Legal and Ethical Issues in Computer Security: January 2007
Author: Rusul M. Kanona, Baghdad College of Economic Sciences University
All content following this page was uploaded by Rusul M. Kanona on 23 April 2019.
Ethical vs. Legal Issues
What percentage of your time would you guess that you will spend dealing with ethical or legal issues?
Ethical vs. Legal Issues
Legal issues:
Sometimes have a definitive answer
Determination is made by others (not you)
Ethical issues:
Sometimes have a definitive answer
You determine your course of action
Ethical Issues
Ethical
1. pertaining to or dealing with morals or the principles of morality; pertaining to right and wrong in conduct.
2. in accordance with the rules or standards for right conduct or practice, esp., the standards of a profession.
Examples:
Should companies collect and/or sell customer data?
Consider Your Views on Ethical Behavior
How will you react? How will you determine what the “right” course of action is? What are you willing to risk to do the “right thing”?
Are Your Ethics Contextual?
Are they unchanging or contextual?
People know that downloading music or software they don’t own is illegal, but do so anyway because they don’t believe that it hurts the owners of the IP (intellectual property)
You have an expectation of privacy (lockers, email, etc.) except if there is suspicion of wrongdoing
Never tell a lie… except if…
Framework for Ethics
What motivates us to view issues a certain way?
From: “Case Studies in Information and Computer Ethics”, Richard Spinello, Prentice-Hall, 1997
Consequence-Based Ethics
Priority is given to choices that lead to a “good” outcome (consequence)
Rule-Based Ethics
Priority is given to following the rules without undue regard to the outcome
Example
Scenario:
Student copies answers on a final exam
As per policy, I confront student with evidence
My perspective was:
The right thing to do is to tell the truth regardless of the consequences
Example
You are the security officer for a research network at the other large Florida University. You suspect that students are using P2P appliances to upload copyrighted music that they do not own. This violates federal law (DMCA) and is against the University computer use code.
Options:
Do nothing until a suspicion is brought forward
Bandwidth limit P2P with a packet shaper
Filter P2P outright
Actively monitor the network looking for P2P
Read the local newsgroups and follow leads when P2P is discussed
Which camp were you in?
Consequence-based:
Egoism: the “right choice” benefits self
Utilitarianism: the “right choice” benefits the interests of others
Rule-based:
Pluralism: stresses fidelity to a sense of duty and principle (“never tell a lie”)
Rule-based: rules exist for the benefit of society and should be followed
Privacy Issues
Many ethical issues (and legal issues, as we will see) in security seem to be in the domain of the individual’s right to privacy versus the greater good of a larger entity (a company, society, etc.)
Four Ethical Issues of the Information Age [1]
Privacy - right of individual to control personal information
[1] Richard O. Mason, Management Information Systems Quarterly, Volume 10, Number 1, March 1986
Legal Issues
Q: We need to know this because: ?
Hierarchy of Regulations
International:
International Cyber crime Treaty
Federal:
FERPA, GLB, HIPAA, DMCA, Teach Act, Patriot Act, Sarbanes-Oxley Act, …
State:
UCITA, SB 1386, …
Organization:
Computer use policy
Examples
Let’s take a very quick look at a few of the many regulations that could impact how you do your job
US Patriot Act
What would we expect to see in “information protection” legislation?
Components:
Statement of what we are trying to protect (what type of data)
Attributes that need protection (C.I.A.)
Changes to business practices
Assigning accountability for protection
Penalty for failure
Specific areas that technology should address (e.g., authentication, storage, transmission)
1- International Cyber crime Treaty
Goal: facilitate cross-border computer crime investigation
Who: 38 nations, USA has not ratified it yet
Provisions:
Obligates participants to outlaw computer intrusion, commercial copyright infringement, online fraud
Participants must pass laws to support search & seizure of email and computer records, perform internet surveillance, make ISPs preserve logs for investigation
Mutual assistance provision to share data
1- Organizational Practices:
Security and confidentiality policies
Sanctions
2- Technical Practices and procedures
HIPAA
Health Insurance Portability and Accountability Act
Focus: Addresses confidentiality of personal medical data through standards for administrative, physical, and technical security
How does this apply to IT professionals?
If you have systems with patient data, and you either (a) transmit that data or (b) allow access to systems that store the data, then you need to be HIPAA compliant
If you transmit protected health information, you are accountable for: integrity controls; message authentication; alarm; audit trail; entity authentication; and event reporting. If you communicate with others via a network: access controls; encryption.
HIPAA Security Examples
Data Integrity: not altered during transmission: e.g., TLS (Transport Layer Security), etc. Regardless of access method (web, shares, etc.)
Error reporting: error and audit logs may need to be kept for a period of time
HIPAA Security Areas
1. Administrative procedures to guard data CIA. Documented formal procedures to select and measure security mechanisms
1- Administrative Safeguards
2- Physical Safeguards
Facility access controls: contingency operations, facility security plan
Workstation use
Workstation security
Device and media controls: disposal, media re-use, backup
3- Technical Safeguards
Access control: unique user IDs, automatic logoff, encryption, emergency access
Audit controls
Integrity: mechanism to authenticate electronic protected health information
Entity authentication
Transmission security: integrity controls, encryption
3- US Patriot Act
This is a whole legal/ethical/moral debate that we could have some other time. Bottom line, it’s the law, and you as an IT professional need to know:
4- FERPA
Family Educational Rights and Privacy Act