another party for breaking the encryption of data. This is often called “key escrow.”
● Prohibit the federal government from requiring the use of encryption for contracts, grants, and other official documents and correspondence.
● State that the use of encryption is not probable cause to suspect criminal activity.
● Relax export restrictions by amending the Export Administration Act of 1979.
● Provide additional penalties for the use of encryption in the commission of a criminal act.
As illustrated in Figure 3-4, the distribution of many software packages is restricted to approved organizations, governments, and countries.

Figure 3-4 Export and espionage (image of a software package labeled “For distribution in the U.S. and Canada only.”)
© Cengage Learning 2015
U.S. Copyright Law

Intellectual property is a protected asset in the United States. The U.S. Copyright Law extends this privilege to published works, including electronic formats. Fair use allows copyrighted materials to be used to support news reporting, teaching, scholarship, and similar activities, as long as the use is for educational or library purposes, is not for profit, and is not excessive. As long as proper acknowledgment is provided to the original author of such works, including a proper citation of the location of source materials, and the work is not represented as one’s own, it is entirely permissible to include portions of someone else’s work as reference.

For more information on the U.S. Copyright Law, visit the U.S. Copyright Office’s Web site at www.copyright.gov/. You can view the law in its entirety at www.copyright.gov/title17/.
Financial Reporting

The Sarbanes-Oxley Act of 2002, also known as SOX or the Corporate and Auditing Accountability and Responsibility Act, is a critical piece of legislation that affects the executive management of publicly traded corporations and public accounting firms. The law seeks to improve the reliability and accuracy of financial reporting, as well as increase the accountability of corporate governance, in publicly traded companies. Penalties for noncompliance range from fines to jail terms. Executives in firms covered by this law seek assurance for the reliability and quality of information systems from senior information technology managers. In turn, IT managers will likely ask information security managers to verify the confidentiality and integrity of the information systems in a process known as subcertification.

The two sections of SOX that most affect information security are Section 302 and Section 404. Section 302 of SOX requires an organization’s executives to personally certify the accuracy and completeness of their financial reports as well as assess and report on the effectiveness of internal controls for their financial reporting. Section 404 complements the requirement to assess and report on internal controls, mandating that these assessment reports must be audited by an outside firm. Because SOX does not delineate IT from non-IT internal controls, and because most modern financial systems and their controls are based on IT and information security technologies, the expectation of effective controls trickles through the organization to the Information Security department.
Freedom of Information Act of 1966

The Freedom of Information Act (FOIA) allows any person to request access to federal agency records or information not determined to be a matter of national security. Agencies of the federal government are required to disclose requested information upon receipt of a written request. This requirement is enforceable in court. However, some information is protected from disclosure, and the act does not apply to state or local government agencies or to private businesses or individuals, although many states have their own version of the FOIA. Figure 3-5 illustrates the number of FOIA requests received by the U.S. government between 2008 and 2012, and their disposition.
Payment Card Industry Data Security Standards (PCI DSS)

For organizations that process payment cards, such as credit cards, debit cards, ATM cards, store-value cards, gift cards, or other related items, the Payment Card Industry (PCI) Security Standards Council offers a standard of performance to which participating organizations must comply. While not a law, per se, this standard has proven to be very effective in improving industry practices. The PCI Standards Council was founded in 2006 by a group of industry businesses that include American Express, Visa, Discover Financial Services, JCB, and MasterCard Worldwide. The Security Standards Council established a set of regulatory mandates with which organizations must comply to be certified by the PCI Council. These regulations, the Payment Card Industry Data Security Standards (PCI DSS), are designed to enhance the security of customers’ account data. The regulations include requirements for information security policies, procedures, and management, as well as technical software and networking specifications.

PCI DSS “was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).” 15

PCI DSS addresses the following six areas with 12 requirements:

Area 1: “Build and maintain a secure network and systems.
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.”
Figure 3-5 U.S. government FOIA requests and processing (chart titled “FOIA DATA AT A GLANCE - FY 2008 through FY 2012”, with panels for Requests Received by fiscal year, Disposition of Requests FY 2012 (Released in Full, Released in Part, Denied in Full), and Backlog by fiscal year). Requests received: FY 2008, 605,491; FY 2009, 557,825; FY 2010, 597,415; FY 2011, 644,165; FY 2012, 651,254.
Source: www.foia.gov.
Area 2: “Protect cardholder data.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.”

