
LEGAL, ETHICAL, AND PROFESSIONAL ISSUES IN INFORMATION SECURITY
LEARNING OBJECTIVES

Upon completion of this material, you should be able to:

• Describe the functions of and relationships among laws, regulations, and professional organizations in information security
• Explain the differences between laws and ethics
• Identify major national laws that affect the practice of information security
• Discuss the role of privacy as it applies to law and ethics in information security
LAW AND ETHICS IN INFORMATION SECURITY

• Cultural mores The fixed moral attitudes or customs of a particular group.
• Ethics The branch of philosophy that considers nature, criteria, sources, logic, and the validity of moral judgment.
• Laws Rules that mandate or prohibit certain behavior and are enforced by the state.
LAW AND ETHICS IN INFORMATION SECURITY

In general, people elect to trade some aspects of personal freedom for social order. It is often a necessary but somewhat ironic proposition, as Benjamin Franklin asserted:

“Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.”

As Jean-Jacques Rousseau explained in The Social Contract, or Principles of Political Right, the rules that members of a society create to balance the individual rights to self-determination against the needs of the society as a whole are called laws. The key difference between laws and ethics is that laws carry the authority of a governing body and ethics do not. Ethics in turn are based on cultural mores. Some ethical standards are universal. For example, murder, theft, assault, and arson are generally prohibited in ethical and legal codes throughout the world.
ORGANIZATIONAL LIABILITY AND THE NEED FOR COUNSEL

Key Terms
Due care Measures that an organization takes to ensure every employee knows what is
acceptable and what is not.
Due diligence Reasonable steps taken by people or organizations to meet the obligations
imposed by laws or regulations.
Jurisdiction The power to make legal decisions and judgments; typically an area within
which an entity such as a court or law enforcement agency is empowered to make legal
decisions.
Liability An entity’s legal obligation or responsibility.
Long-arm jurisdiction The ability of a legal entity to exercise its influence beyond its
normal boundaries by asserting a connection between an out-of-jurisdiction entity and a
local legal case.
Restitution A legal requirement to make compensation or payment resulting from a loss
or injury.
POLICY VERSUS LAW

Policies are guidelines that dictate certain behavior within the organization. Thus, for a policy to be enforceable, it must meet certain criteria. Only when all of these conditions are met can an organization penalize employees who violate a policy without fear of legal retribution.
POLICY VERSUS LAW
Dissemination (distribution): The organization must be able to demonstrate that the
relevant policy has been made readily available for review by the employee. Common
dissemination techniques include hard copy and electronic distribution.
Review (reading): The organization must be able to demonstrate that it disseminated the
document in an intelligible form, including versions for employees who are illiterate,
reading-impaired, and unable to read English. Common techniques include recordings of
the policy in English and alternate languages.
Comprehension (understanding): The organization must be able to demonstrate that
the employee understands the requirements and content of the policy. Common
techniques include quizzes and other assessments.
Compliance (agreement): The organization must be able to demonstrate that the
employee agreed to comply with the policy through act or affirmation. Common
techniques include logon banners, which require a specific action (mouse click or
keystroke) to acknowledge agreement, or a signed document clearly indicating the
employee has read, understood, and agreed to comply with the policy.
Uniform enforcement: The organization must be able to demonstrate that the policy has
been uniformly enforced, regardless of employee status or assignment.
TYPES OF LAW
Constitutional Law:
Statutory Law:
Regulatory or Administrative Law:
Common Law, Case Law, and Precedent
Within statutory law, one can further divide laws into their association with individuals,
groups, and the “state”:
• Civil law embodies a wide variety of laws pertaining to relationships between and
among individuals and organizations. Civil law includes contract law, employment law,
family law, and tort law. Tort law is the subset of civil law that allows individuals to seek
redress in the event of personal, physical, or financial injury. Perceived damages within
civil law are pursued in civil court and are not prosecuted by the state.
• Criminal law addresses violations harmful to society and is actively enforced and
prosecuted by the state. Criminal law addresses statutes associated with traffic law,
public order, property damage, and personal damage, where the state takes on the
responsibility of seeking retribution on behalf of the plaintiff, or injured party.
PRIVACY
Key Terms
aggregate information Collective data that relates to a group or category of people and
that has been altered to remove characteristics or components that make it possible to
identify individuals within the group. Not to be confused with information aggregation.
information aggregation Pieces of nonprivate data that, when combined, may create
information that violates privacy. Not to be confused with aggregate information.
privacy In the context of information security, the right of individuals or groups to
protect themselves and their information from unauthorized access, providing
confidentiality.
CASE ON PRIVACY VIOLATION
Facebook Issue
Facebook agreed to pay $90 million to settle a decade-old privacy lawsuit accusing it
of tracking users' internet activity even after they logged out of the social media
website.

