
CC7178

Cyber Security Management

Lecture 7

Presenter : Kiran Kumar Shah


Learning Objectives
– Differentiate between law and ethics
– Identify some of the major national and international laws that relate to the practice of information security
– Understand the role of culture as it applies to ethics in information security
– Current laws, regulations, and relevant professional organizations' codes of conduct/ethics
Deep Web and Dark Net (Tor)

Ross William Ulbricht

Conviction Charges

1. Distribution and aiding and abetting distribution of narcotics
2. Using the Internet to distribute narcotics
3. Conspiracy to distribute narcotics
4. Engaging in a continuing criminal enterprise
5. Conspiring to traffic in fraudulent identification documents
6. Money laundering
7. Computer hacking (laws relating to cyber security)
Law and Ethics in Information Security

• Laws: rules enforced by government to maintain certain behavior in society (mandatory).
• Ethics: define socially acceptable behavior based on cultural mores.
• Cultural mores: relatively fixed moral attitudes or beliefs of a particular group.
• Difference: laws carry the sanctions (enforcement) of a governing authority, but ethics do not. Law is enforced externally; ethics come from within.

Belief vs. idea (lack of cyber security awareness)


Types of Law

• Civil law: represents a wide variety of laws that govern a nation/state.
• Criminal law: addresses violations harmful to society that are punishable by law.
• Tort law: a subset of civil law that allows individuals to seek recourse against others in the event of personal, physical, or financial injury.
Types of Law
• Private law: regulates the relationships among individuals and organizations, and encompasses family law, commercial law, and labor law.
• Public law: affects the general public; all citizens have to follow it. E.g., criminal, administrative, and constitutional law.
Relevant US Laws (General)
Relevant UK Laws (General)

• Copyright, Designs and Patents Act (1988)
• Computer Misuse Act (1990)
• Human Rights Act (1998)
• Data Protection Act (1998)
• Regulation of Investigatory Powers Act (2000)
… others
Data Protection Act (1998)
(http://www.opsi.gov.uk/Acts/Acts1998/ukpga_19980029_en_1)
• Received Royal Assent on 16 July 1998; came into force early 1999.
• Followed EC Directive 95/46/EC, ratified on 24 Oct 1995, which requires:

"Member States to protect the fundamental rights and freedoms of natural persons, in particular their right to privacy with respect to the processing of personal data."

• The Data Protection Act deals with protecting personal data at the time of processing by any organization or individual, whether the data is stored in computer or manual form.
Data Protection Act (1998)
Definitions

Personal Data: data that relate to a living individual who can be identified from those data, including any expression of opinion about the individual. The information can include race or ethnicity, political opinions, religious or philosophical beliefs, trade union membership, genetic data and biometric data (used for identification purposes).

Processing: obtaining, recording or holding the data by an organization/individual, adapting or altering it, and disclosing the information contained in the data.

Data Subject, Data Controller


Data Protection Act (1998)

Principles of the Data Protection Act

• Information shall be obtained and processed "fairly and lawfully".
• Information shall be held only for one or more specific and lawful purposes.
• Companies should not hold information that is excessive or not relevant to the purposes the company has registered under the Act (e.g., health institutions).
• Information held on individuals should be accurate and up-to-date.
• Information should not be held for longer than necessary (e.g., hiring).
• Individuals have the right to see the data held about them and have corrections made where necessary.
• Companies must take measures to protect information from unauthorised access.
Data Protection Act (1998)

Individuals' Rights

• Right of subject access to a copy of information held about them (what, why, whom).
• Entitled to be told of the logic involved (e.g., employee hiring).
• If the data subject believes that a data controller has failed to comply with a subject access request, they may apply for a Court Order.
• Right to prevent processing likely to cause damage or distress.
• Right to prevent processing for the purposes of direct marketing.
• Rights in relation to automated decision-taking (e.g., algorithms).
• Right to take action for compensation if the individual suffers damage through any contravention of the Act by the data controller.
• Right to take action to rectify, block, erase or destroy inaccurate data.
• Right to make a request to the Commissioner for an assessment to be made as to whether any provision of the Act has been contravened.
Data Protection Act (1998)

Exemptions (where individuals' rights don't apply)

• Primary Exemptions
National security, crime, taxation, education, health

• Special Purpose Exemptions
Publication of journalistic, literary or artistic material if in the public interest; could also include research, historical and statistical studies.