Area 3: “Maintain a vulnerability management program.
5. Protect all systems against malware and regularly update antivirus software or programs.
6. Develop and maintain secure systems and applications.”

Area 4: “Implement strong access control measures.
7. Restrict access to cardholder data by a business’s need to know.
8. Identify and authenticate access to system components.
9. Restrict physical access to cardholder data.”

Area 5: “Regularly monitor and test networks.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.”

Area 6: “Maintain an information security policy.
12. Maintain a policy that addresses information security for all personnel.” 16

The Council has also issued requirements called the Payment Application Data Security Standard (PA DSS) and PCI Pin Transaction Security (PCI PTS), which provide additional specifications for components of payment card processing.

For more information on PCI DSS, visit www.pcisecuritystandards.org/.
State and Local Regulations

A critical fact to keep in mind when reading federal computer laws is that the majority of them are written specifically to protect federal information systems. The laws have little applicability to private organizations. Thus, such organizations must be cognizant of the state and local laws that protect and apply to them. Information security professionals must understand state laws and regulations and ensure that their organizations’ security policies and procedures are in compliance.

For example, in 1991, the state of Georgia passed the Georgia Computer Systems Protection Act, which protects information and established penalties for the use of information technology to attack or exploit information systems. In 1998, Georgia passed its Identity Fraud Act (updated in 2002), which established strong penalties for identity theft and the inappropriate disposal of customer confidential information.

For more information on state security laws, visit the National Conference of State Legislatures Web site at www.ncsl.org. Use the search box to find your state’s security breach notification laws, data disposal laws, and identity theft statutes.
International Laws and Legal Bodies

IT professionals and information security practitioners must realize that when their organizations do business on the Internet, they do business globally. As a result, these professionals must be sensitive to the laws and ethical values of many different cultures, societies, and countries. When it comes to certain ethical values, you may be unable to please all of the people all of the time, but the laws of other nations are one area in which it is certainly not easier to ask for forgiveness than for permission.

Several security bodies and laws are described in this section. Because of the political complexities of relationships among nations and differences in culture, few current international laws cover privacy and information security. The laws discussed in this section are important, but they are limited in their enforceability. The American Society of International Law is one example of an American institution that deals with international law (see www.asil.org).
U.K. Computer Security Laws

The following laws are in force in the United Kingdom (U.K.) and are similar to those described earlier for the United States:

● Computer Misuse Act 1990: Defined three “computer misuse offenses”:
  1. Unauthorized access to computer material.
  2. Unauthorized access with intent to commit or facilitate commission of further offenses.
  3. Unauthorized acts with intent to impair, or with recklessness as to impairing, operation of computer, etc. 17
● Privacy and Electronic Communications (EC Directive) Regulations 2003: Revoked the Data Protection and Privacy Regulations of 1999, and focuses on protection against unwanted or harassing phone, e-mail, and SMS messages.
● Police and Justice Act 2006: Updated the Computer Misuse Act, modified the penalties, and created new crimes defined as the “unauthorized acts with intent to impair operation of computer, etc.,” 18 and the manufacture or provision of materials used in computer misuse offenses.
● Personal Internet Safety 2007: A report published by the House of Lords Science and Technology Committee provided a public service, and criticized the U.K. government’s lack of action in protecting personal Internet safety.
Australian Computer Security Laws

The following laws are in force in Australia and its territories, and are similar to those described earlier for the United States:

● Privacy Act 1988: Regulates the collection, storage, use, and disclosure of personal information. Applies both to private and public sectors. Contains 11 information privacy principles for handling personal information by most public sector agencies, and 10 national privacy principles for handling of personal information by nongovernment agencies. 19
● Telecommunications Act 1997: Updated as of October 2013; contains regulation related to the collection and storage of privacy data held by telecommunications service providers.
● Corporations Act 2001: Updated by the Corporations Regulations of 2001 and 2002; focuses on business relationships, but similar to SOX, contains provisions related to financial reporting and audits.
● Spam Act 2003: Legislation designed to regulate the amount of unwanted commercial marketing materials, especially via e-mail. Requires businesses to obtain consent of recipients, ensure that businesses accurately identify the recipients, and provide a mechanism by which the recipients may unsubscribe from commercial messages.
● Cybercrime Legislation Amendment Bill 2011: Designed to align Australian laws with the European Convention on Cybercrime (see next section); the bill specifies information that communications carriers and Internet service providers must retain and surrender when requested by law enforcement.
Council of Europe Convention on Cybercrime

The Council of Europe adopted the Convention on Cybercrime in 2001. It created an international task force to oversee a range of security functions associated with Internet activities and standardized technology laws across international borders. It also attempts to improve the effectiveness of international investigations into breaches of technology law. This convention has been well received by advocates of intellectual property rights because it emphasizes prosecution for copyright infringement. However, many supporters of individual rights oppose the convention because they think it unduly infringes on freedom of speech and threatens the civil liberties of U.S. residents.

Thirty-four countries attended the convention signing in November 2001, and 41 nations, including the United States and the United Kingdom, have ratified the convention as of January 2014. 20 The United States is technically not a member state of the Council of Europe, but it does participate in the convention.

As with much complex international legislation, the Convention on Cybercrime lacks any realistic provisions for enforcement. The overall goal of the convention is to simplify the acquisition of information for law enforcement agencies in certain types of international crimes. It also simplifies the extradition process. The convention has more than its share of skeptics, who see it as an overly simplistic attempt to control a complex problem.

For more information on the Council of Europe Convention on Cybercrime, visit its Web site at www.coe.int/cybercrime.
World Trade Organization and the Agreement on Trade-Related Aspects of Intellectual Property Rights

The Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS), created by the World Trade Organization (WTO) and negotiated from 1986 to 1994, introduced intellectual property rules into the multilateral trade system. It is the first significant international effort to protect intellectual property rights. It outlines requirements for governmental oversight and legislation of WTO member countries to provide minimum levels of protection for intellectual property. The WTO TRIPS agreement covers five issues:

