Chapter 3
1. Learning Objectives
Understand the legal and ethical responsibilities in information security.
Differentiate between laws and ethics.
Know major national laws affecting information security.
Understand how culture influences ethics in security.
---
2. Laws vs. Ethics
Laws: Rules enforceable by courts, derived from ethics.
Ethics: Socially accepted behavior; not enforceable like laws.
Cultural mores influence what is considered ethical.
---
3. Organizational Liability
Liability: Legal obligation to make up for harm.
Due care: Ensuring employees understand and follow acceptable behavior.
Due diligence: Ongoing effort to maintain legal and ethical standards.
Jurisdiction: Legal authority of a court to hear a case.
---
4. Policies vs. Laws
Policies: Internal rules; act like laws inside an organization.
For a policy to be enforceable:
It must be disseminated, reviewed, understood, agreed upon, and enforced uniformly.
---
5. Types of Law
Civil Law: Manages relationships/conflicts between individuals/organizations.
Criminal Law: Focuses on offenses against society.
Private Law: Covers family, commercial, and labor law.
Public Law: Regulates government and citizen interactions.
---
6. Major U.S. Laws
Computer Fraud and Abuse Act (1986)
National Information Infrastructure Protection Act (1996)
USA PATRIOT Act (2001)
Computer Security Act (1987)
Gramm-Leach-Bliley Act (1999)
HIPAA (1996)
Federal Privacy Act (1974)
Electronic Communications Privacy Act (1986)
---
7. Privacy Laws and Identity Theft
Personal data is vulnerable to aggregation and misuse.
Identity theft: Use of personal data for fraud/crimes.
Laws regulate healthcare, financial, and communication privacy.
---
8. Export and Espionage Laws
Economic Espionage Act (1996): Protects trade secrets.
SAFE Act (1999): Addresses encryption rights and export restrictions.
---
9. U.S. Copyright and Intellectual Property
Copyright applies to electronic formats.
Fair use allows limited use for education, research, and news.
---
10. Financial Reporting
Sarbanes-Oxley Act (2002): Ensures transparency and accountability in public company finances.
---
11. FOIA and Local Laws
Freedom of Information Act (1966): Access to federal records unless classified.
Security professionals must also comply with state and local regulations.
---
12. International Legal Considerations
Few enforceable international laws exist.
Important agreements include:
European Council Cyber-Crime Convention
TRIPS Agreement (WTO)
Digital Millennium Copyright Act (DMCA)
---
13. Ethics in Information Security
No single binding code of ethics for IT professionals.
Many professional groups have their own ethical codes.
"Ten Commandments of Computer Ethics" guide ethical behavior.
---
14. Ethical Challenges Across Cultures
Ethical standards differ by culture.
Scenarios often differ on:
Software piracy
Use of corporate resources
Illicit access
---
15. Education and Deterrence
Education raises ethical awareness and reduces risk.
Deterrence relies on:
Fear of penalty
Likelihood of being caught
Enforcement of punishment
---
16. Codes of Ethics & Professional Organizations
Organizations with codes:
ACM
(ISC)²
SANS/GIAC
ISACA
ISSA
These promote standards, certifications, and ethics in the profession.
---
17. Key Federal Agencies
Department of Homeland Security (DHS)
FBI InfraGard Program
National Security Agency (NSA)
U.S. Secret Service – Investigates cybercrimes and fraud
Chapter 4: Risk Management
1. Introduction to Risk Management
Risk Management: Identifying and controlling risks in an organization.
Risk Identification: Examining current security conditions.
Risk Control: Applying safeguards to reduce risks.
---
2. Components of Risk Management
Know Yourself: Understand assets and existing protections.
Know the Enemy: Identify and understand threats.
Communities of Interest: Security, management, and IT must work together.
---
3. Risk Identification
Classify and prioritize information assets: people, data, hardware, software.
Use project management principles to organize the identification process.
---
4. Asset Identification & Valuation
Iterative process: Involves people, procedures, data, software, hardware, networks.
Assets must be categorized, valued, and prioritized using weighted analysis.
---
5. Data Classification & Management
Classification levels: Public, Sensitive, Classified, etc.
Includes security clearance levels and need-to-know principles.
Involves safe storage, access, transport, and destruction of sensitive data.
---
6. Threat & Vulnerability Identification
Identify realistic threats and prioritize based on danger and cost.
Vulnerabilities: Weaknesses that threats can exploit.
Brainstorming helps uncover vulnerabilities across departments.
---
7. Risk Assessment
Assign risk scores to assets using:
Likelihood of attack (0.1 to 1.0 scale)
Impact or value of asset
Subtract existing control effects
Formula:
Risk = (Likelihood × Impact) – % Controlled + Uncertainty
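As an added worked example (not from the textbook or this outline), the formula applied to a constructed ranked vulnerability risk worksheet; it assumes, as the textbook's worksheet does, that the control and uncertainty percentages are each taken as a fraction of the Likelihood × Impact product.

```python
# Added example (not from the textbook or the outline): scoring a ranked
# vulnerability risk worksheet with the section's formula
#   Risk = (Likelihood x Impact) - % Controlled + Uncertainty
# Assumption: the control and uncertainty percentages are each taken as a
# fraction of the Likelihood x Impact product. Sample rows are constructed.
from dataclasses import dataclass


@dataclass
class WorksheetEntry:
    asset: str
    vulnerability: str
    impact: float          # asset value/impact on the worksheet's scale
    likelihood: float      # 0.1 to 1.0 scale, as in the outline
    pct_controlled: float  # fraction of risk already mitigated, 0.0 to 1.0
    uncertainty: float     # fraction reflecting estimate uncertainty, 0.0 to 1.0


def risk_score(e: WorksheetEntry) -> float:
    """Return the risk score for one asset-vulnerability pair."""
    if not 0.1 <= e.likelihood <= 1.0:
        raise ValueError(f"likelihood must be 0.1..1.0, got {e.likelihood}")
    for name, frac in (("pct_controlled", e.pct_controlled), ("uncertainty", e.uncertainty)):
        if not 0.0 <= frac <= 1.0:
            raise ValueError(f"{name} must be a fraction 0..1, got {frac}")
    base = e.likelihood * e.impact
    # Subtract what current controls already mitigate, add the uncertainty margin.
    return round(base - base * e.pct_controlled + base * e.uncertainty, 2)


def ranked_worksheet(entries: list[WorksheetEntry]) -> list[tuple[str, str, float]]:
    """Sort pairs by score, highest first: the ranked vulnerability risk worksheet."""
    scored = [(e.asset, e.vulnerability, risk_score(e)) for e in entries]
    return sorted(scored, key=lambda row: row[2], reverse=True)


# Constructed sample worksheet rows (asset, vulnerability, impact, likelihood,
# fraction controlled, uncertainty).
SAMPLE = [
    WorksheetEntry("Customer DB", "SQL injection in web app", 100, 0.5, 0.5, 0.2),
    WorksheetEntry("Web server", "Unpatched OS", 50, 1.0, 0.0, 0.1),
    WorksheetEntry("Field laptop", "Theft of device", 80, 0.3, 0.25, 0.1),
]

if __name__ == "__main__":
    for asset, vuln, score in ranked_worksheet(SAMPLE):
        print(f"{score:6.1f}  {asset:<14} {vuln}")
```

The Customer DB row scores 50 − 25 + 10 = 35, the Web server row 50 − 0 + 5 = 55, so the unpatched server ranks first despite the lower asset value.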
---
8. Risk Control Strategies
Choose one of five strategies for each risk:
1. Defend (Avoid) – Prevent the risk via policies, training, or technology
2. Transfer – Shift risk to third parties (e.g., insurance, outsourcing)
3. Mitigate – Reduce impact via plans (IRP, DRP, BCP)
4. Accept – Do nothing if the cost of protection exceeds the value
5. Terminate – Eliminate the activity that introduces the risk
---
9. Cost-Benefit Analysis (CBA)
Evaluates if a control is worth its cost:
CBA = ALE(before) – ALE(after) – Annual Cost of Safeguard (ACS)
ALE = Annualized Loss Expectancy = SLE × ARO
SLE = Single Loss Expectancy
ARO = Annualized Rate of Occurrence
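As an added worked example (not from the textbook or this outline), the CBA formulas carried through for one proposed safeguard; it assumes the standard expansion SLE = asset value × exposure factor, which the outline does not spell out, and all figures are constructed.

```python
# Added example (not from the textbook or the outline): cost-benefit analysis
# of a proposed safeguard using the section's formulas.
#   ALE = SLE x ARO,  CBA = ALE(before) - ALE(after) - ACS
# Assumption: SLE is expanded the standard way as asset value x exposure factor
# (the fraction of the asset's value lost in one incident). Figures are constructed.


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: loss from a single occurrence of the threat."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction 0..1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE: expected yearly loss; ARO is occurrences per year (0.5 = once per two years)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def cost_benefit(ale_before: float, ale_after: float, annual_cost_of_safeguard: float) -> float:
    """CBA: positive means the safeguard saves more per year than it costs."""
    return ale_before - ale_after - annual_cost_of_safeguard


def evaluate_safeguard(asset_value, ef_before, aro_before, ef_after, aro_after, acs):
    """Run the full CBA and return the figures plus the strategy the result supports."""
    ale_before = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef_before), aro_before)
    ale_after = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef_after), aro_after)
    cba = cost_benefit(ale_before, ale_after, acs)
    # A negative CBA means the control costs more than the risk it removes,
    # which is the situation the "Accept" strategy in section 8 describes.
    decision = "implement control" if cba > 0 else "accept risk or seek a cheaper control"
    return {"ale_before": ale_before, "ale_after": ale_after, "cba": cba, "decision": decision}


if __name__ == "__main__":
    # Constructed scenario: a web server worth 100,000; a breach loses 40% of its
    # value about once every two years; a proposed filtering control cuts that to
    # 10% once every four years and costs 12,000 per year.
    print(evaluate_safeguard(100_000, 0.4, 0.5, 0.1, 0.25, 12_000))
```

With those figures ALE(before) = 40,000 × 0.5 = 20,000, ALE(after) = 10,000 × 0.25 = 2,500, and CBA = 20,000 − 2,500 − 12,000 = 5,500, so the control pays for itself; raise its annual cost to 20,000 and the CBA turns negative.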
---
10. Feasibility Studies
Organizational Feasibility: Fits organizational goals.
Operational Feasibility: Acceptability by users/stakeholders.
Technical Feasibility: Available technical capabilities.
Political Feasibility: Organizational support and politics.
---
11. Qualitative vs. Quantitative Assessment
Quantitative: Uses numeric values and formulas.
Qualitative: Uses categories, scales, and expert judgment.
---
12. Benchmarking & Best Practices
Benchmarking: Learn from peer organizations (metrics or process-based).
Best Practices: Industry standards and methods.
Issues: Limited sharing, no one-size-fits-all, and evolving threats.
---
13. Baselining
Measure current security performance and compare against future results or industry standards.
---
14. Documentation
Use risk worksheets:
Asset classification worksheet
Weighted criteria analysis
Ranked vulnerability risk worksheet
Each asset-vulnerability pair must have a control strategy and documentation of residual risk.
---
15. Final Notes
Residual Risk: The remaining risk after controls are applied.
Organizations must know their risk appetite – the acceptable level of risk.
Risk management is a continuous process, not a one-time event.