
UNIVERSITY OF CALOOCAN CITY

COLLEGE OF BUSINESS and ACCOUNTANCY

INFORMATION SECURITY & MANAGEMENT


PROFESSOR: DR. GEORGETTE CARPIO-BALAJADIA, CPA

LEARNING MODULE #: 1

WEEK: 2

TOPIC: LEGAL, ETHICAL AND PROFESSIONAL ISSUES IN INFORMATION SECURITY

LEARNING OBJECTIVES:

● Describe the functions of and relationships among laws, regulations, and professional organizations in information security.
● Identify major international and national laws that relate to the practice of information security.
● Understand the role of culture as it applies to ethics in information security.
● Identify issues relating to information security.

INTRODUCTION

As a future information security professional, you must understand the scope of an organization’s legal and ethical responsibilities. The information security professional plays an important role in an organization’s approach to managing liability for privacy and security risks. In the modern litigious societies of the world, laws are sometimes enforced in civil courts, where large damages can be awarded to plaintiffs who bring suits against organizations. Sometimes these damages are punitive—assessed as a deterrent. To minimize liability and reduce risks from electronic and physical threats, and to reduce all losses from legal action, information security practitioners must thoroughly understand the current legal environment, stay current with laws and regulations, and watch for new and emerging issues. By educating the management and employees of an organization on their legal and ethical obligations and the proper use of information technology and information security, security professionals can help keep an organization focused on its primary objectives. In the first part of this chapter, you learn about the legislation and regulations that affect the management of information in an organization. In the second part, you learn about the ethical issues related to information security, and about several professional organizations with established codes of ethics. Use this chapter both as a reference to the legal aspects of information security and as an aid in planning your professional career.

LAW AND ETHICS IN INFORMATION SECURITY

In general, people elect to trade some aspects of personal freedom for social order. As Jean-Jacques Rousseau explains in The Social Contract, or Principles of Political Right, the rules the members of a society create to balance the individual rights to self-determination against the needs of the society as a whole are called laws. Laws are rules that mandate or prohibit certain behavior; they are drawn from ethics, which define socially acceptable behaviors. The key difference between laws and ethics is that laws carry the authority of a governing body, and ethics do not. Ethics in turn are based on cultural mores: the fixed moral attitudes or customs of a particular group. Some ethical standards are universal. For example, murder, theft, assault, and arson are actions that deviate from ethical and legal codes throughout the world.

Organizational Liability and the Need for Counsel

What if an organization does not demand or even encourage strong ethical behavior from its employees? What if an organization does not behave ethically? Even if there is no breach of criminal law, there can still be liability. Liability is the legal obligation of an entity that extends beyond criminal or contract law; it includes the legal obligation to make restitution, or to compensate for wrongs committed. The bottom line is that if an employee, acting with or without the authorization of the employer, performs an illegal or unethical act that causes some degree of harm, the employer can be held financially liable for that action. An organization increases its liability if it refuses to take measures known as due care. Due care standards are met when an organization makes sure that every employee knows what is acceptable or unacceptable behavior, and knows the consequences of illegal or unethical actions. Due diligence requires that an organization make a valid effort to protect others and continually maintain this level of effort. Given the Internet’s global reach, those who could be injured or wronged by an organization’s employees could be anywhere in the world. Under the U.S. legal system, any court can assert its authority over an individual or organization if it can establish jurisdiction—that is, the court’s right to hear a case if a wrong is committed in its territory or involves its citizenry. This is sometimes referred to as long arm jurisdiction—the long arm of the law extending across the country or around the world to draw an accused individual into its court systems. Trying a case in the injured party’s home area is usually favorable to the injured party.

Policy Versus Law

Within an organization, information security professionals help maintain security via the establishment and enforcement of policies. These policies—guidelines that describe acceptable and unacceptable employee behaviors in the workplace—function as organizational laws, complete with penalties, judicial practices, and sanctions to require compliance. Because these policies function as laws, they must be crafted and implemented with the same care to ensure that they are complete, appropriate, and fairly applied to everyone in the workplace. The difference between a policy and a law, however, is that ignorance of a policy is an acceptable defense. Thus, for a policy to become enforceable, it must meet the following five criteria:

● Dissemination (distribution)—The organization must be able to demonstrate that the relevant policy has been made readily available for review by the employee. Common dissemination techniques include hard copy and electronic distribution.
● Review (reading)—The organization must be able to demonstrate that it disseminated the document in an intelligible form, including versions for illiterate, non-English reading, and reading-impaired employees. Common techniques include recordings of the policy in English and alternate languages.
● Comprehension (understanding)—The organization must be able to demonstrate that the employee understood the requirements and content of the policy. Common techniques include quizzes and other assessments.
● Compliance (agreement)—The organization must be able to demonstrate that the employee agreed to comply with the policy through act or affirmation. Common techniques include logon banners, which require a specific action (mouse click or keystroke) to acknowledge agreement, or a signed document clearly indicating the employee has read, understood, and agreed to comply with the policy.
● Uniform enforcement—The organization must be able to demonstrate that the policy has been uniformly enforced, regardless of employee status or assignment.

Only when all of these conditions are met can an organization penalize employees who violate the policy without fear of legal retribution.

THE MAIN SOURCES OF PHILIPPINE LAW ARE:

● THE CONSTITUTION - the fundamental and supreme law of the land.
● STATUTES - including Acts of Congress, municipal charters, municipal legislation, court rules, administrative rules and orders, legislative rules and presidential issuances.
● TREATIES AND CONVENTIONS - these have the same force of authority as statutes.
● JURISPRUDENCE - Art. 8 of the Civil Code provides that ‘judicial decisions applying to or interpreting the laws or the Constitution shall form a part of the legal system of the Philippines’. Only decisions of the Supreme Court establish jurisprudence and are binding on all other courts.

LAWS RELATED TO INFORMATION SECURITY IN THE PHILIPPINES

The Philippines has a growing and important business process management and health information technology industry. Total IT spending reached $4.4 billion in 2016, and the sector is expected to more than double by 2020. Filipinos are heavy social media users: 42.1 million are on Facebook, 13 million on Twitter, and 3.5 million on LinkedIn. The country is also in the process of enabling free public Wi-Fi. In the context of the rapid growth of the digital economy and the increasing international trade of data, the Philippines has strengthened its privacy and security protections.