● How basic principles of the trading system and other international intellectual property agreements should be applied
● How to give adequate protection to intellectual property rights
● How countries should enforce those rights adequately within their own borders
● How to settle disputes on intellectual property between members of the WTO
● Special transitional arrangements during the period when the new system is being introduced 21
- Digital Millennium Copyright Act
- The Digital Millennium Copyright Act (DMCA) is the American contribution to an international effort by the World Intellectual Property Organization (WIPO) to reduce the impact of copyright, trademark, and privacy infringement, especially when accomplished via the removal of technological copyright protection measures. This law was created in response to the 1995 adoption of Directive 95/46/EC by the European Union, which added protection for individual citizens with regard to the processing of personal data and its use and movement. The United Kingdom has implemented a version of this law called the Database Right to comply with Directive 95/46/EC.
- The DMCA includes the following provisions:
- ● Prohibits the circumvention of protections and countermeasures implemented by copyright owners to control access to protected content
- ● Prohibits the manufacture of devices to circumvent protections and countermeasures that control access to protected content
- ● Bans trafficking in devices manufactured to circumvent protections and countermeasures that control access to protected content
- ● Prohibits the altering of information attached or embedded into copyrighted material
- ● Excludes Internet service providers from certain forms of contributory copyright infringement
- Ethics and Information Security
- Many professionally regulated disciplines have explicit rules that govern the ethical behavior of their members. For example, doctors and lawyers who commit egregious violations of their professions’ canons of conduct can have their legal ability to practice revoked. Unlike the medical and legal fields, however, the information technology and information security fields do not have binding codes of ethics. Instead, professional associations such as the ACM and ISSA, and certification agencies such as (ISC)² and ISACA, work to maintain ethical codes of conduct for their respective memberships. While these professional organizations can prescribe ethical conduct, they do not have the authority to banish violators from practicing their trade. To begin exploring some of the ethical issues of information security, take a look at the Ten Commandments of Computer Ethics in the nearby Offline feature.
- Ethical Differences Across Cultures
- Cultural differences can make it difficult to determine what is ethical and what is not—especially when it comes to the use of computers. Studies on ethics and computer use reveal that people of different nationalities have different perspectives; difficulties arise when one nationality’s ethical behavior violates the ethics of another national group. For example, to Western cultures, many of the ways in which Asian cultures use computer technology amount to software piracy. This ethical conflict arises out of Asian traditions of collective ownership, which clash with the protection of intellectual property.
- Approximately 90 percent of all software is created in the United States. The Business Software Alliance’s 2011 piracy study found that the global software piracy rate was 42 percent. Figure 3-6 shows an international comparison between the average cost of a PC in a country and the amount typically spent there on legal software.
- Table 3-2 shows the estimated rate of losses from piracy as a percentage of legal sales rates and losses due to piracy internationally.
- Some countries are more relaxed than others when dealing with intellectual property copy restrictions. A study published in 1999 examined the computer-use ethics in several nations, including Singapore, Hong Kong, the United States, England, Australia, Sweden, Wales, and the Netherlands.[23] This study selected various computer-use vignettes (see the Offline feature titled “The Use of Scenarios in Computer Ethics Studies”) and presented them to university students in the various nations. The study did not categorize or classify the responses as ethical or unethical. Instead, the responses only indicated a degree of ethical sensitivity or knowledge about the performance of the characters in the short case studies. The scenarios were grouped into three categories of ethical computer use: software license infringement, illicit use, and misuse of corporate resources.
- OFFLINE
- The Ten Commandments of Computer Ethics[22]
- from the Computer Ethics Institute
- 1. Thou shalt not use a computer to harm other people.
- 2. Thou shalt not interfere with other people’s computer work.
- 3. Thou shalt not snoop around in other people’s computer files.
- 4. Thou shalt not use a computer to steal.
- 5. Thou shalt not use a computer to bear false witness.
- 6. Thou shalt not copy or use proprietary software for which you have not paid.
- 7. Thou shalt not use other people’s computer resources without authorization or proper compensation.
- 8. Thou shalt not appropriate other people’s intellectual output.
- 9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
- 10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.
- Figure 3-6 Legal international hardware and software sales (2011 hardware and software expenditures: PC price vs. legal software sales for Brazil, USA, Russia, India, and China; vertical axis in dollars, $0 to $800). Source: Business Software Alliance (BSA), 2012.[24]
- Table 3-2 International Piracy Rates. Source: BSA, 2012.[25]
- Country | Pirated value ($M) | Legal sales ($M) | Piracy rate
- U.S. | 9,773 | 41,664 | 19%
- Japan | 1,875 | 7,054 | 21%
- U.K. | 1,943 | 5,530 | 26%
- South Korea | 815 | 1,223 | 40%
- Brazil | 2,848 | 2,526 | 53%
- Malaysia | 657 | 538 | 55%
