Principles of Information Security 4th Edition Chapter 3 Review Questions
Principles of Information Security, Fourth Edition Chapter 3 Professional, Legal, and Ethical Issues in Information Security
Learning Objectives • Upon completion of this cloth, y'all should exist able to: – Describe the functions of and relationships amid laws, regulations, and professional organizations in information security – Differentiate between laws and ethics – Identify major national laws that affect the exercise of data security – Explain the role of culture as it applies to ethics in information security Principles of Information Security, iv thursday Edition 2
Introduction • Y'all must empathise scope of an organization's legal and upstanding responsibilities • To minimize liabilities/reduce risks, the information security practitioner must: – Empathize current legal environment – Stay current with laws and regulations – Lookout for new issues that emerge Principles of Information Security, 4 thursday Edition 3
Law and Ethics in Information Security • Laws: rules that mandate or prohibit certain societal behavior • Ethics: define socially acceptable behavior • Cultural mores: fixed moral attitudes or community of a detail group; ideals based on these • Laws carry sanctions of a governing authorisation; ethics exercise non Principles of Data Security, 4 th Edition 4
Organizational Liability and the Demand for Counsel • Liability: legal obligation of an entity extending beyond criminal or contract police; includes legal obligation to make restitution • Restitution: to compensate for wrongs committed by an organization or its employees • Due care: insuring that employees know what constitutes acceptable behavior and know the consequences of illegal or unethical deportment • Due diligence: making a valid try to protect others; continually maintaining level of try Principles of Information Security, 4 th Edition five
Organizational Liability and the Demand for Counsel (cont'd. ) • Jurisdiction: court's right to hear a case if the incorrect was committed in its territory or involved its citizenry • Long arm jurisdiction: right of any court to impose its authority over an private or arrangement if it can establish jurisdiction Principles of Information Security, 4 thursday Edition 6
Policy versus Law • Policies: torso of expectations that depict adequate and unacceptable employee behaviors in the workplace • Policies function every bit laws within an organization; must be crafted carefully to ensure they are complete, advisable, fairly applied to everyone • Difference between policy and constabulary: ignorance of a policy is an acceptable defense Principles of Data Security, 4 th Edition 7
Policy versus Law (cont'd. ) • Criteria for policy enforcement: – – – Dissemination (distribution) Review (reading) Comprehension (agreement) Compliance (agreement) Compatible enforcement Principles of Information Security, Quaternary Edition 8
Types of Constabulary • Civil: governs nation or country; manages relationships/conflicts between organizational entities and people • Criminal: addresses violations harmful to club; actively enforced by the state • Private: regulates relationships between individuals and organizations • Public: regulates structure/administration of government agencies and relationships with citizens, employees, and other governments Principles of Information Security, 4 th Edition 9
Relevant U. S. Laws • United States has been a leader in the development and implementation of information security legislation • Implementation of information security legislation contributes to a more reliable business concern environment and a stable economy • U. Southward. has demonstrated understanding of problems facing the data security field; has specified penalties for individuals and organizations declining to follow requirements set up along in U. South. civil statutes Principles of Data Security, 4 th Edition ten
General Computer Crime Laws • Estimator Fraud and Abuse Act of 1986 (CFA Act): cornerstone of many computer-related federal laws and enforcement efforts • National Data Infrastructure Protection Human activity of 1996: – Modified several sections of the previous act and increased the penalties for selected crimes – Severity of penalties judged on the purpose • For purposes of commercial reward • For private financial proceeds • In furtherance of a criminal act Principles of Information Security, four th Edition eleven
Full general Computer Criminal offense Laws (cont'd. ) • USA PATRIOT Deed of 2001: provides law enforcement agencies with broader breadth in order to combat terrorism-related activities • USA PATRIOT Improvement and Reauthorization Act: made permanent fourteen of the sixteen expanded powers of the Department of Homeland Security and the FBI in investigating terrorist activity • Computer Security Human activity of 1987: one of the offset attempts to protect federal computer systems by establishing minimum acceptable security practices Principles of Information Security, Fourth Edition 12
Privacy • One of the hottest topics in information security • Is a "state of being gratuitous from unsanctioned intrusion" • Ability to aggregate data from multiple sources allows creation of information databases previously impossible • The number of statutes addressing an individual's right to privacy has grown Principles of Information Security, 4 thursday Edition 13
Privacy (cont'd. ) • US Regulations – Privacy of Customer Information Department of the common carrier regulation – Federal Privacy Human activity of 1974 – Electronic Communications Privacy Act of 1986 – Health Insurance Portability and Accountability Act of 1996 (HIPAA), aka Kennedy-Kassebaum Human activity – Financial Services Modernization Act, or Gramm. Leach-Bliley Human activity of 1999 Principles of Information Security, iv th Edition 14
Privacy (cont'd. ) • Identity Theft – Federal Trade Committee: "occurring when someone uses your personally identifying information, like your name, Social Security number, or credit card number, without your permission, to commit fraud or other crimes" – Fraud And Related Action In Connection With Identification Documents, Authentication Features, And Information (Title 18, U. Due south. C. § 1028) Principles of Information Security, 4 thursday Edition xv