In 2012 the Philippines passed the Data Privacy Act of 2012, comprehensive and strict privacy legislation “to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth.” (Republic Act No. 10173, Ch. 1, Sec. 2). This comprehensive privacy law also established a National Privacy Commission that enforces and oversees it and is endowed with rulemaking power. On September 9, 2016, the final implementing rules and regulations came into force, adding specificity to the Privacy Act.

DATA PRIVACY ACT 2012

SCOPE AND APPLICATION

The Data Privacy Act is broadly applicable to individuals and legal entities that process personal information, with some exceptions. The law has extraterritorial application: it applies not only to businesses with offices in the Philippines, but also to processing carried out with equipment based in the Philippines. The act further applies to the processing of the personal information of Philippine citizens regardless of where they reside.

One exception in the act provides that the law does not apply to the processing of personal information in the Philippines that was lawfully collected from residents of foreign jurisdictions — an exception helpful for Philippine companies that offer cloud services.

Approach

The Philippines law takes the approach that “The processing of personal data shall be allowed
subject to adherence to the principles of transparency, legitimate purpose, and
proportionality.”

Collection, processing, and consent

The act states that the collection of personal data “must be a declared, specified, and
legitimate purpose” and further provides that consent is required prior to the collection
of all personal data. It requires that when obtaining consent, the data subject be informed
about the extent and purpose of processing, and it specifically mentions the “automated
processing of his or her personal data for profiling, or processing for direct marketing, and
data sharing.” Consent is further required for sharing information with affiliates or even
mother companies.

Consent must be “freely given, specific, informed,” and the definition further requires that
consent to collection and processing be evidenced by recorded means. However, processing
does not always require consent.

Consent is not required for processing where the data subject is party to a contractual
agreement, for purposes of fulfilling that contract. The exceptions of compliance with a legal
obligation upon the data controller, protection of the vital interests of the data subject, and
response to a national emergency are also available.

An exception to consent is allowed where processing is necessary to pursue the legitimate interests of the data controller, except where overridden by the fundamental rights and freedoms of the data subject.

Required agreements

The law requires that when sharing data, the sharing be covered by an agreement that
provides adequate safeguards for the rights of data subjects, and that these agreements are
subject to review by the National Privacy Commission.

Sensitive Personal and Privileged Information

The law defines sensitive personal information as being:

● About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
● About an individual’s health, education, genetic or sexual life, or about any proceeding for any offense committed or alleged to have been committed;
● Issued by government agencies “peculiar” (unique) to an individual, such as a social security number;
● Marked as classified by executive order or act of Congress.

All processing of sensitive and personal information is prohibited except in certain circumstances. The exceptions are:

● Consent of the data subject;
● Pursuant to law that does not require consent;
● Necessity to protect the life and health of a person;
● Necessity for medical treatment;
● Necessity to protect the lawful rights of data subjects in court proceedings, legal proceedings, or regulation.

Surveillance

Interestingly, the Philippines law states that the country’s Human Security Act of 2007 (a
major anti-terrorism law that enables surveillance) must comply with the Privacy Act.

Privacy program required

The law requires that any entity involved in data processing and subject to the act must
develop, implement and review procedures for the collection of personal data, obtaining
consent, limiting processing to defined purposes, access management, providing recourse to
data subjects, and appropriate data retention policies. These requirements necessitate the
creation of a privacy program. Requirements for technical security safeguards in the act also
mandate that an entity have a security program.

Data subjects' rights

The law enumerates rights that are familiar to privacy professionals as related to the principles
of notice, choice, access, accuracy and integrity of data.

The Philippines law appears to contain a “right to be forgotten” in the form of a right to erasure
or blocking, where the data subject may order the removal of his or her personal data from
the filing system of the data controller. Exercising this right requires “substantial proof,” the
burden of producing which is placed on the data subject. This right is expressly limited by the
fact that continued publication may be justified by constitutional rights to freedom of speech,
expression and other rights.

Notably, the law provides a private right of action for damages for inaccurate, incomplete,
outdated, false, unlawfully obtained or unauthorized use of personal data.

A right to data portability is also provided.

Mandatory personal information breach notification

The law defines “security incident” and “personal data breach” separately, ensuring that the two are not confused. A “security incident” is an event or occurrence that affects or tends to affect data protection, or may compromise availability, integrity or confidentiality. This definition includes incidents that would have resulted in a personal data breach, if not for safeguards that have been put in place.

A “personal data breach,” on the other hand, is a subset of a security breach that actually leads to “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.”

Requirement to notify

The law further provides that not all “personal data breaches” require notification, and it sets out several bases for not notifying data subjects or the data protection authority. Section 38 of the IRRs provides the requirements for breach notification:

● The breached information must be sensitive personal information, or information that could be used for identity fraud, and
● There is a reasonable belief that unauthorized acquisition has occurred, and
● The risk to the data subject is real, and
● The potential harm is serious.

The law provides that the Commission may determine that notification to data subjects is
unwarranted after taking into account the entity’s compliance with the Privacy Act, and
whether the acquisition was in good faith.

Notification timeline and recipients

The law places a concurrent obligation to notify the National Privacy Commission as well as
affected data subjects within 72 hours of knowledge of, or reasonable belief by the data
controller of, a personal data breach that requires notification.

It is unclear at present whether the commission would allow a delay in notification of data
subjects to allow the commission to determine whether a notification is unwarranted. By the
law, this would appear to be a gamble.

Notification contents

The contents of the notification must at least:

● Describe the nature of the breach;
● The personal data possibly involved;
● The measures taken by the entity to address the breach;
● The measures taken to reduce the harm or negative consequences of the breach;
● The representatives of the personal information controller, including their contact details;
● Any assistance to be provided to the affected data subjects.

Penalties

The law provides separate penalties for various violations, most of which also include
imprisonment. Separate counts exist for unauthorized processing, processing for
unauthorized purposes, negligent access, improper disposal, unauthorized access or
intentional breach, concealment of breach involving sensitive personal information,
unauthorized disclosure, and malicious disclosure.

Latest jurisprudence on the right to privacy

In a July 24, 2012 decision, promulgated before the passage of RA 10173, the
Supreme Court reiterated its ruling in the landmark case of Morfe vs. Mutuc that
compelling state interest may yield to the right of privacy. However, the SC
declined to specifically rule on whether the sharing of information during
intelligence gathering is illegal pending the enactment of a data protection law.
It nonetheless cautioned investigating entities to observe strict confidentiality in
information sharing.

