Information Assurance and Security 1
Ethics and Law in IT
AR-JAY R. SACAY | SECOND SEMESTER AY 2022-2023
Learning Objectives
• Upon completion of this material, you should be able to:
– Describe the functions of and relationships among laws, regulations, and
professional organizations in information security
– Explain the differences between laws and ethics
– Identify major PH laws that affect the practice of information security
– Discuss the role of culture as it applies to ethics in information security
Introduction
• You must understand the scope of an organization’s legal and ethical
responsibilities.
• To minimize liabilities/reduce risks, the information security
practitioner must:
– Understand the current legal environment
– Stay current with laws and regulations
– Watch for new and emerging issues
Law and Ethics in Information Security
• Laws: rules that mandate or prohibit certain behavior and are
enforced by the state
• Ethics: regulate and define socially acceptable behavior
• Cultural mores: fixed moral attitudes or customs of a particular group
• Laws carry the authority of a governing body; ethics do not.
Organizational Liability and the Need for Counsel
• Liability: the legal obligation of an entity extending beyond criminal or
contract law; includes the legal obligation to make restitution
• Restitution: the legal obligation to compensate an injured party for
wrongs committed
• Due care: the legal standard requiring a prudent organization to act
legally and ethically and know the consequences of actions
• Due diligence: the legal standard requiring a prudent organization to
maintain the standard of due care and ensure actions are effective
Organizational Liability and the Need for Counsel (cont’d)
• Jurisdiction: court’s right to hear a case if the wrong was committed in
its territory or involved its citizenry
• Long-arm jurisdiction: application of laws to those residing outside a
court’s normal jurisdiction; usually granted when a person acts
illegally within the jurisdiction and leaves
Policy Versus Law
• Policies: managerial directives that specify acceptable and
unacceptable employee behavior in the workplace
• Policies function as organizational laws; must be crafted and
implemented with care to ensure they are complete, appropriate, and
fairly applied to everyone
• Key difference between policy and law: ignorance of a policy is an
acceptable defense, whereas ignorance of the law is not.
Policy Versus Law (cont’d)
• Criteria for policy enforcement:
– Dissemination (distribution)
– Review (reading)
– Comprehension (understanding)
– Compliance (agreement)
– Uniform enforcement
Types of Law
• Civil: governs nation or state; manages relationships/conflicts
between organizations and people
• Criminal: addresses activities and conduct harmful to society; actively
enforced by the state
• Private: family/commercial/labor law; regulates relationships between
individuals and organizations
• Public: regulates structure/administration of government agencies
and their relationships with citizens, employees, and other
governments
Relevant PH Law Related to Digital Technologies
• Republic Act No. 8792 – Electronic Commerce Act of 2000
(https://tinyurl.com/464cmavn)
• Republic Act No. 10173 – Data Privacy Act of 2012
(https://tinyurl.com/3nf52zyr)
• Republic Act No. 10175 – Cybercrime Prevention Act of 2012
(https://tinyurl.com/432dvevp/)
International Laws and Legal Bodies
• When organizations do business on the Internet, they do business
globally.
• Professionals must be sensitive to the laws and ethical values of
many different cultures, societies, and countries.
• Because of the political complexities of relationships among nations
and differences in culture, few international laws cover privacy and
information security.
• These international laws are important but are limited in their
enforceability.
International Laws and Legal Bodies (cont’d)
• Two basic types of international law:
a) “Treaty Law”: formal agreements among states to be legally bound
b) “Customary International Law”: general and consistent practice
followed out of a sense of obligation
• Areas in which international law touches information security:
– Internet governance
– Human rights
– International trade/export controls
– “Soft law”, norms, codes of conduct
Ethics and Information Security
• Many professional disciplines have explicit rules governing the ethical
behavior of members.
• IT and IT security do not have binding codes of ethics.
• Professional associations and certification agencies work to maintain
ethical codes of conduct.
– Can prescribe ethical conduct
– Do not always have the ability to ban violators from practice in the field
Ethical Differences Across Cultures
• Cultural differences create difficulty in determining what is and is not
ethical.
• Difficulties arise when one nationality’s ethical behavior conflicts with
the ethics of another national group.
• Scenarios are grouped into:
– Software license infringement
– Illicit use
– Misuse of corporate resources
• Cultures have different views on the scenarios.
Ethics and Education
• Education is the overriding factor in leveling ethical perceptions within
a small population.
• Employees must be trained and kept aware of the expected behavior
of an ethical employee, as well as many other information security
topics.
• Proper ethical training is vital to creating an informed and well-prepared
system user.
Deterring Unethical and Illegal Behavior
• Three general causes of unethical and illegal behavior: ignorance,
accident, intent
• Deterrence: best method for preventing an illegal or unethical activity;
for example, laws, policies, technical controls
• Laws and policies only deter if three conditions are present:
– Fear of penalty
– Probability of being apprehended
– Probability of penalty being applied
Codes of Ethics and Professional Organizations
• Many professional organizations have established codes of
conduct/ethics.
• Codes of ethics can have a positive effect; unfortunately, many
employers do not encourage joining these professional organizations.
• Responsibility of security professionals is to act ethically and
according to the policies of the employer, the professional
organization, and the laws of society.
Major IT Professional Organizations
• Association for Computing Machinery (ACM)
– Established in 1947 as “the world’s first educational and scientific
computing society”
– Code of ethics contains references to protecting information
confidentiality, causing no harm, protecting others’ privacy, and
respecting others’ intellectual property and copyrights.
Major IT Professional Organizations (cont’d)
• International Information Systems Security Certification Consortium,
Inc. (ISC)²
– Nonprofit organization focusing on the development and implementation
of information security certifications and credentials
– Code is primarily designed for the information security professionals who
hold a certification from (ISC)².
– Code of ethics focuses on four mandatory canons.
– Code of ethics focuses on four mandatory canons.
Major IT Professional Organizations (cont’d)
• SANS (originally System Administration, Networking, and Security
Institute)
– Professional organization with a large membership dedicated to the
protection of information and systems
– SANS offers a set of certifications called Global Information Assurance
Certification (GIAC).
Major IT Professional Organizations (cont’d)
• ISACA (originally Information Systems Audit and Control Association)
– Professional association with focus on auditing, control, and security
– Concentrates on providing IT control practices and standards
– ISACA has a code of ethics for its professionals.
Major IT Professional Organizations (cont’d)
• Information Systems Security Association (ISSA)
– Nonprofit society of information security (IS) professionals
– Primary mission to bring together qualified IS practitioners for information
exchange and educational development
– Promotes a code of ethics similar to those of (ISC)², ISACA, and ACM
Summary
• Laws: rules that mandate or prohibit certain behavior in society;
drawn from ethics
• Ethics: define socially acceptable behaviors, based on cultural mores
(fixed moral attitudes or customs of a particular group)
• Types of law: civil, criminal, private, public
Summary (cont’d)
• Many organizations have codes of conduct and/or codes of ethics.
• An organization increases its liability if it refuses to take the measures
known as due care.
• Due diligence requires that organizations make a valid effort to
protect others and continually maintain that effort.