Privacy (cont'd. ) • If someone suspects identity theft – Report to the three ascendant consumer reporting companies that your identity is threatened – Account • Close compromised account • Dispute accounts opened without permission – Register your concern with the FTC – Report the incident to either your local police or law in the location where the identity theft occurred Principles of Data Security, Fourth Edition 16
Health Insurance Portability and Accountability Act of 1996 (HIPAA) • Protects the confidentiality and security of health intendance data by establishing and enforcing standards and by standardizing electronic information interchange • Consumer command of medical data • Boundaries on the use of medical information • Accountability for the privacy of private information • Rest of public responsibility for the use of medical information for the greater good measured against affect to the private • Security of health information Principles of Information Security, Fourth Edition 17
Export and Espionage Laws • Economic Espionage Act of 1996 (EEA) • Security And Freedom Through Encryption Human activity of 1999 (SAFE) • The acts include provisions about encryption that: – Reinforce the right to use or sell encryption algorithms, without business organisation of primal registration – Prohibit the federal regime from requiring information technology – Make it not probable crusade in criminal activity – Relax consign restrictions – Additional penalties for using it in a law-breaking Principles of Information Security, 4 thursday Edition 18
Figure iii -ane Export and Espionage Principles of Information Security, 4 th Edition 19
U. Southward. Copyright Constabulary • Intellectual property recognized as protected nugget in the U. South. ; copyright law extends to electronic formats • With proper acquittance, permissible to include portions of others' piece of work as reference • U. Southward. Copyright Office Spider web site: world wide web. copyright. gov Principles of Information Security, 4 th Edition xx
Financial Reporting • Sarbanes-Oxley Act of 2002 • Affects executive management of publicly traded corporations and public accounting firms • Seeks to meliorate reliability and accuracy of financial reporting and increase the accountability of corporate governance • Penalties for noncompliance range from fines to jail terms • Reliability assurance will require additional emphasis on confidentiality and integrity Principles of Information Security, 4 th Edition 21
Freedom of Information Act of 1966 (FOIA) • Allows admission to federal bureau records or information not determined to be matter of national security • U. S. government agencies required to disclose whatsoever requested information upon receipt of written asking • Some information protected from disclosure Principles of Information Security, four th Edition 22
State and Local Regulations • Restrictions on organizational computer technology apply exist at international, state, local levels • Information security professional responsible for agreement land regulations and ensuring organization is compliant with regulations Principles of Information Security, 4 th Edition 23
International Laws and Legal Bodies • When organizations do business on the Internet, they do business globally • Professionals must be sensitive to laws and ethical values of many dissimilar cultures, societies, and countries • Considering of political complexities of relationships among nations and differences in culture, there are few international laws relating to privacy and information security • These international laws are important but are limited in their enforceability Principles of Information Security, 4 th Edition 24
European Quango Cyber-Law-breaking Convention • Establishes international task force overseeing Internet security functions for standardized international technology laws • Attempts to better effectiveness of international investigations into breaches of technology law • Well received by intellectual belongings rights advocates due to accent on copyright infringement prosecution • Lacks realistic provisions for enforcement Principles of Information Security, 4 th Edition 25
Understanding on Trade-Related Aspects of Intellectual Holding Rights • Created past Globe Merchandise Organisation (WTO) • First meaning international effort to protect intellectual property rights • Outlines requirements for governmental oversight and legislation providing minimum levels of protection for intellectual property Principles of Information Security, 4 th Edition 26
Understanding on Trade-Related Aspects of Intellectual Belongings Rights (cont'd. ) • Agreement covers 5 issues: – Application of basic principles of trading system and international intellectual property agreements – Giving adequate protection to intellectual holding rights – Enforcement of those rights by countries in their ain territories – Settling intellectual property disputes – Transitional arrangements while new system is being introduced Principles of Information Security, Fourth Edition 27
Digital Millennium Copyright Act (DMCA) • U. Due south. contribution to international effort to reduce touch on of copyright, trademark, and privacy infringement • A response to European Union Directive 95/46/EC, • Prohibits – Circumvention of protections and countermeasures – Manufacture and trafficking of devices used to circumvent such protections – Prohibits altering information fastened or imbedded in copyrighted material • Excludes ISPs from some copyright infringement Principles of Information Security, 4 thursday Edition 28
Ideals and Information Security • Many Professional person groups accept explicit rules governing ethical beliefs in the workplace • IT and It security do non have binding codes of ethics • Professional associations and certification agencies work to plant codes of ethics – Tin can prescribe ethical carry – Practise not e'er have the power to ban violators from practice in field Principles of Data Security, Fourth Edition 29