The Supreme Court also discussed the writ of habeas data, which is a remedy designed to protect the image, privacy, honor, information, and freedom of information of an individual. The writ, the Supreme Court said, is available to any person whose right to privacy is violated or threatened by an unlawful act or omission of a public official or employee, or of a private individual or entity engaged in gathering, collecting or storing of data information on the aggrieved party.

With the Data Privacy Act, aggrieved parties are given the option to seek relief not directly from the courts but from the National Privacy Commission, which can issue a temporary or permanent ban on the processing of personal information and compel any entity to abide by its orders.
Next week, we will discuss the implementation of RA 10173 and how companies
can comply with the provisions of the new law.

CYBERCRIME PREVENTION ACT OF 2012

The Cybercrime Prevention Act of 2012, officially recorded as Republic Act No. 10175,
is a law in the Philippines that was approved on September 12, 2012. It aims to address legal
issues concerning online interactions and the Internet in the Philippines. Among the
cybercrime offenses included in the bill are cybersquatting, cybersex, child
pornography, identity theft, illegal access to data and libel.
While hailed for penalizing illegal acts done via the Internet that were not covered by old laws,
the act has been criticized for its provision on criminalizing libel, which is perceived to be a
curtailment of the freedom of expression—"cyber authoritarianism". Its use against
journalists like Maria Ressa, of Rappler, has drawn international condemnation.
On October 9, 2012, the Supreme Court of the Philippines issued a temporary restraining
order, stopping implementation of the Act for 120 days, and extended it on 5 February 2013
"until further orders from the court."
On February 18, 2014, the Supreme Court upheld most of the sections of the law, including
the controversial cyberlibel component.

HISTORY
The Cybercrime Prevention Act of 2012 is one of the first laws in the Philippines that specifically criminalizes computer crime, which prior to the passage of the law had no strong legal precedent in Philippine jurisprudence. While laws such as the Electronic Commerce Act of 2000 (Republic Act No. 879) regulated certain computer-related activities, these laws did not provide a legal basis for criminalizing crimes committed on a computer in general: for example, Onel de Guzman, the computer programmer charged with purportedly writing the ILOVEYOU computer worm, was ultimately not prosecuted by Philippine authorities due to a lack of legal basis for him to be charged under existing Philippine laws at the time of his arrest.

The first draft of the law started in 2001 under the Legal and Regulatory Committee of the former Information Technology and eCommerce Council (ITECC), which is the forerunner of the Commission on Information and Communication Technology (CICT). It was headed by former Secretary Virgilio "Ver" Peña and the committee was chaired by Atty. Claro Parlade (+). It was an initiative of the Information Security and Privacy Sub-Committee chaired by Albert Dela Cruz, who was the President of PHCERT, together with then Anti-Computer Crime and Fraud Division Chief, Atty. Elfren Meneses of the NBI. The administrative and operational functions were provided by the Presidential Management Staff (PMS) acting as the CICT secretariat.
This was superseded by several cybercrime-related bills filed in the 14th and 15th Congress.
The Cybercrime Prevention Act ultimately was the product of House Bill No. 5808, authored
by Representative Susan Yap-Sulit of the second district of Tarlac and 36 other co-authors,
and Senate Bill No. 2796, proposed by Senator Edgardo Angara. Both bills were passed by
their respective chambers within one day of each other on June 5 and 4, 2012, respectively,
shortly after the impeachment of Renato Corona, and the final version of the Act was signed
into law by President Benigno Aquino III on September 12.

PROVISION
The Act, divided into 31 sections split across eight chapters, criminalizes several types of
offense, including illegal access (hacking), data interference, device misuse, cybersquatting,
computer-related offenses such as computer fraud, content-related offenses such
as cybersex and spam, and other offenses. The law also reaffirms existing laws against child
pornography, an offense under Republic Act No. 9775 (the Anti-Child Pornography Act of
2009), and libel, an offense under Section 355 of the Revised Penal Code of the Philippines,
also criminalizing them when committed using a computer system. Finally, the Act includes a "catch-all" clause, making all offenses currently punishable under the Revised Penal Code also punishable under the Act when committed using a computer, with more severe penalties than provided by the Revised Penal Code alone.
The Act has universal jurisdiction: its provisions apply to all Filipino nationals regardless of
the place of commission. Jurisdiction also lies when a punishable act is either committed
within the Philippines, whether the erring device is wholly or partly situated in the Philippines,
or whether damage was done to any natural or juridical person who at the time of commission
was within the Philippines. Regional Trial Courts shall have jurisdiction over cases involving
violations of the Act.
A takedown clause is included in the Act, empowering the Department of Justice to restrict
and/or demand the removal of content found to be contrary to the provisions of the Act,
without the need for a court order. This provision, originally not included in earlier iterations
of the Act as it was being deliberated through Congress, was inserted
during Senate deliberations on May 31, 2012. Complementary to the takedown clause is a
clause mandating the retention of data on computer servers for six months after the date of
transaction, which may be extended for another six months should law enforcement
authorities request it.
The Act also mandates the National Bureau of Investigation and the Philippine National
Police to organize a cybercrime unit, staffed by special investigators whose responsibility will
be to exclusively handle cases pertaining to violations of the Act, under the supervision of the
Department of Justice. The unit is empowered to, among others, collect real-time traffic data
from Internet service providers with due cause, require the disclosure of computer data within
72 hours after receipt of a court warrant from a service provider, and conduct searches and
seizures of computer data and equipment.

COPYRIGHT LAW OF THE PHILIPPINES

A copyright is the legal protection extended to the owner of the rights in an original work. Original work refers to every production in the literary, scientific, and artistic domains. The Intellectual Property Office (IPOPHL) is the leading agency responsible for handling the registration and conflict resolution of intellectual property rights and for enforcing the copyright laws. IPOPHL was created by virtue of Republic Act No. 8293, or the Intellectual Property Code of the Philippines, which took effect on January 1, 1998, under the presidency of Fidel V. Ramos.

In the Intellectual Property (IP) Code of the Philippines, literary and artistic works include books, writings, musical works, films, paintings, and other works including computer programs.