• Miscellaneous Exemptions
Personal data concerning the armed forces, judicial and ministerial appointments.

What is the purpose of this Act?


Computer Misuse Act (1990)
(http://www.opsi.gov.uk/acts/acts1990/UKpga_19900018_en_1.htm)

This Act penalizes the following activities:

• unauthorized access to computer material
• unauthorized access with the intention of carrying out, or assisting others with the commission of, further offences
• unauthorized modification of computer material
• impairing the operation of a program or the reliability of the data
• preventing or hindering access to any program or data

(1980, UK Post Office Prestel (videotex system), Robert Schifreen and Stephen Gold)
Copyright, Designs and Patents Act (1988)
(http://www.opsi.gov.uk/acts/acts1988/UKpga_19880048_en_1.htm)

• The Act is the chief defense protecting organizations and software developers from the unauthorized copying of designs, software, printed materials and any other works.
• It allows a company to safeguard its intellectual property rights (IPR) against competitors and others who might wish to profit from the company's or individual's research and investment.

Intellectual property (IP)

• Creations of the human mind that have commercial and moral value, like designs, ideas and inventions. IP law exists to foster creativity.
• In general, IP covers the areas of patents, trademarks, and copyright.
Digital Millennium Copyright Act (DMCA)
(http://en.wikipedia.org/wiki/Digital_Millennium_Copyright_Act)

• U.S. contribution to the international effort to reduce the impact of copyright, trademark, and privacy infringement.
• A response to European Union Directive 95/46/EC, which adds protection for individuals with regard to the processing and free movement of personal data.
• The UK has already implemented a version of this directive.

Two important points

1. It criminalizes the production and dissemination of technology, devices, or services intended to circumvent measures (commonly known as digital rights management, or DRM) that control access to copyrighted works. It also criminalizes the act of circumventing an access control, whether or not there is actual infringement of copyright itself.

2. It creates a safe harbor for online service providers (OSPs, including ISPs) against copyright infringement liability, provided they meet specific requirements.
International Laws and Treaties

International law: regulates the conduct of one state with another. Binding. E.g., the European Union.

International treaty: also regulates the conduct of states, but is not binding.

Many domestic laws and customs have limited scope, e.g., in international trade, which is governed by international treaties and trade agreements.

• Because such laws are difficult to formulate, given the political complexities of the relationships among nations and cultural differences, there are currently few international laws relating to privacy and information security.
European Convention on Cybercrime
http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm
A legally binding text since 2004
• Ratified by 21 countries, with 22 remaining as signatories (including the UK)

Budapest Convention
• Addresses internet and computer crimes by harmonizing national laws.
• Establishes an international task force overseeing international investigations into breaches of technology law.
• The overall goal is to simplify the acquisition of information for law enforcement agents in certain types of international crimes, as well as the extradition process.
• Well received by intellectual property rights advocates due to its emphasis on copyright infringement prosecution.
Cyber Warfare

Cyberwarfare refers to the use of digital attacks, like computer viruses and hacking, by one country to disrupt the vital computer systems of another, with the aim of creating damage, death and destruction.
Policy as Law

Policies serve as organizational laws. Unlike law, however, ignorance is an acceptable defense.

Therefore, to be enforceable as law, policies must be:

● Distributed to all individuals who are expected to comply with them
● Readily available for employee reference
● Easily understood, with multilingual translations and translations for visually impaired or low-literacy employees
● Acknowledged by the employee, usually by means of a signed consent form
● Uniformly enforced for all employees
Ethics and Information Security

The Ten Commandments of Computer Ethics (from the Computer Ethics Institute)

Thou shalt not:

• Use a computer to harm other people
• Interfere with other people's computer work
• Snoop around in other people's computer files
• Use a computer to steal
• Use a computer to bear false witness (planting evidence)
• Copy or use proprietary software for which you have not paid
• Use other people's computer resources without authorization or proper compensation
• Appropriate other people's intellectual output

Thou shalt:

• Think about the social consequences of the program you are writing or the system you are designing
• Always use a computer in ways that ensure consideration and respect for your fellow humans
Ethics and Information Security

Cultural differences create difficulty in determining what is and is not ethical.

