Cyber Notes

The document discusses ethics and ethical principles including beneficence, least harm, respect for autonomy, and justice. It also covers ethical theories such as utilitarianism and deontological ethics, outlining their key aspects and advantages/disadvantages.

Uploaded by

Emma mutaurwa

CYBERSECURITY AND ETHICS NOTES ND3 SYLLABUS

4.1 INTRODUCTION TO ETHICS


Ethics are a system of moral principles and a branch of philosophy which defines what
is good for individuals and society. They involve systematizing, defending, and
recommending concepts of right and wrong behavior. Ethics are based on well-founded
standards of right and wrong that prescribe what humans ought to do, usually in terms
of rights, obligations, benefits to society, fairness, or specific virtues.
They affect how people make decisions and lead their lives. Ethics are concerned with
what is good for individuals and society, also described as moral philosophy. The term
is derived from the Greek word ethos which can mean custom, habit, character or
disposition. Ethics covers the following dilemmas:
- how to live a good life
- our rights and responsibilities
- the language of right and wrong
- moral decisions - what is good and bad?
Our concepts of ethics have been derived from religions, philosophies and cultures.
They infuse debates on topics like abortion, human rights and professional conduct.
Philosophers nowadays tend to divide ethical theories into three areas: Meta-ethics
(deals with the nature of moral judgment. It looks at the origins and meaning of ethical
principles); normative ethics (concerned with the content of moral judgements and the
criteria for what is right or wrong) and applied ethics (looks at controversial topics like
war, animal rights and capital punishment).

Ethical Principles
These include:
Beneficence
The principle of beneficence guides the decision maker to do what is right and good.
This priority to “do good” makes an ethical perspective and possible solution to an
ethical dilemma acceptable. This principle is also related to the principle of utility, which
states that we should attempt to generate the largest ratio of good over evil possible in
the world. This principle stipulates that ethical theories should strive to achieve the
greatest amount of good because people benefit from the most good. This principle is
mainly associated with the utilitarian ethical theory.

Least Harm
Similar to beneficence, least harm deals with situations in which no choice appears
beneficial. In such cases, decision makers seek to choose to do the least harm possible
and to do harm to the fewest people. However, it can be argued that people have a
greater responsibility to “do no harm” than to take steps to benefit others. For example,
a student has a larger responsibility to simply walk past a teacher in the hallway rather
than to make derogatory remarks about that teacher as he/she walks past even though
the student had failed that teacher’s class.

Respect for Autonomy


This principle states that decision making should focus on allowing people to be
autonomous—to be able to make decisions that apply to their lives. Thus, people should
have control over their lives as much as possible because they are the only people who
completely understand their chosen type of lifestyle. Each individual deserves respect
because only he/she has had those exact life experiences and understands his
emotions, motivations, and physical capabilities in such an intimate manner. In essence,
this ethical principle is an extension of the ethical principle of beneficence because a
person who is independent usually prefers to have control over his life experiences in
order to obtain the lifestyle that he/she enjoys.

Justice
The justice ethical principle states that decision makers should focus on actions that are
fair to those involved. This means that ethical decisions should be consistent with the
ethical theory unless extenuating circumstances that can be justified exist in the case.
This also means that cases with extenuating circumstances must contain a significant
and vital difference from similar cases that justify the inconsistent decision.

 Ethical Theories
Ethical theories are another tool to help an individual clearly and logically think about an
ethical issue, and arrive at a decision that can be rationally defended. A moral theory is
a mechanism for assessing whether a particular action or rule is ethically justified. More
precisely, a moral theory can help us to sharpen our moral vision, it helps us determine
whether an action or a rule is ethically right (meaning it is required and must be
performed and followed), wrong (meaning it must not be performed or followed), or
permissible (meaning it may be, but need not be, performed or followed). Ethical theory
serves as the foundation for ethical solutions to the difficult situations people encounter
in life. Four broad categories of ethical theory include:

o Utilitarianism
Utilitarianism is a family of normative ethical theories that promotes actions that
maximize happiness and well-being for all affected individuals. It is often equated with
the concept of “the greatest good for the greatest number of people,” and is sometimes called
consequentialism because ethical decisions are made based on the consequences of
the action. Jeremy Bentham, the founder of utilitarianism, described utility as "that
property in any object, whereby it tends to produce benefit, advantage, pleasure, good,
or happiness...[or] to prevent the happening of mischief, pain, evil, or unhappiness to
the party whose interest is considered." Utilitarianism considers the interests of all
humans equally. Utilitarianism is an effort to provide an answer to the practical question
“What ought a person to do?” The answer is that a person ought to act so as to produce
the best consequences possible. The concept has been applied towards social welfare
economics, the crisis of global poverty, the ethics of raising animals for food, and the
importance of avoiding existential risks to humanity. To a utilitarian, the choice that
yields the greatest benefit to the most people is the one that is ethically correct. There
are two types of utilitarianism, act utilitarianism (a person performs the acts that
benefit the most people, regardless of personal feelings or the societal constraints such
as laws); and rule utilitarianism (takes into account the law and is concerned with
fairness). Rule utilitarianism values justice and includes beneficence at the same
time.

Advantages of Utilitarianism
- Focus is on happiness as a society.
- It teaches us that harming other people is wrong.
- Utilitarianism is an easy theory to implement.
- It is a secular system that focuses on humanity.
- Utilitarianism seeks to create the highest good.
- It focuses on the democratic process for forward movement.
- We get to focus on an objective, universal solution.

Disadvantages of Utilitarianism
- No element other than happiness is considered.
- It creates an unrealistic perspective for society as it considers happiness over harm.
- Utilitarianism can be unpredictable, forcing decision makers to guess the outcome of
their choice.
- It relies on people making consistent decisions which can be very rare considering
human nature.
- Utilitarianism relies on multiple definitions of happiness. Common ground may not be
feasible.
- It creates the potential for the majority to rule through tyranny. Harming a minority and
benefitting a majority doesn’t build mutually beneficial relationships.

o Deontological ethics
Deontological ethics, derived from the Greek words ‘deon’ (meaning obligation, duty) and
‘logos’ (meaning study), is the normative ethical theory that the morality of an action
should be based on whether that action itself is right or wrong under a series of rules,
rather than on the consequences of the action. It is sometimes described as duty-,
obligation-, or rule-based ethics. It is the idea that people should be treated with dignity and respect.
Immanuel Kant’s theory of ethics (Kantianism) is considered deontological for several
different reasons. Kant argued that in order to act in the morally right way, people must
act from duty. Kant also argued that it is not the consequences of actions that make
them right or wrong, but the motives of the person who carries out the action. In
deontological ethics an action is considered morally good because of some
characteristic of the action itself, not because the product of the action is good.
Deontological ethics holds that at least some acts are morally obligatory regardless of
their consequences for human welfare. The deontological class of ethical theories
states that people should adhere to their obligations and duties when engaged in
decision making when ethics are in play. This means that a person will follow his or her
obligations to another individual or society because upholding one’s duty is what is
considered ethically correct. For instance, a deontologist will always keep his promises
to a friend and will follow the law. A person who adheres to deontological theory will
produce very consistent decisions since they will be based on the individual’s set duties.

Advantages of Deontological ethics


- Deontological ethics create a foundation for human conduct.
- Deontological ethics create higher levels of personal responsibility.
- Deontological ethics create moral absolutes. No exceptions to any moral rules are
permitted within this concept.
- Deontological ethics emphasize the value of every person.
- Deontological ethics provide certainty.
- Strongest model for applied public relations ethics.

Disadvantages of Deontological ethics
- Deontological ethics create a paradox. Deontological ethics dictate how you react to
the situation no matter the need for action that may save the situation.
- Deontological ethics become useful as supernatural excuses to override the morality
on a personal level.
- Deontological ethics are a matter of subjective opinion.
- Deontological ethics do not incorporate self-defense ideas creating conflict in duties.
- Deontological ethics are absolutist, hence the possibility of making a ‘right’ choice with
bad consequences.

o Virtue ethics
Virtue ethics are normative ethical theories which emphasize virtues of mind, character
and sense of honesty. Virtue ethicists discuss the nature and definition of virtues and
other related problems that focus on the consequences of action. These include how
virtues are acquired, how they are applied in various real life contexts, and whether they
are rooted in a universal human nature or in a plurality of cultures. A virtue is generally
agreed to be a character trait conceived as excellence, such as a habitual action or
settled sentiment. Specifically, a virtue is a positive trait that makes its possessor a
good human being. A virtue is thus to be distinguished from single actions or feelings.
Virtue ethics is primarily concerned with traits of character that are essential to human
flourishing, not with the enumeration of duties. The virtue ethical theory judges a person
by his/her character rather than by an action that may deviate from his/her normal
behavior. It takes the person’s morals, reputation, and motivation into account when
rating an unusual and irregular behavior that is considered unethical. For instance, if a
person plagiarized a passage that was later detected by a peer, the peer who knows the
person well will understand the person’s character and will judge the friend accordingly.
There are three central concepts of virtue ethics, namely eudaimonism, the ethics of care
and agent-based theories. Eudaimonism can be referred to as happiness or having a
good life, which is said to be achievable by practicing the values of an individual in daily
activities and in resolving conflicts, while the ethics of care is based on the principle that,
when it comes to autonomy and justice, men act through masculinity and women through
caring. Agent-based theories, on the other hand, are about virtues based on intuition
that uses common sense. In this concept, the character traits are kindness, compassion
and benevolence. However, there are four cardinal virtues included in the traditional list.
These are prudence, justice, fortitude or bravery, and temperance. According to
theologian James Keenan, justice makes it imperative for a man to treat others equally
and impartially, while bravery or fortitude makes it possible for a person to aim at self-
care, protecting oneself.

Advantages of Virtue ethics


- Focuses on the development of habits that promote human excellence and happiness.
Virtue ethics serves as a shield against polluting the minds of individuals.
- Recognizes how rational behavior requires being sensitive to the social and personal
dimensions of life.
- “Rational” actions are not based on abstract principles but on moderation, hence are
broad and holistic.
- Provides moral motivation rooted in disposition of excellence that strengthens resolve
and enriches the attitude to do a moral action in a healthy direction.
- Virtues are character traits that are “good” for people to have; the virtuous person will
flourish in life.

Disadvantages of Virtue ethics


- Vast differences on what constitutes a virtue make it difficult to come to a conclusion.
Different people, cultures, and societies have different opinions on what counts as a
virtue.
- Lacks clarity in resolving moral conflicts.
- Misses the importance of obligations to clients and publics.
- Self-centeredness, because its primary concern is the agent’s own character.
- Imprecise. It fails to give any practical step-by-step help on how one should behave.
- Leaves participants hostage to luck. Some will attain moral maturity and others will
not.
- It is weak in the area of what to do in a right-action approach since it is focused on
character formation.

o Social contract
Social contract theory is based upon the idea that each person implicitly agrees to the
rules, morals, and general impulses of the particular society and its government under
which they live from which all civilized behavior flows. It proposes thinking about ethics
in terms of agreements between people (social rights) in contrast to natural rights.
Doing the right thing means abiding by the agreements that the members of a rational
society would choose. So for contract theorists, ethics isn’t necessarily about character,
consequences, or principles. According to the theory, individuals were born into an
anarchic state of nature, which was happy or unhappy according to the particular
version. The rights established by a society are protected and given the highest priority.
Rights are considered to be ethically correct and valid since a large population endorses
them. Individuals may also bestow rights upon others if they have the ability and
resources to do so. Cecile Fabre argues that "it is legitimate to constrain democratic
majorities, by way of the constitution, to respect and promote those fundamental rights
that protect the secure exercise of autonomy and enable participants to achieve well-
being. Social rights are such fundamental rights; it follows that they should be
constitutionalized."

Advantages of Social contract theory


- Prevent serious physical assault or harm against others that would be victimized
(ensure safety and security for everyone).
- Prevent behavior that would offend those who might otherwise be victimized.
- Prevents immoral activities such as irresponsible gambling.
- Prevent actions that are detrimental to a segment of the population.

Disadvantages of Social contract theory


- It gives government too much power to make laws under the guise of protecting the
public.
- In some cases, participants have not consented to the contract.
- It may not be clear to other participants what the terms ought to be.
- Contracts can be unfair for some. For example, the poor do not get the same benefits
of the contract.

 Comparing workable ethics

Ethical theories are sought based on the ethical point of view and objective moral
principles developed using logical reasoning based on facts and commonly held values.
Examples of workable ethical theories include Kantianism (deontology), act and rule
utilitarianism, social contract theory and virtue ethics. These theories are compared in
the diagram below.

Comparison of the five workable ethical theories shows that all of these theories
explicitly take people other than the decision maker into consideration, assume that
moral good and moral precepts are objective, and rely upon reasoning from facts and
commonly held values. In summary, the workable theories state that:
Kantianism
Every person is equally valuable, and when interacting with other people, one should
always respect them as rational beings.

Utilitarianism
One should consider the consequences of an action before deciding whether it’s right or
wrong.

Social contract theory
We should collectively promote human rights, such as the rights to life, liberty, and
property.

Virtue ethics
One can count on a good person to do the right thing at the right time in the right way.

Theory               Motivation          Criteria   Focus
Kantianism           Dutifulness         Rules      Individual
Act Utilitarianism   Consequence         Actions    Group
Rule Utilitarianism  Consequence / Duty  Rules      Group
Social Contract      Rights              Rules      Individual

 Morality of Breaking the Law


Morality (derived from Latin word ‘moralitas’, meaning 'manner, character, proper
behavior') is the differentiation of intentions, decisions and actions between those that
are distinguished as proper and those that are improper. Morality can be a body of
standards or principles derived from a code of conduct from a particular philosophy,
religion or culture, or it can derive from a standard that a person believes should be
universal. Morality may also be specifically synonymous with “goodness” or "rightness".
Immorality is the active opposition to morality (i.e. opposition to that which is good or
right), while amorality is variously defined as an unawareness of, indifference toward, or
disbelief in any particular set of moral standards or principles. The morality of breaking
the law can differ depending on a situation and the theory in practice.

Social Contract Theory Perspective


Everyone in society bears certain burdens in order to receive certain benefits. The legal
system is supposed to guarantee that people’s rights are always protected. Everything else
being equal, participants should be law-abiding. One should only break the law if compelled
to follow a higher-order moral obligation.

Kantianism Perspective
Everyone wants to be treated justly. Imagine rule: “I may break a law I believe to be
unjust”. If everyone acted according to this rule, then laws would be subverted. One
cannot wish to be treated justly and allow laws to be subverted at the same time.

Rule Utilitarian Perspective


What would be the consequences of people ignoring laws they felt to be unjust? A beneficial
consequence (happiness of people who are doing what they please) or harmful
consequences (harm to people directly affected by lawless actions, general loss of
respect for laws, increased burden on the criminal justice system). One should only break
the law if the harms are greater than the benefits.

Act Utilitarian Perspective


It is possible to conceive of situations where the benefits of breaking the law exceed the harms.
Suppose I give a penniless, bedridden friend a copy of a CD: he/she benefits by $15 (value
of the CD), I benefit by $10 (satisfaction of helping a friend), and the harms are $0 (no lost
sale, no police involvement). With $25 of benefit and $0 of harm, the action is determined to be good.


4.2 NETWORKED COMMUNICATION


Networked communication refers to communication based on the rapid, multi-directional
flow of messages and information supported by interconnected online and mobile data-
sharing technologies. It is a paradigm associated with the concept of an information
society, based on many-to-many communication. A network is a group of devices, comprising
hardware and software, connected together, whether in the same geographical location or
globally, to facilitate communication and information sharing. Modern communication
networks consist of servers, clients, transmission media, data, operating systems,
switches, routers, cables, printers and various peripheral devices, extending
communication between devices from local area networks to globally covered networks
as shown in the diagram below.

 Cybercrime
Cybercrime, or computer-oriented crime, is a crime that involves a computer and a
network that may be used in the commission of a crime (computer as a tool), or may be
the target itself (computer as a target) threatening a person, a group or a nation's
security and financial health. Besides outsiders, or hackers, many computer crimes,
such as embezzlement or planting of logic bombs, are committed by trusted personnel
who have authorization to use company computer systems. Some cybercriminals are
organized, use advanced techniques and are highly technically skilled while others are
novice hackers. Most cyber criminals have the intention to make money or ruin the
target organization’s reputation.

o Types of cybercrimes
Some examples of these types of crimes include the following:

DDoS Attacks
These are used to make an online service unavailable and take the network down by
overwhelming the site with traffic from a variety of sources. Large networks of infected
devices (Botnets) are created by depositing malware on users’ computers. The hacker
then hacks into the system once the network is down.

Botnets
Botnets are networks of compromised computers that are controlled externally by
remote hackers. The remote hackers then send spam or attack other computers
through these botnets. Botnets can also be used to act as malware and perform
malicious tasks.

Identity Theft
This cybercrime occurs when a criminal gains access to a user’s personal information to
steal funds, access confidential information, or participate in tax or health insurance
fraud. They can also open a phone/internet account in your name, use your name to
plan a criminal activity and claim government benefits in your name. They may do this
by finding out user’s passwords through hacking, retrieving personal information from
social media, or sending phishing emails.

Cyberstalking
This kind of cybercrime involves online harassment where the user is subjected to a
plethora of online messages and emails. Typically cyberstalkers use social media,
websites and search engines to intimidate a user and instill fear. Usually, the
cyberstalker knows their victim and makes the person feel afraid or concerned for their
safety.

Social Engineering
Social engineering involves criminals making direct contact with users, usually by phone
or email, with the aim of gaining one’s confidence; they usually pose as a customer
service agent to get the information they need, such as passwords or bank
details. Cybercriminals will find out what they can about the target on the internet
and then attempt to add him/her as a friend on social accounts. Once they gain access
to an account, they can sell the information or secure accounts in the victim’s name.

Potentially Unwanted Programs PUPs


PUPs are less threatening than other cybercrimes, but are a type of malware. They
uninstall necessary software in your system, including search engines and pre-
downloaded apps. They can include spyware or adware, so it’s a good idea to install
antivirus software to avoid the malicious download.

Phishing
This type of attack involves hackers sending malicious email attachments or URLs to
users to gain access to their accounts or computer. Cybercriminals are becoming more
established and many of these emails are not flagged as spam. Users are tricked by
emails claiming they need to change their password or update their billing information,
giving criminals access.

Prohibited/Illegal Content
This cybercrime involves criminals sharing and distributing inappropriate content that
can be considered highly distressing and offensive. Offensive content can include, but is
not limited to, sexual activity between adults, videos with intense violence and videos of
criminal activity. Illegal content includes materials advocating terrorism-related acts and
child exploitation material. This type of content exists both on the everyday internet and
on the dark web, an anonymous network.

Online Scams
These are usually in the form of ads or spam emails that include promises of rewards or
offers of unrealistic amounts of money. Online scams include enticing offers that are
“too good to be true” and when clicked on can cause malware to interfere and
compromise information.

Exploit Kits
Exploit kits need a vulnerability (bug in the code of a software) in order to gain control of
a user’s computer. They are readymade tools criminals can buy online and use against
anyone with a computer. The exploit kits are upgraded regularly similar to normal
software and are available on dark web hacking forums.

Fake or Rogue Anti-Virus Software


In this scheme, victims are scared into purchasing anti-virus software that would
allegedly remove viruses from their computers. A pop-up box appears that informs
users that their computers are full of viruses and need to be cleaned. The pop-up
message has a button victims can click to purchase anti-virus software that supposedly
can immediately get rid of these viruses. If the victims click the pop-up to purchase the
anti-virus software, they are infected with malware. In some instances, victims have
been infected regardless of clicking on the pop-up box.

Specific examples of the different types of cybercrime also include:


- Email and internet fraud.
- Identity fraud (where personal information is stolen and used).
- Theft of financial or card payment data.
- Theft and sale of corporate data.
- Cyberextortion (demanding money to prevent a threatened attack).
- Ransomware attacks (a type of cyberextortion).
- Cryptojacking (where hackers mine cryptocurrency using resources they do not own).
- Cyberespionage (where hackers access government or company data).

 Cybercrime vulnerabilities and exploitations of the internet


Vulnerabilities are weaknesses in a system, its design, its implementation, or operation
and management which can be exploited by a threat actor, such as an attacker, to
perform unauthorized actions within a system thereby executing commands, accessing
unauthorized data, and/or conducting denial-of-service attacks. Vulnerabilities may have
different dimensions depending on the asset class they are related to. Common
examples include:

Hardware
- susceptibility to humidity
- susceptibility to dust
- susceptibility to soiling
- susceptibility to unprotected storage

Software
- insufficient testing
- lack of audit trail
- design flaw

Network
- Unprotected communication lines
- Insecure network architecture

Personnel
- Inadequate recruiting process
- Inadequate security awareness

Physical site
- area subject to flood
- unreliable power source

Organizational
- lack of regular audits
- lack of continuity plans
- lack of security

To exploit a vulnerability, an attacker must have at least one applicable tool or
technique that can connect to a system weakness. In this frame, vulnerability is also
known as the attack surface. A security risk is the potential of a significant impact
resulting from a vulnerability exploitation. There are vulnerabilities without risk, for
instance when the affected asset has no value. An exploitable vulnerability refers to a
vulnerability with one or more known instances of working and fully implemented
attacks.

 Responses to cybercrime activities


Recommended actions to be undertaken by organizations and end users in response to
cybercrime include the following:
- Prioritize patching of all the vulnerabilities identified in this report.
- Remove the affected software if it doesn’t impact key business processes.
- Consider Google Chrome as a primary browser.
- Be aware that Facebook and other social media sites use Flash technology and users
frequently enable Flash to run on these sites.
- Utilize browser ad-blockers to prevent exploitation via malvertising.
- Frequently back up systems, particularly those with shared files, which are regular
ransomware targets.
- Deliver user training to encourage skepticism of emails requesting additional
information or prompting clicks on any links or attachments. Companies will not
generally ask customers for personal or financial data, but when in doubt, contact the
company directly by phone and confirm if they actually need the information.
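The password-reset and billing lures described under Phishing above, and the skepticism about links that the training bullet calls for, can be partly automated at a mail gateway. The following is an added example, not code from the notes: a heuristic checker run over two constructed sample messages, in which every .example domain, the lure phrase list and the two-label domain guess are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed starter list of lure phrases; a real gateway would use a larger, tuned set.
LURE_PHRASES = (
    "change your password",
    "update your billing",
    "verify your account",
    "account will be suspended",
)
ANCHOR_RE = re.compile(r'<a\s[^>]*?href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s<>"\']+', re.I)

def registrable_domain(host: str) -> str:
    """Crude registrable-domain guess: the last two labels of a host name.
    Adequate for the samples here; production code should consult a
    public-suffix list (e.g. example.co.uk has three labels)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def address_domain(header_value) -> str:
    """Domain part of the first address in a header value, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def text_parts(msg) -> str:
    """Concatenate the text/plain and text/html bodies of a parsed message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def check_message(raw_message: str) -> list:
    """Return human-readable reasons the message looks like a lure; an empty
    list means no heuristic fired. Each reason is one signal, so the list
    length doubles as a simple risk score."""
    msg = message_from_string(raw_message)
    reasons = []

    # Signal 1: replies would go to a different domain than the apparent sender.
    sender = registrable_domain(address_domain(msg.get("From")))
    reply_to = registrable_domain(address_domain(msg.get("Reply-To")))
    if sender and reply_to and reply_to != sender:
        reasons.append(f"Reply-To domain {reply_to} differs from From domain {sender}")

    # Signal 2: credential / billing lure wording.
    body = text_parts(msg)
    lowered = body.lower()
    for phrase in LURE_PHRASES:
        if phrase in lowered:
            reasons.append(f"lure phrase present: '{phrase}'")

    # Signal 3: links. HTML anchors give (href, visible label); bare URLs in
    # the remaining text have no label to compare against.
    links = ANCHOR_RE.findall(body)
    links += [(url, "") for url in URL_RE.findall(ANCHOR_RE.sub(" ", body))]
    for href, label in links:
        target = registrable_domain(urlparse(href).hostname or "")
        shown = URL_RE.search(label)
        if shown:
            shown_domain = registrable_domain(urlparse(shown.group(0)).hostname or "")
            if shown_domain != target:
                reasons.append(f"link text shows {shown_domain} but points to {target}")
        if sender and target and target != sender:
            reasons.append(f"link to {target} is outside the sender domain {sender}")
    return reasons

# Constructed sample messages (not real mail); every .example domain is a placeholder.
PHISHING_SAMPLE = """\
From: "Bank Support" <support@secure-login.example>
Reply-To: collect@mailbox-farm.example
To: victim@corp.example
Subject: Action required
Content-Type: text/html; charset="utf-8"

<p>We could not process your last payment. Please update your billing
details within 24 hours, or your account will be suspended.</p>
<p><a href="http://bank.example.secure-login.example/billing">https://bank.example/login</a></p>
"""

BENIGN_SAMPLE = """\
From: "IT Helpdesk" <helpdesk@corp.example>
To: staff@corp.example
Subject: Patch window on Saturday
Content-Type: text/plain; charset="utf-8"

Servers will be patched on Saturday from 02:00. Details and the backup
schedule are on the intranet: https://intranet.corp.example/patching
"""

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, check_message(sample))
```

The phishing sample trips four signals (mismatched Reply-To, two lure phrases, and a link whose visible bank.example text points at a lookalike host), while the helpdesk notice trips none; such heuristics complement, rather than replace, the user training the list recommends.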


4.3 INFORMATION PRIVACY AND THE GOVERNMENT

Information privacy is the relationship between the collection and dissemination of data,
technology, the public expectation of privacy, and the legal and political issues surrounding
them. It is also known as data privacy or data protection. Data privacy is challenging
since it attempts to use data while protecting an individual's privacy preferences and
personally identifiable information.

 ICT Legislation and laws governing ICT in Zimbabwe, Regional and International
The development of information and communications technologies (ICTs) enables
businesses and individuals to communicate and engage in transactions with other
parties electronically, instantaneously and internationally. This gives rise to a variety of
legal and regulatory issues for policymakers, from the validity of electronic methods of
contracting and the security risks associated with them, to concerns over cybercrime
and the ability to protect intellectual property rights online. ICT policymakers are
constantly facing challenges in dealing with these issues. Adversaries are always keen
to create and exploit vulnerabilities in ICT services, which store and communicate vast
amounts of sensitive information, facilitate the digital economy and support critical
infrastructure and vital emergency services, in order to commit malicious cyber-enabled
actions. Various laws and regulations have been formulated locally, regionally and
internationally to curb or minimize such acts.

o Zimbabwe
Zimbabwe has five laws that govern the terrain of information and communications.
With regard to cybercrime, the laws and regulations in place set out policy on the
enactment of the necessary cyber laws and legislative provisions, namely to:
a. Develop the information economy and society that will be facilitated by necessary
legal and legislative provisions.
b. Administer the enactment of the necessary cyber laws and legislative provisions to
govern and regulate cyber-related activities in the country.
c. Put in place the necessary legislation to facilitate electronic commerce.
d. Facilitate the enactment of laws relating to intellectual property rights, data
protection and security, freedom of access to information, computer related and
cybercrime laws, i.e.
- Adopt data protection and privacy
- Intellectual property protection and copyright
- Consumer protection
- Child online protection.

Postal and Communications Act (2004)

AN ACT to provide for the establishment of the Postal and Telecommunications
Authority and to provide for its functions and management; to provide for the licensing
and regulation of cellular telecommunication, postal and telecommunication services.

Broadcasting Services Act (2001)

Among the functions set out in the Act are:
- to plan and advise on the allocation and distribution of the available frequency
spectrum, for which purpose it shall have regard to the provisions for the planning of
the broadcasting service bands;
- to receive, evaluate and consider applications for the issue of any broadcasting
licence or signal carrier licence;
- to monitor tariffs charged by broadcasting licensees with a view to eliminating unfair
business practices among such licensees and to protect the interests of consumers;
- to encourage providers of commercial and community broadcasting services and
systems to be responsive to the need for a fair and accurate coverage of matters of
public interest and for an appropriate coverage of matters of local significance.

Access to Information and Protection of Privacy Act (AIPPA) (2002)

This Act regulates the collection, protection and retention of personal information held
by public bodies. Protected information includes:
- deliberations of Cabinet and local government bodies
- advice or recommendations given to the President, a Cabinet member or a public body
- information that is subject to the client-attorney privilege of the public body
- information whose disclosure would be harmful to the law enforcement process or to
national security
- information relating to intergovernmental relations or negotiations
- information relating to the financial or economic interests of the public body or the
state
- research information, if disclosure would result in the researcher losing their right of
first publication or any intellectual property rights
- information which, if disclosed, would result in damage to or interference with the
conservation of heritage sites
- information that relates to a person's safety, mental or physical health, or personal
privacy
- business interests of a party, including but not limited to trade secrets, commercial
information, scientific information and technical information.
Provision of false information is an offence punishable by a level 5 fine and/or
imprisonment for 6 months.
In addition to the above, the Act provides for the regulation of mass media services and
the establishment of the Media and Information Commission.

Interception of Communications Act (ICA) (2007)

The purpose of this Act is to provide for the lawful interception and monitoring of
communications in any form of transmission, including telecommunications and post.
Access to the intercepted information is restricted to the security services, which are
required to apply for permission to intercept the specific information they seek. A holder
of encrypted (protected) information may be put on notice and required to disclose that
information where there is a reasonable belief that disclosure is in the interests of
national security, prevents or exposes a serious offence, or is in the interests of the
economic well-being of Zimbabwe. Information obtained may not be disclosed to any
other person except for the purposes of the Act or as evidence in a court of law. A
breach of this may result in a level 14 fine and/or 5 years' imprisonment.

Criminal Law (Codification and Reform) Act (Criminal Code) (2004)

The Act consolidates and amends the criminal law of Zimbabwe, essentially replacing
the non-statutory Roman-Dutch criminal law. A person may be tried, convicted and
punished for a crime, whether in terms of this Code or any other enactment, regardless
of where the crime or an essential element of the crime took place.

o International
To create an international network on cybersecurity, a conference was held in March
2014 in New Delhi, India. The objectives set at the International Conference on
Cyberlaw & Cybercrime are as follows:
- To recognize the developing trends in cyberlaw and the legislation impacting
cyberspace in the current situation.
- To generate better awareness in order to battle the latest kinds of cybercrime
impacting all investors in the digital and mobile network.
- To recognize the areas, for stakeholders of the digital and mobile network, where
cyberlaw needs to be further evolved.
- To work towards creating an international network on cybercrime, so that legal
authorities can be a significant voice in the further development of cybercrime and
cyberlaw legislation throughout the globe.

Intellectual property rights are the legal rights that cover the privileges given to
individuals who are the owners and inventors of a work and have created something
with their intellectual creativity. Individuals working in areas such as literature, music,
invention, etc., can be granted such rights, which they can then use in their business
practices. The creator or inventor gets exclusive rights against any misuse, or any use
of the work without his or her prior knowledge. However, the rights are granted for a
limited period of time to maintain equilibrium. The following activities are covered by
intellectual property rights, as laid down by the World Intellectual Property
Organization (WIPO):
- Industrial designs
- Scientific discoveries
- Protection against unfair competition
- Literary, artistic, and scientific works
- Inventions in all fields of human endeavour
- Performances of performing artists, phonograms, and broadcasts
- Trademarks, service marks, commercial names, and designations
- All other rights resulting from intellectual activity in the industrial, scientific, literary, or
artistic fields

 Legislative and Regulatory Compliance

Compliance means conforming to a rule, such as a specification, policy, standard or
law. Regulatory compliance describes the goal that organizations aspire to achieve in
their efforts to ensure that they are aware of, and take steps to comply with, relevant
laws, policies and regulations. Due to the increasing number of regulations and the need
for operational transparency, organizations are increasingly adopting consolidated and
harmonized sets of compliance controls. This approach ensures that all necessary
governance requirements can be met without unnecessary duplication of effort and
activity. Regulatory compliance varies not only by industry but often by location.
Information technology law (also called "cyberlaw") concerns the law of information
technology, including computing and the internet. It is related to legal informatics, and
governs the digital dissemination of both (digitalized) information and software,
information security and electronic commerce aspects, and it has been described as
"paper laws" for a "paperless environment". It raises specific issues of intellectual
property in computing and online, contract law, privacy, freedom of expression, and
jurisdiction.

o Application of legislation in investigation and prosecution of cyber criminals

Investigation of cyber crime


Even with strong substantive and procedural domestic criminal laws and assent to
international instruments, investigations may yield little unless the investigators are well
equipped and competent. A major task faced by the broader criminal justice community
is communicating a shared understanding regarding the main technical skills,
knowledge and roles performed during investigations and prosecutions. Many cyber
crimes are sophisticated and well-conceived, requiring the application of technological
expertise and deductive reasoning to unravel complex 'modus operandi' and
substantiate elements of an offence. Criminals use behavioral profiling to masquerade
as ordinary system users whilst navigating private networks and exploiting applications
to avoid arousing suspicion. The idiom ‘rubbish in, rubbish out’ reflects the danger of
appointing untrained and incapable personnel to capture proof of malevolent activity
and secure evidence of cyber crime offending. Like the organized criminal elements that
embrace new technologies whilst adhering to proven techniques for committing crime,
investigators must think like their criminal adversaries to decipher the technical
underpinnings of cyber crime offending. Although forensic analysis can uncover the
‘smoking gun’ which makes or breaks a case, more often it adds value by providing
intelligence to establish facts of a corroborative nature. The need for trained
investigators and prosecutors who are conversant with sources of electronic evidence is
becoming increasingly critical as criminal acts move from physical to digital domains. In
order to effectively attend to the rigors of a cyber crime inquiry, investigators require a
range of ‘soft’ and ‘hard’ skills, coupled with the experience to apply those skills in real
and virtual environments as shown in the two tables below.

Soft Digital Forensics Investigative Skill Sets

Soft skill: competency
- Communicative: Liaise with the public, other team members, court staff, lawyers, law
enforcement personnel, and other interlocutors.
- Rational: Swiftly assess a situation and make appropriate decisions.
- Collaborative: Rapidly gain the confidence of others and sustain those relationships.
- Intuitive: Instinctively differentiate between normal and abnormal events.
- Coherent: Explain technical subject matter in plain language and make information
accessible to diverse audiences.
- Resilient: Prioritize and maintain composure whilst working under pressure.
- Punctual: Meet deadlines and provide deliverables to specification.
- Fastidious: Maintain focus with persistent attention to detail.
- Disciplined: Restrained work ethic with strict observance of directives and
mindfulness of personal and technical limitations.
- Strategic: Formulate and ask probing questions of key stakeholders and devise plans
which bring value to an inquiry.

Hard Digital Forensics Investigative Skill Sets

Hard skill: competency
- Research: Expeditious retrieval of information in the public domain and reference
material stored across the corporate network. Capacity to gain insights by triangulating
information from disparate sources that are inaccessible via public search engines.
- Awareness: Vigilance in maintaining awareness of developments in the field of
information security. Applied knowledge of industry best practices for conducting digital
forensics investigations.
- Evidence Continuity: Strict compliance with established processes for demonstrating
chain-of-custody when handling electronically stored information.
- Forensic Imaging: Applied knowledge of data preservation techniques, which use both
physical and logical methods to forensically acquire data and verify sources of
information.
- Networking Architecture: Practical understanding of the Open System Interconnection
(OSI) model and the function of communication technologies in the storage and
transmission of data, such as network protocols, media access control (MAC)
addresses, firewalls, routers, proxy servers, data centers, online applications, cloud
services, host-based applications, redundant array of independent disks (RAID),
clusters, virtual servers, and modes of multifactor authentication.
- Hardware: Applied knowledge of components and peripherals connected to
information systems, including hard disk drives, solid state drives (SSDs), random
access memory (RAM), the basic input output system (BIOS), network interface cards
(NICs), chipsets, and flash storage.
- File Systems: Applied knowledge of diverse file system attributes such as FAT, FAT32,
exFAT, NTFS, HFS+, XFS, Ext2, Ext3, Ext4, and UFS.
- Structured Data Analysis: Retrieval and interpretation of universally formatted
information, such as fixed field entries inside records, as well as embedded information
associated with operating systems, relational databases, spreadsheets, registries,
Internet history, security and system logs, and encrypted file systems.
- Unstructured Data Analysis: Interpretation of values associated with detached files
stored across various file systems, such as digital photos, graphic images, videos,
streaming data, webpages, PDF files, PowerPoint presentations, email data, blog
entries, wikis, and word processing documents.
- Semi-structured Data Analysis: Extraction of tags, metadata, or other types of identity
markers subsisting within detached files, including information indicative of authorship,
revision number, creator, sender, recipient, time and date particulars, GPS coordinates,
keywords, and firmware version. This activity also extends to analysis of relational data
within files that are associated with detached files, such as XML and other markup
languages.
- Reverse Engineering: Functional understanding of the mechanics of software
development, remote administration, and malware proliferation.
- Programming and Scripting: Knowledge of coding using languages such as C, C++,
C#, Perl, Delphi, HTML, .NET, ASP, Python, Java, JavaScript, Ruby, Bash scripting,
VBScript, PowerShell, Unix/Linux, EnScript.
- Virtualization: Applied knowledge of building, configuring, and deploying virtual
machines.
- Technical Reporting: Experience in producing highly granular reports detailing the
inner workings of information communication technologies, file integrity, authenticity of
information, and movement of data.
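
The evidence continuity and forensic imaging competencies above describe what an investigator must be able to do; the following added example (not from these notes) shows the core mechanics in Python: acquiring a byte-for-byte image of a source, verifying the image by hash, and keeping a hash-chained chain-of-custody log in which both a modified image and an edited log entry are detected. The file names, custodian names and evidence id are constructed placeholders.

```python
"""Added example: hash-verified acquisition plus a tamper-evident custody log."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source_path, image_path):
    """Logical acquisition: copy the source byte for byte, then hash source and
    image independently. The hash is only returned when the two agree."""
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(1 << 20), b""):
            dst.write(chunk)
    src_hash = sha256_of_file(source_path)
    img_hash = sha256_of_file(image_path)
    if src_hash != img_hash:
        raise RuntimeError("acquisition verification failed: hashes differ")
    return img_hash


class CustodyLog:
    """Append-only chain-of-custody record. Each entry commits to the previous
    entry's digest, so altering or removing a past entry breaks the chain."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, custodian, action, evidence_id, evidence_hash, when=None):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "seq": len(self.entries),
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "custodian": custodian,
            "action": action,
            "evidence_id": evidence_id,
            "evidence_hash": evidence_hash,
            "prev_entry_hash": prev,
        }
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """True only if every entry is intact and correctly linked to its predecessor."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i or e["prev_entry_hash"] != prev:
                return False
            if self._digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def verify_evidence(image_path, log, evidence_id):
    """Re-hash the image and compare with the hash recorded at acquisition."""
    if not log.verify():
        return False
    acquired = [e for e in log.entries
                if e["evidence_id"] == evidence_id and e["action"] == "acquired"]
    if not acquired:
        return False
    return sha256_of_file(image_path) == acquired[0]["evidence_hash"]


def demo():
    """Constructed scenario: acquire, hand over, verify, then detect two kinds of
    tampering. Returns (intact, image_tampered_ok, log_tampered_ok)."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "suspect_usb.bin")      # placeholder source device
        img = os.path.join(d, "EX-001.raw")           # placeholder image file
        with open(src, "wb") as f:
            f.write(b"constructed sample content\n" * 1000)
        log = CustodyLog()
        h = acquire_image(src, img)
        log.record("examiner_A", "acquired", "EX-001", h)
        log.record("examiner_B", "received", "EX-001", h)
        intact = verify_evidence(img, log, "EX-001")
        # A single changed byte in the image is caught on re-hash.
        with open(img, "r+b") as f:
            f.seek(10)
            f.write(b"X")
        image_ok = verify_evidence(img, log, "EX-001")
        # Editing a past custody entry breaks the hash chain.
        log.entries[0]["custodian"] = "someone_else"
        log_ok = log.verify()
        return intact, image_ok, log_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```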

Prosecuting Cyber criminals


In the analog world, a crime will result in investigations, arrests and punishment. The
world of cyber crime is more complicated. There are too many cybersecurity incidents
and too few law enforcement resources available to keep up with the crime. To add
more complexity to the issue, there are jurisdictional boundaries that prevent criminals
from being prosecuted, despite assistance from Interpol and other agencies. To try to
mitigate the challenge of jurisdictional boundaries, countries enter into extradition
treaties with each other, but again not all countries participate. Globally, the manpower
and skills to investigate are lacking. As a result, law enforcement agencies tend to focus
their time and effort on the bigger cases they know will result in successful
prosecution. Cyber crime that has real effects on people is prioritized. This includes
cyber bullying, child sex crimes, single incidents that cause a financial burden to a large
number of people, and crimes that threaten the security of the country. Smaller crimes
are not usually on the radar of law enforcement. The reality of the situation today is that
most small, mid and even large-size businesses do not have a great opportunity to see
legal justice. Oftentimes, companies and individuals do not even report cyber incidents
to the authorities. Their best bet is to build up their cybersecurity programs. Companies
should also consider investing in insurance programs to support the business
financially if they fall victim to cybercrime.

o Law enforcement strategies to prevent and control cybercrime


Cybercrimes, or offenses enabled by technology, affect computer systems and people
and prove difficult to pursue through traditional criminal justice strategies due to
jurisdictional challenges and legal hurdles. As a result, corporations and industry put
much more emphasis on mitigating various forms of cybercrime. The widely accepted
plan to prevent or control cybercrime builds on the operational framework consisting
of various action items, including success indicators and timelines, to implement the
Cybercrime Operational Framework and improve the organization’s posture against
cybercrime.

Create a new investigative team dedicated to combat cybercrime


The law enforcement team requires dedicated investigative capacity to address
cybercrime, where new technical capabilities are integrated with traditional enforcement
measures.

Success indicators
- Conduct more cybercrime investigations.
- Apprehend more cybercriminals.
- Disrupt more cybercrime activity.

Establish a governance structure for cybercrime priorities and operations.


A reliable governance structure is required to oversee cybercrime investigative priorities
and operations.

Success indicators
- Provide governance, oversight and accountability for the cybercrime investigative
team.
- Provide tactical operational support, advice and direction to all major investigational
cybercrime projects.

Create a dedicated intelligence unit to identify new and emerging cybercrime threats.
It is important to put in place dedicated resources to analyze more data sources, to
foster a strategic intelligence picture of cybercrime as a whole, and to better identify
major cybercrimes for enforcement action.

Success indicators
- Collect and analyze data sources on cybercrime threats and trends to identify
vulnerabilities and enforcement opportunities for investigators.
- Produce cybercrime intelligence to identify leads and operational priorities for
enforcement action.

Improve digital evidence capabilities for cybercrime investigations.


Cybercrime investigations have a greater requirement for operating in online
environments through open source analysis and covert means, and obtaining and
analyzing data (potential digital evidence) to drive investigations. The new cybercrime
investigative team is expected to handle large and complex volumes of digital evidence,
such as potential evidence from lawfully seized digital devices and servers.

Success indicators
- Provide digital forensic support to cybercrime investigations, including those led by the
cybercrime investigative team.
- Acquire new operational tools to analyze digital evidence more effectively.

Expand cybercrime investigative training opportunities for law enforcement


Criminal investigators and intelligence analysts require basic and advanced training in
new and emerging technologies to keep pace with cybercrime. To address this
requirement, the team should improve its law enforcement training for cybercrime-
related matters by providing new cybercrime investigative and intelligence training
opportunities for the law enforcement partners.

Success indicators
- Develop and implement new cybercrime investigative courses for law enforcement.
- Expand basic and advanced cybercrime investigative skills across Canada.

Examine ways to improve the collection and analysis of suspicious cybercrime incidents
involving critical infrastructure and other vital cyber systems.
It is important to examine physical and cyber threats to critical infrastructure, and
collaborate with law enforcement, public and private sector stakeholders to ensure a
common understanding of the criminal threats and risks surrounding critical
infrastructure, including those in the cyber realm.

Success indicators
- Improve the collection and analysis of suspicious and possibly criminal cyber incidents
occurring at critical infrastructure facilities and other vital cyber operations.
- Engage the critical infrastructure and vital cyber systems community to inform it of
suspected cybercrime threats and ways to address them.

Examine integrated enforcement models for combating cybercrime.

Cybercrime activities are often multi-jurisdictional in nature and require the combined
efforts of the law enforcement principals. Expand international collaboration with close
allies to better understand and combat cybercrimes that are transnational in character.

Success indicators
- Greater international coordination and deconfliction for major cybercrime
investigations.

Examine ways to further inform users and industry of emerging cybercrime threats.
Under the broad context of cyber security, public and private sector organizations, and
users themselves, play important roles in addressing cybercrime. The private sector has
a critical cyber role in securing its own networks and systems of wider importance, such
as telecommunications, banking and other critical infrastructure sectors. Users should
also take basic measures to protect themselves online, such as using up-to-date cyber
security and anti-virus software, using unique and secure user names and passwords,
and downloading online applications from only trusted sources. To take these and other
proactive measures against cyber threats, users and industry must be aware of
cybercrimes they are facing.

Success indicators
- Provide users and industry with more relevant and timely information on cybercrime
threats.
- Encourage users and industry to take proactive measures against cybercrime.

Support the modernization of legal and policy tools to keep pace with technological
change.

At all levels of government, law enforcement agents address cybercrime within the
boundaries of the legal environment, which includes a combination of jurisprudence,
legislation, public policies, and other legal and policy instruments. The legal and public
policy regime will need to keep pace with the evolution of technology to permit the
effective investigation of cybercrime, both domestically and internationally.

Success indicators
- Modernized and new criminal offences and investigative legal tools to better address
cybercrime.
- Improve law enforcement's ability to conduct international cybercrime investigations
through harmonized legal tools between state allies.

o Effects of inappropriate content to minors


If not monitored, children face various challenges on the cyber space emanating from
many factors that include cyber bullying and pornographic material. Pornography use
can shape sexual practices and is associated with unsafe sexual health practices such
as not using condoms and unsafe anal and vaginal sex. Pornography may strengthen
attitudes supportive of sexual violence and violence against women. The best approach
for parents, caregivers and teachers responding to children's exposure to pornography
is to encourage open communication, discussion and critical thinking on the part of
children, while educating themselves about the internet and social media. Exposure to
explicit online content may cause children and young people to develop different
"sexual literacies" from previous generations. Australian Government and non-government
services have taken steps to reduce children and young people's exposure to online
risks - including pornography - and enact harm minimisation strategies. Three key types
of intervention have been identified:
- legal and regulatory avenues to existing legislation regarding online pornography and
online behaviour such as sexting and the sharing of explicit images;
- education for children and young people (e.g., critical media and digital literacy,
respectful relationships, sexuality and sexual health); and
- education and resources for teachers and parents about how they can support safe,
respectful relationships for children and young people both online and IRL (in real life).

o Morality of Whistleblowing
Whistleblowers are those employees or ex-employees of a company who report their
company’s misdoings and expose the wrongful and unethical actions of their
employer(s). Depending on the kind of whistleblowing they do, whistleblowers are
categorized into the following two types:

Internal whistleblowers
Internal whistleblowers report the unethical actions or illegal procedures of an employee
or a group of employees of their company to someone who is a supervisor or senior
authority in that company.

External whistleblowers
External whistleblowers report the wrongdoing of their companies to external agencies.
Most external whistleblowers come from huge corporations where the top
management itself passes down unethical, and at times illegal, directions to follow.
There are times when whistleblowers are also employees working with various other
corporations, both local and international. Due to this, many whistleblowers are also
categorized based on the organizations they come from. Depending on that, there are
two types of whistleblowers:

Federal whistleblowers
Federal whistleblowers work with government bodies and report cases that are related
to national policies, etc. A recent case could be cited of Mr Edward Snowden, who
used to work with NSA as a government contractor and reported NSA to be spying on
people and tapping their phone calls.

Corporate whistleblowers
Corporate whistleblowers work with private corporate houses and leak acts of cheating
and fudging records and accounts to higher authorities.

Many big insurance houses in the past had been brought to task by ethical employees
who didn’t like the way the companies were functioning. One of the largest energy
companies, Enron, from the US was brought to its knees by Sherron Watkins, who was
the Vice President of the company and had reported massive irregularities in the
accounting stages of various financial reports.

o Ethical perspectives on censorship


Censorship is the destruction of speech, public communication, or other information, on
the basis that such material is considered objectionable, harmful, sensitive, or
inconvenient. Censorship can be conducted by governments, private institutions, and
other controlling bodies. Self-censorship is when an individual such as an author or
other creator engages in censorship of their own works or speech. General censorship
occurs in a variety of different media, including speech, books, music, films, and other
arts, the press, radio, television, and the Internet for a variety of claimed reasons
including national security, to control obscenity, child pornography, and hate speech, to
protect children or other vulnerable groups, to promote or restrict political or religious
views, and to prevent slander and libel. Censorship has been criticized throughout
history for being unfair and hindering progress. Censorship is often used to impose
moral values on society, as in the censorship of material considered obscene.

Advantages of Censorship
- Censorship can reduce the impact of hate speech in society.
- Censorship can protect children from unhealthy content.
- Censorship can reduce the amount of conflict that is in society.
- It can provide another level of security to a country’s or organization’s profile.
- Censorship protects the rights of artists, innovators, and inventors.
- Censorship provides us with a vehicle to stop false content.
- Censorship can work to improve a person’s knowledge.
- Censorship can limit the impact of identity theft.

Disadvantages of Censorship
- It represses one group of people in favor of what the majority wants.
- It allows people to create a specific narrative in society to call it truth.
- It stops people from pursuing career opportunities.
- It reduces the overall intelligence of the general public.
- It prevents an individual from expressing themselves freely.
- It shifts where the responsibility of consumption is in society.
- It allows a false narrative to become the truth.
- It is expensive to be engaged in the practice of censorship.
- It creates repression so that it encourages compliance.

 Security governance principles


Security governance is the process for providing concepts and guidance on principles
and processes by which organizations evaluate, direct, and monitor the management of
information security. It offers the alignment of information security objectives and
strategy with overall business objectives and strategy.

Framework for Security Governance

The basic security governance functions are as follows:

Direct
Guiding security management from the point of view of enterprise strategies and risk
management. This function involves developing an information security policy.

Monitor
Monitoring the performance of security management with measurable indicators.

Evaluate
Assessing and verifying the results of security performance monitoring in order to
ensure that objectives are met and to determine future changes to the ISMS and its
management.

Communicate
Reporting enterprise security status to stakeholders and evaluating stakeholder
requirements.

Six principles of Security Governance

Establish organization wide information security


Information security, or cybersecurity, concerns should permeate the organization's
structure and functions. Management at all levels should ensure that information
security is integrated with information technology (IT) and other activities. Top-level
management should ensure that information security serves overall business objectives
and should establish responsibility and accountability throughout the organization.

Adopt a risk-based approach


Security governance, including allocation of resources and budgets, should be based on
the risk appetite of an organization, considering loss of competitive advantage,
compliance and liability risks, operational disruptions, reputational harm, and financial
loss.

Set the direction of investment decisions


Information security investments are intended to support organizational objectives.
Security governance entails ensuring that information security is integrated with existing
organization processes for capital and operational expenditure, for legal and regulatory
compliance, and for risk reporting.

Ensure conformance with internal and external requirements


External requirements include mandatory legislation and regulations, standards leading
to certification, and contractual requirements. Internal requirements comprise broader
organizational goals and objectives. Independent security audits are the accepted
means of determining and monitoring conformance.

Foster a security-positive environment for all stakeholders


Security governance should be responsive to stakeholder expectations, keeping in
mind that various stakeholders can have different values and needs. The governing
body should take the lead in promoting a positive information security culture, which
includes requiring and supporting security education, training, and awareness
programs.

Review performance in relation to business outcomes.


From a governance perspective, security performance encompasses not just
effectiveness and efficiency but also impact on overall business goals and objectives.
Governance executives should mandate reviews of a performance measurement
program for monitoring, audit, and improvement that links information security
performance to business performance.

Adherence to these principles is essential to the success of information security in the
long term. How these principles are to be satisfied, and who is responsible and
accountable, depend on the nature of the organization.

Desired outcomes of security governance


The IT Governance Institute defines five basic outcomes of information security
governance that lead to successful integration of information security with the
organization’s mission [ITGI06]:

Strategic alignment
The support of strategic organizational objectives requires that information security
strategy and policy be aligned with business strategy.
Risk management

The principal driving force for information security governance is risk management,
which involves mitigating risks and reducing or preventing potential impact on
information resources.

Resource management
The resources expended on information security (e.g., personnel time and money) are
somewhat open ended and a key goal of information security governance is to align
information security budgets with overall enterprise requirements.

Value delivery
Not only should resources expended on information security be constrained within
overall enterprise resource objectives, but also information security investments need to
be managed to achieve optimum value.

Performance measurement
The enterprise needs metrics against which to judge information security policy to ensure
that organizational objectives are achieved.

Security Governance Roles and Responsibilities

o Alignment of security function to strategy, goals, mission and objectives

Security Council Vision Statement


A clear security vision statement should exist that is in alignment with, and supports, the
organizational vision. Typically, these statements draw upon the security concepts of
confidentiality, integrity, and availability to support the business objectives. Vision
statements are not technical and focus on the advantages to the business. People will
be involved in the council from management and technical areas and have limited time
to participate, so the vision statement must be something that is viewed as worthwhile
to sustain their continued involvement. The vision statement is a high-level set of
statements that is brief, to the point, and achievable.

Mission Statement
Mission statements are objectives that support the overall vision. These become the
road map to achieving the vision and help the council clearly view the purpose for its
involvement. Some individuals may choose nomenclature such as goals, objectives,
initiatives, etc. A sample mission statement is shown below

Effective mission statements do not need to be lengthy because the primary concern is
to communicate the goals so both technical and nontechnical individuals readily
understand them. The primary mission of the Security Council will vary by organization.
The vision and mission statements should also be reviewed on an annual basis to
ensure that the council is still functioning according to the values expressed in the
mission statement, as well as to ensure that new and replacement members are in
alignment with the objectives of the council.

The Cybercrime Operational Framework is designed to capture the security team's
vision, pillars, objectives and strategic enablers to combat cybercrime, which cascade
throughout the action plan. The framework and action plan centre on core operations in
the cyber realm, and equipping the team with the right people, skills and tools in a digital
era. Another example is given below:

Vision
Reduce the threat, impact and victimization of cybercrime, identify and prioritize
cybercrime threats through intelligence collection and analysis

Enablers
Skills – Develop a robust and scalable law enforcement training regime to more
effectively address cybercrime
Tools – Equip law enforcement with the operational tools they need to investigate
cybercrime at all levels of policing
Information Sharing – Make it easier for victims to report cybercrime and improve
information sharing between partners
Coordination – Enable joint force operations and deconfliction with law enforcement
partners when targeting cybercrime
Industry – Engage industry to address shared cybercrime issues and foster mutually
beneficial relationships
Community Awareness – Inform Canadians and industry of new and emerging threats
to help prevent cybercrime at the onset
Legislation and Policy – Support the modernization of Canada's legal tools to keep pace
with technological change.

o Organizational processes

o Security roles and responsibilities

Information Security Roles and Responsibilities


Purpose
Under federal, state, regulatory, and contractual requirements, Michigan Tech is
responsible for developing and implementing a comprehensive information security
program. The purpose of this document is to clearly define roles and responsibilities that
are essential to the implementation and continuation of the University’s Information
Security Plan (ISP).
Definitions
 Information System—Any electronic system that stores, processes, or
transmits information.
 Information Assets—Definable pieces of information in any form, recorded or
stored on any media that is recognized as "valuable" to the University.
 Principle of Least Privilege—Access privileges for any user should be
limited to only what is necessary to complete their assigned duties or
functions, and nothing more.
 Principle of Separation of Duties—Whenever practical, no one person
should be responsible for completing or controlling a task, or set of tasks, from
beginning to end when it involves the potential for fraud, abuse, or other harm.
Information Security Board of Review
The Information Security Board of Review (ISBR) is an appointed administrative
authority whose role is to provide oversight and direction regarding information systems
security and privacy assurance campus-wide. In collaboration with the Chief Information
Officer (CIO), the ISBR’s specific oversight responsibilities include the following:
 Oversee the development, implementation, and maintenance of a University-
wide strategic information systems security plan.
 Oversee the development, implementation, and enforcement of University-
wide information systems security policy and related recommended guidelines,
operating procedures, and technical standards.
 Oversee the process of handling requested policy exceptions
 Advise the University administration on related risk issues and recommend
appropriate actions in support of the University’s larger risk management
programs.
Security and Information Compliance Officers
The Security and Information Compliance Officers oversee the development and
implementation of the University’s ISP. Specific responsibilities include:
 Ensure related compliance requirements are addressed, e.g., privacy,
security, and administrative regulations associated with federal and state laws.
 Ensure appropriate risk mitigation and control processes for security incidents
as required.
 Document and disseminate information security policies, procedures, and
guidelines
 Coordinate the development and implementation of a University-wide
information security training and awareness program
 Coordinate a response to actual or suspected breaches in the confidentiality,
integrity or availability of information assets.
Data Owner
A Data Owner is an individual or group of people who have been officially designated as
accountable for specific data that is transmitted, used, and stored on a system or
systems within a department, college, school, or administrative unit of the University.
The role of the Data Owner is to provide direct authority and control over the
management and use of specific information. These individuals might be deans,
department heads, managers, supervisors, or designated staff. Responsibilities of a
Data Owner include the following:
Ensure compliance with Michigan Tech policies and all regulatory requirements
Data Owners need to understand whether or not any University policies govern their
information assets. Data Owners are responsible for having an understanding of legal
and contractual obligations surrounding information assets within their functional areas.
For example, the Family Educational Rights and Privacy Act ("FERPA") dictates
requirements related to the handling of student information. Information Technology
Services can assist Data Owners in gaining a better understanding of legal obligations.
Assign an appropriate classification to information assets
All information assets are to be classified based upon their level of sensitivity, value and
criticality to the University. Michigan Tech has adopted three primary classifications:
Confidential, Internal/Private, and Public. Please see the Data Classification and
Protection Standard for further reference.
Determine appropriate criteria for obtaining access to sensitive information
assets
A Data Owner is accountable for who has access to information assets within their
functional areas. This does not imply that a Data Owner is responsible for day-to-day
provisioning of access. Provisioning access is the responsibility of a Data Custodian.
A Data Owner may decide to review and authorize each access request individually or
may define a set of rules that determine who is eligible for access based on business
function, support role, etc. Access must be granted based on the principles of least
privilege as well as separation of duties. For example, a simple rule may be that all
students are permitted access to their own transcripts or all staff members are permitted
access to their own health benefits information. A Data Custodian should document
these rules in a manner that allows little or no room for interpretation.
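As an added worked example (not part of the Michigan Tech policy or of these notes), the Python below shows how a Data Owner's eligibility rules can be evaluated under the two principles defined earlier: default deny for least privilege, and a separation-of-duties check that stops the person who raised a request from also approving it. The roles, resource kinds, the "approve" action and all sample identities are constructed for illustration; the transcript and health-benefits rules are the ones the text gives.

```python
"""Data Owner access rules evaluated under least privilege and separation of duties.

Added example, not Michigan Tech's code. Roles, resource kinds, the "approve"
action and all sample identities below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Set, Tuple


@dataclass(frozen=True)
class Subject:
    user_id: str
    roles: frozenset            # e.g. {"student"}, {"staff", "registrar"}, {"finance"}


@dataclass(frozen=True)
class Resource:
    kind: str                   # "transcript", "benefits", "purchase_order" (constructed)
    subject_of_record: str      # whose record this is
    classification: str         # Confidential / Internal/Private / Public
    initiated_by: Optional[str] = None   # who raised the request, for separation of duties


@dataclass(frozen=True)
class AccessRule:
    name: str
    kind: str
    action: str
    condition: Callable[[Subject, Resource], bool]


# The Data Owner's rule set, written so there is little room for interpretation.
# Anything not matched by a rule is refused: that is least privilege as default deny.
RULES = (
    AccessRule("students read their own transcript", "transcript", "read",
               lambda s, r: "student" in s.roles and s.user_id == r.subject_of_record),
    AccessRule("staff read their own health benefits", "benefits", "read",
               lambda s, r: "staff" in s.roles and s.user_id == r.subject_of_record),
    AccessRule("registrar staff read any transcript", "transcript", "read",
               lambda s, r: "registrar" in s.roles),
    # Separation of duties: whoever raised a purchase order may not also approve it.
    AccessRule("finance approves purchase orders raised by someone else", "purchase_order", "approve",
               lambda s, r: "finance" in s.roles and r.initiated_by != s.user_id),
)


def decide(subject: Subject, resource: Resource, action: str,
           rules=RULES, deprovisioned: Set[str] = frozenset()) -> Tuple[bool, str]:
    """Return (allowed, reason) for one access request.

    De-provisioned users (removed by the Data Custodian) are refused before any
    rule is consulted; otherwise the first matching rule grants, and no match denies.
    """
    if subject.user_id in deprovisioned:
        return False, "user de-provisioned by Data Custodian"
    for rule in rules:
        if rule.kind == resource.kind and rule.action == action and rule.condition(subject, resource):
            return True, "granted by rule: " + rule.name
    return False, "no rule grants this access (default deny)"


def audit_line(subject: Subject, resource: Resource, action: str, **kwargs) -> str:
    """One line for the access log, so every decision is traceable to a rule or to a denial."""
    allowed, reason = decide(subject, resource, action, **kwargs)
    verdict = "ALLOW" if allowed else "DENY"
    return f"{verdict} user={subject.user_id} action={action} {resource.kind}/{resource.subject_of_record} ({reason})"
```

The point of `decide` returning the matching rule name is that every grant can be traced back to a rule the Data Owner approved, and every denial is either a de-provisioning or the default; a request for an action no rule mentions (say, "write" on a transcript) is refused without anyone having to anticipate it.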
Approve standards and procedures related to management of information assets
While it is the responsibility of the Data Custodian to develop and implement operational
procedures, it is the Data Owner’s responsibility to review and approve these standards
and procedures. A Data Owner should consider the classification of the data and
associated risk tolerance when reviewing and approving these standards and
procedures. For example, high risk and/or highly sensitive data may warrant more
comprehensive documentation and, similarly, a more formal review and approval
process.
Data Custodian
The responsibilities that follow fall to the Data Custodian, the role responsible for the
day-to-day operational handling of information assets, including provisioning access, on
the Data Owner's behalf.
Understand how information assets are stored, processed, and transmitted
Understanding and documenting how information assets are being stored, processed
and transmitted is the first step toward safeguarding that data. Without this knowledge,
it is difficult to implement or validate safeguards in an effective manner.
One method of performing this assessment is to create a data flow diagram for a subset
of data that illustrates the system(s) storing the data, how the data is being processed
and how the data traverses the network. Data flow diagrams can also illustrate security
controls as they are implemented. Regardless of approach, documentation should exist
and be made available to the appropriate Data Owner.
Implement appropriate physical and technical safeguards to protect the
confidentiality, integrity and availability of information assets
Information Technology has published guidance on implementing reasonable and
appropriate security controls for the three classifications of data: Confidential,
Internal/Private, and Public. Contractual obligations, regulatory requirements and
industry standards also play an important role in implementing appropriate safeguards.
Data Custodians should work with Data Owners to gain a better understanding of these
requirements. Data Custodians should also document what security controls have been
implemented and where gaps exist in current controls. This documentation should be
made available to the appropriate Data Owner.
Document and disseminate administrative and operational procedures to ensure
consistent storage, processing and transmission of information assets
Documenting administrative and operational procedures goes hand in hand with
understanding how data is stored, processed and transmitted. Data Custodians should
document as many repeatable processes as possible. This will help ensure that
information assets are handled in a consistent manner and will also help ensure that
safeguards are being effectively leveraged.
Provision and de-provision access as authorized by the Data Owner
Data Custodians are responsible for provisioning and de-provisioning access based on
criteria established by the appropriate Data Owner. As specified above, standard
procedures for provisioning and de-provisioning access should be documented and
made available to the appropriate Data Owner.
Understand and report security risks and how they impact the confidentiality,
integrity and availability of information assets
Data Custodians need to have a thorough understanding of security risks impacting
their information assets. For example, storing or transmitting sensitive data in an
unencrypted form is a security risk. Protecting access to data using a weak password
and not patching vulnerabilities in a system or application are further examples of
security risks.
Security risks need to be documented and reviewed with the appropriate Data Owner so
that he or she can determine whether greater resources need to be devoted to
mitigating these risks. Information Technology Services can assist Data Custodians with
gaining a better understanding of their security risks.
Data Users
All users have a critical role in the effort to protect and maintain University information
systems and data. For the purpose of information security, a Data User is any
employee, contractor or third-party provider of the University who is authorized to
access University Information Systems and/or information assets. Responsibilities of
data users include the following:
Adhere to policies, guidelines and procedures pertaining to the protection of
information assets
Information Technology publishes various policies, procedures, and guidelines related
to the protection of information assets and systems; these can be found on the IT web
site.
Users are also required to follow all specific policies, guidelines, and procedures
established by departments, schools, colleges, or business units with which they are
associated and that have provided them with access privileges.
Report actual or suspected security and/or policy violations or breaches to IT
During the course of day-to-day operations, users may come across a situation where
they feel the security of information assets might be at risk. For example, a user comes
across sensitive information on a website that he or she feels shouldn't be accessible. If
this happens, it is the user's responsibility to report the situation.
Please see the Incident Response Procedure for further guidance on what steps to
take if you suspect a violation or breach.

o Control Frameworks

o Developing and implementing documented security policies, standards,
procedures and guidelines

An Information Technology (IT) Security Policy identifies the rules and procedures for
all individuals accessing and using an organization's IT assets and resources. Effective
IT Security Policy is a model of the organization’s culture, in which rules and procedures
are driven from its employees' approach to their information and work. Thus, an
effective IT security policy is a unique document for each organization, cultivated from
its people’s perspectives on risk tolerance, how they see and value their information,
and the resulting availability that they maintain of that information. For this reason, many
companies will find a boilerplate IT security policy inappropriate due to its lack of
consideration for how the organization’s people actually use and share information
among themselves and to the public.
The objective of an IT security policy is the preservation of confidentiality, integrity, and
availability of systems and information used by an organization's members. These three
principles compose the CIA triad:
 Confidentiality involves the protection of assets from unauthorized entities
 Integrity ensures the modification of assets is handled in a specified and
authorized manner
 Availability is a state of the system in which authorized users have
continuous access to said assets
The IT Security Policy is a living document that is continually updated to adapt to
evolving business and IT requirements. Institutions such as the International
Organization for Standardization (ISO) and the U.S. National Institute of Standards and
Technology (NIST) have published standards and best practices for security policy
formation. As stipulated by the National Research Council (NRC), the specifications of
any company policy should address:
1. Objectives
2. Scope
3. Specific goals
4. Responsibilities for compliance and actions to be taken in the event of
noncompliance.
Also mandatory for every IT security policy are sections dedicated to adherence to the
regulations that govern the organization's industry. Common examples include the PCI
Data Security Standard and the Basel Accords worldwide, and, in the United States, the
Dodd-Frank Wall Street Reform and Consumer Protection Act, the Health Insurance
Portability and Accountability Act (HIPAA), and the rules of the Financial Industry
Regulatory Authority (FINRA). Many of these regulators and standards bodies themselves
require a written IT security policy.
An organization’s security policy will play a large role in its decisions and direction, but it
should not alter its strategy or mission. Therefore, it is important to write a policy that is
drawn from the organization’s existing cultural and structural framework to support the
continuity of good productivity and innovation, and not as a generic policy that impedes
the organization and its people from meeting its mission and goals.

To design and implement a secure cyberspace, some stringent strategies have been
put in place. This chapter explains the major strategies employed to ensure
cybersecurity, which include the following −
 Creating a Secure Cyber Ecosystem
 Creating an Assurance Framework
 Encouraging Open Standards
 Strengthening the Regulatory Framework
 Creating Mechanisms for IT Security
 Securing E-governance Services

 Protecting Critical Information Infrastructure


Strategy 1 − Creating a Secure Cyber Ecosystem
The cyber ecosystem involves a wide range of varied entities like devices
(communication technologies and computers), individuals, governments, private
organizations, etc., which interact with each other for numerous reasons.
This strategy explores the idea of having a strong and robust cyber-ecosystem where
the cyber-devices can work with each other in the future to prevent cyber-attacks,
reduce their effectiveness, or find solutions to recover from a cyber-attack.
Such a cyber-ecosystem would have the ability built into its cyber devices to permit
secured ways of action to be organized within and among groups of devices. This
cyber-ecosystem can be supervised by present monitoring techniques where software
products are used to detect and report security weaknesses.
A strong cyber-ecosystem has three symbiotic structures − Automation,
Interoperability, and Authentication.
 Automation − It eases the implementation of advanced security measures,
speeds up response, and improves decision-making.
 Interoperability − It strengthens collaborative action, improves awareness,
and accelerates learning. There are three types of
interoperability −
o Semantic (i.e., shared lexicon based on common understanding)
o Technical
o Policy − Important in assimilating different contributors into an inclusive
cyber-defense structure.
 Authentication − It improves the identification and verification technologies
that work in order to provide −
o Security
o Affordability
o Ease of use and administration
o Scalability
o Interoperability
Strategy 2 − Creating an Assurance Framework
The objective of this strategy is to design an outline in compliance with the global
security standards through traditional products, processes, people, and technology.
To cater to the national security requirements, a national framework known as
the Cybersecurity Assurance Framework was developed. It accommodates critical
infrastructure organizations and the governments through "Enabling and Endorsing"
actions.
Enabling actions are performed by government entities that are autonomous bodies
free from commercial interests. The publication of "National Security Policy Compliance
Requirements" and IT security guidelines and documents to enable IT security
implementation and compliance are done by these authorities.
Endorsing actions are commercial services offered after the provider meets the
obligatory qualification standards, and they include the following −
 ISO 27001/BS 7799 ISMS certification, IS system audits, etc., which are
essentially the compliance certifications.
 'Common Criteria' standard ISO 15408 and crypto module verification
standards, which are the IT security product evaluation and certification.
 Services to assist consumers in the implementation of IT security, such as IT
security manpower training.
Trusted Company Certification

With the growth of the outsourcing market, Indian IT/ITES/BPO organizations need to
comply with international standards and best practices on security and privacy. ISO 9000,
CMM, Six Sigma, Total Quality Management, ISO 27001, etc., are among the standards
and quality models adopted.
Existing models such as SEI CMM levels are exclusively meant for software
development processes and do not address security issues. Therefore, several efforts
are made to create a model based on self-certification concept and on the lines of
Software Capability Maturity Model (SW-CMM) of CMU, USA.
The structure produced through such collaboration between industry and government
comprises the following −
 standards
 guidelines
 practices
These parameters help the owners and operators of critical infrastructure to manage
cybersecurity-related risks.
Strategy 3 − Encouraging Open Standards
Standards play a significant role in defining how we approach information security
related issues across geographical regions and societies. Open standards are
encouraged to −
 Enhance the efficiency of key processes,
 Enable systems integration,
 Provide a medium for users to compare new products or services,
 Structure the approach to deploying new technologies or business models,
 Interpret complex environments, and
 Promote economic growth.
Standards such as ISO 27001 encourage the implementation of a standard
organization structure, so that customers can understand processes and the costs of
auditing are reduced.
Strategy 4 − Strengthening the Regulatory Framework
The objective of this strategy is to create a secure cyberspace ecosystem and
strengthen the regulatory framework. A 24X7 mechanism has been envisioned to deal
with cyber threats through National Critical Information Infrastructure Protection Centre
(NCIIPC). The Computer Emergency Response Team (CERT-In) has been designated
to act as a nodal agency for crisis management.
Some highlights of this strategy are as follows −
 Promotion of research and development in cybersecurity.
 Developing human resource through education and training programs.
 Encouraging all organizations, whether public or private, to designate a person
to serve as Chief Information Security Officer (CISO) who will be responsible
for cybersecurity initiatives.
 Indian Armed Forces are in the process of establishing a cyber-command as a
part of strengthening the cybersecurity of defense network and installations.
 Effective implementation of public-private partnership is in the pipeline and will
go a long way in creating solutions to the ever-changing threat landscape.
Strategy 5 − Creating Mechanisms for IT Security
Some basic mechanisms that are in place for ensuring IT security are − link-oriented
security measures, end-to-end security measures, association-oriented measures, and
data encryption. These methods differ in their internal application features and also in
the attributes of the security they provide. Let us discuss them in brief.
Link-Oriented Measures
Link-oriented measures protect data while it is transferred between two adjacent nodes,
irrespective of the eventual source and destination of the data. Each link has its own key,
so every intermediate node decrypts and re-encrypts the traffic and therefore handles it in
the clear.
End-to-End Measures
End-to-end measures transport Protocol Data Units (PDUs) in protected form from
source to destination so that compromise or disruption of any of the intermediate
communication links does not violate security; intermediate nodes handle only ciphertext.
Association-Oriented Measures
Association-oriented measures are a variant of end-to-end measures that protect each
association (for example, each session between a pair of communicating applications)
individually.
Data Encryption
Data encryption covers conventional (symmetric-key) ciphers and the class of public-key
ciphers. It encodes information so that only parties holding the appropriate key can
decrypt it.
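The difference between link-oriented and end-to-end measures is easiest to see on a path with an intermediate node. The Python below is an added example, not from these notes or from any government framework: it models a source A, a relay R and a destination B using a small encrypt-then-MAC construction built from the standard library (an HMAC-SHA256 keystream in counter mode plus an HMAC-SHA256 tag). The cipher is a teaching construction and not something to deploy; the keys, node names and the sample message are constructed for illustration.

```python
"""Link-oriented vs end-to-end protection on the path A -> R (relay) -> B.

Added example, not from these notes. The cipher is a teaching construction:
encrypt-then-MAC with an HMAC-SHA256 keystream in counter mode and an
HMAC-SHA256 tag, standard library only. Keys and the sample message are constructed.
"""
import hashlib
import hmac
import os

NONCE_LEN = 12
TAG_LEN = 32


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from one shared secret."""
    k_enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    k_mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return k_enc, k_mac


def _keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode: concatenate HMAC(k_enc, nonce || counter) blocks, truncate to length."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(k_enc, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce || ciphertext || tag."""
    k_enc, k_mac = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time before decrypting; raise if anything was altered."""
    k_enc, k_mac = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(k_enc, nonce, len(ct))))


def link_oriented(message: bytes, k_ar: bytes, k_rb: bytes):
    """Each link has its own key. The relay must decrypt to forward, so it holds the plaintext.

    Returns (what B received, what the relay saw)."""
    hop1 = seal(k_ar, message)
    at_relay = unseal(k_ar, hop1)          # relay recovers the plaintext
    hop2 = seal(k_rb, at_relay)            # and re-encrypts it for the next link
    return unseal(k_rb, hop2), at_relay


def end_to_end(message: bytes, k_ab: bytes, k_ar: bytes, k_rb: bytes):
    """A and B share k_ab; link keys may still be used, but the relay sees only ciphertext.

    Returns (what B received, what the relay saw)."""
    inner = seal(k_ab, message)            # end-to-end layer, only A and B can open it
    hop1 = seal(k_ar, inner)
    at_relay = unseal(k_ar, hop1)          # relay gets back the inner ciphertext, nothing more
    hop2 = seal(k_rb, at_relay)
    return unseal(k_ab, unseal(k_rb, hop2)), at_relay


def relay_tampers(message: bytes, k_ab: bytes, k_ar: bytes, k_rb: bytes) -> bool:
    """Malicious relay on the end-to-end path flips one bit of the inner ciphertext.

    Returns True if B detects the tampering (the end-to-end tag no longer verifies)."""
    inner = unseal(k_ar, seal(k_ar, seal(k_ab, message)))
    flipped = bytearray(inner)
    flipped[NONCE_LEN] ^= 0x01             # first byte of the inner ciphertext
    hop2 = seal(k_rb, bytes(flipped))      # relay re-applies honest link encryption
    try:
        unseal(k_ab, unseal(k_rb, hop2))
    except ValueError:
        return True
    return False
```

With link-oriented protection the relay necessarily holds the plaintext, which is what `link_oriented` returns as the relay's view; with end-to-end protection the relay sees only the inner ciphertext, and a relay that flips a bit in it is caught by B's integrity check. That is what "disruption of any communication link does not violate security" means in practice: a compromised hop can drop traffic, but it can neither read nor silently alter it.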
Strategy 6 − Securing E-Governance Services
Electronic governance (e-governance) is among the most valuable instruments a
government has for providing public services in an accountable manner. Unfortunately, in
the current scenario, there is no dedicated legal framework for e-governance in India.
Similarly, there is no law mandating e-delivery of public services in India. And nothing
is more hazardous and troublesome than executing e-governance projects without
sufficient cybersecurity. Hence, securing e-governance services has become a
crucial task, especially when the nation is making daily transactions through cards.
Fortunately, the Reserve Bank of India has implemented security and risk mitigation
measures for card transactions in India, enforceable from 1st October 2013. It has put
the responsibility for ensuring secure card transactions upon banks rather than on
customers.
"E-government" or electronic government refers to the use of Information and
Communication Technologies (ICTs) by government bodies for the following −
 Efficient delivery of public services
 Refining internal efficiency
 Easy information exchange among citizens, organizations, and government
bodies
 Re-structuring of administrative processes.
Strategy 7 − Protecting Critical Information Infrastructure
Critical information infrastructure is the backbone of a country’s national and economic
security. It includes power plants, highways, bridges, chemical plants, networks, as well
as the buildings where millions of people work every day. These can be secured with
stringent collaboration plans and disciplined implementations.
Safeguarding critical infrastructure against developing cyber-threats needs a structured
approach. It is required that the government aggressively collaborates with public and
private sectors on a regular basis to prevent, respond to, and coordinate mitigation
efforts against attempted disruptions and adverse impacts to the nation’s critical
infrastructure.
The government also needs to work with business owners and operators to reinforce
their services and groups by sharing cyber and other threat information.
A common platform should be shared with the users to submit comments and ideas,
which can be worked together to build a tougher foundation for securing and protecting
critical infrastructures.
The government of the USA passed an executive order, "Improving Critical
Infrastructure Cybersecurity", in 2013 that prioritizes the management of cybersecurity
risk involved in the delivery of critical infrastructure services. The Cybersecurity
Framework that NIST developed under that order provides a common taxonomy and
mechanism for organizations to −
 Describe their current cybersecurity posture,
 Describe their target state for cybersecurity,
 Identify and prioritize opportunities for improvement within the context of a
continuous and repeatable process, and
 Communicate among internal and external stakeholders about cybersecurity risk.

4.4 PROFESSIONAL ETHICS


Professional ethics are principles that govern the behavior of a person or group in a
business environment. They encompass the personal and corporate standards of
behavior expected by professionals and those working in acknowledged professions
exercising specialist knowledge and skill. Professional ethics provide rules that govern
how the use of this knowledge should be applied when providing a service to the public
and institutions in such an environment. Some professional organizations may define
their ethical approach in terms of a number of discrete components. Typically these
include honesty, trustworthiness, transparency, accountability, confidentiality,
objectivity, respect, obedience to the law and loyalty. These ethics are often codified as
a set of rules, which a particular group of people use. This means that all those in a
particular group will use the same professional ethics, even though their values may be
unique to each person. Ethical principles underpin all professional codes of conduct.
Professional codes of conduct draw on these professional ethical principles as the basis
for prescribing required standards of behavior for members of a profession. They also
seek to set out the expectations that the profession and society have of its members.
The intention of codes of conduct is to provide guidelines for the minimum standard of
appropriate behavior in a professional context. Codes of conduct sit alongside the
general law of the land and the personal values of members of the profession.
Professional codes of conduct provide benefits to:
- the public, as they build confidence in the profession’s trustworthiness.
- clients, as they provide greater transparency and certainty about how their affairs will
be handled.
- members of the profession, as they provide a supporting framework for resisting
pressure to act inappropriately, and for making acceptable decisions in what may be
‘grey areas’.
- the profession as a whole, as they provide a common understanding of acceptable
practice which builds collegiality and allows for fairer disciplinary procedures.
- others dealing with the profession, as the profession will be seen as more reliable and
easier to deal with.

 Characteristics of a professional with regard to codes of ethics

Professional characteristics refer to the qualities a person exemplifies in a business
environment which amounts to professionalism. It includes standards for behavior and
the employee's ability to embody the company's values and do what their employer
expects of them. Professionalism is necessary for the long-term success of any
business, large or small. It ensures that customer relationships are maintained,
employee interactions are positive and that a company meets its goals and objectives.
Professional characteristics that are underpinned in the code of ethics include:

Professional appearance
Professionals should always strive for a professional appearance, including appropriate
attire and proper hygiene and grooming. Clothing should always be clean and ironed
properly.

Reliable
Professionals are dependable and keep their commitments. Professionals respond to
colleagues and customers promptly and follow through on their commitments in a timely
manner. Punctuality is a key aspect of this professional characteristic. It's always
important to clarify any areas of uncertainty when dealing with customers or team
members to ensure there are no mistaken assumptions or surprises.

Ethical behavior
Embodying professionalism also means to be committed to doing the right thing.
Honesty, open disclosure and sincerity are all characteristics of ethical behavior.

Organized
A professional keeps their workspace neat and organized so that they can easily find
items when they need them.

Accountable
Just as a professional accepts credit for having completed a task or achieved a goal,
they also are accountable for their actions when they fail. They take responsibility for
any mistakes that they make and take whatever steps necessary to resolve any
consequences from mistakes.

Professional language
Professionals should monitor how they talk. Minimize the use of slang and avoid using
inappropriate language in the workplace.

Separates personal and professional


Professionals understand the importance of separating their personal lives from their
professional lives.

Positive attitude
A professional should maintain a positive attitude while working. A positive attitude will
improve a professional's overall performance and increase the likelihood of a positive
outcome. It will also impact the behavior and performance of others, improving
employee morale in the office.

Emotional control

Emotional control is another key characteristic of professionalism. Professionals
understand the importance of maintaining their composure and staying calm in all
situations. Even during challenging moments, others can rely on them to be rational and
of sound judgment.

Effective time management

An employee who knows how to manage their time well is viewed by their peers as a
professional. Some characteristics of time management abilities include showing up at
the office on time, being on time for meetings and letting someone in the office know if
they suspect that they might be late.

Focused
A professional is clear about their goals and understands what they need to accomplish
to achieve them. They know how to stay focused on their work to maintain their
productivity, improve the quality of their work and be as efficient as possible.

Poised
Professionals should demonstrate poise, a calm and confident state of being. Being
poised means maintaining a straight posture, making eye contact when communicating
and helping establish a friendly and professional presence. Being poised means also
staying calm during times of heightened pressure.

Respectful of others
Professionals always treat others with respect. They understand that though humor is
appropriate in the workplace, they should always use it with respect to others.

Strong communicator
A professional must have strong communication skills. This means that they not only
can effectively and efficiently convey messages to others but also that they can actively
listen to and understand what others are telling them. By engaging in open and
constructive communication with others, professionals can collaborate more effectively
and accomplish a lot.

Possess soft skills

Soft skills are personal attributes that allow someone to interact effectively with others.
Soft skills include things like leadership, critical thinking, teamwork and people skills.
Soft skills help professionals to behave courteously when addressing colleagues and
managers, use the right language when communicating and respect the opinions of
others.

o Codes of ethics
The codes of ethics play at least eight important roles, such as the following:

Serving and protecting the public

Engineers are in a responsible position where both trust and trustworthiness are
essential. A code of ethics functions as a commitment by the profession as a whole that
engineers will serve the public health, safety and welfare.

Guidance

Codes are brief, yet they offer effective general guidance to engineers. More specific
directions may be given in supplementary statements or guidelines that explain how to
apply the code; where needed, further specification can be sought from the professional
body.

Inspiration
Codes of ethics, which express a collective commitment to a profession, help to
motivate engineers towards ethical conduct. These codes make one feel responsible
for, and proud of, being a professional, which in turn strengthens the commitment one
should have towards one’s profession.

Shared Standards
The standards established should apply to all individuals in their particular
profession. With a code of ethics, the public is assured of a minimum standard of
excellence from engineers, and professionals are given a fair basis on which to compete.

Support for Responsible Professionals

Codes give positive support to professionals who act ethically. A professional engineer
who intends to stand by the code of ethics suffers no harm from rejecting immoral
professional demands, because the code lets them decline smoothly yet formally.
These codes can also provide legal support for engineers criticized for living up to
work-related professional obligations.

Education and Mutual understanding

Codes which are widely circulated and officially approved by professional societies
promote a shared understanding among professionals, the public and government
organizations about the moral responsibilities of engineers. These codes prompt
discussion and reflection on moral issues.

Deterrence and Discipline

Professionals who fail to follow the code exhibit unethical conduct, evident in their
disobedience towards their profession, and may be investigated for it. Such an
investigation generally requires paralegal proceedings designed to get at the truth about
a given charge without violating the personal rights of those being investigated. It may
lead to the expulsion of those whose professional conduct has been proven unethical,
which also means loss of respect from colleagues and the local community.

Contributing to the Profession’s Image

Codes project engineers as members of an ethically committed profession, which
inspires them to work with greater commitment and more effectively in serving the
public. A good image can also win greater powers of self-regulation for the profession
itself, while lessening the demand for more government regulation.

Advantages of Codes of Ethics

- Set out the ideals and responsibilities of the profession.
- Exert a de facto regulatory effect protecting both clients and professionals.
- Improve the profile of the profession.
- Motivate and inspire practitioners, by attempting to define their raison d’être.
- Provide guidance on acceptable conduct.
- Raise awareness and consciousness of issues.
- Improve quality and consistency.

 Licensing and Intellectual Property

o Licensing
Licensing is defined as a business arrangement wherein a company authorizes another
company, by issuing an official permission or permit, to temporarily access its intellectual
property rights, e.g. a manufacturing process, brand name, copyright, trademark, patent,
technology, trade secret, etc., for adequate consideration and under specified
conditions. A shorthand definition of a license is "an authorization to use licensed
material." Licensing agreements delineate the terms under which one party may use
property owned by another party. In addition to detailing all parties involved, licensing
agreements specify in granular detail how licensed parties may use properties,
including the following parameters:
- The geographical regions within which the property may be utilized.
- The time period parties are allotted to use the property.
- The exclusivity or non-exclusivity of a given arrangement.
- Scaling terms, such that new royalty fees will be incurred if the property is reused a
certain number of times. For example, a book publisher may enter a licensing
agreement with another party to use a piece of artwork on the hardcover editions of a
book, but not on the covers of subsequent paperback issuances. The publisher may
also be restricted from using the artistic image in certain advertising campaigns.
An example of a licensing agreement in the restaurant space would be a Chicken
Slice franchisee having a licensing agreement with the Chicken Slice corporation that
lets it use the company's branding and marketing materials.

o Intellectual Property
Intellectual property is a broad categorical description for the set of intangible assets,
products of human intellect, owned and legally protected by a company from outside use
or implementation without consent. The concept of intellectual property rests on the
idea that certain products of human intellect should be afforded the same protective
rights that apply to tangible assets. Types of intellectual property include copyrights,
patents, trademarks, franchises, trade secrets, etc. For example, in 2017 there was a
widely publicized intellectual property case in which a company called Waymo sued
Uber over the alleged theft and use of technology relating to Waymo's self-driving car
program. The plans for the technology, although not yet completely viable,
constituted significant intellectual property for Waymo. When Waymo alleged that Uber
had obtained its intellectual property, it was able to take action through the court
system to attempt to keep Uber from using the information to enhance Uber's own self-
driving car program.
Intellectual property laws are designed to protect both tangible and intangible items and
property. IP is protected in law by, for example, patents, copyright and trademarks,
which enable people to earn recognition or financial benefit from what they invent or
create. By striking the right balance between the interests of innovators and the wider
public interest, the IP system aims to foster an environment in which creativity and
innovation can flourish. Although there are various rationales behind the state-based
creation of protection for this type of property, the general goal of intellectual property
law is to protect property from those wishing to copy or use it without due
compensation to the inventor or creator. The notion is that copying or using someone
else’s ideas entails far less work than what is required for the original development.
Intellectual property is divided into two categories: industrial property, which includes
inventions (patents), trademarks, industrial designs, and geographical indications of
source; and copyright, which includes literary and artistic works such as novels,
poems and plays, films, musical works, artistic works such as drawings, paintings,
photographs and sculptures, and architectural designs.

IP Rights
Intellectual property rights (IPR) are legal rights aimed at protecting the creations of the
intellect, such as inventions, the appearance of products, literary, artistic and scientific
works and signs, among others.

Advantages of Intellectual Property Rights

- Provide exclusive rights to the creators or inventors.
- Encourage individuals to distribute and share information and data instead of keeping
it confidential.
- Provide legal protection and give creators an incentive for their work.
- Help in social and financial development.

The table below summarizes the different types of Intellectual Property Rights available
(type of creation, followed by the right that protects it):
- literary, artistic and scientific works: copyright
- performances of performing artists, phonogram recordings by producers, and rights
of broadcasters over radio and TV programs: related rights or neighboring rights
- inventions: patents and utility models
- product appearance: design
- signs (words, phrases, symbols or designs, or a combination of these) which are used
as brands of goods and services: trade mark

Copyright
Copyright is a legal term used to describe the rights that creators have over their literary
and artistic works. Works covered by copyright range from books, music, paintings,
sculpture and films, to computer programs, databases, advertisements, maps and
technical drawings. Copyright provides authors and creators of original material the
exclusive right to use, copy, or duplicate their material. Authors of books have their
works copyrighted as do musical artists. A copyright also states that the original
creators can grant anyone authorization through a licensing agreement to use the work.

Trademark
A trademark is a recognizable symbol, phrase, or insignia that represents a product and
legally distinguishes it from other products. It is capable of distinguishing the
goods or services of one enterprise from those of other enterprises. A trademark is
exclusively assigned to a company, meaning the company owns the trademark so that
no others may use or copy it. A trademark is often associated with a company's brand.
For example, the logo and brand name "Coca-Cola" are owned by the Coca-Cola
Company (KO).

Patent
A patent is an exclusive right granted for an invention. The patent allows the inventor
exclusive rights to the invention, which could be a design, process, an improvement, or
physical invention. A patent provides the patent owner with the right to decide how - or
whether - the invention can be used by others. In exchange for this right, the patent
owner makes technical information about the invention publicly available in the
published patent document. Technology and software companies often have patents for
their designs. For example, the patent for the personal computer was filed in 1980 by
Steve Jobs and three other colleagues at Apple Inc.

Digital Rights Management

Digital rights management (DRM) tools or technological protection measures (TPM) are
a set of access control technologies for restricting the use of proprietary hardware and
copyrighted works. DRM technologies try to control the use, modification, and
distribution of copyrighted works (such as software and multimedia content), as well as
systems within devices that enforce these policies. Though the use of digital rights
management is not universally accepted, proponents of DRM argue that it is necessary
to prevent intellectual property from being copied freely. It can help the copyright holder
maintain artistic control and ensure continued revenue streams. However, works can
become permanently inaccessible if the DRM scheme changes or if the service is
discontinued. DRM can also restrict users from exercising their legal rights under the
copyright law, such as backing up copies of CDs or DVDs (instead having to buy
another copy, if it can still be purchased), lending materials out through a library,
accessing works in the public domain, or using copyrighted materials for research and
education under the fair use doctrine.

Trade Secrets
A trade secret is a company's process or practice that is not public information, which
provides an economic benefit or advantage to the company or holder of the trade
secret. Trade secrets must be actively protected by the company and are typically the
result of a company's research and development. Examples of trade secrets could be a
design, pattern, recipe, formula, or proprietary process. Trade secrets are used to
create a business model that differentiates the company's offerings to its customers by
providing a competitive advantage.

o Fair use
Fair use is a doctrine in international law that permits limited use of copyrighted
material without having to first acquire permission from the copyright holder. Fair use is
one of the limitations to copyright intended to balance the interests of copyright holders
with the public interest in the wider distribution and use of creative works, by allowing as
a defense to copyright infringement claims certain limited uses that might otherwise be
considered infringement. The fair use right is a general exception that applies to all
different kinds of uses with all types of works and turns on a flexible proportionality test
that examines the purpose of the use, the amount used, and the impact on the market
of the original work. The innovation of the fair use right in US law is that it applies to a
list of purposes that is preceded by the opening clause "such as." This has allowed
courts to apply it to technologies never envisioned in the original statute, including
Internet search, the VCR, and the reverse engineering of software.

What Is Fair Use?

In its most general sense, a fair use is any copying of copyrighted material done for a
limited and “transformative” purpose, such as to comment upon, criticize, or parody a
copyrighted work. Such uses can be done without permission from the copyright owner.
In other words, fair use is a defense against a claim of copyright infringement. If your
use qualifies as a fair use, then it would not be considered an infringement.
So what is a “transformative” use? If this definition seems ambiguous or vague, be
aware that millions of dollars in legal fees have been spent attempting to define what
qualifies as a fair use. There are no hard-and-fast rules, only general guidelines and
varied court decisions, because the judges and lawmakers who created the fair use
exception did not want to limit its definition. Like free speech, they wanted it to have an
expansive meaning that could be open to interpretation.
Most fair use analysis falls into two categories: (1) commentary and criticism, or (2)
parody.
Commentary and Criticism
If you are commenting upon or critiquing a copyrighted work—for instance, writing a
book review—fair use principles allow you to reproduce some of the work to achieve
your purposes. Some examples of commentary and criticism include:
 quoting a few lines from a Bob Dylan song in a music review
 summarizing and quoting from a medical article on prostate cancer in a news
report
 copying a few paragraphs from a news article for use by a teacher or student
in a lesson, or
 copying a portion of a Sports Illustrated magazine article for use in a related
court case.
The underlying rationale of this rule is that the public reaps benefits from your review,
which is enhanced by including some of the copyrighted material. Additional examples
of commentary or criticism are provided in the examples of fair use cases.
Parody
A parody is a work that ridicules another, usually well-known work, by imitating it in a
comic way. Judges understand that, by its nature, parody demands some taking from
the original work being parodied. Unlike other forms of fair use, a fairly extensive use of
the original work is permitted in a parody in order to “conjure up” the original.

o Creative Commons and Open Source movement

Creative Commons
A Creative Commons (CC) license is one of several public copyright licenses that
enable the free distribution of an otherwise copyrighted "work". A CC license is used
when an author wants to give other people the right to share, use, and build upon a
work that they (the author) have created.
Creative Commons is a nonprofit organization that offers copyright licenses for digital
work.
No registration is necessary to use the Creative Commons licenses. Instead, content
creators select which of the organization's six licenses best meets their goals, then tag
their work so that others know under which terms and conditions the work is
released. Users can search the CreativeCommons.org website for creative works such
as music, videos, academic writing, code or images to use commercially or to modify,
adapt or build upon.
The six categories of licenses offered are:
Attribution - lets others distribute, remix, tweak and build upon the work, even
commercially, as long as they credit the creator for the original work.
Attribution-NoDerivs - allows commercial and non-commercial redistribution, as
long as the work is passed along unchanged and in whole, crediting the creator.
Attribution-NonCommercial-ShareAlike - lets others remix, tweak, and build upon the
work for non-commercial purposes, as long as they credit the creator and license any
new creations under identical terms.
Attribution-ShareAlike - lets others remix, tweak, and build upon the work for commercial
and non-commercial purposes, as long as they credit the creator and license new
creations under identical terms.
Attribution-NonCommercial - lets others remix, tweak, and build upon the work for non-
commercial purposes, crediting the creator. Derivative works do not have to be
licensed under the same terms.
Attribution-NonCommercial-NoDerivs - allows others to download the work and share it
as long as they credit the creator, and neither change the work in any way nor use it for
commercial purposes.

Open-source software movement
The open-source software movement supports the use of open-source licenses for
some or all software, as part of the broader notion of open collaboration. The movement
was started to spread the concept of open-source software.
The term "open source" refers to something people can modify and share because its
design is publicly accessible.
The term originated in the context of software development to designate a specific
approach to creating computer programs. Today, however, "open source" designates a
broader set of values, often called "the open source way." Open source projects,
products, or initiatives embrace and celebrate principles of open exchange,
collaborative participation, rapid prototyping, transparency, meritocracy, and
community-oriented development.
What is open source software?
Open source software is software with source code that anyone can inspect, modify,
and enhance.
"Source code" is the part of software that most computer users never see; it is the
code computer programmers can manipulate to change how a piece of software (a
"program" or "application") works. Programmers who have access to a computer
program's source code can improve that program by adding features to it or fixing parts
that do not always work correctly.

o Plagiarism

Plagiarism is presenting someone else's work or ideas as your own, with or without
their consent, by incorporating it into your work without full acknowledgement. All
published and unpublished material, whether in manuscript, printed or electronic form, is
covered under this definition.
The Common Types of Plagiarism
There are different types of plagiarism, and all are serious violations of academic
honesty. The most common types are defined below.
Direct Plagiarism
Direct plagiarism is the word-for-word transcription of a section of someone else’s work,
without attribution and without quotation marks. The deliberate plagiarism of someone
else's work is unethical, academically dishonest, and grounds for disciplinary action,
including expulsion.
Self Plagiarism
Self-plagiarism occurs when a student submits his or her own previous work, or mixes
parts of previous works, without permission from all professors involved. For example, it
would be unacceptable to incorporate part of a term paper you wrote in high school into
a paper assigned in a college course. Self-plagiarism also applies to submitting the
same piece of work for assignments in different classes without prior permission
from both professors.
Mosaic Plagiarism
Mosaic plagiarism occurs when a student borrows phrases from a source without using
quotation marks, or finds synonyms for the author’s language while keeping to the same
general structure and meaning of the original. Sometimes called “patch writing,” this
kind of paraphrasing, whether intentional or not, is academically dishonest and
punishable, even if you footnote your source.
Accidental Plagiarism
Accidental plagiarism occurs when a person neglects to cite their sources, misquotes
their sources, or unintentionally paraphrases a source by using similar words, groups of
words, and/or sentence structure without attribution. Students must learn how to cite
their sources and to take careful and accurate notes when doing research. Lack of
intent does not absolve the student of responsibility for plagiarism. Cases of accidental
plagiarism are taken as seriously as any other plagiarism and are subject to the same
range of consequences as other types of plagiarism.

Differences between plagiarism and Fair use

o Perspectives on Privacy

 Case Studies on Professional Ethics

The following diagram, prepared by Guilbert Gates for The New York Times, shows
how an Iranian plant was hacked through the internet.

Explanation

A program was designed to automatically run the Iranian nuclear plant. Unfortunately, a
worker who was unaware of the threats introduced the program into the controller. The
program collected all the data related to the plant and sent the information to the
intelligence agencies, who then developed and inserted a worm into the plant. Using the
worm, the miscreants took control of the plant; this led to the generation of more
worms and, as a result, the plant failed completely.

4.5 IT AUDIT

An information technology audit, or information systems audit, is an examination and
evaluation of the management controls within an information technology infrastructure,
policies and operations. The evaluation of obtained evidence determines if the
information systems are safeguarding assets, maintaining data integrity, and operating
effectively to achieve the organization's goals or objectives. IT auditors examine not
only physical security controls, but also overall business and financial controls that
involve information technology systems and may be performed in conjunction with a
financial statement audit, internal audit, or other form of attestation engagement. IT
audits are also known as automated data processing audits (ADP audits) and computer
audits.
Because operations at modern companies are increasingly computerized, IT audits are
used to ensure information-related controls and processes are working properly. The
primary objectives of an IT audit include:
- Evaluate the systems and processes in place that secure company data.
- Determine risks to a company's information assets, and help identify methods to
minimize those risks.
- Ensure information management processes are in compliance with IT-specific laws,
policies and standards.
- Determine inefficiencies in IT systems and associated management.

 Audit Life cycle

An audit cycle is the structured process that auditors employ in the review of a
company's information technology system. The audit cycle includes the steps that an
auditor will take to ensure that the company's systems are valid and accurate. The audit
cycle can call for different tasks to be performed at different times. The following phases
are critical for a successful audit:

Phase 1: Planning
In this phase we plan the information system coverage to comply with the audit
objectives specified by the Client and ensure compliance to all Laws and Professional
Standards. The first thing is to obtain an Audit Charter from the Client detailing the
purpose of the audit, the management responsibility, authority and accountability of the
Information Systems Audit function as follows:
1. Responsibility: The Audit Charter should define the mission, aims, goals and
objectives of the Information System Audit. At this stage we also define the
Key Performance Indicators and an Audit Evaluation process;

2. Authority: The Audit Charter should clearly specify the authority assigned to
the Information Systems Auditors in relation to the Risk Assessment work
that will be carried out, the right to access the Client’s information, the scope
and/or limitations to the scope, the Client’s functions to be audited and the
auditee expectations; and
3. Accountability: The Audit Charter should clearly define reporting lines,
appraisals, assessment of compliance and agreed actions.
The Audit Charter should be approved and agreed upon by an appropriate level within
the Client’s Organization.
In addition to the Audit Charter, we should be able to obtain a written representation
(“Letter of Representation”) from the Client’s Management acknowledging:
1. Their responsibility for the design and implementation of the Internal Control
Systems affecting the IT Systems and processes
2. Their willingness to disclose to the Information Systems Auditor their
knowledge of irregularities and/or illegal acts affecting their organisation
pertaining to management and employees with significant roles within the
internal audit department.
3. Their willingness to disclose to the IS Auditor the results of any risk
assessment that a material misstatement may have occurred

 Requirements from sponsors request
 Pre-audit questionnaire request to the company to be audited
 Risk Evaluation performance
 Objectives and Audit Approach definition
 Agenda preparation and sending
 Audit records preparation

Phase 2: Testing

Phase 3: Reporting

Phase 4: Review

 Types of audits

IT audits involve a review of the controls over software development, data processing,
and access to computer systems. The intent is to spot any issues that could impair the
ability of IT systems to provide accurate information to users, as well as to ensure that
unauthorized parties do not have access to the data. Various authorities have created
differing taxonomies to distinguish the various types of IT audits. Goodman & Lawless
state that there are three specific systematic approaches to carrying out an IT audit:

o Technological innovation process audit.

This audit constructs a risk profile for existing and new projects. The audit will assess
the length and depth of the company's experience in its chosen technologies, as well as
its presence in relevant markets, the organization of each project, and the structure of
the portion of the industry that deals with this project or product.

o Innovative comparison audit

This audit is an analysis of the innovative abilities of the company being audited, in
comparison to its competitors. This requires examination of the company's research and
development facilities, as well as its track record in actually producing new products.

o Technological position audit

This audit reviews the technologies that the business currently has and that it needs to
add. Technologies are characterized as being either "base", "key", "pacing" or
"emerging".

Others describe the spectrum of IT audits with five categories of audits:

o Systems and Applications

An audit to verify that systems and applications are appropriate, are efficient, and are
adequately controlled to ensure valid, reliable, timely, and secure input, processing, and
output at all levels of a system's activity. System and process assurance audits form a
subtype, focusing on business process-centric business IT systems. Such audits have
the objective to assist financial auditors.

o Information Processing Facilities

An audit to verify that the processing facility is controlled to ensure timely, accurate, and
efficient processing of applications under normal and potentially disruptive conditions.

o Systems Development
An audit to verify that the systems under development meet the objectives of the
organization, and to ensure that the systems are developed in accordance with
generally accepted standards for systems development.

o Management of IT and Enterprise Architecture

An audit to verify that IT management has developed an organizational structure and
procedures to ensure a controlled and efficient environment for information processing.

o Client/Server, Telecommunications, Intranets, and Extranets


An audit to verify that telecommunications controls are in place on the client (computer
receiving services), server, and on the network connecting the clients and servers.

A number of IT audit professionals consider there to be three fundamental types of
controls regardless of the type of the IT audit to be performed. These three types of
fundamental controls are: Protective/Preventative Controls, Detective Controls and
Reactive/Corrective Controls. There are two types of auditors and audits: internal and
external. Internal auditing is frequently performed by corporate internal auditors. An
external auditor reviews the findings of the internal audit as well as the inputs,
processing and outputs of information systems. The external audit of information
systems is frequently a part of the overall external auditing performed by a Certified
Public Accountant (CPA) firm. IT audit mainly focuses on issues like operations, data,
integrity, software applications, security, privacy, budgets and expenditures, cost
control, and productivity. Guidelines are available to assist auditors in their jobs, such as
those from Information Systems Audit and Control Association.

 Planning the audit


Audit planning is a vital part of the audit, primarily conducted at the beginning of the
audit process to ensure that appropriate attention is devoted to important areas,
potential problems are promptly identified, work is completed in an efficient and timely
manner and work is properly coordinated. "Audit planning" means developing a general
strategy and a detailed approach for the expected nature, timing and extent of the audit.
An audit plan is the specific guideline to be followed when conducting an audit. It helps
the auditor obtain sufficient appropriate evidence for the circumstances, helps keep
audit costs at a reasonable level, and helps avoid misunderstandings with the client. It
includes procedures such as gaining knowledge of the client's business, development of
audit strategies or an overall plan (who, when and how) and preparation of the audit program.

Benefits of the audit plan


- It helps the auditor obtain sufficient appropriate evidence for the circumstances.
- It helps to keep audit costs at a reasonable level.
- It helps to avoid misunderstandings with the client.
- It helps to ensure that potential problems are promptly identified.
- It helps to know the scope of audit program by an auditor.
- It helps to carry out the audit work smoothly and in a well-defined manner.

o Audit Charter
Specifically referred to as the Internal Audit Charter, it is the formal document that
clearly defines and articulates the main purpose of internal audit, its rights and
obligations, reporting line, authority and the code of ethics that internal auditors should follow.
It is prepared by the governing body (typically the audit committee) and management
and it should be reviewed and approved on an annual basis. The charter must define, at
minimum, the following items:
- Internal audit’s purpose within the organization
- Internal audit’s authority
- Internal audit’s responsibility
- Internal audit’s position within the organization
The charter provides a blueprint for how internal audit will operate and allows the
governing body to emphasize the value it places on the independence of the internal
audit function. It also provides internal audit the authority to achieve its tasks by allowing
unrestricted access to records, personnel etc. for the purpose of performing its duties.


Components of an Audit Charter


There are at least seven vital components that support the overall strength and
effectiveness of the internal audit function and should be included in the internal audit
charter:

Mission and Purpose


The charter should define both the mission and the purpose of the internal audit
function. The mission should be to enhance and protect organizational value by
providing risk-based and objective assurance, advice, and insight. Internal audit’s
independent and objective assurance and consulting services should be designed to
add value and improve the organization’s operations.

Adherence to the International Standards for the Professional Practice of Internal
Auditing
The charter should include details about how the internal audit function governs itself
and how it adheres to various codes of ethics, ICT standards, guidelines and
frameworks. Core principles for the professional practice of internal auditing should be
well articulated.

Authority
The charter should define the audit executive’s functional and administrative reporting
relationship in the organization. In addition, a statement should be included affirming
that the governing body will establish, maintain, and assure that the internal audit
function has sufficient authority to fulfill its duties.

Independence and Objectivity


The charter should state that the audit executive will ensure independence and
objectivity of the internal audit function to carry out its duties in an unbiased manner.
Furthermore, internal audit should have no direct operational responsibility or authority
over any of the activities audited.

Scope of Internal Audit Activities


The charter should define the scope of the internal audit function. The scope should
include providing independent assessments of the adequacy and effectiveness of
governance, risk management, and control processes.

Responsibility
The responsibility of the internal audit function should also be described in the charter
and the following should be performed at least annually:
- Creation of a risk-based internal audit plan
- Confirmation that the internal audit activity has access to appropriate, competent, and
skilled resources
- Verification that the internal audit function is fulfilling its mandate
- Assurance of compliance with stipulated standards.
- Communication of the results of its work and follow up of agreed corrective actions

Quality Assurance and Improvement Program


The charter should define the internal audit’s Quality Assurance and Improvement
Program (QAIP), which covers all aspects of the internal audit function including:

- Evaluation of conformance to standards and the requirement to report the results of its
QAIP periodically to senior management and the governing body.
- An external assessment of the activity at least once every five years

o ICT Standards, Guidelines and Frameworks


The growing extent of ICT application globally has motivated the development of
guidelines, standards and frameworks, notably by the International Organization for
Standardization (ISO), Control Objectives for Information and Related Technology
(COBIT®), IT Infrastructure Library® (ITIL®), Data Management International (DAMA),
Organization for the Advancement of Structured Information Standards (OASIS), World
Wide Web Consortium (W3C), Object Management Group (OMG), Dublin Core
Metadata Initiative and Capability Maturity Model Integration (CMM/CMMI) among many
others. These standards and frameworks are generic and cover a very wide range of
activities, and so are applicable in all kinds of business areas.

ISO/IEC 38500
This ISO/IEC standard is widely
regarded as the starting point for adopting ICT governance practices and developing an
institutional framework. It provides guiding principles for members of governing bodies
of organizations (which can comprise owners, directors, partners, executive managers,
or similar) on the effective, efficient, and acceptable use of information technology (IT)
within their organizations. It also provides guidance to those advising, informing, or
assisting governing bodies. The purpose of ISO/IEC 38500:2015 is to promote
effective, efficient, and acceptable use of IT in all organizations by:
- Assuring stakeholders that, if the principles and practices proposed by the standard
are followed, they can have confidence in the organization's governance of IT,
- Informing and guiding governing bodies in governing the use of IT in their organization.
- Establishing a vocabulary for the governance of IT.
However, this standard does not address specific governance and management
processes, which are covered by other standards and practices.

Control Objectives for Information Technologies COBIT®


The COBIT 5 framework provides an end-to-end business view of the governance of
enterprise IT that reflects the central role of information and technology in creating value
for enterprises. The principles, practices, analytical tools and models found in COBIT 5
embody thought leadership and guidance from business, IT and governance experts
around the world. COBIT 5 is the only business framework for the governance and
management of enterprise IT. This evolutionary version incorporates the latest thinking
in enterprise governance and management techniques, and provides globally accepted
principles, practices, analytical tools and models to help increase the trust in, and value
from, information systems. COBIT 5 builds and expands on COBIT 4.1 by integrating
other major frameworks, standards and resources, including ISACA's Val IT, Risk IT
and BMIS. It is a generic, process-based framework which is increasingly accepted
internationally and covers overall ICT governance and management.


Information Technology Infrastructure Library ITIL®


ITIL® is an integrated set of best practice recommendations for IT service management
which focuses on managing and aligning the ICT service lifecycle in line with the
requirements of the business.

Information Technology Assurance Framework (ITAF)


ITAF is a professional practices framework for IS audit and assurance professionals to
seek guidance, research policies and procedures, obtain audit and assurance programs
and develop effective reports. Published by ISACA, it is a comprehensive and
good-practice-setting model that:
- Provides guidance on the design, conduct and reporting of IT audit and assurance
assignments.
- Defines terms and concepts specific to IT assurance.
- Establishes standards that address IT audit and assurance professional roles and
responsibilities; knowledge and skills; and diligence, conduct and reporting
requirements.
ITAF provides a single source through which IT audit and assurance professionals can
seek guidance, research policies and procedures, obtain audit and assurance
programs, and develop effective reports. While ITAF incorporates existing ISACA
standards and guidance, it has been designed to be a living document. As new
guidance is developed and issued, it will be indexed within the framework.

Health Insurance Portability and Accountability Act


The Health Insurance Portability and Accountability Act of 1996 was created primarily to
modernize the flow of healthcare information, stipulate how Personally Identifiable
Information maintained by the healthcare and healthcare insurance industries should be
protected from fraud and theft, and address limitations on healthcare insurance
coverage. The act consists of five titles.
- Title I of HIPAA protects health insurance coverage for workers and their families
when they change or lose their jobs.
- Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires
the establishment of national standards for electronic health care transactions and
national identifiers for providers, health insurance plans, and employers.
- Title III sets guidelines for pre-tax medical spending accounts.
- Title IV sets guidelines for group health plans.
- Title V governs company-owned life insurance policies.

On the other hand, the corporate application of these standards requires significant
administrative effort, and, frequently, changes in the organizational culture and
processes. The burden of this transformation very often constitutes a barrier to adoption
of these standards. Therefore, these practices should be adopted as medium-term
capacity-building projects, focusing on selected areas which address the institution’s
priorities, especially those related to the implementation of social security programs and
services. Individually, these standards do not completely cover all aspects of social
security administration. The International Social Security Association (ISSA) Guidelines
on Information and Communication Technology aim at supporting social security
institutions in the application of systematic and consistent ICT governance and
management practices and providing a general framework for the application of
standards in such institutions. They provide guidance to identify and apply general
purpose frameworks and norms that are particularly relevant to social security.

o Effects of Laws and Regulations on Information Systems Audit Planning

 Audits Classification
The audit is classified into many different types and levels of assurance according to the
objectives, scopes, purposes, and procedures of how auditing is performed normally in
accordance with International Standards on Auditing (ISA) as well as other local
auditing standards. Audit classifications can include:

External Audit
The external audit refers to the audit firms that offer certain auditing services including
Assurance Service, Consultant Service, Tax Consultant Service, Legal Service,
Financial Advisory, and Risk Management Advisory. External auditors are normally
audit staff working in audit firms. This type of audit is required to maintain the
professional code of ethics and strictly follow International Standards on Auditing and/or
local standards as required by local law. The firms work independently from the clients
they are auditing, and if a conflict of interest arises, proper procedures are needed to
minimize it.

Internal Audit
Internal auditing is an independent and objective consulting service that is designed
to add value to the business and improve the entity's operation. It provides a systematic
and disciplined approach to evaluating and assessing the entity's risk management,
internal control, and corporate governance. The scope of internal audit is generally
determined by the audit committee, the board of directors or directors that have
equivalent authority. If there is no audit committee or board of directors,
internal audit normally reports to the owner of the entity. Internal audit activities
normally cover internal control reviews, operational reviews,
fraud investigation, compliance reviews, and other special tasks assigned.

The following table lists out the different classes of audit.

Basis                Classes
Scope                 Specific Audit − Cash audit, Cost audit, Standard audit, Tax audit,
                     Interim audit, Audit in depth, Management audit, Operational audit,
                     Secretarial audit, Partial audit, Post & vouch audit, etc. are common
                     types of specific audit.
                      General Audit − It can be an internal or an independent audit.
Activities            Commercial
                      Non-Commercial
Organization          Government
                      Private
Legal                 Statutory − Insurance Company, Electricity Company, Banking
                     Companies, Trust, Company, Corporations, Co-operative societies.
                      Non-statutory − Individual, Firm, Sole trader, etc.
Examination methods   Internal Audit
                      Independent Audit

o Audit Programs
An audit program is a checklist of the audit procedures that must be followed by an
auditor in order to complete an audit. The auditor reviews activities to identify
inefficiencies, reduce costs, and otherwise achieve organizational objectives. An auditor
signs off on each checklist item as it is completed, and then inserts the audit program
into the audit working papers as evidence that audit steps were completed. The
contents of an audit program will vary by the scope and nature of the audit, as well as
by industry. The auditing process differs each time an audit occurs, depending on the
client’s size, complexity, and other factors. There are a number of standard audit guides
available that are tailored to individual industries.

o Audit Methodology
The audit methodology describes the sample size, testing methods, and internal
controls auditors need to test. The illustration below summarizes the strategy behind
audit methodology:


 Performing Audit work within Audit Guidelines


Auditors are tasked with carrying out their work following generally accepted auditing
standards. Generally accepted auditing standards (GAAS) are a set of systematic
guidelines used by auditors when conducting audits on companies' records. GAAS
helps to ensure the accuracy, consistency, and verifiability of auditors' actions and
reports. It consists of general standards, fieldwork, and reporting.

General Standards
- The auditor must have adequate technical training and proficiency to perform the
audit.
- The auditor must maintain independence in mental attitude in all matters relating to the
audit.
- The auditor must exercise due professional care in the performance of the audit and
the preparation of the auditor’s report.

Standards of Field Work


- The auditor must adequately plan the work and must properly supervise any
assistants.
- The auditor must obtain a sufficient understanding of the entity and its environment,
including its internal control, to assess the risk of material misstatement of the financial
statements whether due to error or fraud, and to design the nature, timing, and extent
of further audit procedures.
- The auditor must obtain sufficient appropriate audit evidence by performing audit
procedures to afford a reasonable basis for an opinion regarding the financial
statements under audit.

Standards of Reporting
- The auditor must state in the auditor's report whether the findings are presented in
accordance with generally accepted accounting principles.
- The auditor must identify in the auditor's report those circumstances in which such
principles have not been consistently observed in the current period in relation to the
preceding period.
- If the auditor determines that informative disclosures in the findings are not reasonably
adequate, the auditor must so state in the auditor's report.
- The auditor's report must either express an opinion regarding the findings, taken as a
whole, or state that an opinion cannot be expressed. When the auditor cannot express
an overall opinion, the auditor should state the reasons in the auditor's report. In all
cases where an auditor's name is associated with financial statements, the auditor
should clearly indicate the character of the auditor's work, if any, and the degree of
responsibility the auditor is taking, in the auditor's report.

o Audit and Assurance Tools and Techniques

o Audit Objectives

o Fraud Detection

o Audit Risk and Materiality

o Risk Assessment Techniques

NIST SP 800–30r1, 800-39, and 800–66r1

These methodologies are qualitative methods established for the use of the United
States federal government and the global general public, but they are particularly used
by regulated industries, such as healthcare. SP 800–66r1 is written specifically with
HIPAA clients in mind (though it is possible to use this document for other regulated
industries as well). 800-39 focuses on organizational risk management, and 800-30r1
focuses on information system risk management.

CRAMM
CRAMM (CCTA Risk Analysis and Management Method) provides a staged and
disciplined approach embracing both technical (e.g., IT hardware and software) and
nontechnical (e.g., physical and human) aspects of security. To assess these
components, CRAMM is divided into three stages:
- Asset identification and valuation
- Threat and vulnerability assessment
- Countermeasure selection and recommendation.

Failure Modes and Effect Analysis


Failure modes and effect analysis was born in hardware analysis, but it can be used for
software and system analysis. It examines potential failures of each part or module and
examines effects of failure at three levels:
1. Immediate level (part or module)
2. Intermediate level (process or package)
3. System-wide
The organization would then “collect total impact for failure of given modules to
determine whether modules should be strengthened or further supported.”

FRAP
The Facilitated Risk Analysis Process (FRAP) makes a base assumption that a narrow
risk assessment is the most efficient way to determine risk in a system, business
segment, application, or process. The process allows organizations to prescreen
applications, systems, or other subjects to determine if a risk analysis is needed. By
establishing a unique prescreening process, organizations will be able to concentrate on
subjects that truly need a formal risk analysis. The process has little outlay of capital
and can be conducted by anyone with good facilitation skills.

OCTAVE
OCTAVE “is a self-directed information security risk evaluation.” OCTAVE is defined as
a situation where people from an organization manage and direct an information
security risk evaluation for their organization. The organization’s people direct risk
evaluation activities and are responsible for making decisions about the organization’s
efforts to improve information security. In OCTAVE, an interdisciplinary team, called the
analysis team, leads the evaluation.

Security Officers Management and Analysis Project (SOMAP)


The Security Officers Management and Analysis Project (SOMAP) is a Swiss nonprofit
organization with a primary goal to run an open information security management
project and maintain free and open tools and documentation under the GNU license.
SOMAP has created a handbook and a guide and a risk tool to help with understanding
risk management. In the SOMAP risk assessment guide, the qualitative and quantitative
methodologies are discussed. SOMAP identifies the importance of choosing the best
methodology based on the goals of the organization. SOMAP illustrates the risk
assessment workflow as shown below:

Spanning Tree Analysis


Spanning tree analysis “creates a ‘tree’ of all possible threats to or faults of the system.
‘Branches’ are general categories such as network threats, physical threats, component
failures, etc.” When conducting the risk assessment, organizations “prune ‘branches’
that do not apply.”

VAR
VAR (Value at Risk) methodology provides a summary of the worst loss due to a
security breach over a target horizon. Many of the information security risk assessment
tools are qualitative in nature and are not grounded in theory. VAR is identified as a
theoretically based, quantitative measure of information security risk. Many believe that
when organizations use VAR, they can achieve the best balance between risk and the cost
of implementing security controls. Many organizations identify an acceptable risk profile
for their company and determine the cost associated with this risk, so that when the dollar
value at risk for the organization exceeds that dollar amount, the organization can be
alerted to the fact that an increased security investment is required. The VAR
framework for information security risk assessment appears in the figure below:
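The VAR alerting rule described above, carried through in code as an added example that is not part of these notes: a constructed Monte Carlo loss model (assumed breach frequency and cost parameters, not figures from any real organization) produces a distribution of one-year losses, from which the empirical value at risk at a chosen confidence level is compared against the organization's acceptable loss.

```python
import math
import random


def poisson_sample(rng, rate):
    """Draw one Poisson-distributed breach count with the given mean (Knuth's method)."""
    limit = math.exp(-rate)
    count, product = 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_losses(n_years, breach_rate, median_loss, spread, seed=1):
    """Constructed loss model (assumption, not a standard VAR parameterization):
    breaches per year ~ Poisson(breach_rate); cost per breach ~ lognormal with the
    given median and spread (sigma). Returns one simulated total loss per year."""
    rng = random.Random(seed)
    losses = []
    for _ in range(n_years):
        breaches = poisson_sample(rng, breach_rate)
        losses.append(sum(rng.lognormvariate(math.log(median_loss), spread)
                          for _ in range(breaches)))
    return losses


def value_at_risk(losses, confidence):
    """Empirical VaR: the loss that is not exceeded with probability `confidence`
    over the horizon the samples represent (one year here)."""
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be strictly between 0 and 1")
    ordered = sorted(losses)
    index = math.ceil(confidence * len(ordered)) - 1
    return ordered[max(index, 0)]


def investment_alert(losses, confidence, acceptable_loss):
    """The rule from the notes: flag when the dollar value at risk exceeds the
    organization's acceptable loss. Returns (var, alert_flag)."""
    var = value_at_risk(losses, confidence)
    return var, var > acceptable_loss


if __name__ == "__main__":
    # Constructed scenario: on average 2 breaches a year, median cost $50,000
    # each with a wide spread, and an acceptable annual loss of $250,000.
    annual = simulate_annual_losses(10_000, breach_rate=2.0,
                                    median_loss=50_000, spread=1.0, seed=42)
    for conf in (0.95, 0.99):
        var, alert = investment_alert(annual, conf, acceptable_loss=250_000)
        print(f"1-year VaR at {conf:.0%}: ${var:,.0f}  "
              f"increased security investment required: {alert}")
```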


o Risk Assessment and Treatment

 Communicate Audit Results


The context, findings, issues and actions against each area of the audit standard used
should be reported to the audit requestor.

Information Security Report


The report includes the following:

Basic Information
Includes the purpose of issue of the report, cautions relating to usage, target periods
and responsible departments.

Concept of Management Regarding Information Security


Includes policy regarding information-security undertakings, target scope, ranking of
stakeholders in the report and messages to stakeholders.

Information Security Governance


Information security management system (e.g., placement of responsibility,
organizational structure and compliance), risks relating to information security and
information security strategy.

Information Security Measures Planning and Goals

Includes action plan and target values.

Results and Evaluation of Information Security Measures


Includes results, evaluation, information security quality improvement activities,
management of overseas bases, outsourcing, social contribution activities relating to
information security and accident reports.

Principal Focal Themes Relating to Information Security


Includes internal controls and protection of personal information, undertakings to be
particularly emphasized such as Business Continuity Plans, introduction to themes and
newly devised points.

Third-Party Approval, Accreditation, etc. (if Required)


Includes ISMS compliance evaluation system, information security audits, privacy mark
systems, number of persons with information security qualifications, classification, and
ranking.

Given below is an example of an information security status report structure that
includes the following detailed contents:

Introduction
Scope (strategy, policies, standards), perimeter (geographic/organizational units),
period covered (month/quarter/six months/year)

Overall status
Satisfactory/not yet satisfactory/unsatisfactory

Updates (as appropriate and relevant)


- Progress toward achieving the information security strategy
- Elements completed/in-hand/planned
- Changes in information security management system
- ISMS policy revision, organizational structure to implement ISMS (including
assignment of responsibilities)
- Progress toward certification
- ISMS (re)certification, certified information security audits
- Budgeting/staffing/training
- Financial situation, headcount adequacy, information security qualifications
- Other information security activities
- Business continuity management involvement, awareness campaigns,
internal/external audit assistance

Significant issues (if any)


- Results of information security reviews
- Recommendations, management responses, action plans, target dates
- Progress in respect of major internal/external audit reports
- Recommendations, management responses, action plans, target dates
- Information security incidents
- Estimated impact, action plans, target dates
- Compliance (or noncompliance) with related legislation and regulations
- Estimated impact, action plans, target dates


Decision(s) required (if any)


- Additional resources
- To enable information security to support business initiative(s)