Works are protected from the sole fact of their creation, regardless of their mode or form of expression, their content, the quality of that content, and their purpose.

Works Covered

Works covered by the copyright law are (1) literary and artistic works and (2) derivative
works. On the other hand, works not protected by the copyright law are (1) unprotected
subject matter and (2) works of the government.

Ownership

According to Sections 178 and 179 of Republic Act 8293, copyright ownership is governed by the following rules:
● Copyright shall belong to the author of the work for original literary and artistic works.
● For works with joint ownership, all the authors will be recognized as original owners. In the absence of agreement, their rights shall fall under the rules of co-ownership. In the case of works in which the part created by each author can be identified, the author of each part shall be considered the owner of the copyright in that respective part.
● For works created during the course of an author's employment, copyright ownership is as follows:
  o If the work is not a part of the regular duties of the author, the employee shall get the copyright even if he/she used the time, facilities, and materials of the employer.
  o If the work is an output of the author's regularly assigned duties, the employer shall get the copyright unless there is an agreement to the contrary.
● For works created in pursuance of a commission to the author by a person other than his/her employer, ownership of the work shall be granted to the person who commissioned it, but the copyright shall remain with the creator, unless there is an agreement to the contrary.
● For audiovisual works, the copyright shall belong to the producer, the author of the scenario, the composer of the music, the film director, and the author of the work adapted. However, the producer shall exercise copyright only up to what is required for the exhibition of the work, except for the right to collect performing license fees for the performance of the compositions incorporated into the work.
● For letters, the copyright shall belong to the writer subject to Article 723 of the Civil Code.
● For anonymous works and works under a pseudonym, the publisher shall represent the author, who is either anonymous or under a pseudonym, unless the contrary appears or the author discloses his/her identity.

Types of Rights under the Law of Copyright

These are the rights that authors are entitled to according to the law of copyright, under Part IV of R.A. 8293, or the Intellectual Property Code of the Philippines.

Economic Rights
These allow a creator to ask for or obtain payment for the use of his or her work by third parties. According to Section 177 of the Law of Copyright, these rights consist of the right to allow, impede, or carry out the following by the author:
● Replication of the work, or a portion of the work
● Transformation or dramatization of the original work
● The first public distribution of the original work and each copy of the work
● Rental of the original work, or copy of the work embodied in any form, including audiovisuals, cinematography, sound recordings, computer programming, or graphic work, regardless of ownership of the original work
● Public display of the original or copy of the work
● Public performance of the work
● Other communication of the work to the public

Moral Rights
These rights allow the author of the work to maintain his or her personal connection to the work, and to undertake measures in order to protect this connection. The author of the work, independent of the economic rights, also has the right:
● To require that the authorship of the work be attributed to him or her, meaning that the author may require that his or her name be displayed in a prominent fashion on a copy or public distribution or use of the work
● To make any transformation or adjustment to the work, or withhold it from publication
● To oppose any and all mutilation or any other derogatory action to the work which could potentially be detrimental to the author's honor and reputation
● To refuse the use of the author's name on any mutilated or distorted version of his work, or on any work not of his own creation

Exceptions to moral rights

● Under Section 195 of the Law on Copyright, an author may waive his moral rights through a written contract. However, this contract is deemed invalid if it allows third parties to do the following:
  o Make use of the author's name, the title of the work, or the author's reputation, in any version or adaptation of the work which could harm or be detrimental to the artistic reputation of another author
  o Make use of an author's name for a piece of work not of his own creation
● The right of an author to have his contribution to a collective work credited to his name is deemed waived. A collective work here is defined as a work created by two or more persons under the understanding that the work will be attributed to the person under whose direction it was made. It is also understood that the contributing natural persons will not be identified.
● If an author licenses or permits a third party to make use of his or her work, any necessary transformation, such as arranging, editing, or adapting the work for use in publications, broadcast, or motion pictures, in accordance with the standards of the medium in which the work is to be used, shall not be found contrary to the author's rights. In addition, the destruction of a work unconditionally and completely transferred by an author shall likewise not be found in violation of the author's rights.

Resale rights
The author and his or her heirs have the inalienable right to partake of 5% of the proceeds of
the sale or lease of his or her original work (painting, sculpture, manuscript, composition).
This inalienable right is in effect during the lifetime of the author, and for fifty years after his
or her death.

Related rights
Related rights are the rights of those whose help the author avails of in order to assist him in
producing his work and distributing this work to the public. These rights are also referred to
as "neighboring rights" and include the following:
● Rights of performers
● Rights of producers of sound recordings
● Rights of broadcasting organizations

Infringement

Acts constituting infringement

Section 216 of Republic Act No. 10372 states that a person infringes a right protected under
this Act when one:
● Directly commits an infringement against copyright;
● Benefits from the infringing activity of another person who commits an infringement if
the person benefiting has been given notice of the infringing activity and has the right
and ability to control the activities of the other person;
● With knowledge of infringing activity, induces, causes or materially contributes to the
infringing conduct of another.

Liabilities of infringement

Any person found infringing rights protected under RA 10372 shall be liable:
● To pay the copyright owner actual damages, legal costs, and other expenses that may
have been incurred due to the infringement, as well as profits earned by the infringement.
Instead of recovering actual damages and profits, the copyright owner may file instead for an
award of statutory damages for all infringements involved of not less than Fifty thousand
pesos (Php 50,000.00). The court may consider the following factors in awarding statutory
damages:
● The nature and purpose of the infringing act;
● The flagrancy of the infringement;
● Whether the defendant acted in bad faith;
● The need for deterrence;
● Any loss that the plaintiff has suffered or is likely to suffer by reason of the
infringement; and
● Any benefit shown to have accrued to the defendant by reason of the infringement.