• Difficulties arise when one nationality's ethical behavior conflicts with the ethics of another national group.
• The overriding factor in leveling the ethical perceptions within a small population is education.
• Employees must be trained in the expected behaviors of an ethical employee, especially in areas of information security.
Deterrence to Unethical and Illegal Behavior

Three causes of unethical and illegal behavior: ignorance, accident, intent.

Deterrence is the best method for preventing an illegal or unethical activity.
• Examples of deterrents include laws, policies, and technical controls.

However, organizational laws/policies and their associated penalties only deter if three conditions are present:
• Fear of penalty
• Probability of being caught
• Probability of penalty being administered
Codes of Ethics & Professional Organizations

Several professional organizations have established codes of conduct/ethics (ISACA, SANS).

The loss of accreditation or certification due to a violation of a code of conduct can be a deterrent, as it can dramatically reduce the individual's marketability and earning power.
System Administration, Networking, and Security Institute (SANS)
(http://www.sans.org/)

• Founded in 1989, SANS is a professional organization with over 156,000 security professionals, auditors, system and network administrators.
• SANS offers a set of certifications called Global Information Assurance Certification (GIAC), whose Code of Ethics requires:
– Respect for the public (impact on social welfare)
– Respect for the certification (no dissemination of information, no misuse)
– Respect for my employer (competent service)
– Respect for myself (conflict of interest, misrepresenting my abilities)
Information Systems Audit and Control Association (ISACA)
(http://www.isaca.org/)

Professional association with a focus on auditing, control, and security.

• The membership comprises both technical and managerial professionals.
• Concentrates on providing IT control practices and standards.
• ISACA has a code of ethics for its professionals.
• Nonprofit society of information security professionals.
• Primary mission: to bring together qualified IS practitioners for information exchange and educational development.
• Promotes a code of ethics similar to those of (ISC)2, ISACA and ACM, "promoting management practices that will ensure the confidentiality, integrity, and availability of organizational information resources."
Information Systems Audit and Control Association (ISACA)
(http://www.isaca.org/)

Members and ISACA certification holders shall:

1. Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.
2. Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards and best practices.
3. Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.
4. Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
5. Maintain competency in their respective fields and agree to undertake only those activities that they can reasonably expect to complete with professional competence.
6. Inform appropriate parties of the results of work performed, revealing all significant facts known to them.
7. Support the professional education of stakeholders in enhancing their understanding of information systems security and control.
Other Professional Bodies

British Computer Society (http://www.bcs.org/)

Association for Computing Machinery (ACM) (https://www.acm.org/)

International Information Systems Security Certification Consortium, Inc. (ISC)2 (http://en.wikipedia.org/wiki/(ISC)%C2%B2)
Organizational Liability

• If an employee, acting with or without authorization, performs an illegal or unethical act, causing some degree of harm, the organization can be held financially liable for that action.
• An organization increases its liability (legal obligation) if it refuses to take the measures known as due care, that is, to make sure that every employee knows what is acceptable and what is not, and the consequences of illegal or unethical actions (policy, training).
• Due diligence requires that an organization make a valid and ongoing effort to maintain due care.
Coursework assignment: Critical analysis part….

Week 7 Seminar Exercises Questions

Review Questions
• What is the difference between criminal law and civil law?
• What are the primary examples of public law?
• What is intellectual property? Is it offered the same protection in every country of the world? What laws currently protect it in the UK and Europe?
• What is a policy? How does it differ from a law?
• What is the best method for preventing an illegal or unethical activity?
• Of the professional organizations discussed, which is focused on auditing and control?
• What is due care? Why would an organization want to make sure it exercises due care in its usual course of operations?
• What are the individual rights in respect of personal data which the Data Protection Act provides? What can be done to deter someone from committing a crime?
• How does due diligence differ from due care? Why are both important?
