PDF 20230228 091332 0000

The document discusses legal, ethical and professional issues in information security. It covers relevant US and international laws, privacy laws, ethics in information security, and codes of ethics from professional organizations. Key topics covered include the Computer Fraud and Abuse Act, copyright law, and conventions regarding cybercrime.

Uploaded by Isabel Musara

LEGAL, ETHICAL AND PROFESSIONAL ISSUES IN INFORMATION SECURITY

GROUP 1 FUNDAMENTALS OF INFORMATION SECURITY PRESENTATION
Group Members
Delight Shumba 200449
Rumbidzai Chakumarani 210781
Isabel Musara 210786
Jubilee Maneswa 210313
Allen Dumba 210462
Danai Dawanyi 210101
Hastings Msokera 210706
INTRODUCTION
• Law and Ethics in Information Security
• Relevant US Laws
• International Laws and Legal Bodies
• Ethics & Information Security
• Codes of Ethics of Professional Organizations
Key Terms
Law - rules that mandate or prohibit certain behavior in society. Laws carry the sanctions of a governing authority.
Ethics - define socially acceptable behaviors. Universally recognized examples of unethical behavior include murder, theft, assault, and arson.
Information security - refers to the measures and practices that are put in place to protect sensitive data from unauthorized access, use, and disclosure. This includes physical security measures such as locked doors and secure servers, as well as digital security measures such as firewalls, encryption, and user authentication.
LAWS AND ETHICS IN
INFORMATION SECURITY
TYPES OF LAWS
Civil Law - the law that pertains to persons, things and the relationships that develop among them, excluding not only criminal law but also commercial law and labor law.
Public Law - regulates the structure and administration of government agencies and their relationships with citizens, employees and other governments, providing careful checks and balances. Examples are criminal, administrative and constitutional law.
Private Law - regulates relationships between individuals and organisations, and encompasses family law, commercial law and labor law.
Criminal Law - addresses violations that are harmful to society and is actively enforced through prosecution by the state.
RELEVANT U.S. LAWS
Computer Fraud and Abuse Act of 1986 (CFA Act) - cornerstone of federal laws and enforcement acts
Computer Security Act of 1987
Communications Decency Act of 1996 (CDA)
National Information Infrastructure Protection Act of 1996 - addresses threats to computers
USA Patriot Act of 2001
Telecommunications Deregulation and Competition Act of 1996
Establishes minimum acceptable security practices
INFORMATION SECURITY AND THE LAW

Information security professionals and managers must understand the legal framework within which their organisations operate.
They can influence the organisation to a greater or lesser extent, depending on the nature of the organisation and the scale on which it operates.
INTERNATIONAL LAWS AND LEGAL BODIES

It is important for IT professionals and information security practitioners to realize that when their organisations do business on the internet, they do business globally.
As a result, these professionals must be sensitive to the laws and ethical values of many different cultures, societies and countries.
It improves the effectiveness of international investigations.
It emphasizes the prosecution of copyright infringement.
It lacks realistic provisions for enforcement.
Example of International Laws and Legal Bodies

1. Export & Espionage Laws
Economic Espionage Act of 1996 (EEA)
Security and Freedom through Encryption Act of 1999 (SAFE)
These acts include provisions about encryption that:
- Reinforce the right to use or sell encryption algorithms, without concern for key registration
- Prohibit the federal government from requiring it
- Make its use not, by itself, probable cause of criminal activity
- Add penalties for using it in a crime
2. U.S. Copyright Law
Intellectual property is recognized as a protected asset in the U.S.; copyright law extends to electronic formats.
With proper acknowledgement, it is permissible to include portions of others' work as reference.
U.S Copyright Office Website www.copyright.gov

3. Digital Millennium Copyright Act (DMCA)
The American contribution to the World Trade Organization (WTO) plan to reduce the impact of copyright, trademark and privacy infringement.
It is a response to European Union Directive 95/46/EC and prohibits:
- Circumvention of protections and countermeasures
- Manufacture and trafficking of devices used to circumvent such protections
- Altering information attached to or embedded in copyrighted material
Council of Europe Convention on Cybercrime
The Council of Europe adopted the Convention on Cybercrime in 2001.
It created an international task force to oversee a range of security functions associated with Internet activities, aiming for standardized technology laws across international borders.
It also attempts to improve the effectiveness of international investigations into breaches of technology law.
This convention has been well received by advocates of intellectual property rights because it emphasizes prosecution for copyright infringement.
However, many supporters of individual rights oppose the convention because they think it unduly infringes on freedom of speech and threatens the civil liberties of U.S. residents.
The convention has more than its share of skeptics, who see it as an overly simplistic attempt to control a complex problem.
ETHICS AND INFORMATION SECURITY
The Ten Commandments of Computer Ethics
Ethics and Information Security
Information security and ethics is defined as an all-encompassing term that refers to all activities needed to secure information and the systems that support it, in order to facilitate its ethical use.
Many professional groups have explicit rules governing ethical behavior in the workplace. IT and IT security do not have binding codes of ethics. Professional associations and certification agencies work to establish codes of ethics. These codes can prescribe ethical conduct, but the bodies behind them do not always have the ability to ban violators from practice in the field.
Privacy
Privacy is a "state of being free from unsanctioned intrusions".
The Federal Privacy Act of 1974 regulates government protection of privacy, with some exceptions, including the privacy of customer information.
Privacy, ethics, and information security are all important considerations when it comes to managing sensitive data in the digital age. Here is a breakdown of each concept and how they relate to each other.
Sensitive data includes medical records, financial information, and personally identifiable information (PII) such as social security numbers and addresses.
The collection and use of personal information is regulated by laws and regulations such as the General Data Protection Regulation (GDPR) in the European Union and the Health Insurance Portability and Accountability Act (HIPAA) in the United States.
Privacy, ethics, and information security are interconnected and interdependent. For example, without strong information security measures, personal information is vulnerable to unauthorized access and use.
Without ethical considerations, personal information may be used in ways that are harmful or discriminatory. And without privacy protections, individuals may not have control over how their personal information is used.
Organizations and individuals have a responsibility to ensure that personal information is collected and used in ways that are ethical, secure, and respect privacy rights.
This involves implementing strong data management practices, ensuring that individuals have given informed consent, and adhering to the laws and regulations that protect personal information.
CODES OF ETHICS AND PROFESSIONAL ORGANIZATIONS
A code of ethics sets out an organization's ethical guidelines and the best practices to follow for honesty, integrity, and professionalism.
Several professional organizations have established codes of conduct/ethics.
Codes of ethics can have a positive effect; unfortunately, many employers do not encourage joining these professional organizations.
It is the responsibility of security professionals to act ethically and according to the policies of their employer, their professional organization, and the laws of society.
Major IT Professional Organizations
Association for Computing Machinery (ACM)
International Information Systems Security Certification Consortium, Inc. (ISC)²
System Administration, Networking, and Security Institute (SANS)
Information Technology Association of America (ITAA)
THANK YOU
ANY QUESTIONS