Limitations

The following acts shall not constitute infringement of copyright:

● The recitation or performance of a work, if it had been made accessible to the public,
and if done in private and free of charge. Performance of a work done under a
charitable or religious institution shall also fall under this.
● The quotation of published works if they are compatible with fair use and only to an
extent. This includes quotations from newspaper articles and periodicals provided that
the source and the name of the author, if available, are mentioned.
● The reproduction of articles or communication by the mass media on current political,
social, economic, scientific, or religious topics, lectures, addresses, and other works of
the same nature, which are delivered in public and will only be used for information
purposes.
● The reproduction and communication to the public of literary, scientific, or artistic
works for reporting current events.
● The inclusion of a work in a publication, broadcast, or other form of communication,
if it will be used as an aid in teaching and if it is compatible with fair use. Also, the source
and the name of the author shall be mentioned.
● The recording of a work made in educational institutions for the use of that educational
institution. In accordance with this, the recording should be deleted after the first
broadcast. Also, the said recording should not be from works which are part of a film,
except for brief excerpts of the work.
● The making of recordings by a broadcast organization for its own broadcasting
purposes.
● The use of a work under the direction or control of the government or other institutions
for the purpose of informing the public. It must also be compatible with fair use.
● The public performance of a work in a place without admission fee and for other
purposes that do not include profit-making.
● The public display of a work not made on screen or by other devices.
● The use of a work for judicial proceedings or for legal advice.

The provisions under this shall not be interpreted in a way that would exploit the works or
harm the interests of the right holder.

Fair use

Fair use, in its most general sense, is the act of copying copyrighted materials for
purposes such as commenting on, criticizing, or parodying a copyrighted work without the
permission of the copyright owner. It is used as a defense against a claim of copyright infringement.

Factors in determining fair use

Under fair use, the use of a copyrighted work for purposes of criticism, comment, news
reporting, teaching, research, and other similar purposes is not an infringement of
copyright. In determining whether a particular use qualifies as fair use, the following factors should
be considered:
● The purpose of the use, including whether it is of a commercial nature or for non-profit purposes
● The nature of the copyrighted work
● The amount and substantiality of the portion used in relation to the copyrighted work
as a whole
● The effect of the use on the value of the copyrighted work

List of reproductions allowed

Given the rules and regulations about copyright mentioned above, reproduction of different
materials without the permission of the author is still allowed, provided it is done for
reasons allowed by the Intellectual Property Code of the Philippines. Provided here are the
reproductions and purposes allowed by the law.

Reproduction of published work

Under Subsection 187.1 of the Intellectual Property Code of the Philippines, the reproduction
of a published work shall be permitted without the owner's authorization given that the
reproduction was made for research purposes. The permission granted here shall not extend
to:
● A work of architecture in the form of a building or other construction
● An entire or a substantial part of a book or of a musical work
● A compilation of data and other materials
● A computer program, except those stated in Section 189
● Any reproduction that would exploit the work

Reprographic reproduction by libraries

Any library or archive with non-profit purposes may make a single copy of a work without
the authorization of the author, given that:
● The work cannot be lent to users in its original form
● The works are isolated articles contained in composite works or portions of other
published works and the reproduction can supply them
● The making of a copy is for the purpose of preserving or replacing the original in
situations where it is destroyed or lost

Reproduction of computer program

The reproduction of one back-up copy of a computer program shall be allowed without the
permission of the copyright owner, given that the reproduction is for the following uses:
● The use of the computer program in the computer on which it will be run
● To create a copy of the original computer program so that a replacement is available if
the original copy is lost or destroyed

Notable cases

La Concepcion College vs. Catabijan

Author and publisher Raymund Sta. Maria Catabijan was awarded 608,450.00 pesos in damages
from La Concepcion College, which he claimed directly copied his workbooks in order to sell them
to students. La Concepcion College was found guilty of copyright infringement by the
Intellectual Property Office of the Philippines (IPOPHL). The non-sectarian school was hence
banned from publishing, selling and distributing copies of Mr. Catabijan's works.

ABS-CBN vs. Willing Willie

ABS-CBN demanded 127 million pesos from their former reality show star, Willie Revillame,
citing copyright infringement due to stark similarities between Revillame's show, Willing Willie, and
ABS-CBN's Wowowee. ABS-CBN listed 5 acts of plagiarism allegedly committed by Willing
Willie in their complaint, as follows:
1. Willing Willie's opening song and dance number was similar to that of Wowowee's
2. “BIGA-Ten” and “Big Time Ka,” both segments from the shows involved, bear similar
names.
3. “Willie of Fortune” and “Willtime Bigtime” are segments from both shows which
resemble each other. ABS-CBN claimed that Willtime Bigtime resembled its show as it
also showcases contestants relaying their personal stories before proceeding to play a
singing/trivia game.
4. April “Congratulations” Gustilo is one of several backup dancers from Wowowee who
also appear in Willing Willie.
5. Other striking similarities ABS-CBN claimed are found in Willing Willie's set design,
stage, studio viewers' seats lay-out, lighting angles and camera angles.
A 25-page ruling later on dated May 22, 2015 junked the case against Revillame, declaring it
moot. After the Quezon City RTC demanded a 400 million peso bond from Revillame to answer
any further damage the network might sustain, it was later discharged. Revillame signed a
contract with GMA network two days prior to the ruling, to work on a new show entitled,
“Wowowin."

Dating show alleged copyright infringement

BJ Productions, Inc. (BJPI) produced a dating game show, Rhoda and Me, which aired from 1970 to
1977. On July 14, 1991, Francisco Joaquin, Jr., president of BJPI, saw on RPN Channel 9 an
episode of It's a Date, produced by IXL Productions, Inc. (IXL), with a format similar to that of his dating
show. Joaquin filed a case against IXL Productions, headed by Gabriel Zosa, and RPN 9 before the
Regional Trial Court of Quezon City. Meanwhile, Zosa sought a review of the resolution of the
Assistant City Prosecutor before Secretary of Justice Franklin Drilon. On August 12, 1992,
Drilon reversed the Assistant City Prosecutor's findings and directed him to move for the
dismissal of the case against the private respondents. Joaquin filed a motion for reconsideration,
but his motion was denied by Drilon on December 3, 1992.

The Supreme Court ruled on January 28, 1999 that the format or mechanics of a television
show is not included in the list of protected works provided by Presidential Decree No. 49
and Republic Act No. 8293. It further stated that copyright, in the strict sense of the term, is
purely a statutory right and does not extend to an idea, procedure, process, system, method
or operation, concept, principle or discovery, regardless of the form in which it is described,
explained, illustrated or embodied in the work.