- Mexico | 1,249 | 942 | 57%
- Russia | 3,227 | 1,895 | 63%
- India | 2,930 | 1,721 | 63%
- Thailand | 852 | 331 | 72%
- China | 8,902 | 2,659 | 77%
- Indonesia | 1,467 | 239 | 86%
- Software License Infringement
- The topic of software license infringement, or piracy, is routinely covered by the popular press. Among study participants, attitudes toward piracy were generally similar; however, participants from the United States and the Netherlands showed statistically significant differences in attitudes from those of the overall group. Participants from the United States were significantly less tolerant of piracy, while those from the Netherlands were significantly more permissive. Although other studies have reported that the Pacific Rim countries of Singapore and Hong Kong are hotbeds of software piracy, this study found tolerance for copyright infringement in those countries to be moderate, as were attitudes in England, Wales, Australia, and Sweden. This could mean that the people surveyed understood what software license infringement was, but felt either that certain use was not piracy or that their society permitted this piracy in some way. Peer pressure, the lack of legal disincentives, the lack of punitive measures, and other reasons could explain why users in these alleged piracy centers disregarded intellectual property laws despite their professed attitudes toward them. Even though participants from the Netherlands displayed a more permissive attitude toward piracy, that country only ranked third in piracy rates of the nations surveyed in the study.
- Illicit Use
- The study respondents uniformly condemned viruses, hacking, and other forms of system abuse. There were, however, different degrees of tolerance for such activities among the groups. Students from Singapore and Hong Kong proved to be significantly more tolerant than those from the United States, Wales, England, and Australia. Students from Sweden and the Netherlands were also significantly more tolerant than those from Wales and Australia, but significantly less tolerant than those from Hong Kong. The low overall degree of tolerance for illicit system use may be a function of the easy correspondence between the common crimes of breaking and entering, trespassing, theft, and destruction of property, and their computer-related counterparts.
- Misuse of Corporate Resources
- The scenarios examined levels of tolerance for misuse of corporate resources, and each presented a different situation in which corporate assets were used for nonbusiness purposes without specifying the company’s policy on personal use of its resources. In general, participants displayed a rather lenient view of personal use of company equipment. Only students from Singapore and Hong Kong viewed this personal use as unethical. There were several substantial differences in this category, with students from the Netherlands revealing the most lenient views. With the exceptions of students from Singapore and Hong Kong, many people from many cultural backgrounds indicated that unless an organization explicitly forbids personal use of its computing resources, such use is acceptable.[26]
- Larger organizations, especially those that operate in international markets, are faced with cultural differences in ethical perceptions and decision making. For example, the Boeing Company has a clear and well-developed Ethics and Business Conduct program. It seeks to communicate company standards of ethical business conduct to all employees, inform all stakeholders of the policy and procedure that governs ethical conduct, identify company processes that help stakeholders comply with corporate standards of conduct, and promote an ongoing awareness of ethical conduct within the company. Like other large organizations, Boeing takes its business values and corporate conduct program very seriously. The approach is best summarized as “Communicate, Educate, and Execute,” in which Boeing seeks to inform all corporate stakeholders about ethically motivated actions and then implement programs to achieve its stated values in practice. In a nutshell, Boeing promotes the goal that all stakeholders will conduct business dealings fairly, impartially, and in an ethical and proper manner consistent with its code of conduct.
- To learn more about the Boeing ethics program, visit the Boeing Web site at www.boeing.com/boeing/companyoffices/aboutus/ethics/hotline.page.
- OFFLINE
- The Use of Scenarios in Computer Ethics Studies[27]
- The following vignettes can be used in an open and frank discussion of computer ethics. Review each scenario carefully and respond to each question using a form of the following statement, choosing the description you consider most appropriate: I feel the actions of this person were (very ethical/ethical/neither ethical nor unethical/unethical/very unethical). Then, justify your response.
- 1. A scientist developed a theory that required proof through the construction of a computer model. He hired a computer programmer to build the model, and the theory was shown to be correct. The scientist won several awards for the development of the theory, but he never acknowledged the contribution of the computer programmer.
- The scientist’s failure to acknowledge the computer programmer was:
- 2. The owner of a small business needed a computer-based accounting system. He identified the various inputs and outputs he felt were required to satisfy his needs. Then he showed his design to a computer programmer and asked if she could implement such a system. The programmer knew she could because she had developed much more sophisticated systems in the past. In fact, she thought the design was rather crude and would soon need several major revisions. But she didn’t voice her thoughts because the business owner didn’t ask, and she wanted to be hired to implement the needed revisions.
- The programmer’s decision not to point out the design flaws was:
- 3. A student found a loophole in his university’s computer system that allowed him access to other students’ records. He told the system administrator about the loophole, but continued to access student records until the problem was corrected two weeks later.
- The student’s action in searching for the loophole was:
- The student’s action in continuing to access others’ records for two weeks was:
- The system administrator’s failure to correct the problem sooner was:
- 4. A computer user ordered an accounting system from a popular software vendor’s Web site. When he received his order, he found that the store had accidentally sent him a very expensive word-processing program as well as the accounting package he had ordered. The invoice listed only the accounting package. The user decided to keep the word-processing program.
- The customer’s decision to keep the word-processing program was:
- 5. A programmer at a bank realized that she had accidentally overdrawn her checking account. She made a small adjustment in the bank’s accounting system so that her account would not incur a service charge. As soon as she deposited funds that made her balance positive again, she corrected the bank’s accounting system.
- The programmer’s modification of the accounting system was:
- 6. A computer programmer built and sold small computer applications to supplement his income. He worked for a moderately sized computer vendor, and would frequently go to his office on Saturdays when no one was working and use his employer’s computer to develop the applications. He did not hide the fact that he was entering the building; he had to sign a register at a security desk each time he entered.
- The programmer’s weekend use of the company computer was:
- 7. A student in a computer class was also employed at a local business part-time. Frequently her class homework required using popular word-processing and spreadsheet packages. Occasionally she did her homework on the office computer at her part-time job during coffee or meal breaks.
- The student’s use of the company computer was:
- If the student had done her homework during “company time” (not during a break), her use of the company computer would have been:
- 8. A university student learned to use an expensive accounting program in her accounting class. The student would go to the university computer lab and use the software to complete her assignment. Signs were posted in the lab indicating that copying software was forbidden. One day, she decided to copy the software anyway to complete her work assignments at home.
- If the student destroyed her copy of the software at the end of the term, her action in copying the software was:
- If the student forgot to destroy her copy of the software at the end of the term, her action in copying the software was:
- If the student never intended to destroy her copy of the software at the end of the term, her action in copying the software was:
- 9. A university student found out that a fellow student’s personal Web site contained a “pirate” section of illegally copied software programs. He accessed the Web site and proceeded to download several games and professional programs, which he then distributed to several of his friends.
- The student’s actions in downloading the games were:
- The student’s actions in downloading the programs were:
- The student’s actions in sharing the programs and games with his friends were:
- 10. An engineer needed a program to perform a series of complicated calculations. He found a computer programmer who was capable of writing the program, but would only hire the programmer if he agreed to share any liability that may result from an error in the engineer’s calculations. The programmer was willing to assume any liability due to a program malfunction, but was unwilling to share liability due to an error in the engineer’s calculations.
- The programmer’s position in this situation is:
- The engineer’s position in this situation is:
- 11. A manager of a company that sells Web hosting services bought similar services from a competitor. She used her access to the competitor’s computer to try to break the security system, identify other customers, and cause the system to crash. She used the service for a year and always paid her bills promptly.
- The manager’s actions were:
- 12. A student programmer decided to write a virus program. Such programs usually spread automatically by making copies of themselves onto other users’ media (like flash drives). The student wrote a program that caused the computer to ignore every fifth command entered by a user. The student took his program to the university computing lab and installed it on one of the computers. Before long, the virus had spread to hundreds of users.
- The student’s action of infecting hundreds of users’ flash drives was:
- If the virus program output the message “Have a nice day,” then the student’s action of infecting hundreds of users’ flash drives would have been:
- If the virus erased files, then the student’s action of infecting hundreds of users’ flash drives would have been:
- Ethics and Education
- Attitudes toward the ethics of computer use are affected by many factors other than nationality. Differences are found among people within the same country, within the same social class, and within the same company. Key studies reveal that education is the overriding factor in leveling ethical perceptions within a small population. Employees must be trained and kept aware of many topics related to information security, not the least of which is the expected behavior of an ethical employee. This education is especially important in information security, as many employees may not have the formal technical training to understand that their behavior is unethical or even illegal. Proper ethical and legal training is vital to creating an informed and well-prepared system user.
- Deterring Unethical and Illegal Behavior
- There are three general causes of unethical and illegal behavior:
- ● Ignorance: Ignorance of the law is no excuse; however, ignorance of policy and procedures is. The first method of deterrence is education, which is accomplished by designing, publishing, and disseminating an organization’s policies and relevant laws, and obtaining agreement to comply with these policies and laws from all members of the organization. Reminders, training, and awareness programs keep policy information in front of employees to support retention and compliance.
- ● Accident: People who have authorization and privileges to manage information within the organization are most likely to cause harm or damage by accident. Careful planning and control help prevent accidental modification to systems and data.
- ● Intent: Criminal or unethical intent goes to the state of mind of the person performing the act; it is often necessary to establish criminal intent to successfully prosecute offenders. Protecting a system against those with intent to cause harm or damage is best accomplished by means of technical controls, and vigorous litigation or prosecution if these controls fail.
- Whatever the cause of illegal, immoral, or unethical behavior, one thing is certain: information security personnel must do everything in their power to deter these acts and to use policy, education and training, and technology to protect information and systems. Many security professionals understand the technology aspect of protection but underestimate the value of policy. However, laws, policies, and their associated penalties only provide deterrence if three conditions are present, as illustrated in Figure 3-7:
- ● Fear of penalty: Potential offenders must fear the penalty. Threats of informal reprimand or verbal warnings do not have the same impact as the threat of imprisonment or forfeiture of pay.
- ● Probability of being apprehended: Potential offenders must believe there is a strong possibility of being caught.
- ● Probability of penalty being applied: Potential offenders must believe that the penalty will be administered.
- Figure 3-7 Deterrents to illegal or unethical behavior (three panels: Penalty, Apprehension, Application). © Cengage Learning 2015
- Codes of Ethics at Professional Organizations
- Many professional organizations have established codes of conduct or codes of ethics that members are expected to follow. Codes of ethics can have a positive effect on people’s judgment regarding computer use.[28] Unfortunately, many employers do not encourage their employees to join these professional organizations. But, employees who have earned some level of certification or professional accreditation can be deterred from ethical lapses if they fear losing that accreditation or certification by violating a code of conduct. Loss of certification or accreditation can dramatically reduce their marketability and earning power.
- Security professionals have a responsibility to act ethically and according to the policies and procedures of their employers, their professional organizations, and the laws of society. Likewise, it is the organization’s responsibility to develop, disseminate, and enforce its policies. The following discussion explains where professional organizations fit into the ethical landscape. Table 3-3 provides an overview of these organizations. Many of them offer certification programs that require applicants to subscribe formally to the ethical codes. Professional certification is discussed in Chapter 11.
- Table 3-3 Professional Organizations of Interest to Information Security Professionals. © Cengage Learning 2015
- Professional organization | Web resource location | Description | Focus
- Association of Computing Machinery | www.acm.org | Code of 24 imperatives of personal and ethical responsibilities for security professionals | Ethics of security professionals
- Information Systems Audit and Control Association | www.isaca.org | Focus on auditing, information security, business process analysis, and IS planning through the CISA and CISM certifications | Tasks and knowledge required of the information systems audit professional
- Information Systems Security Association | www.issa.org | Professional association of information systems security professionals; provides education forums, publications, and peer networking for members | Professional security information sharing
- International Information Systems Security Certification Consortium (ISC)² | www.isc2.org | International consortium dedicated to improving the quality of security professionals through SSCP and CISSP certifications | Requires certificants to follow its published code of ethics
- SANS Institute’s Global Information Assurance Certification | www.giac.org | GIAC certifications focus on four security areas: security administration, security management, IT audits, and software security; these areas have standard, gold, and expert levels | Requires certificants to follow its published code of ethics
- Major Information Security Professional Organizations
- Many of the major IT professional organizations maintain their own codes of ethics.
- Association of Computing Machinery (ACM)
- The ACM is a respected professional society that was established in 1947 as “the world’s first educational and scientific computing society.” It is one of the few organizations that strongly promotes education and provides discounts for student members. The ACM’s code of ethics requires its more than 100,000 members to perform their duties in a manner befitting an ethical computing professional. The code contains specific references to protecting the confidentiality of information, causing no harm (with specific references to viruses), protecting the privacy of others, and respecting the intellectual property and copyrights of others. The ACM (www.acm.org) also hosts more than 170 conferences annually and publishes a wide variety of professional computing publications, including the highly regarded Communications of the ACM.
- International Information Systems Security Certification Consortium, Inc. (ISC)²
