Chapter 3 Laws and Ethics – Flashcards
question
            Define laws
answer
        Rules that mandate or prohibit certain behavior and are enforced by the state
question
            Define Policies
answer
        Managerial directives that specify acceptable and unacceptable employee behavior in the workplace
question
            Civil Law
answer
        Comprises a wide variety of laws that govern a nation or state and deal with the relationships and conflicts between organizations and people.
question
            Criminal Law
answer
        Addresses activities and conduct harmful to society, and is actively enforced by the state. Law can also be categorized as private or public.
question
            Public law
answer
        Regulates the structure and the administration of government agencies and their relationships with citizens, employees, and other governments. Public law includes criminal, administrative, and constitutional law.
question
            What is the Computer Fraud and Abuse Act of 1986?
answer
        The Computer Fraud and Abuse Act of 1986 (CFA Act or CFAA) is the cornerstone of many computer-related federal laws and enforcement efforts. It was originally written as an extension and clarification to the Comprehensive Crime Control Act of 1984.
question
            What amended the CFAA?
answer
        The National Information Infrastructure Protection Act of 1996, which modified several sections of the previous act and increased the penalties for selected crimes.
question
            Under the National Information Infrastructure Protection Act of 1996, what determines the severity of the penalty?
answer
        The severity of the penalty depends on whether the offense was committed: • for the purpose of commercial advantage • for private financial gain • in furtherance of a criminal act
question
            The Privacy of Customer Information Section
answer
        The Privacy of Customer Information Section of the common carrier regulations states that any proprietary information shall be used explicitly for providing services, and not for marketing purposes.
question
            The Electronic Communications Privacy Act (ECPA) of 1986
answer
        Informally referred to as the wiretapping acts, the ECPA is a collection of statutes that regulates the interception of wire, electronic, and oral communications.
question
            The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
answer
        Also known as the Kennedy-Kassebaum Act, protects the confidentiality and security of healthcare data by establishing and enforcing standards and by standardizing electronic data interchange.
question
            The Financial Services Modernization Act or Gramm-Leach-Bliley Act of 1999
answer
        Contains many provisions that focus on facilitating affiliation among banks, securities firms, and insurance companies. This act requires all financial institutions to disclose their privacy policies on the sharing of nonpublic personal information.
question
            Computer Fraud and Abuse Act (also known as Fraud and Related Activity in Connection with Computers; 18 USC 1030). Defines and formalizes laws to counter threats from computer-related acts and offenses (amended in 1996, 2001, 2006). Which category of law is this?
answer
        Threats to Computers
question
            The Computer Security Act of 1987
answer
        Requires all federal computer systems that contain sensitive information to have security plans in place, and requires periodic security training for all people who operate, design, or manage such systems.
question
            USA PATRIOT Act
answer
        USA PATRIOT Act of 2001 (amended 18 USC 1030, among other statutes). Defines stiffer penalties for the prosecution of terrorist crimes.
question
            3 causes of unethical and illegal behavior
answer
        Ignorance, Accident, Intent
question
            Describe Ignorance and how to prevent it?
answer
        Ignorance of the law is no excuse; however, ignorance of policy and procedures is. The first method of deterrence is education, which is accomplished by designing, publishing, and disseminating an organization's policies and the relevant laws.
question
            Describe Accident and how to prevent?
answer
        People who have authorization and privileges to manage information within the organization are most likely to cause harm or damage by accident. Planning and control can help prevent this.
question
            Describe Intent and how to prevent?
answer
        Criminal or unethical intent goes to the state of mind of the person performing the act; it is often necessary to establish criminal intent to successfully prosecute offenders. Prevention requires technical controls, and vigorous litigation or prosecution if those controls fail.
question
            3 conditions that must be present for laws and policies to deter illegal or unethical behavior?
answer
        Fear of Penalty, Probability of being apprehended, Probability of penalty being applied
question
            Define Fear of Penalty
answer
        Potential offenders must fear the penalty. Threats of informal reprimand or verbal warning do not have the same impact as the threat of imprisonment or forfeiture of pay.
question
            Probability of being apprehended?
answer
        Potential offenders must believe there is a strong possibility of being caught.
question
            Probability of penalty being applied?
answer
        Potential offenders must believe that the penalty will be administered.
question
            Ethical differences between cultures?
answer
        Cultural differences can make it difficult to determine what is ethical and what is not, especially when it comes to the use of computers. Studies on ethics and computer use reveal that people of different nationalities have different perspectives; difficulties arise when one nationality's ethical behavior violates the ethics of another national group.
question
            The Digital Millennium Copyright Act (DMCA)
answer
        The American contribution to an international effort by the World Intellectual Property Organization (WIPO) to reduce the impact of copyright and trademark infringement, especially when accomplished by circumventing technological copyright protection measures; it implements the 1996 WIPO Copyright Treaty. Separately, the European Union's Directive 95/46/EC (1995) added protection for individual citizens with regard to the processing of personal data and its use and movement, and the United Kingdom's Database Right implements the EU Database Directive (96/9/EC).
question
            The Council of Europe adopted the Convention on Cybercrime in 2001
answer
        It created an international task force to oversee a range of security functions associated with Internet activities and standardized technology law across international borders.
question
            International Laws
answer
        IT professionals and information security practitioners must realize that when their organizations do business on the Internet, they do business globally. As a result, these professionals must be sensitive to the laws and ethical values of many different cultures, societies, and countries.
question
            The Sarbanes-Oxley Act of 2002
answer
        Also known as SOX or the Corporate and Auditing Accountability and Responsibility Act, is a critical piece of legislation that affects the executive management of publicly traded corporations and public accounting firms. The law seeks to improve the reliability and accuracy of financial reporting and to increase the accountability of corporate governance in publicly traded companies.
question
            The Economic Espionage Act in 1996
answer
        To protect American ingenuity, intellectual property, and competitive advantage, Congress passed the Economic Espionage Act in 1996. This law attempts to prevent trade secrets from being illegally shared.
question
            The Security and Freedom through Encryption Act of 1999
answer
        Provides guidance for the use of encryption and protection from government intervention (the bill was introduced in Congress but never enacted). Its provisions would:
        1. Reinforce a person's right to use or sell encryption algorithms without concern for regulations requiring some form of key registration.
        2. Prohibit the federal government from requiring the use of encryption for contracts, grants, and other official documents and correspondence.
        3. State that the use of encryption is not probable cause to suspect criminal activity.
        4. Provide additional penalties for the use of encryption in the commission of a criminal act.
question
            Misuse of Corporate Resources
answer
        Communicate, Educate, and Execute: inform all corporate stakeholders about ethically motivated actions, and then implement programs to achieve the organization's stated values in practice.