Pearl & Dean Philippines vs. Shoemart

Pearl and Dean Philippines is a corporation engaged in the manufacture of advertising display
units simply referred to as light boxes. In 1985, Pearl and Dean negotiated with Shoemart,
Inc. (now SM Prime Holdings) for the lease and installation of the light boxes in SM Makati
and SM Cubao. Only the SM Makati contract was signed, and it was later rescinded by Pearl and Dean due to non-
performance of its terms. Years later, Pearl and Dean found out that exact copies of its light
boxes were installed at different SM stores. It was further discovered that SM's sister company,
North Edsa Marketing Inc. (NEMI), sold advertising space in lighted display units located in
SM's different branches.

Pearl and Dean filed this case for infringement of trademark and copyright, unfair
competition and damages. SM on its part maintained that it independently developed its
poster panels using commonly known techniques and available technology, without notice of
or reference to Pearl and Dean's copyright. The Makati Regional Trial Court decided in favor of
Pearl and Dean, finding SM and NEMI jointly and severally liable for infringement of copyright
and infringement of trademark. On appeal, however, the Court of Appeals reversed the trial
court. On August 15, 2003, the Supreme Court upheld the Court of Appeals' decision, stating
that Pearl and Dean never secured a patent for the light boxes and that its copyright covered only
its technical drawings, within the category of "pictorial illustrations." It applied the similar
ruling of G.R. No. 108946 (Joaquin, Jr. v. Drilon).

2016 ruling requiring evidence over suspicion

In G.R. No. 195835, penned March 14, 2016, the Supreme Court ruled that for a claim of
copyright infringement to prevail, the evidence on record must demonstrate: (1) ownership
of a validly copyrighted material by the complainant; and (2) infringement of the copyright
by the respondent. It further stated that probable cause is not imputable against the
respondent.
The ruling stemmed from a dispute between LEC Steel Manufacturing Corporation and
Metrotech Steel Industries, where the former accused the latter of infringing its intellectual
property rights. LEC failed to substantiate the alleged reproduction of the
drawings/sketches of hatch doors it had copyrighted and had no proof that Metrotech reprinted
the copyrighted sketches/drawings of LEC's hatch doors. The raid conducted by the NBI on
Metrotech's premises yielded no copies or reproductions of LEC's copyrighted
sketches/drawings of hatch doors. What were discovered instead were finished and unfinished
hatch doors.

Privacy

Privacy has become one of the hottest topics in information security at the beginning of the
21st century. Many organizations are collecting, swapping, and selling personal information
as a commodity, and many people are looking to governments for protection of their privacy.
The ability to collect information, combine facts from separate sources, and merge it all with
other information has resulted in databases of information that were previously impossible to
set up. One technology that was proposed in the past was intended to monitor or track private
communications. Known as the Clipper Chip, it used an algorithm with a two-part key that
was to be managed by two separate government agencies, and it was reportedly designed to
protect individual communications while allowing the government to decrypt suspect
transmissions. This technology was the focus of discussion between advocates for personal
privacy and those seeking to enable more effective law enforcement. Consequently, this
technology was never implemented by the U.S. government. In response to the pressure for
privacy protection, the number of statutes addressing an individual’s right to privacy has
grown. It must be understood, however, that privacy in this context is not absolute freedom
from observation, but rather is a more precise “state of being free from unsanctioned
intrusion.” To help you better understand this rapidly evolving issue, some of the more
relevant privacy laws are presented here.

Top 20 Government-imposed Data Privacy Fines and Penalties Worldwide, 1999-2014 **

Rank  Fined entity                       Amount of fines  Year       Country  Privacy principles violated
1     Apple                              $32.5M           2014       U.S.     Choice and Consent
2     Google                             $22.5M           2012       U.S.     Collection
3     Google                             $17M             2013       U.S.     Collection and Notice
4     ChoicePoint                        $15M             2006       U.S.     Security
5     Hewlett-Packard                    $14.5M           2006       U.S.     Collection
6     LifeLock                           $12M             2010       U.S.     Accuracy, Security
7     TJ Maxx                            $9.8M            2009       U.S.     Security
8     Dish Network                       $6M              2009       U.S.     Choice and Consent
9     DirecTV                            $5.3M            2005       U.S.     Choice and Consent
10    HSBC                               $5M              2009       UK       Security
11    US Bancorp                         $5M              1999-2000  U.S.     Disclosure
12    Craftmatic                         $4.3             2007       U.S.     Choice and Consent
13    Cignet Health                      $4.3M            2011       U.S.     Access
14    Barclays Bank                      $3.8M            2013       U.S.     Use and Retention
15    Certegy Check Services             $3.5M            2013       U.S.     Accuracy
16    Playdom                            $3M              2011       U.S.     Collection and Notice
17    The Broadcast Team                 $2.8M            2007       U.S.     Collection
18    Equifax, TransUnion and Experian   $2.5M            2000       U.S.     Access
19    CVS Caremark                       $2.3M            2009       U.S.     Security and Disposal
20    Norwich Union Life                 $1.8M            2007       UK       Disclosure

**SOURCE IAPP 17 FEB 2014

International Laws and Legal Bodies

It is important for IT professionals and information security practitioners to realize that when
their organizations do business on the Internet, they do business globally. As a result, these
professionals must be sensitive to the laws and ethical values of many different cultures,
societies, and countries. While it may be impossible to please all of the people all of the time,
dealing with the laws of other states and nations is one area where it is certainly not easier
to ask for forgiveness than for permission.

A number of different security bodies and laws are described in this section. Because of the
political complexities of the relationships among nations and the differences in culture, there
are currently few international laws relating to privacy and information security. The laws
discussed below are important, but are limited in their enforceability.

Council of Europe Convention on Cybercrime

The Council of Europe adopted the Convention on Cybercrime in 2001. It created an
international task force to oversee a range of security functions associated with Internet
activities for standardized technology laws across international borders. It also attempts to
improve the effectiveness of international investigations into breaches of technology law. This
convention has been well received by advocates of intellectual property rights because it
emphasizes prosecution for copyright infringement.

While thirty-four countries attended the signing in November 2001, only twenty-nine nations,
including the United States, have ratified the Convention as of April 2010. The United States
is technically not a “member state of the council of Europe” but does participate in the
Convention. As is true with much complex international legislation, the Convention on
Cybercrime lacks any realistic provisions for enforcement. The overall goal of the convention
is to simplify the acquisition of information for law enforcement agencies in certain types of
international crimes. It also simplifies the extradition process. The convention has more than
its share of skeptics, who see it as an overly simplistic attempt to control a complex problem.

