Cle Unit-Iii


UNIT-III

Legal, Ethical and Professional Issues in Information Security
Introduction

As a future information security professional, you must understand the scope of an
organization’s legal and ethical responsibilities. The information security professional plays an
important role in an organization’s approach to managing liability for privacy and security risks.
In the modern litigious societies of the world, sometimes laws are enforced in civil courts, where
large damages can be awarded to plaintiffs who bring suits against organizations. Sometimes
these damages are assessed as a deterrent.

To minimize liability and reduce risks from electronic and physical threats, and to reduce all
losses from legal action, information security practitioners must thoroughly understand the
current legal environment, stay current with laws and regulations, and watch for new and
emerging issues. By educating the management and employees of an organization on their legal
and ethical obligations and the proper use of information technology and information security,
security professionals can help keep an organization focused on its primary objectives.

Law and Ethics in Information Security

Laws: Laws are rules that mandate or prohibit certain behavior; they are drawn from ethics, which
define socially acceptable behaviors. The key difference between laws and ethics is that laws carry the
authority of a governing body, and ethics do not.

Ethics: Ethics in turn are based on cultural mores: the fixed moral attitudes or customs
of a particular group. Some ethical standards are universal.

Organizational Liability and the Need for Counsel:

Liability is the legal obligation of an entity that extends beyond criminal or contract law; it
includes the legal obligation to make restitution, or to compensate for wrongs committed.

The bottom line is that if an employee, acting with or without the authorization of the employer,
performs an illegal or unethical act that causes some degree of harm, the employer can be held
financially liable for that action.

Due care standards are met when an organization makes sure that every employee knows what is
acceptable or unacceptable behavior, and knows the consequences of illegal or unethical actions.

Due diligence requires that an organization make a valid effort to protect others and continually
maintains this level of effort.

Jurisdiction: the court’s right to hear a case if a wrong is committed in its territory or
involves its citizenry.

Long arm jurisdiction: the long arm of the law extending across the country or around the world
to draw an accused individual into its court systems.

Restitution: a legal requirement to make compensation or payment resulting from a loss or
injury.

Policy Versus Law

Within an organization, information security professionals help maintain security via the
establishment and enforcement of policies. These policies, guidelines that describe acceptable
and unacceptable employee behaviors in the workplace, function as organizational laws, complete
with penalties, judicial practices, and sanctions to require compliance.

For a policy to become enforceable, it must meet the following five criteria:

Dissemination (distribution): The organization must be able to demonstrate that the relevant
policy has been made readily available for review by the employee. Common dissemination
techniques include hard copy and electronic distribution.

Review (reading): The organization must be able to demonstrate that it disseminated the
document in an intelligible form, including versions for illiterate, non-English-reading, and
reading-impaired employees. Common techniques include recordings of the policy in English
and alternate languages.

Comprehension (understanding): The organization must be able to demonstrate that the
employee understood the requirements and content of the policy. Common techniques include
quizzes and other assessments.

Compliance (agreement): The organization must be able to demonstrate that the employee agreed
to comply with the policy through act or affirmation. Common techniques include logon banners,
which require a specific action (mouse click or keystroke) to acknowledge agreement, or a
signed document clearly indicating the employee has read, understood, and agreed to comply
with the policy.

Uniform enforcement: The organization must be able to demonstrate that the policy has been
uniformly enforced, regardless of employee status or assignment.

Types of Law

1. Civil law comprises a wide variety of laws that govern a nation or state and deal with the
relationships and conflicts between organizational entities and people.
2. Criminal law addresses activities and conduct harmful to society, and is actively
enforced by the state. Law can also be categorized as private or public.
3. Private law encompasses family law, commercial law, and labor law, and regulates the
relationship between individuals and organizations.
4. Public law regulates the structure and administration of government agencies and their
relationships with citizens, employees, and other governments. Public law includes
criminal, administrative, and constitutional law.

In 2002 Congress passed FISMA (the Federal Information Security Management Act), which
mandates that all agencies establish information security programs to protect their information assets.

FISMA requires the following:

1. Periodic assessments of risks and the magnitude of harm

2. Policies and procedures that are based on the risk assessments

3. Subordinate plans for providing adequate information security for networks, facilities and systems

4. Security awareness training

5. Periodic testing and evaluation of the effectiveness of information security policies, procedures and practices

6. A process for planning, implementing, evaluating and documenting remedial action to address any deficiencies

7. Procedures for detecting, reporting and responding to security incidents

8. Plans and procedures to ensure continuity of operations for information systems


The Federal Privacy Act of 1974 regulates government agencies and holds them accountable if
they release private information about individuals or businesses without permission.

The following agencies, regulated businesses and individuals are exempt from some of the
regulations so they can perform their duties:

a) Census

b) Credit reporting agencies

c) National Archives and Records Administration

• ECPA: Electronic Communications Privacy Act
• HIPAA: Health Insurance Portability and Accountability Act of 1996
• HITECH: Health Information Technology for Economic and Clinical Health Act of 2009
• HIPAA has five fundamental principles:
a) Consumer control of medical information
b) Boundaries on the use of medical information
c) Accountability to maintain the privacy of specified types of information
d) Balance of public responsibility for the use of medical information
e) Security of health information

Ethics and Information Security


1. Deterring Unethical and Illegal Behavior

There are three general causes of unethical and illegal behavior:

1. Ignorance: Ignorance of the law is no excuse; however, ignorance of policy and
procedures is. The first method of deterrence is education. This is accomplished by
means of designing, publishing, and disseminating organization policies and relevant
laws, and also obtaining agreement to comply with these policies and laws from all
members of the organization. Reminders, training, and awareness programs keep the
policy information in front of the individual and thus better support retention and
compliance.

2. Accident: Individuals with authorization and privileges to manage information within the
organization are most likely to cause harm or damage by accident. Careful planning and
control help prevent accidental modification to systems and data.

3. Intent: Criminal or unethical intent goes to the state of mind of the person performing
the act; it is often necessary to establish criminal intent to successfully prosecute
offenders. Protecting a system against those with intent to cause harm or damage is best
accomplished by means of technical controls, and vigorous litigation or prosecution if
these controls fail.

2. Professional associations, such as the Association for Computing Machinery (ACM) and the
Information Systems Security Association, and certification agencies, such as the International
Information Systems Security Certification Consortium, Inc., or (ISC)², work to establish the
profession’s ethical codes of conduct.

The scenarios were grouped into three categories of ethical computer use:

a) Software license infringement (piracy)

b) Illicit use: viruses, hacking and other forms of system abuse

c) Misuse of corporate resources: using an office laptop for personal purposes

Certification Security Analysis:

Risk Management
Risk management is the process of identifying risk, as represented by vulnerabilities, to an
organization’s information assets and infrastructure, and taking steps to reduce this risk to an
acceptable level.

Risk management involves three major undertakings: risk identification, risk assessment,
and risk control.
1. Risk identification is the examination and documentation of the security posture of an
organization’s information technology and the risks it faces.
2. Risk assessment is the determination of the extent to which the organization’s
information assets are exposed or at risk.
3. Risk control is the application of controls to reduce the risks to an organization’s data
and information systems. The various components of risk management and their
relationship to each other
Roles of the community of interest

• Each community of interest has a role to play in managing the risks that an organization
encounters.
• Management must also ensure that sufficient time, money, personnel and other resources
are allocated to the information security and IT groups to meet the organization’s security
needs.
• IT operations, the IT community and information security are the three communities
responsible for the following:
a) Evaluating current and proposed risk controls
b) Deciding which control actions are more effective
c) Installing the needed controls
d) Ensuring that the controls remain effective

• Residual Risk (Risk Tolerance): The risk to information assets that remains even after
current controls have been applied.
• Risk Appetite: The quantity and nature of risk that organizations are willing to accept as
they evaluate the tradeoffs between perfect security and unlimited accessibility.

1. Risk Identification:
A risk management strategy requires that information security professionals know their
organizations’ information assets, that is, identify, classify, and prioritize them. Once the
organizational assets have been identified, a threat assessment process identifies and
quantifies the risks facing each asset.

The components of risk identification are:

1. Plan and Organize the Process

Just as with any major information security undertaking, the first step in the Risk
Identification process is to follow your project management principles. You begin by
organizing a team, typically consisting of representatives of all affected groups.

• Risk can exist everywhere in the organization; representatives will come from every
department and will include users, managers, IT groups and information security groups.
• The process must then be planned with periodic deliverables, reviews and presentations
to management.

Figure: Components of Risk Identification (plan and organize the process; identify, inventory
and categorize the assets; classify, value and prioritize assets; identify and prioritize threats;
specify asset vulnerabilities)
Table: Categorizing the Components of an Information System

Traditional System Components | SecSDLC Components             | Risk Management System Components
People                        | Employees                      | Trusted employees; Other staff
                              | Nonemployees                   | People at trusted organizations; Strangers
Procedures                    | Procedures                     | IT and business standard procedures; IT and business sensitive procedures
Data                          | Information                    | Transmission; Processing; Storage
Software                      | Software                       | Applications; Operating systems; Security components
Hardware                      | System devices and peripherals | Systems and peripherals; Security devices
                              | Networking components          | Intranet components; Internet or DMZ components

Classifying, valuing and prioritizing information assets:

Data classification scheme: A formal access control methodology used to assign a level of
confidentiality to an information asset and thus restrict the number of people who can access it.

For most NSI (National Security Information), which is vital to the security of the nation, the
government uses a three-level classification scheme:

a) Top Secret

b) Secret

c) Confidential

Identifying and prioritizing Threats:


Specify asset vulnerabilities:
2. Components of Risk Assessment:
Risk assessment assigns a risk rating or score to each information asset. While
this number does not mean anything in absolute terms, it is useful in gauging the
relative risk to each vulnerable information asset and facilitates the development of
comparative ratings later in the risk control process.

Stage-1

a) Identify scenario components

(i) Identify the asset at risk

(ii) Identify the threat community under consideration

Stage-2

b) Evaluate loss event frequency

(i) Estimate the probable threat event frequency

(ii) Estimate the threat capability

(iii) Estimate control strength

(iv) Derive vulnerability

(v) Derive loss event frequency

Stage-3

c) Evaluate probable loss magnitude

(i) Estimate worst case loss

(ii) Estimate probable loss

Stage-4

d) Derive and articulate risk

(i) Derive and articulate risk
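The four stages above name the inputs of a risk assessment but give no formula for combining them. The Python below is an added worked example, not part of these notes or of any standard, that carries constructed scenarios through the stages: threat capability and control strength are combined into a vulnerability (the fraction of threat events that succeed), vulnerability times threat event frequency gives the loss event frequency, and loss event frequency times probable loss gives an annualized risk figure that can be ranked and compared with the organization’s risk appetite (see the Residual Risk and Risk Appetite definitions earlier in this unit). The linear vulnerability model, the 0–1 rating scales and all sample numbers are assumptions made for the example.

```python
"""Worked risk assessment following the four stages in the notes.

Added example code; the weighting model and all sample figures are
assumptions, not a formula taken from the unit or from any standard.
"""
from dataclasses import dataclass


@dataclass
class Scenario:
    # Stage 1: scenario components
    asset: str
    threat_community: str
    # Stage 2 inputs (assumed units and scales)
    threat_event_frequency: float  # expected threat events per year
    threat_capability: float       # 0.0..1.0 rating of the threat community
    control_strength: float        # 0.0..1.0 rating of current controls
    # Stage 3 inputs (currency units per loss event, constructed)
    worst_case_loss: float
    probable_loss: float


def derive_vulnerability(threat_capability: float, control_strength: float) -> float:
    """Stage 2 (iv): fraction of threat events expected to succeed.

    Assumed model: 0.5 when capability equals control strength, rising or
    falling linearly with the gap between them, clamped to [0, 1].
    """
    return max(0.0, min(1.0, 0.5 + (threat_capability - control_strength)))


def derive_loss_event_frequency(s: Scenario) -> float:
    """Stage 2 (v): loss events per year = threat events per year x vulnerability."""
    return s.threat_event_frequency * derive_vulnerability(
        s.threat_capability, s.control_strength
    )


def derive_risk(s: Scenario) -> dict:
    """Stage 3 and 4: combine frequency with loss magnitude and articulate risk.

    Risk is reported as annualized expected loss (probable case) together
    with the worst-case annual exposure, so both figures reach management.
    """
    lef = derive_loss_event_frequency(s)
    return {
        "asset": s.asset,
        "threat_community": s.threat_community,
        "loss_event_frequency": round(lef, 4),
        "annualized_expected_loss": round(lef * s.probable_loss, 2),
        "worst_case_annual_exposure": round(lef * s.worst_case_loss, 2),
    }


def assess(scenarios, risk_appetite: float):
    """Rank scenarios by annualized expected loss and flag those above the
    organization's risk appetite (annual loss it is willing to accept).
    A scenario exactly at the appetite is treated as acceptable."""
    rated = [derive_risk(s) for s in scenarios]
    for r in rated:
        r["acceptable"] = r["annualized_expected_loss"] <= risk_appetite
    return sorted(rated, key=lambda r: r["annualized_expected_loss"], reverse=True)


# Constructed sample scenarios; the numbers are illustrative, not measurements.
SAMPLE = [
    Scenario("customer database", "organized criminals", 2.0, 0.8, 0.5, 250000, 50000),
    Scenario("public web server", "opportunistic scanners", 12.0, 0.3, 0.7, 20000, 2000),
    Scenario("HR file share", "careless insiders", 4.0, 0.5, 0.5, 40000, 5000),
]
RISK_APPETITE = 10000.0  # constructed threshold in the same currency units

if __name__ == "__main__":
    for r in assess(SAMPLE, RISK_APPETITE):
        print(r)
```

Running the block ranks the customer database first (1.6 loss events a year, annualized expected loss 80000, above the 10000 appetite), the HR share second (exactly at the appetite, so accepted) and the web server last; the ranking, not the absolute numbers, is what the risk control step consumes, which matches the note above that the score is only meaningful relatively.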


Figure: Components of Risk Assessment (plan and organize the process; determine loss
frequency; evaluate loss magnitude; calculate risk; assess risk acceptability)
Risk Control:

Risk control involves three basic steps:

1. Selection of control strategies

2. Justification of these strategies to higher management

3. Implementation, monitoring and ongoing assessment of the adopted controls

Selection of control strategies:


The five strategies are:
1. Defence: Attempts to prevent the exploitation of vulnerabilities. It is
accomplished by countering threats, removing vulnerabilities from assets,
limiting access to assets and adding protective safeguards. Three common methods
include:

a) Application of policy

b) Education and training

c) Application of technology

2. Transference: Attempts to shift risk to other assets, other processes, or other
organizations.

These controls can be accomplished by rethinking how services are offered,
revising deployment models, outsourcing to other organizations, purchasing
insurance or implementing service contracts with providers.

3. Mitigation: Attempts to reduce the impact of an attack rather than reduce the
success of the attack itself.
This approach requires the creation of three types of contingency plans:
a) Incident Response plan (IR)
b) Disaster Recovery plan (DR)
c) Business Continuity plan (BC)

4. Acceptance: The risk control strategy that indicates the organization is willing
to accept the current level of risk. As a result, the organization makes a conscious
decision to do nothing to protect an information asset from risk and to accept the
outcome from any resulting exploitation.

5. Termination: The risk control strategy that eliminates all risk associated with an
information asset by removing it from service. It directs the organization to avoid
business activities that introduce uncontrollable risk.

Fig: Risk Control Cycle
