Principles of Security - 1911194 PDF
Summary
This document is a lecture or presentation on principles of security, specifically focusing on ethical and policy issues in information security and risk assessment. It covers various topics including learning objectives, introductions, fundamental definitions, organizational liability, policy versus law, and types of laws. The document includes a table summarizing information security-related laws.
Principles of Security - 1911194
Topic 3: Ethical and policy issues in Information Security and Risk Assessment

Learning Objectives
Upon completion of this chapter, you should be able to:
1. Describe the functions of and relationships among laws, regulations, and professional organizations in information security.
2. Explain the differences between laws and ethics.
3. Identify major national laws that affect the practice of information security.
4. Discuss the role of privacy as it applies to law and ethics in information security.
5. Define risk management, risk identification, risk assessment, and risk control.
6. Describe how risk is identified and assessed.
7. Describe various options for a risk mitigation strategy.

Introduction
The information security professional must understand the scope and structure of an organization's legal and ethical responsibilities. To minimize liabilities and reduce risks from electronic and physical threats, the information security professional must:
1. Understand the current legal environment.
2. Stay current with laws and regulations.
3. Watch for new issues that emerge.
In this chapter we will learn about the laws and regulations that affect the management of information in an organization. Finally, we will learn about the ethical issues related to information security.

Law and Ethics in Information Security

Basic Definitions
Cultural mores: The fixed moral attitudes or customs of a particular group.
Ethics: Define socially acceptable behavior.
Laws: Rules that mandate or prohibit certain behavior and are enforced by the state. Laws carry sanctions of a governing authority; ethics do not.

Organizational Liability and the Need for Counsel
An organization should ensure that every employee knows what is acceptable and what is not, in order to meet the obligations imposed by laws or regulations. Why?
1. To maintain the reputation of the company and its employees.
2. To preserve the rights of the company, employees, and customers, for example.
Because an employee can perform an illegal or unethical act that causes some degree of harm, the employer can be held financially liable for that action. This entails legal liability and sometimes compensation.

Policy versus Law
Key term: Policy is defined as the list of expectations that describe acceptable and unacceptable employee behavior in the workplace.
Policy: Guidelines that dictate certain behavior within the organization. Within an organization, information security professionals help maintain security via the establishment and enforcement of policy.

Policy (continued)
For a policy to be enforceable, it must meet the following five criteria:
1. Dissemination (distribution): The organization must be able to prove that the policy has been made easily available for review by the employee. Common dissemination techniques include hard copy and electronic distribution.
2. Review (reading): The organization must be able to prove that it disseminated the document (policies) in an understandable form, including versions for employees who are illiterate or reading-impaired. Common techniques include recordings of the policy in many languages.
3. Comprehension (understanding): The organization must be able to prove that the employee understands the requirements and content of the policy. Common techniques include quizzes and other assessments.
4. Compliance (agreement): The organization must be able to prove that the employee agreed to the policy through act or affirmation. Common techniques include logon banners, which require a specific action (mouse click or keystroke) to acknowledge agreement, or a signed document clearly indicating the employee has read, understood, and agreed to comply with the policy.
5. Uniform enforcement: The organization must be able to demonstrate that the policy has been uniformly enforced, regardless of employee status or assignment.
Only when all five of these conditions are met can an organization penalize employees who violate a policy without fear of legal retribution.

Types of Law
There are several types of laws:
Civil law: Civil law includes a wide variety of laws pertaining to relationships between and among individuals and organizations. It includes contract law, employment law, family law, and tort law. Tort law is the subset of civil law that allows individuals to demand redress (justice) in the event of personal, physical, or financial injury.
Criminal law: Criminal law addresses violations harmful to society. It addresses rules associated with traffic law, public order, property damage, and personal damage.
Private law: Private law is considered a subset of civil law, and regulates the relationships among individuals as well as relationships between individuals and organizations; it encompasses family law, commercial law, and labor law.
Public law: Public law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments. It includes criminal law, administrative law, and constitutional law.
Regardless of how the laws are categorized, it is important to understand which laws and regulations are relevant to your organization and what the organization needs to do to comply. There are many international laws related to information security. The USA has been a leader in the development and implementation of security legislation. Especially as we trade globally and do more business at the international level, we need to have these kinds of laws established to be able to communicate with each other.
Table 1: summary of information security-related U.S. laws.
Area | Act | Date | Description
Online commerce and information protection | Federal Trade Commission Act (FTCA) | 1914 | Recently used to challenge organizations with deceptive claims regarding the privacy and security of customers' personal information.
Protection of credit information | Fair Credit Reporting Act (FCRA) | 1970 | Regulates the collection and use of consumer credit information.
Privacy | Federal Privacy Act | 1974 | Governs federal agency use of personal information.
Copyright | Copyright Act (update to U.S. Copyright Law (17 USC)) | 1976 | Protects intellectual property, including publications and software.
Cryptography | Electronic Communications Privacy Act (update to 18 USC) | 1986 | Regulates interception and disclosure of electronic information; also referred to as the Federal Wiretapping Act.
Threats to computers | Computer Fraud and Abuse (CFA) Act (also known as Fraud and Related Activity in Connection with Computers) (18 USC 1030) | 1986 | Defines and formalizes laws to counter threats from computer-related acts and offenses (amended 1996, 2001, and 2006).
Encryption and digital signatures | Security and Freedom Through Encryption Act | 1997 | Affirms the rights of persons in the United States to use and sell products that include encryption and to relax export controls on such products.
Spam | Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act (15 USC 7701 et seq.) | 2003 | Sets the first national standards for regulating the distribution of commercial e-mail, including mobile phone spam.

Privacy
Privacy: In the context of information security, the right of individuals or groups to protect themselves and their information from unauthorized access, providing confidentiality.
Privacy violation: A person may experience a violation of privacy in different forms, such as:
1. Many organizations collect, swap, and sell "personal information" such as name, location, address, telephone number, etc. as a commodity (goods); as a result, many people are looking to governments to protect their privacy from such organizations by enforcing the laws and considering it a crime punishable by law.
2. Eavesdropping on phone calls, private messages, etc.

References
Textbook