Agreement on Trade-Related Aspects of Intellectual Property Rights

The Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS), created by
the World Trade Organization (WTO) and negotiated over the years 1986–1994, introduced
intellectual property rules into the multilateral trade system. It is the first significant
international effort to protect intellectual property rights. It outlines requirements for
governmental oversight and legislation of WTO member countries to provide minimum levels
of protection for intellectual property. The WTO TRIPS agreement covers five issues:
● How basic principles of the trading system and other international intellectual
property agreements should be applied
● How to give adequate protection to intellectual property rights
● How countries should enforce those rights adequately in their own territories
● How to settle disputes on intellectual property between members of the WTO
● Special transitional arrangements during the period when the new system is being
introduced

Digital Millennium Copyright Act (DMCA)

The Digital Millennium Copyright Act (DMCA) is the American contribution to an international
effort by the World Intellectual Properties Organization (WIPO) to reduce the impact of
copyright, trademark, and privacy infringement, especially when accomplished via the
removal of technological copyright protection measures. This law was created in response to
the 1995 adoption of Directive 95/46/EC by the European Union, which added protection for
individuals with regard to the processing of personal data and the use and movement of such
data. The United Kingdom has implemented a version of this law called the Database Right,
in order to comply with Directive 95/46/EC. The DMCA includes the following provisions:
● Prohibits the circumvention of protections and countermeasures implemented by
copyright owners to control access to protected content
● Prohibits the manufacture of devices to circumvent protections and countermeasures
that control access to protected content
● Bans trafficking in devices manufactured to circumvent protections and
countermeasures that control access to protected content
● Prohibits the altering of information attached to or embedded in copyrighted material
● Excludes Internet service providers from certain forms of contributory copyright
infringement

Ethics and Information Security

Many professional groups have explicit rules governing ethical behavior in the workplace. For
example, doctors and lawyers who commit egregious violations of their professions' canons
of conduct can be removed from practice. Unlike the medical and legal fields, however, the
information technology field in general, and the information security field in particular, do not
have a binding code of ethics. Instead, professional associations—such as the Association for
Computing Machinery (ACM) and the Information Systems Security Association—and
certification agencies—such as the International Information Systems Security Certification
Consortium, Inc., or (ISC)²—work to establish the profession's ethical codes of conduct. While
these professional organizations can prescribe ethical conduct, they do not always have the
authority to banish violators from practicing their trade. To begin exploring some of the ethical
issues particular to information security, take a look at the Ten Commandments of Computer
Ethics in the nearby Offline.

The TEN COMMANDMENTS OF COMPUTER ETHICS

From The Computer Ethics Institute

1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people's computer work.
3. Thou shalt not snoop around in other people’s computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people’s computer resources without authorization or proper
compensation.
8. Thou shalt not appropriate other people’s intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the
system you are designing.
10. Thou shalt always use a computer in ways that ensure consideration and respect for your
fellow humans.

Ethical Differences Across Cultures

Cultural differences can make it difficult to determine what is and is not ethical—especially
when it comes to the use of computers. Studies on ethics and computer use reveal that people
of different nationalities have different perspectives; difficulties arise when one nationality's
ethical behavior violates the ethics of another national group. For example, to Western
cultures, many of the ways in which Asian cultures use computer technology constitute software
piracy. This ethical conflict arises out of Asian traditions of collective ownership, which clash
with the protection of intellectual property. Approximately 90 percent of all software is created
in the United States. Some countries are more relaxed with intellectual property copy
restrictions than others.

A study published in 1999 examined computer use ethics of eight nations: Singapore, Hong
Kong, the United States, England, Australia, Sweden, Wales, and the Netherlands. This study
selected a number of computer-use vignettes (see the Offline titled The Use of Scenarios in
Computer Ethics Studies) and presented them to students in universities in these eight
nations. This study did not categorize or classify the responses as ethical or unethical. Instead,
the responses only indicated a degree of ethical sensitivity or knowledge about the
performance of the individuals in the short case studies. The scenarios were grouped into
three categories of ethical computer use: software license infringement, illicit use, and misuse
of corporate resources.
Software License Infringement

The topic of software license infringement, or piracy, is routinely covered by the popular press.
Among study participants, attitudes toward piracy were generally similar; however,
participants from the United States and the Netherlands showed statistically significant
differences in attitudes from the overall group. Participants from the United States were
significantly less tolerant of piracy, while those from the Netherlands were significantly more
permissive. Although other studies have reported that the Pacific Rim countries of Singapore
and Hong Kong are hotbeds of software piracy, this study found tolerance for copyright
infringement in those countries to be moderate, as were attitudes in England, Wales,
Australia, and Sweden. This could mean that the individuals surveyed understood what
software license infringement was, but felt either that their use was not piracy, or that their
society permitted this piracy in some way. Peer pressure, the lack of legal disincentives, the
lack of punitive measures, and a number of other reasons could explain why users in these
alleged piracy centers disregarded intellectual property laws despite their professed attitudes
toward them. Even though participants from the Netherlands displayed a more permissive
attitude toward piracy, that country only ranked third in piracy rates among the nations surveyed
in this study.

Illicit Use

The study respondents unilaterally condemned viruses, hacking, and other forms of system
abuse. There were, however, different degrees of tolerance for such activities among the
groups. Students from Singapore and Hong Kong proved to be significantly more tolerant
than those from the United States, Wales, England, and Australia. Students from Sweden and
the Netherlands were also significantly more tolerant than those from Wales and Australia,
but significantly less tolerant than those from Hong Kong. The low overall degree of tolerance
for illicit system use may be a function of the easy correspondence between the common
crimes of breaking and entering, trespassing, theft, and destruction of property and their
computer-related counterparts.

Misuse of Corporate Resources

The scenarios used to examine the levels of tolerance for misuse of corporate resources each
presented a different degree of noncompany use of corporate assets without specifying the
company's policy on personal use of company resources. In general, individuals displayed a
rather lenient view of personal use of company equipment. Only students from Singapore and
Hong Kong viewed personal use of company equipment as unethical. There were several
substantial differences in this category, with students from the Netherlands revealing the
most lenient views. With the exception of those from Singapore and Hong Kong, it is apparent
that many people, regardless of cultural background, believe that unless an organization
explicitly forbids personal use of its computing resources, such use is acceptable. It is
interesting to note that only participants in the two Asian samples, Singapore and Hong
Kong, reported generally intolerant attitudes toward personal use of organizational computing
resources. The reasons behind this are unknown.