WHAT ARE THE CONCERNS ABOUT TIKTOK?

Both the FBI and officials at the Federal Communications Commission have warned that ByteDance could share TikTok user data such as browsing history, location and biometric identifiers with China’s authoritarian government.
Sources
https://apnews.com/article/tiktok-ceo-shou-zi-chew-security-risk-cc36f36801d84fc0652112fa461ef140

https://www.france24.com/en/americas/20220216-meta-s-facebook-agrees-to-pay-90-million-to-settle-privacy-lawsuit
RELEVANT LAWS IN THE PHILIPPINES

• Republic Act No. 10175 – An Act Defining Cybercrime, Providing for the Prevention, Investigation, Suppression and the Imposition of Penalties Therefor and for Other Purposes
• Republic Act No. 10173 – Data Privacy Act of 2012
ETHICS AND INFORMATION SECURITY
The Ten Commandments of Computer Ethics from the Computer Ethics Institute
1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people’s computer work.
3. Thou shalt not snoop around in other people’s computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people’s computer resources without authorization or
proper compensation.
8. Thou shalt not appropriate other people’s intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or
the system you are designing.
10. Thou shalt always use a computer in ways that ensure consideration and respect
for your fellow humans.
ETHICS AND INFORMATION SECURITY
Whatever the cause of illegal, immoral, or unethical behavior, one thing is
certain: information security personnel must do everything in their power to
deter these acts and to use policy, education and training, and technology to
protect information and systems. Many security professionals understand the
technology aspect of protection but underestimate the value of policy.
However, laws, policies, and their associated penalties only provide deterrence
if three conditions are present.

Fear of penalty: Potential offenders must fear the penalty. Threats of informal
reprimand or verbal warnings do not have the same impact as the threat of
imprisonment or forfeiture of pay.
Probability of being apprehended: Potential offenders must believe there is a
strong possibility of being caught.
Probability of penalty being applied: Potential offenders must believe that
the penalty will be administered.
CODE OF ETHICS OF PROFESSIONAL ORGANIZATIONS

MAJOR IT AND INFOSEC PROFESSIONAL ORGANIZATIONS

• Association for Computing Machinery (ACM)
• International Information Systems Security Certification Consortium, Inc. (ISC)²
• SANS Formerly known as the System Administration, Networking, and Security Institute, SANS was founded in 1989 as a professional research and education cooperative organization and has awarded certifications to more than 55,000 information security professionals. SANS offers a set of certifications called the Global Information Assurance Certification (GIAC).
• ISACA Originally known as the Information Systems Audit and Control Association, ISACA is a professional association that focuses on auditing, control, and security.
• Information Systems Security Association (ISSA) ISSA is a nonprofit society of more than 10,000 information security professionals in over 100 countries.
GOVERNMENT AGENCY CONCERNED WITH ICT

• Republic Act No. 10844, otherwise known as the “Department of Information and Communications Technology Act of 2015”
In accordance with the law, the Department of Information and Communications Technology (DICT) shall be the primary policy, planning, coordinating, implementing, and administrative entity of the Executive Branch of the government that will plan, develop, and promote the national ICT development agenda.
The DICT shall strengthen its efforts on the following focus areas:
• Policy and Planning
• Improved Public Access
• Resource-Sharing and Capacity-Building
• Consumer Protection and Industry Development
Apart from this, the DICT is expected to spearhead the following endeavors:
• Nation building Through ICT
• Safeguarding of Information
• Advancement of ICT in the Philippines
Aligning with the current administration’s ICT Agenda, the DICT will prioritize the following:
• Development of a National Broadband Plan to accelerate the deployment of fiber optic cables and wireless technologies to
improve internet speed
• Provision of Wi-Fi access at no charge in selected public places including parks, plazas, public libraries, schools, government
hospitals, train stations, airports, and seaports
• Development of a National ICT Portal
ABOLISHED AGENCIES RELATED TO ICT MANAGEMENT

The functions of the following government agencies have been transferred to the DICT:
• All operating units of the DOTC with functions and responsibilities dealing with communications
• Information and Communications Technology Office (ICTO)
• National Computer Center (NCC)
• National Computer Institute (NCI)
• National Telecommunications Training Institute (NTTI)
• Telecommunications Office (TELOF)