- (ISC)² is a nonprofit organization that focuses on the development and implementation of information security certifications and credentials. The organization manages a body of knowledge on information security and administers and evaluates examinations for information security certifications. The code of ethics put forth by (ISC)² is primarily designed for the more than 90,000 information security professionals who have earned an (ISC)² certification, and has four mandatory canons: “Protect society, the commonwealth, and the infrastructure; act honorably, honestly, justly, responsibly, and legally; provide diligent and competent service to principals; and advance and protect the profession.”[29] This code enables (ISC)² to promote reliance on the ethicality and trustworthiness of information security professionals as the guardians of information and systems. For more information, visit www.isc2.org.
- SANS
- Formerly known as the System Administration, Networking, and Security Institute, SANS was founded in 1989 as a professional research and education cooperative organization and has awarded certifications to more than 55,000 information security professionals. SANS offers a set of certifications called the Global Information Assurance Certification (GIAC). All GIAC-certified professionals are required to acknowledge that certification and its privileges carry a corresponding obligation to uphold the GIAC code of ethics. Certificate holders who do not conform to this code face censure and may lose GIAC certification. For more information, visit www.sans.org and www.giac.org.
- ISACA
- Originally known as the Information Systems Audit and Control Association, ISACA is a professional association that focuses on auditing, control, and security. The membership comprises both technical and managerial professionals. ISACA (www.isaca.org) provides IT control practices and standards, and includes many information security components within its areas of concentration, although it does not focus exclusively on information security. ISACA also has a code of ethics for its 110,000 constituents, and it requires many of the same high standards for ethical performance as the other organizations and certifications.
- Information Systems Security Association (ISSA) ISSA is a nonprofit society
- of more than 10,000 information security professionals in over 100 countries. As a professional
- association, its primary mission is to bring together qualified information security
- practitioners for information exchange and educational development. ISSA (www.issa.org)
- provides scheduled conferences, meetings, publications, and information resources to promote
- information security awareness and education. ISSA also promotes a code of ethics,
- similar in content to those of (ISC)², ISACA, and the ACM, whose focus is “promoting
- management practices that will ensure the confidentiality, integrity, and availability of organizational
- information resources.”30
- Key U.S. Federal Agencies
- Several key U.S. federal agencies are charged with the protection of American information
- resources and the investigation of threats or attacks against these resources. These organizations
- include the Department of Homeland Security (DHS) and its subordinate agencies—the
- U.S. Secret Service (USSS) and US-CERT, the National Security Agency, the Federal Bureau
- of Investigation (FBI), and the FBI’s InfraGard program.
- Department of Homeland Security
- The Department of Homeland Security (DHS, at www.dhs.gov) was created in 2003 by the
- Homeland Security Act of 2002, which was passed in response to the events of September
- 11, 2001. DHS is made up of five directorates, or divisions, through which it carries out its
- mission of protecting American citizens as well as the physical and information assets of the
- United States. The Directorate of Information and Infrastructure creates and enhances
- resources used to discover and respond to attacks on national information systems and critical
- infrastructure. The Science and Technology Directorate is responsible for research and
- development activities in support of domestic defense. This effort is guided by an ongoing
- examination of vulnerabilities throughout the national infrastructure; the directorate sponsors
- the emerging best practices developed to counter threats and weaknesses in the system.
- Table 3-4 describes the DHS departments and their functions.
- DHS works with academic campuses nationally, focusing on resilience, recruitment, internationalization,
- growing academic maturity, and academic research. Resilience calls for academic
- institutions to improve their own preparedness for unexpected events. Recruitment
- refers to the roles of academic organizations in preparing students and recent graduates to
- fill the increasing demand for workers and managers in the preparedness industry. Internationalization
- recognizes that students around the world can help meet the increased demand.
- Recently, information security and preparedness have become more recognized as a discrete
- Table 3-4 DHS Departments and Functions (continues)
- DHS department: Function
- Federal Emergency Management Agency (FEMA): Supports U.S. citizens and first responders to ensure that people work together to build, sustain, and improve their capability to prepare for, protect against, respond to, recover from, and mitigate all hazards
- Federal Law Enforcement Training Center (FLETC): Provides career-long training to law enforcement professionals to help them fulfill their responsibilities safely and proficiently
- Transportation Security Administration (TSA): Protects the nation’s transportation systems to ensure freedom of movement for people and commerce
- United States Citizenship and Immigration Services (USCIS): Secures America’s promise as a nation of immigrants by providing accurate and useful information to customers, granting immigration and citizenship benefits, promoting an awareness and understanding of citizenship, and ensuring the integrity of the immigration system
- United States Customs and Border Protection (CBP):