Ethics and Education

Attitudes toward the ethics of computer use are affected by many factors other than
nationality. Differences are found among individuals within the same country, within the same
social class, and within the same company. Key studies reveal that the overriding factor in
leveling the ethical perceptions within a small population is education. Employees must be
trained and kept aware of a number of topics related to information security, not the least of
which are the expected behaviors of an ethical employee. This is especially important in
information security, as many employees may not have the formal technical training to
understand that their behavior is unethical or even illegal. Proper ethical and legal training is
vital to creating an informed, well-prepared, and low-risk system user.

Deterring Unethical and Illegal Behavior

There are three general causes of unethical and illegal behavior:

● Ignorance—Ignorance of the law is no excuse; however, ignorance of policy and procedures
is. The first method of deterrence is education. This is accomplished by means of designing,
publishing, and disseminating organization policies and relevant laws, and also obtaining
agreement to comply with these policies and laws from all members of the organization.
Reminders, training, and awareness programs keep the policy information in front of the
individual and thus better support retention and compliance.
● Accident—Individuals with authorization and privileges to manage information within the
organization are most likely to cause harm or damage by accident. Careful planning and
control helps prevent accidental modification to systems and data.
● Intent—Criminal or unethical intent goes to the state of mind of the person performing the
act; it is often necessary to establish criminal intent to successfully prosecute offenders.
Protecting a system against those with intent to cause harm or damage is best accomplished
by means of technical controls, and vigorous litigation or prosecution if these controls fail.
Whatever the cause of illegal, immoral, or unethical behavior, one thing is certain: it is the
responsibility of information security personnel to do everything in their power to deter these
acts and to use policy, education and training, and technology to protect information and
systems. Many security professionals understand the technology aspect of protection but
underestimate the value of policy. However, laws and policies and their associated penalties
only deter if three conditions are present:
● Fear of penalty—Potential offenders must fear the penalty. Threats of informal reprimand
or verbal warnings may not have the same impact as the threat of imprisonment or forfeiture
of pay.
● Probability of being caught—Potential offenders must believe there is a strong possibility of
being caught. Penalties will not deter illegal or unethical behavior unless there is reasonable
fear of being caught.
● Probability of penalty being administered—Potential offenders must believe that the penalty
will in fact be administered.

Codes of Ethics and Professional Organizations

A number of professional organizations have established codes of conduct or codes of ethics
that members are expected to follow. Codes of ethics can have a positive effect on people's
judgment regarding computer use. Unfortunately, many employers do not encourage their
employees to join these professional organizations. But employees who have earned some
level of certification or professional accreditation can be deterred from ethical lapses by the
threat of loss of accreditation or certification due to a violation of a code of conduct. Loss of
certification or accreditation can dramatically reduce marketability and earning power. It is
the responsibility of security professionals to act ethically and according to the policies and
procedures of their employers, their professional organizations, and the laws of society. It is
likewise the organization's responsibility to develop, disseminate, and enforce its policies.
Following is a discussion of professional organizations and where they fit into the ethical
landscape. The table below provides an overview of these organizations. Many of these
organizations offer certification programs that require the applicants to subscribe formally to
the ethical codes.

Major IT Professional Organizations

Many of the major IT professional organizations maintain their own codes of ethics. The
Association of Computing Machinery (ACM) (www.acm.org) is a respected professional society
that was established in 1947 as “the world’s first educational and scientific computing society.”
It is one of the few organizations that strongly promotes education and provides discounts for
student members. The ACM’s code of ethics requires members to perform their duties in a
manner befitting an ethical computing professional. The code contains specific references to
protecting the confidentiality of information, causing no harm (with specific references to
viruses), protecting the privacy of others, and respecting the intellectual property and
copyrights of others. The ACM also publishes a wide variety of professional computing
publications, including the highly regarded Communications of the ACM.

The International Information Systems Security Certification Consortium, Inc. (ISC)²
(www.isc2.org) is a nonprofit organization that focuses on the development and
implementation of information security certifications and credentials. The (ISC)² manages a
body of knowledge on information security and administers and evaluates examinations for
information security certifications. The code of ethics put forth by (ISC)² is primarily designed
for information security professionals who have earned an (ISC)² certification, and has four
mandatory canons: “Protect society, the commonwealth, and the infrastructure; act
honorably, honestly, justly, responsibly, and legally; provide diligent and competent service
to principals; and advance and protect the profession.” This code enables (ISC)² to promote
reliance on the ethicality and trustworthiness of the information security professional as the
guardian of information and systems.

The System Administration, Networking, and Security Institute (SANS)
(www.sans.org), which was founded in 1989, is a professional research and education
cooperative organization with a current membership of more than 156,000 security
professionals, auditors, system administrators, and network administrators. SANS offers a set
of certifications called the Global Information Assurance Certification, or GIAC. All GIAC-
certified professionals are required to acknowledge that certification and the privileges that
come from it carry a corresponding obligation to uphold the GIAC Code of Ethics. Those
certificate holders that do not conform to this code face punishment, and may lose GIAC
certification.

The Information Systems Audit and Control Association (ISACA) (www.isaca.org) is a
professional association that focuses on auditing, control, and security. The membership
comprises both technical and managerial professionals. ISACA provides IT control practices
and standards, and although it does not focus exclusively on information security, it does
include many information security components within its areas of concentration. ISACA also
has a code of ethics for its professionals, and it requires many of the same high standards for
ethical performance as the other organizations and certifications.

The Information Systems Security Association (ISSA) (www.issa.org) is a nonprofit
society of information security professionals. As a professional association, its primary mission
is to bring together qualified information security practitioners for information exchange and
educational development. ISSA provides a number of scheduled conferences, meetings,
publications, and information resources to promote information security awareness and
education. ISSA also promotes a code of ethics, similar in content to those of (ISC)², ISACA,
and the ACM, whose focus is “promoting management practices that will ensure the
confidentiality, integrity, and availability of organizational information resources.”


WEEK 2 ACTIVITY:

REFLECTIVE JOURNAL

QUESTION: Do cultural differences affect the ethical standards of Information Security
Management? Explain further.

THANK YOU & STAY SAFE!


GCB