Principles of Information Security, 4 th Edition 30
Upstanding Differences Across Cultures • Cultural differences create difficulty in determining what is and is not ethical • Difficulties arise when i nationality'due south ethical beliefs conflicts with ideals of some other national group • Scenarios are grouped into: – Software License Infringement – Illicit Use – Misuse of Corporate Resources • Cultures have different views on the scenarios Principles of Information Security, 4 th Edition 31
Ethics and Education • Overriding factor in levelling ethical perceptions within a small population is education • Employees must exist trained in expected behaviors of an upstanding employee, especially in areas of information security • Proper ethical training is vital to creating informed, well prepared, and low-risk organization user Principles of Data Security, iv th Edition 32
Deterring Unethical and Illegal Behavior • Three general causes of unethical and illegal behavior: ignorance, accident, intent • Deterrence: all-time method for preventing an illegal or unethical activity; e. g. , laws, policies, technical controls • Laws and policies just deter if 3 conditions are nowadays: – Fear of penalty – Probability of existence caught – Probability of penalty being administered Principles of Information Security, iv th Edition 33
Codes of Ideals and Professional Organizations • Several professional organizations take established codes of conduct/ethics • Codes of ideals tin can have positive effect; unfortunately, many employers do not encourage joining these professional person organizations • Responsibleness of security professionals to deed ethically and co-ordinate to policies of employer, professional organization, and laws of society Principles of Information Security, four th Edition 34
Major It Professional person Organizations • Association of Calculating Machinery (ACM) – Established in 1947 every bit "the world'due south first educational and scientific calculating society" – Lawmaking of ethics contains references to protecting information confidentiality, causing no harm, protecting others' privacy, and respecting others' intellectual holding Principles of Data Security, four th Edition 35
Major IT Professional Organizations (cont'd. ) • International Information Systems Security Certification Consortium, Inc. (ISC)2 – Nonprofit system focusing on development and implementation of information security certifications and credentials – Lawmaking primarily designed for information security professionals who have certification from (ISC)two – Lawmaking of ethics focuses on four mandatory canons Principles of Information Security, 4 thursday Edition 36
Major IT Professional Organizations (cont'd. ) • System Administration, Networking, and Security Constitute (SANS) – Professional organization with a large membership dedicated to protection of information and systems – SANS offers gear up of certifications called Global Information Assurance Certification (GIAC) Principles of Information Security, 4 th Edition 37
Major IT Professional Organizations (cont'd. ) • Data Systems Audit and Command Clan (ISACA) – Professional clan with focus on auditing, control, and security – Concentrates on providing It control practices and standards – ISACA has code of ethics for its professionals Principles of Information Security, four th Edition 38
Major IT Professional Organizations (cont'd. ) • Information Systems Security Association (ISSA) – Nonprofit society of data security (IS) professionals – Primary mission to bring together qualified IS practitioners for information exchange and educational evolution – Promotes lawmaking of ethics similar to (ISC)2, ISACA, and ACM Principles of Information Security, 4 th Edition 39
Fundamental U. Southward. Federal Agencies • Department of Homeland Security (DHS) – Made up of v directorates, or divisions – Mission is to protect the people as well as the physical and advisory avails of the US • Federal Agency of Investigation'south National Infra. Gard Program – Maintains an intrusion alarm network – Maintains a secure Spider web site for communication about suspicious activeness or intrusions – Sponsors local affiliate activities – Operates a help desk for questions Principles of Information Security, 4 th Edition 40
Cardinal U. S. Federal Agencies (cont'd. ) • National Security Agency (NSA) – – Is the Nation'southward cryptologic organisation Protects United states information systems Produces foreign intelligence data Responsible for point intelligence and information arrangement security • U. S. Secret Service – In addition to protective services, charged with the detection and abort of persons committing a federal function relating to computer fraud or false identification Principles of Information Security, Fourth Edition 41
Summary • Laws: rules that mandate or prohibit certain behavior in society; drawn from ideals • Ethics: define socially acceptable behaviors; based on cultural mores (fixed moral attitudes or community of a detail group) • Types of law: ceremonious, criminal, private, public Principles of Information Security, four th Edition 42
Summary (cont'd. ) • Relevant U. South. laws: – Computer Fraud and Abuse Human activity of 1986 (CFA Act) – National Information Infrastructure Protection Act of 1996 – USA PATRIOT Act of 2001 – USA PATRIOT Comeback and Reauthorization Act – Reckoner Security Deed of 1987 – Championship eighteen, U. S. C. § 1028 Principles of Information Security, four th Edition 43
Summary (cont'd. ) • Many organizations have codes of conduct and/or codes of ethics • Organization increases liability if it refuses to take measures known every bit due intendance • Due diligence requires that organization make valid effort to protect others and continually maintain that effort Principles of Data Security, 4 th Edition 44
Source: https://slidetodoc.com/principles-of-information-security-fourth-edition-chapter-3/
0 Response to "Principles of Information Security 4th Edition Chapter 3 Review Questions"
แสดงความคิดเห็น